Information Security Compliance

Information Security Compliance is a growing concern for organizations. As the threat of security breaches continues to increase, governments and industry bodies around the world are introducing new mandates to keep valuable information from falling into the wrong hands.

Which regulations apply to the data you collect and use depends on the nature of that data and the industry you operate in. Customer personally identifiable information (PII) and even anonymized or pseudonymized customer data are examples of valuable data that is frequently targeted by threat actors and protected by regulation.

The costs of non-compliance can be significant. Not only do you risk fines from the bodies that enforce these regulations, but by not complying you also expose yourself to the substantial costs and reputational damage that accompany a breach. In 2021, the average cost of a data breach in the United States was $9.05 million, and that figure has risen year over year, so future breaches are likely to cost even more.


Red Lion Compliance Services

With 20 years of experience across a wide variety of industries, Red Lion has extensive experience assembling custom information security compliance solutions for organizations of any size. Below is a list of common information security regulations and standards that Red Lion can help with. Click below to learn more about each one, and feel free to contact us for help achieving compliance with these or any other regulations not listed here.

Limited Time Offer

10% Off Compliance Services

Optimize your compliance efforts and prepare for regulatory changes in 2022. Sign up for Red Lion Compliance Gap Analysis, Managed Compliance, or Virtual Compliance Officer Services by February 28th, 2022 and save 10%!

Request a Quote Today

23 NYCRR 500

23 NYCRR 500 stands for Title 23 of the New York Codes, Rules, and Regulations, Part 500. The purpose of this regulation is to protect consumer data by setting cyber security requirements for financial services companies regulated by the New York State Department of Financial Services (NYDFS).

FedRAMP

FedRAMP stands for Federal Risk and Authorization Management Program. It is a government-wide program that standardizes the security assessment, authorization, and continuous monitoring of cloud services. It is mandatory for federal agencies that adopt cloud services, and the cloud service providers that serve them must obtain a FedRAMP authorization.

FISMA

FISMA stands for the Federal Information Security Management Act. It requires federal agencies (and the contractors that operate systems on their behalf) to implement information security programs to protect the data and systems that support their operations.

GDPR

GDPR stands for General Data Protection Regulation. The purpose of GDPR is to uphold the right of individuals in the E.U. to the protection of their personal data. GDPR accomplishes this by requiring a lawful basis for processing, by allowing individuals to learn what information organizations hold about them, and by giving individuals the power to correct or erase that data and to withdraw their consent to its processing.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act. The purpose of this act is to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

NERC CIP

NERC CIP (Critical Infrastructure Protection) is a set of mandatory cyber security standards that outline the controls required to secure the assets used to operate the bulk electric system of North America.

NIST CSF

The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (also referred to as the NIST Cybersecurity Framework or "NIST CSF") describes the current and target state of an organization's cyber security program using a Framework Core, Implementation Tiers, and Framework Profiles.

NIST 800-171

NIST SP 800-171 is a security standard created by the National Institute of Standards and Technology. It outlines a standard set of security requirements that non-federal organizations, such as government contractors, must implement to protect Controlled Unclassified Information (CUI) in their systems.

NIST 800-53

NIST SP 800-53 is a catalog of security and privacy controls, together with the corresponding assessment procedures, created by the National Institute of Standards and Technology. It provides federal agencies (and the organizations that support them) with guidance on selecting and implementing the controls that underpin their risk management programs.

PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. Rather than a government regulation, it is a contractual standard maintained by the PCI Security Standards Council on behalf of the major card brands, and it applies to any organization that stores, processes, or transmits cardholder data, with the aim of securing payment card transactions.

SOC 2

In this case, SOC stands for System and Organization Controls. SOC 2 is an attestation standard developed by the AICPA that reports on controls relevant to the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) for customers, stakeholders, and regulators, rather than on financial reporting. There are two types of SOC 2 reports: a Type 1 report describes whether the controls are suitably designed at a point in time, whereas a Type 2 report describes whether the controls operated effectively over a period of time.

SOX

SOX is the shortened term for the Sarbanes-Oxley Act. Passed in 2002, it mandates internal controls over financial reporting and disclosure to protect current and prospective stakeholders from accounting errors, inaccurate corporate disclosures, and fraudulent practices. The goal is to increase transparency in corporate financial reporting and to create a system of checks and balances within each company.

UL 2900

UL 2900 is a series of standards published by UL (formerly Underwriters Laboratories), a global safety consulting and certification company. UL 2900 sets cyber security requirements for "smart" devices, that is, devices with network-connectable functionality. UL 2900 is part of the UL Cybersecurity Assurance Program (UL CAP), a certification program for evaluating the security of network-connectable products and systems.

Let Red Lion Assist in your Compliance Efforts

Do you still have questions regarding which regulations your organization needs to comply with, or how your company can become compliant with certain regulations? Our compliance professionals are here to help!

Contact Us Today