Security Frameworks

NTT Security services help organizations satisfy both common security frameworks and specific compliance requirements.

Some standards offer little specific technical detail but provide the overall program structure and security management guidance needed to implement and maintain an effective security program. Assessing, executing, monitoring and auditing a security program against existing, proven frameworks strengthens security posture and supports compliance with multiple regulations at once, because one set of controls can be mapped to several regulatory requirements. Common security frameworks include ISO/IEC 27001 and 27002, the NIST Cybersecurity Framework, COBIT, COSO and the HITRUST CSF.

ISO/IEC 27002:2013

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly publish best practice recommendations on information security management. ISO/IEC 27002 is the code of practice that describes the individual controls; its companion, ISO/IEC 27001, specifies the requirements for the information security management system (ISMS) that an organization can be certified against. Together they define the broadest structure of an overall program, treating information security as a systems issue that spans technology, practice and people, and they set out the need for a formal, managed security program.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework was developed by the National Institute of Standards and Technology (NIST), a US government agency, under a 2013 US executive order on critical infrastructure cybersecurity. It provides a structure for the nation's financial, energy, health care and other critical infrastructure operators to better protect their information and physical assets from cyber attack. The framework is voluntary: it provides a common language for addressing and managing cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.

COBIT

Control Objectives for Information and Related Technologies (COBIT), published by ISACA, is a set of best practices for IT governance and management. COBIT focuses on defining program and management control functions, and is designed to help ensure that IT is implemented and managed effectively so that the organization gets the most out of its technology investment. While not specifically a security standard, strong COBIT compliance typically indicates a higher quality of control over internal practices, which in turn supports an effective security infrastructure as well as sound business practice.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) publishes the Internal Control – Integrated Framework, a widely accepted framework for enterprise governance, internal control and risk management, alongside related frameworks that build on it. COSO defines a set of business, management and security-relevant controls that can be used to demonstrate good business practice and to show compliance with Sarbanes-Oxley requirements, since regulators recognize COSO as a suitable internal control framework for that purpose.

HITRUST CSF

Developed in collaboration with healthcare and information security professionals, the HITRUST Common Security Framework (CSF) is the first IT security framework developed specifically for healthcare information. The CSF:


  • Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT
  • Scales according to type, size and complexity of an implementing organization
  • Provides prescriptive requirements to ensure clarity
  • Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
  • Allows for the adoption of alternate controls when necessary
  • Evolves according to user input and changing conditions in the healthcare industry and regulatory environment

NTT Security is a HITRUST Common Security Framework (CSF) Assessor. This means that NTT Security is able to deliver healthcare certification work, including readiness assessments and remediation associated with the CSF. In addition to the organizational certification, NTT Security has a team of security professionals certified as CSF Practitioners for effective and efficient implementation of the CSF.

How NTT Security services map to each compliance activity and to the frameworks above:

Assess & Measure Gaps
  NTT Security Services and Capabilities: Technical Consulting
  Regulatory Mapping: ISO/IEC 27001:2013; ISO/IEC 27002:2013; COBIT 4.1; COSO (via COBIT 4.1); HITRUST CSF2

Remediation & Enhancement
  NTT Security Services and Capabilities: Technical Consulting; Certified HITRUST CSF Practitioners; Authorized partner consulting services
  Regulatory Mapping: ISO/IEC 27001:2013; ISO/IEC 27002:2013; 87 COBIT controls with technical and security requirements; 144 COSO controls with technical and security requirements

Execute & Monitor Security Program
  NTT Security Services and Capabilities: Log Management; Log Monitoring; Vulnerability Management; Security Device Management; UTM for ISO, COBIT, COSO; Endpoint Device Management; Authorized partner consulting services
  Regulatory Mapping: 152 of 191 ISO security controls; 40 COBIT controls with technical and security requirements; 59 COSO controls with technical and security requirements; 77 of 136 HITRUST CSF security specifications

Demonstrate Compliance
  NTT Security Services and Capabilities: ActiveGuard Evidence Log Vault; ActiveGuard Security Compliance Reporting
  Regulatory Mapping: 33 ISO security controls with auditing and reporting requirements; 23 COBIT controls with auditing and reporting requirements; 23 COSO controls with auditing and reporting requirements; 42 CSF security specifications with auditing and reporting requirements
