NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) in response to Executive Order 13636. The framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. OneLogin aligned its existing security controls to be compliant with this framework in order to augment its security program. These controls are tested as part of the periodic SOC 2 Type 2 report.
What’s the primary purpose of this initiative?
Provide an additional reference point for developing and maintaining OneLogin’s Security Program.
What’s the scope?
The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
How often are you evaluated/audited?
The security controls aligned with the Framework Core of the NIST Cybersecurity Framework are tested as part of the periodic SOC 2 Type 2 report audits.
Who performs the evaluation/audit?
Grant Thornton LLP performs the SOC 2 Type 2 Report audit.
Who is the primary audience?
Customers and relevant third parties with a business need.
Where can I get a copy of the report/certificate?
The evaluation of the security controls aligned with the NIST Cybersecurity Framework (NIST CF) is performed as part of the SOC 2 Type 2 report audits. Customers and relevant third parties can request the latest report from their Account Executive, Business Development, or Customer Success contact.