All Regulatory Frameworks Covered!

letsbloom assesses apps against regulatory and benchmark frameworks.

Results Reference
letsbloom scans and assesses your application's code against many regulatory and benchmark domains to check its security and compliance health.

Here are the descriptions of regulatory and benchmark domains that letsbloom uses.

Regulatory Domains

Audit

Audit is a process control domain that aims to validate organizational standards, policies, and procedures for effective IT audit management.

Cryptography

This domain verifies the use of cryptography to protect data privacy and maintain its integrity and authenticity.

Cryptographic algorithms that follow well-established international standards are used to maintain data confidentiality, and digital signatures are used to validate the authenticity and integrity of data.

Cyber Security Assessment

This domain verifies if an organization has processes and controls for effective vulnerability management, penetration testing, and cyber-attack simulation exercises. While penetration testing and cyber security exercises are enforced using organizational processes and practices, vulnerability assessment and remediation tracking controls are enforced using CI/CD pipelines.

letsbloom enforces these controls and provides an assessment of your current vulnerability posture.

Cyber Security Operations

This domain verifies if an organization has effective processes for threat intelligence collection, cyber event monitoring and detection, and incident response. It also checks whether the organization has clearly defined roles and responsibilities and technical controls for effective logging and monitoring of cyber threats.

Most of the controls in this domain are process controls provided by the letsbloom platform as part of our enterprise subscription. However, letsbloom can also verify your infrastructure as code for technical controls that can be implemented in your infrastructure definitions, including effective logging for robust cyber security operations.

Data & Infrastructure Security

This domain verifies whether an organization has implemented comprehensive policies and technical controls to prevent unauthorized data access and data theft and maintain data integrity and confidentiality.

It also checks whether the organization has implemented effective cloud, network, and systems security controls, such as OS hardening, database security, and endpoint security.

Identity & Access Management

The controls in this domain verify whether the organization has implemented effective policies, processes, and technical controls to manage user identities (both internal and external users).

The controls also assess whether the organization has enforced effective authentication, authorization, and role-based access controls across the application and infrastructure stack. Additionally, the domain checks whether the business enforces the principle of least privilege and maintains segregation of duties, especially for privileged users.

IT Resilience

This domain verifies whether an organization has implemented effective policies, processes, and technical controls to ensure their IT systems are available and recoverable in case of an outage or disaster to meet their business outcomes.

Most of the controls in this domain are process controls that validate organizational policies and processes around disaster recovery and business continuity. However, letsbloom also verifies specific technical controls on your infrastructure as code and cloud infrastructure such as multi-AZ or multi-region deployments.

IT Service Management

This domain verifies whether an organization has implemented robust policies, processes, and technical controls to effectively manage their IT services.

Most of the controls in this domain are process controls that validate organizational policies and processes around IT service management. However, letsbloom also verifies specific technical controls on your infrastructure as code and cloud deployments.

Risk Management

This domain contains process controls that verify whether an organization has implemented robust standards, policies, and procedures for effective IT risk management and governance.

Secure Software Development

This domain verifies whether an organization has implemented effective policies, processes, and technical controls to securely design, develop, test, and deploy software.

These domain controls are implemented using a Secure Systems Development Lifecycle (Secure SDLC) or DevOps (CI/CD) frameworks. They are enforced prior to the deployment phase and therefore cannot be validated by reviewing artifacts such as infrastructure as code or container/OS images.

The letsbloom platform leverages a DevSecOps framework to implement continuous deployment pipelines with security guardrails and secure configuration. This empowers an organization to comply with its secure software development controls.

Benchmark Domains

Cyber Security Operations

This domain verifies whether an organization has implemented effective processes for threat intelligence collection, cyber event monitoring, detection, and incident response. It also checks whether the business has clearly defined roles and responsibilities and technical controls for effective logging and monitoring for cyber threats.

Most of the controls in this domain are process controls which are available as part of the letsbloom enterprise subscription. However, letsbloom can also verify your infrastructure as code for technical controls that can be implemented in your infrastructure definitions, such as effective logging for robust cyber security operations.

Data Protection

This domain verifies whether an organization has implemented effective data protection policies, processes, and technical controls such as data-at-rest and data-in-transit encryption to maintain data integrity and confidentiality.

Identity & Access Management

This domain verifies whether an organization has implemented effective policies, processes, and technical controls to manage user identities (for both internal and external users).

These domain controls also assess whether the organization has enforced effective authentication, authorization, and role-based access controls across the application and infrastructure stack. Additionally, the domain checks whether the business enforces the principle of least privilege and maintains segregation of duties, especially for privileged users.

IT Asset Management

This domain verifies whether an organization has implemented robust policies, processes, and technical controls to effectively manage their IT assets and drive business value.

Most of the controls in this domain are process controls that validate organizational policies and processes around IT asset management. However, there are specific technical controls to be verified on your infrastructure as code and cloud deployments. These controls can be implemented on your cloud infrastructure to effectively manage IT assets.

Network Security

This domain verifies whether an organization has implemented robust security processes and tooling to effectively manage, monitor and safeguard their network from cybersecurity threats.

Security Awareness & Training

This domain verifies whether an organization has implemented effective policies and procedures to ensure that their team is educated and trained on relevant cybersecurity skills.

Secure Configuration Management

This domain verifies whether an organization has implemented effective policies, processes, and technical controls for secure configuration management. These controls are usually implemented using CI/CD pipelines in DevSecOps.

The letsbloom platform leverages DevSecOps frameworks to implement continuous deployment pipelines with security guardrails and configuration drift detection controls, ensuring an organization can securely manage its software configurations across environments.

Security Logging & Monitoring

This domain verifies whether an organization has implemented effective security logging and monitoring controls on its cloud infrastructure to proactively detect and respond to security threats.

Secure Software Management

This domain verifies whether an organization has implemented effective policies, processes, and technical controls to securely design, develop, test, build, deploy, and manage software.

These domain controls are implemented using a Secure Systems Development Lifecycle (Secure SDLC) or DevOps (CI/CD) frameworks. They are enforced prior to the deployment phase.

The letsbloom platform leverages a DevSecOps framework to implement continuous deployment pipelines with security guardrails and secure configuration. This empowers an organization to comply with its secure software development controls.

Software Supply-Chain Security

This domain checks whether an organization has robust policies and procedures to effectively secure and manage their software supply-chain.

Vulnerability Management

This domain verifies whether an organization has implemented robust processes and technical controls for effective software vulnerability management.

letsbloom helps you enforce vulnerability assessment and remediation tracking controls in your CI/CD pipeline using a DevSecOps framework. We also assess your current vulnerability posture and provide a health report highlighting the gaps.