A compliance standard groups together security, configuration, and process requirements that follow established ICT security guidelines and best practices. Adhering to these standards helps organizations maintain required levels of security hardening and reduce exposure to risk.
In the following, you’ll find detailed descriptions of each standard and how Dynatrace supports it.
C5, also known as the Cloud Computing Compliance Criteria Catalogue, developed by the German Federal Office for Information Security (BSI), outlines the basic requirements for secure cloud computing. It's primarily designed to provide a high level of assurance in the security of cloud services. While based on international standards such as ISO 27001, C5 goes further by incorporating additional controls tailored explicitly to cloud environments.
Supported version is C5:2020.
The German IT Baseline Protection (IT-Grundschutz) standard was established by the German Federal Office for Information Security (BSI) as a sound and sustainable information security management system (ISMS). IT-Grundschutz covers technical, organizational, infrastructural, and personnel aspects equally. With its broad foundation, IT-Grundschutz offers a systematic information security approach compatible with ISO/IEC 27001.
Supported editions are 2022 and 2023.
The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CSC) to help organizations achieve greater overall cybersecurity defense. These controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. A principal benefit of the controls is that they prioritize and focus a smaller number of actions with high pay-off results.
| Benchmark | Cloud provider/Server software | Supported versions |
|---|---|---|
| CIS Kubernetes v1.12.0 | Upstream Kubernetes | 1.32, 1.33, 1.34 |
| CIS Kubernetes v1.11.1 | Upstream Kubernetes | 1.29, 1.30, 1.31, 1.32 |
| CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.7.0 | Amazon EKS | 1.30, 1.31, 1.32 |
| CIS Azure Kubernetes Service (AKS) Benchmark v1.8.0 | Azure AKS | 1.32, 1.33, 1.34 |
| CIS Amazon Web Services Foundations Benchmark v3.0.0 | AWS | — |
| CIS Microsoft Azure Foundations Benchmark v5.0.0 | Azure | — |
| CIS Google Cloud Platform Foundation Benchmark v1.3.0 | GCP | — |
| CIS VMware ESXi 8.0 Benchmark v1.2.0 | VMware | VMware ESXi 8.0 |
| CIS VMware ESXi 7.0 Benchmark v1.4.0 | VMware | VMware ESXi 7.0 |
| CIS VMware ESXi 6.7 Benchmark v1.2.0 | VMware | VMware ESXi 6.7 |
| CIS VMware ESXi 6.5 Benchmark v1.0.0 | VMware | VMware ESXi 6.5 |
Cyber Essentials is a United Kingdom security standard aiming to demonstrate that an organization has implemented minimum cybersecurity protections through annual assessments. It comprises fundamental technical controls to help organizations safeguard against common online security threats. The Cyber Essentials scheme is a government-backed framework supported by the National Cyber Security Centre (NCSC).
The supported version of Cyber Essentials: Requirements for IT Infrastructure is v3.1.
Security Technical Implementation Guides (STIGs) are based on the standards of the Department of Defense (DoD). DISA STIG guidelines are often used as a baseline in other sectors or segments to ensure compliance with the standards and access to the DoD networks. All organizations must meet the DISA STIG security standards before accessing and operating on DoD networks.
| STIG | Supported platforms and versions |
|---|---|
| Kubernetes STIG - Ver 2, Rel 4 | Upstream Kubernetes, Amazon EKS, Azure AKS |
| VMware vSphere 8.0 STIG | VMware vCenter 8.0.x, VMware ESXi 8.0.x |
| VMware vSphere 7.0 STIG | VMware vCenter 7.0.x, VMware ESXi 7.0.x |
| VMware vSphere 6.7 STIG | VMware vCenter 6.7.x, VMware ESXi 6.7.x |
| VMware vSphere 6.5 STIG | VMware vCenter 6.5.x, VMware ESXi 6.5.x |
| VMware NSX 4.x STIG | NSX 4.x |
| VMware NSX-T Data Center STIG | NSX 3.x |
Digital Operational Resilience Act (DORA) is a major piece of European Union legislation (Regulation (EU) 2022/2554). DORA aims to enhance the resilience of digital operations and protect the integrity of the financial market infrastructure in the European Union. Compliance with DORA is a pathway to creating a more secure and reliable digital environment within financial institutions. The act impacts day-to-day operations, security protocols, and compliance measures. DORA takes effect on January 17, 2025.
The Essential Eight standard is built on eight prioritized mitigation strategies designed to assist cybersecurity professionals in mitigating incidents caused by various cyber threats. Developed by the Australian Cyber Security Centre (ACSC), it's mandatory for all Australian non-corporate (federal) Commonwealth entities and highly recommended for other business organizations.
General Data Protection Regulation (GDPR) is a European privacy law designed to harmonize data protection regulations across the European Union (EU) by establishing a single, binding framework for all EU member states. GDPR.eu offers a comprehensive library of resources to assist organizations in achieving GDPR compliance.
The 1996 Health Insurance Portability and Accountability Act (HIPAA) mandated that the Secretary of the U.S. Department of Health and Human Services (HHS) establish regulations aimed at safeguarding the privacy and security of specific health information. In response, HHS introduced the HIPAA Privacy Rule and the HIPAA Security Rule, which are now widely recognized standards.
Supported version is 5/2005: rev. 3/2007.
ISO 27001 is one of the most globally recognized standards, offering a comprehensive Information Security Management Systems (ISMS) framework. It helps organizations align their security practices with international best practices and business, legal, and regulatory requirements. The standard encompasses all aspects of information risk management, from risk assessment to risk treatment, making it an essential tool in today's ever-changing cybersecurity landscape.
Supported version is ISO 27001/2022.
The Personal Data Protection Law (Turkish: Kişisel Verilerin Korunması Kanunu, KVKK) is a Turkish regulation that governs personal data protection and defines the legal obligations of entities and individuals handling personal data. This law ensures compliance with technical requirements for Data Protection, Data Access, and Audit readiness, modeled after the European Union’s General Data Protection Regulation (GDPR).
The National Institute of Standards and Technology (NIST) publishes the NIST SP 800-53, which offers security and privacy controls for information systems and organizations. Per the Office of Management and Budget (OMB), the NIST standards and policies are mandatory for all non-national security systems run by federal agencies in the USA.
| Revision | Cloud provider/Server software |
|---|---|
| SP 800-53 Rev. 5.1.1 | Upstream Kubernetes, Amazon EKS, Azure AKS |
| SP 800-53 Rev. 5 | AWS, Azure |
| SP 800-53 Rev. 5.1 | VMware vSphere |
Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements to ensure that companies that process, store, or transmit credit card information operate in a secure environment. Developed to address the increasing risk of data breaches in payment card systems, PCI DSS is crucial for any business accepting, handling, or storing payment card information.
Supported version is PCI DSS v4.0.
The Trusted Information Security Assessment Exchange (TISAX) is a prominent information security standard in the automotive industry, developed by the German Association of the Automotive Industry (VDA). TISAX requirements are outlined in the Information Security Assessment (ISA) catalog, which is managed by the ENX Association. These requirements are based on the international ISO/IEC 27001 standard for information security management, with additional provisions explicitly tailored to the automotive sector.
Supported version is VDA ISA 5.1.
The VMware Security Configuration Guides provide guidance on how to deploy and operate VMware products securely, based on the VMware Security Configuration Guide.
Supported version is vCenter Server 8.0 Update 3.