Security programs built on proven frameworks — not invented from scratch.
Cybersecurity Framework — the universal language of risk management
The NIST Cybersecurity Framework provides a common taxonomy for organizing security activities around five concurrent functions (six in CSF 2.0, which adds Govern). It's vendor-neutral, scalable from SMB to enterprise, and maps cleanly onto existing compliance obligations (HIPAA, SOC 2, ISO). In practice, it's the most useful board-level communication tool available to security leaders — translating technical risk into business risk language.
Identify
Protect
Detect
Respond
Recover
Govern (CSF 2.0)
Applied at Parachute Health: Used as the primary risk assessment and program maturity model. CSF tiers drive quarterly security roadmap prioritization and executive reporting.
Information Security Management System — the global certification standard
ISO 27001 defines requirements for establishing, implementing, maintaining, and continually improving an ISMS. Unlike compliance checklists, it mandates a risk treatment process — organizations must identify risks, select controls from Annex A (93 controls across 4 themes), and accept residual risk formally. The 2022 revision added 11 new controls covering threat intelligence, cloud security, and data masking. Certification requires an accredited third-party audit in two stages.
Organizational Controls
People Controls
Physical Controls
Technological Controls
Key insight: ISO 27001 certification signals mature security governance to enterprise customers and partners — particularly valuable in healthcare SaaS where vendor risk reviews are rigorous.
Trust Services Criteria — the SaaS industry's baseline security proof
SOC 2 examines controls relevant to security, availability, processing integrity, confidentiality, and privacy. Type I reports on control design at a point in time; Type II reports on operating effectiveness over a period (typically 6–12 months). The Security Trust Services Criterion (CC series) is mandatory — the other four are optional based on customer commitments. Common failure areas include change management, logical access reviews, and vendor management gaps.
Security (CC)
Availability (A)
Confidentiality (C)
Processing Integrity (PI)
Privacy (P)
Applied at Parachute Health: Managed SOC 2 Type II audit preparation including evidence collection automation, control mapping to HIPAA, and remediation of findings across access control and monitoring domains.
Healthcare data privacy & security — protecting PHI across the care ecosystem
HIPAA's Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). Required vs. addressable specifications create flexibility but also confusion — "addressable" doesn't mean optional; it means implement or document why an equivalent alternative was chosen. The Breach Notification Rule mandates reporting within 60 days of discovery, with OCR penalties reaching $1.9M per violation category per year. In digital health, HIPAA compliance must extend to APIs, mobile apps, and third-party integrations.
Privacy Rule
Security Rule
Breach Notification
Omnibus Rule
BAA Management
Research context: Published work on AI and PHI handling in cloud environments — examining how ML inference pipelines must be architected to avoid unintended PHI exposure at model training and serving layers.
Adversary tactics, techniques & procedures — how attackers actually operate
ATT&CK is a living knowledge base of real-world adversary behavior, organized by tactic (the why) and technique (the how). It's used for threat modeling, detection engineering, red team planning, and SOC gap analysis. The Enterprise matrix covers 14 tactics and 200+ techniques across Windows, macOS, Linux, and cloud platforms. Navigator layers allow teams to visualize detection coverage vs. technique prevalence — making it the most practical tool for prioritizing detection engineering work.
Reconnaissance
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Lateral Movement
Exfiltration
Research application: Used ATT&CK technique mapping in ML-based threat detection research — training classifiers on technique-labeled telemetry to improve detection specificity over signature-based approaches.
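One way to turn the coverage-vs-prevalence idea above into a Navigator layer, as an added example that is not part of the original page or of any Parachute Health tooling: detection rules are tagged with the ATT&CK technique IDs they cover, each technique gets a constructed prevalence score, and uncovered-but-prevalent techniques are scored highest so they surface first for detection engineering. The rule names, prevalence values and Navigator version strings are constructed/assumed.

```python
"""Added example (not from the original page): build an ATT&CK Navigator layer that
scores each technique by detection gap, so uncovered but prevalent techniques rank first.
All detection rules and prevalence values below are constructed sample data."""
import json

# Constructed sample: detection rules tagged with the ATT&CK technique IDs they cover.
DETECTION_RULES = [
    {"name": "Encoded PowerShell command line", "techniques": ["T1059"]},
    {"name": "Impossible-travel interactive login", "techniques": ["T1078"]},
    {"name": "Macro-enabled attachment from external sender", "techniques": ["T1566"]},
]

# Constructed sample: how often each technique appears in threat intel relevant to this
# environment, on a 1..10 scale (in practice derived from CTI / ATT&CK group profiles).
TECHNIQUE_PREVALENCE = {
    "T1059": 10,  # Command and Scripting Interpreter
    "T1078": 9,   # Valid Accounts
    "T1566": 9,   # Phishing
    "T1003": 8,   # OS Credential Dumping
    "T1021": 7,   # Remote Services
    "T1041": 5,   # Exfiltration Over C2 Channel
}

def coverage_counts(rules):
    """Number of detection rules covering each technique ID."""
    counts = {}
    for rule in rules:
        for tid in rule["techniques"]:
            counts[tid] = counts.get(tid, 0) + 1
    return counts

def gap_scores(prevalence, rules):
    """Gap score = prevalence if no rule covers the technique, else 0."""
    counts = coverage_counts(rules)
    return {tid: (0 if counts.get(tid) else prev) for tid, prev in prevalence.items()}

def prioritized_gaps(prevalence, rules):
    """Uncovered technique IDs, most prevalent first: the detection backlog order."""
    scores = gap_scores(prevalence, rules)
    return sorted((t for t, s in scores.items() if s > 0), key=lambda t: -scores[t])

def build_layer(prevalence, rules, name="Detection coverage gaps"):
    """Navigator layer dict: covered techniques green, gaps shaded by score (white->red)."""
    counts, scores = coverage_counts(rules), gap_scores(prevalence, rules)
    techniques = [{"techniqueID": tid, "score": scores[tid],
                   "color": "#4caf50" if counts.get(tid) else "",
                   "comment": f"{counts.get(tid, 0)} rule(s); prevalence {prevalence[tid]}"}
                  for tid in prevalence]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed
            "gradient": {"colors": ["#ffffff", "#ff0000"], "minValue": 0, "maxValue": 10},
            "techniques": techniques}

if __name__ == "__main__":
    print(json.dumps(build_layer(TECHNIQUE_PREVALENCE, DETECTION_RULES), indent=2))
```

Save the printed JSON to a file and load it through Navigator's "Open Existing Layer" to see the gaps on the Enterprise matrix; adjust the version strings to match the Navigator build you run.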
Prioritized security best practices — actionable defense from the ground up
The CIS Controls provide 18 prioritized Controls, each broken into safeguards assigned to an Implementation Group (IG1–IG3), making them practical for any organization size. IG1 covers essential cyber hygiene (56 safeguards) — if you do nothing else, do these. Controls are mapped to NIST CSF, ISO 27001, and MITRE ATT&CK, making them an effective translation layer between frameworks. CIS Benchmarks (800+ configuration guidelines) complement the Controls by providing specific hardening guidance for OS, cloud, and application layers.
Asset Inventory
Data Protection
Secure Configuration
Account Management
Audit Log Management
Vulnerability Management
Incident Response
Practical use: CIS Controls IG2 serves as the baseline security program template for mid-market healthcare organizations — providing a defensible, audit-ready control set without the overhead of full ISO certification.