

7.2 Get the mapping between SecurityScorecard issue types and a compliance framework

Get the mapping between SecurityScorecard issue types and a compliance framework

This API endpoint allows you to retrieve the mappings of SecurityScorecard issue types to a particular compliance framework. You can check out the full specification for this endpoint here.

Resource URI

/compliance-frameworks/{framework_key}

Parameters:

Name Required Description
framework_key (Compliance Framework Key) Y The compliance framework key (ex: hipaa) you want to get the mappings for; it is supplied as the path segment of the resource URI.

Sample Code:


            # Same request as the short-option form, written with curl's long options.
            # <Your API Key> is the account's API token: supply it from an environment
            # variable or a secrets store rather than pasting it into a shared script.
            curl --request GET \
                --url 'https://api.securityscorecard.io/compliance-frameworks/hipaa' \
                --header 'Accept: application/json' \
                --header 'Authorization: Token <Your API Key>' \
                --header 'Content-Type: application/json' \
                --header 'cache-control: no-cache'
        

Sample Response:


{
    "sections": [
        {
            "id": "14.308",
            "questions": [
                {
                    "id": "(a)(1)(ii)(B)",
                    "issue_types": [
                        "x_xss_protection_incorrect",
                        "web_vuln_host_high",
                        "web_vuln_host_medium",
                        "web_vuln_host_low",
                        "cookie_missing_secure_attribute",
                        "x_frame_options_incorrect",
                        "cookie_missing_http_only",
                        "spf_record_missing",
                        "tls_weak_cipher",
                        "ssh_weak_cipher",
                        "tlscert_expired",
                        "tlscert_weak_signature",
                        "ssh_weak_mac",
                        "tlscert_excessive_expiration",
                        "outdated_os",
                        "outdated_browser",
                        "admin_subdomain",
                        "typosquat",
                        "service_vuln_host_low",
                        "service_vuln_host_medium",
                        "service_vuln_host_high",
                        "patching_cadence_high",
                        "patching_cadence_medium",
                        "service_microsoft_sql",
                        "service_mongodb",
                        "service_mysql",
                        "service_postgresql",
                        "service_couchdb",
                        "service_redis",
                        "service_cassandra",
                        "service_pop3",
                        "service_imap",
                        "service_ftp",
                        "service_telnet",
                        "service_rdp",
                        "service_smb",
                        "service_vnc",
                        "service_rsync",
                        "service_elasticsearch"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA implementation specification.",
                    "question": "Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a)."
                },
                {
                    "id": "(a)(1)(ii)(D)",
                    "issue_types": [
                        "malware_30_day",
                        "attack_feed",
                        "tor_node_events_last_month",
                        "malware_365_day",
                        "non_malware_events_last_month",
                        "uce",
                        "tlscert_expired",
                        "exposed_ports",
                        "outdated_browser",
                        "outdated_os",
                        "service_vuln_host_low",
                        "service_vuln_host_medium",
                        "service_vuln_host_high",
                        "patching_cadence_high"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA implementation specification.",
                    "question": "Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
                },
                {
                    "id": "(a)(4)(i)",
                    "issue_types": [
                        "service_microsoft_sql",
                        "service_mongodb",
                        "service_mysql",
                        "service_postgresql",
                        "service_couchdb",
                        "service_redis",
                        "service_cassandra"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA standard.",
                    "question": "Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part"
                },
                {
                    "id": "(a)(5)(i)",
                    "issue_types": [
                        "leaked_passwords",
                        "github_information_leak_disclosure",
                        "google_information_leak_disclosure",
                        "short_term_lending_site",
                        "social_network_issues",
                        "marketing_site"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA standard.",
                    "question": "Standard: Security awareness and training.  Implement a security awareness and training program for all members of its workforce (including management)."
                },
                {
                    "id": "(a)(5)(iI)(B)",
                    "issue_types": [
                        "malware_1_day",
                        "malware_30_day",
                        "attack_feed",
                        "tor_node_events_last_month",
                        "malware_365_day",
                        "non_malware_events_last_month",
                        "uce"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA implementation specification.",
                    "question": "Implementation specification of security awareness and training: Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software."
                },
                {
                    "id": "(a)(6)(i)",
                    "issue_types": [
                        "tor_node_events_last_month",
                        "non_malware_events_last_month",
                        "new_defacement",
                        "new_booter_shell",
                        "patching_cadence_high",
                        "patching_cadence_medium"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA standard.",
                    "question": "Standard: Security incident procedures. Implement policies and procedures to address security incidents."
                },
                {
                    "id": "(a)(8)(i)",
                    "issue_types": [
                        "web_vuln_host_low",
                        "web_vuln_host_medium",
                        "web_vuln_host_high",
                        "cookie_missing_secure_attribute",
                        "x_frame_options_incorrect",
                        "cookie_missing_http_only",
                        "spf_record_malformed",
                        "spf_record_softfail",
                        "tls_weak_cipher",
                        "ssh_weak_cipher",
                        "ssh_weak_mac",
                        "tlscert_expired",
                        "exposed_ports",
                        "tlscert_weak_signature",
                        "tlscert_no_revocation",
                        "tlscert_excessive_expiration",
                        "outdated_browser",
                        "outdated_os",
                        "service_vuln_host_low",
                        "service_vuln_host_medium",
                        "service_vuln_host_high",
                        "patching_cadence_high",
                        "service_end_of_service",
                        "patching_cadence_medium",
                        "service_end_of_life",
                        "patching_cadence_low",
                        "service_microsoft_sql",
                        "service_mongodb",
                        "service_mysql",
                        "service_postgresql",
                        "service_couchdb",
                        "service_redis",
                        "service_cassandra",
                        "service_pop3",
                        "service_imap",
                        "service_ftp",
                        "service_telnet",
                        "service_rdp",
                        "service_smb",
                        "service_vnc",
                        "service_rsync",
                        "service_elasticsearch"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA standard.",
                    "question": "Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart."
                }
            ],
            "title": "Administrative safeguards"
        },
        {
            "id": "164.312",
            "questions": [
                {
                    "id": "(a)(1)",
                    "issue_types": [
                        "malware_1_day",
                        "malware_30_day",
                        "attack_feed",
                        "malware_365_day",
                        "uce",
                        "exposed_ports",
                        "service_microsoft_sql",
                        "service_mongodb",
                        "service_mysql",
                        "service_postgresql",
                        "service_couchdb",
                        "service_redis",
                        "service_cassandra"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA standard.",
                    "question": "Standard: access control. Implement technical policies and procedures that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4)."
                },
                {
                    "id": "(c)(1)",
                    "issue_types": [
                        "malware_1_day",
                        "malware_30_day",
                        "attack_feed",
                        "malware_365_day",
                        "uce",
                        "tls_weak_cipher",
                        "ssh_weak_protocol"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA standard.",
                    "question": "Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction."
                },
                {
                    "id": "(d)",
                    "issue_types": [
                        "leaked_passwords"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA standard.",
                    "question": "Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
                },
                {
                    "id": "(e)(i)",
                    "issue_types": [
                        "tls_weak_cipher",
                        "ssh_weak_protocol",
                        "tlscert_expired",
                        "tlscert_weak_signature",
                        "tlscert_no_revocation",
                        "ssh_weak_cipher",
                        "ssh_weak_mac",
                        "tlscert_excessive_expiration",
                        "service_pop3",
                        "service_imap",
                        "service_ftp",
                        "service_telnet",
                        "service_rdp",
                        "service_smb",
                        "service_vnc",
                        "service_rsync",
                        "service_elasticsearch"
                    ],
                    "no_match": "No evidence was found that would have indicated a possible violation of this HIPAA standard.",
                    "question": " Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic network."
                }
            ],
            "title": "Technical safeguards"
        }
    ],
    "standard": "Health Insurance Portability and Accountability Act of 1996 (HIPAA)"
}