Comparing NY DFS, HIPAA, SOC 2 Type II, and CIS Controls: Key Differences Explained

In Short:

A Clear, Framework-by-Framework Comparison Guide

Understanding cybersecurity and compliance frameworks can feel overwhelming—especially when multiple standards overlap. Instead of comparing everything at once, this guide breaks each framework down individually so you can clearly understand what it is, who it applies to, and what’s required.

NY DFS (New York Department of Financial Services Cybersecurity Regulation)

What Does It Stand For?

NY DFS = New York Department of Financial Services

What Is It?

A state-level cybersecurity regulation that requires financial institutions operating in New York to implement and maintain a formal cybersecurity program.

Who Must Comply?

• NY financial services companies

• Banks
• Insurance companies
• Lenders
• Financial advisors and brokers

Is It Mandatory?

Yes — This is a legally enforceable regulation.

Regular Audit Requirements

• Annual self-certification of compliance submitted to NY DFS

• Subject to regulatory oversight and examinations

Audit Frequency

• Annually (certification)

• Additional reviews may occur during investigations or regulatory exams

Evidence Required

• Security controls documentation
• Written cybersecurity policies
• Proof of compliance certifications

Policies & Governance

• Written cybersecurity policy approved by leadership
• Governance (CISO or equivalent oversight)
• Incident response plan

Technical Controls

• MFA
• Asset inventory and management
• Access control and privileged account management
• Continuous monitoring / logging
• Vulnerability management and malware protections

HIPAA

What Does It Stand For?

HIPAA = Health Insurance Portability and Accountability Act

What Is It?

A federal law that sets standards for protecting sensitive patient health information (PHI and ePHI).

Who Must Comply?

• Healthcare providers
• Health plans
• Healthcare clearinghouses
• Business Associates (any vendor handling patient data)

Is It Mandatory?

Yes — Federal law with significant penalties for non-compliance.

Regular Audit Requirements

• Overseen by the Office for Civil Rights (OCR)
• Audits are:
  •  Periodic
  • Triggered by incidents (e.g., data breaches)

Audit Frequency

• No fixed schedule

• Event-driven and ongoing oversight

Evidence Required

• Risk assessments and risk analysis documentation
• Security and privacy policies
• Audit logs and activity tracking
• Workforce training records
• Breach notification documentation
• Business Associate Agreements (BAAs)

Policies & Governance

• Documented safeguards for ePHI protection
• Workforce training and security awareness
• Incident response and breach notification procedures

Technical Controls

• Access control and user authentication
• Audit logging and activity monitoring
• Encryption / protection of ePHI
• Device and media controls
• Backup and disaster recovery

SOC 2 Type II

What Does It Stand For?

SOC 2 = System and Organization Controls 2
Type II = Controls are tested over time (not just at a single point)

What Is It?

An independent third-party audit that evaluates how well your organization protects customer data over a defined period.

Who Must Comply?

• Not legally required for any specific industry
• Common for:
  • SaaS companies
  • Technology providers
  • Service organizations handling customer data

Is It Mandatory?

No — but often required to win enterprise deals or pass vendor security reviews

Regular Audit Requirements

• Conducted by an independent CPA firm
• Includes:
  • Review of policies and procedures
  • Testing of security controls over time
  • Validation of control effectiveness

Audit Frequency

• Typically annual

Evidence Required

• Continuous evidence of control operation
• Logs, screenshots, and system records
• Formal system description
• Risk management documentation
• Incident response testing records
• Access reviews and change management documentation

SOC 2 requires ongoing evidence collection, not just one-time preparation.

Policies & Governance

• Formal security policies and procedures
• Incident response
• Change management

Technical Controls

• Access control and MFA
• Logging and monitoring
• Vulnerability management
• Encryption
• Change tracking and system integrity
• Security awareness training

CIS Controls (Critical Security Controls)

What Does It Stand For?

CIS = Center for Internet Security

What Is It?

A best practices cybersecurity framework that provides prioritized actions (Controls) to help organizations improve their security posture.

It includes implementation groups:

• IG1: Basic cyber hygiene
• IG2: Intermediate security maturity

Who Must Comply?

• No one is required to comply
• Used by:
  • Small to mid-sized businesses
  • Enterprises improving security maturity
  • Organizations preparing for audits (SOC 2, HIPAA, etc.)

Is It Mandatory?

No, completely voluntary

Regular Audit Requirements

• No formal audits required
• Typically self-assessed

Audit Frequency

• None required

• Organizations review progress internally as needed

Evidence Required

• Internal tracking of: 
  • Asset inventory
  • Security controls implementation
  • Risk management activities
  • Security awareness training
  • Incident response readiness

Policies & Governance

• Asset management policies
• Access control and account management
• Incident response procedures
• Change management
• Security awareness training 

Technical Controls

• Asset inventory (hardware/software)
• Secure configurations and patching
• MFA and identity management
• Logging and monitoring
• Endpoint protection and network security
• Data protection and encryption

NY DFS vs HIPAA vs SOC 2 Type II vs CIS Controls

Looking to obtain one of the security frameworks above? Usherwood offers compliance services designed to help you meet regulated frameworks. To learn more about how we can support your organization, fill out a technology evaluation to get started.