Information Security Directory: Purpose and Scope
The informationsecurityauthority.com directory organizes publicly available reference information about the information security sector in the United States — covering service categories, professional certifications, regulatory frameworks, and practice domains. This page defines the directory's purpose, what categories are included, the criteria applied to listing determinations, and the geographic boundaries of its scope. These parameters exist so that professionals, researchers, and service seekers can accurately assess whether this resource addresses their reference need before navigating the Information Security Listings.
Purpose of this directory
The directory functions as a structured reference index for the information security sector — not as a ranking system, advisory tool, or procurement platform. Its organizing function is to map the service landscape against established professional and regulatory categories so that readers can identify where a specific practice, framework, or credential type fits within the broader field.
Information security as a professional sector is governed by a layered set of federal frameworks, industry standards, and agency mandates. The National Institute of Standards and Technology defines information security as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (NIST SP 800-12, Rev 1). That definition provides the sector's operational boundaries and anchors the directory's subject matter scope.
Federal regulatory oversight of information security practices spans multiple agencies. The Cybersecurity and Infrastructure Security Agency (CISA) coordinates national infrastructure protection under the Cybersecurity and Infrastructure Security Agency Act of 2018. The Federal Trade Commission enforces information security obligations under Section 5 of the FTC Act for commercial entities. The Department of Health and Human Services enforces the HIPAA Security Rule (45 CFR Part 164) for covered healthcare organizations. The directory references these regulatory bodies as context for understanding which service categories operate under formal compliance obligations.
The directory does not provide legal advice, regulatory interpretations, or vendor procurement guidance. It describes publicly documented frameworks, agencies, and professional categories — not endorsements of any specific organization, product, or service.
What is included
Directory content falls into 5 primary classification areas:
- Service categories — Defined practice areas within the information security sector, including penetration testing, security operations, incident response, vulnerability management, governance and risk management, and security architecture. Each category is described against published professional standards where applicable.
- Regulatory frameworks and compliance domains — Named federal and state regulatory schemes that impose information security obligations, including HIPAA, the Gramm-Leach-Bliley Act Safeguards Rule (16 CFR Part 314), the NIST Cybersecurity Framework, FedRAMP authorization requirements, and CMMC (Cybersecurity Maturity Model Certification) for federal contractors.
- Professional certifications and credentialing bodies — Certifications issued by recognized bodies such as (ISC)², ISACA, CompTIA, SANS/GIAC, and EC-Council, with notation of the body's name, credential scope, and maintenance requirements where publicly documented.
- Threat and vulnerability categories — Structural threat classifications drawn from public sources including the MITRE ATT&CK framework, the NIST National Vulnerability Database, and OWASP published risk rankings.
- Agency and standards body references — Federal agencies, standards organizations, and oversight bodies whose published outputs shape professional and compliance practice in the sector.
Content that falls outside directory scope includes real-time threat intelligence feeds, active incident advisories, jurisdiction-specific legal opinions on state breach notification statutes, vendor product reviews, and incident response retainer service connections. For guidance on navigating the directory's structure, see How to Use This Information Security Resource.
How entries are determined
Entries in this directory are determined by 4 criteria applied consistently across all listing decisions:
- Public documentation — A service category, certification, framework, or agency must have publicly documented scope, purpose, and structure from an authoritative source. Undocumented, proprietary, or informally described categories are excluded.
- Sectoral relevance — The entry must address one or more of the security objectives of the CIA triad (confidentiality, integrity, availability) as defined by NIST, or must address a named regulatory compliance obligation with direct information security application.
- Professional or regulatory standing — Certifications are included only when issued by a named credentialing body with published examination requirements and maintenance criteria. Regulatory frameworks are included only when codified in statute, regulation, or formally published agency guidance.
- US applicability — Entries are evaluated for direct applicability to US-based organizations or practitioners. International frameworks such as ISO/IEC 27001 are included where they are widely referenced in US compliance contexts, but the directory does not purport to cover international regulatory regimes comprehensively.
Service categories that overlap or share boundaries are distinguished by their primary function. Penetration testing and vulnerability assessment, for example, are listed as separate categories despite operational overlap: penetration testing involves actively attempting to exploit identified weaknesses under defined rules of engagement, while vulnerability assessment involves systematic identification and severity classification of weaknesses without attempting to exploit them. This distinction follows the terminology used in NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment.
Geographic coverage
The directory carries national scope, covering the contiguous United States, Alaska, Hawaii, and US territories for purposes of federal regulatory applicability. State-level variation in information security law — particularly data breach notification statutes, which, per the National Conference of State Legislatures, all 50 states have enacted in some form — is acknowledged in relevant framework entries but is not adjudicated at the individual state level.
Federal frameworks referenced throughout the directory apply uniformly to covered entities and federal contractors regardless of state of operation. Sector-specific mandates — including the HIPAA Security Rule, NERC CIP standards for electric utilities, and FINRA cybersecurity guidance for broker-dealers — apply based on industry classification and federal jurisdictional reach, not state geography.
Organizations operating in multiple states or jurisdictions are responsible for evaluating their own compliance posture against applicable law. The directory identifies the regulatory categories and named frameworks that bear on information security obligations; it does not map those obligations to specific organizational configurations. Full listing details are available through the Information Security Listings index.