Cybersecurity Control Applicability: People, Processes, Technologies, Data & Facilities (PPTDF)

The Secure Controls Framework (SCF) takes a rational approach to control applicability: each cybersecurity and data protection control primarily applies to one (1) of the following five (5) functions:

  1. People - The control directly applies to humans (e.g., training, background checks, non-disclosure agreements, etc.).
  2. Processes - The control directly applies to administrative work performed (e.g., processes, procedures, administrative documentation, etc.).
  3. Technologies - The control directly applies to systems, applications and services (e.g., secure baseline configurations, patching, etc.).
  4. Data - The control directly applies to data protection (e.g., encrypting sensitive and/or regulated data, applying metatags, etc.).
  5. Facilities - The control directly applies to infrastructure assets (e.g., physical access, HVAC systems, visitor control, etc.).

While the importance of robust cybersecurity controls cannot be overstated, the applicability of those controls is sometimes in question. These examples help demonstrate the applicable nature of controls:

[Figure: Cybersecurity People, Processes, Technology, Data and Facilities (PPTDF)]

The PPTDF model, encompassing People, Processes, Technologies, Data and Facilities, provides a comprehensive approach to cybersecurity control applicability, as described below:

People

People are often considered the weakest link in cybersecurity. Human error, negligence, or malicious intent can lead to significant vulnerabilities. To mitigate these risks, organizations implement human-specific controls such as:

Processes

Effective cybersecurity processes are essential for identifying, responding to, and mitigating threats. Common processes that exist as controls include:

Technologies

The technological aspect of cybersecurity involves deploying and configuring tools to protect against threats. Common technologies that exist as controls include:

Data

Data is at the heart of the PPTDF model, making data protection the central focus of cybersecurity controls. Many types of data are considered sensitive/regulated, including but not limited to:

These data types have specific controls that are dictated by applicable laws, regulations or contractual obligations. These controls include:

Facilities

Physical security is often overlooked but plays a crucial role in overall cybersecurity and data protection. Common physical controls include:

The PPTDF model shows that a multi-faceted approach to control applicability is indispensable for creating a resilient defense against a myriad of physical and cyber threats. A proactive stance in implementing and refining these controls will be crucial in securing the ever-expanding digital frontier.
