- The SCF RASCI Matrix leverages the Secure Controls Framework to address all 1,400+ of its controls and the NIST NICE Cybersecurity Workforce Framework as the foundation for the work roles and work role IDs.
- The Cybersecurity Business Plan (CBP) is focused on the CISO level and is a department-level planning document
Documentation That Helps Achieve Program Governance
When you "peel back the onion", outside of policies and standards, procedures, risk management, and the other categories of documentation that ComplianceForge provides, this category of program governance was created to address products that are not directly associated with those categories but are equally important. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW the policies and standards are actually implemented. We did the heavy lifting and created several program-level documents to address this need, and the Cybersecurity Business Plan (CBP) is one of those products.
The two products in this category address the two sides of vulnerability management. The Cybersecurity Business Plan (CBP) is focused on the CISO level and is a department-level planning document. The SCF RASCI Matrix leverages the Secure Controls Framework (SCF) to address all 1,400+ of its controls and the NIST NICE Cybersecurity Workforce Framework as the foundation for the work roles and work role IDs.

Available Program Governance Products
Within this category, we currently provide two (2) products that can help build governance over your organization's cybersecurity program.


Comprehensive Coverage
Give us a call or send us an email - we are happy to help you find the right solution for your needs!
There are a lot of choices to pick from when selecting a cybersecurity framework. If you are not sure what works best for you, you can read more here. The most common frameworks are NIST 800-53, ISO 27002, the NIST Cybersecurity Framework and the Secure Controls Framework (SCF). To do NIST CSF, ISO 27002 or NIST SP 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to comply with NIST CSF vs ISO 27002 vs NIST SP 800-53, since there are significantly different levels of expectation.
It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:
- Not be considered negligent with reasonable expectations for cybersecurity & data protection;
- Comply with applicable laws, regulations and contractual obligations; and
- Implement the proper controls to secure your systems, applications and processes from reasonable threats, based on your specific business case and industry practices.
This understanding makes it easy to determine where on the "framework spectrum" (shown above) you need to focus for selecting a set of cybersecurity principles to follow. This process generally leads to selecting the NIST Cybersecurity Framework, ISO 27002, NIST SP 800-53 or SCF as a starting point.
