Policy, Standards, Controls & Metrics Template - DSP / SCF

Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics.

Product Walkthrough Video

This short product walkthrough video is designed to give a brief overview about what the DSP is to help answer common questions we receive.

What Is The Digital Security Program (DSP)?

The DSP is an enterprise-class solution for cybersecurity & data privacy documentation consisting of thirty-three (33) domains that defines a modern, digital security program. Specifically:

• Policies 
• Control objectives
• Standards
• Guidelines
• Controls (Secure Controls Framework)
• Metrics 

Nested within these thirty-three (33) policies are the control objectives, standards, guidelines, metrics & more that enable you to govern your cybersecurity & data privacy program. The DSP was developed to meet the need for growing organizations that want to avoid being locked into alignment with a single framework or have complex compliance requirements that span multiple frameworks. This approach is a "best in class" hybrid framework structure that provides you with the ability to align with multiple frameworks in an efficient and scalable manner. 

The DSP leverages the Secure Controls Framework (SCF), which is a metaframework that map to over 100 cybersecurity & data privacy laws, regulations and frameworks. The SCF's integration into the DSP provides mapped risks, threats, maturity criteria and much more to make it the most robust solution on the market!

The DSP's policies & standards have direct, 1-1 mapping to the SCF's controls. The DSP leverages several key SCF components to provide “more than just policies & standards” by incorporating maturity criteria, a threat catalog, a risk catalog and more! The DSP provides invaluable content to operationalize several of the SCF's notable capabilities:

• Cybersecurity & Data Privacy (C|P) Principles
• Data Privacy Management Principles (DPMP)
• Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM) 
• Cybersecurity & Data Privacy Risk Management Model (C|P-RMM)

What Problems Does The DSP Solve?  

• Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The DSP is an efficient method to obtain comprehensive security policies, standards, controls and metrics for your organization!
• Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The DSP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements.
• Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The DSP's standards provides mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.  
• Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The DSP provides this evidence!

How Does the DSP Solve These Problems?

• Clear Documentation - The DSP provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
• Time Savings - The DSP can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs. 
• Alignment With Leading Practices - The DSP is written to support over one hundred laws, regulations and industry frameworks! 

The DSP and its corresponding Cybersecurity Operating Procedures (CSOP), come together to provide "premium GRC content" that enables an organization to establish or refresh its GRC practices. The following documents are valuable resources to justify purchasing the DSP to advance your GRC practices:

• ComplianceForge Reference Model – Hierarchical Cybersecurity Governance Framework – Level setting on how the various types of documentation support each other. This provides insights into the definitions used, since there is a tendency within the industry to abuse definitions around policy, standard, procedure, etc. This is the hierarchical structure we follow to build our content so it is scalable and based on industry practices.
• Integrated Controls Management (ICM) - This is a "how to GRC playbook" that can help you establish the steps necessary to design, build and implement viable GRC processes. These are the steps we will tell you to follow if we were brought in to provide professional services. This helps explain further integration between the policies and standards within the DSP, corresponding procedures within the CSOP and controls from the SCF.
• Instructions & Best Practices For Using The DSP – This is a "start here" guide for using the DSP that provides a baseline for what the DSP's documentation components are and how to tailor the DSP for your specific needs.
• Security Metrics Reporting Model (SMRM) – This is the metrics model we developed as a way to leverage the built-in metrics that come as part of the DSP.
• DSP & CSOP Content Examples - This is a content example that shows two side-by-side examples from policies all the way to metrics.
• Unified Scoping Guide (USG) – Understanding control applicability is important and this scoping guide is designed to address any type of sensitive or regulated data so the appropriate controls can be applied.

Similar to our framework-specific Cybersecurity & Data Protection Program (CDPP) products, the DSP provides alignment with the underlying cybersecurity standards that must be complied with, as stipulated by statutory, regulatory and contractual requirements. However, the DSP provides robust coverage for over 100 laws, regulations and other cybersecurity and privacy frameworks. The DSP is essentially a "superset" of ISO 27002, NIST CSF, NIST 800-171, NIST 800-53 and other frameworks for organizations that do not want to be locked into alignment with just one framework [scroll to the bottom of the page to see a list of everything the DSP currently maps to]. 

Accelerating Your Business - Mapped To Over 100 Leading Cybersecurity & Data Privacy Laws, Regulations & Frameworks! 

Leveraging the Secure Controls Framework (SCF), the DSP maps over 100 cybersecurity and data privacy laws, regulations and frameworks! This includes the most common statutory, regulatory and contractual requirements that are expected from a cybersecurity & data protection program. The DSP provides the necessary policies, control objectives, standards, guidelines and metrics to operationalize the SCF for your organization!

Cybersecurity & Data Privacy Policies, Standards, Controls & Metrics For A Modern Company - Hierarchical & Scalable!

ComplianceForge provides organizations with exactly what they need to protect themselves - professionally written cybersecurity policies, control objectives, standards, controls, procedures and guidelines at a very affordable cost. The DSP can be found in medium and large organizations that range from Fortune 500 companies, to US and international government agencies, universities and other organizations that have complex compliance requirements and need an efficient, scalable solution for their Governance, Risk & Compliance (GRC) needs.

The Digital Security Program (DSP) is footnoted to provide authoritative references for the statutory, regulatory and contractual requirements that need to be addressed. Just as Human Resources publishes an “employee handbook” to let employees know what is expected for employees from a HR perspective, the DSP does this from a cybersecurity perspective.

The Cybersecurity Standardized Operating Procedures (CSOP) is available that provides mapped procedures to the DSP's standards. This is a 1-1 mapping with a procedure for each standard.

Operationalize Cybersecurity & Data Privacy By Design

It is possible to visualize the Digital Security Program (DSP) as a buffet of cybersecurity and privacy policies, standards, controls and metrics. Once you determine what statutory, regulatory and contractual obligations are applicable to your organization, it is straightforward to identify a customized control set that is specific to your unique compliance obligations. This idea of building in cybersecurity and privacy requirements into your governance program is Security by Design (SbD) and Privacy by Design (PbD), where the obligations are understood before projects/initiatives commence, so that secure solutions can be designed, implemented and maintained. The DSP forms the cornerstone of your security and privacy program.  

	Security by Design (SbD) requirements come from numerous sources. In this context, some of the most important cybersecurity frameworks are: Cybersecurity Maturity Model Certification (CMMC) International Organization for Standardization (ISO) National Institute for Standards & Technology (NIST) US Government (HIPAA, FedRAMP, DFARS, FAR & FTC Act) Information Systems Audit and Control Association (ISACA) Cloud Security Alliance (CSA) Center for Internet Security (CIS) Open Web Application Security Project (OWASP) Payment Card Industry Data Security Standard (PCI DSS) European Union General Data Protection Regulation (EU GDPR)
	Similar to SbD, Privacy by Design (PbD) requirements come from numerous sources. In this context, some of the most important privacy frameworks are: Generally Accepted Privacy Principles (GAPP) Fair Information Practice Principles (FIPPs) Organization for the Advancement of Structured Information Standards (OASIS) International Organization for Standardization (ISO) National Institute for Standards & Technology (NIST) Information Systems Audit and Control Association (ISACA) European Union General Data Protection Regulation (EU GDPR) US Government (OMB, HIPAA & FTC Act)

Understanding "How To GRC" With The Digital Security Program (DSP) & Secure Controls Framework (SCF)

ComplianceForge, in conjunction with the Secure Controls Framework (SCF), literally wrote the book on "how to do GRC" by establishing the Integrated Controls Management (ICM) that is a principle-based approach to Governance, Risk & Compliance (GRC) operations. The ICM Overview document (shown below) is a great starting place to understand how the DSP can help your organization to designing, implementing and managing a security and privacy program that incorporates requirements to be both secure and compliant. This approach leverages the "Deming Cycle" of Plan, Do, Check and Act (PDCA) for continuous improvement. 

Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements. The approach looks at the following spheres of influence to identify applicable controls:

• Statutory - these are US state, federal and international laws.
• Regulatory - these are requirements from regulatory bodies or governmental agencies.
• Contractual - these are requirements that are stipulated in contracts, vendor agreements, etc.
• Industry-Recognized Practices - these are requirements that are based on an organization’s specific industry, where "industry norms" are established for what constitutes reasonable practices.

There are eight (8) principles associated with ICM that are fully-supported by the DSP to develop, implement and maintain a secure and compliant security and privacy program:

1. Establish Context
2. Define Applicable Controls
3. Assign Maturity-Based Criteria
4. Publish Policies, Standards & Procedures
5. Assign Stakeholder Accountability
6. Maintain Situational Awareness
7. Manage Risk
8. Evolve Processes

The structure of the Digital Security Program is scalable to make it is easy to add or remove policy sections, as your business needs change. The same concept applies to standards – you can simply add/remove content to meet your specific needs. The DSP addresses the “why?” and “what?” questions, since policies and standards form the foundation for your cybersecurity program. The following two documents shown below are well worth the time to make a pot of coffee and read through, since you will be able to understand both the structure of the documentation and how you can customize it for your specific needs. 

Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use the DSP! While the DSP does come in Microsoft Word like the CDPP, the included Excel version of the DSP comes with the following content so it is easy to import into a GRC/IRM solution:

• Policy statements
• Policy intent
• Control objectives
• Standards
• Guidance
• Controls (Secure Controls Framework)
• Risk catalog
• Threat catalog
• Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM) criteria
• Metrics - including suggested Key Performance Indicators (KPIs) & Key Risk Indicators (KRIs)
• Indicators of Compromise (IoC)
• Indicators of Exposure (IoC)
• Target Audience Applicability
• Scoping - Basic or Enhanced Requirement
• Recommended roles / teams with responsibility for each standard.

The DSP is our recommended solution if you are currently using or plan to use a  Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) solution. The DSP is ready to import into your GRC/IRM instance, since it comes in both Microsoft Word and Excel formats. This makes the import from Excel straightforward and that allows you to then do you any customization and collaboration directly from your GRC portal.

Guide To Using The DSP & SCF		Understanding "How To GRC"

Example Digital Security Program (DSP)

Our customers choose the Digital Security Program (DSP) because they need a scalable and comprehensive solution. The DSP is a hybrid, "best in class" approach to cybersecurity documentation that covers dozens of statutory, regulatory and contractual frameworks to create a comprehensive set of cybersecurity policies, standards, controls and metrics. The DSP has a 1-1 mapping relationship with the Secure Controls Framework (SCF) so it maps to over 100 leading practices! To understand the differences between the DSP and CDPP, please visit here for more details.

View Product Examples

What Is Included With The DSP?

Cost Savings Estimate For The Digital Security Program (DSP) - A Fraction Of The Time & Expense 

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the DSP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

• For your internal staff to generate comparable documentation, it would take them an estimated 900 internal staff work hours, which equates to a cost of approximately $90,000 in staff-related expenses. This is about 12-24 months of development time where your staff would be diverted from other work.
• If you hire a consultant to generate this documentation, it would take them an estimated 800 consultant work hours, which equates to a cost of approximately $260,000. This is about 6-12 months of development time for a contractor to provide you with the deliverable.
• The DSP is approximately 4% of the cost for a consultant or 12% of the cost of your internal staff to generate equivalent documentation.
• We process most orders the same business day so you can potentially start working with the DSP the same day you place your order.

The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed.

33 Domains - One Policy For Each Domain

The DSP contains thirty-three (33) unique domains that cover a modern cybersecurity & privacy program. Each of these 33 policies are supported by standards that provide the granular requirements necessary to enforce these standards (examples of what these policy and standards look like are available in the next section below this chart). The 32 policies that make up the DSP are: 

Before You "Can Move The Needle" You Need A Needle - Metrics Are Included In The DSP!

The DSP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.

In addition to being a hybrid model that is made up of leading security frameworks, we also added in features that are not available in the Cybersecurity & Data Protection Program (CDPP), namely mapped controls and metrics. This equates to a potential time savings of hundreds of hours, based on how much work goes into not only creating controls and worthwhile metrics, but mapping those back into your organizations policies and standards.

One special aspect of the DSP is while it comes in Microsoft Word format, it also comes in Microsoft Excel so that it is easy to import into a GRC solution (e.g., SCFConnect, Ostendio, ZenGRC (RiskOptics), SimpleRisk, LogicGate, Ignyte Assurance Platform, Archer, RSAM, MetricStream, etc.)! This is an ideal solution for companies that either currently use a GRC solution or are exploring the use of one. The time savings can equate to a saving of tens of thousands of dollars in customizing "out of the box" documentation from these tools. 

If you are interested in learning more, there is a product walk-through video and other helpful documentation, so keep reading or contact us so we can help answer your specific questions.

Digital Security - The Evolution of Security

If you are reading this, you are likely familiar with how “IT Security,” “Information Security,” and “Cybersecurity” are used interchangeably by most people. However, these terms do have meaning and as you “peel back the onion” on terminology you will see that “Digital Security” is the new leading terminology to describe the entire security ecosystem. This term has evolved to be all-encompassing, since it addresses technology, information, physical security, privacy and safety.

Product Hierarchy & Interactions

The diagram below helps visualize how the DSP exists at a strategic level to define the "what" and "why" requirements to be secure and compliant. Those foundational policies and standards influence every other component of your cybersecurity and data protection program.

Safety Component - One Benefit of Thinking Digital

For years, the “CIA Triad” stood as the foundation for what a security program was designed to address – the Confidentiality, Integrity and Availability of both systems and data. That has now changed, since there are real-world safety considerations from Operational Technology (OT) and the Internet of Things (IoT). This has caused the evolution of the CIA Triad into the Confidentiality, Integrity, Availability and Safety (CIAS) model.

The DSP is designed around the CIAS model by adopting the best of leading security frameworks.

Steps To Using The DSP To Obtain CMM4 Maturity (Metrics-Driven)

It is a simple fact that technology and cybersecurity departments are not revenue-generating. These cost centers must continuously demonstrate value to justify current and future budgets. While many boards of directors and executive management provide initial security budget funding based on Fear, Uncertainty & Doubt (FUD), there is an eventual need to demonstrate a Security Return on Investment (SROI). Without this return on investment, budgets are hard to justify and capabilities suffer.

The most common ways for a security program to justify budget needs is through metrics reporting. The DSP can help you leverage the Systems Security Engineering Capability Maturity Model (SSE-CMM) with the Secure Control Framework's Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM). We avoided re-inventing the wheel and simply created an enterprise-class product that can help your organization rapidly advance its capability maturity to a CCM 4 levell or beyond! 

Hierarchical Approach - Built To Scale & Evolve With Your Business 

Our experience has proven that when it comes to Information Security policies, a standard is a standard for a reason. With that in mind, our Cybersecurity & Data Protection Program (CDPP) is based on industry-recognized best practices and Information Security standards so that you can meet your legal requirements. Unlike some competitor sites that offer “Bronze, Silver or Gold” packages that may leave you critically exposed, we offer a comprehensive Information Security solution to meet your specific compliance requirements. Why is this? It is simple - in the real world, compliance is penalty-centric. Courts have established a track record of punishing businesses for failing to perform “reasonably expected” steps to meet compliance with known standards. 

The Cybersecurity & Data Protection Program (CDPP) follows a hierarchical approach to how the structure is designed so that standards map to control objectives and control objectives map to policies. This allows for the standards to be logically grouped to support the policies.

Security Metrics Reporting Model

The ComplianceForge Security Metrics Reporting Model™ (SMRM) takes a practical view towards implementing a sustainable metrics reporting capability. At the end of the day, executive management (e.g., CIO, CEO, Board of Directors (BoD), etc.) want an answer to a relatively-straightforward question: “Are we secure?” In order for a CISO to honestly provide an answer, it requires a way for the CISO to measure and quantify an “apples and oranges” landscape where processes and technologies lack both uniform risk weighting and abilities to capture metrics. The SMRM helps solve this aspect of dissimilarity by utilizing a weighted approach to metrics that generate Key Performance Indexes (KPXs) as a way to logically-organize and report individual metrics. Using KPX enables the SMRM to provide a reasonable and defendable answer.

The “Are we secure?” question is best answered as a numerical score. This quantifiable score is used to visualize the score against a numerical spectrum to provides context, based on the risk profile of the organization. The numerical score would land between “not secure” and “secure” on the spectrum, according to a baseline score definition that would be specific to the organization. This can provide long-term trending to evaluate the direct impact of certain security initiatives. The SMRM can be automated in a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform, but it comes as a Microsoft Excel spreadsheet as part of ComplianceForge’s Digital Security Program (DSP). The “Are we secure?” question can be both tracked to display trending and drilled down into KPXs, or individual metrics, to identify why the score changed.

Key Performance Index (KPX) is essentially a term that we use to normalize the various metrics in each category. One area of contention with metrics is defining what a KPI or KRI is since people tend to butcher the terminology. Our approach to defining those terms are shown below:

Key Performance Indexes (KPXs)
KPXs are logical groupings of KPIs that allow an organization to monitor an index of metrics about a specific capability or team.

• KPXs are used to answer the question, “Is the XYZ capability operating effectively?” where that capability is an aggregation of multiple individual metrics.
• KPXs may be weighted to highlight risk-heavy topics of concern.
• KPXs may be nested underneath other KPXs to report the hierarchical nature of metrics that help answer the question of “Are we secure?”

KPIs and KRIs are not hierarchical metrics, but are individual metrics that are deemed important to monitor, based on the specific risk or value associated with that metric:

Key Performance Indicators (KPIs)

• KPIs are “rearward facing” and focus on historical trending to evaluate performance.
• KPIs should not be weighted.
• KPIs are indicators that enable an organization to monitor its progress towards achieving its defined performance targets.
• KPIs are used to answer the question, “Are we achieving our desired levels of performance?” for a specific control.

Key Risk Indicators (KRIs)

• KRIs are “forward facing” and focus on identifying a future-looking trend that impacts risk.
• KRIs should not be weighted.
• KRIs are indicators that enable an organization to define its risk profile and monitor changes to that profile.
• KRIs are used to answer the question, “Are we within our desired risk tolerance level?” for a specific control.

The metrics shown in this model are included in DSP. ComplianceForge does not sell the SMRM, KPIs, KRIs on their own, since the metrics are part of the DSP solution. With the 1-1 mapping relationship between the DSP and the Secure Controls Framework (SCF), the DSP can help operationalize the SCF controls in a meaningful and efficient manner, so that is something to consider for organizations that want to fully adopt the SCF as its control structure and maximize its effectiveness.

Being transparent on the subject, the entire point of a "canned solution" for metrics is to provide a starting point where someone else does the heavy lifting for you to get to a 70-80% solution that someone within your organization can then run with to customize for your specific needs. This is where ComplianceForge is a business accelerator - we enable you to hit the ground running with your cybersecurity documentation that can takes months or years to create on your own. The "heavy lifting" of the equation is what we provide, not the finalized metrics product. That is really where the demarcation is between what ComplianceForge offers for metrics and how an organization would customize the remaining since you have the organization-specific knowledge side of the metrics equation that cannot be templatized.

More Examples

While nearly all organizations have “security policies” in place, it is a sad reality that many are outdated, improperly scoped, and inadvertently add to technical debt. Quite simply, most security policies were never designed to scale as the organization grows or technologies evolve and are more of a liability than benefit. If that is your organization, the DSP can be a “quick win” to dramatically advance the maturity of your security program.

The DSP is a different animal – it is built to scale and adapt to the needs of the organization. The modular nature of the DSP means that each policy has its own standards, all the way down to controls and metrics. This hierarchical nature makes mapping metrics to policies a breeze, due to the logical organization of the documentation.

[click to see an example of the Excel content] 

“GOLDILOCKS” CONTROLS – NOT TOO BIG AND NOT TOO SMALL. JUST RIGHT.

The DSP uses the NIST Cybersecurity Controls Framework (CSF) version 1.1 for its metrics reporting model, so the controls are aligned with a leading framework for expected security controls. Key controls are identified from this control set and metrics are mapped to these controls. Again, being Excel it is editable for your needs.

[click to see an example of the Excel content]

Creating A Cybersecurity Program Based On Multiple Leading Frameworks Is Achievable With A Metaframework!

The DSP uses the latest version of the Secure Controls Framework (SCF) for mapping to leading cybersecurity & data privacy laws, regulations and frameworks. The DSP comes with an Excel spreadsheet that provides the mapping for the standards to these references. The DSP currently maps to well over 100 frameworks that includes mapped coverage of the following cybersecurity and data privacy-related statutory, regulatory and contractual frameworks:

Optional Professional Services (Add On)

ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at: www.complianceforge.com/contact-us/.

We offer our professional services in bundles of: five (5), ten (10) & twenty (20) hours.

Purchased professional service hours will expire after 120 days (4 months) from the time of purchase before they expire.