ComplianceForge sells cybersecurity & privacy policies, standards and procedures that are designed to be imported into a GRC platform. This is "premium GRC content" that enables you to make the most of the expensive GRC solution that you use by providing hierarchical and concise policies, control objectives, standards, guidelines, metrics, procedures, and more.
If you use the Secure Controls Framework (SCF), then you will want to buy one of these bundles, since the Digital Security Program (DSP) has 1-1 mapping between the SCF and the DSP. We sell the policies, standards, procedures & more that complement the SCF controls that you use! The DSP provides you with SCF-aligned policies, standards, guidelines, metrics, controls and capability maturity criteria. The Cybersecurity Standardized Operating Procedures (CSOP) provides you with SCF-aligned procedures/control activities. These two products alone can save you hundreds of hours of document writing and can help your organization hit the ground running with the SCF.
ComplianceForge Is A SCF Licensed Content Provider (LCP)
ComplianceForge is able to sell cybersecurity and data protection policies, standards and procedures based on the Secure Controls Framework (SCF) as an SCF Licensed Content Provider (LCP). The benefit ComplianceForge brings to operationalizing the SCF is (1) decreased cost and (2) increased speed of adoption. ComplianceForge's SCF-based policies, standards and procedures can save an organization a significant amount of money on the labor-related costs to research, write and refine cybersecurity documentation. ComplianceForge's SCF-based documentation can also be obtained the same day you purchase it, so the time savings are immense.
Secure Controls Framework (SCF)-Based Bundles To Operationalize The Secure Controls Framework (SCF)
The Digital Security Program (DSP) is a product we developed for companies that need to comply with multiple requirements, but do not want to be locked into documentation that is formatted to conform with the taxonomy of ISO 27002 or NIST 800-53. Essentially, the DSP is a "best in class" approach to security documentation. The DSP metrics come mapped to the NIST Cybersecurity Framework (CSF).
Accelerating Your Business - Mapped To Over 100 Leading Cybersecurity & Data Privacy Laws, Regulations & Frameworks!
Leveraging the Secure Controls Framework (SCF), the DSP maps over 100 cybersecurity and data privacy laws, regulations and frameworks! This includes the most common statutory, regulatory and contractual requirements that are expected from a cybersecurity & data protection program. The DSP provides the necessary policies, control objectives, standards, guidelines and metrics to operationalize the SCF for your organization!
Holistic Approach To Cybersecurity & Privacy With The SCF
The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance: we know that if you build in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally. It is composed of thirty-two (32) domains that cover the high-level topics that are expected to be addressed by cybersecurity and privacy-related statutory, regulatory and contractual obligations.
These bundles can help you operationalize your cybersecurity and privacy programs by efficiently mapping to over 100 statutory, regulatory and contractual frameworks. This will allow your cyber and privacy teams to speak the same language and more efficiently manage risks.
Understanding "How To GRC" With The Digital Security Program (DSP) & Secure Controls Framework (SCF)
The structure of the Digital Security Program is scalable to make it easy to add or remove policy sections as your business needs change. The same concept applies to standards: you can simply add/remove content to meet your specific needs. The DSP addresses the “why?” and “what?” questions, since policies and standards form the foundation for your cybersecurity program. The following two documents are well worth the time to make a pot of coffee and read through, since you will be able to understand both the structure of the documentation and how you can customize it for your specific needs.
The DSP is our recommended solution if you are currently using or plan to use a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) solution. The DSP is ready to import into your GRC/IRM instance, since it comes in both Microsoft Word and Excel formats. This makes the import from Excel straightforward, which then allows you to do any customization and collaboration directly from your GRC portal.
Guide To Using The DSP & SCF
Understanding "How To GRC"
Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use the DSP! While the DSP does come in Microsoft Word like the CDPP, the included Excel version of the DSP comes with the following content so it is easy to import into a GRC/IRM solution:
Cybersecurity & Data Privacy Policies, Standards, Controls & Metrics For A Modern Company - Hierarchical & Scalable!
ComplianceForge provides organizations with exactly what they need to protect themselves: professionally written cybersecurity policies, control objectives, standards, controls, procedures and guidelines at a very affordable cost. The DSP can be found in medium and large organizations that range from Fortune 500 companies to US and international government agencies, universities and other organizations that have complex compliance requirements and need an efficient, scalable solution for their Governance, Risk & Compliance (GRC) needs.
The Digital Security Program (DSP) is footnoted to provide authoritative references for the statutory, regulatory and contractual requirements that need to be addressed. Just as Human Resources publishes an “employee handbook” to let employees know what is expected of them from an HR perspective, the DSP does this from a cybersecurity perspective.
DSP / SCF Bundles Cover 33 Domains - Each Domain Contains One Unique Policy In The DSP
The DSP contains thirty-three (33) unique domains that cover a modern cybersecurity & privacy program. Each of these 33 policies is supported by standards that provide the granular requirements necessary to enforce the policy (examples of what these policies and standards look like are available on the DSP product page). The 33 policies that make up the DSP are listed below with their policy number, name, identifier and intent:
1. Security & Privacy Governance (GOV): The GOV policy is focused on helping an organization specify the development of an organization’s security and privacy programs, including criteria to measure success, to ensure ongoing leadership engagement and risk management.
2. Artificial Intelligence & Autonomous Technologies (AAT): The AAT policy is focused on ensuring trustworthy and resilient Artificial Intelligence (AI) and autonomous technologies to achieve a beneficial impact by informing, advising or simplifying tasks.
3. Asset Management (AST): The AST policy is focused on helping an organization ensure technology assets are properly managed throughout the lifecycle of the asset, from procurement through disposal, ensuring only authorized devices are allowed to access the organization’s network and protecting the organization’s data that is stored, processed or transmitted on its assets.
4. Business Continuity & Disaster Recovery (BCD): The BCD policy is focused on helping an organization establish processes that will help the organization recover from adverse situations with minimal impact to operations, as well as provide the ability for e-discovery.
5. Capacity & Performance Planning (CAP): The CAP policy is focused on helping an organization prevent avoidable business interruptions caused by capacity and performance limitations by proactively planning for growth and forecasting, as well as requiring both technology and business leadership to maintain situational awareness of current and future performance.
6. Change Management (CHG): The CHG policy is focused on helping an organization ensure both technology and business leadership proactively manage change. This includes the assessment, authorization and monitoring of technical changes across the enterprise so as to not impact production system uptime, as well as to allow easier troubleshooting of issues.
7. Cloud Security (CLD): The CLD policy is focused on helping an organization govern the use of private and public cloud environments (e.g., IaaS, PaaS and SaaS) to holistically manage risks associated with third-party involvement and architectural decisions, as well as to ensure the portability of data to change cloud providers, if needed.
8. Compliance (CPL): The CPL policy is focused on helping an organization ensure controls are in place to be aware of and comply with applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards.
9. Configuration Management (CFG): The CFG policy is focused on helping an organization establish and maintain the integrity of systems. Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code.
10. Continuous Monitoring (MON): The MON policy is focused on helping an organization establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have “blind spots” in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources.
11. Cryptographic Protections (CRY): The CRY policy is focused on helping an organization ensure the confidentiality of the organization’s data by implementing appropriate cryptographic technologies to protect systems and data.
12. Data Classification & Handling (DCH): The DCH policy is focused on helping an organization ensure that technology assets, both hardware and media, are properly classified and that measures are implemented to protect the organization’s data from unauthorized disclosure, regardless of whether it is being transmitted or stored. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data.
13. Embedded Technology (EMB): The EMB policy is focused on helping an organization specify the development, proactive management and ongoing review of the security of embedded technologies, including hardening of the “stack” from the hardware, to firmware, software, transmission and service protocols used for Internet of Things (IoT) and Operational Technology (OT) devices.
14. Endpoint Security (END): The END policy is focused on helping an organization ensure that endpoint devices are appropriately protected from security threats to the device and its data. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect confidentiality, integrity, availability and safety considerations.
15. Human Resources Security (HRS): The HRS policy is focused on helping an organization create a security and privacy-minded workforce and an environment that is conducive to innovation, considering issues such as culture, reward and collaboration.
16. Identification & Authentication (IAC): The IAC policy is focused on helping an organization implement the concept of “least privilege” by limiting access to the organization’s systems and data to authorized users only.
17. Incident Response (IRO): The IRO policy is focused on helping an organization establish and maintain a capability to guide the organization’s response when security or privacy-related incidents occur and to train users how to detect and report potential incidents.
18. Information Assurance (IAO): The IAO policy is focused on helping an organization ensure that security and controls are adequate and appropriate in both development and production environments.
19. Maintenance (MNT): The MNT policy is focused on helping an organization ensure that technology assets are properly maintained to ensure continued performance and effectiveness. Maintenance processes apply additional scrutiny to the security of end-of-life or unsupported assets.
20. Mobile Device Management (MDM): The MDM policy is focused on helping an organization govern risks associated with mobile devices, regardless of whether the device is owned by the organization, its users or trusted third parties. Wherever possible, technologies are employed to centrally manage mobile device access and data storage practices.
21. Network Security (NET): The NET policy is focused on helping an organization ensure sufficient security and privacy controls are architected to protect the confidentiality, integrity, availability and safety of the organization’s network infrastructure, as well as to provide situational awareness of activity on the organization’s networks.
22. Physical & Environmental Security (PES): The PES policy is focused on helping an organization minimize physical access to the organization’s systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats.
23. Privacy (PRI): The PRI policy is focused on helping an organization align privacy engineering decisions with the organization’s overall privacy strategy and industry-recognized leading practices to secure Personal Information (PI) in a way that implements the concept of privacy by design and by default.
24. Project & Resource Management (PRM): The PRM policy is focused on helping an organization ensure that security-related projects have both resource and project/program management support to ensure successful project execution.
25. Risk Management (RSK): The RSK policy is focused on helping an organization ensure that security and privacy-related risks are visible to and understood by the business unit(s) that own the assets and/or processes involved. The security and privacy teams only advise and educate on risk management matters, while it is the business units and other key stakeholders who ultimately own the risk.
26. Secure Engineering & Architecture (SEA): The SEA policy is focused on helping an organization align cybersecurity engineering and architecture decisions with the organization’s overall technology architectural strategy and industry-recognized leading practices to secure networked environments.
27. Security Operations (OPS): The OPS policy is focused on helping an organization ensure appropriate resources and a management structure exist to enable the service delivery of cybersecurity operations.
28. Security Awareness & Training (SAT): The SAT policy is focused on helping an organization develop a security and privacy-minded workforce through continuous education activities and practical exercises, in order to refine and improve on existing training.
29. Technology Development & Acquisition (TDA): The TDA policy is focused on helping an organization ensure that security and privacy principles are implemented into any products/solutions that are either developed internally or acquired, to make sure that the concepts of “least privilege” and “least functionality” are incorporated.
30. Third-Party Management (TPM): The TPM policy is focused on helping an organization ensure that security and privacy risks associated with third parties are minimized and enable measures to sustain operations should a third party become defunct.
31. Threat Management (THR): The THR policy is focused on helping an organization establish a capability to proactively identify and manage technology-related threats to the security and privacy of the organization’s systems, data and business processes.
32. Vulnerability & Patch Management (VPM): The VPM policy is focused on helping an organization proactively manage the risks associated with technical vulnerability management, which includes ensuring good patch and change management practices are utilized.
33. Web Security (WEB): The WEB policy is focused on helping an organization address the risks associated with Internet-accessible technologies by hardening devices, monitoring system file integrity, enabling auditing, and monitoring for malicious activities.
Security & Privacy Capability Maturity Model (SP-CMM)
One of the most common ways for a security program to justify budget needs is through metrics reporting. The DSP can help you leverage the Systems Security Engineering Capability Maturity Model (SSE-CMM) with the Secure Controls Framework's Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM). We avoided re-inventing the wheel and simply created an enterprise-class product that can help your organization rapidly advance its capability maturity to a CMM level 4 or beyond!
Digital Security Plan (DSP) Bundle #1 - SCF-Aligned Policies, Standards & Procedures (25% Discount)
This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing the Secure Controls Framework...
Digital Security Plan (DSP) Bundle #2 - ENHANCED DIGITAL SECURITY (35% Discount)
This is a bundle that includes the following seven (7) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF):
Digital...
Digital Security Plan (DSP) Bundle #3 - ROBUST DIGITAL SECURITY (45% Discount)
This is a bundle that includes the following thirteen (13) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF):
Digital...