Operationalizing Cybersecurity & Data Privacy by Design
Holistic Approach To Cybersecurity & Privacy Controls
When you properly design, build and maintain with security in mind, compliance is a natural byproduct. That goes for both cybersecurity and privacy needs. For a lot of organizations, that is merely lip-service, but at ComplianceForge, we found a way to help operationalize security and privacy controls in an efficient, scalable manner. Our solution is the Digital Security Program (DSP) that leverages the Secure Controls Framework (SCF). This combination allows an organization to have a "full stack" of security and privacy documentation.
Our solution is designed for "digital security," which is essentially a superset of common cybersecurity requirements. This approach also builds in privacy considerations so that an organization can ensure that both cybersecurity and privacy principles are addressed by design and by default. With requirements for security and privacy to be "baked in" in order to comply with EU GDPR and other statutory and regulatory obligations, this is a topic that is here to stay. The problem for most organizations is figuring out the most efficient and cost-effective way to accomplish it.
What Is The SCF?
The acronym SCF refers to the Secure Controls Framework. The SCF is a Common Controls Framework (CCF): a comprehensive cybersecurity and data privacy control framework designed to help organizations implement and manage information security, risk management and compliance requirements.
The SCF is a metaframework: a catalog of controls derived from over 100 cybersecurity and data privacy laws, regulations and frameworks. This control catalog contains roughly 1,200 controls and is logically organized into 33 domains. The structure of the SCF normalizes disparate control language into something that is usable across technology, cybersecurity, privacy and other departments, so that they can share the same control language. The SCF enables not only intra-organization standardization, but inter-organization standardization, where control GOV-03 means the same thing to one organization as it does to any other organization using the SCF.
The SCF is a more efficient way to operationalize cybersecurity and data privacy operations by simplifying the underlying controls that power an organization’s cybersecurity program. The SCF provides a straightforward and scalable method to define those “must have” and “nice to have” requirements in a holistic control set that operationalizes cybersecurity operations, risk management and third-party governance. There is no cost to use the SCF, and quite a few Governance, Risk and Compliance (GRC) platforms natively support the SCF as a built-in control set.
The “sweet spot” for the SCF is medium to large organizations, but it has been successfully used by small organizations. Any organization with complex compliance requirements can benefit from using the SCF. We are just trying to make it easier for cybersecurity practitioners to do their jobs, since we all benefit from organizations having better security practices in place.
SCF is used by organizations to:
Align cybersecurity and data protection controls with an expansive catalog of laws, regulations and frameworks;
Provide a streamlined set of actionable security controls to address its specific compliance, security and resiliency needs; and
Support risk management and continuous monitoring programs.
The SCF is much more than just a cybersecurity control set, since the SCF has:
Control weighting to help understand risk, since not all controls are the same;
A risk management model to enable holistic risk management practices at the control level;
An Evidence Request List (ERL) to define the assessment artifacts that would reasonably be expected to satisfy controls; and
Assessment Objectives (AOs) to help provide objective criteria that can be used to assess controls.
ComplianceForge Is An SCF Licensed Content Provider (LCP)
ComplianceForge is able to sell cybersecurity and data protection policies, standards and procedures based on the Secure Controls Framework (SCF) as an SCF Licensed Content Provider (LCP). The benefit ComplianceForge brings to operationalizing the SCF is (1) decreased cost and (2) increased speed of adoption. ComplianceForge's SCF-based policies, standards and procedures can save an organization a significant amount of money in the labor-related costs to research, write and refine cybersecurity documentation. ComplianceForge's SCF-based documentation can also be obtained the same day you purchase it, so the time savings are immense.
The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance - we know that if you build in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally. Controls are often a missing piece in a company's cybersecurity program, or controls exist in "compliance islands" where the controls are only applicable to certain compliance requirements, such as SOX, PCI DSS or NIST 800-171. That might be easy from a compliance perspective, but it is not good security. The SCF is designed to help companies be both secure and compliant.
If you are not familiar with the SCF, it was developed with the ambitious goal of providing a comprehensive catalog of cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin. ComplianceForge is proud to be one of the founding supporters of the SCF. By using the SCF, your IT, cybersecurity, legal and project teams can speak the same language about controls and requirement expectations!
The Secure Controls Framework (SCF) is an open source project that provides free cybersecurity and privacy controls for business. The SCF focuses on internal controls, which are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.
Where the SCF is truly unique is its industry-agnostic focus on both security and privacy controls, which creates a hybrid that makes up for the shortcomings of the leading frameworks.
Documentation Done Right - Our Solution Is Designed To Be Scalable, Comprehensive & Efficient
We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with ISO 27002, NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks.
Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation, which you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist between them. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.
Focus On What Matters - Data-Centric Approach To Governing People, Processes, Technologies, Data & Facilities
It is important to understand that controls exist to protect an organization’s data. In support of this concept of being data-centric, look at the example of asset management requirements in terms of cybersecurity and privacy – those administrative, technical and physical security controls do not primarily exist to protect the inherent value of the asset, but the data it contains, because assets are merely data containers. Assets, such as laptops, servers and network infrastructure are commodities that can be easily replaced, but the data cannot. This mindset of being data-centric is crucial to understand when developing, implementing and governing a cybersecurity and privacy program.
While most organizations do not have a Data Centric Architecture (DCA), based on technical debt and legacy processes, it is possible to implement Data Centric Security (DCS) that can put the organization on a path to building a DCA. This all comes down to designing, implementing and managing the appropriate cybersecurity and privacy controls that govern people, processes and technology. This is where the DSP and SCF can be invaluable.
Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements. The approach looks at the following spheres of influence to identify applicable controls:
Statutory Obligations - These are US state, federal and international laws
Regulatory Obligations - These are requirements from regulatory bodies or governmental agencies
Contractual Obligations - These are requirements that are stipulated in contracts, vendor agreements, etc.
Industry-Recognized Leading Practices - These are requirements that are based on an organization’s specific industry.
For years, the "CIA Triad" defined the pillars of cybersecurity. Things have changed and it is now the "CIAS Quadrant" that governs the reasons for implementing cybersecurity and privacy controls. These four pillars are Confidentiality, Integrity, Availability and Safety. The DSP & SCF can help you implement these four principles of cybersecurity and privacy in your organization!
CONFIDENTIALITY - Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.
INTEGRITY - Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
AVAILABILITY - Availability addresses ensuring timely and reliable access to and use of information.
SAFETY - Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.
Need Control Activities For Your Controls?
ComplianceForge offers a version of our Cybersecurity Standardized Operating Procedures (CSOP) that provides control activities (e.g., procedure statements) with a 1-1 mapping to the DSP & SCF. This is a potential time savings of hundreds of hours of work, since you do not have to reinvent the wheel by writing your own procedures to address SCF controls.
Operationalize The SCF & Save Up To 45% With A Bundle!
We have a few discounted bundles specifically tailored for clients who want to operationalize the SCF, but we can always make a custom package for you. Just give us a call or email us at support@complianceforge.com to request a custom package.
Controls That Are Designed For A Modern Security Program
The thirty-three (33) domains listed below are how the SCF is organized, and they provide a 1-1 relationship with ComplianceForge's Digital Security Program (DSP):
Secure Controls Framework (SCF) "Premium Content" - Editable Policies, Control Objectives, Standards, Guidelines, Controls & Metrics.
Digital Security Plan (DSP) Bundle #1 - SCF-Aligned Policies, Standards & Procedures (25% Discount)
Is your organization looking for enterprise cybersecurity documentation? This is a bundle that includes the following two (2) ComplianceForge...
Digital Security Plan (DSP) Bundle #2 - ENHANCED DIGITAL SECURITY (35% Discount)
Is your organization looking for enterprise cybersecurity documentation? This is a bundle that includes the following seven (7) ComplianceForge products that are...
Digital Security Plan (DSP) Bundle #3 - ROBUST DIGITAL SECURITY (45% Discount)
Is your organization looking for enterprise cybersecurity documentation? This is a bundle that includes the following thirteen (13) ComplianceForge products that are...
NIST 800-171 & CMMC 2.0 Compliance Bundle #4 - EXPERT CMMC 2.0 Levels 1-3 (45% discount)
Is your organization looking to achieve CMMC compliance? This is a bundle that includes the following thirteen (13) ComplianceForge...