Secure Controls Framework (SCF) Security & Privacy by Design (S|P) Principles
The concept of building security and privacy into technology solutions both by default and by design is a basic expectation for businesses, regardless of the industry. The adoption of security and privacy principles is a crucial step in building a secure, audit-ready program.
The S|P is a set of 32 security and privacy principles that leverage the SCF's extensive cybersecurity and privacy control set. You can download the free poster by clicking the image to the right.
The “S pipe P” logo is a nod to the computing definition of the | or “pipe” symbol (e.g., shift+backslash), which is a computer command line mechanism that allows the output of one process to be used as input to another process. In this way, a series of commands can be linked to more quickly and easily perform complex, multi-stage processing. Essentially, the concept is that security principles are being “piped” with privacy principles to create secure processes in an efficient manner.
The thirty-two S|P principles cover each of the domains from the SCF:
1. Security & Privacy Governance
Principle: Govern a documented, risk-based program that encompasses appropriate security and privacy principles to address all applicable statutory, regulatory and contractual obligations.
Intent: Organizations specify the development of an organization’s security and privacy programs, including criteria to measure success, to ensure ongoing leadership engagement and risk management.
2. Asset Management
Principle: Manage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset’s location.
Intent: Organizations ensure technology assets are properly managed throughout the lifecycle of the asset, from procurement through disposal, ensuring only authorized devices are allowed to access the organization’s network and to protect the organization’s data that is stored, processed or transmitted on its assets.
3. Business Continuity & Disaster Recovery
Principle: Maintain the capability to sustain business-critical functions while successfully responding to and recovering from incidents through a well-documented and exercised process.
Intent: Organizations establish processes that will help the organization recover from adverse situations with the minimal impact to operations, as well as provide the ability for e-discovery.
4. Capacity & Performance Planning
Principle: Govern the current and future capacities and performance of technology assets.
Intent: Organizations prevent avoidable business interruptions caused by capacity and performance limitations by proactively planning for growth and forecasting, as well as requiring both technology and business leadership to maintain situational awareness of current and future performance.
5. Change Management
Principle: Govern change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur.
Intent: Organizations ensure both technology and business leadership proactively manage change. This includes the assessment, authorization and monitoring of technical changes across the enterprise so as to not impact production systems uptime, as well as allow easier troubleshooting of issues.
6. Cloud Security
Principle: Govern cloud instances as an extension of on-premise technologies with equal or greater security protections than the organization’s own internal controls.
Intent: Organizations govern the use of private and public cloud environments (e.g., IaaS, PaaS and SaaS) to holistically manage risks associated with third-party involvement and architectural decisions, as well as to ensure the portability of data to change cloud providers, if needed.
Principle: Oversee the execution of cybersecurity and privacy controls to create appropriate evidence of due care and due diligence, demonstrating compliance with all applicable statutory, regulatory and contractual obligations.
Intent: Organizations ensure controls are in place to be aware of and comply with applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards.
8. Configuration Management
Principle: Govern the establishment and ongoing management of secure configurations for systems, applications and services according to vendor-recommended and industry-recognized secure practices.
Intent: Organizations establish and maintain the integrity of systems. Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code.
9. Continuous Monitoring
Principle: Maintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services.
Intent: Organizations establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have “blind spots” in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources.
10. Cryptographic Protections
Principle: Utilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive data both at rest and in transit.
Intent: Organizations ensure the confidentiality of the organization’s data through implementing appropriate cryptographic technologies to protect systems and data.
11. Data Classification & Handling
Principle: Publish and enforce a data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can
Intent: Organizations ensure that technology assets, both hardware and media, are properly classified and measures implemented to protect the organization’s data from unauthorized disclosure, regardless if it is being transmitted or stored. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data.
12. Embedded Technology
Principle: Provide additional scrutiny to the risks associated with embedded technology, based on the
potential damages posed when used maliciously.
Intent: Organizations specify the development, proactive management and ongoing review of security embedded technologies, including hardening of the “stack” from the hardware, to firmware, software, transmission and service protocols used for Internet of Things (IoT) and Operational Technology (OT) devices.
13. Endpoint Security
Principle: Harden endpoint devices to protect against reasonable threats to those devices and the data they store, transmit and process.
Intent: Organizations ensure that endpoint devices are appropriately protected from security threats to the device and its data. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity, availability and safety considerations.
14. Human Resources Security
Principle: Foster a security and privacy-minded workforce through sound hiring practices and ongoing
Intent: Organizations create a security and privacy-minded workforce and an environment that is conducive to innovation, considering issues such as culture, reward and collaboration.
15. Identification & Authentication
Principle: Implement an Identity and Access Management (IAM) capability to ensure the concept of “least
privilege” is consistently implemented across all systems, applications and services for individual, group and service accounts.
Intent: Organizations implement the concept of “least privilege” through limiting access to the organization’s systems and data to authorized users only.
16. Incident Response
Principle: Maintain a practiced incident response capability that trains all users on how to recognize and report
suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with an Incident Response Plan (IRP).
Intent: Organizations establish and maintain a capability to guide the organization’s response when security or privacy-related incidents occur and to train users how to detect and report potential incidents.
17. Information Assurance
Principle: Utilize an impartial assessment process to validate the existence and functionality of appropriate security and privacy controls, prior to a system, application or service being used in a production environment.
Intent: Organizations ensure the adequately of security and controls are appropriate in both development and production environments.
Principle: Utilize secure practices to maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third-parties.
Intent: Organizations ensure that technology assets are properly maintained to ensure continued performance and effectiveness. Maintenance processes apply additional scrutiny to the security of end-of-life or unsupported assets.
19. Mobile Device Management
Principle: Govern mobile devices through a centralized or decentralized model to restrict logical and physical access to the devices, as well as the amount and type of data that can be stored, transmitted or processed.
Intent: Organizations govern risks associated with mobile devices, regardless if the device is owned by the organization, its users or trusted third-parties. Wherever possible, technologies are employed to centrally manage mobile device access and data storage practices.
20. Network Security
Principle: Architect a defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services.
Intent: Organizations ensure sufficient security and privacy controls are architected to protect the confidentiality, integrity, availability and safety of the organization’s network infrastructure, as well as to provide situational awareness of activity on the organization’s networks.
21. Physical & Environmental Security
Principle: Implement layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage.
Intent: Organizations minimize physical access to the organization’s systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats.
Principle: Implement a privacy program that ensures industry-recognized privacy practices are identified and operationalized throughout the lifecycle of systems, applications and services.
Intent: Organizations align privacy engineering decisions with the organization’s overall privacy strategy and industry-recognized leading practices to secure Personal Information (PI) that implements the concept of privacy by design and by default.
23. Project & Resource Management
Principle: Utilize a risk-based approach to prioritize the planning and resourcing of all security and privacy aspects for projects and other initiatives to alleviate foreseeable governance, risk and compliance roadblocks.
Intent: Organizations ensure that security-related projects have both resource and project/program management support to ensure successful project execution.
24. Risk Management
Principle: Govern a risk management capability that ensures risks are consistently identified, assessed, categorized and appropriately remediated.
Intent: Organizations ensure that security and privacy-related risks are visible to and understood by the business unit(s) that own the assets and / or processes involved. The security and privacy teams only advise and educate on risk management matters, while it is the business units and other key stakeholders who ultimately own the risk.
25. Secure Engineering & Architecture
Principle: Implement secure engineering and architecture processes to ensure industry-recognized secure practices are identified and operationalized throughout the lifecycle of systems, applications and services.
Intent: Organizations align cybersecurity engineering and architecture decisions with the organization’s overall technology architectural strategy and industry-recognized leading practices to secure networked environments.
26. Security Operations
Principle: Assign appropriately-qualified personnel to deliver security and privacy operations that provide reasonable protective, detective and responsive services.
Intent: Organizations ensure appropriate resources and a management structure exists to enable the service delivery of cybersecurity operations.
27. Security Awareness & Training
Principle: Develop a security and privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices.
Intent: Organizations develop a security and privacy-minded workforce through continuous education activities and practical exercises, in order to refine and improve on existing training.
28. Technology Development & Acquisition
Principle: Govern the development process for any acquired or developed system, application or service to ensure secure engineering principles are operationalized and functional.
Intent: Organizations ensure that security and privacy principles are implemented into any products/solutions that are either developed internally or acquired to make sure that the concepts of “least privilege” and “least functionality” are incorporated.
29. Third-Party Management
Principle: Implement ongoing third-party risk management practices to actively oversee the supply chain so that only trustworthy third-parties are used.
Intent: Organizations ensure that security and privacy risks associated with third-parties are minimized and enable measures to sustain operations should a third-party become defunct.
30. Threat Management
Principle: Identify, assess and remediate technology-related threats to assets and business processes, based on a thorough risk analysis to determine the potential risk posed from the threat.
Intent: Organizations establish a capability to proactively identify and manage technology-related threats to the security and privacy of the organization’s systems, data and business processes.
31. Vulnerability & Patch Management
Principle: Utilize a risk-based approach to vulnerability and patch management practices that minimizes the attack surface of systems, applications and services.
Intent: Organizations proactively manage the risks associated with technical vulnerability management that includes ensuring good patch and change management practices are utilized.
32. Web Security
Principle: Govern all Internet-facing technologies to ensure those systems, applications and services are securely configured and monitored for anomalous activity.
Intent: Organizations address the risks associated with Internet-accessible technologies by hardening devices, monitoring system file integrity, enabling auditing, and monitoring for malicious activities.