If you use the Secure Controls Framework (SCF), then you will want to buy one of these bundles, since the Digital Security Program (DSP) has 1-1 mapping between the SCF and the DSP. We sell the policies, standards, procedures & more that will compliment the SCF controls that you use! The DSP provides you with SCF-aligned policies, standards, guidelines, metrics, controls and capability maturity criteria. The Cybersecurity Standardized Operating Procedures (CSOP) provides you with SCF-aligned procedures/control activities. These two products alone can save you hundreds of hours of document writing and can help your organization hit the ground running with the SCF.
Holistic Approach To Cybersecurity & Privacy With The SCF
The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance - we know that if you build-in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally. It is comprised of thirty-two (32) domains that cover the high-level topics that are expected to be addressed by cybersecurity and privacy-related statutory, regulatory and contractual obligations.
These bundles can help you operationalize your cybersecurity and privacy programs by efficiently mapping to over 100 statutory, regulatory and contractual frameworks. This will allow your cyber and privacy teams to speak the same language and more efficiently manage risks.
Understanding "How To GRC" With The Digital Security Program (DSP) & Secure Controls Framework (SCF)
The structure of the Digital Security Program is scalable to make it is easy to add or remove policy sections, as your business needs change. The same concept applies to standards – you can simply add/remove content to meet your specific needs. The DSP addresses the “why?” and “what?” questions, since policies and standards form the foundation for your cybersecurity program. The following two documents shown below are well worth the time to make a pot of coffee and read through, since you will be able to understand both the structure of the documentation and how you can customize it for your specific needs.
The DSP is our recommended solution if you are currently using or plan to use a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) solution. The DSP is ready to import into your GRC/IRM instance, since it comes in both Microsoft Word and Excel formats. This makes the import from Excel straightforward and that allows you to then do any customization and collaboration directly from your GRC portal.
Guide To Using The DSP & SCF
Understanding "How To GRC"
Free Download - Secure Controls Framework (SCF)
If you are not familiar with the Secure Controls Framework (SCF), it was developed with the ambitious goal of providing a comprehensive catalog of cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of its size, industry or country of origin. By using the SCF, your IT, cybersecurity, legal and project teams can speak the same language about controls and requirement expectations!
The Secure Controls Framework (SCF) is an open source project that provides free cybersecurity and privacy controls for business. The SCF focuses on internal controls, which are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.
Where the SCF is truly unique is its industry-agnostic focus on both security and privacy controls that creates a hybrid that makes up for shortcomings by leading frameworks:
The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance - we know that if you build-in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally. Controls are often a missing piece in a company's cybersecurity program or controls exist in "compliance islands" where the controls are only applicable to certain compliance requirements, such as SOX, PCI DSS or NIST 800-171. That might be easy from a compliance perspective, but it is not good security. The SCF is designed to help companies be both secure and compliant.
Focus On What Matters - Data-Centric Approach To Governing People, Processes & Technology
It is important to understand that controls exist to protect an organization’s data. In support of this concept of being data-centric, look at the example of asset management requirements in terms of cybersecurity and privacy – those administrative, technical and physical security controls do not primarily exist to protect the inherent value of the asset, but the data it contains, because assets are merely data containers. Assets, such as laptops, servers and network infrastructure are commodities that can be easily replaced, but the data cannot. This mindset of being data-centric is crucial to understand when developing, implementing and governing a cybersecurity and privacy program.
While most organizations do not have a Data Centric Architecture (DCA), based on technical debt and legacy processes, it is possible to implement Data Centric Security (DCS) that can put the organization on a path to building a DCA. This all comes down to designing, implementing and managing the appropriate cybersecurity and privacy controls that govern people, processes and technology. This is where the DSP and SCF can be invaluable.
Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements. The approach looks at the following spheres of influence to identify applicable controls:
Statutory Obligations - These are US state, federal and international laws
Regulatory Obligations - These are requirements from regulatory bodies or governmental agencies
Contractual Obligations - These are requirements that are stipulated in contracts, vendor agreements, etc.
Industry-Recognized Leading Practices - These are requirements that are based on an organization’s specific industry.
For years, the "CIA Triad" defined the pillars of cybersecurity. Things have changed and it is now the "CIAS Quadrant" that governs the reasons for implementing cybersecurity and privacy controls. These four pillars are Confidentiality, Integrity, Availability and Safety. The DSP & SCF can help you implement these four principles of cybersecurity and privacy in your organization!
CONFIDENTIALITY - Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.
INTEGRITY - Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
AVAILABILITY - Availability addresses ensuring timely and reliable access to and use of information.
SAFETY - Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.
Operationalize The SCF With ComplianceForge Products
If you like what you see with the Secure Controls Framework, you can use these ComplianceForge products to operationalize those SCF controls in a cost-effective and efficient manner:
Digital Security Program (DSP) - Enterprise-Class, Hybrid Framework For Cybersecurity & Privacy
The DSP is an enterprise-class solution for cybersecurity & privacy documentation consisting of thirty-three (33) domains that defines a modern,...
Cybersecurity Standardized Operating Procedures (CSOP) DSP | SCF Version
Until now, developing a template to provide worthwhile cybersecurity procedures is somewhat of a "missing link" within the cybersecurity documentation industry. The...
Cybersecurity Supply Chain Risk Management (C-SCRM) Bundle #2 - DSP Version (45% discount)
This is a bundle that includes the following thirteen (13) ComplianceForge products that are focused on operationalizing Cybersecurity Supply Chain Risk...
Digital Security Plan (DSP) Bundle #1 - SCF-Aligned Policies, Standards & Procedures (25% Discount)
This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing the Secure Controls Framework...
Digital Security Plan (DSP) Bundle #2 - ENHANCED DIGITAL SECURITY (35% Discount)
This is a bundle that includes the following seven (7) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF):
Digital Security Plan (DSP) Bundle #3 - ROBUST DIGITAL SECURITY (45% Discount)
This is a bundle that includes the following thirteen (13) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF):
NIST 800-171 & CMMC 2.0 Compliance Bundle #4 - EXPERT CMMC 2.0 Levels 1-3 (45% discount)
This is a bundle that includes the following thirteen (13) ComplianceForge products that are focused on operationalizing NIST SP 800-171...
Privacy Bundle #2 - DSP Version (45% discount)
This is a bundle that includes the following twelve (12) ComplianceForge products that are focused on operationalizing the cybersecurity and privacy principles:
Cybersecurity & Data Protection Program...