Secure Controls Framework (SCF) Bundles
Operationalizing The SCF
If you use the Secure Controls Framework (SCF), one of these bundles is the natural companion, since the Digital Security Program (DSP) has a one-to-one mapping between the SCF and the DSP. These are the policies, standards, procedures and more that complement the SCF controls you use. The DSP provides you with SCF-aligned policies, standards, guidelines, metrics, controls and capability maturity criteria. The Cybersecurity Standardized Operating Procedures (CSOP) provides you with SCF-aligned procedures/control activities. These two products alone can save you hundreds of hours of document writing and can help your organization hit the ground running with the SCF.
The Digital Security Program (DSP) is a product we developed for companies that need to comply with multiple requirements but do not want to be locked into documentation formatted to conform with the taxonomy of ISO 27002 or NIST 800-53. Essentially, the DSP is a "best in class" approach to security documentation. The DSP metrics come mapped to the NIST Cybersecurity Framework (CSF).
Holistic Approach To Cybersecurity & Privacy With The SCF
The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance: if you build in security and privacy principles, complying with statutory, regulatory and contractual obligations follows naturally. It is comprised of thirty-two (32) domains that cover the high-level topics that cybersecurity and privacy-related statutory, regulatory and contractual obligations are expected to address.
These bundles can help you operationalize your cybersecurity and privacy programs by efficiently mapping to over 100 statutory, regulatory and contractual frameworks. This will allow your cyber and privacy teams to speak the same language and more efficiently manage risks.
Understanding "How To GRC" With The Digital Security Program (DSP) & Secure Controls Framework (SCF)
The structure of the Digital Security Program is scalable, making it easy to add or remove policy sections as your business needs change. The same concept applies to standards: you can simply add or remove content to meet your specific needs. The DSP addresses the "why?" and "what?" questions, since policies and standards form the foundation for your cybersecurity program. The two documents listed below are well worth the time to make a pot of coffee and read through, since they explain both the structure of the documentation and how you can customize it for your specific needs.
The DSP is our recommended solution if you are currently using or plan to use a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) solution (e.g., Ostendio's MyVCM, ZenGRC, LogicGate, Ignyte Assurance Platform, Archer, RSAM, MetricStream, ServiceNow, etc.). The DSP is ready to import into your GRC/IRM instance, since it comes in both Microsoft Word and Excel formats. The Excel version makes the import straightforward and lets you do any customization and collaboration directly from your GRC portal.
- Guide To Using The DSP & SCF
- Understanding "How To GRC"
Our products are one-time purchases with no software to install: you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use the DSP. While the DSP comes in Microsoft Word like the WISP, the included Excel version of the DSP carries the following content so it is easy to import into a GRC/IRM solution:
- Policy statements
- Policy intent
- Control objectives
- Controls (Secure Controls Framework)
- Security & Privacy Capability Maturity Model (SP-CMM) criteria
- Metrics - including suggested Key Performance Indicators (KPIs) & Key Risk Indicators (KRIs)
- Indicators of Compromise (IoC)
- Indicators of Exposure (IoE)
- Target Audience Applicability
- Scoping - Basic or Enhanced Requirement
- Recommended roles / teams with responsibility for each standard (NIST NICE Cybersecurity Workforce Framework-based roles & responsibilities).
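Because the Excel version is meant to be loaded into a GRC/IRM tool, it pays to validate the rows before the import rather than discover gaps inside the GRC portal. The following script is an added example and is not part of the DSP or any ComplianceForge product: it runs a pre-import sanity check over a constructed CSV export whose column names (`standard_id`, `scf_control`, `scoping`, `kpi`, `kri`, `roles`, etc.) and row values are assumed for illustration, and it flags standards with no SCF control, controls mapped more than once (which breaks the one-to-one mapping), scoping values outside Basic/Enhanced, standards with neither a KPI nor a KRI, and standards with no responsible role.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of a CSV export of the DSP spreadsheet.
# Column names and row contents are assumptions for this example, not the
# product's real schema; the last two rows deliberately contain defects.
SAMPLE_CSV = """standard_id,scf_control,policy_statement,control_objective,scoping,kpi,kri,roles
GOV-01,GOV-01,Cybersecurity & privacy governance program,Establish governance,Basic,% policies reviewed annually,# overdue policy reviews,CISO
GOV-02,GOV-02,Publish policies & standards,Publish documentation,Basic,% staff acknowledged,,CISO
IAC-01,IAC-01,Identity & access management,Manage identities,Basic,% accounts reviewed quarterly,# orphaned accounts,IAM Lead
IAC-02,IAC-01,Identification & authentication for users,Authenticate users,Enhanced,,# shared accounts,IAM Lead
VPM-05,,Software & firmware patching,Patch systems,Standard,% hosts patched within SLA,# hosts missing critical patches,
"""

# Scoping values the page describes: Basic or Enhanced requirement.
VALID_SCOPES = {"Basic", "Enhanced"}


def parse_rows(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def check_import(rows):
    """Return a dict of findings keyed by category; an empty dict means clean."""
    findings = defaultdict(list)
    control_to_standards = defaultdict(list)

    for r in rows:
        sid = r["standard_id"]
        if not r["scf_control"]:
            # A standard with no SCF control cannot be tracked against the framework.
            findings["missing_scf_control"].append(sid)
        else:
            control_to_standards[r["scf_control"]].append(sid)
        if r["scoping"] not in VALID_SCOPES:
            findings["invalid_scoping"].append((sid, r["scoping"]))
        if not r["kpi"] and not r["kri"]:
            # Metrics reporting is how the program justifies budget; flag blanks.
            findings["no_metrics"].append(sid)
        if not r["roles"]:
            findings["no_owner"].append(sid)

    # One-to-one mapping check: each SCF control should back exactly one standard.
    for ctl, sids in control_to_standards.items():
        if len(sids) > 1:
            findings["duplicate_mapping"].append((ctl, sids))

    dup_ids = [s for s, n in Counter(r["standard_id"] for r in rows).items() if n > 1]
    if dup_ids:
        findings["duplicate_standard_id"] = dup_ids

    return dict(findings)


if __name__ == "__main__":
    for category, items in check_import(parse_rows(SAMPLE_CSV)).items():
        print(f"{category}: {items}")
```

Run it against the real export after renaming the column headers to match your spreadsheet; an empty result means every standard has one SCF control, a valid scope, at least one metric and an owner, which is the minimum a GRC import should start from.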
The most common way for a security program to justify its budget needs is through metrics reporting. The DSP can help you leverage the Systems Security Engineering Capability Maturity Model (SSE-CMM) together with the Secure Controls Framework's Security & Privacy Capability Maturity Model (SP-CMM). We avoided re-inventing the wheel and simply created an enterprise-class product that can help your organization rapidly advance its capability maturity to CMM Level 4 or beyond.