Operationalizing The Secure Controls Framework (SCF)
The Secure Controls Framework (SCF) is an open source project that provides free cybersecurity and privacy controls for businesses. The SCF focuses on internal controls, which are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.
If you are not familiar with the SCF, it was developed with the ambitious goal of providing a comprehensive catalog of cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin. ComplianceForge is proud to be one of the founding supporters of the SCF. By using the SCF, your IT, cybersecurity, legal and project teams can speak the same language about controls and requirement expectations!
Holistic Approach To Cybersecurity & Privacy Controls
The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance - we know that if you build in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally. Controls are often a missing piece in a company's cybersecurity program, or controls exist in "compliance islands" where they apply only to certain compliance requirements, such as SOX, PCI DSS or NIST 800-171. That might be easy from a compliance perspective, but it is not good security. The SCF is designed to help companies be both secure and compliant.
For years, the "CIA Triad" defined the pillars of cybersecurity. Things have changed and it is now the "CIAS Quadrant" that governs the reasons for implementing cybersecurity and privacy controls. These four pillars are Confidentiality, Integrity, Availability and Safety. The SCF can help you implement these four principles of cybersecurity and privacy in your organization!
CONFIDENTIALITY - Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.
INTEGRITY - Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
AVAILABILITY - Availability addresses ensuring timely and reliable access to and use of information.
SAFETY - Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.
Focus On What Matters - People, Processes & Technology
Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements. The approach looks at the following spheres of influence to identify applicable controls:
Statutory Obligations - These are US state, federal and international laws
Regulatory Obligations - These are requirements from regulatory bodies or governmental agencies
Contractual Obligations - These are requirements that are stipulated in contracts, vendor agreements, etc.
Industry-Recognized Leading Practices - These are requirements that are based on an organization’s specific industry.
Need Control Activities For Your Controls?
ComplianceForge offers a version of our Cybersecurity Standardized Operating Procedures (CSOP) that provides control activities (e.g., procedure statements) that have a 1-1 mapping with the SCF. This is a potential time savings of hundreds of hours of work, not having to reinvent the wheel by writing your own procedures to address SCF controls.
Operationalize The SCF & Save Up To 45% With A Bundle!
We have a few discounted bundles specifically tailored for clients who want to operationalize the SCF, but we can always make a custom package for you. Just give us a call or email us at firstname.lastname@example.org to request a custom package.
Controls That Are Designed For A Modern Security Program
The thirty-two (32) domains listed below are how the SCF is organized, which provides a 1-1 relationship with ComplianceForge's Digital Security Program (DSP):