Operationalizing Security & Privacy Needs by Design (and by default)
Holistic Approach To Cybersecurity & Privacy Controls
When you properly design, build and maintain with security in mind, compliance is a natural byproduct. That goes for both cybersecurity and privacy needs. For a lot of organizations, that is merely lip-service, but at ComplianceForge, we found a way to help operationalize security and privacy controls in an efficient, scalable manner. Our solution is the Digital Security Program (DSP) that leverages the Secure Controls Framework (SCF). This combination allows an organization to have a "full stack" of security and privacy documentation.
Our solution is designed for "digital security", which is essentially a superset of common cybersecurity requirements. This approach also builds in privacy considerations to allow an organization to ensure that both cybersecurity and privacy principles are addressed by design and by default. With the requirement for security and privacy to be "baked in" to comply with EU GDPR and other statutory and regulatory obligations, this is a topic that is here to stay. The problem for most organizations is figuring out the most efficient and cost-effective way to accomplish it.
Scalable Approach That Addresses Tactical, Operational & Strategic Security & Privacy Needs
The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance - we know that if you build in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally. Controls are often a missing piece in a company's cybersecurity program, or controls exist in "compliance islands" where the controls are only applicable to certain compliance requirements, such as SOX, PCI DSS or NIST 800-171. That might be easy from a compliance perspective, but it is not good security. The SCF is designed to help companies be both secure and compliant.
If you are not familiar with the SCF, it was developed with the ambitious goal of providing a comprehensive catalog of cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin. ComplianceForge is proud to be one of the founding supporters of the SCF. By using the SCF, your IT, cybersecurity, legal and project teams can speak the same language about controls and requirement expectations!
The Secure Controls Framework (SCF) is an open source project that provides free cybersecurity and privacy controls for business. The SCF focuses on internal controls, which are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.
Where the SCF is truly unique is its industry-agnostic focus on both security and privacy controls, creating a hybrid that makes up for the shortcomings of leading frameworks.
Documentation Done Right - Our Solution Is Designed To Be Scalable, Comprehensive & Efficient
We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with ISO 27002, NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks.
Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.
Focus On What Matters - Data-Centric Approach To Governing People, Processes & Technology
It is important to understand that controls exist to protect an organization’s data. In support of this concept of being data-centric, look at the example of asset management requirements in terms of cybersecurity and privacy – those administrative, technical and physical security controls do not primarily exist to protect the inherent value of the asset, but the data it contains, because assets are merely data containers. Assets, such as laptops, servers and network infrastructure are commodities that can be easily replaced, but the data cannot. This mindset of being data-centric is crucial to understand when developing, implementing and governing a cybersecurity and privacy program.
While most organizations do not have a Data Centric Architecture (DCA), based on technical debt and legacy processes, it is possible to implement Data Centric Security (DCS) that can put the organization on a path to building a DCA. This all comes down to designing, implementing and managing the appropriate cybersecurity and privacy controls that govern people, processes and technology. This is where the DSP and SCF can be invaluable.
Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements. The approach looks at the following spheres of influence to identify applicable controls:
Statutory Obligations - These are US state, federal and international laws
Regulatory Obligations - These are requirements from regulatory bodies or governmental agencies
Contractual Obligations - These are requirements that are stipulated in contracts, vendor agreements, etc.
Industry-Recognized Leading Practices - These are requirements that are based on an organization’s specific industry.
For years, the "CIA Triad" defined the pillars of cybersecurity. Things have changed and it is now the "CIAS Quadrant" that governs the reasons for implementing cybersecurity and privacy controls. These four pillars are Confidentiality, Integrity, Availability and Safety. The DSP & SCF can help you implement these four principles of cybersecurity and privacy in your organization!
CONFIDENTIALITY - Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.
INTEGRITY - Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
AVAILABILITY - Availability addresses ensuring timely and reliable access to and use of information.
SAFETY - Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.
Need Control Activities For Your Controls?
ComplianceForge offers a version of our Cybersecurity Standardized Operating Procedures (CSOP) that provides control activities (e.g., procedure statements) that have a 1-1 mapping with the DSP & SCF. This is a potential time savings of hundreds of hours of work, not having to reinvent the wheel by writing your own procedures to address SCF controls.
Operationalize The SCF & Save Up To 45% With A Bundle!
We have a few discounted bundles specifically tailored for clients who want to operationalize the SCF, but we can always make a custom package for you. Just give us a call or email us at firstname.lastname@example.org to request a custom package.
Controls That Are Designed For A Modern Security Program
The thirty-two (32) domains listed below are how the SCF is organized, which provides a 1-1 relationship with ComplianceForge's Digital Security Program (DSP):
| # | DSP Domain | DSP Identifier | Domain Intent |
|---|---|---|---|
| 1 | Security & Privacy Governance | GOV | Organizations specify the development of an organization's security and privacy programs, including criteria to measure success, to ensure ongoing leadership engagement and risk management. |
| 2 | Asset Management | AST | Organizations ensure technology assets are properly managed throughout the lifecycle of the asset, from procurement through disposal, ensuring only authorized devices are allowed to access the organization's network and to protect the organization's data that is stored, processed or transmitted on its assets. |
| 3 | Business Continuity & Disaster Recovery | BCD | Organizations establish processes that will help the organization recover from adverse situations with minimal impact to operations, as well as provide the ability for e-discovery. |
| 4 | Capacity & Performance Planning | CAP | Organizations prevent avoidable business interruptions caused by capacity and performance limitations by proactively planning for growth and forecasting, as well as requiring both technology and business leadership to maintain situational awareness of current and future performance. |
| 5 | Change Management | CHG | Organizations ensure both technology and business leadership proactively manage change. This includes the assessment, authorization and monitoring of technical changes across the enterprise so as not to impact production system uptime, as well as to allow easier troubleshooting of issues. |
| 6 | Cloud Security | CLD | Organizations govern the use of private and public cloud environments (e.g., IaaS, PaaS and SaaS) to holistically manage risks associated with third-party involvement and architectural decisions, as well as to ensure the portability of data to change cloud providers, if needed. |
| 7 | Compliance | CPL | Organizations ensure controls are in place to be aware of and comply with applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards. |
| 8 | Configuration Management | CFG | Organizations establish and maintain the integrity of systems. Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code. |
| 9 | Continuous Monitoring | MON | Organizations establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have "blind spots" in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources. |
| 10 | Cryptographic Protections | CRY | Organizations ensure the confidentiality of the organization's data by implementing appropriate cryptographic technologies to protect systems and data. |
| 11 | Data Classification & Handling | DCH | Organizations ensure that technology assets, both hardware and media, are properly classified and measures are implemented to protect the organization's data from unauthorized disclosure, whether it is being transmitted or stored. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data. |
| 12 | Embedded Technology | EMB | Organizations specify the development, proactive management and ongoing review of security for embedded technologies, including hardening of the "stack" from the hardware, to firmware, software, transmission and service protocols used for Internet of Things (IoT) and Operational Technology (OT) devices. |
| 13 | Endpoint Security | END | Organizations ensure that endpoint devices are appropriately protected from security threats to the device and its data. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity, availability and safety considerations. |
| 14 | Human Resources Security | HRS | Organizations create a security and privacy-minded workforce and an environment that is conducive to innovation, considering issues such as culture, reward and collaboration. |
| 15 | Identification & Authentication | IAC | Organizations implement the concept of "least privilege" by limiting access to the organization's systems and data to authorized users only. |
| 16 | Incident Response | IRO | Organizations establish and maintain a capability to guide the organization's response when security or privacy-related incidents occur and to train users how to detect and report potential incidents. |
| 17 | Information Assurance | IAO | Organizations ensure the adequacy of security and that controls are appropriate in both development and production environments. |
| 18 | Maintenance | MNT | Organizations ensure that technology assets are properly maintained to ensure continued performance and effectiveness. Maintenance processes apply additional scrutiny to the security of end-of-life or unsupported assets. |
| 19 | Mobile Device Management | MDM | Organizations govern risks associated with mobile devices, regardless of whether the device is owned by the organization, its users or trusted third parties. Wherever possible, technologies are employed to centrally manage mobile device access and data storage practices. |
| 20 | Network Security | NET | Organizations ensure sufficient security and privacy controls are architected to protect the confidentiality, integrity, availability and safety of the organization's network infrastructure, as well as to provide situational awareness of activity on the organization's networks. |
| 21 | Physical & Environmental Security | PES | Organizations minimize physical access to the organization's systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats. |
| 22 | Privacy | PRI | Organizations align privacy engineering decisions with the organization's overall privacy strategy and industry-recognized leading practices to secure Personal Information (PI), implementing the concept of privacy by design and by default. |
| 23 | Project & Resource Management | PRM | Organizations ensure that security-related projects have both resource and project/program management support to ensure successful project execution. |
| 24 | Risk Management | RSK | Organizations ensure that security and privacy-related risks are visible to and understood by the business unit(s) that own the assets and/or processes involved. The security and privacy teams only advise and educate on risk management matters, while it is the business units and other key stakeholders who ultimately own the risk. |
| 25 | Secure Engineering & Architecture | SEA | Organizations align cybersecurity engineering and architecture decisions with the organization's overall technology architectural strategy and industry-recognized leading practices to secure networked environments. |
| 26 | Security Operations | OPS | Organizations ensure appropriate resources and a management structure exist to enable the service delivery of cybersecurity operations. |
| 27 | Security Awareness & Training | SAT | Organizations develop a security and privacy-minded workforce through continuous education activities and practical exercises, in order to refine and improve on existing training. |
| 28 | Technology Development & Acquisition | TDA | Organizations ensure that security and privacy principles are implemented in any products/solutions that are either developed internally or acquired, to make sure that the concepts of "least privilege" and "least functionality" are incorporated. |
| 29 | Third-Party Management | TPM | Organizations ensure that security and privacy risks associated with third parties are minimized and enable measures to sustain operations should a third party become defunct. |
| 30 | Threat Management | THR | Organizations establish a capability to proactively identify and manage technology-related threats to the security and privacy of the organization's systems, data and business processes. |
| 31 | Vulnerability & Patch Management | VPM | Organizations proactively manage the risks associated with technical vulnerability management, which includes ensuring good patch and change management practices are utilized. |
| 32 | Web Security | WEB | Organizations address the risks associated with Internet-accessible technologies by hardening devices, monitoring system file integrity, enabling auditing, and monitoring for malicious activities. |