Security & Privacy Metaframework
The SCF focuses on internal controls. These are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.
A control is the power to influence or direct behaviors and the course of events. That is precisely why the Secure Controls Framework™ (SCF) was developed: we want to influence secure practices within organizations so that both cybersecurity and privacy principles are designed, implemented and managed in an efficient and sustainable manner. The SCF is a metaframework, a framework of frameworks.
The SCF has the ambitious goal of providing FREE cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin.
Understanding the requirements for both cybersecurity and privacy principles is a process of distilling expectations: documenting reasonable expectations that are “right-sized” for the organization, since every organization has unique requirements.
The approach looks at the following spheres of influence to identify applicable controls:
Statutory obligations: these are US state, federal and international laws.
Regulatory obligations: these are requirements from regulatory bodies or governmental agencies.
Contractual obligations: these are requirements that are stipulated in contracts, vendor agreements, etc.
Industry-Recognized Leading Practices: these are requirements that are based on an organization’s specific industry.
The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance: if you build in security and privacy principles, complying with statutory, regulatory and contractual obligations will follow naturally.
EU GDPR Compliance
One of the main factors driving the integration of cybersecurity and privacy is the European Union’s General Data Protection Regulation (EU GDPR).
The EU GDPR has three (3) specific requirements that demand significant coordination between privacy and cybersecurity teams to accomplish:
Article 5 covers the principles relating to the secure processing of personal data.
Article 25 covers data protection by design and by default.
Article 35 covers the requirement to perform Data Protection Impact Assessments (DPIAs).
For years, the "CIA Triad" defined the pillars of cybersecurity. Things have changed and it is now the "CIAS Quadrant" that governs the reasons for implementing cybersecurity and privacy controls. These four pillars are Confidentiality, Integrity, Availability and Safety. The SCF can help you implement these four principles of cybersecurity and privacy in your organization!
Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.
Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
Availability addresses ensuring timely and reliable access to and use of information.
Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.
Designed For A Modern Security Program
Listed below are the thirty-two (32) domains that make up the SCF. There are approximately 750 controls that are categorized within these domains to make it easier to manage. Each domain has a three-letter identifier, which is included in the control name to make it easy to understand what the focus of the control is.
Security & Privacy by Design (S|P) Principles
Security & Privacy Governance
Govern a documented, risk-based program that encompasses appropriate security and privacy principles to address all applicable statutory, regulatory and contractual obligations.
Organizations specify the development of their security and privacy programs, including criteria to measure success, to ensure ongoing leadership engagement and risk management.
Manage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset’s location.
Organizations ensure technology assets are properly managed throughout their lifecycle, from procurement through disposal, so that only authorized devices are allowed to access the organization’s network and the organization’s data that is stored, processed or transmitted on those assets is protected.
Business Continuity & Disaster Recovery
Maintain the capability to sustain business-critical functions while successfully responding to and recovering from incidents through a well-documented and exercised process.
Organizations establish processes that will help the organization recover from adverse situations with minimal impact on operations, as well as provide the ability for e-discovery.
Capacity & Performance Planning
Govern the current and future capacities and performance of technology assets.
Organizations prevent avoidable business interruptions caused by capacity and performance limitations by proactively planning for growth and forecasting, as well as requiring both technology and business leadership to maintain situational awareness of current and future performance.
Govern change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur.
Organizations ensure both technology and business leadership proactively manage change. This includes the assessment, authorization and monitoring of technical changes across the enterprise, so as not to impact the uptime of production systems and to allow easier troubleshooting of issues.
Govern cloud instances as an extension of on-premises technologies with equal or greater security protections than the organization’s own internal controls.
Organizations govern the use of private and public cloud environments (e.g., IaaS, PaaS and SaaS) to holistically manage risks associated with third-party involvement and architectural decisions, as well as to ensure the portability of data to change cloud providers, if needed.
Oversee the execution of cybersecurity and privacy controls to create appropriate evidence of due care and due diligence, demonstrating compliance with all applicable statutory, regulatory and contractual obligations.
Organizations ensure controls are in place to be aware of and comply with applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards.
Govern the establishment and ongoing management of secure configurations for systems, applications and services according to vendor-recommended and industry-recognized secure practices.
Organizations establish and maintain the integrity of systems. Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code.
Maintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services.
Organizations establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have “blind spots” in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources.
Utilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive data both at rest and in transit.
Organizations ensure the confidentiality of the organization’s data through implementing appropriate cryptographic technologies to protect systems and data.
Data Classification & Handling
Publish and enforce a data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can be followed.
Organizations ensure that technology assets, both hardware and media, are properly classified and that measures are implemented to protect the organization’s data from unauthorized disclosure, regardless of whether it is being transmitted or stored. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data.
Provide additional scrutiny to the risks associated with embedded technology, based on the potential damages posed when used maliciously.
Organizations specify the development, proactive management and ongoing review of the security of embedded technologies, including hardening of the “stack” from hardware through firmware, software, and the transmission and service protocols used by Internet of Things (IoT) and Operational Technology (OT) devices.
Harden endpoint devices to protect against reasonable threats to those devices and the data they store, transmit and process.
Organizations ensure that endpoint devices are appropriately protected from security threats to the device and its data. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to address confidentiality, integrity, availability and safety considerations.
Human Resources Security
Foster a security and privacy-minded workforce through sound hiring practices and ongoing personnel management.
Organizations create a security and privacy-minded workforce and an environment that is conducive to innovation, considering issues such as culture, reward and collaboration.
Identification & Authentication
Implement an Identity and Access Management (IAM) capability to ensure the concept of “least privilege” is consistently implemented across all systems, applications and services for individual, group and service accounts.
Organizations implement the concept of “least privilege” through limiting access to the organization’s systems and data to authorized users only.
Maintain a practiced incident response capability that trains all users on how to recognize and report suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with an Incident Response Plan (IRP).
Organizations establish and maintain a capability to guide the organization’s response when security or privacy-related incidents occur and to train users how to detect and report potential incidents.
Utilize an impartial assessment process to validate the existence and functionality of appropriate security and privacy controls, prior to a system, application or service being used in a production environment.
Organizations ensure that security and privacy controls are adequate and appropriate in both development and production environments.
Utilize secure practices to maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third-parties.
Organizations ensure that technology assets are properly maintained so that they continue to perform effectively. Maintenance processes apply additional scrutiny to the security of end-of-life or unsupported assets.
Mobile Device Management
Govern mobile devices through a centralized or decentralized model to restrict logical and physical access to the devices, as well as the amount and type of data that can be stored, transmitted or processed.
Organizations govern risks associated with mobile devices, regardless of whether the device is owned by the organization, its users or trusted third-parties. Wherever possible, technologies are employed to centrally manage mobile device access and data storage practices.
Architect a defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services.
Organizations ensure sufficient security and privacy controls are architected to protect the confidentiality, integrity, availability and safety of the organization’s network infrastructure, as well as to provide situational awareness of activity on the organization’s networks.
Physical & Environmental Security
Implement layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage.
Organizations minimize physical access to the organization’s systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats.
Implement a privacy program that ensures industry-recognized privacy practices are identified and operationalized throughout the lifecycle of systems, applications and services.
Organizations align privacy engineering decisions with the organization’s overall privacy strategy and industry-recognized leading practices to secure Personal Information (PI), implementing the concept of privacy by design and by default.
Project & Resource Management
Utilize a risk-based approach to prioritize the planning and resourcing of all security and privacy aspects for projects and other initiatives to alleviate foreseeable governance, risk and compliance roadblocks.
Organizations ensure that security-related projects have both resource and project/program management support so that they are executed successfully.
Govern a risk management capability that ensures risks are consistently identified, assessed, categorized and appropriately remediated.
Organizations ensure that security and privacy-related risks are visible to and understood by the business unit(s) that own the assets and/or processes involved. The security and privacy teams only advise and educate on risk management matters, while it is the business units and other key stakeholders who ultimately own the risk.
Secure Engineering & Architecture
Implement secure engineering and architecture processes to ensure industry-recognized secure practices are identified and operationalized throughout the lifecycle of systems, applications and services.
Organizations align cybersecurity engineering and architecture decisions with the organization’s overall technology architectural strategy and industry-recognized leading practices to secure networked environments.
Assign appropriately-qualified personnel to deliver security and privacy operations that provide reasonable protective, detective and responsive services.
Organizations ensure appropriate resources and a management structure exists to enable the service delivery of cybersecurity operations.
Security Awareness & Training
Develop a security and privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices.
Organizations develop a security and privacy-minded workforce through continuous education activities and practical exercises, in order to refine and improve on existing training.
Technology Development & Acquisition
Govern the development process for any acquired or developed system, application or service to ensure secure engineering principles are operationalized and functional.
Organizations ensure that security and privacy principles are implemented in any products or solutions, whether developed internally or acquired, so that the concepts of “least privilege” and “least functionality” are incorporated.
Implement ongoing third-party risk management practices to actively oversee the supply chain so that only trustworthy third-parties are used.
Organizations ensure that security and privacy risks associated with third-parties are minimized and that measures are in place to sustain operations should a third-party become defunct.
Identify, assess and remediate technology-related threats to assets and business processes, based on a thorough risk analysis to determine the potential risk posed by the threat.
Organizations establish a capability to proactively identify and manage technology-related threats to the security and privacy of the organization’s systems, data and business processes.
Vulnerability & Patch Management
Utilize a risk-based approach to vulnerability and patch management practices that minimizes the attack surface of systems, applications and services.
Organizations proactively manage technical vulnerabilities, which includes ensuring that sound patch and change management practices are used.
Govern all Internet-facing technologies to ensure those systems, applications and services are securely configured and monitored for anomalous activity.
Organizations address the risks associated with Internet-accessible technologies by hardening devices, monitoring system file integrity, enabling auditing, and monitoring for malicious activities.