TM

  • Secure By Design

  • Secure Controls Framework

  • Solution Providers

  • Certification

  • FAQ

  • News & Updates

  • About SCF

  • Contact

  • More

    TERMS & CONDITIONS

    ERRATA

    SPONSORS

    PRIVACY NOTICE

    COOKIE POLICY

    Secure Controls Framework Council, LLC (SCF Council) disclaims any liability whatsoever for the use of this website or the Secure Controls Framework™ (SCF). Use at your own risk.

     

    If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. This website is for educational purposes only and does not render professional services advice - it is not a substitute for dedicated professional services. There is no endorsement of any kind in the company listing of SCF Solution Providers - It is entirely your responsibility to conduct appropriate due care and due diligence in selecting and engaging with a consultant to assist in your implementation of the SCF.

    ​

    SCF Council does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website, or its contents, is assumed by the user. ​

     

    SCF Council reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

    © 2019. Secure Controls Framework Council, LLC

    ​

    Secue Control Framework (SCF)

    TM

    Security & Privacy Metaframework

    Secure Controls Framework

    The SCF focuses on internal controls. These are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.

    A control is the power to influence or direct  behaviors and the course of events. That is precisely why the Secure Controls Framework™ (SCF) was developed – we want to influence secure practices within organizations so that both cybersecurity and privacy principles are designed, implemented and managed in an efficient and sustainable manner. The SCF is a metaframework - a framework of frameworks.

    Secure Controls Framework

    Project

    Criteria

    Protection

    Needs

    Expected

    Controls

    The SCF has the ambitious goal of providing FREE cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of its size, industry or country of origin.

    LEADING PRACTICES

    SCF - statutory regulatory contractual compliance controls

    Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements.

    ​

    The approach looks at the following spheres of influence to identify applicable controls:

    ​

    Statutory Obligations

    These are US state, federal and international laws

    ​

    Regulatory Obligations

    These are requirements from regulatory bodies or governmental agencies

    ​

    Contractual Obligations

    These are requirements that are stipulated in contracts, vendor agreements, etc.

    ​

    Industry-Recognized Leading Practices

    These are requirements that are based on an organization’s specific industry.

    ComplianceForge - Cybersecurity policies standards procedures and more

    HOLISTIC APPROACH

    The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance - we know that if you build-in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally.

    Cybersecurity and privacy strategic operational tactical privacy and cyber controls

    One of the main factors driving the integration of cybersecurity and privacy is the European Union’s General Data Protection Regulation (EU GDPR).

     

    The EU GDPR has three (3) very specific requirements that require significant coordination between privacy and cybersecurity teams to accomplish:

    ​

    • Article 5 covers the principles relating to the secure processing of personal data.

    ​

    • Article 25 covers data protection by design and by default.

    ​

    • Article 35 covers the requirement to perform Data Protection Impact Assessments (DPIAs).

    EU GDPR compliance - articles 5 25 and 35 cybersecurity and privay controls

    EU GDPR Compliance

    CIAS Quadrant

    For years, the "CIA Triad" defined the pillars of cybersecurity. Things have changed and it is now the "CIAS Quadrant" that governs the reasons for implementing cybersecurity and privacy controls. These four pillars are Confidentiality, Integrity, Availability and Safety. The SCF can help you implement these four principles of cybersecurity and privacy in your organization!

    CIAS Quadrant - confidentiality integrity availability safety

    CONFIDENTIALITY

    Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.

    ​

    INTEGRITY

    Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.

    ​

    AVAILABILITY

    Availability addresses ensuring timely and reliable access to and use of information.

    ​

    SAFETY

    Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.

    Designed For A Modern Security Program

    Listed below are the thirty-two (32) domains that make up the SCF. There are approximately 750 controls that are categorized within these domains to make it easier to manage. Each domain has a three-letter identifier, which is included in the control name to make it easy to understand what the focus of the control is.

    cybersecurity documentation - editable policies standards procedues EU GDPR NIST 800-171
    • White LinkedIn Icon
    • White Facebook Icon
    • White Twitter Icon
    • White Google+ Icon