Security & Privacy Metaframework
The SCF focuses on internal controls. These are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.
A control is the power to influence or direct behaviors and the course of events. That is precisely why the Secure Controls Framework™ (SCF) was developed – we want to influence secure practices within organizations so that both cybersecurity and privacy principles are designed, implemented and managed in an efficient and sustainable manner. The SCF is a metaframework - a framework of frameworks.
The SCF has the ambitious goal of providing FREE cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin.
Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements.
The approach looks at the following spheres of influence to identify applicable controls:
- Statutory: these are US state, federal and international laws.
- Regulatory: these are requirements from regulatory bodies or governmental agencies.
- Contractual: these are requirements that are stipulated in contracts, vendor agreements, etc.
- Industry-Recognized Leading Practices: these are requirements that are based on an organization's specific industry.
The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance - we know that if you build in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally.
One of the main factors driving the integration of cybersecurity and privacy is the European Union’s General Data Protection Regulation (EU GDPR).
The EU GDPR has three (3) specific requirements that demand significant coordination between privacy and cybersecurity teams to accomplish:
Article 5 covers the principles relating to the secure processing of personal data.
Article 25 covers data protection by design and by default.
Article 35 covers the requirement to perform Data Protection Impact Assessments (DPIAs).
EU GDPR Compliance
For years, the "CIA Triad" defined the pillars of cybersecurity. Things have changed and it is now the "CIAS Quadrant" that governs the reasons for implementing cybersecurity and privacy controls. These four pillars are Confidentiality, Integrity, Availability and Safety. The SCF can help you implement these four principles of cybersecurity and privacy in your organization!
Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.
Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
Availability addresses ensuring timely and reliable access to and use of information.
Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.
Designed For A Modern Security Program
Listed below are the thirty-two (32) domains that make up the SCF. There are approximately 750 controls that are categorized within these domains to make it easier to manage. Each domain has a three-letter identifier, which is included in the control name to make it easy to understand what the focus of the control is.