Frequently Asked Questions (FAQ)

What Is The SCF?

The SCF stands for the Secure Controls Framework. It is more than just an assortment of cybersecurity controls, since it is focused on designing, implementing and maintaining SECURE solutions to address all applicable statutory, regulatory and contractual requirements that an organization faces. 

How Do I Use The SCF?

You can start in one of two ways: (1) if you know what your requirements are, you can jump right into creating a customized control set here or (2) you can download the Excel version of the SCF here and create your own set of controls from the complete listing of SCF controls.


Realistically, pour yourself a cup of coffee (or your favorite beverage) and read through the SCF to get an understanding of its overall layout and what it contains. Being an Excel spreadsheet, you can do wonders with sorting out what is applicable to you.

What happens if you get stuck and don't know how to tailor the SCF or what steps you need to take to operationalize it? We have thought of that and we have a resource where you can find an SCF Practitioner, a specialist within the cybersecurity and privacy fields with whom you can contract. We give away the SCF for free, but if you want a consultant to walk you through setting up or operationalizing your control set, you will have to pay for that assistance, which is outside of the scope of what this website offers.

Why Is the SCF Free To Use?

The quality of the SCF could easily justify a costly subscription service, but we know that would exclude most organizations and defeat our broader goal of improving cybersecurity and privacy practices on a macro scale. While our contributors are volunteers, we rely on sponsorship and advertising revenue to maintain the SCF.

Are There Restrictions On The Use of the SCF?

Secure Controls Framework Council, LLC owns the copyright for the SCF. However, under the Terms & Conditions page, you will see the open license that is granted for organizations to freely use the SCF.

What Does "Mechanisms Exist" Mean?

We wrote the controls to be flexible to meet the needs of organizations, regardless of the size or industry. As you might imagine, that can make wording a challenge. Given that, you will see text within the controls, such as "Mechanisms exist to..." and if you do not like the term mechanism, you can replace that with "solution," "processes," or some other term of your preference. 

However, the term "mechanism" can mean a manual process, technology solution, outsourced contract or a combination of those that come together to address the needs of the control. Some smaller companies may lack technology solutions for many controls, so manual processes will likely prevail. However, getting into Fortune 500 environments, technology solutions will most often exist to address the controls.

What Is Cybersecurity For Privacy by Design (C4P)?

Cybersecurity For Privacy by Design (C4P) is simply the concept of designing, implementing and maintaining the appropriate cybersecurity controls that address the confidentiality and integrity side of privacy concerns with Personal Information (PI). 

Surprising to many people, privacy protections overlay most existing security protection mechanisms. In a C4P model, the focus is on People, Processes and Technology (PPT) to:

  • Enable privacy.

  • Preset security configuration settings so that they are secure by default.

  • “Bake in” security mechanisms, as compared to “bolt on” protections as an afterthought.

  • Value keeping things simple to save resources and avoid negatively affecting users.

  • Integrate throughout the lifecycle of projects / applications / systems.

  • Support a common method to “trust but verify” projects / applications / systems.

  • Set security up to be seen as an enabler through educating users, managing expectations, and supporting change.