Leading Cybersecurity & Privacy Practices

Understanding the requirements for both cybersecurity and privacy principles involves a straightforward process of distilling expectations. This process is part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements.

The approach looks at the following spheres of influence to identify applicable controls:

  • Statutory obligations

  • Regulatory obligations

  • Contractual obligations

  • Industry-recognized "best practices"


It is best to visualize the SCF (Secure Controls Framework) as a buffet of cybersecurity and privacy controls, where there is a selection of 740+ controls available to you. Once you know what is applicable to you, you can generate a customized control set that gives you the controls you need to address your statutory, regulatory and contractual obligations.

Statutory Cybersecurity & Privacy Requirements

Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. From a cybersecurity and privacy perspective, statutory compliance requirements include:

  • US - Federal Laws

    • Children's Online Privacy Protection Act (COPPA)

    • Fair and Accurate Credit Transactions Act (FACTA) - including "Red Flags" rule

    • Family Educational Rights and Privacy Act (FERPA)

    • Federal Information Security Management Act (FISMA)

    • Federal Trade Commission (FTC) Act

    • Gramm-Leach-Bliley Act (GLBA)

    • Health Insurance Portability and Accountability Act (HIPAA)

    • Sarbanes-Oxley Act (SOX)

  • US - State Laws

    • California SB1386

    • Massachusetts 201 CMR 17.00

    • Oregon ORS 646A.622

  • International Laws

    • Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)

    • UK - Data Protection Act (DPA)

    • Other countries' variations of Personal Data Protection Acts (PDPA)

Regulatory Cybersecurity & Privacy Requirements

Regulatory obligations are also required by law, but differ from statutory requirements in that they refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements by proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and privacy perspective, regulatory compliance examples include:

  • US Regulations

    • Defense Federal Acquisition Regulation Supplement (DFARS) - NIST 800-171

    • Federal Acquisition Regulation (FAR)

    • Federal Risk and Authorization Management Program (FedRAMP)

    • DoD Information Assurance Risk Management Framework (DIARMF)

    • National Industrial Security Program Operating Manual (NISPOM)

    • New York Department of Financial Services (NY DFS) 23 NYCRR 500

  • International Regulations

    • European Union General Data Protection Regulation (EU GDPR)

    • EU ePrivacy Directive

Contractual Cybersecurity & Privacy Requirements

Contractual obligations are required by a legal contract between private parties. This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association, where membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:

  • Payment Card Industry Data Security Standard (PCI DSS)

  • Financial Industry Regulatory Authority (FINRA)

  • Service Organization Control (SOC)

  • Generally Accepted Privacy Principles (GAPP)

Industry-Leading "Best Practices" for Cybersecurity & Privacy

Leading practices may be required under a contractual obligation with a client or partner, but these industry frameworks are commonly referenced for “what right looks like” in how technology is implemented. Leading frameworks are generally more technical in nature and provide granular requirements. From a cybersecurity and privacy perspective, common leading frameworks include:

  • Cybersecurity Frameworks

    • Center for Internet Security (CIS) Critical Security Controls (CSC)

    • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

    • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

    • ISO 15288: Systems and Software Engineering -- System Life Cycle Processes

    • ISO 27002: Information Technology -- Security Techniques -- Code of Practice for Cybersecurity Controls

    • NIST 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

    • NIST 800-39: Managing Cybersecurity Risk: Organization, Mission and Information System View

    • NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

    • NIST 800-64: Security Considerations in System Development Lifecycle

    • NIST 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

    • NIST 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

    • NIST 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations

    • NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

    • NIST IR 7298: Glossary of Key Cybersecurity Terms

    • NIST IR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems

    • NIST IR 8179: Criticality Analysis Process Model: Prioritizing Systems and Components [draft]

    • Open Web Application Security Project (OWASP)

      • OWASP Top 10 Most Critical Web Application Security Risks

      • OWASP Application Security Verification Standard Project (ASVS)

  • Privacy Frameworks

    • Fair Information Practice Principles (FIPP)

    • Generally Accepted Privacy Principles (GAPP)

    • ISO 27018: Information Technology -- Security Techniques -- Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors

    • OASIS Privacy Management Reference Model and Methodology (PMRM)

    • Privacy by Design (PbD)

SCF Coverage

The SCF provides mapping to the following cybersecurity & privacy-related statutory, regulatory and contractual frameworks: