Updated: Apr 17, 2019
SCF Certification Overview - Information Assurance Program (IAP)
We are pleased to announce that a certification program is coming for the SCF. The IAP is expected to launch in Q4 of 2019. If you would like to learn more about this, please contact us for more information.
Information Assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. The Secure Controls Framework Information Assurance Program (IAP) will focus on using the SCF as the control set to provide a company-level certification, similar to other existing single-focus certifications (e.g., ISO 27001 certification).
Uniqueness of the IAP
The SCF is an open source approach to creating cybersecurity and privacy controls. The IAP is a way to make the certification process using the SCF controls more efficient and objective:
As a meta framework, the SCF allows for a “single certification” approach to cybersecurity and privacy requirements:
This is a “test once, report on many” approach that will allow the IAP to scale to cover multiple requirements simultaneously (e.g., certification on NIST CSF, ISO 27002, NIST 800-171, EU GDPR, etc.).
The IAP will allow an organization to specify the statutory, regulatory and contractual obligations that are applicable to establish a Minimum Security Requirements (MSR) control set.
The IAP leverages several leading practices to perform assessments in an effort to avoid re-inventing the wheel.
While it is currently possible for a SOC 2 assessment to utilize the SCF as its control set, one of the factors in developing the IAP is to remove Certified Public Accountants (CPAs) from the cybersecurity assessment process, since CPA involvement is a requirement in SOC 2 assessments. The IAP is developed by, and will be executed by, cybersecurity professionals.
In an effort to create impartiality, maintain high standards and prevent SCF Assessors from “softballing” reports that encourage the re-hiring of a specific SCF Assessor, the IAP will restrict an SCF Assessor from performing SCF Certification services for the same client to no more than two (2) consecutive years:
In the “off year” for an SCF Assessor, it can provide consulting and other professional services to a client, but not SCF Certification services.
This applies at the company level, not at the individual assessor level. This company-level rotation will encourage objective assessments by SCF Assessors.
There is currently a demand in the market for a scalable, cost-effective solution for obtaining a company-level, third-party assessment for cybersecurity and privacy.
Instead of “making a square peg fit into a round hole,” the IAP allows a company to tailor its control set to meet its specific needs for certification:
For example, a company that needs a third-party assessment for NIST CSF and NIST 800-171 can select those applicable controls for SCF Certification.
The result of a passing assessment will be documentation the company can use to demonstrate compliance with both the NIST CSF and NIST 800-171.
The resulting documentation of a passing assessment will be:
Executive summary – ideal for sharing with clients and other third-parties.
Complete report – full reporting that is not meant to be shared externally, since it may contain sensitive control information that is meant for internal audiences only.
A Focus on Being Able To Demonstrate Security & Privacy by Design (SPbD)
The concept of being able to demonstrate evidence of both security and privacy by design (SPbD) is growing in importance with regulations such as the European Union General Data Protection Regulation (EU GDPR).
The SCF’s Security & Privacy by Design Principles (S|P) provide thirty-two (32) principles that can be reported on, based on the controls associated with each of those principles.
The applicable controls form the MSR, as defined by the applicable statutory, regulatory and contractual obligations the client wants to be assessed against. The result of these controls should provide evidence of SPbD.
In an effort to avoid re-inventing the wheel, the IAP will leverage NIST’s Risk Management Framework (RMF) as a way to scope the lifecycle of security and privacy controls. The RMF consists of six (6) unique phases and the IAP will cover the lifecycle of controls management:
Select security & privacy controls
Implement security & privacy controls
Assess security & privacy controls
Authorize systems, applications & services
Monitor security & privacy controls.
During the SCF Certification process, SCF Assessors will primarily evaluate:
How systems/processes/services are categorized;
The security and privacy controls that were selected;
The efficacy of how the security and privacy controls were implemented;
The method by which security and privacy by design principles were assessed, prior to systems/services/applications going into production; and
The ongoing monitoring of security and privacy controls.
SCF Assessors will also evaluate controls a client has deemed not applicable, and identify compensating controls where the organization has accepted the risk of not implementing an SCF control.
SCF Certification Process
SCF Certifications will be valid for one (1) year from the date of the Secure Controls Framework Report on Compliance (SCF ROC).
Clients that successfully pass the SCF Certification will be able to display an SCF Certified Trustmark.
The SCF Certification services will be through a contract directly between the SCF Assessor and its client. The SCF Assessor negotiates the fee structure of the assessment directly with its client.
Accreditation for SCF Assessors
If you would like to learn more about becoming an SCF Assessor, please contact us for more information.
For the accreditation hierarchy of the IAP:
The Secure Controls Framework Council, LLC (SCF Council) will be the accrediting body for the IAP.
SCF Council will accredit Certifying Bodies (CB) to perform SCF Certification services.
Only an accredited Certifying Body will be allowed to perform SCF Certification services.
To establish minimum certification requirements for SCF Assessors, the IAP derives its requirements from the DoD-approved 8570-01 baseline certifications for the Information Assurance Technician (IAT) Level III and Cyber Security Service Provider (CSSP) Auditor roles. SCF Assessors must have at least one (1) of the following certifications:
Certified Information Systems Auditor (CISA) through Information Systems Audit and Control Association (ISACA)
Certified Information Systems Security Professional (CISSP) through International Information Systems Security Certifications Consortium (ISC)2
Cisco Certified Network Professional-Security (CCNP-Security) through Cisco
GIAC Certified Enterprise Defender (GCED) through Global Information Assurance Certification (GIAC)
GIAC Systems and Network Auditor (GSNA) through GIAC
CompTIA Advanced Security Practitioner Continuing Education (CASP+ CE) through Computing Technology Industry Association (CompTIA)
The accreditation for a company to perform SCF Certification services will be valid for a period of two (2) years.