SCF Certification - Conformity Assessment Program (CAP)

SCF Certification Overview

We are pleased to announce that an organization-level certification program is coming for the SCF. The CAP is currently under development and does not have a current launch date.


Information Assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. The Secure Controls Framework Conformity Assessment Program (CAP) will focus on using the SCF as the control set to provide a company-level certification, similar to other existing single-focus certifications (e.g., ISO 27001 certification).

The CAP is designed to produce a deliverable Report on Conformity (ROC) that indicates one of three outcomes describing the organization's overall cybersecurity and privacy program:


1. Conforms.

  • This is a positive outcome.

  • This indicates that, at a high level, the organization’s cybersecurity and privacy practices conform with its selected cybersecurity and privacy practices.

  • At the control level, there may be one or more deficient controls, but as a whole, the cybersecurity and privacy practices support the organization’s stated risk tolerance.

  • A statement that the assessed controls conform indicates to the organization’s management that sufficient evidence of due care and due diligence exists to provide assurance that the organization’s stated risk tolerance is achieved.

2. Significant Deficiency.

  • This is a negative outcome and indicates the organization is unable to demonstrate conformity with its selected cybersecurity and privacy practices, due to systematic problems.

  • This indicates cybersecurity and privacy practices fail to support the organization’s stated risk tolerance. This is less severe than a material weakness, but merits executive leadership attention.

  • A statement that the assessed controls have a significant deficiency indicates to the organization’s management that insufficient evidence of due care and due diligence exists to provide assurance that the organization’s stated risk tolerance is achieved, due to a systemic problem in the cybersecurity and/or privacy program.

  • In the context of a significant deficiency, a systemic problem is a consequence of issues inherent in the overall function (e.g., team, department, project, application, service, vendor, etc.), rather than due to a specific, isolated factor. Systemic errors may require a change to the structure, personnel, technology and/or practices to remediate the significant deficiency.

3. Material Weakness.

  • This is a negative outcome and indicates the organization is unable to demonstrate conformity with its selected cybersecurity and privacy practices, due to deficiencies that make it probable that reasonable threats will not be prevented or detected in a timely manner, which directly or indirectly affects assurance that the organization can adhere to its stated risk tolerance.

  • This indicates cybersecurity and privacy practices fail to support the organization’s stated risk tolerance.

  • A statement that the assessed controls have a material weakness indicates to the organization’s management that deficiencies are grave enough that it is probable that reasonable threats will not be prevented or detected in a timely manner, which directly or indirectly affects assurance that the organization can adhere to its stated risk tolerance.

  • Essentially, the security and privacy program is incapable of performing its stated mission and drastic changes to people, processes and/or technology are necessary to remediate the findings.

[Figure: SCF CAP Methodology]

Uniqueness of the CAP

The SCF is an open source approach to creating cybersecurity and privacy controls. The CAP is a way to make a certification process using the SCF controls more efficient and objective:

  • As a meta framework, the SCF allows for a “single certification” approach to cybersecurity and privacy requirements:

    • This is a “test once, report on many” approach that will allow the CAP to scale to cover multiple requirements simultaneously (e.g., certification on NIST CSF, ISO 27002, NIST 800-171, EU GDPR, etc.).

    • The CAP will allow an organization to specify the statutory, regulatory and contractual obligations that are applicable to establish a Minimum Security Requirements (MSR) control set.

  • The CAP leverages several leading practices to perform assessments in an effort to avoid re-inventing the wheel.

  • One of the factors in developing the CAP is to remove Certified Public Accountants (CPAs) from the cybersecurity assessment process, which is a requirement in SOC 2 assessments. The CAP is developed by, and will be executed by, cybersecurity professionals.

  • In an effort to create impartiality, maintain high standards and prevent SCF Assessors from “softballing” reports that encourage the re-hiring of a specific SCF Assessor, the CAP will restrict an SCF Assessor from performing SCF Certification services for the same client to no more than two (2) consecutive years:

    • In the “off year” for an SCF Assessor, it can provide consulting and other professional services to a client, but not SCF Certification services.

    • This applies at the company level, not at the individual assessor level. This company-level rotation will encourage objective assessments by SCF Assessors.


Client Deliverable – Understanding The Need For SCF Certification

  • There is currently a demand in the market for a scalable, cost-effective solution for obtaining a company-level, third-party assessment for cybersecurity and privacy.

  • Instead of “making a square peg fit into a round hole,” the CAP allows a company to tailor its control set to meet its specific needs for certification:

    • For example, a company that needs a third-party assessment for NIST CSF, HIPAA and NIST 800-171 can select those applicable controls for SCF Certification.

    • The resulting documentation of a passing assessment will be:

      • Executive summary – ideal for sharing with clients and other third-parties.

      • Complete report – full reporting that is not meant to be shared externally, since it may contain sensitive control information that is meant for internal audiences only.


A Focus on Being Able To Demonstrate Security & Privacy by Design (SPbD)

The concept of being able to demonstrate evidence of both security and privacy by design (SPbD) is growing in importance with regulations such as the European Union General Data Protection Regulation (EU GDPR).

  • The SCF’s Security & Privacy by Design Principles (S|P) provide thirty-two (32) principles that are able to be reported on, based on the controls associated with each of those principles.

  • The applicable controls form the MSR, as defined by the applicable statutory, regulatory and contractual obligations the client wants to be assessed against. The result of these controls should provide evidence of SPbD.


In an effort to avoid re-inventing the wheel, the CAP will leverage NIST’s Risk Management Framework (RMF) as a way to scope the lifecycle of security and privacy controls. The RMF consists of six (6) unique phases and the CAP will cover the lifecycle of controls management:

  1. Categorize systems

  2. Select security & privacy controls

  3. Implement security & privacy controls

  4. Assess security & privacy controls

  5. Authorize systems, applications & services

  6. Monitor security & privacy controls


During the SCF Certification process, SCF Assessors will primarily evaluate:

  • How systems/processes/services are categorized;

  • The security and privacy controls that were selected;

  • The efficacy of how the security and privacy controls were implemented;

  • The method by which security and privacy by design principles were assessed, prior to systems/services/applications going into production; and

  • The ongoing monitoring of security and privacy controls.


SCF Assessors will also evaluate controls deemed by a client to be not applicable, and identify compensating controls where the organization has accepted the risk of not implementing an SCF control.