SCF Domains

The SCF is comprised of thirty-two (32) domains that cover the high-level topics that are expected to be addressed by cybersecurity and privacy-related statutory, regulatory and contractual obligations.

Click on the icons below to see the controls associated with that domain.

Icon
SCF Domain
Identifier
Security & Privacy by Design (S|P) Principles
Principle Intent
1
Security & Privacy Governance
GOV
Govern a documented, risk-based program that encompasses appropriate security and privacy principles to address all applicable statutory, regulatory and contractual obligations.
Organizations specify the development of an organization’s security and privacy programs, including criteria to measure success, to ensure ongoing leadership engagement and risk management.
2
Asset Management
AST
Manage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset’s location.
Organizations ensure technology assets are properly managed throughout the lifecycle of the asset, from procurement through disposal, ensuring only authorized devices are allowed to access the organization’s network and to protect the organization’s data that is stored, processed or transmitted on its assets.
3
Business Continuity & Disaster Recovery
BCD
Maintain the capability to sustain business-critical functions while successfully responding to and recovering from incidents through a well-documented and exercised process.
Organizations establish processes that will help the organization recover from adverse situations with the minimal impact to operations, as well as provide the ability for e-discovery.
4
Capacity & Performance Planning
CAP
Govern the current and future capacities and performance of technology assets.
Organizations prevent avoidable business interruptions caused by capacity and performance limitations by proactively planning for growth and forecasting, as well as requiring both technology and business leadership to maintain situational awareness of current and future performance.
5
Change Management
CHG
Govern change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur.
Organizations ensure both technology and business leadership proactively manage change. This includes the assessment, authorization and monitoring of technical changes across the enterprise so as to not impact production systems uptime, as well as allow easier troubleshooting of issues.
6
Cloud Security
CLD
Govern cloud instances as an extension of on-premise technologies with equal or greater security protections than the organization’s own internal controls.
Organizations govern the use of private and public cloud environments (e.g., IaaS, PaaS and SaaS) to holistically manage risks associated with third-party involvement and architectural decisions, as well as to ensure the portability of data to change cloud providers, if needed.
7
Compliance
CPL
Oversee the execution of cybersecurity and privacy controls to create appropriate evidence of due care and due diligence, demonstrating compliance with all applicable statutory, regulatory and contractual obligations.
Organizations ensure controls are in place to be aware of and comply with applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards.
8
Configuration Management
CFG
Govern the establishment and ongoing management of secure configurations for systems, applications and services according to vendor-recommended and industry-recognized secure practices.
Organizations establish and maintain the integrity of systems. Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code.
9
Continuous Monitoring
MON
Maintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services.
Organizations establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have “blind spots” in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources.
10
Cryptographic Protections
CRY
Utilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive data both at rest and in transit.
Organizations ensure the confidentiality of the organization’s data through implementing appropriate cryptographic technologies to protect systems and data.
11
Data Classification & Handling
DCH
Publish and enforce a data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can be followed.
Organizations ensure that technology assets, both hardware and media, are properly classified and measures implemented to protect the organization’s data from unauthorized disclosure, regardless if it is being transmitted or stored. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data.
12
Embedded Technology
EMB
Provide additional scrutiny to the risks associated with embedded technology, based on the potential damages posed when used maliciously.
Organizations specify the development, proactive management and ongoing review of security embedded technologies, including hardening of the “stack” from the hardware, to firmware, software, transmission and service protocols used for Internet of Things (IoT) and Operational Technology (OT) devices.
13
Endpoint Security
END
Harden endpoint devices to protect against reasonable threats to those devices and the data they store, transmit and process.
Organizations ensure that endpoint devices are appropriately protected from security threats to the device and its data. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity, availability and safety considerations.
14
Human Resources Security
HRS
Foster a security and privacy-minded workforce through sound hiring practices and ongoing personnel management.
Organizations create a security and privacy-minded workforce and an environment that is conducive to innovation, considering issues such as culture, reward and collaboration.
15
Identification & Authentication
IAC
Implement an Identity and Access Management (IAM) capability to ensure the concept of “least privilege” is consistently implemented across all systems, applications and services for individual, group and service accounts.
Organizations implement the concept of “least privilege” through limiting access to the organization’s systems and data to authorized users only.
16
Incident Response
IRO
Maintain a practiced incident response capability that trains all users on how to recognize and report suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with an Incident Response Plan (IRP).
Organizations establish and maintain a capability to guide the organization’s response when security or privacy-related incidents occur and to train users how to detect and report potential incidents.
17
Information Assurance
IAO
Utilize an impartial assessment process to validate the existence and functionality of appropriate security and privacy controls, prior to a system, application or service being used in a production environment.
Organizations ensure the adequately of security and controls are appropriate in both development and production environments.
18
Maintenance
MNT
Utilize secure practices to maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third-parties.
Organizations ensure that technology assets are properly maintained to ensure continued performance and effectiveness. Maintenance processes apply additional scrutiny to the security of end-of-life or unsupported assets.
19
Mobile Device Management
MDM
Govern mobile devices through a centralized or decentralized model to restrict logical and physical access to the devices, as well as the amount and type of data that can be stored, transmitted or processed.
Organizations govern risks associated with mobile devices, regardless if the device is owned by the organization, its users or trusted third-parties. Wherever possible, technologies are employed to centrally manage mobile device access and data storage practices.
20
Network Security
NET
Architect a defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services.
Organizations ensure sufficient security and privacy controls are architected to protect the confidentiality, integrity, availability and safety of the organization’s network infrastructure, as well as to provide situational awareness of activity on the organization’s networks.
21
Physical & Environmental Security
PES
Implement layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage.
Organizations minimize physical access to the organization’s systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats.
22
Privacy
PRI 
Implement a privacy program that ensures industry-recognized privacy practices are identified and operationalized throughout the lifecycle of systems, applications and services.
Organizations align privacy engineering decisions with the organization’s overall privacy strategy and industry-recognized leading practices to secure Personal Information (PI) that implements the concept of privacy by design and by default.
23
Project & Resource Management
PRM 
Utilize a risk-based approach to prioritize the planning and resourcing of all security and privacy aspects for projects and other initiatives to alleviate foreseeable governance, risk and compliance roadblocks.
Organizations ensure that security-related projects have both resource and project/program management support to ensure successful project execution.
24
Risk Management
RSK 
Govern a risk management capability that ensures risks are consistently identified, assessed, categorized and appropriately remediated.
Organizations ensure that security and privacy-related risks are visible to and understood by the business unit(s) that own the assets and / or processes involved. The security and privacy teams only advise and educate on risk management matters, while it is the business units and other key stakeholders who ultimately own the risk.
25
Secure Engineering & Architecture
SEA 
Implement secure engineering and architecture processes to ensure industry-recognized secure practices are identified and operationalized throughout the lifecycle of systems, applications and services.
Organizations align cybersecurity engineering and architecture decisions with the organization’s overall technology architectural strategy and industry-recognized leading practices to secure networked environments.
26
Security Operations
OPS 
Assign appropriately-qualified personnel to deliver security and privacy operations that provide reasonable protective, detective and responsive services.
Organizations ensure appropriate resources and a management structure exists to enable the service delivery of cybersecurity operations.
27
Security Awareness & Training
SAT 
Develop a security and privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices.
Organizations develop a security and privacy-minded workforce through continuous education activities and practical exercises, in order to refine and improve on existing training.
28
Technology Development & Acquisition
TDA 
Govern the development process for any acquired or developed system, application or service to ensure secure engineering principles are operationalized and functional.
Organizations ensure that security and privacy principles are implemented into any products/solutions that are either developed internally or acquired to make sure that the concepts of “least privilege” and “least functionality” are incorporated.
29
Third-Party Management
TPM 
Implement ongoing third-party risk management practices to actively oversee the supply chain so that only trustworthy third-parties are used.
Organizations ensure that security and privacy risks associated with third-parties are minimized and enable measures to sustain operations should a third-party become defunct.
30
Threat Management
THR
Identify, assess and remediate technology-related threats to assets and business processes, based on a thorough risk analysis to determine the potential risk posed from the threat.
Organizations establish a capability to proactively identify and manage technology-related threats to the security and privacy of the organization’s systems, data and business processes.
31
Vulnerability & Patch Management
VPM 
Utilize a risk-based approach to vulnerability and patch management practices that minimizes the attack surface of systems, applications and services.
Organizations proactively manage the risks associated with technical vulnerability management that includes ensuring good patch and change management practices are utilized.
32
Web Security
WEB 
Govern all Internet-facing technologies to ensure those systems, applications and services are securely configured and monitored for anomalous activity.
Organizations address the risks associated with Internet-accessible technologies by hardening devices, monitoring system file integrity, enabling auditing, and monitoring for malicious activities.

TERMS & CONDITIONS

ERRATA

SPONSORS

PRIVACY NOTICE

COOKIE POLICY

Secure Controls Framework Council, LLC (SCF Council) disclaims any liability whatsoever for the use of this website or the Secure Controls Framework™ (SCF). Use at your own risk.

 

If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. This website is for educational purposes only and does not render professional services advice - it is not a substitute for dedicated professional services. There is no endorsement of any kind in the company listing of SCF Solution Providers - It is entirely your responsibility to conduct appropriate due care and due diligence in selecting and engaging with a consultant to assist in your implementation of the SCF.

SCF Council does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website, or its contents, is assumed by the user. ​

 

SCF Council reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

© 2021. Secure Controls Framework Council, LLC

Secue Control Framework (SCF)

TM