Secure Controls Framework Council, LLC (SCF Council) disclaims any liability whatsoever for the use of this website or the Secure Controls Framework™ (SCF). Use at your own risk.


If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. This website is for educational purposes only and does not render professional services advice - it is not a substitute for dedicated professional services. There is no endorsement of any kind in the company listing of SCF Solution Providers - It is entirely your responsibility to conduct appropriate due care and due diligence in selecting and engaging with a consultant to assist in your implementation of the SCF.

SCF Council does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the website may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website, or its contents, is assumed by the user.


SCF Council reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

© 2019. Secure Controls Framework Council, LLC


SCF Certification - Information Assurance Program (IAP)

SCF Certification Overview

We are pleased to announce that an organization-level certification program is coming for the SCF. The IAP is expected to launch in Q4 of 2019.


Information Assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. The Secure Controls Framework Information Assurance Program (IAP) will focus on using the SCF as the control set to provide a company-level certification, similar to other existing single-focus certifications (e.g., ISO 27001 certification).


Uniqueness of the IAP

The SCF is an open source approach to creating cybersecurity and privacy controls. The IAP is a way to make the certification process that uses the SCF controls more efficient and objective:

  • As a meta framework, the SCF allows for a “single certification” approach to cybersecurity and privacy requirements:

    • This is a “test once, report on many” approach that will allow the IAP to scale to cover multiple requirements simultaneously (e.g., certification on NIST CSF, ISO 27002, NIST 800-171, EU GDPR, etc.).

    • The IAP will allow an organization to specify the statutory, regulatory and contractual obligations that are applicable to establish a Minimum Security Requirements (MSR) control set.

  • The IAP leverages several leading practices to perform assessments in an effort to avoid re-inventing the wheel.

  • While it is currently possible for a SOC 2 assessment to utilize the SCF as its control set, one of the factors in developing the IAP is to remove Certified Public Accountants (CPAs) from the cybersecurity assessment process; CPA involvement is a requirement in SOC 2 assessments. The IAP is developed by, and will be executed by, cybersecurity professionals.

  • In an effort to create impartiality, maintain high standards and prevent SCF Assessors from “softballing” reports that encourage the re-hiring of a specific SCF Assessor, the IAP will restrict an SCF Assessor from performing SCF Certification services for the same client to no more than two (2) consecutive years:

    • In the “off year” for a SCF Assessor, it can provide consulting and other professional services to a client, but not SCF Certification services.

    • This applies at the company level, not at the individual assessor level. This company-level rotation will encourage objective assessments by SCF Assessors.


Client Deliverable – Understanding The Need For SCF Certification

  • There is currently a demand in the market for a scalable, cost-effective solution for obtaining a company-level, third-party assessment for cybersecurity and privacy.

  • Instead of “making a square peg fit into a round hole,” the IAP allows a company to tailor its control set to meet its specific needs for certification:

    • For example, a company that needs a third-party assessment for NIST CSF and NIST 800-171 can select those applicable controls for SCF Certification.

    • The result of a passing assessment will be documentation the company can use to demonstrate compliance with both the NIST CSF and NIST 800-171. The resulting documentation of a passing assessment will be:

      • Executive summary – ideal for sharing with clients and other third-parties.

      • Complete report – full reporting that is not meant to be shared externally, since it may contain sensitive control information that is meant for internal audiences only.


A Focus on Being Able To Demonstrate Security & Privacy by Design (SPbD)

The concept of being able to demonstrate evidence of both security and privacy by design (SPbD) is growing in importance with regulations such as the European Union General Data Protection Regulation (EU GDPR).

  • The SCF’s Security & Privacy by Design Principles (S|P) provide thirty-two (32) principles that can be reported on, based on the controls associated with each of those principles.

  • The applicable controls form the MSR, as defined by the applicable statutory, regulatory and contractual obligations the client wants to be assessed against. The result of these controls should provide evidence of SPbD.


In an effort to avoid re-inventing the wheel, the IAP will leverage NIST’s Risk Management Framework (RMF) as a way to scope the lifecycle of security and privacy controls. The RMF consists of six (6) distinct phases, and the IAP will cover the full lifecycle of controls management:

  1. Categorize systems

  2. Select security & privacy controls

  3. Implement security & privacy controls

  4. Assess security & privacy controls

  5. Authorize systems, applications & services

  6. Monitor security & privacy controls.


During the SCF Certification process, SCF Assessors will primarily evaluate:

  • How systems/processes/services are categorized;

  • The security and privacy controls that were selected;

  • The efficacy of how the security and privacy controls were implemented;

  • The method by which security and privacy by design principles were assessed, prior to systems/services/applications going into production; and

  • The ongoing monitoring of security and privacy controls.


SCF Assessors will also evaluate controls deemed by a client to be not applicable, and will identify compensating controls where the organization has accepted the risk of not implementing a SCF control.


SCF Certification Process

  • SCF Certifications will be valid for one (1) year from the date of the Secure Controls Framework Report on Compliance (SCF ROC).

  • Clients that successfully pass the SCF Certification will be able to display a SCF Certified Trustmark.

  • The SCF Certification services will be through a contract directly between the SCF Assessor and its client. The SCF Assessor negotiates the fee structure of the assessment directly with its client.

Accreditation for SCF Assessors

  • For the accreditation hierarchy of the IAP:

    • The Secure Controls Framework Council, LLC (SCF Council) will be the accrediting body for the IAP.

    • SCF Council will accredit a Certifying Body (CB) to perform SCF Certification services (e.g., a cybersecurity consulting company could apply to be a CB):

      • Only an accredited CB will be allowed to perform SCF Certification services. Any company can do pre-assessment consulting, but only a CB will be able to offer SCF Certification services.

      • CBs must have at least two (2) SCF Assessors on staff. There is no certification path for 1-person consulting firms, since there is an expectation of peer review of assessment work to ensure quality assessments are performed.

  • To establish minimum certification requirements for SCF Assessors, the IAP derives its requirements from the DoD-approved 8570-01 baseline certifications for the Information Assurance Technician (IAT) Level III and Cyber Security Service Provider (CSSP) Auditor roles. SCF Assessors must have at least one (1) of the following certifications:

    • Certified Information Systems Auditor (CISA) through Information Systems Audit and Control Association (ISACA)

    • Certified Information Systems Security Professional (CISSP) through International Information Systems Security Certifications Consortium (ISC)2

    • Cisco Certified Network Professional-Security (CCNP-Security) through Cisco

    • GIAC Certified Enterprise Defender (GCED) through Global Information Assurance Certification (GIAC)

    • GIAC Systems and Network Auditor (GSNA) through GIAC

    • CompTIA Advanced Security Practitioner Continuing Education (CASP+ CE) through Computing Technology Industry Association (CompTIA)

  • The accreditation for a company to perform SCF Certification services will be valid for a period of two (2) years.

If you would like to learn more about becoming a SCF Assessor, please contact us for more information. Please do not ask for an exception if you are a 1-person consulting firm, since that will not be granted.
