Secure By Design & Default

Understanding what cybersecurity and privacy principles require of an organization comes down to a simple process of distilling expectations. That process is all part of documenting reasonable expectations that are “right-sized” for the organization, since every organization has a unique mix of obligations.

The approach looks at the following spheres of influence to identify applicable controls:

  • Statutory obligations

  • Regulatory obligations

  • Contractual obligations

  • Industry-recognized "best practices"

It is best to visualize the SCF as a buffet of cybersecurity and privacy controls, with a selection of 740+ controls available to you. Once you know which obligations apply to you, you can generate a customized control set that contains the controls you need to address your statutory, regulatory and contractual obligations, as well as the industry practices you choose to adopt.

The SCF's mission is to provide a powerful catalyst that will advance how cybersecurity and privacy controls are utilized at the strategic, operational and tactical layers of an organization, regardless of its size or industry.

Designing & Building An Audit-Ready Cybersecurity & Privacy Program

Building a security program that routinely incorporates security and privacy practices into daily operations requires a mastery of the basics. A useful analogy is with the children's toy, LEGO®. With LEGO® you can build nearly anything you want — either through following directions or using your own creativity. However, it first requires an understanding of how various LEGO® shapes either snap together or are incompatible.

Once you master the fundamentals with LEGO®, it is easy to keep building and become immensely creative since you know how everything interacts. However, when the fundamentals are ignored, the LEGO® structure will be weak and include systemic flaws. Security and privacy really are not much different, since those disciplines are made up of numerous building blocks that all come together to build secure systems and processes. The lack of critical building blocks will lead to insecure and poorly architected solutions.

When you envision each component that makes up a security or privacy “best practice” as a LEGO® block, it is possible to conceptualize how certain requirements are the foundation that other components attach to. Only when all the building blocks come together and take shape do you get a functional security / privacy program!

Think of the SCF as a toolkit for you to build out your overall security program domain-by-domain so that cybersecurity and privacy principles are designed, implemented and managed by default!

Understanding Cybersecurity & Privacy By Design

Security by Design (SbD)

These requirements come from numerous sources. In this context, some of the most important cybersecurity frameworks are:

  • International Organization for Standardization (ISO)

  • National Institute of Standards and Technology (NIST)

  • US Government (HIPAA, FedRAMP, DFARS, FAR & FTC Act)

  • Information Systems Audit and Control Association (ISACA)

  • Cloud Security Alliance (CSA)

  • Center for Internet Security (CIS)

  • Open Web Application Security Project (OWASP)

  • Payment Card Industry Data Security Standard (PCI DSS)

  • European Union General Data Protection Regulation (EU GDPR)

Privacy by Design (PbD)

These requirements come from numerous sources. In this context, some of the most important privacy frameworks are:

  • Generally Accepted Privacy Principles (GAPP)

  • Fair Information Practice Principles (FIPPs)

  • Organization for the Advancement of Structured Information Standards (OASIS)

  • International Organization for Standardization (ISO)

  • National Institute of Standards and Technology (NIST)

  • Information Systems Audit and Control Association (ISACA)

  • European Union General Data Protection Regulation (EU GDPR)

  • US Government (HIPAA & FTC Act)

Statutory Cybersecurity & Privacy Requirements

Statutory obligations are imposed directly by legislation: current laws passed by a state or federal legislature. From a cybersecurity and privacy perspective, statutory compliance requirements include:

  • US - Federal Laws

    • Children's Online Privacy Protection Act (COPPA)

    • Fair and Accurate Credit Transactions Act (FACTA) - including "Red Flags" rule

    • Family Educational Rights and Privacy Act (FERPA)

    • Federal Information Security Management Act (FISMA)

    • Federal Trade Commission (FTC) Act

    • Gramm-Leach-Bliley Act (GLBA)

    • Health Insurance Portability and Accountability Act (HIPAA)

    • Sarbanes-Oxley Act (SOX)

  • US - State Laws

    • California SB1386

    • California Consumer Privacy Act (CCPA)

    • Massachusetts 201 CMR 17.00

    • Oregon ORS 646A.622

  • International Laws

    • Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)

    • UK - Data Protection Act (DPA)

    • Other countries' variations of Personal Data Protection Acts (PDPA)

Regulatory Cybersecurity & Privacy Requirements

Regulatory obligations are also required by law, but differ from statutory requirements in that they are rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements by proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and privacy perspective, regulatory compliance examples include:

  • US Regulations

    • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 - which requires NIST SP 800-171

    • Federal Acquisition Regulation (FAR)

    • Federal Risk and Authorization Management Program (FedRAMP)

    • DoD Information Assurance Risk Management Framework (DIARMF)

    • National Industrial Security Program Operating Manual (NISPOM)

    • New York Department of Financial Services (NY DFS) 23 NYCRR 500

  • International Regulations

    • European Union General Data Protection Regulation (EU GDPR)

    • EU ePrivacy Directive

Contractual Cybersecurity & Privacy Requirements

Contractual obligations are required by a legal contract between private parties. This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association where membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:

  • Payment Card Industry Data Security Standard (PCI DSS)

  • Financial Industry Regulatory Authority (FINRA)

  • Service Organization Control (SOC)

  • Generally Accepted Privacy Principles (GAPP)

Industry-Leading "Best Practices" for Cybersecurity & Privacy

Leading practices may be required under a contractual obligation with a client or partner, but these industry frameworks are more commonly referenced as “what right looks like” for how technology is implemented. Leading frameworks are generally more technical in nature and provide granular requirements. From a cybersecurity and privacy perspective, common leading frameworks include:

  • Cybersecurity Frameworks

    • Center for Internet Security (CIS) Critical Security Controls (CSC)

    • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

    • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

    • ISO 15288: Systems and Software Engineering -- System Life Cycle Processes

    • ISO 27002: Information Technology -- Security Techniques -- Code of Practice for Information Security Controls

    • NIST 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

    • NIST 800-39: Managing Information Security Risk: Organization, Mission and Information System View

    • NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

    • NIST 800-64: Security Considerations in the System Development Life Cycle

    • NIST 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

    • NIST 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

    • NIST 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations

    • NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

    • NIST IR 7298: Glossary of Key Information Security Terms

    • NIST IR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems

    • NIST IR 8179: Criticality Analysis Process Model: Prioritizing Systems and Components [draft]

    • Open Web Application Security Project (OWASP)

    • OWASP Top 10 Most Critical Web Application Security Risks

    • OWASP Application Security Verification Standard Project (ASVS)

  • Privacy Frameworks

    • Fair Information Practice Principles (FIPPs)

    • Generally Accepted Privacy Principles (GAPP)

    • ISO 27018: Information Technology -- Security Techniques -- Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors

    • OASIS Privacy Management Reference Model and Methodology (PMRM)

    • Privacy by Design (PbD)

SCF Coverage

The SCF provides mapping to the following cybersecurity & privacy-related statutory, regulatory and industry frameworks (please note that this list is regularly being updated as new mappings are added):

Geography | Source | Authoritative Source (Statutory / Regulatory / Contractual / Industry Framework) | Version
----------|--------|-------------------------------------------------------------------------------------------|--------
Universal | AICPA | Generally Accepted Privacy Principles (GAPP) | N/A
Universal | AICPA | Service Organization Control - Trust Services Criteria (TSC) - SOC 2 | 2016
Universal | AICPA | Service Organization Control - Trust Services Criteria (TSC) - SOC 2 | 2017
Universal | CIS | Critical Security Controls (CSC) | 6.1
Universal | CIS | Critical Security Controls (CSC) | 7.1
Universal | COSO | Committee of Sponsoring Organizations (COSO) 2013 Framework | 2013
Universal | COSO | Committee of Sponsoring Organizations (COSO) 2017 Framework | 2017
Universal | CSA | Cloud Controls Matrix (CCM) | 3.0.1
Universal | EU | European Union Agency for Network and Information Security (ENISA) | 2
Universal | ISACA | Control Objectives for Information and Related Technologies (COBIT) | 5
Universal | ISACA | Control Objectives for Information and Related Technologies (COBIT) | 2019
Universal | ISO | 22301 - Security and resilience - Business continuity management systems - Requirements | 2019
Universal | ISO | 27001 - Information Security Management Systems (ISMS) - Requirements | 2013
Universal | ISO | 27002 - Code of Practice for Information Security Controls | 2013
Universal | ISO | 27018 - Code of Practice for Protection of PII in Public Clouds Acting as PII Processors | 2014
Universal | ISO | 27701 - Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines | 2019
Universal | ISO | 29100 - Privacy Framework | 2011
Universal | ISO | 31000 - Risk Management | 2009
Universal | ISO | 31010 - Risk Assessment Techniques | 2009
Universal | MPAA | MPAA Content Security Best Practices Common Guidelines | 4.04
Universal | NAIC | Insurance Data Security Model Law (MDL-668) | N/A
Universal | NIST | SP 800-37 - Guide for Applying the RMF to Federal Information Systems | rev 1
Universal | NIST | SP 800-37 - Guide for Applying the RMF to Federal Information Systems | rev 2
Universal | NIST | SP 800-39 - Managing Information Security Risk | N/A
Universal | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations | rev 4
Universal | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations | rev 5 (draft)
Universal | NIST | SP 800-63B - Digital Identity Guidelines (partial mapping) | Jun-17
Universal | NIST | SP 800-160 - Systems Security Engineering | N/A
Universal | NIST | SP 800-171 - Protecting CUI in Nonfederal Systems and Organizations | rev 1
Universal | NIST | SP 800-171B - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets | draft
Universal | NIST | Cybersecurity Framework (CSF) | 1.1 (Apr 19)
Universal | OWASP | Top 10 Most Critical Web Application Security Risks | 2017
Universal | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) | 3.2
Universal | SWIFT | SWIFT Customer Security Controls Framework | 2019
Universal | UL | 2900-1 - Software Cybersecurity for Network-Connectable Products | N/A
US | Federal | US DOJ / FBI - Criminal Justice Information Services (CJIS) Security Policy | 5.5
US | Federal | US DOJ / FBI - Criminal Justice Information Services (CJIS) Security Policy | 5.8
US | Federal | Children's Online Privacy Protection Act (COPPA) | N/A
US | Federal | Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 | 252.204-7008
US | Federal | Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 | 252.204-7012
US | Federal | Fair & Accurate Credit Transactions Act (FACTA) / Fair Credit Reporting Act (FCRA) | N/A
US | Federal | Family Educational Rights and Privacy Act (FERPA) | N/A
US | Federal | Federal Acquisition Regulation (FAR) | 52.204-21
US | Federal | Federal Financial Institutions Examination Council (FFIEC) | N/A
US | Federal | Federal Risk and Authorization Management Program (FedRAMP) | Moderate
US | Federal | Financial Industry Regulatory Authority (FINRA) | N/A
US | Federal | Food & Drug Administration (FDA) | 21 CFR Part 11
US | Federal | Federal Trade Commission (FTC) Act | N/A
US | Federal | Gramm-Leach-Bliley Act (GLBA) | N/A
US | Federal | Health Industry Cybersecurity Practices (HICP) - Small / Medium / Large Practice | N/A
US | Federal | Health Insurance Portability and Accountability Act (HIPAA) | N/A
US | Federal | Internal Revenue Service (IRS) Publication 1075 | N/A
US | Federal | National Industrial Security Program Operating Manual (NISPOM) | N/A
US | Federal | North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) | N/A
US | Federal | Privacy Shield | N/A
US | Federal | Sarbanes-Oxley Act (SOX) | N/A
US | Federal | Social Security Administration (SSA) Electronic Information Exchange Security Requirements | 8
US | State | AK - Alaska Personal Information Protection Act (PIPA) | N/A
US | State | CA - SB327 | N/A
US | State | CA - SB1121 - California Consumer Privacy Act (CCPA) | N/A
US | State | CA - SB1386 | N/A
US | State | MA - 201 CMR 17.00 | N/A
US | State | NY - NY DFS 23 NYCRR 500 | N/A
US | State | NV - SB220 | N/A
US | State | OR - ORS 646A | N/A
US | State | SC - South Carolina Insurance Data Security Act | N/A
US | State | TX - BC521 | N/A
US | State | TX - Cybersecurity Act | N/A
US | State | TX - 2019 - SB820 | N/A
EMEA | EU | ePrivacy Directive | draft
EMEA | EU | General Data Protection Regulation (GDPR) | N/A
EMEA | EU | Second Payment Services Directive (PSD2) | N/A
EMEA | Austria | Federal Act concerning the Protection of Personal Data (DSG 2000) | N/A
EMEA | Belgium | Act of 8 December 1992 | N/A
EMEA | Czech Republic | Act No. 101/2000 on the Protection of Personal Data | N/A
EMEA | Denmark | Act on Processing of Personal Data (Act No. 429 of May 31, 2000) | N/A
EMEA | Finland | Personal Data Act (986/2000) | N/A
EMEA | France | Law 78-17 / 2004-801 - Information Technology, Data Files & Civil Liberties | N/A
EMEA | Germany | Cloud Computing Compliance Controls Catalogue (C5) | N/A
EMEA | Germany | Federal Data Protection Act | N/A
EMEA | Greece | Protection of Individuals with Regard to the Processing of Personal Data (2472/1997) | N/A
EMEA | Hungary | Informational Self-Determination and Freedom of Information (Act CXII of 2011) | N/A
EMEA | Ireland | Data Protection Act (2003) | N/A
EMEA | Israel | Cybersecurity Methodology for an Organization | 1
EMEA | Israel | Protection of Privacy Law, 5741 - 1981 | N/A
EMEA | Italy | Personal Data Protection Code | N/A
EMEA | Luxembourg | Protection of Persons with Regard to the Processing of Personal Data | N/A
EMEA | Netherlands | Personal Data Protection Act | N/A
EMEA | Norway | Personal Data Act | N/A
EMEA | Poland | Act of 29 August 1997 on the Protection of Personal Data | N/A
EMEA | Portugal | Act on the Protection of Personal Data | N/A
EMEA | Russia | Federal Law of 27 July 2006 N 152-FZ | N/A
EMEA | Russia | Russian Labor Code | N/A
EMEA | Slovak Republic | Protection of Personal Data (122/2013) | N/A
EMEA | South Africa | Protection of Personal Information Act (POPIA) | N/A
EMEA | Spain | Royal Decree 1720/2007 (protection of personal data) | N/A
EMEA | Sweden | Personal Data Act | N/A
EMEA | Switzerland | Federal Act on Data Protection (FADP) | N/A
EMEA | Turkey | Regulation on Protection of Personal Data in Electronic Communications Sector | N/A
EMEA | UAE | Data Protection Law No. 1 of 2007 | N/A
EMEA | United Kingdom | Data Protection Act | N/A
APAC | Australia | Privacy Act 1988 | N/A
APAC | Australia | Australian Government Information Security Manual (ISM) | 2017
APAC | China | Decision on Strengthening Network Information Protection | N/A
APAC | Hong Kong | Personal Data (Privacy) Ordinance | N/A
APAC | India | Information Technology Rules (Privacy Rules) | N/A
APAC | Indonesia | Government Regulation No. 82 of 2012 | N/A
APAC | Japan | Act on the Protection of Personal Information | N/A
APAC | Malaysia | Personal Data Protection Act of 2010 | N/A
APAC | New Zealand | Privacy Act of 1993 | N/A
APAC | New Zealand | New Zealand Information Security Manual (NZISM) | N/A
APAC | Philippines | Data Privacy Act of 2012 | N/A
APAC | Singapore | Personal Data Protection Act of 2012 | N/A
APAC | Singapore | Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines | N/A
APAC | South Korea | Personal Information Protection Act | N/A
APAC | Taiwan | Personal Data Protection Act | N/A
Americas | Argentina | Personal Data Protection Law No. 25,326 | N/A
Americas | Argentina | Protection of Personal Data - MEN-2018-147-APN-PTE | N/A
Americas | Bahamas | Data Protection Act | N/A
Americas | Brazil | General Data Protection Law (LGPD) | N/A
Americas | Canada | Personal Information Protection and Electronic Documents Act (PIPEDA) | N/A
Americas | Chile | Act 19628 - Protection of Personal Data | N/A
Americas | Colombia | Law 1581 of 2012 | N/A
Americas | Costa Rica | Protection of the Person in the Processing of His Personal Data | N/A
Americas | Mexico | Federal Law on Protection of Personal Data held by Private Parties | N/A
Americas | Peru | Personal Data Protection Law | N/A
Americas | Uruguay | Law No. 18,331 - Protection of Personal Data and Action "Habeas Data" | N/A