Secure By Design & Default

Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. That process documents reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements.

The approach looks at the following spheres of influence to identify applicable controls:

  • Statutory obligations

  • Regulatory obligations

  • Contractual obligations

  • Industry-recognized "best practices"


It is best to visualize the SCF as a buffet of cybersecurity and privacy controls, where there is a selection of 740+ controls available to you. Once you know what is applicable to you, you can generate a customized control set that gives you the controls you need to address your statutory, regulatory and contractual obligations.

The SCF's mission is to provide a powerful catalyst that will advance how cybersecurity and privacy controls are utilized at the strategic, operational and tactical layers of an organization, regardless of its size or industry.

Designing & Building An Audit-Ready Cybersecurity & Privacy Program

Building a security program that routinely incorporates security and privacy practices into daily operations requires a mastery of the basics. A useful analogy is with the children's toy, LEGO®. With LEGO® you can build nearly anything you want — either through following directions or using your own creativity. However, it first requires an understanding of how various LEGO® shapes either snap together or are incompatible.


Once you master the fundamentals with LEGO®, it is easy to keep building and become immensely creative since you know how everything interacts. However, when the fundamentals are ignored, the LEGO® structure will be weak and include systemic flaws. Security and privacy really are not much different, since those disciplines are made up of numerous building blocks that all come together to build secure systems and processes. The lack of critical building blocks will lead to insecure and poorly architected solutions.


When you envision each component that makes up a security or privacy “best practice” as a LEGO® block, it is possible to conceptualize how certain requirements are the foundation that other components attach to. Only when all the building blocks come together and take shape do you get a functional security / privacy program!


Think of the SCF as a toolkit for you to build out your overall security program domain-by-domain so that cybersecurity and privacy principles are designed, implemented and managed by default!

Understanding Cybersecurity & Privacy By Design

Security by Design (SbD)

These requirements come from numerous sources. In this context, some of the most important cybersecurity frameworks are:


  • International Organization for Standardization (ISO)

  • National Institute of Standards and Technology (NIST)

  • US Government (HIPAA, FedRAMP, DFARS, FAR & FTC Act)

  • Information Systems Audit and Control Association (ISACA)

  • Cloud Security Alliance (CSA)

  • Center for Internet Security (CIS)

  • Open Web Application Security Project (OWASP)

  • Payment Card Industry Data Security Standard (PCI DSS)

  • European Union General Data Protection Regulation (EU GDPR)

Privacy by Design (PbD)

These requirements come from numerous sources. In this context, some of the most important privacy frameworks are:

  • Generally Accepted Privacy Principles (GAPP)

  • Fair Information Practice Principles (FIPPs)

  • Organization for the Advancement of Structured Information Standards (OASIS)

  • International Organization for Standardization (ISO)

  • National Institute of Standards and Technology (NIST)

  • Information Systems Audit and Control Association (ISACA)

  • European Union General Data Protection Regulation (EU GDPR)

  • US Government (HIPAA & FTC Act)

Statutory Cybersecurity & Privacy Requirements

Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. From a cybersecurity and privacy perspective, statutory compliance requirements include:

  • US - Federal Laws

    • Children's Online Privacy Protection Act (COPPA)

    • Fair and Accurate Credit Transactions Act (FACTA) - including "Red Flags" rule

    • Family Educational Rights and Privacy Act (FERPA)

    • Federal Information Security Management Act (FISMA)

    • Federal Trade Commission (FTC) Act

    • Gramm-Leach-Bliley Act (GLBA)

    • Health Insurance Portability and Accountability Act (HIPAA)

    • Sarbanes-Oxley Act (SOX)

  • US - State Laws

    • California SB1386

    • California Consumer Privacy Act (CCPA)

    • Massachusetts 201 CMR 17.00

    • Oregon ORS 646A.622

  • International Laws

    • Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)

    • UK - Data Protection Act (DPA)

    • Other countries' variations of Personal Data Protection Acts (PDPA)

Regulatory Cybersecurity & Privacy Requirements

Regulatory obligations are also required by law, but they differ from statutory requirements in that they refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements by proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and privacy perspective, regulatory compliance examples include:

  • US Regulations

    • Defense Federal Acquisition Regulation Supplement (DFARS) - NIST 800-171

    • Federal Acquisition Regulation (FAR)

    • Federal Risk and Authorization Management Program (FedRAMP)

    • DoD Information Assurance Risk Management Framework (DIARMF)

    • National Industrial Security Program Operating Manual (NISPOM)

    • New York Department of Financial Services (NY DFS) 23 NYCRR 500

  • International Regulations

    • European Union General Data Protection Regulation (EU GDPR)

    • EU ePrivacy Directive

Contractual Cybersecurity & Privacy Requirements

Contractual obligations are required by a legal contract between private parties. This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association, where membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:

  • Payment Card Industry Data Security Standard (PCI DSS)

  • Financial Industry Regulatory Authority (FINRA)

  • Service Organization Control (SOC)

  • Generally Accepted Privacy Principles (GAPP)

Industry-Leading "Best Practices" for Cybersecurity & Privacy

Leading practices may be required under a contractual obligation with a client or partner, but these industry frameworks are commonly referenced for “what right looks like” in how technology is implemented. Leading frameworks are generally more technical in nature and provide granular requirements. From a cybersecurity and privacy perspective, common leading frameworks include:

  • Cybersecurity Frameworks

    • Center for Internet Security (CIS) Critical Security Controls (CSC)

    • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

    • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

    • ISO 15288: Systems and Software Engineering -- System Life Cycle Processes

    • ISO 27002: Information Technology -- Security Techniques -- Code of Practice for Information Security Controls

    • NIST 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

    • NIST 800-39: Managing Information Security Risk: Organization, Mission and Information System View

    • NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

    • NIST 800-64: Security Considerations in the System Development Life Cycle

    • NIST 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

    • NIST 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

    • NIST 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations

    • NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

    • NIST IR 7298: Glossary of Key Information Security Terms

    • NIST IR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems

    • NIST IR 8179: Criticality Analysis Process Model: Prioritizing Systems and Components [draft]

    • Open Web Application Security Project (OWASP)

    • OWASP Top 10 Most Critical Web Application Security Risks

    • OWASP Application Security Verification Standard Project (ASVS)

  • Privacy Frameworks

    • Fair Information Practice Principles (FIPPs)

    • Generally Accepted Privacy Principles (GAPP)

    • ISO 27018: Information Technology -- Security Techniques -- Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors

    • OASIS Privacy Management Reference Model and Methodology (PMRM)

    • Privacy by Design (PbD)

SCF Coverage

The SCF provides mapping to the following cybersecurity & privacy-related statutory, regulatory and industry frameworks (please note that this list is regularly being updated as new mappings are added):

Secure Controls Framework Council, LLC (SCF Council) disclaims any liability whatsoever for the use of this website or the Secure Controls Framework™ (SCF). Use at your own risk.


If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. This website is for educational purposes only and does not render professional services advice - it is not a substitute for dedicated professional services. There is no endorsement of any kind in the company listing of SCF Solution Providers - It is entirely your responsibility to conduct appropriate due care and due diligence in selecting and engaging with a consultant to assist in your implementation of the SCF.

SCF Council does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website, or its contents, is assumed by the user.


SCF Council reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

© 2019. Secure Controls Framework Council, LLC
