Start Here: Make Compliance A Natural Byproduct of Secure Practices

The Secure Controls Framework™ (SCF) focuses on internal controls. These are the cybersecurity and privacy-related policies, standards, procedures, technologies and associated processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected. This page will covers the following topics:

SCF - Overview & Instructions.png

  • Level setting what the SCF is and what it is not

  • Integrated Controls Management (ICM) approach to develop a Plan, Do, Check & Act (PDCA) approach to controls

  • Recommendations to tailor the control set for your needs:

    • Defining Minimum Compliance Criteria (MCC)

    • Defining Discretionary Security Requirements (DSR)

    • Leveraging the Security & Privacy Capability Maturity Model (SP-CMM)

    • Leveraging the Security & Privacy Risk Management Model (SP-RMM)

  • Ways to operationalize the SCF

For your off-line reading pleasure, you can download the PDF version of this helpful information

The SCF's mission is to provide a powerful catalyst that will advance how cybersecurity and privacy controls are utilized at the strategic, operational and tactical layers of an organization, regardless of its size or industry.

What Is The Secure Controls Framework (SCF)?

The concept of the SCF is to have a metaframework (e.g., framework of frameworks) that is capable of addressing the broader People, Processes, Technology and Data (PPTD) that are what controls fundamentally exists to govern.

Holistic Cybersecurity & Data Protection - Strategic Operational Tactical Cybersecurity Co

Using the SCF should be viewed as a long-term tool to not only help with compliance-related efforts but to ensure security and privacy principles are properly designed, implemented and maintained. The SCF helps implement a holistic approach to protecting the Confidentiality, Integrity, Availability and Safety (CIAS) of your data, systems, applications and other processes. The SCF can be used to assist with strategic planning down to tactical needs that impact the people, processes and technologies directly impacting your organization.

Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements.

The approach looks at the following spheres of influence to identify applicable controls:

  • Statutory obligations

  • Regulatory obligations

  • Contractual obligations

  • Industry-recognized "best practices"


It is best to visualize the SCF as a buffet of cybersecurity and privacy controls, where there is a selection of 1,000+ controls available to you. Once you know what is applicable to you, you can generate a customized control set that gives you the controls you need to address your statutory, regulatory and contractual obligations.

Why You Should Use The SCF

There is no sales pitch for using the SCF – it is a free resource so there is no financial incentive for us to make companies use it:

  • For companies that have just one 1-2 compliance requirements, the SCF might be considered overkill for your needs.

  • For companies that have 3+ compliance requirements (e.g., organization that has requirements to address ISO 27002, SOC 2, PCI DSS and GDPR), then the SCF is a great tool to streamline the management of cybersecurity and privacy controls.


In developing the SCF, we identified and analyzed over 100 statutory, regulatory and contractual frameworks. Through analyzing these thousands of legal, regulatory and framework requirements, we identified commonalities and this allows several thousand unique controls to be addressed by the controls that makeup the SCF. For instance, a requirement to maintain strong passwords is not unique, since it is required by dozens of laws, regulations and frameworks. This allows one well-worded SCF control to address multiple requirements. This focus on simplicity and sustainability is key to the SCF, since it can enable various teams to speak the same controls language, even though they may have entirely different statutory, regulatory or contractual obligations that they are working towards.


The SCF targets silos, since siloed practices within any organization are inefficient and can lead to poor security, due to poor communications and incorrect assumptions.

What The SCF Is

The SCF is a comprehensive catalog of controls that is designed to enable companies to design, build and maintain secure processes, systems and applications. The SCF addresses both cybersecurity and privacy, so that these principles are designed to be “baked in” at the strategic, operational and tactical levels.


The SCF is:

  • A control set.

  • A useful tool to provide a “Rosetta Stone” approach to organizing cybersecurity and privacy controls so that the same controls can be used among companies and teams (e.g., privacy, cybersecurity, IT, project, procurement, etc.).

  • Free for businesses to use. A result of a volunteer-led effort that uses “expert derived assessments” to perform the mapping from the controls to applicable laws, regulations and other frameworks.


The SCF also contains helpful guidance on possible tools and solutions to address controls. Additionally, it contains maturity criteria that can help an organization plan for and evaluate controls, based on a target maturity level.

What The SCF Is Not

While the SCF is a comprehensive catalog of controls that is designed to enable companies to design, build and maintain secure processes, systems and applications, the SCF will only ever be a control set and is not a “magic bullet” technology solution to address every possible cybersecurity and privacy compliance obligation that an organization faces.


The SCF is not:

  • A substitute for performing due diligence and due care steps to understand your specific compliance needs.

  • A complete technology or documentation solution to address all your security & privacy needs (e.g., the policies, standards, procedures and processes you need to have in place to be secure and compliant).

  • Infallible or guaranteed to meet every compliance requirement your organization offers, since the controls are mapped based on expert-derived assessments to provide the control crosswalking that relies on human expertise and that is not infallible.

Integrated Controls Management (ICM) Approach To Building A Security Program

Building a security program that routinely incorporates security and privacy practices into daily operations requires a mastery of the basics. A useful analogy is with the children's toy, LEGO®. With LEGO® you can build nearly anything you want — either through following directions or using your own creativity. However, it first requires an understanding of how various LEGO® shapes either snap together or are incompatible.


Once you master the fundamentals with LEGO®, it is easy to keep building and become immensely creative since you know how everything interacts. However, when the fundamentals are ignored, the LEGO® structure will be weak and include systemic flaws. Security and privacy really are not much different, since those disciplines are made up of numerous building blocks that all come together to build secure systems and processes. The lack of critical building blocks will lead to insecure and poorly architected solutions.


When you envision each component that makes up a security or privacy “best practice” is a LEGO® block, it is possible to conceptualize how certain requirements are the foundation that form the basis for others components to attach to. Only when the all the building blocks come together and take shape do you get a functional security / privacy program!


Think of the SCF as a toolkit for you to build out your overall security program domain-by-domain so that cybersecurity and privacy principles are designed, implemented and managed by default!

Controls Are Key To Everything In Cybersecurity & Data Protection


The premise of Integrated Controls Management (ICM) is that controls are central to cybersecurity and privacy operations, as well as the overall business rhythm of an organization.

ICM is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. ICM is designed to address both internal controls, as well as the broader concept of Supply Chain Risk Management (SCRM).

Integrated Controls Management (ICM) cover.jpg

ICM specifically focuses on the need to understand and clarify the difference between "compliant" versus "secure" since that is necessary to have coherent risk management discussions. To assist in this process, an organization’s applicable controls are categorized according to “must have” vs “nice to have” requirements:

  • Minimum Compliance Criteria (MCC) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts. MCC are primarily externally-influenced, based on industry, government, state and local regulations. MCC should never imply adequacy for secure practices and data protection, since they are merely compliance-related.

  • Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite since DSR are “above and beyond” MCC, where the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments. DSR are primarily internally-influenced, based on the organization’s respective industry and risk tolerance. While MCC establish the foundational floor that must be adhered to, DSR are where organizations often achieve improved efficiency, automation and enhanced security.

Using The SCF Starts With Defining "Must Have" & "Nice to Have" Requirements

As described above, the concept of MCC & DSR are a crucial step to get right, otherwise you will likely design it incorrectly that will leave gaps that can expose your organization to issues of non-compliance and/or inadequate security practices.

When you add MCC & DSR, you are able to define "what right looks like" for your organization, which equates to your Minimum Security Requirements (MSR) that can be published to project teams, risk management, engineers, etc. The MSR is the blueprint for an organization to build security and privacy in by design across the SDLC and business-as-usual operations.

2022.1 - MCC Minimum Compliance Criteria DSR Discretionary Security Requirements.jpg

Plan, Do, Check & Act (PDCA) Approach To Cybersecurity & Data Protection

Within the ICM, its principles are overlaid onto the following graphic to show how a PDCA approach for continuous improvement of your cybersecurity and data protection program is possible:

  1. Establish Context

  2. Define Applicable Controls

  3. Assign Maturity-Based Criteria

  4. Publish Policies, Standards & Procedures

  5. Assign Stakeholder Accountability

  6. Maintain Situational Awareness

  7. Manage Risk

  8. Evolve Processes


More Than Just A Control Set

Where the SCF sets itself apart from other metaframeworks is the following:

  • Capability maturity criteria for each control

  • Proposed control weighting (not all controls are as important in risk management decisions)

  • Built-in risk catalog

  • Built-in threat catalog

For the capability maturity criteria, we published the ​Security & Privacy Capability Maturity Model (SP-CMM). 


To make use of the risk & threat catalogs, we published the Security & Privacy Risk Management Model (SP-RMM). 

This is where the Integrated Controls Management (ICM) model ties all those capabilities together to help you design the controls that are right for your organization, as well as be able to leverage that same control set to help understand risks and threats. This is a "paint by numbers" approach to operationalizing your cybersecurity and data protection program!

Understanding Cybersecurity & Privacy By Design

Security by Design (SbD)

These requirements come from numerous sources. In this context, some of the most important cybersecurity frameworks are:


  • International Organization for Standardization (ISO)

  • National Institute for Standards & Technology (NIST)

  • US Government (HIPAA, FedRAMP, DFARS, FAR & FTC Act)

  • Information Systems Audit and Control Association (ISACA)

  • Cloud Security Alliance (CSA)

  • Center for Internet Security (CIS)

  • Open Web Application Security Project (OWASP)

  • Payment Card Industry Data Security Standard (PCI DSS)

  • European Union General Data Protection Regulation (EU GDPR)

Privacy by Design (PbD)

These requirements come from numerous sources. In this context, some of the most important privacy frameworks are:

  • Generally Accepted Privacy Principles (GAPP)

  • Fair Information Practice Principles (FIPPs)

  • Organization for the Advancement of Structured Information Standards (OASIS)

  • International Organization for Standardization (ISO)

  • National Institute for Standards & Technology (NIST)

  • Information Systems Audit and Control Association (ISACA)

  • European Union General Data Protection Regulation (EU GDPR)

  • US Government (HIPAA & FTC Act)

Statutory Cybersecurity & Privacy Requirements

Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. From a cybersecurity and privacy perspective, statutory compliance requirements include:

  • US - Federal Laws

    • Children's Online Privacy Protection Act (COPPA)

    • Fair and Accurate Credit Transactions Act (FACTA) - including "Red Flags" rule

    • Family Education Rights and Privacy Act (FERPA)

    • Federal Information Security Management Act (FISMA)

    • Federal Trade Commission (FTC) Act

    • Gramm-Leach-Bliley Act (GLBA)

    • Health Insurance Portability and Accountability Act (HIPAA)

    • Sarbanes-Oxley Act (SOX)

  • US - State Laws

    • California SB1386

    • California Consumer Privacy Act (CCPA)

    • Massachusetts 201 CMR 17.00

    • Oregon ORS 646A.622

  • International Laws

    • Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)

    • UK - Data Protection Act (DPA)

    • Other countries' variations of Personal Data Protect Acts (PDPA)

Regulatory Cybersecurity & Privacy Requirements

Regulatory obligations are required by law, but are different from statutory requirements in that these requirements refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements through proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and privacy perspective, regulatory compliance examples include:

  • US Regulations

    • Defense Federal Acquisition Regulation Supplement (DFARS) - NIST 800-171

    • Federal Acquisition Regulation (FAR)

    • Federal Risk and Authorization Management Program (FedRAMP)

    • DoD Information Assurance Risk Management Framework (DIARMF)

    • National Industrial Security Program Operating Manual (NISPOM)

    • New York Department of Financial Services (NY DFS) 23 NYCRR 500

  • International Regulations

    • European Union General Data Protection Regulation (EU GDPR)

    • EU ePrivacy Directive

Contractual Cybersecurity & Privacy Requirements

Contractual obligations are required by legal contract between private parties. This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association that membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:

  • Payment Card Industry Data Security Standard (PCI DSS)

  • Financial Industry Regulatory Authority (FINRA)

  • Service Organization Control (SOC)

  • Generally Accepted Privacy Principles (GAPP)

Industry-Leading "Best Practices" for Cybersecurity & Privacy

Leading practices may be required under a contractual obligation with a client or partner, but these industry frameworks are commonly referenced for “what right looks like” with how technology is implemented. Leading frameworks generally more technical in nature and provide granular requirements. From a cybersecurity and privacy perspective, common leading frameworks include:

  • Cybersecurity Frameworks

    • Center for Internet Security (CIS) Critical Security Controls (CSC)

    • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

    • Department of Defense Cybersecurity Agency (DISA) Secure Technology Implementation Guides (STIGs)

    • ISO 15288: Systems and Software Engineering -- System Life Cycle Processes

    • ISO 27002: Information Technology -- Security Techniques -- Code of Practice for Cybersecurity Controls

    • NIST 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

    • NIST 800-39: Managing Cybersecurity Risk: Organization, Mission and Information System View

    • NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

    • NIST 800-64: Security Considerations in System Development Lifecycle

    • NIST 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

    • NIST 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

    • NIST 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations

    • NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

    • NIST IR 7298: Glossary of Key Cybersecurity Terms

    • NIST IR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems

    • NIST IR 8179: Criticality Analysis Process Model: Prioritizing Systems and Components [draft]

    • Open Web Application Security Project (OWASP)

    • OWASP Top 10 Most Critical Web Application Security Risks

    • OWASP Application Security Verification Standard Project (ASVS)

  • Privacy Frameworks

    • Fair Information Practice Principles (FIPP)

    • Generally Accepted Privacy Practices (GAPP)

    • ISO 27018: Information Technology -- Security Techniques -- Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors

    • OASIS Privacy Management Reference Model and Methodology (PMRM)

    • Privacy by Design (PbD)