Blog: Consultancy advice

Which security framework? All of them, in the SCF

Kamaria Harvey 27 Sep 2023

TL;DR:

  • All roads lead to Rome. There are plenty of ways to meet your security requirements
  • ISO 27001 is not everything. There, I said it
  • What is the Secure Controls Framework (SCF)?
  • Why you should consider SCF on your journey to security excellence

PTP has a myriad of customers coming for help to improve their security posture. They usually default to one framework, ISO 27001. But ISO 27001 is not your only option. Let me introduce the Secure Controls Framework (SCF).

The SCF is a valuable resource for organisations seeking to establish and maintain a robust cybersecurity program. It can be customised to fit different organisation sizes and industries, making it a versatile tool for enhancing security in a rapidly evolving threat landscape. It is capable of dealing with the larger challenges like People, Processes, Technology, and Data (PPTD), that controls in general are designed to address.

Over 1,000 controls are presently included in the SCF framework, which is baselined against over 150 standards and pieces of legislation, and is regularly updated.

Although the SCF has some resemblance to individualised certifications such as ISO 27001, NIST 800-53, and PCI DSS, it stands apart due to its meta framework strategy. This approach involves addressing cybersecurity and data protection requirements that encompass numerous laws, regulations, and frameworks.

As an organisation trying to determine which road you should go down, you first need to consider why you’re doing this. Are you in an industry where compliance is mandated and regulated? Do you have vendors or third parties requiring compliance under contractual obligations? Do you want to improve your security posture through alignment to an industry standard?

You need to understand your driver for what should be a deeply embedded program that requires ongoing maintenance and development. Do you have key stakeholders on side? Do you have a comprehensive understanding of your risk appetite? Ultimately, do you understand the repercussions of a breach in security for both you as an organisation, and the customers you serve?

Control families

The SCF is not a single rigid framework. It’s a flexible and adaptable resource that is organised into several control families, each addressing a different aspect of cybersecurity. These control families are:

  • Access Control
    Focuses on managing and controlling access to systems and data, including user authentication, authorization, and access policies.
  • Audit and Accountability
    Covers logging and auditing practices to track and monitor system activities for security and compliance purposes.
  • Awareness and Training
    Addresses security awareness programs and training for employees to ensure they are aware of security risks and best practices.
  • Configuration Management
    Deals with the management and control of system configurations, including software and hardware configurations, to minimize vulnerabilities.
  • Incident Response and Management
    Covers processes and procedures for detecting, responding to, and mitigating cybersecurity incidents.
  • Risk Management
    Focuses on identifying, assessing, and managing cybersecurity risks within the organization.
  • Security Assessment and Authorization
    Includes processes for assessing and authorizing systems and applications before they are deployed or used in production.
  • Security Continuous Monitoring
    Involves continuous monitoring of security controls and systems to detect and respond to security threats and vulnerabilities in real-time.
  • Security Governance
    Addresses the overall governance and management of an organization’s cybersecurity program, including policies, procedures, and oversight.
  • System and Communications Protection
    Covers measures to protect data in transit and at rest, including encryption and network security.
  • System and Information Integrity
    Focuses on ensuring the integrity of data and systems through measures like anti-malware, data validation, and error handling.
  • Security Engineering
    Includes practices and controls related to secure software development and system design.
  • Supply Chain Risk Management
    Addresses the assessment and management of cybersecurity risks associated with the supply chain and third-party vendors.
  • Privacy and Data Protection
    Deals with the protection of sensitive and personal data, including compliance with privacy regulations.

Purpose

The SCF aims to assist organisations in multiple ways whilst working towards a comprehensive and mature security posture:

  • Identifying Security Requirements
    Helps organisations identify the security requirements and controls that are relevant to their specific industry, regulatory environment, and risk profile.
  • Implementing Security Controls
    Provides guidance on how to implement and configure security controls effectively.
  • Monitoring and Assessing Security Posture
    Organisations can use the SCF to continuously monitor and assess their security posture, identifying weaknesses and areas for improvement.
  • Compliance and Reporting
    Assists organisations in demonstrating compliance with various cybersecurity standards, regulations, and best practices.

It’s important to note that the exact control families and their content will evolve over time as the SCF is updated to align with changes in the cybersecurity landscape, industry regulations, and best practices. Organisations can customize and tailor the SCF to their specific needs and regulatory requirements.

Featured frameworks

If you’re looking for specific security frameworks that might be referenced or used in conjunction with the SCF, they include well-known standards and frameworks such as:

  • NIST Cybersecurity Framework
    Developed by the National Institute of Standards and Technology (NIST), this framework provides guidelines for organisations to manage and reduce cybersecurity risk.
  • ISO/IEC 27001
    This international standard specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of the organization’s overall business risks.
  • CIS Controls
    Developed by the Centre for Internet Security (CIS), these are a set of best practices for securing an organization’s IT systems and data.
  • NIST SP 800-53
    This publication from NIST provides a catalogue of security and privacy controls for federal information systems and organisations and is widely used in government and industry.
  • COBIT (Control Objectives for Information and Related Technologies)
    COBIT is a framework for the governance and management of enterprise IT. It provides a comprehensive set of controls and guidelines for IT governance and management.
  • PCI DSS (Payment Card Industry Data Security Standard)
    This standard is specifically for organisations that handle payment card data and provides requirements for securing payment card transactions.

Conclusion

Framework alignment is a board decision however, one that is usually guided or mandated by contractual and legal obligations. But in some cases, a company just wants to… do better!

In both cases, the SCF has you covered. If you want to go above and beyond your mandated obligations, considering the SCF to align to multiple frameworks can often save time in the long run. You will find your justification for alignment to one requirement within a single framework will also cover off a like-for-like in another, vastly reducing the time required to assess or audit against a given standard.

As I’ve said, all roads do indeed lead to Rome.