The Dilemma: Your small/medium enterprise (SME) is growing. That’s a good thing, right? In some respects yes, but as your business grows, so will your regulatory and compliance overhead. Customers demand that you meet certain information security or cybersecurity requirements, government or industry bodies mandate specific compliance requirements, and even internal business needs may dictate the use of specific governance frameworks.
How do you manage these disparate requirements? A single set of information and cyber security controls, mapped to your various compliance requirements, can help bring order to the chaos. Sales enablement, regulatory audits going smoothly, and reduced costs for compliance are all benefits a unified set of controls can provide.
What is SCF?
The Secure Controls Framework (SCF) is a free-to-use tool provided by a company called Verutus (closely related to Compliance Forge, who make some great tools & templates for a variety of compliance needs), and can be accessed here: https://www.securecontrolsframework.com/. It contains over 740 controls across 32 domains. That sounds overwhelming, but don’t worry! It’s quite thorough, and you are able to pick only the SCF Domains you need to implement. These include basics like Asset Management and Cryptographic Protections, along with more comprehensive topics such as Privacy and Project & Resource Management.
Each domain contains a number of SCF Controls, each tagged with an ID made up of a domain abbreviation and a sequence number, e.g., Security & Privacy Governance Control #1 is GOV-01. Each control comes with a relatively easy-to-read description, which is important for a business implementing compliance, infosec, or cyber security for the first time. There’s also a set of helpful guidance called “Methods to Comply with SCF Controls”, which gives both first-time implementers and seasoned security pros a quick and easy starting point.
Why is SCF Useful?
The SCF has two major benefits. First is its mixture of comprehensiveness and simplicity. The 32 domains cover the vast majority of compliance, InfoSec, and cyber security needs for a great many businesses. At the same time, the Control language is still approachable enough to be useful to novices - you don’t need decades of experience in any of these fields to implement business processes and tools that meet the SCF Controls.
The second benefit SCF offers is an extensive list of cross-references. The controls are mapped to 100 other security and compliance frameworks from a variety of sources, including:
- Common InfoSec and cybersecurity frameworks - AICPA’s System and Organization Controls report (SOC 2), Control Objectives for Information and Related Technologies (COBIT), Cloud Security Alliance Cloud Controls Matrix (CSA CCM), ISO 27001, and the National Institute of Standards and Technology Special Publications (NIST SP) 800-53 & 800-171
- US Federal and State Regulations - Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), EU-US Privacy Shield (note that Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so that mapping no longer provides a lawful transfer mechanism on its own), and the NY DFS Cybersecurity Regulation (23 NYCRR 500).
- EU GDPR - The General Data Protection Regulation contains a very complex set of requirements. The SCF workbook shows cross-mappings of GDPR articles, roles, and target audience (management/technical).
- EU and Asia Pacific data protection acts, including Austria, Germany, UK, Australia, Hong Kong, and Singapore.
- Data protection acts in the Americas, including Argentina, Canada (PIPEDA), and Mexico.
So does that mean SCF will make you globally compliant with all these 100 frameworks? Not quite, as there may be some regional nuances you need to take into account. However, having a unified set of controls that allow you to check multiple boxes across several industry and country frameworks certainly gives you a leg up!
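The practical value of the cross-references is that you can query them: pick the controls you intend to implement, then ask which requirements of a given framework are still uncovered. The script below is an added example, not SCF or Zeguro code, and the controls, domains and mapping cells in it are constructed to mirror the shape of the SCF workbook (one row per control, one column per target framework); they are not the real SCF mappings, so consult the workbook itself for those.

```python
"""Query a control-to-framework crosswalk in the style of the SCF workbook.

Added example, not SCF or Zeguro code. The controls, domains and mappings
below are constructed for illustration; they are NOT the real SCF mappings
(consult the workbook at securecontrolsframework.com for those).
"""
import csv
import io

# Constructed crosswalk in the shape of the SCF workbook: one row per control,
# one column per target framework holding the mapped requirement IDs
# (semicolon-separated, blank when no mapping exists). IDs are illustrative.
CROSSWALK_CSV = """control_id,domain,description,ISO 27001,NIST SP 800-171,GDPR
GOV-01,Security & Privacy Governance,Publish security & privacy program,5.1;5.2,3.12.4,Art 24
AST-01,Asset Management,Maintain inventory of technology assets,8.1,3.4.1,
CRY-01,Cryptographic Protections,Use cryptography to protect data,10.1,3.13.11,Art 32
PRI-01,Privacy,Publish a privacy notice,,,Art 13;Art 14
IAC-01,Identification & Authentication,Uniquely identify users,9.2,3.5.1,Art 32
"""

META_COLUMNS = ("control_id", "domain", "description")


def load_crosswalk(text):
    """Parse workbook-style CSV into (framework names, list of control dicts).

    Each control dict carries the metadata columns plus a 'mappings' dict of
    framework -> set of requirement IDs (empty set when unmapped).
    """
    reader = csv.DictReader(io.StringIO(text))
    frameworks = [c for c in reader.fieldnames if c not in META_COLUMNS]
    controls = []
    for row in reader:
        mappings = {}
        for fw in frameworks:
            cell = (row.get(fw) or "").strip()
            mappings[fw] = {r.strip() for r in cell.split(";") if r.strip()}
        controls.append({**{k: row[k] for k in META_COLUMNS}, "mappings": mappings})
    return frameworks, controls


def domain_of(control_id):
    """SCF-style IDs are '<DOMAIN>-<NN>'; return the domain abbreviation."""
    prefix, _, number = control_id.partition("-")
    if not prefix or not number.isdigit():
        raise ValueError(f"malformed control id: {control_id!r}")
    return prefix


def controls_for_frameworks(controls, targets):
    """Controls that map to at least one requirement of any target framework."""
    return sorted(
        c["control_id"] for c in controls
        if any(c["mappings"].get(fw) for fw in targets)
    )


def shared_controls(controls, targets):
    """Controls that satisfy requirements in *every* target framework at once:
    the 'check multiple boxes' set a unified control catalogue gives you."""
    return sorted(
        c["control_id"] for c in controls
        if all(c["mappings"].get(fw) for fw in targets)
    )


def coverage_gaps(controls, target, implemented):
    """Requirements of `target` that no implemented control maps to.

    This is what you still owe an auditor after implementing only the
    domains/controls you selected.
    """
    required, covered = set(), set()
    for c in controls:
        reqs = c["mappings"].get(target, set())
        required |= reqs
        if c["control_id"] in implemented:
            covered |= reqs
    return sorted(required - covered)


if __name__ == "__main__":
    fws, ctrls = load_crosswalk(CROSSWALK_CSV)
    print("frameworks:", fws)
    print("controls relevant to ISO 27001 + GDPR:",
          controls_for_frameworks(ctrls, ["ISO 27001", "GDPR"]))
    print("controls hitting all three frameworks:", shared_controls(ctrls, fws))
    done = {"GOV-01", "AST-01"}
    print("GDPR gaps after implementing GOV-01 and AST-01:",
          coverage_gaps(ctrls, "GDPR", done))
```

The gap report is the part worth keeping around: rerun it each time you add a target framework or drop a domain, and it tells you exactly which requirement IDs (not just which controls) are uncovered, which is the question an auditor will ask. The regional nuances mentioned above still have to be reviewed by hand; a mapping cell says a control is relevant to a requirement, not that your implementation of it is sufficient.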
How should I get started implementing SCF Controls?
There are two paths that can help you launch a compliance program based on the SCF, differentiated by what’s driving your compliance initiative.
SCF: A valuable tool for SMEs
An increased understanding of the importance of cybersecurity has led to a large number of frameworks, audit reports, and tools designed to help. Unfortunately, this abundance makes the approach to securing your small/medium enterprise more confusing than ever. Which framework is right? How do you get started? Which part of the framework should you address first? SCF aims to simplify this situation, which makes it ideal for an SME that wants to kickstart efforts to secure its business. This is the same idea driving Zeguro’s Virtual Cybersecurity Officer. We take the guesswork out of identifying and mitigating your cyber risks, allowing you to focus on growing your business on a cyber-secure footing.