Build Custom Templates using the Secure Controls Framework

This article covers the Secure Controls Framework (SCF), how it works, and why it is useful for making custom templates for myITprocess.

The Standards Library in myITprocess is one of the most powerful tools the software has to offer. With it, a vCIO and TAM can tailor their alignment and strategy to an individual customer or to a wide range of customers. Templates come in many shapes and sizes, usually adhering to an appropriate audit, compliance, or regulatory standard.

Sections—commonly referred to as Templates—are customizable to meet the needs of every client. They can come in many forms.

  • A preloaded Default Template to provide a true “out of the box” experience. Sections cover Core Infrastructure, Software, Business Continuity, and others. The purpose is to have a standards baseline for Technology Service Providers (TSPs) from the start, kickstarting the standards and alignment process.
  • Compliance and regulatory templates designed after specific documentation. For instance, NIST 800-53, 800-171, and the Cybersecurity Framework (CSF) are direct copies of the security controls in myITprocess format. Prestructured compliance templates give a TSP flexibility while interpreting the end result on their own.
  • Customized templates for certain needs like monthly and quarterly checks or creating routine assessments for many locations.

Related article: What is the Standards Library?

Creating a custom audit is difficult, tedious, and time-consuming. When reducing risk at a customer location, a TSP does not want to miss obvious items that later turn into a big issue. Is it possible to make a reliable Business Continuity template? Can templates map to NIST, CIS, or SOC 2 security controls to reassure customers that the assessment holds water? With the Secure Controls Framework (SCF), custom templates are only a few clicks away.

What is the Secure Controls Framework?

The Secure Controls Framework (SCF) is a database of shared information on how best to protect an organization from cyber threats. As stated on their website (www.securecontrolsframework.com), their mission “is to provide a powerful catalyst that will advance how cybersecurity and privacy controls are utilized at the strategic, operational and tactical layers of an organization, regardless of its size or industry.”

About the SCF

The SCF is made up of volunteers, mainly specialists within the cybersecurity profession, who focus on Governance, Risk and Compliance (GRC) and the cybersecurity side of privacy. These are auditors, engineers, architects, incident responders, consultants and other specialists who live and breathe these topics on a daily basis. The end product is "expert-derived content" that makes up the SCF.

We have the ambitious goal of providing cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of its size, industry or country of origin. The end state is to help companies become and stay compliant with cybersecurity and privacy requirements. The glue that ties GRC together is a uniform set of controls. Unfortunately, in most organizations, there is no set of shared controls and that leads to poor governance practices and an overall weaker state of security and privacy.

An open-source security framework that is useful for organizations of any size. Sounds great, right? The plethora of information provided in the SCF is overwhelming at first, and finding a starting point may take some time. With 32 domains to work with, there is an abundance of topics that help build out a custom template for almost any need. In short, the SCF allows a user to assemble their own control set from the 32 domains.

IDENTIFIER  DOMAIN TITLE                               IDENTIFIER  DOMAIN TITLE
GOV         Security & Privacy Governance              IAO         Assurance
AST         Asset Management                           MNT         Maintenance
BCD         Business Continuity & Disaster Recovery    MDM         Mobile Device Management
CAP         Capacity & Performance Planning            NET         Network Security
CHG         Change Management                          PES         Physical & Environmental Security
CLD         Cloud Security                             PRI         Privacy
CPL         Compliance                                 PRM         Project & Resource Management
CFG         Configuration Management                   RSK         Risk Management
MON         Continuous Monitoring                      SEA         Secure Engineering & Architecture
CRY         Cryptographic Protections                  OPS         Security Operations
DCH         Data Classification & Handling             SAT         Security Awareness & Training
EMB         Embedded Technology                        TDA         Technology Development & Acquisition
END         Endpoint Security                          TPM         Third-Party Management
HRS         Human Resources Security                   THR         Threat Management
IAC         Identification & Authentication            VPM         Vulnerability & Patch Management
IRO         Incident Response                          WEB         Web Security

The 32 SCF Domains.

All security controls in the SCF break down into four major categories.

  • Statutory Cybersecurity & Privacy Requirements
    • Includes US Federal, US State, and International Laws.
  • Regulatory Cybersecurity & Privacy Requirements
    • Includes US & International Regulations.
  • Contractual Cybersecurity & Privacy Requirements
    • Includes contractual obligations like PCI, SOC, etc.
  • Industry-Leading "Best Practices" for Cybersecurity & Privacy
    • Includes Cybersecurity (NIST, ISO, CIS) and Privacy (GAPP, ISO) Frameworks.

The information the SCF provides makes it an incredibly powerful tool. It may not fulfill the needs of all TSPs, or even work for many of them. The important thing to understand is that it exists as a plain-text control set for anyone to use.

Create Your Own Tailored SCF Control Set

The SCF website gives users two options: create a custom control set or download everything in an Excel spreadsheet. Both options have pros and cons, so the choice is completely at the discretion of the user. This section of the article details three steps:

  1. Create a custom SCF control set from the online tool.
  2. Use the SCF Master Spreadsheet.
  3. Map fields from the SCF to a myITprocess template.

This section covers only the steps required to export the SCF controls and format them for myITprocess. It is up to the user to fill in the gaps.

Create a Custom SCF Control Set from the Online Tool

Navigate to the SCF page for customization here: https://www.securecontrolsframework.com/customize-the-scf. The directions listed on the page are as follows:

  1. Click on the "Choose Your Mandates" drop-down and click on all the requirements that apply to your organization.
  2. Click on the "Create Table" image that appears once you start selecting your requirements.
  3. Click on the "Download Excel" image to download a CSV file that contains your customized set of SCF controls, based on what you selected in the first step.

The animation below shows the steps.



The exported CSV file needs minor tweaks to make the columns easier to read. It is a raw output format, so there is no fancy formatting or color scheme. That is the difference from the SCF Master Spreadsheet: formatting, color schemes, and the kitchen sink.

Use the SCF Master Spreadsheet

The Master Spreadsheet is at this link: https://www.securecontrolsframework.com/download-scf. This version contains all 32 domains and their appropriate mappings. It is daunting to look at due to the amount of information on a single sheet. The benefit of the Excel sheet is that savvy Excel users can navigate it and move items around as they see fit.



Excel version of the Secure Controls Framework.

The Master Spreadsheet provides extra fields over the customized control set. For starters, it includes the Relative Control Weighting column which rates each control from 1 (low priority) to 10 (high priority). Each is color-coded for ease of readability. The weighted rating system is beneficial when determining how to mark question priority in myITprocess.

The other column is Function Grouping. This column puts questions from each domain into its own control group—like NIST 800-171. The groups listed are Identify, Protect, Detect, Respond, and Recover. These categories are useful when prioritizing groups of questions into categories.

It is best to download the Master Spreadsheet first and take a look around. The layout begins to make sense after navigating through the various columns for a while. The connection between the SCF controls and the other frameworks clearly begins to stand out. Plus, the user can see how statutes and regulations compare and contrast with each other.

Map Fields from the SCF to a myITprocess Template

Output generated by the SCF differs from the exported myITprocess default template. The three fields—Question text, Why we are asking, and How to—require shuffling of the information in the export from the SCF.

Related article: Import/Export Standards Library

The examples below show the SCF export and a myITprocess template. Notice which fields map to the myITprocess default template.

SCF Controls for Backup Continuity & Disaster Recovery:



myITprocess template format:



Fields were mapped from SCF to myITprocess as follows.

  • SCF Control > Question Title
  • SCF # > Prefix to Question Title
  • SCF Control Description > Question Text
  • Methods To Comply With SCF Controls > How To?

The only field that is not copied directly is ‘Why Are We Asking’. This information derives from the regulation, statute, contract, or best practice. In the previous example, the SCF Controls map to NIST 800-53: Recommended Security Controls for Federal Information Systems and Organizations.
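To show the field mapping above as a repeatable step rather than a manual copy-and-paste, here is an added example (not code from the article or from myITprocess) that reads an SCF CSV export and writes rows in the myITprocess layout. It assumes the SCF column headers are named exactly as the article names them, that the myITprocess import headers match the field names in the mapping list, and that the 1–10 Relative Control Weighting is banded into Low/Medium/High priority; the sample rows are constructed for illustration.

```python
import csv
import io

# Column headers as the article names them (assumed to match the SCF export exactly).
SCF_COLUMNS = ("SCF #", "SCF Control", "SCF Control Description",
               "Methods To Comply With SCF Controls", "Relative Control Weighting")
# Target fields taken from the article's mapping list (import header names assumed).
MIP_COLUMNS = ("Question Title", "Question Text", "Why Are We Asking", "How To?", "Priority")

def weighting_to_priority(weight):
    """Band the SCF 1-10 Relative Control Weighting into three priorities (assumed bands)."""
    w = int(weight)
    if not 1 <= w <= 10:
        raise ValueError("Relative Control Weighting must be 1-10, got %r" % (weight,))
    return "High" if w >= 8 else "Medium" if w >= 5 else "Low"

def map_scf_row(row, why_text):
    """Apply the article's field mapping to one SCF control row."""
    return {
        "Question Title": "%s %s" % (row["SCF #"], row["SCF Control"]),  # SCF # prefixes the title
        "Question Text": row["SCF Control Description"],
        # Not in the SCF export: the template author supplies the regulation/statute text per control.
        "Why Are We Asking": why_text.get(row["SCF #"], ""),
        "How To?": row["Methods To Comply With SCF Controls"],
        "Priority": weighting_to_priority(row["Relative Control Weighting"]),
    }

def convert_scf_to_template(scf_csv_text, why_text):
    """Read an SCF CSV export and return (mapped rows, CSV text in the myITprocess layout)."""
    reader = csv.DictReader(io.StringIO(scf_csv_text))
    missing = [c for c in SCF_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:  # fail loudly instead of silently producing empty template fields
        raise ValueError("SCF export is missing columns: %s" % ", ".join(missing))
    rows = [map_scf_row(r, why_text) for r in reader]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=MIP_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return rows, out.getvalue()

# Constructed sample export: two BCD-style rows with invented text, not real SCF control content.
SAMPLE_SCF_CSV = (
    "SCF #,SCF Control,SCF Control Description,Methods To Comply With SCF Controls,Relative Control Weighting\n"
    "BCD-01,Business Continuity Management,Constructed: a continuity plan exists.,\"Constructed: written plan, reviewed yearly.\",10\n"
    "BCD-02,Continuity Plan Training,Constructed: staff know their roles.,Constructed: annual tabletop exercise.,6\n"
)
# Constructed "Why Are We Asking" text keyed by SCF #; the author pastes the mapped control text here.
SAMPLE_WHY = {"BCD-01": "NIST 800-53 CP-1 (control text pasted by the template author)"}

if __name__ == "__main__":
    print(convert_scf_to_template(SAMPLE_SCF_CSV, SAMPLE_WHY)[1])
```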

Why were these mapped to NIST controls? There are a few valid reasons:

  • NIST provides standards and best practices free of charge that function across many industries.
  • The SCF Controls—by design—map to popular compliance frameworks.
  • Mapping to an existing framework requires less effort in preparing a template and more time performing an assessment.
  • It creates peace of mind for customers when best practices reference well-established authorities.

The NIST 800-53 Control CP-1 states:

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

Quoting the control text directly in the myITprocess template sets the standard for quality assessments. The SCF provides references to the specific controls listed under those regulations but does not provide their text. Supplying it requires manual intervention by the user creating each template.



Custom template in the Standards Library.

Resources

Secure Controls Framework (SCF)

https://www.securecontrolsframework.com

Standards Library (myITprocess)

/hc/en-us/sections/360002650194-Standards-Library-
