An SCF Licensed Content Provider (LCP) is authorized by the SCF Council, LLC to sell derivative works of the SCF including SCF-based policies, standards, procedures, and more. Only an SCF LCP is authorized to provide SCF-based derivative content.
ComplianceForge is an SCF LCP and sells cybersecurity and data protection policies, standards, procedures, and other documentation solutions based on the SCF.
ComplianceForge’s SCF-based policies, standards, and procedures can save an organization a significant amount of money in the labor-related costs of researching, writing, and refining cybersecurity documentation. ComplianceForge’s SCF-based documentation can also be obtained the same day you purchase it, so the time savings are immense.
Two Key Advantages
The ComplianceForge Reference Model is also referred to as the Hierarchical Cybersecurity Governance Framework (HCGF). This reference model is designed to encourage clear communication by defining generally accepted cybersecurity and data protection documentation components and how those are linked. This comprehensive view identifies the primary documentation components that are necessary to demonstrate evidence of due diligence and due care.
The HCGF addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, assessment objectives, risks, threats, procedures & metrics.
The Secure Controls Framework (SCF) fits into this model by providing the necessary cybersecurity and privacy controls an organization needs to implement to stay secure, compliant, and resilient. ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and data protection documentation in the following diagram to demonstrate the unique nature of these components, as well as the dependencies that exist.

The Security, Compliance & Resilience Program (SCRP) is the next evolution of the Digital Security Program (DSP). ComplianceForge evolved the DSP into the SCRP to support the SCF’s Security, Compliance & Resilience Management System (SCRMS) focused on helping companies be secure, compliant, and resilient.
The metaframework nature of the SCF enables the SCRP to provide governance documentation (policies and standards) for over 200 cybersecurity & data privacy laws, regulations, and frameworks. The SCRP consists of the thirty-three (33) SCF domains that define a modern security program. For each SCF domain, there is a corresponding policy. For each SCF control, there is a corresponding standard.
The SCRP is a one-time purchase with no software to install. You are buying content in the form of Microsoft Office-based documentation templates that you can edit for your specific needs. The SCRP provides the necessary policies, control objectives, standards, guidelines, and metrics to operationalize the SCF for your organization.
GRC-Ready Format
The SCRP is the recommended solution if you are currently using or plan to use a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) solution. The SCRP is ready to import into your GRC/IRM instance, coming in both Microsoft Word and Excel formats.
SCRP Policies & Standards
The SCRP's policies & standards have direct, 1-1 mapping to the SCF's controls. The SCF's integration provides mapped risks, threats, maturity criteria, Assessment Objectives (AOs), and evidence artifacts, including SCR Principles, Privacy Management Principles (PMP), SCR-CMM, SCR-RMM, and Premium GRC Content.
The Case for Purchasing vs. Writing Your Own
When you look at the costs associated with either hiring an external consultant or tasking internal staff, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant at $300/hr+, you can save months of wait time and tens of thousands of dollars. Compared to writing your own, you can save hundreds of work hours and associated lost productivity.
The Cybersecurity Standardized Operating Procedures (CSOP) is an enterprise-class solution for SCF-based procedures that augments the Security, Compliance & Resilience Program (SCRP)’s SCF-based policies, control objectives, standards, guidelines, and metrics.
The CSOP is a one-time purchase with no software to install. You are buying content in the form of Microsoft Office-based documentation templates. The CSOP comes in both Microsoft Word and Excel formats, making it easy to import into a GRC/IRM solution. For each SCF control, there is a corresponding procedure in the CSOP.
Ownership Model for Documentation
Policies, standards, and controls are designed to be centrally managed at the corporate level. Procedures are by their very nature decentralized, where control implementation at the team level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).
From an auditability perspective, evidence of due diligence and due care should match what the organization’s cybersecurity business plan is attempting to achieve. The central focus of any procedures should be a Capability Maturity Model (CMM) target that provides quantifiable expectations for People, Processes, and Technologies (PPT).
The Data Privacy Program (DPP) is a solution to accelerate the adoption and implementation of a privacy program at your organization. The DPP leverages the SCF’s Privacy Management Principles, providing flexibility due to its mapping to commonly cited privacy laws, regulations, and frameworks.
The DPP is a one-time purchase with no software to install. You are buying content in the form of Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use the DPP. The DPP is capable of scaling for any sized company.
What the DPP Covers
The DPP addresses the who/what/when/where/why/how concepts that need to exist to operationalize privacy principles, including: stakeholder identification and accountability structure, applicable privacy-specific laws and regulations, Concept of Operations (CONOPS), targeted privacy maturity level, data classification and handling guidelines, and more.
Privacy Frameworks Covered: AICPA TSC, APEC, CPRA, EU GDPR, FIPPs (DHS & OMB), GAPP, HIPAA Privacy Rule, ISO/IEC 27701:2019, ISO/IEC 29100:2011, Nevada SB820, NIST SP 800-53 R4/R5, NIST Privacy Framework v1.0, OASIS PMRM, OECD, OMB Circular A-130, PIPEDA, and Privacy by Design (PbD), totaling 19 privacy frameworks.