SCF Practitioners

A common issue for organizations is finding competent personnel to help build and maintain their cybersecurity and privacy programs. To help with this effort, the SCF created the SCF Practitioner™ designation to help identify an individual who has expertise with the SCF. You can find listings for SCF-knowledgeable consultants on the SCF Marketplace.

Note - as with any service, it is entirely your obligation to perform due diligence to ensure a consultant can competently meet your specific needs. 

SCF PRACTITIONER CODE OF CONDUCT (VERSION 2023.1)

SCF Practitioners have an influential and privileged role in how the Secure Controls Framework (SCF)™ is both adopted and utilized by an organization. Therefore, a SCF Practitioner™ must be able to account for the decisions and behaviors exhibited.

SCF Practitioners have no employment, contract or any other form legally-binding relationship with the Secure Controls Framework Council, LLC (SCF Council), where the term “SCF Practitioner™” is only provided as a means to help market the SCF Practitioner’s familiarity with the SCF to prospective clients. Any services provided by a SCF Practitioner are solely between a SCF Practitioner and their client. The Secure Controls Framework Council, LLC (SCF Council) trademarked the term “SCF Practitioner™” and it allows individuals to utilize that term to describe their use of the SCF, as long as the following criteria are met:

• Indemnify the SCF Council for any consulting services or professional services provided as a SCF Practitioner;
• Maintain familiarity with recommended SCF practices/guidance; and
• SCF Practitioners must abide by the SCF Practitioner Code of Conduct to utilize the term “SCF Practitioner” to describe themselves.

SCF Practitioner Recommended SCF Practices / Guidance:

• Integrated Controls Management (ICM) – this is the SCF Council’s recommended practice to approach SCF tailoring and implementation.
• Security & Privacy Capability Maturity Model (SP-CMM) – this is the maturity criteria associated with each control.
• Security & Privacy Risk Management Model (SP-RMM) – this is a risk assessment and reporting model that is specific to the SCF.
• SCF Conformity Assessment Program (SCF CAP) – this is the only authorized assessment methodology for the SCF.
• Unified Scoping Guide (USG) – this is the methodology used in the SCF CAP to determine control applicability.

SCF Practitioner Code of Conduct:

• Be honest, impartial and committed to conducting rigorous, objective and fair assessments.
• Adhere to professional conduct with truth, accuracy, fairness, responsibility and objectivity.
• Avoid Conflicts of Interest (COI).
• Treat all information gained about any client organization confidentially and sensitively.
• Be able to act professionally and objectively under adverse pressure to deviate from recommended SCF practices/guidance. Seek clarification from the SCF Council for matters that are unclear or need authoritative guidance.
• Honestly represent professional qualifications, competence and experience. Honest representation requires the SCF Practitioner to not undertake consulting / professional services beyond the SCF Practitioner’s capabilities.
• Strive to increase the prestige of the SCF.
• Be professionally qualified and competent for any consulting / professional services role that the SCF Practitioner accepts, as well as be capable of fulfilling the role’s responsibilities.
• Inform client organizations of any business connections, interests, or affiliations which might influence SCF Practitioner judgment or which could be perceived to influence SCF Practitioner objectivity.