A common issue for organizations is finding competent personnel to help build and maintain their cybersecurity and privacy programs. To help with this effort, the SCF created the SCF Practitioner™ designation to help identify an individual who has expertise with the SCF. You can find listings for SCF-knowledgeable consultants on the SCF Marketplace.
Note: as with any service, it is entirely your obligation to perform due diligence to ensure a consultant can competently meet your specific needs.
SCF PRACTITIONER CODE OF CONDUCT (VERSION 2023.1)
SCF Practitioners have an influential and privileged role in how the Secure Controls Framework (SCF)™ is both adopted and utilized by an organization. Therefore, a SCF Practitioner™ must be able to account for the decisions and behaviors exhibited.
SCF Practitioners have no employment, contract or any other form of legally-binding relationship with the Secure Controls Framework Council, LLC (SCF Council). The term “SCF Practitioner™” is only provided as a means to help market the SCF Practitioner’s familiarity with the SCF to prospective clients. Any services provided by a SCF Practitioner are solely between a SCF Practitioner and their client. The SCF Council trademarked the term “SCF Practitioner™” and it allows individuals to utilize that term to describe their use of the SCF, as long as the following criteria are met:
- Indemnify the SCF Council for any consulting services or professional services provided as a SCF Practitioner;
- Maintain familiarity with recommended SCF practices/guidance; and
- SCF Practitioners must abide by the SCF Practitioner Code of Conduct to utilize the term “SCF Practitioner” to describe themselves.
SCF Practitioner Recommended SCF Practices / Guidance:
- Integrated Controls Management (ICM) – this is the SCF Council’s recommended practice to approach SCF tailoring and implementation.
- Security & Privacy Capability Maturity Model (SP-CMM) – this is the maturity criteria associated with each control.
- Security & Privacy Risk Management Model (SP-RMM) – this is a risk assessment and reporting model that is specific to the SCF.
- SCF Conformity Assessment Program (SCF CAP) – this is the only authorized assessment methodology for the SCF.
- Unified Scoping Guide (USG) – this is the methodology used in the SCF CAP to determine control applicability.
SCF Practitioner Code of Conduct:
- Be honest, impartial and committed to conducting rigorous, objective and fair assessments.
- Adhere to professional conduct with truth, accuracy, fairness, responsibility and objectivity.
- Avoid Conflicts of Interest (COI).
- Treat all information gained about any client organization confidentially and sensitively.
- Be able to act professionally and objectively under adverse pressure to deviate from recommended SCF practices/guidance. Seek clarification from the SCF Council for matters that are unclear or need authoritative guidance.
- Honestly represent professional qualifications, competence and experience. Honest representation requires the SCF Practitioner to not undertake consulting / professional services beyond the SCF Practitioner’s capabilities.
- Strive to increase the prestige of the SCF.
- Be professionally qualified and competent for any consulting / professional services role that the SCF Practitioner accepts, as well as be capable of fulfilling the role’s responsibilities.
- Inform client organizations of any business connections, interests, or affiliations which might influence SCF Practitioner judgment or which could be perceived to influence SCF Practitioner objectivity.