Security & Privacy by Design Principles (S|P)

The S|P establishes 32 common-sense principles to guide the development and oversight of a modern security and privacy program. The S|P is sourced from the Secure Controls Framework (SCF), which is a free resource for businesses. The SCF’s comprehensive listing of over 1,000 cybersecurity and
privacy controls is categorized into 32 domains that are mapped to over 100 statutory, regulatory and contractual frameworks. Those applicable SCF controls can operationalize the S|P principles to help an organization ensure that secure practices are implemented by design and by default. Those 32
S|P principles are listed below:

1. Security & Privacy Governance 12. Embedded Technology

Execute a documented, risk-based program that supports business objectives while Provide additional scrutiny to reduce the risks associated with embedded technology, version 2022.1
encompassing appropriate security and privacy principles that addresses applicable based on the potential damages posed from malicious use of the technology.
statutory, regulatory and contractual obligations.

2. Asset Management 13. Endpoint Security 23. Project & Resource Management
Manage all technology assets from purchase through disposition, both physical and Harden endpoint devices to protect against reasonable threats to those devices and the Operationalize a viable strategy to achieve cybersecurity & privacy objectives that
virtual, to ensure secured use, regardless of the asset’s location. data those devices store, transmit and process. establishes cybersecurity as a key stakeholder within project management
practices to ensure the delivery of resilient and secure solutions.

3. Business Continuity & Disaster Recovery 14. Human Resources Security 24. Risk Management
Maintain a resilient capability to sustain business-critical functions while successfully Execute sound hiring practices and ongoing personnel management to cultivate a Proactively identify, assess, prioritize and remediate risk through alignment with
responding to and recovering from incidents through well-documented and exercised security and privacy-minded workforce. industry-recognized risk management principles to ensure risk decisions adhere to the
processes. organization's risk threshold.

4. Capacity & Performance Planning 15. Identification & Authentication 25. Secure Engineering & Architecture
Govern the current and future capacities and performance of technology assets. Enforce the concept of “least privilege” consistently across all systems, applications and Utilize industry-recognized secure engineering and architecture principles to deliver
services for individual, group and service accounts through a documented and secure and resilient systems, applications and services.
standardized Identity and Access Management (IAM) capability.

5. Change Management 16. Incident Response 26. Security Operations

Manage change in a sustainable and ongoing manner that involves active participation Maintain a viable incident response capability that trains personnel on how to recognize Execute the delivery of security and privacy operations to provide quality services and
from both technology and business stakeholders to ensure that only authorized changes and report suspicious activities so that trained incident responders can take the appropriate secure systems, applications and services that meet the organization's business needs.
occur. steps to handle incidents, in accordance with a documented Incident Response Plan (IRP).

6. Cloud Security 17. Assurance 27. Security Awareness & Training

Govern cloud instances as an extension of on-premise technologies with equal or Execute an impartial assessment process to validate the existence and functionality of Foster a security and privacy-minded workforce through ongoing user education about
greater security protections than the organization’s own internal cybersecurity and appropriate cybersecurity and privacy controls, prior to a system, application or service evolving threats, compliance obligations and secure workplace practices.
privacy controls. being used in a production environment.

7. Compliance 18. Maintenance 28. Technology Development & Acquisition

Oversee the execution of cybersecurity and privacy controls to ensure appropriate Proactively maintain technology assets, according to current vendor recommendations Develop and test systems, applications or services according to a Secure Software
evidence required due care and due diligence exists to meet compliance with applicable for configurations and updates, including those supported or hosted by third-parties. Development Framework (SSDF) to reduce the potential impact of undetected or
statutory, regulatory and contractual obligations. unaddressed vulnerabilities and design weaknesses.

8. Configuration Management 19. Mobile Device Management 29. Third-Party Management

Enforce secure configurations for systems, applications and services according to Implement measures to restrict mobile device connectivity with critical infrastructure and Execute Supply Chain Risk Management (SCRM) practices so that only trustworthy
vendor-recommended and industry-recognized secure practices. sensitive data that limit the attack surface and potential data exposure from mobile device third-parties are used for products and/or service delivery.
usage.

9. Continuous Monitoring 20. Network Security 30. Threat Management

Maintain situational awareness of security-related events through the centralized Architect and implement a secure and resilient defense-in-depth methodology that enforces Leverage industry-recognized Attack Surface Management (ASM) practices to
collection and analysis of event logs from systems, applications and services. the concept of “least functionality” through restricting network access to systems, strengthen the security and resilience systems, applications and services against
applications and services. evolving and sophisticated attack vectors.

10. Cryptographic Protections 21. Physical & Environmental Security 31. Vulnerability & Patch Management
Utilize appropriate cryptographic solutions and industry-recognized key management Protect physical environments through layers of physical security and environmental Utilize a risk-based approach to vulnerability and patch management practices that
practices to protect the confidentiality and integrity of sensitive data both at rest and in controls that work together to protect both physical and digital assets from theft and minimizes the attack surface of systems, applications and services.
transit. damage.

11. Data Classification & Handling 22. Privacy 32. Web Security
Enforce a standardized data classification methodology to objectively determine the Align privacy practices with industry-recognized privacy principles to implement Ensure the security and resilience of Internet-facing technologies through secure
sensitivity and criticality of all data and technology assets so that proper handling and appropriate administrative, technical and physical controls to protect regulated personal configuration management practices and monitoring for anomalous activity.
disposal requirements can data throughout the lifecycle of systems, applications and services.
be followed.

Security & Privacy Capability Maturity Model (SP-CMM) The SP-CMM enables organizations using the S|P and associated SCF controls to identify objective expectations for each control, based
CMM 0 CMM 1 CMM 2 CMM 3 CMM 4 CMM 5 on the targeted maturity level.
Not Performed Performed Informally Planned & Tracked Well Defined Quantitatively Controlled Continuously Improving
METRICS-DRIVEN Based on the criteria provided by each of the SP-CMM’s maturity levels, this allows the SCF to assess maturity across multiple statutory,
NEGLIGENT AD HOC REQUIREMENTS-DRIVEN ENTERPRISE-WIDE WORLD-CLASS
PRACTICES regulatory or contractual requirement, since it is written to be objective and the maturity is focused at the control level. The SP-CMM is a
PRACTICES PRACTICES PRACTICES STANDARDIZATION PRACTICES
free resource for businesses and is included as part of the SCF.

Copyright © 2022 by Secure Controls Framework Council, LLC (SCF Council). All rights reserved.
All text, images, logos, trademarks and information contained in this document are the intellectual property of SCF Council, unless otherwise indicated. Modification of any content, including text and images, requires the prior written permission of SCF Council. Requests may be sent to [email protected].
Security & Privacy Capability Maturity Model (SP-CMM)
The SP-CMM a Capability Maturity Model (CMM) that was designed to help solve the problem of objectivity in both establishing and evaluating cybersecurity and privacy control, so maturity criteria can exist to defend decision
There are three main objectives for the SP-CMM:
1. Provide CISO/CPOs/CIOs with objective criteria that can be used to establish expectations for a cybersecurity & privacy program;
2. Provide objective criteria for project teams so that secure practices are appropriately planned and budgeted for; and
3. Provide minimum criteria that can be used to evaluate third-party service provider controls.

EXCESSIVE CMM 5
RISK OPTIMAL
RISK TAKING PERCEIVED VALUE Continuously
Improving

CMM 4
Quantitatively
Controlled DIMINISHING
PERCEIVED VALUE
LITTLE OR NO
PROCESS CMM 3
OVERSIGHT
REVIEW LAG Well-Defined
OPTIMAL
CMM 2 RISK TAKING
ANNUAL
Planned & REVIEWS

NEGLIGENCE THRESHOLD
Tracked

STAKEHOLDER CMM 1 MONTHLY / QUARTERLY

Performed REVIEWS
VALUE Informally NEAR REAL-TIME
(AI / ML-DRIVEN)
CMM 0
Not CAPABILITY MATURITY “SWEET SPOT”
Performed

NON-EXISTENT AD HOC REQUIREMENTS-DRIVEN ENTERPRISE-WIDE METRICS-DRIVEN WORLD-CLASS

PRACTICES PRACTICES PRACTICES STANDARDIZATION PRACTICES PRACTICES

MATURITY LEVEL (PEOPLE, PROCESSES, TECHNOLOGY & DATA) = INCREASING COST & COMPLEXITY
RISK : Risk decreases with maturity, but noticeable risk reductions are harder to attain above CMM 3.
PROCESS IMPROVEMENTS : Process improvements increase with maturity, based on shorter review cycles and increased process oversight. Artificial Intelligence (AI) and Machine Learning
(ML) can make process improvements near real-time at CMM 5.
STAKEHOLDER VALUE : The perceived value of security controls increases with maturity, but plateaus after CMM 3 and decreases after CMM 4. The value of the additional cost and
complexity is harder to justify after CMM 3.
Copyright © 2022 by Secure Controls Framework Council, LLC (SCF Council). All rights reserved.
All text, images, logos, trademarks and information contained in this document are the intellectual property of SCF Council, unless otherwise indicated. Modification of any content, including text and images, requires the prior written permission of SCF Council. Requests may be sent to [email protected].