If CSA community practitioners haven't encountered this one before and are looking for one, this is a solid guidance framework that I've been using to help guide my cloud customers on internal controls, called the SCF (Secure Controls Framework). It is called a metaframework since it is a framework of frameworks and covers many domains, including risk management.
Key summary points:
- Openly licensed under Creative Commons (no subscription for updates required), but cannot be reused and repackaged as part of a product for revenue
- Positioned and used primarily for internal controls
- Is Excel friendly and can be imported into a SaaS toolset
- Has documentation that can be scanned and reused by end-users
- Has 32 domains covered with over 1K controls covered
- Covers a multi-vendor landscape (Ostendio, Logicgate, Ignyte, etc.)
- There isn't an SCF certification available but a CAP (Conformity Assessment Program) is in progress (launch date: TBD)
- The SCF Metaframework is easier to adopt and more holistic, less proprietary than others
- People, Processes and Technology under the C4P (Cybersecurity 4 Privacy by Design) can be presented to executives simply without the need of having a lot of deep-rabbit hole discussions, with a focus on metrics
As always, hit me up if you have any practitioner questions and I'll try to get back to you in a day or so.
Link:
https://www.securecontrolsframework.com/secure-by-default
------------------------------
Kristian Gonzalez
Security Team
IoT Home Lab
------------------------------