The SCF: What is it and why does it matter for data protection?

Jul 30, 2021 7:15:00 AM | Industry The SCF: What is it and why does it matter for data protection?

If you had to guess the year when the first data privacy law in the world came to be, what would you guess?

You may be surprised to learn that the very first data privacy law dates back to 1970.

It was passed by the state of Hesse in Germany. One year later, a similar bill would be submitted at the federal level, and eight years later, on January 1, 1978, it came into full enforcement throughout Germany. In the 1980s several crucial developments came to German constitutional law, one being that personal data is constitutionally protected in Germany. The so-called "right to self-determination of information" was determined to be a central human right, justified by the very first sentence of Germany's constitution: "Human dignity is inviolable." Indeed, privacy, in no uncertain terms, is a central tenant of German data law. Eventually, Germany would pass the Bundesdatenschutzgesetz (BDSG) in 1990. It protected personal data which was manually stored or processed in IT systems from unethical exposure.

While Germany developed the world's first data protection law and was an early champion of data privacy, much of the rest of the world would enact its own data privacy laws in the coming decades. Fast forward to 2021 and more than 120 countries have now adopted data privacy laws of their own, which have consequences that reach far beyond ****any physical borders.

This constantly changing regulatory environment creates problems for companies trying to achieve compliance: resources, intra-institutional coordination, and due diligence, to list a few. While legislatures attempt to set realistic deadlines for the adoption of new legislation, those deadlines aren't always as realistic as they might seem for every business. For example, 35% of businesses surveyed in the United States reported they would not be CCPA compliant by the time it was put into effect on January 1, 2020.

To compound the problem of tackling the current regulatory environment, compliance can be a massive time and resource drain, and the cost of making errors in this process is high. The process of becoming compliant often involves initiatives that reach far across institutions, involving expensive labor hours for weeks, months, or even years on end.

Time is money—not just money gained by achieving voluntary compliance frameworks that help win contracts, but money lost to fines enforced due to non-compliance with data privacy legislation that is constantly being enacted in various forms worldwide. Sound like a mess? It absolutely is.

So, a natural question arises: how can this process be improved?

Enter the SCF.

The Secure Controls Framework (SCF), according to its website, is "a comprehensive catalog of controls that is designed to enable companies to design, build and maintain secure processes, systems, and applications."

To generalize, the SCF is a document that lays out a framework for statutory, regulatory, and contractual compliance. It's updated several times a year to adapt to the constantly changing regulatory environment.

The Secure Controls Framework Council, a volunteer organization, publishes the SCF for free. In their words: "Our mission is to provide a powerful catalyst that will advance how cybersecurity and privacy controls are utilized at the strategic, operational and tactical layers of an organization, regardless of its size or industry."

The primary purpose of the SCF was to develop a relatively straightforward framework that encourages companies to develop systems and processes to streamline compliance efforts.

In developing the SCF, we identified and analyzed 100 statutory, regulatory and contractual frameworks. Through analyzing these thousands of requirements, we identified commonalities and this allows several thousand unique controls to be addressed by the less than 750 controls that make up the SCF. For instance, a requirement to maintain strong passwords is not unique, since it is required by dozens of frameworks. This allows one well-worded SCF control to address multiple requirements.

At the time of this article's publication, there are 999 SCF controls, laid out across 32 domains. The list of controls provides a comprehensive guide for orchestrating a centralized, organized approach to compliance, linking each SCF control to the specific section(s) of the 162 potential compliance frameworks they pertain to.

Put another way, the SCF is a sort of Rosetta Stone for compliance frameworks. By addressing and documenting each SCF control, your organization will be able to quickly respond to questionnaires and audits across 162 compliance frameworks. More importantly, it can catalyze an open and ongoing process in your organization around privacy and cybersecurity frameworks.

Beyond the Secure Controls Framework

Trustpage is working toward a future where your company's compliance efforts aren't simply a checkbox; they're a part of an ongoing framework of trust that endears you to your customers—much like the SCF. We want to take data privacy and security from a compliance-based paradigm to one that is based upon trust.

From our founder, Chase Lee:

It is time we realize that trust is not a cost center but an asset, and we need to create the incentives necessary to align profits with protecting data. Before we crumple under the massive weight of cybercrime we must create a race to the top for security among businesses.

Compliance is just one aspect of a comprehensive InfoSec program. Here at Trustpage, we want to take your investments toward being trustworthy and display them in order to foster a trust relationship with your customers, and beyond.

Sign up to claim your Trust Center today for free.

Mitch Kuchenberg

By: Mitch Kuchenberg

Mitch is a Senior Data Engineer Trustpage. After work, you can find him at the climbing gym or sweating it out on a long run. He lives in Southeast Michigan.