SCF Library Application Overview
The SCF Library application provides a unified control catalog that consolidates control definitions across 20 industry-standard compliance frameworks. These controls are derived from the Secure Controls Framework (SCF) and serve as the system of record for defining compliance requirements across domains such as data privacy, risk management, vulnerability management, and more. Each SCF Library record represents a single framework-agnostic control and includes both read-only metadata and editable, organization-specific implementation fields.

Once the desired frameworks are chosen, the solution populates a unified control catalog that encompasses all mapped controls for each selected framework. Each unified control is stored in an SCF Library record. These framework-agnostic controls are the source of truth for external compliance guidance and come pre-populated from the SCF data.

Read-only fields

SCF Library records include the following read-only fields to maintain the integrity and accuracy of the control catalog.

SCF #: ID of the global control. This is the key value that maps to all other compliance frameworks.
SCF Control: The title of the SCF control.
SCF Domain: The security area that the control covers. Controls span 33 domains (data privacy, risk management, and so on).
SCF Control Description: The description of the SCF control.
SCF Control Question: A question that the control information should answer.
Relative Control Weighting (number): The relative weighting assigned by the SCF to each control.
Total Mapped Framework Controls (number): The sum of all framework-specific controls that the global control maps to.
SCRM Focus (multi-selection): Supply chain risk management focus. Values: Tactical; Operational (day-to-day activities); Strategic (long-term planning).
PPTDF Applicability (single selection): Value from the NIST CSF: People, Processes, Data, Facilities, Technology.
NIST CSF Function: The grouping control function from the NIST Cybersecurity Framework 2.0: Identify, Protect, Detect, Respond, Recover, Govern.

Editable fields

SCF Library records also have editable fields used to describe how the organization implements the control. The following are the editable fields.

How we perform the control? (rich text box): A write-up of how the control is performed. Users may include as much detail as they want in this field, including hyperlinks to an external knowledge base or other resource.
Control Scope (single select): In Scope, Out of Scope. Note: if the "Out of Scope" value is selected, an additional field called Out of Scope Rationale populates in the record and becomes mandatory, to explain why the control is excluded from scope.
Control Status (single select): Not Started, In Progress, Ready.
Control Type (single select): Administrative, Technical, Physical, Linked.
Control Frequency (single select): Continuous, Ad Hoc, Hourly, Daily, Weekly, Monthly, Quarterly, Bi-annually, Annually.
Control Automation (single select): Automated, Manual.
Control Owner: This field is organization-specific, as it identifies the team or individuals in the organization responsible for implementing the control. For more information on how to configure this field, see "How to use the SCF Library application" below.

How to use the SCF Library application

Each SCF Library record guides users through a structured process to ensure complete documentation and traceability of compliance controls.

Step 1: Assign the control owner. Populate the Control Owner field with the email address of the stakeholder accountable for maintaining the control.

Step 2: Answer the control question. Use the SCF Control Answer field to describe the organization's approach to satisfying the control's intent. Include procedural, technical, or policy-based details.

Step 3: Set the control metadata. Update the following fields to reflect your organization's implementation status: Control Scope (in/out of scope), Control Status (for example, Not Started, Ready), Control Frequency, and Control Automation. This data feeds directly into SCF reporting and determines readiness scoring across frameworks.

Step 4: Manage and update referenced evidence. If applicable, link evidence records via the Referenced Evidence section at the bottom of the record. You can associate one or more SCF Evidence records (for example, SCFE 200, SCFE 212) that support the implementation claim.
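The editable fields above are picklists plus one conditional rule (Out of Scope Rationale becomes mandatory when Control Scope is "Out of Scope"), which is exactly what goes wrong in a bulk import or a scripted update. The following is an added example, not Swimlane's own validation logic and not part of the SCF data: a pre-import check over records represented as Python dicts keyed by the field names listed above (that key layout, the placeholder "SCF #" values, and the loose email pattern for Control Owner are assumptions of the example).

```python
"""Pre-import validation of SCF Library editable fields.

Added example, not Swimlane's code. Assumes each record is a dict keyed by the
field names shown on this page (an assumed layout; adjust to your export).
"""
import re
from typing import Dict, List

# Picklist values as listed in the "Editable fields" section above.
PICKLISTS = {
    "Control Scope": {"In Scope", "Out of Scope"},
    "Control Status": {"Not Started", "In Progress", "Ready"},
    "Control Type": {"Administrative", "Technical", "Physical", "Linked"},
    "Control Frequency": {"Continuous", "Ad Hoc", "Hourly", "Daily", "Weekly",
                          "Monthly", "Quarterly", "Bi-annually", "Annually"},
    "Control Automation": {"Automated", "Manual"},
}

# Step 1 says Control Owner holds an email address. This is a deliberately
# loose sanity pattern (assumption), not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_record(rec: Dict) -> List[str]:
    """Return the list of problems found in one record (empty means valid)."""
    problems: List[str] = []
    scf_id = rec.get("SCF #", "<no SCF #>")

    # 1. Every single-select field must hold one of its picklist values.
    for field, allowed in PICKLISTS.items():
        value = rec.get(field)
        if value not in allowed:
            problems.append(f"{scf_id}: {field}={value!r} not in {sorted(allowed)}")

    # 2. Conditional mandatory field: rationale is required only when the
    #    control is taken out of scope.
    rationale = (rec.get("Out of Scope Rationale") or "").strip()
    if rec.get("Control Scope") == "Out of Scope" and not rationale:
        problems.append(f"{scf_id}: Out of Scope Rationale is mandatory when "
                        f"Control Scope is 'Out of Scope'")

    # 3. Control Owner should be an email address (Step 1).
    owner = rec.get("Control Owner") or ""
    if not EMAIL_RE.match(owner):
        problems.append(f"{scf_id}: Control Owner {owner!r} is not an email address")

    return problems


def validate_batch(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each record's SCF # to its list of problems."""
    return {rec.get("SCF #"): validate_record(rec) for rec in records}


# Constructed sample records; the SCF # values are placeholders, not SCF IDs.
SAMPLE_RECORDS = [
    {"SCF #": "CTRL-1", "Control Scope": "In Scope", "Control Status": "Ready",
     "Control Type": "Technical", "Control Frequency": "Continuous",
     "Control Automation": "Automated", "Control Owner": "secops@example.com"},
    # Out of scope but no rationale supplied: one problem.
    {"SCF #": "CTRL-2", "Control Scope": "Out of Scope", "Control Status": "Not Started",
     "Control Type": "Physical", "Control Frequency": "Annually",
     "Control Automation": "Manual", "Control Owner": "facilities@example.com"},
    # Bad status, misspelled frequency, owner is not an email: three problems.
    {"SCF #": "CTRL-3", "Control Scope": "In Scope", "Control Status": "Done",
     "Control Type": "Administrative", "Control Frequency": "Biannually",
     "Control Automation": "Manual", "Control Owner": "grc team"},
]

if __name__ == "__main__":
    for scf_id, problems in validate_batch(SAMPLE_RECORDS).items():
        print(scf_id, "OK" if not problems else problems)
```

Run the check on an export before loading records back into the application; a record that fails the rationale rule would otherwise be rejected by the mandatory field at save time, and a misspelled picklist value would silently miss the report filters that readiness scoring relies on.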