Blogpost

SIG And SCF: Mapping Strong Connections

Shared Assessments is pleased to announce that the Standard Information Gathering Questionnaire (SIG) mapping is now incorporated into the Secure Controls Framework (SCF) catalog of controls. This was a collaborative endeavor between Shared Assessments and the SCF.

Benefit of Using SCF Alongside the SIG

Users of the Shared Assessments SIG will now be able to map directly to SCF’s comprehensive controls catalog & mappings using questions in the SIG. This collaboration expands the SIG library related to third party risk management.

How will users access this new functionality?

When using the SCF, users of the Shared Assessments SIG will be able to see how questions within the SIG map to authoritative sources and related regulatory guidelines or standards. The SCF can be downloaded here. 

By viewing the “Authoritative Sources” tab in the SCF, users can browse through columns of national and international authorities and corresponding regulations. Within these columns, rows contain the exact question numbers within the SIG.

Users can also cross-reference SCF’s control questions with SIG control questions. In this way, the SCF serves as a translation table.

What authoritative sources and regulatory guidelines/standards are connected by the SCF to the SIG?

Notable national authoritative sources and related guidelines/standards include:

  • PCI Security Standards2
  • OWASP Top 10 v2017
  • NIST 800-171A and NIST 900-171 rev 2
  • US Cert RMM v1.2
  • US DOJ/FBI Cert RMM v1.2 and US CJIS Security Policy 5.9
  • US DOD US CMMC 2.0 v1.02 Mapping (Cybersecurity Capability Maturity Model)
  • US FDA 21 CFR Part 11
  • FedRAMP.gov high, moderate, low and LI-SaaS
  • US IRS Publication 1075

Notable international authoritative sources and related guidelines/standards include:

  • EMEA EU ePrivacy and GDPR
  • EMEA Personal Data Act: Finland
  • EMEA France – 78.17/2004 8021
  • Hong Kong Personal Data Ordinance
  • People’s Republic of China Personal Information Protection Law

What is the Secure Controls Framework (SCF)?

The SCF stands for the Secure Controls Framework. More than an assortment of cybersecurity controls, the SCF is focused on designing, implementing and maintaining SECURE solutions to address all applicable statutory, regulatory and contractual requirements that an organization faces.

The SCF has the ambitious goal of providing free cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of its size, industry or country of origin.

The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance – we know that if you build-in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally.

What’s Coming Next?

This release is the first of two planned updates to the SCF catalog this year that will include the Shared Assessments SIG.  The second release will occur this coming fall during the 2023 Shared Assessments Third Party Risk Management Toolkit launch.

With the 2023 Third Party Risk Management Toolkit launch, we anticipate expanding the existing content library in the SIG by our traditional and vetted means using the SCF as a springboard for our alignment with authoritative sources.