SCF Framework implementations

Veeresh468
Tera Contributor

I am currently exploring the implementation of the Secure Controls Framework (SCF) in our organization. While conducting my research, I came across the authoritative sources and control objectives on the official SCF website (https://securecontrolsframework.com/scf-download/).

I am reaching out to inquire if anyone in your organization has experience with implementing the SCF framework. I am particularly interested in learning about practical insights, challenges faced, and best practices associated with the implementation process.

Additionally, as I am compiling relevant information for my research, I would like to ensure that proper citations are included in my documentation. Could you please guide me on where I can find more details and citations related to the SCF framework? Any recommended publications, whitepapers, or authoritative sources would be greatly appreciated.

Thank you in advance for your time and assistance.

1 ACCEPTED SOLUTION

Community Alums
Not applicable

Hi @Veeresh468 ,

To answer your question, we can use both ServiceNow support free SCF (Secure Controls Framework) and UCF (Unified Compliance Framework).

SCF is generally for the control objectives and policies which already exist at your company; you can create the entity scoping and others and start using SCF. However, UCF is an external body, and Unified Compliance is the integration of processes and tools to aggregate and harmonize all compliance requirements applicable to an organization. It is the world’s largest library database of interconnected compliance documents and the world’s only commercially available Common Controls framework, which helps you with Authority documents and citations. Also, once you have UCF integrated, it will help you to create the policies, controls, etc. automatically.

Only using SCF won't give you Authority documents!!

ServiceNow supports UCF integration using the UCF spoke.

Refer to this video to understand the importance of UCF: https://community.servicenow.com/community?id=community_article&sys_id=d4146efbdbc68c102be0a851ca961...

5 REPLIES

marknyquist
Tera Expert

We use the SCF framework and really appreciate the flexibility. It's straightforward to import and even update through transform maps. From an authority doc / citation standpoint, you'd need to create those manually, but I'd argue that curating the few frameworks you need to comply with is time better spent than trying to demonstrate compliance to frameworks that don't have relevance to you via someone else's mapping. The effort to map citations is not that great and gives you the opportunity to determine if the mapping fits your use of the control. Hope that helps! 

Sebastien Fix
Giga Guru

Like any mapping out there, you need to make a QA and see if you are comfortable with it. UCF costs 10kUSD/year and is far from flawless.


SCF looks decent 🙂

You can check this one from AuditScripts called AuditScripts Critical Security Controls Master Mapping

source page: https://www.auditscripts.com/free-resources/critical-security-controls/


UCF (if I recall) provides citations but with the same content as the COs. So you can do the same things in a few minutes if you want to 🙂

rishDabh
Tera Contributor

Hi Veer,

I am going to use SCF in my project, but I am not getting the exact process of how to implement this in ServiceNow.

Can you please share the process of SCF implementation into ServiceNow?