SCF 2023.3.1
securecontrolsframework released this 19 Sep 22:05 · 12 commits to main since this release
Version 2023.3.1 errata (minor corrections):
- AST-01 - 2023.3.1 - added Article 21.2(i) for NIS 2 and 2.0 for CIS 8.0
- AST-02 - 2023.3.1 - added 2.0 for CIS 8.0
- MON-02 - 2023.3.1 - updated CIS 8.0 (typo correction: 12.1 to 13.1)
- IAC-01 - 2023.3.1 - added Article 21.2(i) for NIS 2
Version 2023.3 represents a minor update.
Added mappings:
- Australia Essential Eight
- Canada OSFI B-13
- Cybersecurity Maturity Model Certification (CMMC) 2.1 (draft release)
- EU-US Data Privacy Framework
- European Banking Authority (EBA) Guidelines on ICT and security risk management
- FedRAMP R5
- Kenya DPA 2019
- MITRE ATT&CK
- Nigeria DPR 2019
- NIS2
- NIST CSF v2.0 Initial Public Draft (IPD)
- NSTC NSPM-33
- PCI DSS Self-Assessment Questionnaires (SAQs)
- Qatar PDPPL
- Saudi Arabia SACS-002
- SEC Cybersecurity Rule
- Serbia 87/2018
- SWIFT CSF 2023
- UN R155
- UK CAP 1850
Wordsmithing controls:
- BCD-10.3 - Provider Contingency Plan
- CHG-06 - Cybersecurity Functionality Verification
- PRI-15 - Register As A Data Controller and/or Data Processor
- RSK-01.3 - Risk Tolerance
- RSK-01.4 - Risk Threshold
- SEA-07.1 - Technology Lifecycle Management
- SAT-03 - Role-Based Cybersecurity & Data Privacy Training
- TDA-02.4 - Pre-Established Secure Configurations
- TDA-12 - Customized Development of Critical Components
- TDA-17 - Unsupported Systems
- TPM-04.3 - Conflict of Interests
Renamed controls:
- GOV-01 - Cybersecurity & Data Protection Governance Program
- GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
- CHG-02.3 - Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes
- CPL-02 - Cybersecurity & Data Privacy Controls Oversight
- CPL-03 - Cybersecurity & Data Privacy Assessments
- CPL-03.2 - Functional Review Of Cybersecurity & Data Privacy Controls
- CRY-10 - Transmission of Cybersecurity & Data Privacy Attributes
- DCH-05 - Cybersecurity & Data Privacy Attributes
- DCH-23.6 - Differential Data Privacy
- HRS-13.2 - Identify Vital Cybersecurity & Data Privacy Staff
- HRS-13.3 - Establish Redundancy for Vital Cybersecurity & Data Privacy Staff
- IRO-02.4 - Incident Classification & Prioritization
- PRI-01.3 - Dissemination of Data Privacy Program Information
- PRI-07.1 - Data Privacy Requirements for Contractors & Service Providers
- PRI-14 - Data Privacy Records & Reporting
- PRI-15 - Register As A Data Controller and/or Data Processor
- PRI-17.1 - Conspicuous Link To Data Privacy Notice
- PRM-01 - Cybersecurity & Data Privacy Portfolio Management
- PRM-02 - Cybersecurity & Data Privacy Resource Management
- PRM-04 - Cybersecurity & Data Privacy In Project Management
- PRM-05 - Cybersecurity & Data Privacy Requirements Definition
- SAT-01 - Cybersecurity & Data Privacy-Minded Workforce
- SAT-02 - Cybersecurity & Data Privacy Awareness Training
- SAT-03 - Role-Based Cybersecurity & Data Privacy Training
- SAT-03.4 - Vendor Cybersecurity & Data Privacy Training
- SAT-03.7 - Continuing Professional Education (CPE) - Cybersecurity & Data Privacy Personnel
- SAT-04 - Cybersecurity & Data Privacy Training Records
- TDA-02.4 - Pre-Established Secure Configurations
- TDA-02.7 - Cybersecurity & Data Privacy Representatives For Product Changes
- TDA-09 - Cybersecurity & Data Privacy Testing Throughout Development