Aligning security standards and compliance strategies with frequently changing cybersecurity laws and regulations is challenging for most organizations. Especially when achieving compliance with the many existing requirements is already a time-consuming, resource-heavy process.
The Adobe Tech GRC Team developed the Common Controls Framework (CCF) to support organizations’ ongoing compliance efforts. The Adobe CCF consolidates popular industry-accepted best practices, standards, regulations, and security certifications into a single compliance framework, providing better visibility of overall security compliance.
Besides the CCF Adobe is well known for its products such as Adobe Illustrator, Adobe Photoshop, and Adobe Express.
This article explains the Adobe CCF’s structure and how to implement it in your organization.
What is the Adobe Common Controls Framework?
The Adobe Common Controls Framework (CCF) is a foundational framework of security processes and controls. Adobe first developed the CCF to help protect its infrastructure, applications, and services and to maintain compliance with industry standards and requirements.
The CCF was originally used by Adobe’s product operations and engineering teams. Adobe has now made the framework open source to help risk management teams from any organization.
The Adobe CCF consolidates more than 1,350 requirements from 13 recognized standards specific to Adobe into 288 Control Requirements (CRs), spanning 21 Control Domains.
Which Industry Standards Map to Adobe CCF?
Adobe CCF maps security controls to over ten industry standards, including:
- ISO 27001
- ISO 22301
- PCI DSS
- NIST CSF
- GLBA
- FERPA
- HIPAA Security Rule
- GDPR
- Privacy Shield
- SOX
- HITRUST
- SOC 2 (AICPA TSC A, C, and CC)
- FedRAMP Tailored
- BSI C5
- Information Security Registered Assessors Program (iRAP)
- Spain Esquema Nacional de Seguridad (Spanish ENS)
What are the Adobe CCF’s Control Requirements and Domains?
The 288 CCF controls are split across 21 domains:
- Asset Management - 11 Controls
- Business Continuity - 5 Controls
- Backup Management - 5 Controls
- Configuration Management - 15 Controls
- Change Management - 6 Controls
- Data Management - 32 Controls
- Entity Management - 49 Controls
- Identity and Access Management - 49 Controls
- Incident Response - 9 Controls
- Mobile Device Management - 4 Controls
- Network Operations - 19 Controls
- People Resources - 6 Controls
- Risk Management - 8 Controls
- System Design Documentation - 3 Controls
- Security Governance - 23 Controls
- Service Lifecycle - 7 Controls
- Systems Monitoring - 30 Controls
- Site Operations - 16 Controls
- Training and Awareness - 6 Controls
- Third-Party Management - 13 Controls
- Vulnerability Management - 21 Controls
The Adobe Common Controls Framework is available at adobe.com, along with a whitepaper about how Adobe secures its digital experiences using the CCF.
Benefits of Adobe CCF Controls Mapping
Risk and compliance teams can benefit from control mapping in their enterprise risk management (ERM) initiatives.
Cybersecurity risk is just one of several risks included in an ERM program. Further, there are many subsets of security risk, such as data security, network security, cloud security, and remediation processes. Organizations must implement, maintain, and review all of these requirements on top of the other types of risks included in their ERM framework.
Control mapping allows organizations to quickly identify the high-level needs of their cybersecurity programs, providing ERM committees with a baseline of standards for aligning risk management with broader business objectives.
How To Implement the Adobe Common Control Framework
1. Understand Your Compliance Requirements
Every industry has different legal and regulatory requirements. For example, healthcare organizations and financial institutions face much stricter cybersecurity standards than most industries.
Organizations must first identify all their compliance requirements to prevent double-handling during the control mapping process. From here, you can customize the Adobe CCF to add or remove your specific compliance requirements.
2. Create a Single Source of Truth for Risk and Control Data
All industries must comply with several cyber laws and regulations. Centralizing risk and control data is crucial to ensuring the mapping process is accurate and efficient. Using an automated platform is the best way to aggregate data into a single source of truth.
How UpGuard Can Help
UpGuard’s Risk Profile dashboard provides a high-level summary of your organization’s security posture and cyber risks from six different categories to provide key insights at a glance. Learn more.
3. Map Evidence to Existing Frameworks
Your organization likely already has an industry framework in place, such as NIST CSF and SOC 2. You can replicate the evidence used against these frameworks to map to Adobe CCF’s controls and identify areas of compliance.
You must also ensure your vendors also comply with the relevant laws or regulations, or you will likely face non-compliance. With most organizations having hundreds or thousands of service providers, managing manual security questionnaires processes a complicated an unscalable approach to proper Third-Party Risk Management.
How UpGuard Can Help
UpGuard offers a library of pre-built security questionnaires for recognized security frameworks, including ISO 27001 and NIST CSF. UpGuard's Compliance Reporting feature can map your vendors’ compliance against these standards.
Take a 5-minute tour of UpGuard >
4. Identify Compliance Gaps
After mapping your organization’s internal and third-party compliance against your existing frameworks, you can now identify any areas of non-compliance. You should prioritize these risks by following the risk treatment processes outlined in your ERM program. Third-party risks may prove harder to visualize across your entire inventory but are equally important to address.
How UpGuard Can Help
UpGuard’s Vendor Risk Matrix visualizes your vendors’ risk level against their business impact, allowing you to identify and remediate risks of the most concern. Learn more.
5. Maintain Compliance with Security Requirements
Effective compliance management ensures your organization’s workflow, information security policy, and IT initiatives align with all compliance requirements. Organizations must continuously monitor the attack surface for security risks or risk falling out of compliance with requirements.
Ensure your ERM program mandates regular internal and third-party compliance audits and remediate any identified risks immediately to remain compliant.
How UpGuard Can Help
UpGuard continuously monitors the entire attack surface, including third parties, allowing you to detect and remediate vulnerabilities immediately. Learn more.