The Standard
Control Domains
OFDSS covers 79 individual security requirements across 13 control domains, each addressing a critical area of data security for cloud-native financial services.
1. Resource Allocation
Ensures that adequate resources—personnel, budget, and tools—are allocated to information security. This domain establishes the foundation for a strong security program by requiring organizational commitment.
2. Asset Management
Covers the identification, classification, and management of information assets. Companies must maintain an inventory of assets and understand the sensitivity of data they handle.
3. Access Controls
Addresses authentication, authorization, and access management. This includes user provisioning, multi-factor authentication, role-based access control, and the principle of least privilege.
4. Change Controls
Establishes requirements for managing changes to systems and applications. This domain ensures that changes are reviewed, tested, and approved before deployment to production.
5. Software Development Life Cycle (SDLC)
Covers secure software development practices, including code review, security testing, and vulnerability management throughout the development process.
6. Cryptography
Addresses the use of encryption to protect data at rest and in transit. This includes key management practices, encryption standards, and certificate management.
7. Data Minimization
Ensures that companies collect, process, and retain only the minimum amount of data necessary. This domain aligns with privacy principles and regulatory requirements.
8. Auditing and Alerting
Covers logging, monitoring, and alerting capabilities. Companies must maintain audit logs, monitor for security events, and have alerting mechanisms for suspicious activity.
9. Incident Management
Establishes requirements for detecting, responding to, and recovering from security incidents. This includes incident response plans, communication procedures, and post-incident review.
10. Network Security
Addresses network architecture, segmentation, and protection. This includes firewall management, network monitoring, and secure network design principles.
11. Awareness and Training
Covers security awareness and training programs for employees. Companies must ensure that staff understand their security responsibilities and are trained on current threats.
12. Vendor Management
Addresses the security requirements for third-party vendors and service providers. Companies must assess vendor security practices and manage vendor risk.
13. Independent Testing
Requires regular independent security testing, including penetration testing and vulnerability assessments. This domain ensures that security controls are validated by qualified third parties.
Summary
| # | Domain | Focus Area |
|---|---|---|
| 1 | Resource Allocation | Organizational commitment |
| 2 | Asset Management | Data classification & inventory |
| 3 | Access Controls | Authentication & authorization |
| 4 | Change Controls | Change management processes |
| 5 | SDLC | Secure development practices |
| 6 | Cryptography | Encryption & key management |
| 7 | Data Minimization | Privacy & data handling |
| 8 | Auditing and Alerting | Monitoring & logging |
| 9 | Incident Management | Response & recovery |
| 10 | Network Security | Architecture & segmentation |
| 11 | Awareness and Training | Employee education |
| 12 | Vendor Management | Third-party risk |
| 13 | Independent Testing | External validation |