Introducing the SPENCER Framework: A Framework for Maintaining Digital Trust

In the ever-evolving digital landscape, the need for a robust framework that ensures digital trust and cybersecurity has become paramount. The SPENCER Framework is here to meet this demand and is set to revolutionize the way we approach the security and trustworthiness of our digital systems. In this blog post we’ll introduce you to the SPENCER Framework, its core components, and how it can shape a more secure digital future.

What is the SPENCER Framework?

Originally, the concept for what is now the SPENCER Framework started out due to practical necessity in order to ensure small-businesses could balance performance and conformance in a manner which considered both business needs with Information Technology, while at the same time attempting to identify the various risks to enterprise security.  As illustrated below, this canvas model would be used to allow the rapid identification of impacts, based on various elements of an organization.

The SPENCER Framework has since been further developed to act as a starting point for maintaining Digital Trust – which requires a collaboration between Business and Information Technology.  The initial framework started off as a modeling canvas and has since turned into comprehensive and adaptive approach to digital trust and cybersecurity. It’s designed to address the multifaceted challenges that modern organizations and individuals face in safeguarding their digital assets and maintaining trust in the digital realm. The name “SPENCER” stands for Security, Privacy, Ethics, Non-Invasiveness, Compliance, Education and Reporting, which are the core pillars of this innovative framework.

The Core Components of the SPENCER Framework

Designed initially with privacy, information and cybersecurity in mind and the need to align with business, the canvas model balanced needs of the business with Information Technology capabilities. 

The canvas has since morphed into a framework built out of necessity to support our clients practically.

Security Measures – At the heart of the SPENCER Framework is the commitment to robust security measures. This component encompasses the technical safeguards, risk assessments, and threat mitigation strategies that protect your digital assets from cyber threats.

Privacy Protection – Privacy is a fundamental right in the digital age. SPENCER ensures that data protection, user consent, and transparency are at the forefront of all digital interactions.

Ethical Behavior – SPENCER strives to ensure the highest ethical standards in the digital realm are identified, maintained and aligned. It encourages organizations and individuals to embrace ethical behavior in their digital practices, ensuring fairness and accountability.

Non-Invasive Practices – Intrusive and invasive practices erode trust. The SPENCER Framework promotes non-invasive methods, prioritizing user-friendly experiences without compromising security.

Compliance & Accountability – SPENCER emphasizes the importance of compliance with regulations and accountability for data handling. This component ensures that organizations adhere to the highest standards of legal and ethical conduct.

Education & Training – Education is key to strengthening the digital defense. The SPENCER Framework encourages ongoing education and training to ensure that individuals and organizations are equipped to face evolving threats.

Regular Auditing & Reporting – Regular audits and reporting are the foundation of transparency and accountability. This component ensures that all stakeholders have a clear view of an organization’s digital trust posture.

Why SPENCER Matters

The digital landscape is rife with cyber threats, data breaches, and privacy concerns. Every individual and organization must actively participate in maintaining digital trust. The SPENCER Framework offers a holistic approach that empowers you to do just that.

In adopting the SPENCER Framework, you can:

  • Strengthen your organization’s cybersecurity posture.
  • Build and maintain trust with your customers and partners.
  • Ensure ethical behavior in digital interactions.
  • Embrace non-invasive practices that prioritize user comfort.
  • Stay compliant with evolving data protection regulations.
  • Invest in education and training to keep your digital workforce well-prepared.
  • Demonstrate transparency through regular audits and reporting.


The SPENCER Framework represents a transformative approach to digital trust and cybersecurity. It’s a call to action for organizations and individuals to prioritize security, privacy, ethics, non-invasiveness, compliance, education, and transparency in their digital practices.

By adopting and integrating these core components into your digital strategy, you’ll be better equipped to navigate the challenges of the digital age, protect your assets, and maintain the trust of those you interact with. The SPENCER Framework is not just a framework; it’s a commitment to a safer, more secure digital future for all. Stay tuned for more in-depth explorations of each SPENCER component in future blog posts. Together, we can shape a digital world we can trust.

Use this framework guide to transform your Digital Trust

SPENCER Framework

Do you use any data loss prevention products as part of your compliance/security program?

The Driver Behind This

Regulated and sensitive information can leave your environment quicker than you realize. Data loss prevention (DLP) systems can prevent this information from leaving your control in unauthorized manners. Whether that’s from an employee copying the information to take it so they can work from home or an adversary that has managed to infiltrate and embed in your environment – we’re talking about the insider threat.  The ability to identify this information leaving your environment is crucial.  This is being driven from a variety of regulatory and contractual requirements and you are on the hook to ensure the information you’ve been entrusted with is protected. It doesn’t matter if you’re talking about the information that has been provided by your customers, shared by your business partners or your own intellectual property – you must protect it.  Being able to detect and respond plays a major role in supporting your claims of conforming with the relevant regulatory drivers, but also in the midst of responding to an incident where you have to know and get to ground truth on what data that you’re accountable for, left your organization.

Continue reading “Do you use any data loss prevention products as part of your compliance/security program?”

What are you doing regarding threat intelligence?

Another Question to Consider: How do you get your actionable cyber threat intelligence?

The Driver Behind This

Understanding the threats you face is the first step (identification) of a Risk Management program and ultimately how the organization manages risks.  The organization’s ability to collect, process and analyze cyber threats goes a long way in protecting the organization and reducing its risk.  

Continue reading “What are you doing regarding threat intelligence?”

What are you doing regarding Identity and Access Management?

Another Question to Consider: What is the central authority that governs your active directory domains?

The Driver Behind This

Identity (and by extension access) is at the center of not only security, but compliance as well.  The way your organization manages users is critical, now more than ever.   The way your organization protects authorized identities, ensures policy compliance, and provisions access to sensitive/regulated data all drives toward the overall organizational risk posture.  

Continue reading “What are you doing regarding Identity and Access Management?”

Are you doing Full-Packet Captures or collecting and analyzing NetFlow data?

The Driver Behind This

Full Packet Captures (FPCs) and NetFlow are probably the most important data you will need during an incident.  FPCs contain all of the data, think of them like a DVR.  FPCs record all communications over a network.  FPCs allow you to reconstruct network activity between systems, allowing you to “re-play the conversation between two systems”, which you will need (note need, not want) when an incident occurs.

Continue reading “Are you doing Full-Packet Captures or collecting and analyzing NetFlow data?”

How do you define and manage your perimeter?

The Driver Behind This

Just like the first step of avoiding a trap is knowing of its existence; the first step in protecting against something is knowing it’s there.  Knowing the variety of ways in and out of your organization’s network environment is equally important.  Those points of entry and exit NEED TO BE MANAGED AND PROTECTED TOO. While your firewall is normally the first line of defense when employing a Defense in Depth model, it should not be your only line of defense.  You should be including not only your perimeter firewall, but also applications that allow data exchanges (including APIs), X-as-a-Service providers, Wireless Access Points, mobile devices, as well as Shadow IT (i.e., Gramarly, OneDrive, DropBox).  When networks are poorly designed and architected, they will degrade other security capabilities.   Make sure the perimeter is documented (inventoried, if you will) and that it is centrally managed.  Ensure you know what data is flowing where, how it’s being exchanged, what the classification is (e.g., public, private, secret), when it’s being shared and how it gets from point A to point B. 

Continue reading “How do you define and manage your perimeter?”

How do you manage remote access?

The Driver Behind This

Single factor authentication is like locking a screen door.  Sure, you’ll keep out the small pests, but the neighbor’s German shepherd is going to get in. When an adversary gets into a network (or gets credentials from any number of data dumps), they’re going to capture credentials via any number of relatively easy methods (passive monitoring is second only to reviewing freely accessible anonymous file share).  This allows an adversary the ability to move, largely undetected, throughout the network.  If an organization is using single-factor authentication on their VPN or email, it’s not difficult to find weak passwords through password spraying.  When done properly, you’ll never see it coming. Once the adversary finds those credentials, they’re now the insider – same permissions, levels of access, read/writes on shares, databases, etc. Because compromised credentials look like, well valid credentials.

Continue reading “How do you manage remote access?”

How do you manage network traffic to and from your network?

Another question to consider: Do you allow anything in your network to talk directly to the Internet?

The Driver Behind This

Systems that can communicate directly to the Internet in 2020 are just asking for problems.  This means that those systems can bypass all the safeguards and countermeasures (you know, the controls management has invested in to prevent attacks?) that would otherwise provide and enforce proper monitoring in addition to the ability to effectively identify and respond should a system be compromised.  This also opens the organization with additional liability if they fail to screen out harassing content.  So, in addition to the added liability, what else? Well, as it turns out adversaries LOVE this type of setup.  It’s like finding that $100 bill in your winter coat that you forgot about or finding that scratch off ticket you thought was for a $100 really was really for $10K.   Why do they like it you ask?  Well remember when we said, “this means that those systems can bypass all the safeguards and countermeasures”?  We’ll wait for you to finish processing that thought, because while you’re thinking about all those systems that may be able to connect directly to the Internet, just keep in mind the adversary isn’t having to deal with all those pesky defenses.

Continue reading “How do you manage network traffic to and from your network?”

How will your organization respond when sensitive or regulated data is lost/stolen/ransomed?

Another question to consider: Is there a clear plan for response, including incident and crisis communication?

The Driver Behind This

Incidents are going to happen, it’s not a matter of if but when.  Whether it’s a result of you being placed in the crosshairs by a sophisticated adversary or an employee who has a laptop with personal information stolen out of their locker while at the gym, the organization’s leadership must be engaged.  Understand, this is not an IT function, this is a joint effort and means having the appropriate authoritative representatives available and ready.  Ensure general counsel is engaged to address any regulatory or privacy implications, the corporate communications lead is effectively communicating with the media and identified staff are sufficiently trained to answer questions from concerned customers. Engage with the appropriate team members from IT Operations, Information & Cybersecurity to understand what happened from the technical aspect; as well as internal audit teams to understand what control weakness allowed the incident to occur in the first place.   Based on the type of breach, you may have to notify third parties such as Attorney Generals, specific payment card brands (e.g., Visa, MasterCard) or a federal agency (i.e., Department of Health and Human Services).

Continue reading “How will your organization respond when sensitive or regulated data is lost/stolen/ransomed?”

Who has access to our systems?

Other questions to consider: How do we identify who has access? After third parties have access, how quickly can we sever access to our systems and data?

The Driver Behind This

This expands on the previous question from the last post, adding additional granularity to the matter.  Specifically, which third parties have access to regulated/sensitive data your organization has been entrusted with?  This includes everything from cloud applications to service providers (e.g., HRIS, ERP, CRM systems).  It doesn’t matter if the system is onsite managed by a third party (i.e., HVAC system) or hosted offsite (i.e., Amazon Web Services), you need to know who has access to your data (and why?). Accept that an adversary will consider all available attack vectors, to include your providers, business partners and vendors. These are common attack vectors used to gain access to systems as they advance on their objectives.

Continue reading “Who has access to our systems?”