Connect with us

Hi, what are you looking for?


CISO Strategy

Equifax Releases Security and Privacy Controls Framework  

Equifax released its security and privacy controls framework to provide a public blueprint to help organizations to build or enhance their own cybersecurity programs.

Credit reporting agency Equifax on Wednesday released its security and privacy controls framework to provide a public blueprint to help organizations to build or enhance their own cybersecurity programs.

The framework, released as open-source,  provides tools that can be used by businesses large and small to design, build and maintain secure processes, Equifax said.

Equifax Chief Information Security Officer (CISO) Jamil Farshchi said the framework was created as part of the company’s $1.5 billion investment into a security transformation that followed a massive data breach in 2017 that exposed personal data from approximately 147 million people.

In a 2022 post-breach settlement with the FTC, Equifax was ordered to spend $1 billion on data security improvements.

“Over the course of several years, we’ve made unprecedented investments in our cybersecurity, and now, we’re open sourcing our security and privacy controls framework to help other organizations who need it,” said Russ Ayres, Senior Vice President, Security Architecture and Engineering at Equifax. 

“The framework we’ve created is comprehensive enough to protect an entire organization and has the specificity to ensure that it can be implemented swiftly and effectively.”

The company said the five core capabilities within the framework — cybersecurity, privacy, fraud prevention, crisis management and physical security — matches the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) and Privacy Framework (NIST PF) and support a comprehensive, defense-in-depth approach to security and privacy.  

Advertisement. Scroll to continue reading.

Farshchi said the newly released framework has served as the basis for nearly every improvement made by Equifax  in security and privacy. “It was the mechanism we used to establish our strategic priorities, assess risk across our enterprise, navigate regulatory requirements, and drive progress,” he added.

Related: 143 Million Affected in Hack of U.S. Credit Agency Equifax

Related: Equifax Ordered to Spend $1 Billion on Data Security 

Related: Equifax CEO Steps Down After Massive Data Breach

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

CISO Conversations

U.S. Marine Corps and SAIC CISOs Discuss the Differences Between Government and Private Industry

CISO Conversations

SecurityWeek examines the role of the virtual CISO in a conversation with Chris Bedel and Greg Schaffer.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

In this edition of CISO Conversations, SecurityWeek talked to two vendor CISOs: Chris Morales, CISO at security and analytics firm Netenrich; and Laura Whitt-Winyard,...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Conversations

While the BISO might appear to be a new role, it is not – and understanding its past provides insights into its present.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...