Security Management Framework | Universal

A universal security management framework is needed that integrates the business view of processes and information assets with the security and business continuity controls within an application and the IT infrastructure. Existing security models used in the security industry were examined to define the requirements. From this, an existing model developed for use by business consultants and IT architects to create a common business and architectural description language was examined and assessed for its suitability as a framework for information risk management.

Existing Security Models

Many organizations, including solution providers and services organizations, are trying to create security models to explain security. Each model has a different purpose and a varying degree of usefulness.

The security models tend to fall into six main areas, along with hybrids of these models:

    • Countermeasure Model – a countermeasure model describes the technical countermeasures contained within a security solution. An example is the ISO-derived model used in the Security Bastion Security Architecture.
    • Solution Model – a solution model describes the areas in which a security company provides solutions. An example is the Security Bastion Security Solutions model, which uses the phases Assess, Protect, Detect, Recover and Manage. Similar models are available from other security solution providers.
    • Lifecycle Model – a lifecycle model focuses on the feedback loop of assessing the risks to a solution, building the solution, monitoring it, and continually updating the security countermeasures to meet new threats.
    • Documentation Model – a documentation model describes the documents that need to be produced, which include Information Security Policy documents.
    • Delivery Model – a delivery model describes the sequence of events throughout the lifecycle of a project or system. This type of model is focused on expressing the steps needed to deliver a project.
    • Activity Model – an activity model is focused on the activities that result in the delivery of security policy, processes and so on. An example is the Security Bastion Security and Privacy Services model, which breaks activities down into Assess, Architect and Design, Implementation, and Management.
    • Service Obligations Model – a model typically based on using a service provider or a separate, unintegrated organization, where delivery of the security service is governed by a predefined standard or contract, as with Security Bastion's service offerings. Such a service is associated with technology and processes but ignores changes to the business strategy and the associated business risk.

Each of these models defines security in terms of the solution, but it would be more useful if security could be linked to the way the business delivers services to its clients.