Security Management Framework Requirements
Security Framework Requirements
In thinking about a universal security management framework, a set of evaluation criteria was considered:
Security Services, not Technical Solutions: the framework must emphasize security services rather than technical solutions. Security services consider the technical solution plus the processes and people needed to ensure the correct operation of security controls. Frameworks built around technical solutions can result in products being sold without consideration of the effort necessary to correctly implement a solution and to continue to run it securely.
Business Risk, not Vulnerabilities: the framework must focus on the business risk and the impact to the business. Some models focus more on the theoretical vulnerabilities of technical solutions than on the actual risk to the business. This introduces a tendency to sell solutions that address vulnerabilities where the risk to the business is either unlikely or would have little impact.
Appropriate Levels of Trust: the framework must be flexible enough to describe a range of solutions. It must allow varying levels of security to support the appropriate business needs and risks.
Acceptance of Risk Appetite: the framework must be able to describe a less than optimal technical solution that results from a purposeful balance between the level of service, the risk to the business and the cost or affordability of the solution.
Business Organisation: the framework must be able to describe how the organisation of a business relates to the delivery of security.
Security Operational and Development Processes: the framework must be able to describe the security processes required to support the development and operation of security.
Security Management and Technology Management: some frameworks discuss security management in the context of managing technical solutions such as identity management, but they do not consider the linkage to the technology management controls that support the successful implementation of the security controls. Processes such as asset management and change management are often not considered.
Integration of Business Needs with Technology: information security is about protecting the business processes and information assets that support the services a business delivers. The framework needs to integrate the needs of the business with the technology used to deliver business products and services through business applications. The technology needs to meet the needs of the business and its operational risk policy.
Common Language: security professionals need to communicate their needs to other business and IT professionals. The framework should use terminology that those professionals will recognise and understand; otherwise the business and IT professionals involved in the delivery will switch off very quickly.
Perspectives: the framework must be able to show different models for the different perspectives that could be used to represent security.
Complete, Comprehensive and Extensible: the framework must be able to cope with the introduction of new technical solutions, processes and business applications.
These factors were considered in the selection of a framework for security models.