Saturday, June 6, 2026

Security Frameworks SF - 0.00.0 - intro and ToC


(You can thank the Technology Forum of the Chartered Professional Accountants of British Columbia for this one.  They asked me to do a presentation, and chose the Security Frameworks presentation [that I hadn't done in a while], which reminded me that I had never dictated the text and resources of this presentation out in full.  So, here it is.)

Security frameworks is a rather vague description, and advisedly so.  That is because there are so many different options in terms of security frameworks: so many different types of security frameworks.  All of them have advice or guidance that can be used to improve your security situation or processes.  None of them, unfortunately, are a one-size-fits-all perfect standard for the creation of a security program.

An awful lot of security frameworks are guidelines, or guidance, towards improving your security posture.  Some stick to the basic principles of security, reminding you of areas which you need to examine.  A number of the frameworks will be standards, of one type or another.  Some of them are fairly generic standards, and so it's hard to distinguish them from guidelines and principles.  However, others are standards for particular operations or systems, such as the data security standards specifically for the payment card industry.

Some of the frameworks are actual frameworks, and are either structures, or breakdown structures, for examining your existing Enterprise and the security operations and processes within it.

There are a number of security frameworks which basically consist of checklists.  I tend to refer to the checklist style of frameworks as the "135 checklists," since, for whatever reason, most of them have approximately 135 items in the checklist.  There can be a bit of leeway with a few items either more or less, but it has been astounding, over the years, how many of these checklists clock in very close to the 135 item number.  A number of the checklist frameworks either originated as, or have been folded into, software of some type, so that the software will walk you through the items on the checklist, and allow you to determine which of these items you have, and which you should examine for inclusion in your own security systems.

A number of the security frameworks will style themselves as either a collection of "best practice" items, or the "gold standard" in security frameworks.  Best practice tends to be the gold standard in terms of a buzz phrase for getting someone to buy into your framework, while gold standard tends to be the best practice in terms of convincing people that your framework is the top of the line.

Some of the security frameworks are targeted at a specific process, even though they may provide guidance for security as a whole.  Sometimes these particular security standards are audit guidelines or outlines.  Some security frameworks result from legislation or regulation mandated by the government.  Some are reporting standards for a particular industry or a particular process.  Finally, there are certain security frameworks that relate to product evaluation.

As noted, all of these frameworks can provide you with guidance in a number of areas.  Unfortunately, none of them are able to provide you with a perfect security situation all on their own.  It is important to know the range and variety of security frameworks so that you can choose a security framework which will complement your existing security situation, and provide you with the greatest opportunity for improvement of your security situation.

In a number of these reference articles I will be including links to certain portions of the full CISSP workshop, which also functions as an introduction to the field of information technology in general.  This link is to the video on security frameworks.


Security frameworks (SF) series:
Introduction and ToC: https://fibrecookery.blogspot.com/2026/06/security-frameworks-sf-0000-intro-and.html (this one)
