Enterprise Architecture & Security Control Framework

A security program is a framework made up of many entities: logical, administrative, and physical protection mechanisms; procedures; business processes; and people that all work together to provide a protection level for an environment. Each has an important place in the framework, and if one is missing or incomplete, the whole framework may be affected. The program should work in layers: each layer provides support for the layer above it and protection for the layer below it. The mindmap below covers most of the enterprise architecture and security frameworks discussed on the CISSP exam.

The most important security planning step is to consider the overall security control framework, or structure, of the security solution the organization wants.

One can choose from several options for security concept infrastructure; however, one of the more widely used security control frameworks is Control Objectives for Information and Related Technology (COBIT). COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). COBIT is based on the five principles below:

Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

There are many other standards and guidelines for IT security. A few of these are:

  • Open Source Security Testing Methodology Manual (OSSTMM): A peer-reviewed guide for the testing and analysis of a security infrastructure
  • ISO/IEC 27002 (which replaced ISO 17799): An international standard that can be the basis of implementing organizational security and related management practices
  • Information Technology Infrastructure Library (ITIL): Initially crafted by the British government, ITIL is a set of recommended best practices for core IT security and operational processes and is often used as a starting point for the crafting of a customized IT security solution