8/17/2019 Discussion 1 - Security Frameworks
Security Frameworks
Are you familiar with the age-old practice of putting spare keys under the doormat, in the belief that you are smarter than the intruders who might want to enter your house? The problem is that the moment anyone gets hold of that bunch of keys, the house is no longer secure. Guarding the house by hoping the attacker is not smart enough to think of the doormat is no protection at all: experienced attackers will always be smart enough to figure out where the spare keys are. This concept is called security through obscurity.
A technical example is vendors who believe their products are more secure than open-source products because their code ships compiled. The bad news is that attackers are motivated and equipped with sophisticated tools to reverse-engineer that code, and even without reverse-engineering they can exploit any security vulnerability in it. The proper approach to security is to make sure that the original software code does not leave room for flaws. Others believe that changing port numbers or writing in-house algorithms the attackers are not familiar with will give the organization more security, but again, attackers have many ways to decipher the supposedly secure algorithms and to find the moved ports.

The only way out is to accept that you cannot outsmart the attackers and instead build your security program on models that have been tested over the years and certified secure: security frameworks. Organizations can then plug in different types of technologies, methods, procedures and so on to achieve the level of protection their environment requires (Harris, 2013, p. 3).

The following are some examples of security frameworks, standards and industry best practices, suitable for different organizations and environments, that have yielded proven results over the years.
1. Security Program Development: e.g. ISO/IEC 27000 series.
2. Enterprise Architecture Development: e.g. Zachman, TOGAF, DoDAF, MODAF.
3. Security Enterprise Architecture Development: SABSA model.
4. Security Controls Development: CobiT, SP 800-53.
5. Corporate Governance: COSO.
6. Process Management: ITIL, Six Sigma, CMMI.
(Harris, 2013, p. [?])
1. ISO/IEC 27000 series: Also known as the ISMS family of standards, it is the standard framework

…for which the artifact was constructed (the Perspective) as well as classified by the content or subject (TOGAF, 201[?]).
3. DoDAF: The Department of Defense Architecture Framework (DoDAF) was developed so that the United States Department of Defense (DoD) could meet its military goals and to facilitate interoperability between DoD systems. It is an architecture framework (Dandashi, 200[?], p. 12).
4. MODAF: MODAF is the enterprise architecture framework developed by the British Ministry of Defence (MOD), called the Ministry of Defence Architecture Framework. According to the Ministry of Defence (2012), MODAF was developed to support defence planning and change activities. Information is captured and presented in a coherent, comprehensive and rigorous way for the complete understanding of complex issues.
5. COBIT: In 1996, the Information Systems Audit and Control Association developed a security control development framework known as Control Ob…
Bibliography
Dandashi, F. et al. (200[?]). The Open Group Architecture Framework (TOGAF) and the US Department of Defense Architecture Framework (DoDAF). The Open Group. Retrieved February 13, 201[?], from http://pubs.opengroup.org/onlinepubs/799939899/toc.pdf
Harris, S. (2013). CISSP Exam Guide. New York: McGraw Hill.
Ministry of Defence, United Kingdom. (2012). MOD Architecture Framework: Defence and Armed Forces Guidance. Retrieved February 13, 201[?], from https://www.gov.uk/guidance/mod-architecture-framework
Olzak, T. (2013). COBIT 5 for Information Security: The Underlying Principles. Retrieved February 13, 201[?], from http://www.techrepublic.com/blog/it-security/cobit-5-for-information-security-the-underlying-principles/
TOGAF (201[?]). TOGAF, an Open Group Standard. The Open Group. Retrieved February 13, 201[?], from http://www.opengroup.org/sub