Transcript
  • 8/17/2019 Discussion 1 - Security Frameworks

    1/3

    Security Frameworks

    Are you familiar with the age-long practice of people putting spare keys under the doormat, believing they are smarter than the enemies who could enter their house? Well, the problem with that is that if anyone has access to that bunch of keys, the house is no longer secure. So one way to guard against unauthorized access to the house would be to pray that the attacker is not smart enough to think of looking there. Experienced attackers will always be smart enough to figure out where the spare keys are. This concept is called security through obscurity.

    A technical example would be vendors who believe that their products are more secure than open-source products because their products' code is compiled. Well, the bad news about that is that attackers are motivated and equipped with sophisticated tools to reverse-engineer the code. Even without reverse-engineering, they can exploit any security vulnerability in the code. The proper approach to security is to make sure that the original software code does not leave room for flaws. Others believe that changing port numbers or writing in-house algorithms that attackers are not familiar with will provide more security to the organization, but again, there are lots of ways attackers can decipher the perceived secure algorithms and ports.

    The only way out is to accept that you cannot outsmart the attackers and to build security programs on what has been tested over the years and certified secure, called a Security Framework. Organizations can then plug in different types of technologies, methods, procedures, etc. to achieve the level of protection their environment requires (Harris, 2013, p. 3).

    The following are some examples of the security frameworks, standards and industry best practices suitable for different organizations and environments that have yielded proven results over the years.

    1. Security Program Development: e.g. ISO/IEC 27000 series.
    2. Enterprise Architecture Development: e.g. Zachman, TOGAF, DoDAF, MODAF.
    3. Security Enterprise Architecture Development: SABSA model.
    4. Security Controls Development: CobiT, NIST SP 800-53.
    5. Corporate Governance: COSO.
    6. Process Management: ITIL, Six Sigma, CMMI. (Harris, 2013)

    1. ISO/IEC 27000 series: Also known as the ISMS family of standards, it is the standard framework


    for which the artifact was constructed (the Perspective) as well as classified by the content or sub. (TOGAF, 2016).

    2. DoDAF: For the United States Department of Defense (DoD) to be able to meet its military goals and to facilitate interoperability among DoD systems, the Department of Defense Architecture Framework (DoDAF) was developed. It is an architecture framework (Dandashi, 2006, p. 12).

    3. MODAF: MODAF is the enterprise architecture framework developed by the British Ministry of Defence (MOD), called the Ministry of Defence Architecture Framework. According to the Ministry of Defence (2012), MODAF was developed to support defence planning and change activities. Information is captured and presented in a coherent, comprehensive and rigorous way for the complete understanding of complex issues.

    4. COBIT: In 1996, the Information Systems Audit and Control Association developed a security control development framework known as Control Ob


    Bibliography

    Dandashi, F. et al. (2006). The Open Group Architecture Framework (TOGAF) and the US Department of Defense Architecture Framework (DoDAF). The Open Group. Retrieved February 13, 2016, from http://pubs.opengroup.org/onlinepubs/799939899/toc.pdf.

    Harris, S. (2013). CISSP Exam Guide. New York: McGraw Hill.

    Ministry of Defence, United Kingdom. (2012). MOD Architecture Framework: Defence and Armed Forces Guidance. Retrieved February 13, 2016, from https://www.gov.uk/guidance/mod-architecture-framework.

    Olzak, T. (2013). COBIT 5 for Information Security: The Underlying Principles. Retrieved February 13, 2016, from http://www.techrepublic.com/blog/it-security/cobit-5-for-information-security-the-underlying-principles/.

    TOGAF (2016). TOGAF, an Open Group Standard. The Open Group. Retrieved February 13, 2016, from http://www.opengroup.org/sub