sis, regulatory reporting, management reporting, and much more. If a particular security element is not applicable to the organization or the organization chooses not to perform activities related to that security element, leave that element in the SMP framework and record the rationale as to why the organization chooses to accept the risks or chooses not to invest in a particular remediation. To record such rationale is to address each security element, and by extension address each risk. A legitimate manner of addressing risk is to consciously choose to accept it. Capturing these details in the context of the SMP framework provides a record that any omission of risk mitigation is a conscious omission and not omission by oversight.

The first enterprise product to develop within the context of the SMP framework is an interpretation guide. Define every term and provide a description of intent for each security element. This provides a consistent manner to think about security throughout the organization. This also provides interpretation of legislative or regulatory directions. Too often, the real intent of the legislation is lost to legalese or vague descriptions. Providing an interpretation ensures everyone thinks about security in common and consistent terms. Even if the interpretations are wrong, at least they are consistently wrong. Upon correcting an interpretation, there is a medium to disseminate a new interpretation guide—the SMP framework.

Security tasks include planning (to-be), discovery (as-is), risk management (accept, transfer, share, mitigate), implementation (transition), tracking progress, and reporting. The SMP framework provides an outline for tools, templates, and guidelines to assist with all enterprise security planning tasks. The IA² provides the ability to align security with business drivers. The SMP framework provides a foundation to execute on the information assurance architecture.

What if the SMP framework changes? The development of the SMP framework in the context of business need and using an industry standard as a basis for the SMP framework both provide a solid rationale behind the SMP framework format. If the business need changes or if there are updates to the industry standard, modify the SMP framework accordingly. The new SMP framework provides a new foundation for the aforementioned tools, templates, and guidelines.

12.15 Reality Check Framework (RCF)

The RCF uses the classic who, what, why, when, where, and how as an approach to ask hard questions about a situation, proposed solution, architecture, etc. All aspects of business, technology, and security boil down to who, what, why, when, where, and how—these are the elements of the bottom line. The RCF provides a guide to examine a claim, document, system, solution, department, operation, etc., in the context of who cares, who is using it, what they are using, what they are using it for, why they are using it, when they are using it, where they are applying it, and how. The RCF is an extremely flexible framework and assists in informative writing, investigative inquiry, and performing reality checks on policies, standards,