A Conceptual Hierarchy of Security (Politics)

Someone sent me an email earlier today. Buried inside the most bizarre and ineffective sales pitch ever (the topic of a follow-on post) was a hierarchy modeling frameworks, regulations, standards, etc.

At first I thought it was neat, then crap, and now I don't know. I think I have just not seen the words on paper like that.

But how do you model these things? Surely you need multiple axes to represent different views. Are frameworks really more important to follow than regulations?

Note: It's interesting that PCI is listed as a regulation (it is a contractual card-brand standard, not a law).

<snip>

Frameworks Mapped: COBIT, COSO, ITIL, ISO 17799, ISO 27001-08, CMMI

Regulations: Sarbanes-Oxley, HIPAA, GLBA, Privacy, SB1386, PCI, CISP, FDA-CFR-21-11, SAS70-TypeII, etc.

Industry Standards: ISO, IEEE, IEC, JTC, etc.

Best Practices:
  Information Security: State, Federal and International Standards
  Internal Controls, ITGC
  Security: Policies, Standards, Processes, Procedures
  Compliance Phases: Risk Assessments, Gap Analysis, Remediation, Automation

</snip>

One Comment on “A Conceptual Hierarchy of Security (Politics)”

  1. Building a security plan | tssci security Says:

    [...] security plan for 2006 or 2007? How many had clients that implemented a new security program? Which frameworks were [...]