Risk Management...continued

There are many good enterprise architecture frameworks one can follow. Here are a few you can consider during the planning process.


Security Program Development

  • ISO/IEC 27000 series: International standards on how to develop and maintain an ISMS, developed by ISO and IEC

Enterprise Architecture Development

  • Zachman framework: Model for the development of enterprise architectures, developed by John Zachman
  • TOGAF: Model and methodology for the development of enterprise architectures, developed by The Open Group
  • DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
  • MODAF: Architecture framework used mainly in military support missions, developed by the British Ministry of Defence

Security Enterprise Architecture Development

  • SABSA model: Model and methodology for the development of information security enterprise architectures

Security Controls Development

  • CobiT: Set of control objectives for IT management, developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
  • SP 800-53: Set of controls to protect U.S. federal systems, developed by the National Institute of Standards and Technology (NIST)

Corporate Governance

  • COSO: Set of internal corporate controls to help reduce the risk of financial fraud, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission

Process Management

  • ITIL: Processes to allow for IT service management, developed by the United Kingdom's Office of Government Commerce
  • Six Sigma: Business management strategy that can be used to carry out process improvement
  • Capability Maturity Model Integration (CMMI): Organizational development for process improvement, developed by Carnegie Mellon


Security documentation, and the legal liability issues it brings to the table, also need to be considered in the mix. What is appropriate depends on the type of business, its goals, and its culture. Knowing this will help you focus on the right language to use and on who the audience for the documentation is: auditors, government, vendors, customers?


Not all data or assets hold the same value. Information classification should be used to recognize and identify key assets. You should assign each asset a value and allocate funds to protect that asset, be it data or hardware, based on its assigned classification.

Information classification helps ensure data and hardware are protected in the most cost-effective manner. Moreover, it cost you money to acquire them, so why not protect them? As you move forward in the classification process, each classification level should have its own handling requirements and procedures for how that data or hardware is accessed, used and destroyed.


The common levels of sensitivity, from highest to lowest, for a commercial business:


• Confidential

• Private

• Sensitive

• Public

Security awareness training, which is an administrative control, can also emphasize enforcement measures. In addition, basic security awareness should not be a once-a-year event; it should be an ongoing process in this day of the internet. If a company does not have security policies in place, the necessary countermeasures implemented, and security awareness training in place, it is not practicing due care, and that opens you up to a lawsuit.


Information Security Governance is the responsibility of everyone, not only senior executives. It's an integral part of any IT governance framework. Whilst senior management and IT professionals will lead the process, it's a task everyone within the organization should know about and understand, because each has a part to play. The document below is a good start.


ISO/IEC 27014 Guideline for information security governance



Lance West

© DigiBrains LLC