The SISMA framework is a cyber and information security framework which provides integration from the following two points of view:
– Security architecture and security management integration;
– Content and process framework integration.
The content framework provides multiple abstract views/layers, down to the detailed level of technical security controls. The process framework provides the methodology and approach for implementing these controls.
Security architecture and management integration
The former relates to the enterprise security architecture domain; the latter refers to the governance, risk, and compliance (GRC) domain.
Content and process framework integration
Content relates to the technical security controls (organization, people, process, and technology related), for which multiple taxonomies are provided: one based on content and one based on process. The content framework is designed in the SISMA framework itself. For the process framework an existing methodology and approach is adopted, which is elaborated on below. The content framework is defined as follows:
– Enterprise Security Architecture (ESA);
– Enterprise Security Management (ESM, aka the GRC domain);
– Security Architecture Capability controls (SAC), covering:
  – Vulnerability Management;
  – Threat Management;
  – Identity Management;
  – Information Protection;
  – Information Management;
– Security Management Controls (SMC);
– Security Awareness, Training, and Education controls (SATE);
– Security Operations controls (SO);
– Security Assurance controls (SA).
The process relates to the methodology and approach for implementing the technical security controls, i.e. the content framework. For the process part an existing, proven methodology and approach is adopted for integration, namely:
– the PDCA cycle (Plan-Do-Check-Act), aka the Deming Circle, as methodology;
– the PPT Triangle (People, Process, Technology), extended with Organization, as approach.
The Deming Circle is a quality management cycle, adopted here as the methodology for implementing technical security controls. The methodology distinguishes the following phases, which also provide a taxonomy for the content:
– Plan. The strategic planning phase.
– Do. The execution phase, which includes project and service management.
– Check. The assurance phase.
– Act. The phase of continuous improvement.

The PPT Triangle plus Organization is also used as a taxonomy for technical security controls from a process point of view. The PPT Triangle (also referred to as the Golden Triangle) is an approach for organizational change, IT management, and operational efficiency.

Below you will find two views, an abstract one and a detailed one, of the Samson Integrated Security Architecture & Management framework. The content and process frameworks are fully integrated in these views.


Stay tuned for the follow-up publication, which will provide a content deep-dive into the Samson Integrated Security Architecture & Management framework, including its technical security controls.