Defining A High-Level Security Framework

A comprehensive security framework boils down to three familiar basic components: people, technology, and process. When correctly assembled, the people, technology, and process elements of your information security program work together to secure the environment and remain consistent with your firm's business objectives. A comprehensive security framework must be based on these three components and must also ensure policy definition, enforcement, measurement, monitoring, and reporting for each one of the components. However, because defining and implementing policies alone cannot ensure security, the framework must also: 1) identify risks to confidentiality, integrity, and availability for different business functions, and 2) reduce, transfer, or accept those risks. In this document, we establish a high-level framework that you can use either as a starting point for a new security program or as a blueprint for assessing your current security program.