I have developed this piece of intellectual capital over the last 12 years, adding to it as the security landscape has changed. I have used it on many engagements, adapting it to suit the given environment and task.
Is it complete? No, it can't be. Security professionals and the control sets they work with change with the threat landscape, so this view needs to evolve continually.
Version 2 is a major update in which I have broken out the "operational security capability" from the "control". I have also revamped and modified a large number of controls, and I have restructured the Visio/OmniGraffle file so that the sections sit in separate layers, which will make future updates easier. Still more to do…
What is it? It is a generic control set from which you can pick and choose the controls you need in a given situation. I use it for the following purposes:
1. Gap analysis. When auditing or reviewing an architecture, I use this model as a reference to ensure I have covered all the bases.
2. Requirements definition and control selection. I use the model to make sure I don't miss any inputs when defining security requirements, and to make sure I have considered all the different control groups when deciding which controls are most suitable for a given set of threats within the constraints of the environment I am working in.
3. Capability reviews or definition. I use this model when developing Capability Views (another product I generate, which describes how the people, processes and control sets work together to deliver the capability). These Capability Views are used when describing or analysing the operational effectiveness of a capability. For example, many organisations will build something like a Certificate Management or SIEM solution without fully capitalising on the investment, because they do not make sure that the operational processes are complete and effective and that the right information is going to the correct stakeholders. The PDCA cycle can't operate effectively if you can't close the loop.
It can be put to other uses, but these are the main ones I use it for.
I have shared this because it is something I use regularly with great effect, and I hope others might find it useful. It is my intellectual capital, but anyone is free to use it if they find it useful. I am also open to suggestions on how it might be improved, so feel free to contact me if you want to discuss it.
Contact me at firstname.lastname@example.org or via LinkedIn.
For downloadable versions, look under Useful Tools.