Sunday, August 26, 2007

Security Architecture frameworks?

Your Public Answer:

“Hi ......, I work with several customers regarding the same question. Unfortunately it is not possible to redirect them to a single compliance framework and get all the answers. (I usually say that compliance is like religion: they all tell you to be a good person, not to lie, not to cheat, to be good to your neighbor, etc., but it is not exactly about how to get there.) That being said, it would be wrong to accept a generic enterprise architecture framework like Zachman for security; you may get lost within the steps of the steps. Security architectures are risk driven (at least they should be), so most of the blocks in the frameworks might be irrelevant. Instead of a full framework I am following a brief methodology based on security risk management principles:

1- Build asset, documentation, architecture and resource registries.
2- Run business requirements analysis: determine what business, compliance, partners, peers and industry require, and determine what is important for the target operation.
3- Run risk analysis (full cycle: threats, vulnerabilities, safeguards, risks, impacts, etc.), using the data from the two previous steps.
4- Run gap analysis and compare requirements vs. risks. That usually tells you where the security architecture should be.

To determine the blocks to fill in the gaps, you may use a management framework like ISO 27001, NIST, COBIT or even PCI DSS... Let me know if you have a question regarding the actual implementation of the methodology.

Regards,
- yinal ozkan”