There are, of course, numerous frameworks regarding this material, these approaches and these standards. Here, you see several that have been developed over the recent years. We have COBIT, an assurance framework put out by ISACA, a sister organization to ². We have the standards known as ITIL which bring about service-oriented architecture design and delivery. The CMMI known as a capability maturity integration, which is a very well-known system first brought into existence to bring greater maturity and control to the whole area of software design and development.

We have SLC, the System Life Cycle, of which the software development life cycle is a subprocess. And it's a generic description of the process of designing, building and operating a system over the life cycle of that particular system. We have OWASP which is a web focus development community that publishes different kinds of standards and guides. We have the security approach to risk management known as OCTAVE, a highly quantitative construct that allows us to look at this in terms of threats, vulnerabilities and assets to be protected. And BSI which is a Department of Homeland security-sponsored initiative intended to bring about improved practices for design and build.

We have COSO which has been around for many years and is a standards-based construct to enforce controls and methods to prevent fraudulent financial reporting. Now, here, you see a diagram of the COSO framework. Now, COSO stands for the Committee of Sponsoring Organizations and it is a conglomeration of worldwide recognized frameworks that is intended to provide guidance on organizational governance, business ethics, internal controls, enterprise risk management, and fraud and financial reporting. COSO was a committee of five sponsoring organizations whose representatives come together periodically to work on specific projects. COSO's projects are undertaken, reviewed and finalized in accordance with policies agreed to by the sponsoring organizations. COSO describes a unified approach for the evaluation of internal control systems that have been designed to provide reasonable assurance and of the integrity of the information being presented. The enterprise risk management framework that it is, COSO emphasizes the importance of identifying and managing risks across the enterprise and that it is widely adopted and consistently used.

So you see the different areas, internal environment, objective setting, event identification, risk assessment and risk response are there as top layers on the approach. SABSA, the Sherwood Applied Business Security Architecture, which is a multi-layered, multi-dimensional approach that encompasses security, service, quality and efficiency, all in one architectural volume. Here we have a similar diagram showing the SABSA structure. Now, as a cube, it is represented to show the three strategic axes that make it up and the four elements that are crossed by these three axes. So that we see that both the long-term and the short-term are addressed by strategic, operations, and then accompanied by reporting and, of course, compliance.

Now, it exists in four dimensions as does the risk evaluation cube I showed you earlier, and it includes time as its fourth dimension, and it brings these four dimensions together to see how it affects the entity itself, the environment and the entity's assets. Now, as mentioned earlier, we have also the Common Criteria known as ISO 15408. Now, as the conceived replacement for several frameworks that predated it, notably the "Rainbow Series" and the "Orange Book" in the U.S., and the ITSEC are complimentary, and yet set aside different one from the EU. The Common Criteria took the best of all the standards that existed at the time, combined them and came up with the first truly international product evaluation criteria that looked at both assurance and performance. This Common Criteria brought about different kinds of definitions and nomenclature. For example, it specified a protection profile. This would be a set of requirements and needs that the customer provides for a product or software that it was going to acquire or have built. The strategic target, known as the Security Target or ST, was a narrative description describing the product offering offered by the supplier responding to the customer's provided protection profile.

The Target of Evaluation or TOE is the actual thing that the customer will receive when they decide on a provider, either buying it from the evaluated products list or having it built specifically for them, so that they could know exactly what they would be getting. When the evaluation is completed, it is compared to an Evaluated Assurance Level. Now, unlike some other standards that evaluate products, software and other items up to a certain level, it can't be specified in advance what EAL or Evaluated Assurance Level the product is targeting as its final objective. It may very well be able to go beyond that but the customer wants it to meet a certain set of standards as specified in its protection profile.

So the EAL is what it either targets or is ultimately assigned. And the EPL, the Evaluated Products List, is the list from which a customer can pick a product that is listed there to meet its needs or from which it can draw a set of requirements and criteria for putting together its own unique protection profile. Now, the goal of any framework is, of course, to bring about standards, bring them into enforceable conditions and for structure and rationalized methodology to develop these things, and then focus on continuous improvement across improvement of function, performance and integration of security.