Architecture and Frameworks
Start course

This course is one of four courses covering Domain 1 of the CSSLP. This course explores the topic of security policies and regulations.

Learning Objectives

  • Obtain a general understanding of security policies, regulations, and compliance
  • Understand the legal and privacy issues that these regulations aim to address
  • Learn about a variety of security frameworks and standards
  • Learn about trusted computed principles and how they underpin security frameworks
  • Understand the security implications of acquiring software

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP)​ certification, or for anyone interested in the topics it covers.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at



There are, of course, numerous frameworks regarding this material, these approaches and these standards. Here, you see several that have been developed over the recent years. We have COBIT, an assurance framework put out by ISACA, a sister organization to ². We have the standards known as ITIL which bring about service-oriented architecture design and delivery. The CMMI known as a capability maturity integration, which is a very well-known system first brought into existence to bring greater maturity and control to the whole area of software design and development.

We have SLC, the System Life Cycle, of which the software development life cycle is a subprocess. And it's a generic description of the process of designing, building and operating a system over the life cycle of that particular system. We have OWASP which is a web focus development community that publishes different kinds of standards and guides. We have the security approach to risk management known as OCTAVE, a highly quantitative construct that allows us to look at this in terms of threats, vulnerabilities and assets to be protected. And BSI which is a Department of Homeland security-sponsored initiative intended to bring about improved practices for design and build.

We have COSO which has been around for many years and is a standards-based construct to enforce controls and methods to prevent fraudulent financial reporting. Now, here, you see a diagram of the COSO framework. Now, COSO stands for the Committee of Sponsoring Organizations and it is a conglomeration of worldwide recognized frameworks that is intended to provide guidance on organizational governance, business ethics, internal controls, enterprise risk management, and fraud and financial reporting. COSO was a committee of five sponsoring organizations whose representatives come together periodically to work on specific projects. COSO's projects are undertaken, reviewed and finalized in accordance with policies agreed to by the sponsoring organizations. COSO describes a unified approach for the evaluation of internal control systems that have been designed to provide reasonable assurance and of the integrity of the information being presented. The enterprise risk management framework that it is, COSO emphasizes the importance of identifying and managing risks across the enterprise and that it is widely adopted and consistently used.

So you see the different areas, internal environment, objective setting, event identification, risk assessment and risk response are there as top layers on the approach. SABSA, the Sherwood Applied Business Security Architecture, which is a multi-layered, multi-dimensional approach that encompasses security, service, quality and efficiency, all in one architectural volume. Here we have a similar diagram showing the SABSA structure. Now, as a cube, it is represented to show the three strategic axes that make it up and the four elements that are crossed by these three axes. So that we see that both the long-term and the short-term are addressed by strategic, operations, and then accompanied by reporting and, of course, compliance.

Now, it exists in four dimensions as does the risk evaluation cube I showed you earlier, and it includes time as its fourth dimension, and it brings these four dimensions together to see how it affects the entity itself, the environment and the entity's assets. Now, as mentioned earlier, we have also the Common Criteria known as ISO 15408. Now, as the conceived replacement for several frameworks that predated it, notably the "Rainbow Series" and the "Orange Book" in the U.S., and the ITSEC are complimentary, and yet set aside different one from the EU. The Common Criteria took the best of all the standards that existed at the time, combined them and came up with the first truly international product evaluation criteria that looked at both assurance and performance. This Common Criteria brought about different kinds of definitions and nomenclature. For example, it specified a protection profile. This would be a set of requirements and needs that the customer provides for a product or software that it was going to acquire or have built. The strategic target, known as the Security Target or ST, was a narrative description describing the product offering offered by the supplier responding to the customer's provided protection profile.

The Target of Evaluation or TOE is the actual thing that the customer will receive when they decide on a provider, either buying it from the evaluated products list or having it built specifically for them, so that they could know exactly what they would be getting. When the evaluation is completed, it is compared to an Evaluated Assurance Level. Now, unlike some other standards that evaluate products, software and other items up to a certain level, it can't be specified in advance what EAL or Evaluated Assurance Level the product is targeting as its final objective. It may very well be able to go beyond that but the customer wants it to meet a certain set of standards as specified in its protection profile.

So the EAL is what it either targets or is ultimately assigned. And the EPL, the Evaluated Products List, is the list from which a customer can pick a product that is listed there to meet its needs or from which it can draw a set of requirements and criteria for putting together its own unique protection profile. Now, the goal of any framework is, of course, to bring about standards, bring them into enforceable conditions and for structure and rationalized methodology to develop these things, and then focus on continuous improvement across improvement of function, performance and integration of security.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.