Just wanted to get some feedback on the terms "Security model". For context, I've been asked to perform some assurance activities on a system design that was written from a Blueprint. Said blueprint was assessed a long time ago, and the control mappings etc that were produced likely need an update to match current technical controls. (it needs an uplift, though this has been described as uplifting the security model)
My question is this - I hear security model, and I go to Bell-LaPadula, Biba etc., but the reference here is to a full list of NIST control mappings to risk scenarios. Are the terms interchangeable, in your own opinions, to match both such things, or would you expect to see and hear differently?
Maybe someone is interchanging "framework" for "model?" This dives into the mind-numbing lexicon, but while Bell-LaPadula, etc. could be called "security models," a better description may be "machine state," or "system" security models, whereas what you've been asked to do seems more along the lines of an "enterprise" or "organizational" model, framework, method, approach, etc.
I've been doing this for going on a few decades now, and the older I get - maybe because I'm forgetting more than anything else these days - the more I ignore the semantics. Whether you call it a model or a framework (and you can even throw "standard" in there), the value is not that one is overwhelmingly better than the other; it's just that it offers a prescribed methodology so that 90 percent of the planning can be done for you. Sure, some are more suited based on industry and objectives, but all require a little (i.e. that 10 percent) additional work. As an analogy, if I am going to build a shed in my yard, I might start with the "NIST shed framework" as opposed to coming at it from the "ISO 27001 shed standard." Either way, I need to use them in the context of my yard, local zoning, and customization to my needs. The downside is at compliance time, you might have to do a little more work, but that just gets to the question of whether the goal is to check boxes or do something more substantive. I'd rather start with the latter and produce the former.
I agree, it does seem to mean something totally different to different people, and on speaking with a colleague I was asked what was meant by security model here, and couldn't answer. Seems the CISO here is throwing the term around to reflect an overall position.
Effectively, what they are asking for is a threat profiling/analysis, followed by a mapping of NIST controls to mitigate each, placed neatly into an agreed format, so that anything built from the underpinning blueprint can then check that all controls are being met satisfactorily.
Not entirely sure whether this would constitute a "security model" per se, but a rough understanding of the term's use at least is had.