I did a [Google search on Security Frameworks](http://www.google.com/search?ls=en-us&q=Security+Frameworks&ie=UTF-8&oe=UTF-8 "Security Frameworks"). The first hit I got was to this PDF: [Security Frameworks](http://www.hackerz.ir/e-books/127%20Security%20Frameworks.pdf "Security Frameworks"). And since I linked to it here, I’m helping to keep it high on the search list.
Let me just say that this is about the funniest security document I have read in a while. Don’t get me wrong, it is not meant to be funny. I assume at least. I don’t want to offend the author, but seriously, this is funny stuff. I suspect it’s from 2005 based on the file date, but it doesn’t say in the document itself.
You would expect that a document called “Security Frameworks” would contain subjects like BS 7799, ISO 2700x, COBIT, etc. However, you won’t find any of these standards and frameworks in the document.
Instead the author basically comes up with what I assume is his own security framework, based on the OSI seven layer network model.
He even defines two new layers: layer 8, the financial layer, and layer 9, the political layer. I’ll give you a couple of seconds to think about that.
Have a read through the document. It’s really worth it. For instance, on page 21 he starts mapping the model to what he calls security components. Some examples:
| Security Component | Architecture Layer | Architecture Component Description |
| --- | --- | --- |
| Managing user accounts on and access to the network | Layers 6 & 7, Presentation and Application Layers | Uses Network NOS, Active Directory, LDAP, etc. to authenticate. |
| Provides an operational framework for regular security checks | Layer 8 – Financial Layer | Security becomes part of the enterprise operations, providing consistent security management in the same fashion as enterprise system management. In the same way, the security framework reduces the total cost of security. |
| Provides a platform to align security with business goals | Layer 9 – Political Layer | Security framework can be used to manage security consistently to meet business goals, just as the enterprise system management manages the IT infrastructure to meet the company objectives. |
Now I don’t want to go into details, but this is just mind boggling. It seems like the author at least worked with security related products: he has some basic knowledge of security terminology and seems to have a network security (firewalls, VLANs, etc.) background, but does not seem to understand security as a whole and how things fit together. He quotes the cliché: “Security is not something you buy, it is something you do.” And he certainly did something. Perhaps he should have bought an ISO standard. Ok, that was a lame joke.
On the other hand, he gets an A for effort in my book. Coming up with a security framework is usually something a big group of serious people do. To make your own is impressive, no matter if it makes sense or not. And I do recognise myself (a little) in the struggle to give all these IT and IT security subjects a place in your head, to find some structure for the mesh of abbreviations and abstractions.
Nonetheless, it looks like a perfect example of an engineer who grew into a security job somehow, but never stopped and asked himself “What is security?”