0

I'm currently writing a paper about security standards. Therefore several terms have to be defined before I can actually start. The problem is that in every resource the term "Framework" is somehow connected to the terms "Standard", "Guideline", "Procedure" and "Policy". However, I fail to find a general definition for the term, since every resource defines it in a different way. E.g

  • "A Framework is an assembly of standards, guidelines and best practices, which helps organizations at managing their assets and reaching their goals"
  • "An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment"
  • "A Framework is a general guideline that an organization can adopt."
  • "A framework is at best, a frame that can be used as a practice."

etc..
So, obviously people have completely different definitions for a framework. But which one is correct? Any experts here that can give me a short explanation?

koapsi
  • 25
  • 5
  • It appears to me that the confusion arises from how broad the term "framework" is. I believe the exact term you are after is: https://en.wikipedia.org/wiki/Policy_framework. – EdOverflow Jan 05 '19 at 15:19
  • Yes, I've actually thought about the term and it seems to appear everywhere. In the programming field, in risk management, in data science .... etc. But the term "Policy Framework" seems to be the most fitting one in this context! Thank you – koapsi Jan 05 '19 at 17:10

1 Answers1

1

I will reiterate my comment above so that this question has an answer. It appears to me that the confusion arises from how broad the term "framework" is. I believe the exact term you are after is "policy framework".

A policy framework is document that sets out a set of procedures or goals, which might be used in negotiation or decision-making to guide a more detailed set of policies, or to guide ongoing maintenance of an organization's policies. A framework might be used by a large organization such as a company, educational institution, or government, to inform employees about whose approval is needed to make new policies, what rules new policies must follow, how policies should be communicated and enforced, and what high-level or long-term goals that new policies should try to support.

EdOverflow
  • 1,246
  • 8
  • 21
  • To expand on this, as I believe it to be the correct answer. A "framework" can be defined as, "a frame or structure composed of parts fitted and joined together." ref - [Dictionary.com](https://www.dictionary.com/browse/framework). So a framework in and of itself does not define it's composed parts. That depends on the user. And in this context it is likely that you are referring to a Policy Framework or Information Security Framework such as the NIST Cybersecurity Framework. – Justin Jan 06 '19 at 22:29
  • This helped me a lot, as the NIST Cybersecurity Framework is one of my main references for the paper. "Policy Framework" seems to be the most fitting term! Thank you – koapsi Jan 08 '19 at 12:38