I work in a world of standards, opinions, controls and countermeasures, all encompassed in a foreign language of “infosec” and “itsec”. This of course, while entertaining, is of little use to the world. I would like to propose a simple concept, probably high level, and I am sure my peers would argue is “inadequate”, that said however, hear me out:
Ok, so the basic concept is simple, setup three primary work streams or “functions”, 1 is a Risk Asssesment and Classifcation Function, 2 is a People / Process/ Awareness, and 3 is Controls, both protective and detective as needed.
The idea is that the risk assessment process runs in a cycle with inputs and outputs at the core of the system which serves as the engine for security. Its easier to explain in a diagram, take a look:
Genious or Madness, its your decision, I like it because its simple and can be applied to any situation. Of course I agree with arguments such as “where is the governance?”, “what about strategy” etc, but quite simply, thats not what this is. This is a simple security process that allows you to feed information in and get solutions out.