There is no practice called "Security"
I've never thought of Security as a distinct function or practice.
There is a security oversight/coordination role within Management - a CSO is fine by me
There is a security topic within Risk
There is security within Architecture
There is a LOT of security within Data, what ITIL calls Information Security, but I don't think Security should OWN data integrity as they often try to do with the "security=CIA" mantra.
There is a security group within Infrastructure who set up perimeters and barriers
There is a security team within Operations, managing threats and intrusions
Access is of course a security-related practice
Since I think Risk is a distinct practice, whereas ITIL etc. treat it in the same spread-everywhere way that I am treating security, I'm prepared to listen to arguments for Security as a practice. If so, where does it sit in the Framework? Next to Risk?
I can see your point there. As long as it is clear somewhere that architecture needs to incorporate security (ops hate it when new solutions are introduced with no security considerations), then all well and good.
Thanks. I'll make it clear that it is a component of architecture. I gave in to politics and included Security as an explicit operational practice in Framework 13: i.e. threat, identity, confidentiality. The tech stuff. Otherwise there will be resistance to the framework from the tech geeks, a fight not worth fighting.