We often find ourselves asking: What is this talk about frameworks, and how will it help me solve a day-to-day problem in a tangible manner? Not just as some abstract concept that lives as a theory and never gets translated into something useful, or that remains a talking point for those senior folks on a panel somewhere brushing their beards.
To state a definition clearly: A framework is essentially a structured approach or a set of guidelines that helps you tackle complex problems or tasks in a consistent and efficient way. It's like a blueprint that guides you through a process or a map that helps you walk a terrain. Frameworks bring consistency, clarity, and efficiency, making complex tasks more manageable and helping ensure that best practices are followed, which prevents us from falling into known traps.
In practice, a framework often serves as the overarching structure or set of principles that guide how decisions and actions are made. From that framework, you develop policies, procedures, and standards as more detailed, actionable components. To visualize this, use the following image, which we will evolve as we go along:

So, the framework sets the high-level vision and the core principles. Let's assume you are responsible for “Data Security” of a company. You are a smart person, so you start thinking: what does it mean to have secure data? You think of the following criteria:
So you come up with these 3 “pillars” based on your needs to support “Data Security” in your organization. This ‘Data Security Framework’ that you just thought of ensures the protection of sensitive information in your company through confidentiality, integrity, and availability.

This all sounds great, but it still seems very vague to you. You say to yourself, what can I do to make sure these Principles / Guidelines are actually followed? You get an idea: let’s make company-wide rules or ‘Policies’, which will make these principles concrete and easy to follow for new and old employees.
Then you come up with the following ‘Policy’:

After you issue this policy company-wide, a junior colleague of yours from the HR division comes up to you and asks, while peering over your computer, “How do you expect me to follow this policy? I am not very sure how to do this and what to use for this?” Now you have a challenge: just making this policy is not going to be enough for everyone *cough* who does not understand data security as well as you *cough* to follow.
So, you decide to give everyone a checklist of steps to ensure they are in compliance with the Data Security Policy you set above:

Thus, Procedures are the step-by-step instructions on “how to” implement those Policies. Now everything sounds great! You were declared the star of your company and a month later were given an award for top performance. You thought to yourself, what could go wrong? I have thought of everything, decided on what is important and how to make everyone follow it. Right? But alas, your dreams were shattered one day when there was a data hack in the company.
That fateful day, someone stole some data files from your company servers, but you thought, what could they do with the data, even if it was stolen? All the files were encrypted, after all! But then a cyber cell from the police department contacts you with the information that some of your SSNs were leaked on the dark net, which leaves you wondering: what went wrong? How did the hackers decrypt the data?