Security Management Life Cycle (SMLC): A Comparative Study

We introduce an integrated conceptualization of enterprise information technology security management in the form of a life cycle that accounts for the people, processes, infrastructure, and applications within an enterprise. Our life cycle view provides a lens through which one can view the security management activities at the strategic, tactical, and operational levels with regard to their strategic alignment with organizational goals. We compare and contrast three widely adopted frameworks (COSO, COBIT and ITIL) for enterprise risk and IT management with respect to our life cycle. We conclude that although the definitions of each stage of the life cycle are similar in these frameworks, their approach, philosophy, and method of execution is primarily determined by their unique focus. By developing a life cycle abstraction which encapsulates all of these frameworks, security management can better understand how their responsibilities and activities support organizational objectives.