Within cybersecurity, the framework forms the link between the three security goals of confidentiality, integrity and availability. It contains an extremely efficient procedure for developing sets of rules for each subarea of the C-I-A triangle and makes use of smart visualizations to define user-centric and data-centric approaches. For building a comprehensive data security solution, it serves to define the interfaces between the solution components.

In this way, systems for DLP (Data Leakage Prevention) and EIM (Enterprise Integrity Management), together with the components used in a classic data center for the permanent availability of the IT infrastructure and services, such as SIEM (Security Information and Event Management), IDS (Intrusion Detection System), MCD (Malicious Code Detection), etc., are united.
The framework binds these technology concepts into a common unit.

The framework also meets the requirement of centrally routing the notifications of the individual systems to an incident response system, where they can be comprehensively examined and immediately responded to. Which system the SOC already has in place for this task is irrelevant.

However, the stable foundation established in this way not only serves to align the solution components within cybersecurity, but also prepares further fundamental components for essential levels of action. The framework can be used to address governance, risk and compliance as well as data classification and the handling of personal data.

By combining the two integrated, holistic approaches, the technical approach to cybersecurity (CIA triangle) and the management approach to organizing the company (RGC architecture), all technical and organizational processes can be mapped within a pyramid.
The link between the two models is the Compliance module, which formulates clear intrinsic and extrinsic cybersecurity requirements in its definitions and whose protection goals are explicitly named in its specifications.

When the risk layer is built on top of this, and the governance layer on top of that, this arrangement in no way breaks up the direct interaction of the individual elements with each other. These layers always remain coupled via connections in the framework, which at its core is another pyramid whose base is anchored in the CIA triangle and whose apex likewise extends to governance. The objects for processes, strategy, people and technology are the supporting points within the framework; they define and process the internal and external requirements as well as the risk appetite. All elements are viewed in an integrated, holistic and organization-wide manner.

Of course, both approaches retain all previous connections, relations and interactions with their objects.

The combination of the two approaches couples the theoretical-technical approach to cybersecurity with the organizational-strategic approach for a company. Here, for the first time, all prerequisites and goals are connected with one another.

Data classifications can be represented as a separate layer. This layer is located within Compliance and can define the value of company data (e.g. trade secrets) or deal with a particularly sensitive set of data (e.g. personal data).

Internal definitions are made for sensitive company data. For personal data, external legal requirements apply.

In many companies, multiple classifications for one object are also conceivable.

The creative management of information technology, which can also always be understood as an organizational unit for the areas of confidentiality, integrity and availability, is independent of the management approach chosen for it. It can be determined by a very classical management approach following the principle of “operation and change”, by the waterfall model, or by agile methods with sprints. All of these approaches are governed by the cybersecurity protection goals. The management approach selected depends to a large extent on the structure and size of the company. A change in the management approach over time can always be mapped and does not affect the framework presented here.

Since the framework is based on both the principles of information technology and the principles of information management, it is completely irrelevant whether the components to be considered are realized in the classic data center and network management (on-premises), in the IoT (Internet of Things) or in a cloud.

Mixed forms, which have often been established in recent years, can also be considered. Changes over time, whether through expansion or through migrations between these technological forms, can always be mapped for companies via the framework.

Management principles such as ITIL or PRINCE2 as well as PMBOK and IPMA ICB can still be applied through their best-practice approaches. These principles are further supported by the framework, because they live from a holistic view, transparency, the connection of use case and risk, configuration and change management, etc.

Ultimately, the framework formulated here enables all of these management principles to be fully taken into account.