Abstract: Frameworks are useful guides to the thought processes of information security professionals as they build their solutions. These frameworks are not solutions, only guides. They ensure that nothing is left out and that the work is done thoroughly and well. Unfortunately, the quality of frameworks is not consistent. Following a framework that does not fit the business requirements can create false assurance. This paper discusses a methodology for building a fitting framework. Asking pertinent questions forms the basis for such a framework. The questions and the process of asking those questions determine the quality of the solution. A set of questions is described as examples, together with an explanation of how they define the areas that are necessary to enable sound solution development. Some common errors and misconceptions are highlighted, together with pointers to how they can be avoided or overcome. The methodology for developing the areas identified by the questions completes the paper.