Tom Scholtz’s definition of an Information Security Architecture is really what I would define as an overall Information Security Program driven by the Information Security Strategic Plan. The trick is to have an à la carte menu of security controls; these are controls that are individually procedural, combined technical and procedural, and other combinations and permutations of your people, process, and technology. I’m not really seeing anything new here but a repackaging of what is being done already. I tend to gravitate towards ISO27001 + combining the 0 to 5 CMM maturity levels.

