Yo,
Interesting: just came across comp.risks.
This "security model" was built by studying and evaluating real-life practice at a number of software-intensive institutions. From the FAQ:
We built BSIMM by studying 9 organizations, all of them household names. The organizations are drawn from three verticals: financial services (4), independent software vendors (3), and technology firms (2). Those companies among the nine who graciously agreed to be identified include: Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and The Depository Trust and Clearing Corporation (DTCC). Okay, maybe DTCC is a household name only if a stockbroker lives in your house, but you get the picture.
JT