There are many people who have many opinions on these sorts of things.
There's nothing that covers all aspects in one methodology. Engineering and operations are very different things, and you can't apply one methodology to both.
Donn Parker, one of the most respected names in computer security, has a new book out with his ideas about how we've been doing things wrong for the last three decades. I think it's a must-read. It is called "Fighting computer crime: A new framework for protecting information." You can find it at Amazon.
John Viega and Gary McGraw have an excellent new book on building secure software. You can also find it at Amazon.
Also, there's Ross Anderson's excellent book on Security Engineering. While we're at it, Schneier's Secrets and Lies is also a must-read.
All of these resources talk about the various methodologies that you might use. Unfortunately, there's no one size that fits all. Not only is development not the same as operations, but the way you operate a bank is not the way you operate a convenience store. Neither of these is the way you operate a military base. When you construct a methodology for yourself, you look at what your assets are, what your threats are, what things you can solve easily (like buying insurance) and so on.
This was first published in April 2002