The ISACA Business Model for Information Security: An Integrative and Innovative Approach
Rolf von Roessing
SCM Ltd
rvr@scmltd.com
ISACA
Abstract
In recent years, information security management has matured into a professional discipline that covers both technical and managerial aspects in an organisational environment. Information security is increasingly dependent on business-driven parameters and interfaces to a variety of organisational units and departments. In contrast, common security models and frameworks have remained largely technical. A review of extant models ranging from [BeLa73] to more recent models shows that technical aspects are covered in great detail, while the managerial aspects of security are often neglected. Likewise, the business view on organisational security is frequently at odds with the demands of information security personnel or information technology management. In practice, senior and executive level management remain comparatively distant from technical requirements. As a result, information security is generally regarded as a cost factor rather than a benefit to the organisation.
ISACA's Business Model for Information Security (BMIS) has been developed to address the weaknesses in existing models. It addresses information security primarily from a management perspective, by placing it in the context of a functioning, profit-oriented organisation. The model further outlines approaches and key organisational factors influencing the success or failure of security. The paper presents the BMIS in its entirety, and reflects on the individual components and their significance for information security. It will be shown that the current framework for the BMIS can interface with existing models as well as common control frameworks and international standards. The paper will demonstrate that the complete integration of information security with business is an essential prerequisite to overcoming the technical restrictions and managerial disadvantages often experienced in the past. In relating some of the aspects of BMIS to typical incidents and security violations, the paper will conclude by presenting an outlook on practical BMIS use and addressing typical security risks by means of the BMIS.
1 Introduction
For a period of several years, information technology has been at the very top of many reports listing business-related challenges and so-called "hot topics". In accountancy [AICP06, AICP07, AICP08] and various other disciplines, the topic has been ranked as the highest managerial priority for many years. More often than not, information security in its widest sense is directly linked to general compliance, risk management and corporate governance [ISAC06, ISAC07]. Failure to comply with existing rules, or weaknesses in governance, may easily lead to consequences that reach beyond the sphere of information technology or information management.
N. Pohlmann, H. Reimer, W. Schneider (Editors): Securing Electronic Business Processes. Vieweg (2009), 37-47
Conversely, the single obstacle most quoted in theoretical and practical work on the subject is the perceived (or observed) lack of "senior management support". The primary concern voiced by senior business managers is the lack of clear economic parameters and the lack of an unequivocal business case for information security. Concepts such as "return on security investment" (RoSI) and others have addressed this expectation gap, but they remain largely disconnected from the traditional models in security and information technology. In order to provide an answer to some of the well-known problems in information security, the Business Model for Information Security (BMIS) [ISAC09] presents a holistic view of security as one of the organisational goals. The following sections of this paper outline its foundations in theory and practice.
1.1 Business Imperatives in Information Security
Information security, or InfoSec in short, has been a largely technical discipline for many decades. Early information technology did not present any security-related challenges in the civilian context. With the advent of office-based information technology use and the increasingly commercial focus of the web, investments in information security increased over a long period of time. Today's business imperatives in information security are therefore multi-dimensional and multi-faceted. The use of IT itself is subject to security requirements, as the profitability of business processes is often directly dependent on their technical support. As a secondary imperative, the interaction between businesses and with their customers has brought a wide range of laws, regulations and contractual requirements. At the same time, organisations are seeking cost reductions and enhancements to efficiency. The cost of IT, and thus of information security, is a frequent target for reductions, particularly during economic downturns or in phases of intense economic competition.
As a result, there is a widening gap between the reality of information security and the notional demands of business. The long-range consequences of a decoupling between the business view and the technical view have been subject to extensive research. The results - dating back to the mid 1970s - form a picture of imminent danger and growing risk, regardless of the processes and technologies involved. Where [Turn76, Turn78, Perr84] and others found that an unrealistic business perspective on technology led to disaster, more recent authors such as [PaMi92] formulated the theory of "crisis-prone" organisations whose narrow view on reality will lead to erroneous conclusions, flawed actions and finally, disaster. It has been shown in earlier works on the subject that factors conducive to "crisis proneness" apparently do not change over time: they are in evidence both in a non-IT age and in the modern IT-dependent world [Roes06, Roes09].
1.2 Historical Context and Existing Models
The vast majority of extant models dealing with information security addresses technically descriptive or normative aspects. The former category may be traced back to the theory of data access and integrity, for instance in [BeLa73] and subsequent publications. The narrow system of reference adopted disqualifies these models for use in practical day-to-day business. The normative category, on the other hand, takes a wider view on security as a technical objective by setting control objectives and introducing various operational controls. Examples of this latter category are common frameworks such as COBIT, ITIL or the ISO 27000 series. In this historical context, existing models often lack the decisive business focus that is required for practical application. The business view is only found in secondary literature that is usually focused on narrow topics, as witnessed by some illustrative examples. [SoSo05] argue