A Business Model for Information
Security Management (BMIS)
Krag Brotby
With thanks to
Dr. Derek J. Oliver
Ravenswood Consultants Ltd.
Session Goals
 Consider the business challenges that organizational
leaders and security managers need to confront
 Evaluate traditional approaches to protection used to
address these challenges
 Introduce systemic thinking as a better way of
addressing the business needs for information
protection
 Review the concepts contained within the Business
Model for Information Security Management
Models, frameworks,
standards
Model is a representation of something
Theoretical description of how a system
works
Should function as foundation for all
standards and frameworks used
Help define goals, translate strategy into
concepts
Models, frameworks,
standards
Frameworks provide structure
Skeleton to be ‘fleshed’ in
Generally operational in nature
Usually rely on subsidiary standards
OCTAVE, Risk IT are risk frameworks
COBIT is IT management framework
Models, frameworks,
standards
A standard is an agreed, repeatable way
of doing something (BSI)
Or basis for comparison, a reference point
Or in CISM, a standard sets the allowable
functional boundaries of technologies,
people and processes
Information Security
Program Models
An information security program model should:
 Provide a means for understanding how components of a program
function
 Map to and integrate existing frameworks and stovepiped
assurance functions
 Predict the end result that will be achieved when change is
introduced
 Enhance communications among individuals and groups who provide
or benefit from information security program activities
Do existing security approaches meet this
criteria?
Existing Models?
 While there are many existing models for security
they have not looked at security in an holistic way.
 The existing models have been successful in
specifying rules, e.g. for access controls and integrity
of data, but have not looked at security systemically.
 There are many areas that contribute to an
organizations security posture and all of them need to
be considered in order to have a security program
that can operate in a dynamic environment.
Systemic Security
Management Model
The “Systemic Security Management Model” was
developed to address the complexity of “security”.
A business oriented model that promotes a balance
between “protection” and “business”. ISACA is
developing this Model as the Business Model for
Information Security.(BMIS)
BMIS
Model is comprised of:
Elements
• Organization Design and Strategy
• People
• Process
• Technology
Dynamic Interconnections
• Culture
• Architecture
• Governing
• Emergence
• Enabling and Support
• Human Factors
Origins and Intent
of this Model
 Developed by the Marshall School of Business at the
University of Southern California by Laree Kiely PhD
and Terry Benzel
 Presents a high level, business focused model, for
information security management
 Built around a core set of principles whose intent is to
ensure an optimal balance of protection while
maintaining the ability to conduct business
Why is a Model
Required?
Most significant challenges confronting
information security practitioners:
Management commitment to information security
Management understanding of information security issues
Information security planning prior to implementation of
new technologies or processes
Integration with all other organizational elements
Alignment with the organization’s objectives
Specific
Challenges
 Information protection problems are complex and
involve multiple parties
 Many problems appear not to have been solved
regardless of past actions taken
 Reactive, “Cause and effect” linear thinking is not
effective
 Continuous fire fighting crisis mode results in little
time for innovation
 Organization “silos” reduce opportunities for
strategic solutions
 Over-reliance on technology to solve problems
The Systems
Approach
 Systemic approach is relational. Relationships
between participants, systems, processes are
crucial
 Concentrates on the interaction among
components of systems rather than
individuals
 Systems strive to preserve themselves;
participants become habituated – “we’ve
always done it this way”
 Adaptability suffers, change is difficult
The Systems
Approach
“You really can’t understand completely
any one piece without looking at an
interaction from other elements or
dynamic interconnections”
– Ron Hale, Director of Information Security Practices,
ISACA
The old notion of the whole is greater
than the sum of the parts
“Systems Thinking”
is . . . . . .
 A conceptual framework; a body of knowledge and
tools that are used to make full patterns clearer and
help us see how to effectively manage change
 A discipline for seeing wholes and dynamic interrelationships rather than static snapshots
 A discipline for seeing the structures that underlie
complex situations and for discerning high from low
leverage change
A.K.A.. “Holistic” or “Whole Body”
Approach
Holistic?
The Term is well known in Medicine
Taking a “Whole Body” approach
Identify & treat the CAUSE not simply the
Symptoms . . . . .
Root cause analysis?
Linear vs systems
Problem Analysis
 Traditional approach breakS down complex
tasks into manageable bits BUT takes away
our intrinsic connection to the larger whole –
i.e. REDUCTIONISM
 Problem resolution can become an attempt to
address obvious symptoms without identifying
the underlying cause. This results in short
term benefit and long term problems.
Problem Analysis
 Must understand how our actions extend beyond
the boundary of our position.
 Results in consequences that appear to come from the
outside when they return to bite us.
 If we just focus on events the best we can do is
predict an event before it happens.
 Can’t create an environment where the event won’t happen
 “Either/Or” thinking is a point in time correction
and does not provide lasting improvement.
Understand the
Whole Problem
 Tendency is to push harder and harder on familiar solutions
while the fundamental problem persists.
 The easy or familiar solution may be addictive and dangerous.
 Short term improvements can lead to long term dependency.
 There is an optimal rate of growth which is not Fast, Fast,
Fast. When growth becomes excessive the system will
respond by slowing down.
 Seeing interrelationships underlying a problem leads to new
insight.
Benefits of
Systems Thinking
 Create a better understanding of the “big picture”
 Obtain the greatest benefit from innovation efforts
 Make innovation more strategically useful and beneficial
 See security as part of the big picture
 Understand the feedback relationship between what is studied
and other parts of the system
 Envision different environments so that change becomes
indispensable. Creative Vision Statements are essential to
creating change.
For example?
Audit
CEO
LAN
Board of Directors
Critical
Business
Operational
Function
Information
Technology
Information
Technology
Support
Functions
(Finance, HR,
Security etc.)
Critical
Business
Operational
Function
Information
Technology
Business Model for
Information Security
BMIS was developed to address the complexity of security.
It is a business oriented model that promotes a balance between
protection and business.
Elements
• Organization Design and Strategy
• People
• Process
• Technology
Dynamic Interconnections
• Culture
• Architecture
• Governing
• Emergence
• Enabling and Support
• Human Factors
Core Concept
The BMIS can be viewed as a three
dimensional fluid model best
visualized as a pyramid.
All aspects of the model interact
with each other.
If any one part of the model is
changed, not addressed, or managed
inappropriately, it will distort the
balance of the model.
Organization Design & Strategy
Element
 Organization is a network of people
interacting with each other. It
contains interactions between people
and things. It drives culture
governance and architecture.
Security as a component needs to
map to the larger organization
 Strategy specifies the goals and
objectives to be achieved as well as
the values and missions to be
pursued. It is the organizations
formula for success and sets the
basic direction.
 Design relates to the formal
organization structure and reporting
relationships
Organization
Governing
Culture
Architecture
Process
Emergence
People
Enabling &
Support
Human Factors
Technology
Process Element
 Includes formal and informal
mechanisms to get things done
 Provides vital link to all of the
dynamic interconnections
 Process is designed to:
 identify, measure, manage, and
control
• risk,
• availability,
• integrity and
• confidentiality,
 and to ensure accountability
Organization
Governing
Culture
Architecture
Process
Emergence
People
Enabling &
Support
Human Factors
Technology
Technology Element
 Organization infrastructure Tools
that make processes more
Technology
efficient.
 Used to accomplish an
organizations mission
Enabling &
Support
 Part of an organizations
infrastructure
Architecture
Human Factors
 Can be considered a band-aid for
Process
security issues
Governing
Emergence
 Too often the only place Security
is addressed!
Culture
Organization
People
 NOT simply IT . . . . . . .
People Element
 Represents the human resources
and the security issues that
surround them
 Collective of human actors
including values and behaviors
 All whose efforts must be
coordinated to accomplish the
goals of the organization
 Not just units of “one” since
each individual comes with all
their experiences, values
People
Emergence
Culture
Governing
Organization
Process
Human Factors
Enabling &
Support
Architecture
Technology
Using the BMIS
How the Model has developed
since its Introduction
The Systems
Approach
 If Information Security activity is centred in one
“Element” or “Dynamic Interconnection” . . .
 What if one of the other elements or DI’s is weak?
 Can we then rely on the Quality of information?
 What are the real weaknesses?
 Where should we strengthen the overall ISMS?
• Directly in the Element or DI?
• With compensation in another area?
 The BMIS aims to assist the Practitioner to:
 Consider Business areas where there may be a weakness
 Identify:
• Weaknesses
• Possible areas of control
ORGANIZATION
Design/Strategy
GOVERNING
GOVERNING
Skewing the
Model
PROCESS
PEOPLE
HUMAN FACTORS
TECHNOLOGY
TECHNOLOGY
Looking directly at the
Dynamic Interconnections
Governing?
 Policies & Procedures
 Published & Circulated
 Understood & Accepted
 Driven from “The Top”
 Reviewed & Reissued
 Covering
 Information Security
• Access to Information
 Leavers & Movers
• DR & BCP
 Risk Management
• Defined Responsibilities
• Methodology
 Standards
 Manageable & Enforceable
 Consistent
 Understood
 Alignment




Corporate Strategy
Objectives
Goals
Mission
 Culture . . . . . . ?
Governing
 Links “Organization” with “Process”
 Thus the Processes in the enterprise are linked to the
Organizational structure, Strategic Planning & Business
design
 Both Elements will therefore depend upon the “Will of the
Executive” and the effectiveness of their management
 Therefore:
• GOOD Governing = strong Processes & Organizational Structure
for security as well as Strategic Alignment
• POOR Governing can represent a security weakness
Architecture?
 Form, Fit & Function
 Alignment with Business
Needs
 Key factors:




Space for improvement
Reaction to Change
Effective & Efficient
Maintainable & Useable
 Includes
 IT Architecture
 Buildings & Physical
Assets
Culture
OFFICES
MAIN
GATE
Security Systems
Alarm Systems
Environment Mgt.
Voice Comm’s
CAR PARK
LAN
DELIVERY
GATE
IT Centre
Warehouse
Security & Alarms
Environment & Safety
WAN & Web
Hardware
Operating Systems
Applications
Firewalls
Routers, Hubs etc
Environment
Architecture
 Links “Organization” with “Technology”
 Thus the Technology will reflect the needs of the
Organization Structure, where the term includes every
Technical aspect not simply IT
• Buildings; Environment; Health & Safety; Physical Access Control
• Meeting the Strategic & Design requirements of functional organization
 Both Elements will therefore depend upon the design and
implementation of the Architecture
 Therefore
• GOOD Architecture provides inbuilt security with automatic
compensation for changes in Organization & Technology
• POOR Architecture could lead to security weakness through a lack of
Physical security or “outdated” methods of Logical security etc
Emergence?
 New:





Technology
Business Opportunities
Physical locations
Legislation/regulation
Threats & Risks
 Events that are:




Unexpected
Unplanned
Unpredicted
‘Perfect storm’
 Affecting the Business’




Ability to React
Ability to Plan
Security strengths
Security weaknesses
Emergence
 Links “Process” with “People”
 Thus People can affect Process and the other way around
because:
• People and people-related issues affect process
• Processes, working methods, external demands etc change
 People can be affected by sudden and unexpected external
and internal changes: new technologies, emerging threats &
risks such as “Global Warming”
 Processes can be affected by new legislation & regulation as
well as technical opportunities
 Therefore:
• GOOD ADAPTIVE management can respond to emerging issues
• POOR “planning for the unexpected” can lead to serious security
weaknesses AND CONSEQUENCES
Enabling & Support?
 Reflects the way in
which Processes and
Technology support
each other
 When either changes, the
other must change
accordingly
 Enables the business to
take advantage of new
opportunities
 Maintains the relationship
between the needs of the
process and the
application of Technology
 Specific issues:




Quality of Information
Reliability
Availability
Confidentiality
 Security Issues:





Managing access
Business activities
Data exchange
Emergency reactions
Change management
Enabling & Support
 Links “Process” with “Technology”
 Thus Processes enable Technology which, in turn, supports
the Processes
 Also, Processes support the Technology by defining
developing needs and Technology enable Processes by
meeting those needs
 Therefore:
• GOOD linkage manages the effective and efficient use of Technology
and provides the essential support for the Business
• WEAK linkage can lead to security weaknesses such as inappropriate
technology, e.g. where a process requires security & technology is
inadequate or where there is a lack of alignment so that the technology
slows down the process.
Culture?
 Includes:




National
Religious
Corporate and
Personal influences
 Can represent a security
weakness:




Culture of “Trust”
Blame culture
Risk adverse culture
Devil may care go-for-it
 Affect all other DI’s
and Elements
 A poor “security culture“
is hard to address
 OCAI metrics
Culture
 Links “Organization” to “People”
 Thus the culture affects the way security is organized and
the way people react to it
 Also, Culture affects and can be influenced by every other
aspect of Security
 The potential weaknesses are immense:
• GOOD security culture may counterbalance weaknesses elsewhere, e.g.
some countries have “security aware” culture, some businesses have such
obvious risks that security is implicit
• POOR security culture leads to weaknesses everywhere so strong
countermeasures are needed unless the culture can be changed, e.g. a
corporate culture of ‘openness’ (or the CEO who likes trees!)
• Structure indicative of culture – command and control vs flat
Human Factors?
 Includes:
 Human weaknesses
• Addiction to Alcohol, Drugs, Gambling etc
• Sickness
 Comprehension, Awareness & Understanding
 Strengths
• Skills, experience, training
 Application & Compliance
 External influences
• Threats, coercion, blackmail, fear
 Management techniques
• Sheer bloody-mindedness!
 Privilege abuse
• Personal use of resources
Human Factors
 Links “People” and “Technology”
 Thus the Technology must reflect the potential for Human
weaknesses and People must understand and make best use
of the technology (remember, NOT simply IT!)
 Human Factors may be addressed by:
•
•
•
•
•
Policies, Procedures & Standards: clear management lines (Governing)
Defined & documented processes: training (Process)
A good security attitude (Culture)
Ability to react (Emergence)
Automated security (Architecture)
 Therefore:
• GOOD, positive Human Factors will enhance security through awareness
& understanding
• POOR Human Factor management will lead to security weaknesses
through misunderstanding & attitude problems
Using BMIS to address the issues
BMIS
 Works from the Business level
 Identifies failures to meet the Business need for security by
examining defined elements of the Business
 Suggests points of compensating control . . . .
TECHNOLOGY
PROCESS
ARCHITECTURE
GOVERNING
ORGANIZATION
GOVERNING
CULTURE
TECHNOLOGY
PEOPLE
PROCESS
PEOPLE
Implementing
Frameworks to populate BMIS
Implementing
Frameworks to populate BMIS
BMIS Diagnostics:
Identifying Strengths and Weaknesses
 Integrate security solutions with model and align to
existing standards
 Analyze strengths and weaknesses
 An example is a weakness found in a technical solution where
root cause may be an architectural flaw or policy issue.
 BMIS can help structuring analysis of strengths and
weaknesses.
BMIS Diagnostics:
Situational Analysis
 First step in identifying strengths and weaknesses is
thorough analysis of the situation based on fully
populated and standardized BMIS
 With systemic approach any element or DI is good
starting point
 For each element model should contain the minimum
information added previously:
• Existing policies, methods and controls
• Existing detailed solutions, tools and procedures
• Relevant parts of information security standards
• Relevant parts of general IT standards
BMIS Diagnostics:
 The simplest way this information may be represented is a
tabular format
 Lists may be long but are easy to manage and update in
subsequent cycles of BMIS activity.
BMIS Diagnostics:
BMIS Diagnostics:
 Second step in analyzing situation is consider tables in terms of
each item.
 An example is ISO 27001 requirement of having a security policy,
which is likely to come up in several tables including:
• Organization element
• People element
• Culture DI
 In many cases the same item—in this case, the policy—will
receive a different rating, depending on the viewpoint
 E.g. information security policy might be seen as a strength in the
Organization element, but as a weakness in terms of the Culture DI.
 Similarly, employee security leaflets might be a strong point in
the People element, but a weakness in the Organization element.
BMIS Diagnostics:
 These differences will become even more visible in
technical solutions or detailed procedures. In working
through the tables, the result might look like this:
BMIS Diagnostics:
Root-cause Analysis
 Once the situational analysis has been completed,
strengths and weaknesses should be known for the
complete set of elements and DIs
 To maintain strengths and address weaknesses root
causes need to be identified.
 The real reasons for a security weakness may be
hidden or located in another part of the organization
 The systemic approach in BMIS provides a step-bystep guide to finding out about the root causes
BMIS Diagnostics:
 For any given security weakness (or strength),
the following steps will reveal the full picture:
• Is this a trivial weakness (e.g., the tool is
dysfunctional or needs bug fixing)?
• Is the root cause within the element(s) where the
weakness is located?
• Is the root cause within the DIs pointing to other
elements?
• Is the root cause in other elements and indirectly
connected to the weakness?
BMIS Diagnostics:
Simple sample
BMIS Diagnostics:
Simple sample
BMIS Diagnostics:
Complex sample
Conclusion
 ISACA has invested in an academic concept which we
believe:
 Will become a standard model for the Systems Approach to
managing Information Security for any Business
• Whatever the size or complexity
• Whatever the nature of the organization (Trading, Government,
Associations or even individuals)
 Is being integrated with COBIT
 Enhances the Practitioner and assists the integration of
Information Security throughout the Organization
Truly International . . . . . .
 ISACA Security Management
Committee:









Jo Stewart-Rattray (Australia)
Manuel Aceves (Mexico)
Kent Anderson (USA)
Emil D’Angelo (USA)
Yves LeRoux (France)
Mark Lobel (USA)
Kyong-Hee Oh (Korea)
Vernon Poole (UK)
Rolf von Roessing (Germany)
 ISACA BMIS Development
Committee









Derek Oliver (UK)
Jean-Luc Allard (Belgium)
Elisabeth Antonsson (Sweden)
Sanjay Bahl (India)
Krag Brotby (USA)
Christos Dimitriadis (Greece)
Meenu Gupta (USA)
Cristina Ledesma (Uruguay)
Ghassan Youssef (UAE)
Assisted (Driven) by:
Ron Hale, Director of Information Security Practices, ISACA
Shannon Donahue, Security Practice development manager, ISACA
Status?
 Development includes:
 Mapping to CobiT
• Relevance in IT Governance . . . Corporate Governance
• A tool to help CobiT implementation
 Mapping to ISO27k series
• Implementation of ISMS
 Other Mappings
• SOX
• ISF Standards
• Other ISO standards? Other Security Organizations?
• Certifications?
International Information Systems Security Certification Consortium
Questions ?
Krag Brotby CISM CGEIT
NextStepInfosec.com
kragby@gmail.com
209 206 2469