Business Model For Information Security


Transcript of Business Model For Information Security

Page 1: Business Model For Information Security

Free to copy, distribute. You must attribute the work in the manner specified by the author. You may not use this work for commercial purposes.

Marco Raposo 2011 http://pt.linkedin.com/in/marcoraposo

Business Model for Information Security

“The Learning Organization”

Marco Melo Raposo, Oct 2011

Page 2: Business Model For Information Security


Security Challenges

Often, the interaction between business and security resembles a train wreck…

Page 3: Business Model For Information Security

The BMIS model

Page 4: Business Model For Information Security


The BMIS model

• Introduced by ISACA in January 2009

• Provides the frame and mindset to structure communications between senior management and security professionals

• Addresses the security program at the strategic level

• Is a model; it must be supported by additional standards and frameworks

Page 5: Business Model For Information Security


Combining Model, Frameworks and Standards

• BMIS is a model; it must be supported by additional standards and frameworks

• Model: "A schematic description of a system, theory or phenomenon that accounts for its known or inferred properties and may be used for further study of its characteristics"

  • Needs to be flexible and refined periodically

  • High-level design (HLD)

  • Flexibility to mutate: High

• Frameworks: provide structure (a skeletal system)

  • Operational tool

  • Examples: COBIT, OCTAVE, ITIL, Risk IT

  • Flexibility to mutate: Medium

• Standard: provides guidelines; an agreed, repeatable way of doing something

  • Flexibility to mutate: Low

Page 6: Business Model For Information Security


BMIS Overview

• Proactive, interconnected mode

• Holistic and dynamic

• Systemic

• Maximizes the efficiency of the elements

• Allows assets to create value

Page 7: Business Model For Information Security


Elements

Organization

• Higher level, lower level

• Formal and informal

• High-priority strategic objectives

People

• Employees, contractors, vendors and service providers

• Own beliefs, values and behaviors

Process

• Instrumental tool

• Structured activities

• Maturity: can utilize formal or informal mechanisms

• Span all aspects and areas of an organization

Technology

• "the practical application of knowledge"

• "a capability given by the practical application of knowledge"

Page 8: Business Model For Information Security


DIs (Dynamic Interconnections)

Governance

"Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved."

Culture

Culture is a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things.

People are the key to culture, and culture, in turn, creates a set of perceptions in people.

Architecture

The fundamental organization of a system, embodied in its components, their relationships to each other and the environment, and the principles governing its design and evolution.

Affected directly or indirectly by changes imposed on any of the other components within the model.

Page 9: Business Model For Information Security


…More DIs (Everything has beauty, but not everyone sees it)

Emergence

"The arising of novel and coherent structures, patterns and properties during the process of self-organization in complex systems" (positive or negative)

(Figure label: LEARNING)

Human Factors

Enabling & Support

• High-level business objectives

• Detailed business requirements

• Enterprise architecture and process frameworks

• Cross-functional work group

… flexible and also represent the potential tension between the elements

Page 10: Business Model For Information Security


Page 11: Business Model For Information Security


The Importance of Systems Thinking

• The process of understanding how things influence one another within a whole

• Treats "problems" as parts of an overall system

• A set of habits or practices within a framework for understanding a component as part of the system

• Action-feedback

(Figure: the five disciplines of the learning organization: Personal Mastery, Mental Models, Shared Vision, Team Learning, Systems Thinking)

Page 12: Business Model For Information Security


Feedback on Systems Thinking

(Figure: feedback loop linking Password Policy, Enforcement, Vision and Objectives)

Page 13: Business Model For Information Security


"The Art and Practice of the Learning Organization"*

1) Today's problems come from yesterday's "solutions."

2) The harder you push, the harder the system pushes back.

3) Behavior grows better before it grows worse.

4) The easy way out usually leads back in.

5) The cure can be worse than the disease.

6) Faster is slower.

7) Cause and effect are not closely related in time and space.

8) Small changes can produce big results... but the areas of highest leverage are often the least obvious.

9) You can have your cake and eat it too, but not all at once.

10) Dividing an elephant in half does not produce two small elephants.

11) There is no blame.

* "The Fifth Discipline: The Art and Practice of the Learning Organization", Peter Senge, 1990

Page 14: Business Model For Information Security


Using BMIS

• Fully integrate the existing security program.

• Analyze and internalize the detailed security measures and solutions in place.

• Align current standards, regulations and frameworks to BMIS.

• Clearly identify strengths and weaknesses in existing security.

• Use the dynamic security system that BMIS introduces.

• Manage emergence within the organization to maximize security improvements.

Page 15: Business Model For Information Security


Using BMIS

Internal attacks addressed in a step-by-step manner using the available factors of influence

Page 16: Business Model For Information Security


Control Mapping to Elements or DIs

Page 17: Business Model For Information Security


"Take-Aways"

• Security must interact with the business to ensure EVA

• BMIS is a model for matching business and IS

• Understand the systemic, dynamic approach

• Maximize system results by acting at key points

• Feedback and delay as system attributes

• Adjust security to system feedback

Page 18: Business Model For Information Security


Discussion


M: +351 968779278