1 / 63

A Business Model for Information Security Management (BMIS)

Krag Brotby With thanks to Dr. Derek J. Oliver Ravenswood Consultants Ltd. A Business Model for Information Security Management (BMIS). Session Goals. Consider the business challenges that organizational leaders and security managers need to confront

horace
Download Presentation

A Business Model for Information Security Management (BMIS)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Krag Brotby With thanks to Dr. Derek J. Oliver Ravenswood Consultants Ltd. A Business Model for Information Security Management (BMIS)

  2. Session Goals • Consider the business challenges that organizational leaders and security managers need to confront • Evaluate traditional approaches to protection used to address these challenges • Introduce systemic thinking as a better way of addressing the business needs for information protection • Review the concepts contained within the Business Model for Information Security Management

  3. Models, frameworks, standards • Model is a representation of something • Theoretical description of how a system works • Should function as foundation for all standards and frameworks used • Help define goals, translate strategy into concepts

  4. Models, frameworks, standards • Frameworks provide structure • Skeleton to be ‘fleshed’ in • Generally operational in nature • Usually rely on subsidiary standards • OCTAVE, Risk IT are risk frameworks • COBIT is IT management framework

  5. Models, frameworks, standards • A standard is an agreed, repeatable way of doing something (BSI) • Or basis for comparison, a reference point • Or in CISM, a standard sets the allowable functional boundaries of technologies, people and processes

  6. Information Security Program Models • Provide a means for understanding how components of a program function • Map to and integrate existing frameworks and stovepiped assurance functions • Predict the end result that will be achieved when change is introduced • Enhance communications among individuals and groups who provide or benefit from information security program activities An information security program model should: Do existing security approaches meet this criteria?

  7. Existing Models? • While there are many existing models for security they have not looked at security in an holistic way. • The existing models have been successful in specifying rules, e.g. for access controls and integrity of data, but have not looked at security systemically. • There are many areas that contribute to an organizations security posture and all of them need to be considered in order to have a security program that can operate in a dynamic environment.

  8. Systemic Security Management Model The “Systemic Security Management Model” was developed to address the complexity of “security”. A business oriented model that promotes a balance between “protection” and “business”. ISACA is developing this Model as the Business Model for Information Security.(BMIS)

  9. BMIS Model is comprised of: • Elements • Organization Design and Strategy • People • Process • Technology • Dynamic Interconnections • Culture • Architecture • Governing • Emergence • Enabling and Support • Human Factors

  10. Origins and Intent of this Model • Developed by the Marshall School of Business at the University of Southern California by Laree Kiely PhD and Terry Benzel • Presents a high level, business focused model, for information security management • Built around a core set of principles whose intent is to ensure an optimal balance of protection while maintaining the ability to conduct business

  11. Why is a Model Required? Most significant challenges confronting information security practitioners: • Management commitment to information security • Management understanding of information security issues • Information security planning prior to implementation of new technologies or processes • Integration with all other organizational elements • Alignment with the organization’s objectives

  12. Specific Challenges • Information protection problems are complex and involve multiple parties • Many problems appear not to have been solved regardless of past actions taken • Reactive, “Cause and effect”linear thinking is not effective • Continuous fire fighting crisis mode results in little time for innovation • Organization “silos” reduce opportunities for strategic solutions • Over-reliance on technology to solve problems

  13. The Systems Approach • Systemic approach is relational. Relationships between participants, systems, processes are crucial • Concentrates on the interaction among components of systems rather than individuals • Systems strive to preserve themselves; participants become habituated – “we’ve always done it this way” • Adaptability suffers, change is difficult

  14. The Systems Approach “You really can’t understand completely any one piece without looking at an interaction from other elements or dynamic interconnections” • Ron Hale, Director of Information Security Practices, ISACA • The old notion of the whole is greater than the sum of the parts

  15. “Systems Thinking” is . . . . . . • A conceptual framework; a body of knowledge and tools that are used to make full patterns clearer and help us see how to effectively manage change • A discipline for seeing wholes and dynamic inter-relationships rather than static snapshots • A discipline for seeing the structures that underlie complex situations and for discerning high from low leverage change A.K.A.. “Holistic” or “Whole Body” Approach

  16. Holistic? • The Term is well known in Medicine • Taking a “Whole Body” approach • Identify & treat the CAUSE not simply the Symptoms . . . . . • Root cause analysis?

  17. Linear vs systems

  18. Problem Analysis • Traditional approach breakS down complex tasks into manageable bits BUT takes away our intrinsic connection to the larger whole – i.e. REDUCTIONISM • Problem resolution can become an attempt to address obvious symptoms without identifying the underlying cause. This results in short term benefit and long term problems.

  19. Problem Analysis • Must understand how our actions extend beyond the boundary of our position. • Results in consequences that appear to come from the outside when they return to bite us. • If we just focus on events the best we can do is predict an event before it happens. • Can’t create an environment where the event won’t happen • “Either/Or” thinking is a point in time correction and does not provide lasting improvement.

  20. Understand the Whole Problem • Tendency is to push harder and harder on familiar solutions while the fundamental problem persists. • The easy or familiar solution may be addictive and dangerous. • Short term improvements can lead to long term dependency. • There is an optimal rate of growth which is not Fast, Fast, Fast. When growth becomes excessive the system will respond by slowing down. • Seeing interrelationships underlying a problem leads to new insight.

  21. Benefits of Systems Thinking • Create a better understanding of the “big picture” • Obtain the greatest benefit from innovation efforts • Make innovation more strategically useful and beneficial • See security as part of the big picture • Understand the feedback relationship between what is studied and other parts of the system • Envision different environments so that change becomes indispensable. Creative Vision Statements are essential to creating change.

  22. For example? Audit CEO LAN Board of Directors Critical Business Operational Function Information Technology Support Functions (Finance, HR, Security etc.) Critical Business Operational Function Information Technology Information Technology

  23. Business Model for Information Security BMIS was developed to address the complexity of security. It is a business oriented model that promotes a balance between protection and business. • Elements • Organization Design and Strategy • People • Process • Technology • Dynamic Interconnections • Culture • Architecture • Governing • Emergence • Enabling and Support • Human Factors

  24. Core Concept The BMIS can be viewed as a three dimensional fluid model best visualized as a pyramid. All aspects of the model interact with each other. If any one part of the model is changed, not addressed, or managed inappropriately, it will distort the balance of the model.

  25. Organization Design & Strategy Element • Organization is a network of people interacting with each other. It contains interactions between people and things. It drives culture governance and architecture. Security as a component needs to map to the larger organization • Strategy specifies the goals and objectives to be achieved as well as the values and missions to be pursued. It is the organizations formula for success and sets the basic direction. • Design relates to the formal organization structure and reporting relationships Organization Governing Process Culture Architecture Emergence Enabling & Support People Technology Human Factors

  26. Process Element • Includes formal and informal mechanisms to get things done • Provides vital link to all of the dynamic interconnections • Process is designed to: • identify, measure, manage, and control • risk, • availability, • integrity and • confidentiality, • and to ensure accountability Organization Governing Process Culture Architecture Emergence Enabling & Support People Technology Human Factors

  27. Technology Enabling & Support Process Architecture Human Factors Governing Emergence Organization People Culture Technology Element • Organization infrastructure Tools that make processes more efficient. • Used to accomplish an organizations mission • Part of an organizations infrastructure • Can be considered a band-aid for security issues • Too often the only place Security is addressed! • NOT simply IT . . . . . . .

  28. People Element • Represents the human resources and the security issues that surround them • Collective of human actors including values and behaviors • All whose efforts must be coordinated to accomplish the goals of the organization • Not just units of “one” since each individual comes with all their experiences, values People Emergence Process Culture Human Factors Enabling & Support Governing Organization Technology Architecture

  29. Using the BMISHow the Model has developedsince its Introduction

  30. The Systems Approach • If Information Security activity is centred in one “Element” or “Dynamic Interconnection” . . . • What if one of the other elements or DI’s is weak? • Can we then rely on the Quality of information? • What are the real weaknesses? • Where should we strengthen the overall ISMS? • Directly in the Element or DI? • With compensation in another area? • The BMIS aims to assist the Practitioner to: • Consider Business areas where there may be a weakness • Identify: • Weaknesses • Possible areas of control

  31. Skewing the Model ORGANIZATION Design/Strategy ORGANIZATION Design/Strategy GOVERNING GOVERNING ARCHITECTURE PROCESS PROCESS CULTURE EMERGENCE ENABLING & SUPPORT PEOPLE PEOPLE TECHNOLOGY TECHNOLOGY HUMAN FACTORS

  32. Looking directly at the Dynamic Interconnections

  33. Governing? • Policies & Procedures • Published & Circulated • Understood & Accepted • Driven from “The Top” • Reviewed & Reissued • Covering • Information Security • Access to Information • Leavers & Movers • DR & BCP • Risk Management • Defined Responsibilities • Methodology • Standards • Manageable & Enforceable • Consistent • Understood • Alignment • Corporate Strategy • Objectives • Goals • Mission • Culture . . . . . . ?

  34. Governing • Links “Organization” with “Process” • Thus the Processes in the enterprise are linked to the Organizational structure, Strategic Planning & Business design • Both Elements will therefore depend upon the “Will of the Executive” and the effectiveness of their management • Therefore: • GOOD Governing = strong Processes & Organizational Structure for security as well as Strategic Alignment • POOR Governing can represent a security weakness

  35. Architecture? • Form, Fit & Function • Alignment with Business Needs • Key factors: • Space for improvement • Reaction to Change • Effective & Efficient • Maintainable & Useable • Includes • IT Architecture • Buildings & Physical Assets Culture OFFICES Security Systems Alarm Systems Environment Mgt. Voice Comm’s MAIN GATE CAR PARK LAN Warehouse IT Centre DELIVERY GATE Hardware Operating Systems Applications Firewalls Routers, Hubs etc Environment Security & Alarms Environment & Safety WAN & Web

  36. Architecture • Links “Organization” with “Technology” • Thus the Technology will reflect the needs of the Organization Structure, where the term includes every Technical aspect not simply IT • Buildings; Environment; Health & Safety; Physical Access Control • Meeting the Strategic & Design requirements of functional organization • Both Elements will therefore depend upon the design and implementation of the Architecture • Therefore • GOOD Architecture provides inbuilt security with automatic compensation for changes in Organization & Technology • POOR Architecture could lead to security weakness through a lack of Physical security or “outdated” methods of Logical security etc

  37. Emergence? • New: • Technology • Business Opportunities • Physical locations • Legislation/regulation • Threats & Risks • Events that are: • Unexpected • Unplanned • Unpredicted • ‘Perfect storm’ • Affecting the Business’ • Ability to React • Ability to Plan • Security strengths • Security weaknesses

  38. Emergence • Links “Process” with “People” • Thus People can affect Process and the other way around because: • People and people-related issues affect process • Processes, working methods, external demands etc change • People can be affected by sudden and unexpected external and internal changes: new technologies, emerging threats & risks such as “Global Warming” • Processes can be affected by new legislation & regulation as well as technical opportunities • Therefore: • GOOD ADAPTIVE management can respond to emerging issues • POOR “planning for the unexpected” can lead to serious security weaknesses AND CONSEQUENCES

  39. Enabling & Support? • Reflects the way in which Processes and Technology support each other • When either changes, the other must change accordingly • Enables the business to take advantage of new opportunities • Maintains the relationship between the needs of the process and the application of Technology • Specific issues: • Quality of Information • Reliability • Availability • Confidentiality • Security Issues: • Managing access • Business activities • Data exchange • Emergency reactions • Change management

  40. Enabling & Support • Links “Process” with “Technology” • Thus Processes enable Technology which, in turn, supports the Processes • Also, Processes support the Technology by defining developing needs and Technology enable Processes by meeting those needs • Therefore: • GOOD linkage manages the effective and efficient use of Technology and provides the essential support for the Business • WEAK linkage can lead to security weaknesses such as inappropriate technology, e.g. where a process requires security & technology is inadequate or where there is a lack of alignment so that the technology slows down the process.

  41. Culture? • Includes: • National • Religious • Corporate and • Personal influences • Can represent a security weakness: • Culture of “Trust” • Blame culture • Risk adverse culture • Devil may care go-for-it • Affect all other DI’s and Elements • A poor “security culture“ is hard to address • OCAI metrics

  42. Culture • Links “Organization” to “People” • Thus the culture affects the way security is organized and the way people react to it • Also, Culture affects and can be influenced by every other aspect of Security • The potential weaknesses are immense: • GOOD security culture may counterbalance weaknesses elsewhere, e.g. some countries have “security aware” culture, some businesses have such obvious risks that security is implicit • POOR security culture leads to weaknesses everywhere so strong countermeasures are needed unless the culture can be changed, e.g. a corporate culture of ‘openness’ (or the CEO who likes trees!) • Structure indicative of culture – command and control vs flat

  43. Human Factors? • Includes: • Human weaknesses • Addiction to Alcohol, Drugs, Gambling etc • Sickness • Comprehension, Awareness & Understanding • Strengths • Skills, experience, training • Application & Compliance • External influences • Threats, coercion, blackmail, fear • Management techniques • Sheer bloody-mindedness! • Privilege abuse • Personal use of resources

  44. Human Factors • Links “People” and “Technology” • Thus the Technology must reflect the potential for Human weaknesses and People must understand and make best use of the technology (remember, NOT simply IT!) • Human Factors may be addressed by: • Policies, Procedures & Standards: clear management lines (Governing) • Defined & documented processes: training (Process) • A good security attitude (Culture) • Ability to react (Emergence) • Automated security (Architecture) • Therefore: • GOOD, positive Human Factors will enhance security through awareness & understanding • POOR Human Factor management will lead to security weaknesses through misunderstanding & attitude problems

  45. Using BMIS to address the issues

  46. BMIS • Works from the Business level • Identifies failures to meet the Business need for security by examining defined elements of the Business • Suggests points of compensating control . . . . ORGANIZATION ORGANIZATION PEOPLE PROCESS PROCESS TECHNOLOGY CULTURE GOVERNING GOVERNING ARCHITECTURE HUMAN FACTORS EMERGENCE TECHNOLOGY PEOPLE

  47. ImplementingFrameworks to populate BMIS

  48. ImplementingFrameworks to populate BMIS

  49. BMIS Diagnostics: Identifying Strengths and Weaknesses • Integrate security solutions with model and align to existing standards • Analyze strengths and weaknesses • An example is a weakness found in a technical solution where root cause may be an architectural flaw or policy issue. • BMIS can help structuring analysis of strengths and weaknesses.

  50. BMIS Diagnostics: Situational Analysis • First step in identifying strengths and weaknesses is thorough analysis of the situation based on fully populated and standardized BMIS • With systemic approach any element or DI is good starting point • For each element model should contain the minimum information added previously: • Existing policies, methods and controls • Existing detailed solutions, tools and procedures • Relevant parts of information security standards • Relevant parts of general IT standards

More Related