A Business Model for Information Security Management (BMIS)

Krag Brotby

With thanks to Dr. Derek J. Oliver, Ravenswood Consultants Ltd.

Session Goals
  • Consider the business challenges that organizational leaders and security managers need to confront
  • Evaluate traditional approaches to protection used to address these challenges
  • Introduce systemic thinking as a better way of addressing the business needs for information protection
  • Review the concepts contained within the Business Model for Information Security Management
Models, frameworks, standards
  • A model is a representation of something
    • Theoretical description of how a system works
    • Should function as foundation for all standards and frameworks used
    • Help define goals, translate strategy into concepts
Models, frameworks, standards
  • Frameworks provide structure
    • Skeleton to be ‘fleshed’ in
    • Generally operational in nature
    • Usually rely on subsidiary standards
    • OCTAVE and Risk IT are risk frameworks
    • COBIT is an IT management framework
Models, frameworks, standards
  • A standard is an agreed, repeatable way of doing something (BSI)
    • Or basis for comparison, a reference point
    • Or in CISM, a standard sets the allowable functional boundaries of technologies, people and processes
Information Security Program Models

An information security program model should:

  • Provide a means for understanding how the components of a program function
  • Map to and integrate existing frameworks and stovepiped assurance functions
  • Predict the end result that will be achieved when change is introduced
  • Enhance communications among individuals and groups who provide or benefit from information security program activities

Do existing security approaches meet these criteria?

Existing Models?
  • While there are many existing models for security they have not looked at security in an holistic way.
  • The existing models have been successful in specifying rules, e.g. for access controls and integrity of data, but have not looked at security systemically.
  • There are many areas that contribute to an organization's security posture, and all of them need to be considered in order to have a security program that can operate in a dynamic environment.
Systemic Security Management Model

The “Systemic Security Management Model” was developed to address the complexity of “security”.

A business-oriented model that promotes a balance between “protection” and “business”. ISACA is developing this Model as the Business Model for Information Security (BMIS).

BMIS

The model is composed of:

  • Elements
    • Organization Design and Strategy
    • People
    • Process
    • Technology
  • Dynamic Interconnections
    • Culture
    • Architecture
    • Governing
    • Emergence
    • Enabling and Support
    • Human Factors
Origins and Intent of this Model
  • Developed by the Marshall School of Business at the University of Southern California by Laree Kiely PhD and Terry Benzel
  • Presents a high-level, business-focused model for information security management
  • Built around a core set of principles whose intent is to ensure an optimal balance of protection while maintaining the ability to conduct business
Why is a Model Required?

The most significant challenges confronting information security practitioners:

  • Management commitment to information security
  • Management understanding of information security issues
  • Information security planning prior to implementation of new technologies or processes
  • Integration with all other organizational elements
  • Alignment with the organization’s objectives
Specific Challenges
  • Information protection problems are complex and involve multiple parties
  • Many problems appear not to have been solved regardless of past actions taken
  • Reactive, “cause and effect” linear thinking is not effective
  • A continuous fire-fighting crisis mode leaves little time for innovation
  • Organization “silos” reduce opportunities for strategic solutions
  • Over-reliance on technology to solve problems
The Systems Approach
  • The systemic approach is relational: relationships between participants, systems and processes are crucial
  • Concentrates on the interaction among components of systems rather than individuals
  • Systems strive to preserve themselves; participants become habituated – “we’ve always done it this way”
    • Adaptability suffers, change is difficult
The Systems Approach

“You really can’t understand completely any one piece without looking at an interaction from other elements or dynamic interconnections”

Ron Hale, Director of Information Security Practices, ISACA

  • The old notion that the whole is greater than the sum of the parts
“Systems Thinking” is . . . . . .
  • A conceptual framework; a body of knowledge and tools that are used to make full patterns clearer and help us see how to effectively manage change
  • A discipline for seeing wholes and dynamic inter-relationships rather than static snapshots
  • A discipline for seeing the structures that underlie complex situations and for discerning high from low leverage change

A.K.A. the “Holistic” or “Whole Body” Approach

Holistic?
  • The Term is well known in Medicine
    • Taking a “Whole Body” approach
    • Identify & treat the CAUSE not simply the Symptoms . . . . .
    • Root cause analysis?
Problem Analysis
  • The traditional approach breaks complex tasks down into manageable bits BUT takes away our intrinsic connection to the larger whole, i.e. REDUCTIONISM
  • Problem resolution can become an attempt to address obvious symptoms without identifying the underlying cause. This results in short term benefit and long term problems.
Problem Analysis
  • Must understand how our actions extend beyond the boundary of our position.
    • Results in consequences that appear to come from the outside when they return to bite us.
  • If we just focus on events, the best we can do is predict an event before it happens.
    • Can’t create an environment where the event won’t happen
  • “Either/Or” thinking is a point in time correction and does not provide lasting improvement.
Understand the Whole Problem
  • Tendency is to push harder and harder on familiar solutions while the fundamental problem persists.
  • The easy or familiar solution may be addictive and dangerous.
  • Short term improvements can lead to long term dependency.
  • There is an optimal rate of growth which is not Fast, Fast, Fast. When growth becomes excessive the system will respond by slowing down.
  • Seeing interrelationships underlying a problem leads to new insight.
Benefits of Systems Thinking
  • Create a better understanding of the “big picture”
  • Obtain the greatest benefit from innovation efforts
  • Make innovation more strategically useful and beneficial
  • See security as part of the big picture
  • Understand the feedback relationship between what is studied and other parts of the system
  • Envision different environments so that change becomes indispensable. Creative Vision Statements are essential to creating change.
For example?

[Diagram: organization chart showing the Board of Directors, CEO, Audit, Critical Business Operational Functions, Information Technology, Support Functions (Finance, HR, Security etc.) and the LAN]
Business Model for Information Security

BMIS was developed to address the complexity of security.

It is a business-oriented model that promotes a balance between protection and business.

  • Elements
    • Organization Design and Strategy
    • People
    • Process
    • Technology
  • Dynamic Interconnections
    • Culture
    • Architecture
    • Governing
    • Emergence
    • Enabling and Support
    • Human Factors
Core Concept

The BMIS can be viewed as a three-dimensional, fluid model, best visualized as a pyramid.

All aspects of the model interact with each other.

If any one part of the model is changed, not addressed, or managed inappropriately, it will distort the balance of the model.

Organization Design & Strategy Element
  • The organization is a network of people interacting with each other. It contains interactions between people and things. It drives culture, governance and architecture. Security, as a component, needs to map to the larger organization
  • Strategy specifies the goals and objectives to be achieved as well as the values and missions to be pursued. It is the organization's formula for success and sets the basic direction.
  • Design relates to the formal organizational structure and reporting relationships

[Diagram: BMIS pyramid of the four elements and six dynamic interconnections]

Process Element
  • Includes formal and informal mechanisms to get things done
  • Provides vital link to all of the dynamic interconnections
  • Process is designed to:
    • identify, measure, manage and control risk, availability, integrity and confidentiality
    • ensure accountability

[Diagram: BMIS pyramid of the four elements and six dynamic interconnections]

Technology Element

[Diagram: BMIS pyramid of the four elements and six dynamic interconnections]

  • Organizational infrastructure: tools that make processes more efficient
  • Used to accomplish an organization's mission
  • Part of an organization's infrastructure
  • Can be considered a band-aid for security issues
  • Too often the only place security is addressed!
  • NOT simply IT . . . . . . .
People Element
  • Represents the human resources and the security issues that surround them
  • Collective of human actors including values and behaviors
  • All whose efforts must be coordinated to accomplish the goals of the organization
  • Not just units of “one”, since each individual comes with all their experiences and values

[Diagram: BMIS pyramid of the four elements and six dynamic interconnections]

The Systems Approach
  • If Information Security activity is centred in one “Element” or “Dynamic Interconnection” . . .
    • What if one of the other elements or DI’s is weak?
    • Can we then rely on the Quality of information?
    • What are the real weaknesses?
    • Where should we strengthen the overall ISMS?
      • Directly in the Element or DI?
      • With compensation in another area?
  • The BMIS aims to assist the Practitioner to:
    • Consider Business areas where there may be a weakness
    • Identify:
      • Weaknesses
      • Possible areas of control
Skewing the Model

[Diagram: the BMIS pyramid drawn skewed, with its elements and dynamic interconnections out of balance]

Governing?
  • Policies & Procedures
    • Published & Circulated
    • Understood & Accepted
    • Driven from “The Top”
    • Reviewed & Reissued
  • Covering
    • Information Security
      • Access to Information
      • Leavers & Movers
      • DR & BCP
    • Risk Management
      • Defined Responsibilities
      • Methodology
  • Standards
    • Manageable & Enforceable
    • Consistent
    • Understood
  • Alignment
    • Corporate Strategy
    • Objectives
    • Goals
    • Mission
  • Culture . . . . . . ?
Governing
  • Links “Organization” with “Process”
    • Thus the Processes in the enterprise are linked to the Organizational structure, Strategic Planning & Business design
    • Both Elements will therefore depend upon the “Will of the Executive” and the effectiveness of their management
    • Therefore:
      • GOOD Governing = strong Processes & Organizational Structure for security as well as Strategic Alignment
      • POOR Governing can represent a security weakness
Architecture?
  • Form, Fit & Function
    • Alignment with Business Needs
  • Key factors:
    • Space for improvement
    • Reaction to Change
    • Effective & Efficient
    • Maintainable & Useable
  • Includes
    • IT Architecture
    • Buildings & Physical Assets

[Diagram: site architecture showing the Main Gate, Delivery Gate, Car Park, Offices, Warehouse and IT Centre; Security Systems, Alarm Systems, Environment Management, Environment & Safety and Voice Comms; Hardware, Operating Systems, Applications, Firewalls, Routers/Hubs, LAN and WAN & Web]

Architecture
  • Links “Organization” with “Technology”
    • Thus the Technology will reflect the needs of the Organization Structure, where the term includes every Technical aspect not simply IT
      • Buildings; Environment; Health & Safety; Physical Access Control
      • Meeting the Strategic & Design requirements of functional organization
    • Both Elements will therefore depend upon the design and implementation of the Architecture
    • Therefore
      • GOOD Architecture provides inbuilt security with automatic compensation for changes in Organization & Technology
      • POOR Architecture could lead to security weakness through a lack of Physical security or “outdated” methods of Logical security etc
Emergence?
  • New:
    • Technology
    • Business Opportunities
    • Physical locations
    • Legislation/regulation
    • Threats & Risks
  • Events that are:
    • Unexpected
    • Unplanned
    • Unpredicted
    • ‘Perfect storm’
  • Affecting the Business’s:
    • Ability to React
    • Ability to Plan
    • Security strengths
    • Security weaknesses
Emergence
  • Links “Process” with “People”
    • Thus People can affect Process and the other way around because:
      • People and people-related issues affect process
      • Processes, working methods, external demands etc change
    • People can be affected by sudden and unexpected external and internal changes: new technologies, emerging threats & risks such as “Global Warming”
    • Processes can be affected by new legislation & regulation as well as technical opportunities
    • Therefore:
      • GOOD ADAPTIVE management can respond to emerging issues
      • POOR “planning for the unexpected” can lead to serious security weaknesses AND CONSEQUENCES
Enabling & Support?
  • Reflects the way in which Processes and Technology support each other
    • When either changes, the other must change accordingly
    • Enables the business to take advantage of new opportunities
    • Maintains the relationship between the needs of the process and the application of Technology
  • Specific issues:
    • Quality of Information
    • Reliability
    • Availability
    • Confidentiality
  • Security Issues:
    • Managing access
    • Business activities
    • Data exchange
    • Emergency reactions
    • Change management
Enabling & Support
  • Links “Process” with “Technology”
    • Thus Processes enable Technology which, in turn, supports the Processes
    • Also, Processes support the Technology by defining developing needs, and Technology enables Processes by meeting those needs
    • Therefore:
      • GOOD linkage manages the effective and efficient use of Technology and provides the essential support for the Business
      • WEAK linkage can lead to security weaknesses such as inappropriate technology, e.g. where a process requires security & technology is inadequate or where there is a lack of alignment so that the technology slows down the process.
Culture?
  • Includes:
    • National
    • Religious
    • Corporate and
    • Personal influences
  • Can represent a security weakness:
    • Culture of “Trust”
    • Blame culture
    • Risk-averse culture
    • Devil-may-care, go-for-it
  • Affects all other DIs and Elements
    • A poor “security culture“ is hard to address
    • OCAI metrics
Culture
  • Links “Organization” to “People”
    • Thus the culture affects the way security is organized and the way people react to it
    • Also, Culture affects and can be influenced by every other aspect of Security
    • The potential weaknesses are immense:
      • GOOD security culture may counterbalance weaknesses elsewhere, e.g. some countries have “security aware” culture, some businesses have such obvious risks that security is implicit
      • POOR security culture leads to weaknesses everywhere so strong countermeasures are needed unless the culture can be changed, e.g. a corporate culture of ‘openness’ (or the CEO who likes trees!)
      • Structure indicative of culture – command and control vs flat
Human Factors?
  • Includes:
    • Human weaknesses
      • Addiction to Alcohol, Drugs, Gambling etc
      • Sickness
    • Comprehension, Awareness & Understanding
    • Strengths
      • Skills, experience, training
    • Application & Compliance
    • External influences
      • Threats, coercion, blackmail, fear
    • Management techniques
      • Sheer bloody-mindedness!
    • Privilege abuse
      • Personal use of resources
Human Factors
  • Links “People” and “Technology”
    • Thus the Technology must reflect the potential for Human weaknesses and People must understand and make best use of the technology (remember, NOT simply IT!)
    • Human Factors may be addressed by:
      • Policies, Procedures & Standards: clear management lines (Governing)
      • Defined & documented processes: training (Process)
      • A good security attitude (Culture)
      • Ability to react (Emergence)
      • Automated security (Architecture)
    • Therefore:
      • GOOD, positive Human Factors will enhance security through awareness & understanding
      • POOR Human Factor management will lead to security weaknesses through misunderstanding & attitude problems
BMIS
  • Works from the Business level
    • Identifies failures to meet the Business need for security by examining defined elements of the Business
    • Suggests points of compensating control . . . .

[Diagram: BMIS pyramid of the four elements and six dynamic interconnections]

BMIS Diagnostics: Identifying Strengths and Weaknesses

  • Integrate security solutions with model and align to existing standards
  • Analyze strengths and weaknesses
    • An example is a weakness found in a technical solution where root cause may be an architectural flaw or policy issue.
  • BMIS can help structure the analysis of strengths and weaknesses.
BMIS Diagnostics: Situational Analysis

  • The first step in identifying strengths and weaknesses is a thorough analysis of the situation, based on a fully populated and standardized BMIS
  • With the systemic approach, any element or DI is a good starting point
  • For each element, the model should contain at least the information listed previously:
    • Existing policies, methods and controls
    • Existing detailed solutions, tools and procedures
    • Relevant parts of information security standards
    • Relevant parts of general IT standards

BMIS Diagnostics:
  • The simplest way this information may be represented is in a tabular format
  • Lists may be long but are easy to manage and update in subsequent cycles of BMIS activity.
BMIS Diagnostics:
  • The second step in analyzing the situation is to consider the tables in terms of each item.
    • An example is the ISO 27001 requirement of having a security policy, which is likely to come up in several tables, including:
      • Organization element
      • People element
      • Culture DI

  • In many cases the same item—in this case, the policy—will receive a different rating, depending on the viewpoint
    • E.g. information security policy might be seen as a strength in the Organization element, but as a weakness in terms of the Culture DI.
  • Similarly, employee security leaflets might be a strong point in the People element, but a weakness in the Organization element.
BMIS Diagnostics:
  • These differences will become even more visible in technical solutions or detailed procedures. In working through the tables, the result might look like this:
BMIS Diagnostics: Root-cause Analysis

  • Once the situational analysis has been completed, strengths and weaknesses should be known for the complete set of elements and DIs
  • To maintain strengths and address weaknesses, root causes need to be identified.
  • The real reasons for a security weakness may be hidden, or located in another part of the organization
  • The systemic approach in BMIS provides a step-by-step guide to finding the root causes
BMIS Diagnostics:
  • For any given security weakness (or strength), the following steps will reveal the full picture:
    • Is this a trivial weakness (e.g., the tool is dysfunctional or needs bug fixing)?
    • Is the root cause within the element(s) where the weakness is located?
    • Is the root cause within the DIs pointing to other elements?
    • Is the root cause in other elements and indirectly connected to the weakness?

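The situational-analysis tables and the four root-cause questions above, worked as a small Python model. This is an added example, not part of the ISACA slides: the element and DI names, and which two elements each DI links, are taken from the slides; the rated items (the ISO 27001 policy and the employee leaflets mirror the slides' examples, the log tool and change procedure are invented) and their S/W ratings are constructed sample data.

```python
# Added example (not from the ISACA/BMIS slides): a minimal model of the BMIS
# pyramid used to run the situational-analysis tables and the root-cause walk.

ELEMENTS = ("Organization", "People", "Process", "Technology")

# Each dynamic interconnection (DI) links exactly two elements, as in the slides.
DIS = {
    "Governing": ("Organization", "Process"),
    "Architecture": ("Organization", "Technology"),
    "Culture": ("Organization", "People"),
    "Emergence": ("Process", "People"),
    "Enabling & Support": ("Process", "Technology"),
    "Human Factors": ("People", "Technology"),
}

# Situational-analysis tables flattened to item -> {viewpoint: rating}, where a
# viewpoint is an element or a DI and the rating is "S" (strength) or "W"
# (weakness).  Constructed sample data; the first two items mirror the slides'
# own examples (policy: strength in Organization, weakness in the Culture DI).
TABLES = {
    "ISO 27001 security policy": {"Organization": "S", "People": "S", "Culture": "W"},
    "Employee security leaflets": {"People": "S", "Organization": "W"},
    "Log review tool (crashes)": {"Technology": "W"},
    "Change management procedure": {"Process": "W", "Enabling & Support": "W"},
}


def mixed_ratings(tables):
    """Items rated a strength from one viewpoint and a weakness from another."""
    return sorted(item for item, r in tables.items() if {"S", "W"} <= set(r.values()))


def dis_touching(element):
    """The DIs that point from `element` to the other three elements."""
    return {di: ends for di, ends in DIS.items() if element in ends}


def weak_items_at(tables, viewpoint):
    """Items already rated a weakness from the given element or DI viewpoint."""
    return sorted(item for item, r in tables.items() if r.get(viewpoint) == "W")


def root_cause_walk(tables, item, element, trivial=False):
    """Apply the four root-cause questions to a weakness of `item` seen in
    `element`.  Returns an ordered list of (step, location, other weak items
    there); a practitioner stops at the first step that explains the weakness."""
    if element not in ELEMENTS:
        raise ValueError(f"{element!r} is not a BMIS element")
    if tables[item].get(element) != "W":
        raise ValueError(f"{item!r} is not rated a weakness in {element}")
    if trivial:                       # step 1: a dysfunctional tool, just fix it
        return [(1, element, [item])]
    touching = sorted(dis_touching(element).items())
    # step 2: other weaknesses in the same element
    walk = [(2, element, [i for i in weak_items_at(tables, element) if i != item])]
    for di, _ in touching:            # step 3: the DIs pointing to other elements
        walk.append((3, di, weak_items_at(tables, di)))
    for _, ends in touching:          # step 4: elements at the far end of those DIs
        other = ends[0] if ends[1] == element else ends[1]
        walk.append((4, other, weak_items_at(tables, other)))
    return walk


def likely_root_causes(walk):
    """Locations on the walk that already carry other weaknesses, in step order."""
    return [(step, loc) for step, loc, weak in walk if weak]


if __name__ == "__main__":
    print("items rated differently by viewpoint:", mixed_ratings(TABLES))
    walk = root_cause_walk(TABLES, "Log review tool (crashes)", "Technology")
    for step, loc, weak in walk:
        print(f"step {step}: {loc:<20} other weaknesses: {weak}")
    print("look first at:", likely_root_causes(walk))
```

Run as a script, the walk for the crashing log tool points first at the Enabling & Support DI and then at the Organization and Process elements, which is where the constructed tables already hold other weaknesses.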
Conclusion
  • ISACA has invested in an academic concept which we believe:
    • Will become a standard model for the Systems Approach to managing Information Security for any Business
      • Whatever the size or complexity
      • Whatever the nature of the organization (Trading, Government, Associations or even individuals)
    • Is being integrated with COBIT
    • Enhances the Practitioner and assists the integration of Information Security throughout the Organization
Truly International . . . . . .
  • ISACA Security Management Committee:
    • Jo Stewart-Rattray (Australia)
    • Manuel Aceves (Mexico)
    • Kent Anderson (USA)
    • Emil D’Angelo (USA)
    • Yves LeRoux (France)
    • Mark Lobel (USA)
    • Kyong-Hee Oh (Korea)
    • Vernon Poole (UK)
    • Rolf von Roessing (Germany)
  • ISACA BMIS Development Committee
    • Derek Oliver (UK)
    • Jean-Luc Allard (Belgium)
    • Elisabeth Antonsson (Sweden)
    • Sanjay Bahl (India)
    • Krag Brotby (USA)
    • Christos Dimitriadis (Greece)
    • Meenu Gupta (USA)
    • Cristina Ledesma (Uruguay)
    • Ghassan Youssef (UAE)

Assisted (Driven) by:

Ron Hale, Director of Information Security Practices, ISACA

Shannon Donahue, Security Practice development manager, ISACA

Status?
  • Development includes:
    • Mapping to CobiT
      • Relevance in IT Governance . . . Corporate Governance
      • A tool to help CobiT implementation
    • Mapping to ISO27k series
      • Implementation of ISMS
    • Other Mappings
      • SOX
      • ISF Standards
      • Other ISO standards? Other Security Organizations?
      • Certifications?

International Information Systems Security Certification Consortium

Questions?

Thank You

& Goodbye!

Krag Brotby CISM CGEIT

NextStepInfosec.com

kragby@gmail.com

209 206 2469