Date post: | 18-Dec-2015 |
Category: |
Documents |
Upload: | camilla-mccormick |
View: | 216 times |
Download: | 2 times |
Krag BrotbyWith thanks to
Dr. Derek J. OliverRavenswood Consultants Ltd.
A Business Model for Information Security Management (BMIS)
Session Goals
Consider the business challenges that organizational leaders and security managers need to confront
Evaluate traditional approaches to protection used to address these challenges
Introduce systemic thinking as a better way of addressing the business needs for information protection
Review the concepts contained within the Business Model for Information Security Management
Models, frameworks, standards
Model is a representation of something Theoretical description of how a system
worksShould function as foundation for all
standards and frameworks usedHelp define goals, translate strategy into
concepts
Models, frameworks, standards
Frameworks provide structureSkeleton to be ‘fleshed’ inGenerally operational in natureUsually rely on subsidiary standardsOCTAVE, Risk IT are risk frameworksCOBIT is IT management framework
Models, frameworks, standards
A standard is an agreed, repeatable way of doing something (BSI)Or basis for comparison, a reference
pointOr in CISM, a standard sets the
allowable functional boundaries of technologies, people and processes
Information Security Program Models
Provide a means for understanding how components of a program function
Map to and integrate existing frameworks and stovepiped assurance functions
Predict the end result that will be achieved when change is introduced
Enhance communications among individuals and groups who provide or benefit from information security program activities
An information security program model should:
Do existing security approaches meet this criteria?
Existing Models?
While there are many existing models for security they have not looked at security in an holistic way.
The existing models have been successful in specifying rules, e.g. for access controls and integrity of data, but have not looked at security systemically.
There are many areas that contribute to an organizations security posture and all of them need to be considered in order to have a security program that can operate in a dynamic environment.
Systemic Security Management Model
The “Systemic Security Management Model” was developed to address the complexity of “security”.
A business oriented model that promotes a balance between “protection” and “business”. ISACA is developing this Model as the Business Model for Information Security.(BMIS)
BMIS
Elements• Organization Design and Strategy• People• Process• Technology
Dynamic Interconnections• Culture• Architecture• Governing• Emergence• Enabling and Support• Human Factors
Model is comprised of:
Developed by the Marshall School of Business at the University of Southern California by Laree Kiely PhD and Terry Benzel
Presents a high level, business focused model, for information security management
Built around a core set of principles whose intent is to ensure an optimal balance of protection while maintaining the ability to conduct business
Origins and Intent of this Model
Why is a Model Required?
Most significant challenges confronting information security practitioners:
Management commitment to information security
Management understanding of information security
issues
Information security planning prior to implementation
of new technologies or processes
Integration with all other organizational elements
Alignment with the organization’s objectives
Specific Challenges Information protection problems are complex and
involve multiple parties Many problems appear not to have been solved
regardless of past actions taken Reactive, “Cause and effect” linear thinking is not
effective Continuous fire fighting crisis mode results in little
time for innovation Organization “silos” reduce opportunities for
strategic solutions Over-reliance on technology to solve problems
The Systems Approach
Systemic approach is relational. Relationships between participants, systems, processes are crucial
Concentrates on the interaction among components of systems rather than individuals
Systems strive to preserve themselves; participants become habituated – “we’ve always done it this way”Adaptability suffers, change is difficult
The Systems Approach
“You really can’t understand completely any one piece without looking at an interaction from other elements or dynamic interconnections”
– Ron Hale, Director of Information Security Practices, ISACA
The old notion of the whole is greater than the sum of the parts
“Systems Thinking” is . . . . . .
A conceptual framework; a body of knowledge and tools that are used to make full patterns clearer and help us see how to effectively manage change
A discipline for seeing wholes and dynamic inter-relationships rather than static snapshots
A discipline for seeing the structures that underlie complex situations and for discerning high from low leverage change
A.K.A.. “Holistic” or “Whole Body” Approach
Holistic?
The Term is well known in Medicine
Taking a “Whole Body” approach
Identify & treat the CAUSE not simply the Symptoms . . . . .
Root cause analysis?
Linear vs systems
Problem AnalysisTraditional approach breakS down complex
tasks into manageable bits BUT takes away our intrinsic connection to the larger whole – i.e. REDUCTIONISM
Problem resolution can become an attempt to address obvious symptoms without identifying the underlying cause. This results in short term benefit and long term problems.
Problem Analysis Must understand how our actions extend
beyond the boundary of our position. Results in consequences that appear to come from
the outside when they return to bite us.
If we just focus on events the best we can do is predict an event before it happens. Can’t create an environment where the event won’t
happen
“Either/Or” thinking is a point in time correction and does not provide lasting improvement.
Understand the Whole Problem
Tendency is to push harder and harder on familiar solutions while the fundamental problem persists.
The easy or familiar solution may be addictive and dangerous.
Short term improvements can lead to long term dependency.
There is an optimal rate of growth which is not Fast, Fast, Fast. When growth becomes excessive the system will respond by slowing down.
Seeing interrelationships underlying a problem leads to new insight.
Benefits of Systems Thinking Create a better understanding of the “big picture”
Obtain the greatest benefit from innovation efforts
Make innovation more strategically useful and beneficial
See security as part of the big picture
Understand the feedback relationship between what is studied and other parts of the system
Envision different environments so that change becomes indispensable. Creative Vision Statements are essential to creating change.
For example?
CEO
Board of Directors
CriticalBusiness
OperationalFunction
InformationTechnology
SupportFunctions
(Finance, HR,Security etc.)
CriticalBusiness
OperationalFunction
InformationTechnology
InformationTechnology
LANAudit
Business Model for Information Security
BMIS was developed to address the complexity of security.
It is a business oriented model that promotes a balance between protection and business.
Elements• Organization Design and Strategy• People• Process• Technology
Dynamic Interconnections• Culture• Architecture• Governing• Emergence• Enabling and Support• Human Factors
Core Concept
The BMIS can be viewed as a three dimensional fluid model best visualized as a pyramid.
All aspects of the model interact with each other.
If any one part of the model is changed, not addressed, or managed inappropriately, it will distort the balance of the model.
Governing
Organization Design & Strategy Element
Organization is a network of people interacting with each other. It contains interactions between people and things. It drives culture governance and architecture. Security as a component needs to map to the larger organization
Strategy specifies the goals and objectives to be achieved as well as the values and missions to be pursued. It is the organizations formula for success and sets the basic direction.
Design relates to the formal organization structure and reporting relationships
Organization
Process
TechnologyPeople
Culture Architecture
Human Factors
Emergence Enabling & Support
Governing
Process Element
Includes formal and informal mechanisms to get things done
Provides vital link to all of the dynamic interconnections
Process is designed to: identify, measure, manage, and
control• risk, • availability, • integrity and • confidentiality,
and to ensure accountability
Organization
Process
TechnologyPeople
Culture Architecture
Human Factors
Emergence Enabling & Support
Technology Element
Organization infrastructure Tools that make processes more efficient.
Used to accomplish an organizations mission
Part of an organizations infrastructure
Can be considered a band-aid for security issues
Too often the only place Security is addressed!
NOT simply IT . . . . . . .
Technology
Process
PeopleOrganization Culture
Architecture Human Factors
Emergence
Enabling & Support
Governing
Emergence
People Element
Represents the human resources and the security issues that surround them
Collective of human actors including values and behaviors
All whose efforts must be coordinated to accomplish the goals of the organization
Not just units of “one” since each individual comes with all their experiences, values
People
Process
Technology
Culture
Architecture
Human Factors
Enabling & Support
Governing
Organization
Using the BMIS
How the Model has developedsince its Introduction
The Systems Approach If Information Security activity is centred in one
“Element” or “Dynamic Interconnection” . . . What if one of the other elements or DI’s is weak? Can we then rely on the Quality of information? What are the real weaknesses? Where should we strengthen the overall ISMS?
• Directly in the Element or DI?• With compensation in another area?
The BMIS aims to assist the Practitioner to: Consider Business areas where there may be a
weakness Identify:
• Weaknesses• Possible areas of control
GO
VE
RN
ING
GO
VE
RN
ING
ENABLING & SUPPORTEMERGENCE
HUMAN FACTORS
ARCH
ITECTURECULT
URE
Skewing the Model
ORGANIZATIONDesign/Strategy
PEOPLE
PROCESS
TECHNOLOGYTECHNOLOGY
ORGANIZATIONDesign/Strategy
PEOPLE
PROCESS
Looking directly at the Dynamic Interconnections
Governing?
Policies & Procedures Published & Circulated
Understood & Accepted Driven from “The Top” Reviewed & Reissued
Covering Information Security
• Access to Information
Leavers & Movers• DR & BCP
Risk Management• Defined Responsibilities• Methodology
Standards Manageable &
Enforceable Consistent Understood
Alignment Corporate Strategy Objectives Goals Mission
Culture . . . . . . ?
Governing
Links “Organization” with “Process” Thus the Processes in the enterprise are linked to the
Organizational structure, Strategic Planning & Business design
Both Elements will therefore depend upon the “Will of the Executive” and the effectiveness of their management
Therefore:• GOOD Governing = strong Processes & Organizational
Structure for security as well as Strategic Alignment• POOR Governing can represent a security weakness
Architecture?
Form, Fit & Function Alignment with
Business Needs Key factors:
Space for improvement Reaction to Change Effective & Efficient Maintainable & Useable
Includes IT Architecture Buildings & Physical
Assets
OFFICES
CAR PARK
MAINGATE
DELIVERYGATE Warehouse
IT Centre
LAN
WAN & Web
HardwareOperating SystemsApplicationsFirewallsRouters, Hubs etcEnvironment
Security SystemsAlarm SystemsEnvironment Mgt.Voice Comm’s
Security & AlarmsEnvironment & Safety
Culture
Architecture
Links “Organization” with “Technology” Thus the Technology will reflect the needs of the
Organization Structure, where the term includes every Technical aspect not simply IT
• Buildings; Environment; Health & Safety; Physical Access Control• Meeting the Strategic & Design requirements of functional
organization
Both Elements will therefore depend upon the design and implementation of the Architecture
Therefore• GOOD Architecture provides inbuilt security with automatic
compensation for changes in Organization & Technology• POOR Architecture could lead to security weakness through a lack
of Physical security or “outdated” methods of Logical security etc
Emergence?
New: Technology Business Opportunities Physical locations Legislation/regulation Threats & Risks
Events that are: Unexpected Unplanned Unpredicted ‘Perfect storm’
Affecting the Business’ Ability to React Ability to Plan Security strengths Security weaknesses
Emergence
Links “Process” with “People” Thus People can affect Process and the other way
around because:• People and people-related issues affect process• Processes, working methods, external demands etc change
People can be affected by sudden and unexpected external and internal changes: new technologies, emerging threats & risks such as “Global Warming”
Processes can be affected by new legislation & regulation as well as technical opportunities
Therefore:• GOOD ADAPTIVE management can respond to emerging issues• POOR “planning for the unexpected” can lead to serious security
weaknesses AND CONSEQUENCES
Enabling & Support? Reflects the way in
which Processes and Technology support each other When either changes,
the other must change accordingly
Enables the business to take advantage of new opportunities
Maintains the relationship between the needs of the process and the application of Technology
Specific issues: Quality of Information Reliability Availability Confidentiality
Security Issues: Managing access Business activities Data exchange Emergency reactions Change management
Enabling & Support
Links “Process” with “Technology” Thus Processes enable Technology which, in turn,
supports the Processes Also, Processes support the Technology by defining
developing needs and Technology enable Processes by meeting those needs
Therefore:• GOOD linkage manages the effective and efficient use of
Technology and provides the essential support for the Business• WEAK linkage can lead to security weaknesses such as
inappropriate technology, e.g. where a process requires security & technology is inadequate or where there is a lack of alignment so that the technology slows down the process.
Culture?
Includes: National Religious Corporate and Personal influences
Can represent a security weakness: Culture of “Trust” Blame culture Risk adverse culture Devil may care go-for-it
Affect all other DI’s and Elements A poor “security
culture“ is hard to address
OCAI metrics
Culture
Links “Organization” to “People” Thus the culture affects the way security is organized
and the way people react to it Also, Culture affects and can be influenced by every
other aspect of Security The potential weaknesses are immense:
• GOOD security culture may counterbalance weaknesses elsewhere, e.g. some countries have “security aware” culture, some businesses have such obvious risks that security is implicit
• POOR security culture leads to weaknesses everywhere so strong countermeasures are needed unless the culture can be changed, e.g. a corporate culture of ‘openness’ (or the CEO who likes trees!)
• Structure indicative of culture – command and control vs flat
Human Factors?
Includes: Human weaknesses
• Addiction to Alcohol, Drugs, Gambling etc• Sickness
Comprehension, Awareness & Understanding Strengths
• Skills, experience, training
Application & Compliance External influences
• Threats, coercion, blackmail, fear
Management techniques• Sheer bloody-mindedness!
Privilege abuse• Personal use of resources
Human Factors
Links “People” and “Technology” Thus the Technology must reflect the potential for
Human weaknesses and People must understand and make best use of the technology (remember, NOT simply IT!)
Human Factors may be addressed by:• Policies, Procedures & Standards: clear management lines
(Governing)• Defined & documented processes: training (Process)• A good security attitude (Culture)• Ability to react (Emergence)• Automated security (Architecture)
Therefore:• GOOD, positive Human Factors will enhance security through
awareness & understanding• POOR Human Factor management will lead to security weaknesses
through misunderstanding & attitude problems
Using BMIS to address the issues
BMIS
Works from the Business level Identifies failures to meet the Business need for security
by examining defined elements of the Business Suggests points of compensating control . . . .
HUMAN FACTORS
CULTUREGOVERNINGPROCESSORGANIZATION PEOPLE
TECHNOLOGY
EMERGENCE
GOVERNINGARCHITECTURETECHNOLOGYORGANIZATION PROCESS
PEOPLE
ImplementingFrameworks to populate BMIS
Implementing Frameworks to populate BMIS
BMIS Diagnostics:
Identifying Strengths and Weaknesses
Integrate security solutions with model and align to existing standards
Analyze strengths and weaknesses An example is a weakness found in a technical solution
where root cause may be an architectural flaw or policy issue.
BMIS can help structuring analysis of strengths and weaknesses.
BMIS Diagnostics:
Situational Analysis First step in identifying strengths and weaknesses
is thorough analysis of the situation based on fully populated and standardized BMIS
With systemic approach any element or DI is good starting point
For each element model should contain the minimum information added previously:• Existing policies, methods and controls• Existing detailed solutions, tools and procedures• Relevant parts of information security standards• Relevant parts of general IT standards
BMIS Diagnostics:
The simplest way this information may be represented is a tabular format
Lists may be long but are easy to manage and update in subsequent cycles of BMIS activity.
BMIS Diagnostics:
BMIS Diagnostics:
Second step in analyzing situation is consider tables in terms of each item. An example is ISO 27001 requirement of having a security
policy, which is likely to come up in several tables including:• Organization element• People element• Culture DI
In many cases the same item—in this case, the policy—will receive a different rating, depending on the viewpoint E.g. information security policy might be seen as a strength in
the Organization element, but as a weakness in terms of the Culture DI.
Similarly, employee security leaflets might be a strong point in the People element, but a weakness in the Organization element.
BMIS Diagnostics:
These differences will become even more visible in technical solutions or detailed procedures. In working through the tables, the result might look like this:
BMIS Diagnostics:
Root-cause Analysis Once the situational analysis has been
completed, strengths and weaknesses should be known for the complete set of elements and DIs
To maintain strengths and address weaknesses root causes need to be identified.
The real reasons for a security weakness may be hidden or located in another part of the organization
The systemic approach in BMIS provides a step-by-step guide to finding out about the root causes
BMIS Diagnostics:
For any given security weakness (or strength), the following steps will reveal the full picture:• Is this a trivial weakness (e.g., the tool is dysfunctional or needs bug fixing)?• Is the root cause within the element(s) where the weakness is located?• Is the root cause within the DIs pointing to other elements?• Is the root cause in other elements and indirectly connected to the weakness?
BMIS Diagnostics:Simple sample
BMIS Diagnostics: Simple sample
BMIS Diagnostics: Complex sample
Conclusion
ISACA has invested in an academic concept which we believe: Will become a standard model for the Systems Approach
to managing Information Security for any Business• Whatever the size or complexity• Whatever the nature of the organization (Trading, Government,
Associations or even individuals)
Is being integrated with COBIT Enhances the Practitioner and assists the integration of
Information Security throughout the Organization
Truly International . . . . . .
ISACA Security Management Committee: Jo Stewart-Rattray (Australia) Manuel Aceves (Mexico) Kent Anderson (USA) Emil D’Angelo (USA) Yves LeRoux (France) Mark Lobel (USA) Kyong-Hee Oh (Korea) Vernon Poole (UK) Rolf von Roessing (Germany)
ISACA BMIS Development Committee Derek Oliver (UK) Jean-Luc Allard (Belgium) Elisabeth Antonsson (Sweden) Sanjay Bahl (India) Krag Brotby (USA) Christos Dimitriadis (Greece) Meenu Gupta (USA) Cristina Ledesma (Uruguay) Ghassan Youssef (UAE)
Assisted (Driven) by: Ron Hale, Director of Information Security Practices, ISACAShannon Donahue, Security Practice development manager, ISACA
International Information Systems Security Certification Consortium
Status?
Development includes: Mapping to CobiT
• Relevance in IT Governance . . . Corporate Governance• A tool to help CobiT implementation
Mapping to ISO27k series• Implementation of ISMS
Other Mappings• SOX• ISF Standards• Other ISO standards? Other Security Organizations?• Certifications?