Krag Brotby With thanks to Dr. Derek J. Oliver Ravenswood Consultants Ltd. A Business Model for Information Security Management (BMIS)
Page 1

A Business Model for Information Security Management (BMIS)

Krag Brotby
With thanks to Dr. Derek J. Oliver, Ravenswood Consultants Ltd.

Page 2

Session Goals

• Consider the business challenges that organizational leaders and security managers need to confront
• Evaluate traditional approaches to protection used to address these challenges
• Introduce systemic thinking as a better way of addressing the business needs for information protection
• Review the concepts contained within the Business Model for Information Security Management

Page 3

Models, frameworks, standards

• A model is a representation of something: a theoretical description of how a system works
• Should function as the foundation for all standards and frameworks used
• Helps define goals and translate strategy into concepts

Page 4

Models, frameworks, standards

• Frameworks provide structure: a skeleton to be ‘fleshed’ in
• Generally operational in nature
• Usually rely on subsidiary standards
• OCTAVE and Risk IT are risk frameworks; COBIT is an IT management framework

Page 5

Models, frameworks, standards

• A standard is an agreed, repeatable way of doing something (BSI)
• Or a basis for comparison, a reference point
• Or, in CISM, a standard sets the allowable functional boundaries of technologies, people and processes

Page 6

Information Security Program Models

An information security program model should:
• Provide a means for understanding how components of a program function
• Map to and integrate existing frameworks and stovepiped assurance functions
• Predict the end result that will be achieved when change is introduced
• Enhance communications among individuals and groups who provide or benefit from information security program activities

Do existing security approaches meet these criteria?

Page 7

Existing Models?

While there are many existing models for security, they have not looked at security in a holistic way.

The existing models have been successful in specifying rules, e.g. for access controls and integrity of data, but have not looked at security systemically.

There are many areas that contribute to an organization’s security posture, and all of them need to be considered in order to have a security program that can operate in a dynamic environment.

Page 8

Systemic Security Management Model

The “Systemic Security Management Model” was developed to address the complexity of “security”.

A business-oriented model that promotes a balance between “protection” and “business”. ISACA is developing this model as the Business Model for Information Security (BMIS).

Page 9

BMIS

The model is comprised of:

Elements
• Organization Design and Strategy
• People
• Process
• Technology

Dynamic Interconnections
• Culture
• Architecture
• Governing
• Emergence
• Enabling and Support
• Human Factors

Page 10

Origins and Intent of this Model

• Developed at the Marshall School of Business at the University of Southern California by Laree Kiely PhD and Terry Benzel
• Presents a high-level, business-focused model for information security management
• Built around a core set of principles whose intent is to ensure an optimal balance of protection while maintaining the ability to conduct business

Page 11

Why is a Model Required?

Most significant challenges confronting information security practitioners:
• Management commitment to information security
• Management understanding of information security issues
• Information security planning prior to implementation of new technologies or processes
• Integration with all other organizational elements
• Alignment with the organization’s objectives

Page 12

Specific Challenges

• Information protection problems are complex and involve multiple parties
• Many problems appear not to have been solved regardless of past actions taken
• Reactive, “cause and effect” linear thinking is not effective
• Continuous fire-fighting crisis mode results in little time for innovation
• Organization “silos” reduce opportunities for strategic solutions
• Over-reliance on technology to solve problems

Page 13

The Systems Approach

• The systemic approach is relational: relationships between participants, systems and processes are crucial
• Concentrates on the interaction among components of systems rather than on individuals
• Systems strive to preserve themselves; participants become habituated (“we’ve always done it this way”), adaptability suffers, and change is difficult

Page 14

The Systems Approach

“You really can’t understand completely any one piece without looking at an interaction from other elements or dynamic interconnections”

– Ron Hale, Director of Information Security Practices, ISACA

The old notion that the whole is greater than the sum of the parts

Page 15

“Systems Thinking” is . . .

• A conceptual framework; a body of knowledge and tools that are used to make full patterns clearer and help us see how to effectively manage change
• A discipline for seeing wholes and dynamic inter-relationships rather than static snapshots
• A discipline for seeing the structures that underlie complex situations and for discerning high- from low-leverage change
• A.K.A. the “Holistic” or “Whole Body” approach

Page 16

Holistic?

• The term is well known in medicine: taking a “whole body” approach
• Identify and treat the CAUSE, not simply the symptoms . . .
• Root cause analysis?

Page 17

Linear vs systems

Page 18

Problem Analysis

The traditional approach breaks down complex tasks into manageable bits BUT takes away our intrinsic connection to the larger whole, i.e. REDUCTIONISM.

Problem resolution can become an attempt to address obvious symptoms without identifying the underlying cause. This results in short-term benefit and long-term problems.

Page 19

Problem Analysis

• We must understand how our actions extend beyond the boundary of our position. Otherwise they result in consequences that appear to come from the outside when they return to bite us.
• If we just focus on events, the best we can do is predict an event before it happens. We can’t create an environment where the event won’t happen.
• “Either/Or” thinking is a point-in-time correction and does not provide lasting improvement.

Page 20

Understand the Whole Problem

Tendency is to push harder and harder on familiar solutions while the fundamental problem persists.

The easy or familiar solution may be addictive and dangerous.

Short term improvements can lead to long term dependency.

There is an optimal rate of growth which is not Fast, Fast, Fast. When growth becomes excessive the system will respond by slowing down.

Seeing interrelationships underlying a problem leads to new insight.

Page 21

Benefits of Systems Thinking

• Create a better understanding of the “big picture”
• Obtain the greatest benefit from innovation efforts
• Make innovation more strategically useful and beneficial
• See security as part of the big picture
• Understand the feedback relationship between what is studied and other parts of the system
• Envision different environments so that change becomes indispensable. Creative vision statements are essential to creating change.

Page 22

For example?

[Organization chart: Board of Directors; CEO; Critical Business Operational Function; Information Technology; Support Functions (Finance, HR, Security etc.); LAN Audit]

Page 23

Business Model for Information Security

BMIS was developed to address the complexity of security.

It is a business-oriented model that promotes a balance between protection and business.

Elements
• Organization Design and Strategy
• People
• Process
• Technology

Dynamic Interconnections
• Culture
• Architecture
• Governing
• Emergence
• Enabling and Support
• Human Factors

Page 24

Core Concept

The BMIS can be viewed as a three dimensional fluid model best visualized as a pyramid.

All aspects of the model interact with each other.

If any one part of the model is changed, not addressed, or managed inappropriately, it will distort the balance of the model.

Page 25

Organization Design & Strategy Element

• The organization is a network of people interacting with each other. It contains interactions between people and things. It drives culture, governance and architecture. Security as a component needs to map to the larger organization.
• Strategy specifies the goals and objectives to be achieved as well as the values and missions to be pursued. It is the organization’s formula for success and sets the basic direction.
• Design relates to the formal organization structure and reporting relationships.

[BMIS diagram: elements Organization, Process, Technology, People; dynamic interconnections Governing, Culture, Architecture, Human Factors, Emergence, Enabling & Support]

Page 26

Process Element

• Includes formal and informal mechanisms to get things done
• Provides the vital link to all of the dynamic interconnections
• Process is designed to identify, measure, manage and control risk, availability, integrity and confidentiality, and to ensure accountability

[BMIS diagram: elements Organization, Process, Technology, People; dynamic interconnections Governing, Culture, Architecture, Human Factors, Emergence, Enabling & Support]

Page 27

Technology Element

• Organization infrastructure: tools that make processes more efficient
• Used to accomplish an organization’s mission
• Part of an organization’s infrastructure
• Can be considered a band-aid for security issues
• Too often the only place security is addressed!
• NOT simply IT . . .

[BMIS diagram: elements Organization, Process, Technology, People; dynamic interconnections Governing, Culture, Architecture, Human Factors, Emergence, Enabling & Support]

Page 28

People Element

• Represents the human resources and the security issues that surround them
• A collective of human actors, including values and behaviors
• All whose efforts must be coordinated to accomplish the goals of the organization
• Not just units of “one”, since each individual comes with all their experiences and values

[BMIS diagram: elements Organization, Process, Technology, People; dynamic interconnections Governing, Culture, Architecture, Human Factors, Emergence, Enabling & Support]

Page 29

Using the BMIS

How the Model has developed since its Introduction

Page 30

The Systems Approach

If information security activity is centred in one “Element” or “Dynamic Interconnection” . . .
• What if one of the other elements or DIs is weak?
• Can we then rely on the quality of information?
• What are the real weaknesses?
• Where should we strengthen the overall ISMS? Directly in the Element or DI? With compensation in another area?

The BMIS aims to assist the practitioner to:
• Consider business areas where there may be a weakness
• Identify weaknesses and possible areas of control

Page 31

Skewing the Model

[Diagram, “Skewing the Model”: two BMIS pyramids labelled with the elements Organization Design/Strategy, People, Process, Technology and the dynamic interconnections Governing, Culture, Architecture, Human Factors, Emergence, Enabling & Support]

Page 32

Looking directly at the Dynamic Interconnections

Page 33

Governing?

• Policies & Procedures: published & circulated; understood & accepted; driven from “the top”; reviewed & reissued
• Covering information security: access to information; leavers & movers; DR & BCP
• Risk management: defined responsibilities; methodology
• Standards: manageable & enforceable; consistent; understood
• Alignment: corporate strategy, objectives, goals, mission
• Culture . . . ?

Page 34

Governing

Links “Organization” with “Process”. Thus the processes in the enterprise are linked to the organizational structure, strategic planning & business design.

Both elements will therefore depend upon the “will of the executive” and the effectiveness of their management.

Therefore:
• GOOD governing = strong processes & organizational structure for security, as well as strategic alignment
• POOR governing can represent a security weakness

Page 35

Architecture?

• Form, fit & function
• Alignment with business needs
• Key factors: space for improvement; reaction to change; effective & efficient; maintainable & usable
• Includes IT architecture, buildings & physical assets

[Diagram: site and technology architecture, covering offices, car park, main gate, delivery gate, warehouse, IT centre, LAN, WAN & web; hardware, operating systems, applications, firewalls, routers, hubs etc., environment; security systems, alarm systems, environment management, voice comms; security & alarms, environment & safety]

Culture

Page 36

Architecture

Links “Organization” with “Technology”. Thus the technology will reflect the needs of the organization structure, where the term includes every technical aspect, not simply IT:
• Buildings; environment; health & safety; physical access control
• Meeting the strategic & design requirements of the functional organization

Both elements will therefore depend upon the design and implementation of the architecture.

Therefore:
• GOOD architecture provides inbuilt security with automatic compensation for changes in Organization & Technology
• POOR architecture could lead to security weakness through a lack of physical security or “outdated” methods of logical security etc.

Page 37

Emergence?

• New: technology; business opportunities; physical locations; legislation/regulation; threats & risks
• Events that are: unexpected; unplanned; unpredicted; a ‘perfect storm’
• Affecting the business’: ability to react; ability to plan; security strengths; security weaknesses

Page 38

Emergence

Links “Process” with “People”. Thus People can affect Process, and the other way around, because:
• People and people-related issues affect process
• Processes, working methods, external demands etc. change

People can be affected by sudden and unexpected external and internal changes: new technologies, emerging threats & risks such as “global warming”.

Processes can be affected by new legislation & regulation as well as technical opportunities.

Therefore:
• GOOD, ADAPTIVE management can respond to emerging issues
• POOR “planning for the unexpected” can lead to serious security weaknesses AND CONSEQUENCES

Page 39

Enabling & Support?

• Reflects the way in which Processes and Technology support each other: when either changes, the other must change accordingly
• Enables the business to take advantage of new opportunities
• Maintains the relationship between the needs of the process and the application of technology
• Specific issues: quality of information; reliability; availability; confidentiality
• Security issues: managing access; business activities; data exchange; emergency reactions; change management

Page 40

Enabling & Support

Links “Process” with “Technology”. Thus Processes enable Technology which, in turn, supports the Processes. Also, Processes support the Technology by defining developing needs, and Technology enables Processes by meeting those needs.

Therefore:
• GOOD linkage manages the effective and efficient use of technology and provides the essential support for the business
• WEAK linkage can lead to security weaknesses such as inappropriate technology, e.g. where a process requires security and the technology is inadequate, or where there is a lack of alignment so that the technology slows down the process.

Page 41

Culture?

• Includes: national, religious, corporate and personal influences
• Can represent a security weakness: culture of “trust”; blame culture; risk-averse culture; devil-may-care, go-for-it culture
• Affects all other DIs and Elements
• A poor “security culture” is hard to address
• OCAI metrics

Page 42

Culture

Links “Organization” to “People”. Thus the culture affects the way security is organized and the way people react to it. Also, Culture affects and can be influenced by every other aspect of security. The potential weaknesses are immense:
• GOOD security culture may counterbalance weaknesses elsewhere, e.g. some countries have a “security aware” culture; some businesses have such obvious risks that security is implicit
• POOR security culture leads to weaknesses everywhere, so strong countermeasures are needed unless the culture can be changed, e.g. a corporate culture of ‘openness’ (or the CEO who likes trees!)
• Structure is indicative of culture: command and control vs flat

Page 43

Human Factors?

Includes:
• Human weaknesses: addiction to alcohol, drugs, gambling etc.; sickness
• Comprehension, awareness & understanding
• Strengths: skills, experience, training
• Application & compliance
• External influences: threats, coercion, blackmail, fear
• Management techniques: sheer bloody-mindedness!
• Privilege abuse: personal use of resources

Page 44

Human Factors

Links “People” and “Technology”. Thus the technology must reflect the potential for human weaknesses, and people must understand and make best use of the technology (remember, NOT simply IT!).

Human Factors may be addressed by:
• Policies, procedures & standards: clear management lines (Governing)
• Defined & documented processes: training (Process)
• A good security attitude (Culture)
• Ability to react (Emergence)
• Automated security (Architecture)

Therefore:
• GOOD, positive Human Factors will enhance security through awareness & understanding
• POOR Human Factor management will lead to security weaknesses through misunderstanding & attitude problems

Page 45

Using BMIS to address the issues

Page 46

BMIS

• Works from the business level
• Identifies failures to meet the business need for security by examining defined elements of the business
• Suggests points of compensating control . . .

[Diagram: two views of the BMIS pyramid, labelled with the elements Organization, People, Process, Technology and the dynamic interconnections Governing, Culture, Architecture, Emergence, Human Factors]

Page 47

Implementing Frameworks to populate BMIS

Page 48

Implementing Frameworks to populate BMIS

Page 49

BMIS Diagnostics: Identifying Strengths and Weaknesses

• Integrate security solutions with the model and align to existing standards
• Analyze strengths and weaknesses. An example is a weakness found in a technical solution where the root cause may be an architectural flaw or a policy issue.
• BMIS can help in structuring the analysis of strengths and weaknesses.

Page 50

BMIS Diagnostics: Situational Analysis

• The first step in identifying strengths and weaknesses is a thorough analysis of the situation, based on a fully populated and standardized BMIS
• With a systemic approach, any element or DI is a good starting point
• For each element the model should contain the minimum information added previously:
  • Existing policies, methods and controls
  • Existing detailed solutions, tools and procedures
  • Relevant parts of information security standards
  • Relevant parts of general IT standards

Page 51

BMIS Diagnostics:

• The simplest way this information may be represented is a tabular format
• Lists may be long but are easy to manage and update in subsequent cycles of BMIS activity

Page 52

BMIS Diagnostics:

Page 53

BMIS Diagnostics:

• The second step in analyzing the situation is to consider the tables in terms of each item. An example is the ISO 27001 requirement of having a security policy, which is likely to come up in several tables including:
  • Organization element
  • People element
  • Culture DI
• In many cases the same item (in this case, the policy) will receive a different rating depending on the viewpoint. E.g. the information security policy might be seen as a strength in the Organization element, but as a weakness in terms of the Culture DI.
• Similarly, employee security leaflets might be a strong point in the People element, but a weakness in the Organization element.

Page 54

BMIS Diagnostics:

These differences will become even more visible in technical solutions or detailed procedures. In working through the tables, the result might look like this:

Page 55

BMIS Diagnostics: Root-cause Analysis

• Once the situational analysis has been completed, strengths and weaknesses should be known for the complete set of elements and DIs
• To maintain strengths and address weaknesses, root causes need to be identified
• The real reasons for a security weakness may be hidden or located in another part of the organization
• The systemic approach in BMIS provides a step-by-step guide to finding out about the root causes

Page 56

BMIS Diagnostics:

For any given security weakness (or strength), the following steps will reveal the full picture:
• Is this a trivial weakness (e.g., the tool is dysfunctional or needs bug fixing)?
• Is the root cause within the element(s) where the weakness is located?
• Is the root cause within the DIs pointing to other elements?
• Is the root cause in other elements and indirectly connected to the weakness?
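To show how these questions turn the model's structure into a search order, the following is an added Python illustration of the situational-analysis table and the root-cause walk; it is not ISACA's or the presenters' code. It encodes the element/DI links stated on slides 34 to 44, holds a constructed situational-analysis table whose policy and leaflet rows mirror the slide 53 example (the remaining item names and ratings are invented sample data), and for a given weakness lists the viewpoints to examine in the order the steps prescribe, flagging those where the table already records a weakness.

```python
from collections import defaultdict

# The four BMIS elements and the six dynamic interconnections (DIs), each DI
# linking exactly two elements, as stated on slides 34 to 44 of the deck.
ELEMENTS = ("Organization", "People", "Process", "Technology")
DYNAMIC_INTERCONNECTIONS = {
    "Governing": ("Organization", "Process"),
    "Architecture": ("Organization", "Technology"),
    "Culture": ("Organization", "People"),
    "Emergence": ("Process", "People"),
    "Enabling & Support": ("Process", "Technology"),
    "Human Factors": ("People", "Technology"),
}

# Constructed situational-analysis table: (item, viewpoint, rating).  The
# policy and leaflet rows mirror the slide 53 example; the rest are invented.
SITUATION = [
    ("Information security policy", "Organization", "strength"),
    ("Information security policy", "People", "strength"),
    ("Information security policy", "Culture", "weakness"),
    ("Employee security leaflets", "People", "strength"),
    ("Employee security leaflets", "Organization", "weakness"),
    ("Access control tool", "Technology", "weakness"),
    ("Network segmentation design", "Architecture", "weakness"),
    ("Change management procedure", "Process", "strength"),
]


def dis_of(element):
    """DIs that point out of an element, in a stable (alphabetical) order."""
    return sorted(di for di, ends in DYNAMIC_INTERCONNECTIONS.items()
                  if element in ends)


def other_end(di, element):
    """The element at the far end of a DI."""
    a, b = DYNAMIC_INTERCONNECTIONS[di]
    return b if element == a else a


def conflicting_ratings(rows):
    """Items rated a strength from one viewpoint and a weakness from another,
    which slide 53 says to expect."""
    by_item = defaultdict(dict)
    for item, viewpoint, rating in rows:
        by_item[item][viewpoint] = rating
    return {item: views for item, views in by_item.items()
            if len(set(views.values())) > 1}


def root_cause_plan(viewpoint):
    """Search scope for a weakness located at `viewpoint`, in the order of the
    slide 56 questions: the location itself, then the DIs pointing to other
    elements, then the elements reached through those DIs.  (The first
    question, whether the weakness is trivial, is answered before searching.)"""
    if viewpoint in DYNAMIC_INTERCONNECTIONS:
        a, b = DYNAMIC_INTERCONNECTIONS[viewpoint]
        return [("DI", viewpoint), ("element", a), ("element", b)]
    plan = [("element", viewpoint)]
    plan += [("DI", di) for di in dis_of(viewpoint)]
    plan += [("element", other_end(di, viewpoint)) for di in dis_of(viewpoint)]
    return plan


def candidate_root_causes(rows, item):
    """Other weaknesses in the table that fall inside the search scope of
    `item`'s weakness, in the order they should be examined."""
    located = [v for it, v, r in rows if it == item and r == "weakness"]
    weak_elsewhere = {v for it, v, r in rows if it != item and r == "weakness"}
    found = []
    for viewpoint in located:
        for kind, name in root_cause_plan(viewpoint):
            if name in weak_elsewhere and (kind, name) not in found:
                found.append((kind, name))
    return found


if __name__ == "__main__":
    for item, views in conflicting_ratings(SITUATION).items():
        print(f"{item}: {views}")
    for step in candidate_root_causes(SITUATION, "Access control tool"):
        print("examine", *step)
```

Run as a script, the sample reproduces the slide 49 case: the weakness in the access control tool (Technology element) points first at the Architecture DI and then at the Organization element, i.e. an architectural flaw or a policy issue, while the Culture weakness is outside that scope and is not suggested.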

Page 57

BMIS Diagnostics: Simple sample

Page 58

BMIS Diagnostics: Simple sample

Page 59

BMIS Diagnostics: Complex sample

Page 60

Conclusion

ISACA has invested in an academic concept which we believe:
• Will become a standard model for the Systems Approach to managing information security for any business
  • Whatever the size or complexity
  • Whatever the nature of the organization (trading, government, associations or even individuals)
• Is being integrated with COBIT
• Enhances the practitioner and assists the integration of information security throughout the organization

Page 61

Truly International . . .

ISACA Security Management Committee: Jo Stewart-Rattray (Australia), Manuel Aceves (Mexico), Kent Anderson (USA), Emil D’Angelo (USA), Yves LeRoux (France), Mark Lobel (USA), Kyong-Hee Oh (Korea), Vernon Poole (UK), Rolf von Roessing (Germany)

ISACA BMIS Development Committee: Derek Oliver (UK), Jean-Luc Allard (Belgium), Elisabeth Antonsson (Sweden), Sanjay Bahl (India), Krag Brotby (USA), Christos Dimitriadis (Greece), Meenu Gupta (USA), Cristina Ledesma (Uruguay), Ghassan Youssef (UAE)

Assisted (driven) by: Ron Hale, Director of Information Security Practices, ISACA; Shannon Donahue, Security Practice Development Manager, ISACA

Page 62

International Information Systems Security Certification Consortium

Status?

Development includes:
• Mapping to CobiT: relevance in IT governance . . . corporate governance; a tool to help CobiT implementation
• Mapping to the ISO27k series: implementation of an ISMS
• Other mappings: SOX; ISF standards; other ISO standards? Other security organizations? Certifications?

Page 63

Questions?

Krag Brotby CISM, [email protected]
209 206 2469

Thank You & Goodbye!

