PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Appendix B: Business Model of Information Security (BMIS)
BMIS (Figure B.1) is described by ISACA as follows:
1. Organization design and strategy: an organization is a network of people, assets, and processes interacting with each other in defined roles and working toward a common goal. An enterprise's strategy specifies its business goals and the objectives to be achieved as well as the values and missions to be pursued. It is the enterprise's formula for success and sets its basic direction. The strategy should adapt to external and internal factors. Resources are the primary material to design the strategy and can be of different types (people, equipment, know-how).

Design defines how the organization implements its strategy. Processes, culture, and architecture are important in determining the design.
2. People: this encompasses the human resources and the security issues that surround them. It defines who implements (through design) each part of the strategy. It represents a human collective and must take into account values, behaviors, and biases.

Internally, it is critical for the information security manager to work with the human resources and legal departments to address issues such as the following:

- Recruitment strategies (access, background checks, interviews, roles, and responsibilities)
- Employment issues (location of office, access to tools and data, training and awareness, movement within the enterprise)
- Termination (reasons for leaving, timing of exit, roles and responsibilities, access to systems, access to other employees)
Externally, customers, suppliers, media, stakeholders, and others can have a strong influence on the enterprise and need to be considered within the security posture.
3. Process: this includes formal and informal mechanisms (large and small, simple and complex) to get things done and provides a vital link to all of the dynamic interconnections. Processes identify, measure, manage, and control risk, availability, integrity, and confidentiality, and they also ensure accountability. They derive from the strategy and implement the operational part of the organizational element.

To be advantageous to the enterprise, processes must do the following:

- Meet business requirements and align with policy
- Consider emergence and be adaptable to changing requirements
- Be well documented and communicated to appropriate human resources
- Be reviewed periodically, once they are in place, to ensure efficiency and effectiveness
4. Technology: this is composed of all of the tools, applications, and infrastructure that make processes more efficient. As an evolving element that experiences frequent changes, it has its own dynamic risks. Given the typical
[Figure B.1 Business model for information security. Labels in the figure: the four elements Organization (design/strategy), People, Process, and Technology, and the six dynamic interconnections Culture, Governance, Architecture, Emergence, Enabling and support, and Human factors. (From ISACA, An Introduction to the Business Model for Information Security, 2009. With permission.)]