Appendix B: Business Model of Information
BMIS (Figure B.1) is described by ISACA as follows:
1. Organization design and strategy: an organization is a network of people,
assets, and processes interacting with each other in defined roles and working
toward a common goal. An enterprise's strategy specifies its business goals
and the objectives to be achieved as well as the values and missions to be
pursued. It is the enterprise's formula for success and sets its basic direction.
The strategy should adapt to external and internal factors. Resources are the
primary material to design the strategy and can be of different types (people,
Design defines how the organization implements its strategy. Processes,
culture, and architecture are important in determining the design.
2. People: this encompasses the human resources and the security issues that
surround them. It defines who implements (through design) each part of the
strategy. It represents a human collective and must take into account values,
behaviors, and biases.
Internally, it is critical for the information security manager to work with
the human resources and legal departments to address issues, such as the
◾ Recruitment strategies (access, background checks, interviews, roles, and
◾ Employment issues (location of office, access to tools and data, training
and awareness, movement within the enterprise)
◾ Termination (reasons for leaving, timing of exit, roles and responsibilities,
access to systems, access to other employees)