Abstract
In recent years, information security management has matured into a professional discipline that covers both technical and managerial aspects in an organisational environment. Information security is increasingly dependent on business-driven parameters and interfaces to a variety of organisational units and departments. In contrast, common security models and frameworks have remained largely technical. A review of extant models ranging from [LaBe73] to more recent models shows that technical aspects are covered in great detail, while the managerial aspects of security are often neglected. Likewise, the business view on organisational security is frequently at odds with the demands of information security personnel or information technology management. In practice, senior and executive level management remain comparatively distant from technical requirements. As a result, information security is generally regarded as a cost factor rather than a benefit to the organisation.
ISACA’s Business Model for Information Security (BMIS) has been developed to address the weaknesses in existing models. It addresses information security primarily from a management perspective, by placing it in the context of a functioning, profit-oriented organisation. The model further outlines approaches and key organisational factors influencing the success or failure of security. The paper presents the BMIS in its entirety, and reflects on the individual components and their significance for information security. It will be shown that the current framework for the BMIS can interface with existing models as well as common control frameworks and international standards. The paper will demonstrate that the complete integration of information security with business is an essential prerequisite to overcoming the technical restrictions and managerial disadvantages often experienced in the past. In relating some of the aspects of BMIS to typical incidents and security violations, the paper will conclude by presenting an outlook on practical BMIS use and addressing typical security risks by means of the BMIS.
Literature
American Institute of Certified Public Accountants (AICPA). Top Technologies Survey 2006.
American Institute of Certified Public Accountants (AICPA). Top Technologies Survey 2007.
American Institute of Certified Public Accountants (AICPA). Top Technologies Survey 2008.
Bell, D. E., L. J. LaPadula. Secure Computer Systems: Mathematical Foundations. MITRE Technical Report 2547, vol. I. [https://wiki.cac.washington.edu/download/attachments/10000785/Bell73.pdf]
Cavusoglu, H., B. Mishra, S. Ragunathan. The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers, in International Journal of Electronic Commerce, vol. 9 no. 1, 2004. 69-104.
Colley, J., J. L. Doyle, W. Stettinius, G. Logan. Corporate Governance, in The McGraw-Hill Executive MBA Series. New York: McGraw-Hill, 2003.
Fink, D. A Security Framework for Information Systems Outsourcing, in Information Management & Computer Security vol. 2 no. 4, 1994. 3-8.
Gonzalez, J. J., A. Sawicka. A Framework for Human Factors in Information Security. Proceedings of WSEAS 2002, Rio de Janeiro.
ISACA. An Introduction to the Business Model for Information Security. Rolling Meadows IL: ISACA, 2006.
ISACA. IT Control Objectives for Basel II. Rolling Meadows IL: ISACA, 2007.
ISACA. An Introduction to the Business Model for Information Security. Rolling Meadows IL: ISACA, 2009.
Kiely, L., T. Benzel. Systemic Security Management: A New Conceptual Framework for Understanding the Issues, Inviting Dialogue and Debate, and Identifying Future Research Needs. White Paper, Institute for Critical Information Infrastructure Protection (ICIIP), University of Southern California, 2006.
Pauchant, T., I. I. Mitroff. Transforming the Crisis-Prone Organization. San Francisco: Jossey-Bass, 1992.
Perrow, C. Normal Accidents. New York: Basic Books, 1984.
von Roessing, R. Quantified Risk and Business Impact: A Strategic Decision Support Model for Security and Business Continuity Management. Proceedings of ISSE 2003.
von Roessing, R. IT-Sicherheit und Basel II: Security als operationelles Risiko [IT Security and Basel II: Security as Operational Risk]. Proceedings of D-A-CH Security 2004.
von Roessing, R. Sicherheit und Krisenanfälligkeit - Erfolgsfaktoren und Warnindikatoren [Security and Crisis Proneness – Success Factors and Warning Indicators]. Proceedings of D-A-CH Security 2006.
von Roessing, R. Business Resilience – Wege aus der Krisenanfälligkeit [Business Resilience – Ways Out of Crisis Proneness]. Proceedings of D-A-CH Security 2009.
Schein, E. H. Organizational Culture and Leadership. 3rd ed, Wiley 2004.
von Solms, S. H. Information security governance – compliance management versus operational management, in Computers & Security vol. 24, 2005. 443-447.
von Solms, S. H., R. von Solms. From information security to… business security? in Computers & Security vol. 24, 2005. 271-273.
Turner, B. A. The Organizational and Interorganizational Development of Disasters. Administrative Science Quarterly, vol. 21, September 1976.
Turner, B. A. Man-Made Disasters. New York: Crane, Russak & Co., 1978.
© 2010 Vieweg+Teubner | GWV Fachverlage GmbH
von Roessing, R. (2010). The ISACA Business Model for Information Security: An Integrative and Innovative Approach. In: Pohlmann, N., Reimer, H., Schneider, W. (eds) ISSE 2009 Securing Electronic Business Processes. Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9363-5_4
DOI: https://doi.org/10.1007/978-3-8348-9363-5_4
Publisher Name: Vieweg+Teubner
Print ISBN: 978-3-8348-0958-2
Online ISBN: 978-3-8348-9363-5