Free to copy, distribute. You must attribute the work in the manner specified by the author. You may not use this work for commercial purposes.
Marco Raposo 2011 http://pt.linkedin.com/in/marcoraposo
Business Model for Information Security
“The Learning Organization”
Marco Melo Raposo, Oct 2011
Security Challenges
Many times, the interaction between business and security is similar to a train wreck…
The BMIS model
The BMIS model
• Introduced by ISACA in January 2009
• Provides the frame and mindset to structure communications between senior management and security professionals
• Addresses the security program at the strategic level
• Is a model: it must be supported by additional standards and frameworks
Combining Model, Frameworks and Standards
• BMIS is a model: it must be supported by additional standards and frameworks
• Model: ‘A schematic description of a system, theory or phenomenon that accounts for its known or inferred properties and may be used for further study of its characteristics’
  • Needs to be flexible, and refined periodically
  • HLD
  • Flexibility to mutate: High
• Frameworks: provide structure, a skeletal system
  • Operational tool
  • Examples: COBIT, OCTAVE, ITIL, Risk IT
  • Flexibility to mutate: Medium
• Standards: provide guidelines, an agreed, repeatable way of doing something
  • Flexibility to mutate: Low
BMIS Overview
• Proactive, interconnected mode
• Holistic and dynamic
• Systemic
• Maximizes the efficiency of its elements
• Allows assets to create value
Elements
Organization
• Higher level, lower level
• Formal and informal
• High-priority strategic objectives
People
• Employees, contractors, vendors and service providers
• Own beliefs, values and behaviors
Process
• Instrumental tool
• Structured activities
• Maturity: can utilize formal or informal mechanisms
• Spans all aspects and areas of an organization
Technology
• "the practical application of knowledge"
• "a capability given by the practical application of knowledge"
Dynamic Interconnections (DIs)
Governance
‘Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved.’
Culture
Culture is a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things. People are the key to culture, and culture, in turn, creates a set of perceptions in people.
Architecture
The fundamental organization of a system, embodied in its components, their relationships to each other and the environment, and the principles governing its design and evolution. Affected directly or indirectly by changes imposed on any of the other components within the model.
…More DIs (Everything has beauty, but not everyone sees it)
Emergence
‘The arising of novel and coherent structures, patterns and properties during the process of self-organization in complex systems’ (positive or negative)
LEARNING
Human Factors
Enabling & Support
• High-level business objectives
• Detailed business requirements
• Enterprise architecture and process frameworks
• Cross-functional work group
… flexible and also represents the potential tension between the elements
The Importance of Systems Thinking
• The process of understanding how things influence one another within a whole
• "Problems" seen as parts of an overall system
• A set of habits or practices within a framework for understanding a component as part of the system
• Action-Feedback
Diagram labels: Personal Mastery, Mental Models, Shared Vision, Team Learning, Systems Thinking
Feedback on Systems Thinking
Diagram labels: Password, Policy, Enforcement, Vision, Objectives
“The Art and Practice of the Learning Organization”*
1) Today's problems come from yesterday's "solutions."
2) The harder you push, the harder the system pushes back.
3) Behavior grows better before it grows worse.
4) The easy way out usually leads back in.
5) The cure can be worse than the disease.
6) Faster is slower.
7) Cause and effect are not closely related in time and space.
8) Small changes can produce big results... but the areas of highest leverage are often the least obvious.
9) You can have your cake and eat it too, but not all at once.
10) Dividing an elephant in half does not produce two small elephants.
11) There is no blame.
* “The Fifth Discipline: The Art and Practice of the Learning Organization”, Peter Senge, 1990
Using BMIS
• Fully integrate the existing security program.
• Analyze and internalize the detailed security measures and solutions in place.
• Align current standards, regulations and frameworks to BMIS.
• Clearly identify strengths and weaknesses in existing security.
• Use the dynamic security system that BMIS introduces.
• Manage emergence within the organization to maximize security improvements.
Using BMIS
Internal attacks addressed in a step-by-step manner using the available factors of influence
Control Mapping to Elements or DIs
“Take-Aways”
• Security must interact with business to ensure an EVA
• BMIS is a model for matching business and IS
• Understand the systemic, dynamic approach
• Maximize system results by acting at key points
• Feedback and delay as system attributes
• Adjust security to system feedback
Discussion
M: +351 968779278