A Business Model for Information Security presented at AUScert 2009

by Derek Oliver

Summary: Business Model for Information Security
The University of Southern California's Marshall School of Business created an academic model for systemic security management. ISACA, the Information Systems Audit & Control Association, is developing this academic exercise into a fully commercial model showing the integration and interdependencies of every aspect of the business in managing the security of information.
This presentation, by the Chair of the ISACA committee charged with the development, will explain the initial concepts of the model, its relevance to organizations of every size and complexity, and how ISACA sees its continuing evolution into a globally recognized 'product'.
This tutorial will be of interest not only to information security professionals but to all who have a responsibility for, or interest in, maintaining the security of an organization's precious information. The Model takes the form of a flexible pyramid, linking key business elements, for example People, Technology and Processes, by Dynamic Interconnections such as Culture, Architecture, Governance and Emergence. It encourages a systemic, holistic approach to Information Security, holding that it is not a specific issue relating to "technology", as it is so often regarded, but has a multiplicity of dependencies throughout the organization. Information Security is, simply, only as good as the weakest link in all of the dynamic interconnections and business elements.
ISACA’s Committee for the Development of the Security Model, chaired by Dr. Derek J. Oliver of the UK’s Ravenswood Consultants Ltd. and comprising experienced and qualified security experts from all over the world, was set up in July, 2008 by the Association’s Security Management Committee, itself chaired by Jo Stewart-Rattray, Director of Information Security at RSM Bird Cameron in Adelaide.
ISACA has already prepared two initial documents: an Executive Guide and a Practitioner's Guide to the Model. Both are scheduled for publication in the first quarter of 2009 and will be free downloads to help the Model take its place in The Security Evolution. The committee is currently considering which individual concepts of the Model need to be further developed and taken forward into further, more detailed publications.
Today’s ISACA was founded in 1969 as the EDP Auditors Association. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field.
Today, ISACA’s membership, more than 75,000 strong worldwide, is characterized by its diversity. Members live and work in more than 160 countries and cover a variety of professional IT-related positions including Internal and External Audit and Information Security Management. Since its inception, ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide. Its research pinpoints professional issues challenging its constituents. Its Certified Information Systems Auditor (CISA) certification is recognized globally and has been earned by more than 60,000 professionals since inception. The Certified Information Security Manager (CISM) certification uniquely targets the information security management audience and has been earned by more than 9,000 professionals.
ISACA's 'flagship' product, Control Objectives for Information and Related Technology (CobiT), has become the most highly regarded framework for IT and Corporate Governance. The development of an integrated, systemic business model for information security is the latest, and possibly the most exciting, in a long line of successful research projects undertaken by ISACA and its associated Foundation, and promises to become the most recognized international approach to the holistic management of corporate information security.