Free to copy, distribute. You must attribute the work in the manner specified by the author. You may not use this work for commercial purposes.
Marco Raposo 2011 http://pt.linkedin.com/in/marcoraposo
Business Model for Information Security
“The Learning Organization”
Marco Melo Raposo, Oct 2011
Security Challenges
Many times, the interaction between business and security resembles a train wreck…
The BMIS model
The BMIS model
• Introduced by ISACA in January 2009
• Provides the frame and mindset to structure communication between senior management and security professionals
• Addresses the security program at the strategic level
• Is a model; it must be supported by additional standards and frameworks
Combining Model, Frameworks and Standards
• BMIS is a model; it must be supported by additional standards and frameworks
• Model: ‘A schematic description of a system, theory or phenomenon that accounts for its known or inferred properties and may be used for further study of its characteristics’
  • Needs to be flexible and refined periodically
  • HLD
  • Flexibility to mutate: High
• Frameworks: provide structure, a skeletal system
  • Operational tool
  • Examples: COBIT, OCTAVE, ITIL, Risk IT
  • Flexibility to mutate: Medium
• Standard: provides guidelines, an agreed, repeatable way of doing something
  • Flexibility to mutate: Low
BMIS Overview
• Proactive, interconnected mode
• Holistic and dynamic
• Systemic
• Maximizes the efficiency of its elements
• Allows assets to create value
Elements
Organization
• Higher level, lower level
• Formal and informal
• High-priority strategic objectives
People
• Employees, contractors, vendors and service providers
• Own beliefs, values and behaviors
Process
• Instrumental tool
• Structured activities
• Maturity: can utilize formal or informal mechanisms
• Span all aspects and areas of an organization
Technology
• "the practical application of knowledge"
• "a capability given by the practical application of knowledge"
Dynamic Interconnections (DIs)
Governance
‘Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved.’
Culture
Culture is a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things. People are the key to culture, and culture, in turn, creates a set of perceptions in people.
Architecture
The fundamental organization of a system, embodied in its components, their relationships to each other and the environment, and the principles governing its design and evolution. Affected directly or indirectly by changes imposed on any of the other components within the model.
…More DIs (Everything has beauty, but not everyone sees it)
Emergence
‘The arising of novel and coherent structures, patterns and properties during the process of self-organization in complex systems (positive or negative)’
LEARNING
Human Factors
Culture is a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things. People are the key to culture, and culture, in turn, creates a set of perceptions in people.
Enabling & Support
• High-level business objectives
• Detailed business requirements
• Enterprise architecture and process frameworks
• Cross-functional work group
… flexible and also represents the potential tension between the elements
The Importance of Systems Thinking
• Process of understanding how things influence one another within a whole
• "Problems" as parts of an overall system
• A set of habits or practices within a framework, understanding a component as part of the system
• Action-Feedback
(Diagram: the five disciplines, Personal Mastery, Mental Models, Shared Vision, Team Learning, Systems Thinking)
Feedback on System Thinking
(Diagram: feedback loop with labels Password Policy, Enforcement, Vision, Objectives)
“The Art and Practice of the Learning Organization”*
1) Today's problems come from yesterday's "solutions."
2) The harder you push, the harder the system pushes back.
3) Behavior grows better before it grows worse.
4) The easy way out usually leads back in.
5) The cure can be worse than the disease.
6) Faster is slower.
7) Cause and effect are not closely related in time and space.
8) Small changes can produce big results... but the areas of highest leverage are often the least obvious.
9) You can have your cake and eat it too, but not all at once.
10) Dividing an elephant in half does not produce two small elephants.
11) There is no blame.
* “The Fifth Discipline: The Art and Practice of the Learning Organization”, Peter Senge, 1990
Using BMIS
• Fully integrate the existing security program.
• Analyze and internalize the detailed security measures and solutions in place.
• Align current standards, regulations and frameworks to BMIS.
• Clearly identify strengths and weaknesses in existing security.
• Use the dynamic security system that BMIS introduces.
• Manage emergence within the organization to maximize security improvements.
Using BMIS
Internal attacks addressed in a step-by-step manner using the available factors of influence
Control Mapping to Elements or DIs
“Take-Aways”
• Security must interact with business to ensure an EVA
• BMIS is a model for matching business and IS
• Understand the systemic, dynamic approach
• Maximize system results by acting on key points
• Feedback and delay as system attributes
• Adjust security to system feedback