Business Model for Information Security
BUSINESS MODEL FOR INFORMATION SECURITY
A business-oriented model conceived by the University of Southern California Marshall School of Business to address the complex challenges of protection. Developed by ISACA to provide a practical approach to information security management that is comprehensible and usable by business and security practitioners.
Enterprise Structure
Security Organization Structure
Application System Designs
Policy Standards Awareness Programs
ANATOMY OF A FRAUD
Rogue trader causes $7 billion loss - unauthorized transactions
WHAT YOU WILL LEAVE WITH
- An understanding of what the Business Model for Information Security is
- An understanding of what the components of an information security program are
- An appreciation of how these components interact and influence
- A better understanding of how to think about security, security problems, and the role of security in the enterprise
Anatomy of a Systemic Security Problem
COMPONENTS OF A SECURITY SYSTEM
Authentication, Authorization
- Monitoring
- Employee Procedures
- Account Management Procedures
- Departmental Procedures
- Audit Procedures
- Reporting Procedures
- Incident Response Procedures
BMIS Basics
A MODEL IS
- A representation of something
- A representative form, style or pattern
- A simplified representation or description of a system or complex entity, especially one designed to facilitate calculations and predictions
- A systematic description of an object or phenomenon that shares important characteristics
- A description of a complex entity or process
PROBLEM STATEMENT
Current models/frameworks for information security do not adequately represent what the components of an information security program are or how they function. This session will:
- Present a systemic view of information security.
- Describe how taking a holistic view of security more effectively addresses business risk, value, resource utilization and program effectiveness.
Security Organization Structure
Employee Procedures Account Procedures Department Procedures Audit Procedures Reporting Procedures Incident Response Procedures
THE TRUTH IS
- Technology will never be able to solve our information security problems
- Security awareness programs do not change behavior
- Point solutions only solve point problems
- More effort will not provide better results
- Quick solutions quickly come back as even more difficult problems
THE PROBLEMS WE FACE
- 56%: Regulatory environment has become more complex and burdensome
- 52%: Increased risk has elevated the role and importance of security
- 52%: Cost reduction efforts make adequate security more difficult to achieve
- 43%: Threats to the security of our information assets have increased
- 43%: Risks have increased due to weakened business partners
- 43%: Risks to data have increased due to employee layoffs
- 42%: Risks have increased due to weakened suppliers
WE NEED AN APPROACH THAT…
- Helps us to envision solutions to problems
- Communicates in business language
- Aligns information security and organization goals and strategies
- Makes the best use of available resources
- Focuses on business risk
- Contributes to value creation
INFORMATION SECURITY & GOVERNANCE
GOVERNANCE OF THE ENTERPRISE
Outcomes of Governance: Strategic Alignment, Resource Management, Risk Management, Performance Measurement, Value Delivery
Diagram labels: Culture, People, Technology, Operations, Structure, Architecture, Human Factors, Governing, Emergence, Enabling & Support
Holistic Approach
Emphasizing the importance of the whole and the interdependence of its parts
Systemic Thinking
Relating to or affecting the entire body or an entire organism
A SECURITY MODEL CAN TEACH US
- How to look at a problem: to determine causes rather than symptoms
- How to use resources for maximum impact: less often provides more
- How components interact and influence
- How to identify and use leverage points

Contributing factors in the fraud:
- Compromise of system accounts
- Lack of investigative follow-up
- Poor management supervision
- Spoofed activity
- Inadequate application controls
- Awareness used for malicious activities
- Misaligned corporate culture
YOU WILL BE ABLE TO
- Think differently about how we design, structure, implement and manage information security
- See the security program as a whole instead of as a collection of single components
- Look for leverage points where less effort can lead to better results
- Relate to security program customers in a different way
WHAT WENT WRONG?
Authentication Authorization Detection
Enterprise Structure
Source: PwC Information Security Global Survey 2010
IF ONLY...
- I had better tools
- Users understood security
- I had enough resources
- Security was a top priority
- We had stronger regulations
- People read and understood security policies
Application & System Designs
MAJOR SYSTEM FAILURE
Policy Standards Awareness Programs
Business Model for Information Security
AGENDA
- Setting the foundation
- BMIS Basics
- Anatomy of a Problem
- Designing Security as a System
Setting the foundation