The Information Systems Audit and Control Association (ISACA), a leading non-profit organization for IT governance, has launched the Business Model for Information Security (BMIS), which aims to provide a complete guide to address the people, process, organization and technology aspects of information security.
Sanjay Bahl, CISO, Microsoft India, who is also a member of ISACA’s India Task Force, says, “Security professionals have been trying to comply with multiple standards, regulations and frameworks and have been missing an overarching model that would assist them in keeping information protected.” BMIS aims to bridge this gap by presenting a dynamic solution for designing, implementing and managing information security. “The Business Model for Information Security integrates frameworks and standards for information security, defining the boundaries of an information security program and how the program functions. Existing frameworks and standards do not adequately address organizational culture or human factors, or provide for the unexpected (as BMIS does through the concept of emergence),” explained Bahl, who also actively participated in developing the BMIS.
The Business Model for Information Security recognizes that it is a dynamic and complex world, and provides a holistic approach to manage information security issues, while directly addressing business objectives. The model also provides a common language for information security and business management to talk about information protection.
The model is made up of four elements (people, process, technology and a critical fourth element – organizational strategy and design) and six dynamic interconnections such as governing, culture, architecture, enabling and support, emergence, and human factors.“The BMIS fills various gaps existing today, such as the integration between business and information security, alignment of information security with the organization’s objectives, addressing culture, executive and line management ownership, and accountability for implementing, monitoring, and reporting on information security,” Bahl informed.
Business Model for Information Security will benefit a range of stakeholders by reducing costs, improving performance, fostering a better understanding of organizational risks, increasing collaboration and reducing duplication of effort. Citing the example of a Fortune-50 company that improved its sales by adopting BMIS, Bahl explained, “The sales division of the company was witnessing a significant decline and attributed it to increased competition and pricing pressures from customers. However, the security group believed that lack of proper security procedures was contributing to the decline.”
The security team listed loss of proprietary data by traveling sales personnel, vulnerable network security systems and procedures, and refusal by the sales force to adhere to corporate security guidelines and policies, as the key factors for the decline. A fundamental lack of alignment between the security function and the sales team was inhibiting the ability of the company to meet its sales and corporate goals. By adopting BMIS, the company experienced record sales, reversing several years of decline, and its stock price soared by more than 25 percent.
Diligent utilization of the model is expected to equip enterprises to deal with current and future issues such as regulatory requirements, globalization, growth and scalability, organizational synergies, evolving technology, economic markets, human resources, competition, ever-changing threats, and innovation.
BMIS can be used in enterprises of all sizes and is compatible with other information security frameworks. It is independent of any particular technology and is applicable across all industries, countries, and regulatory and legal systems.
A free introductory guide on BMIS is available to all as a free download at www.isaca.org/bmis.