Thursday, January 13, 2011

A Business Model for Information Security

Since security began, there has been an inherent conflict between safety and freedom. The words of Benjamin Franklin have been quoted often during the recent controversy over airline security policies - "The man (sic) who gives up his freedom for his safety deserves neither."  For him the conflict was real, and the resolution simple.

In the world of information security, the conflict has been between security (or privacy) and efficient running of a business. Heavy security procedures can be a burden to efficient business processes. This has been the burden that IS auditors have had to carry; the reason why their recommendations often go unheeded year after year.

ISACA recognized this conundrum when it introduced its Business Model for Information Security, a set of comprehensive guidance described as "a series planned around the Business Model for Information Security. Based on the white paper “Systemic Security Management,” developed by the USC Marshall School of Business Institute for Critical Information Infrastructure Protection, this guide provides a starting point for discussion and future development. It defines the core concepts that will evolve into practical aids information security and business unit managers can use to align security program activities with organizational goals and priorities, effectively manage risk, and increase the value of information security program activities to the enterprise."

Serious thought needs to be given to the concepts in this guidance by all IS Security professionals. Blind adherence to the idea of safety for its own sake impinges unnecessarily on business efficiency, which is just not good enough.

Perhaps the TSA and Transport Canada could learn from these concepts as well.
