ISACA launches Business Model For Information Security

Dhwani Pandya, Principal Correspondent

The Information Systems Audit and Control Association (ISACA), a leading non-profit organization for IT governance, has launched the Business Model for Information Security (BMIS), which aims to provide a complete guide to address the people, process, organization and technology aspects of information security.

Sanjay Bahl, CISO, Microsoft India, who is also a member of ISACA’s India Task Force, says, “Security professionals have been trying to comply with multiple standards, regulations and frameworks and have been missing an overarching model that would assist them in keeping information protected.” BMIS aims to bridge this gap by presenting a dynamic solution for designing, implementing and managing information security. “The Business Model for Information Security integrates frameworks and standards for information security, defining the boundaries of an information security program and how the program functions. Existing frameworks and standards do not adequately address organizational culture or human factors, or provide for the unexpected (as BMIS does through the concept of emergence),” explained Bahl, who also actively participated in developing the BMIS.

The Business Model for Information Security recognizes that it is a dynamic and complex world, and provides a holistic approach to managing information security issues while directly addressing business objectives. The model also provides a common language for information security and business management to talk about information protection.

The model is made up of four elements (people, process, technology and a critical fourth element, organizational strategy and design) and six dynamic interconnections: governing, culture, architecture, enabling and support, emergence, and human factors. “The BMIS fills various gaps existing today, such as the integration between business and information security, alignment of information security with the organization’s objectives, addressing culture, executive and line management ownership, and accountability for implementing, monitoring, and reporting on information security,” Bahl said.

Business Model for Information Security will benefit a range of stakeholders by reducing costs, improving performance, fostering a better understanding of organizational risks, increasing collaboration and reducing duplication of effort. Citing the example of a Fortune-50 company that improved its sales by adopting BMIS, Bahl explained, “The sales division of the company was witnessing a significant decline and attributed it to increased competition and pricing pressures from customers. However, the security group believed that lack of proper security procedures was contributing to the decline.”

The security team listed loss of proprietary data by traveling sales personnel, vulnerable network security systems and procedures, and refusal by the sales force to adhere to corporate security guidelines and policies as the key factors for the decline. A fundamental lack of alignment between the security function and the sales team was inhibiting the ability of the company to meet its sales and corporate goals. By adopting BMIS, the company experienced record sales, reversing several years of decline, and its stock price soared by more than 25 percent.

Diligent utilization of the model is expected to equip enterprises to deal with current and future issues such as regulatory requirements, globalization, growth and scalability, organizational synergies, evolving technology, economic markets, human resources, competition, ever-changing threats, and innovation.

BMIS can be used in enterprises of all sizes and is compatible with other information security frameworks. It is independent of any particular technology and is applicable across all industries, countries, and regulatory and legal systems.

An introductory guide on BMIS is available to all as a free download at www.isaca.org/bmis.