Information security managers have struggled to create programs that are aligned with enterprise goals and priorities, that bring value to the enterprise, and that support management's ability to innovate while controlling risk. What is missing is a descriptive model that business unit managers and their counterparts in information security can use to discuss information security in business, rather than technical, terms.
In 2008, ISACA entered into a formal agreement with the University of Southern California (USA) Marshall School of Business Institute for Critical Information Infrastructure Protection to continue the development of its Systemic Security Management Model. The resulting Business Model for Information Security takes a business-oriented approach to managing information security. It uses systems thinking to clarify complex relationships within the enterprise and thereby to manage security more effectively.
The elements and dynamic interconnections that form the basis of the model establish the boundaries of an information security program and describe how the program functions and reacts to internal and external change. The Business Model for Information Security provides the context in which the frameworks and standards that enterprises currently use to structure information security program activities, such as Control Objectives for Information and related Technology (CobiT), come together. Brought together in this way, they form a holistic and dynamic approach to information security that is both predictive and proactive: it adapts to change, takes account of the organizational culture and delivers value to the business.