In cooperation with the Institute for Critical Information Infrastructure Protection at the University of Southern California, ISACA has developed a model that enterprises can use to tie together technical solutions, processes, people, and the organization into a coherent information security strategy.
“We wanted to look at the broader [information security] challenges of an enterprise and flesh out the model with policies and processes, so that it is not just an audit program. We wanted to leverage the framework with other frameworks inside and outside of ISACA and add tools and techniques for implementation,” said Mark Lobel, a principal at PricewaterhouseCoopers who worked on the ISACA model.
In a statement, ISACA said that the model can be used in enterprises of all sizes and is compatible with other information security frameworks already in place. The model is independent of any particular technology and is applicable across industries, countries, and regulatory and legal systems. It encompasses traditional information security and privacy, and provides links to risk, physical security, and compliance.
The model looks at the problem of information security “systemically, so systemic thinking is built into the approach,” Lobel told Infosecurity. “When you look at a problem, you can try to just solve that problem or you can look at a range of causes for that problem, look across the entire system, and try to find solutions that go to the root cause instead of addressing the problem symptom by symptom,” he explained.
Lobel provided an example of the systemic approach to information security.
“If, while doing an assessment, you find that databases don’t have administrative passwords on them, you can make a list of the databases and draft an action item to put passwords on those databases. If you think about it systemically, you say, ‘We don’t have an effective process for administering our databases; we have to go back and look at that entire process and make sure it is effective for all of our databases. So we are not just solving the data point, we are solving the entire system.’”
The ISACA model consists of four elements, or nodes – people, process, technology, and organization – and six “dynamic interconnections” – culture, architecture, governing, emergence, support, and human factors – that link the four elements. Company executives responsible for information security must factor in all of these elements and connections in order to put in place an effective information security program, Lobel said.
What is unique about the ISACA model is that technical solutions are tied into the broader enterprise objectives and strategy. “It’s important not just to have the people, process and technology, but the organizational piece [of the model] is a key factor as well… Security has to link to the business,” he said.
For example, the model provides tools to develop an information security culture within the enterprise. The model takes organizational behavior theory and sociological concepts and applies them to information security.
“Security professionals promote security awareness by passing out key chains, putting up posters, and holding a security awareness day once every six months in the cafeteria. Well, that’s nice. But how do we launch this forward toward something more meaningful, defining what the behaviors are that we want and what are the current behaviors? Are employees still using yellow stickies to remember their password, or are they still holding doors open for people they don’t know to have authorization inside their organization? What behaviors do we want? What should the culture look like? How do we measure the gaps? How do we create metrics to measure progress? Those are the questions the model prompts you to answer,” Lobel said.