Risk Management | Security Management
Risk management solutions presented by security services and product companies tend to focus either on the business aspects of security, through the development of an information security policy, or on the security infrastructure.
Policy development focuses on the technical and process controls defined within ISO/IEC 27002 and security infrastructure focuses on the products being used as countermeasures. Some products try to link Information Security policy development with the technical controls being deployed.
It is clear from the analysis of current information security losses that a security solution based on IT infrastructure hardware and software alone will not resolve the security issues. These security events point to the need for more than isolated security components and randomly placed processes and people.
These focus areas do not consider what the appropriate protection for the information assets and business processes should be. Information risk management (covering both security and business continuity) is about protecting information assets and business processes from loss of confidentiality, integrity and availability through people, process and technology, as part of a business application.
To enable an effective risk management framework, the acceptable level of risk needs to be understood and woven into the solutions, the business processes, services and products, applications and supporting components. These need to reflect and sustain the agreed risk appetite of the business as documented in the business risk policy. The security and business continuity controls within a business application tend not to be considered because the focus is placed on the infrastructure components. Additionally, where they are considered, they often do not balance the technology, process and people aspects of information risk management.
The security models proposed by solution providers reinforce this view by focusing on security solutions. Some standards organisations, such as the Open Group, are starting to describe business scenarios in order to specify the technical interfaces in security standards, but the products delivered by the solution providers still focus on the technical mechanisms. This paper proposes a generalised architecture framework which can be used to describe security to the business, IT and security communities. The framework links the business and its applications to the supporting IT infrastructure. It then uses this as a framework on which to overlay security models, describing how security can be practically delivered for an organisation.
