An Organisation Model | Security Management Framework
One example of how the security management framework can be used is to describe how a business organization operates.
This model can then be overlaid with security models to relate organization back to the perspective on security being examined.
It is important to understand how an organization operates to find the most appropriate way to manage the risk to the business and understand their key drivers to enable change to happen.

Figure 1 Business Organization Model
- A Distributed approach – which offers more individuality and competitive advantage by creating a structure more attuned to the specific marketplace in which the various Business Divisions participate. This model is often seen in a mergers and de-acquisition market or where there is outsourcing. The level of investment in particular areas, such as security, may vary, hence reducing the common level of trust amongst the Divisions.
- A Federated approach – which places all the common and shared business activities and responsibilities within a centralized group, and then allows separate business divisions some level of autonomy in the ownership of functions that allow them to be unique and competitive.
Also, the horizontal lines between the IT Division, Business Divisions and Group will move up or down depending on the type of organisation.
Larger organisations that are regulated are moving towards a federated approach, with more control being brought back into the central group of the organisation. This enables the organisation to gain more control over its business divisions and to meet its legal and regulatory obligations more easily.
With a federated approach, the central group sets the business direction. Each division defines how it will meet the group's business direction in terms of the business products and services provided to customers. The business divisions are then responsible for the definition and development of the applications that support the delivery of those products and services.
The IT Division at the bottom delivers the IT infrastructure and generic services used by applications. There is tension between the Business Divisions and the IT Division that can affect the type of model being operated and the effectiveness of the security being employed. The Business Divisions want to deliver applications as quickly as possible without the overhead of creating shared services. The Group wants the IT Division to reduce IT operational costs by creating a common infrastructure that can be shared between Business Divisions. The horizontal line between the IT Division and the Business Divisions will move up or down depending on this tension.