BORIS - Business-Oriented Management of Information Security

This chapter addresses the needs of information security functions by providing a management tool that links business and information security objectives. In recent years, information security has fortunately become a top management topic, owing to the recognition that overall business success depends ever more on secure information and on secure information processing technologies and means. While the focus of information security management has primarily been on implementing solutions that assure the achievement of the enterprise's security objectives, and on managing those solutions, business-oriented management objectives were typically not regarded as a major concern. Today, information security management executives face a different situation: increasing pressure forces them to manage security measures not only through a security lens but also through a business lens. To handle this challenge, this chapter presents a framework that supports any information security function with a strong economic focus, specifically by linking business and information security objectives. The core of the presented methodology has proven to be reliable, user-friendly, consistent and precise under real conditions over several years.