Well, ok, there are a number of useful best practice guidelines for information security management, e.g. ISO 27000 family, COBIT, ISMS, ITIL, which help communicate the processes and requirements to management, select controls, and measure success. So far, so good. However, these documents are so business-centric that IT security enforcement does not simply "fall out at the bottom".
But beware: What ultimately matters is not the documentation produced, but the actual enforcement across your information systems. Real-world attacks are obviously not thwarted with documents!
Today, mapping the requirements from the produced documents down to concrete IT enforcement (and bringing measurements back up) is typically done in a pretty ad-hoc way. The focus is primarily on what the management wants to (not) see, rather than in what matters.
Model-driven security (e.g. OpenPMF), tied into an overall security management methodology, can help close (parts of) this gap in a traceable, runtime, automatic way - therefore model-driven security should be a critical element of effective "business-driven compliance management".
No comments:
Post a Comment