Home > Articles > Software Development & Management

  • Print
  • + Share This
From the author of

Integrated Management

Tying security threats to an organization's mission and business objectives illustrates a concept called integrated management. Integrating information security and business processes requires personnel to proactively consider tradeoffs among business and security issues when creating policy, striking a balance between business and security goals.

In fact, the results of an information-security risk evaluation illustrate how security issues and business drivers are linked. Consider the following statement of risk identified by the hospital's analysis team:

People external to the organization (attackers) could exploit technological weaknesses and interrupt access to PIDS [Patient Information Data System]. The hospital has become computer-dependent in order to function and is rendered virtually helpless without PIDS capability. Disruptions to PIDS could affect a provider's ability to treat a patient. Ultimately, this could affect the health of patients, result in lawsuits, and affect the reputation of the hospital.

The first part of the risk focuses on the security threat. In the above risk statement, the threat is

People external to the organization (attackers) could exploit technological weaknesses and interrupt access to PIDS.

The rest of the risk statement provides the link to the organization's business objectives. The following statement ties the above threat to the hospital's business objectives:

The hospital has become computer-dependent in order to function and is rendered virtually helpless without PIDS capability. Disruptions to PIDS could affect a provider's ability to treat a patient. Ultimately, this could affect the health of patients, result in lawsuits, and affect the reputation of the hospital.

Notice that a security threat in which an attacker exploits vulnerabilities to interrupt access to PIDS ultimately could

  • affect the life and health of patients

  • result in lawsuits against the hospital

  • affect the reputation of the hospital

Each security threat is tied to an organization's key business drivers, creating a statement of risk. A comprehensive information-security risk evaluation, like the OCTAVE approach, also discloses organizational and technological weaknesses. Those weaknesses are linked to risk statements, enabling an analysis team to analyze organizational and technological weaknesses in relation to the organization's highest-priority risks. This technique provides the basis for a security-improvement strategy. The OCTAVE approach enables an analysis team to chart a course for improvement by examining the organization's unique risks and current security practices in relation to its key business drivers.

  • + Share This
  • 🔖 Save To Your Account