New ISACA business model for information security fills gap

Which is why ISACA has released ‘An Introduction to the Business Model for Information Security’, outlining the model and providing appropriate guidance. The guide is now available as a free download at www.isaca.org/security. “Information security managers spend too much of their time reacting and applying short-term, technology-focused fixes to rapidly changing threats and regulatory and technological environments,” says Jo Stewart-Rattray, chair of ISACA’s Security Management Committee. “These solutions are deficient because many security weaknesses result from poor governance, a dysfunctional culture or untrained staff – all aspects that ISACA’s Information Security Model addresses.” Stewart-Rattray says the model can be used for businesses of all sizes and with any other information security framework already in place. Me makes the point that it is technology independent and applicable across all industries, countries, and regulatory and legal systems. It also includes traditional information security, and privacy and linkages to risk, physical security and compliance. “This is ISACA’s first step in transforming the theoretical model into a practical tool that can be used by information security practitioners to unify security initiatives with the business mission,” says Kent Anderson, part of ISACA’s Security Management Committee. “The ISACA model is valuable guidance because it takes a strong business-oriented approach, focusing on people and processes rather than on technology.”