ISACA Signs License Agreement With USC Marshall Institute to Develop a Definitive Information Security Model for Businesses

To help companies bridge the divide between information security and business objectives, ISACA has entered a license agreement with the University of Southern California’s Marshall School of Business to develop a business model for information security.

The model will be based on the Systemic Security Management framework developed by the Institute for Critical Information Infrastructure Protection (ICIIP), which was formed by the Marshall School of Business.

“The Systemic Security Management framework recognizes that security is not just a technology problem,” said Charles P. Meister, executive director of the ICIIP. “Traditionally, frameworks for looking at security have considered people (employees), process (controls that are in place to ensure security) and technology. This model is unique in that it adds the concepts of an organization’s design and strategy.”

ISACA, a nonprofit association that serves more than 86,000 IT security, assurance and governance professionals, will transform the theoretical model into a practical tool that can be used by information security practitioners to unify security initiatives with the business mission. Called the Business Model for Information Security Management, the model will apply internationally, across different cultures and regulatory environments, and will be suitable for all types of enterprises, including for-profit and nonprofit organizations and governmental bodies.

“We have high expectations for the agreement with the Marshall School of Business,” said Kent Anderson, member of ISACA’s Security Management Committee. “The Systemic Security Management model is a valuable approach to making the link between security activities and business priorities more transparent. ISACA looks forward to creating practical materials based on the model that will be useful to information security managers and information systems auditors around the world.”

ISACA will issue two deliverables based on the model in the next six months:
an executive guide and a practitioner guide to the business model for information security.

“The work we have accomplished thus far on the model will provide fertile ground for the additional research that lies ahead,” said Meister. “Partnering with ISACA will help the model have a profound impact on the global information security industry because of the association’s reach.”