[ISM3 Users] Tuesday Insight - Blast from the Past - Business Modeling

[Vicente Aceituno]

****Business Modeling****originally posted May 7, 2007 9:07 am***
The way you model your business is a "hidden" step in any information
security management activity. Normally a business will be modeled as a
set of assets.

Using the following list business functions it is possible to model
the business:

1. Governance	Goals definition, steering the company with rules and instructions
2. Research	Creation of new knowledge
3. Advertising	Letting others know about your services and products
4. Business Intelligence	Knowledge maintenance and delivery
5. Human Resources	Finding, Selecting and Procuring, Promoting and Firing people
6. Information Technology	Finding, Filtering and Procuring Information
and Communications
6. Legal	Fullfil obligations, claim obligations from third parties
7. Relationships	Creating and maintaining Trust, Association and
Remembrance with customers, suppliers, etc
8. Administration	Paperwork
9. Financing / Accounting	Finding, Selecting and Procuring money
10. Infrastructure	Real state, air conditioning-heating, water supply,
energy supply, furniture, food supply, waste management, recycling
management, physical access control,  etc
11. Logistics	carry/deliver products or services
12. Maintenance	Prevent decay of infrastructure, tools, etc
13. Procurement	Finding, Compare, Cchoose, Select and Procure
information, tools, fungibles, supplies and assets.
14. Production	Produce products and services
15. Sales	Sell products or services

This modeling is more meaningful than using simple assets. If I list
500 assets and rate them in terms of IAC, I miss the business view,
and I don't have a business case for seucrity investment. If I find
out that the most important function of a business is (human resources
for example), and I use IAML to find out what is important for HR, I
will be prepared to protect the systems HR depends upon with a clear
business case for it.

My best

Vicente