Toward a target and coupling function of three different Information Security Management Systems
Author(s) - Boehmer Wolfgang
Publication year - 2012
Publication title - Concurrency and Computation: Practice and Experience
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.309
H-Index - 67
eISSN - 1532-0634
pISSN - 1532-0626
DOI - 10.1002/cpe.1873
Subject(s) - computer science, flexibility (engineering), controller (irrigation), systems management, management control system, risk analysis (engineering), computer security, management system, risk management information systems, structure of management information, management information systems, process management, information system, control (management), business, network management application, operations management, engineering, economics, computer network, management, electrical engineering, artificial intelligence, agronomy, biology, network architecture, network management station
SUMMARY The limits of traditional (static) policies are well known in many areas of computer science and information security and are extensively discussed in the literature. Although some flexibility has been achieved with the introduction of dynamic policies, these efforts have only addressed a fraction of the requirements necessary to secure today's enterprises. Currently, no feedback mechanisms are in place to evaluate the effectiveness or economic impacts of static or dynamic policy implementation. Here, we address the requirement for feedback and present a policy for the next generation. This is a policy that includes a dynamic feedback response to the effectiveness of changes. The structure of this new type of policy, called a ‘management system’, is borrowed from discrete event system theory and functions as a control loop. A management system consists of four elements (control system, sensor, controller, and actuator) that are involved in a control law. In this article, we also present an analytical description of the optimal structure through which the three management systems (Information Security Management System (ISMS), Business Continuity Management System, and IT Service Management) should be linked in a company. We define a coupling parameter and, using an equation for the discrete control loop, show that ISMS and IT Service Management should ideally be strongly coupled, and ISMS and Business Continuity Management System should be weakly coupled. Furthermore, two types of management system can be defined. A simple management system (1st order management system) responds to and regulates only perturbations. An advanced management system (2nd order management system) has an overarching target function that influences the controller. This target function is usually economically oriented. Copyright © 2011 John Wiley & Sons, Ltd.
