
Identifying the basic pillars of corporate operations

In document Óbudai Egyetem (Page 29-33)

Because PCUBE-SEC and BMIS (the ISACA Business Model for Information Security) prioritize the relations between corporate success, business goals and information security in opposite directions, as already mentioned, the building blocks of the two methodologies also differ. BMIS 2010 relies on four so-called elements: process, organization, people, and technology. In 2009, organization had been detailed as organization design and strategy [BMIS 2009, 2010].

The PCUBE-SEC pillars are: organization, regulation, and technics.

The COBIT resources are a kind of predecessor of the PCUBE-SEC pillars. It is interesting to notice how their list changed slightly at the main milestones of COBIT development.

The five 1998 COBIT "information technology resources", Data, Application systems, Technology, Facilities, and People, and their definitions remained the same until COBIT 2000.

In 2005 the COBIT 4 resources did not change much; they were: Applications, Information, Infrastructure, and People. The COBIT 4.1 IT resources are exactly the same, defined word for word in the same way as those of COBIT 4. Throughout these versions the resources are used in the description of the IT processes and of the control objectives that these processes are suggested to reach [COBIT 1998, COBIT 2000, COBIT 4.0 - 2005, COBIT 4.1 - 2007].

PCUBE-SEC uses its pillars in a somewhat different way. An operational activity is a mapping between two subsets of pillars: from the operational scope of the improving activity, that is, from the area where the activity "works", to the possibly, but not necessarily, different pillar from which the goal of the activity is taken. A goal can be reached through a series of activities. One of the kinds of help that PCUBE-SEC intends to give its user is precisely to find such a series of activities that can lead to a goal activity (that is, one that can contribute to achieving a given goal). The final goals can be of strategic level. In this way the series of activities can be considered as a series of improving activities that, hopefully, "leads" to this strategic goal. The activities of the series "step from pillar element to pillar element", improving corporate operations.

Even if the names of the BMIS elements are partially similar to those of the PCUBE-SEC pillars and to the resource names in COBIT, their meaning is different. According to BMIS, information security programs have to take into consideration the interactions, or rather the dynamic interconnections, of these elements, such as "governing" or "culture". The PCUBE-SEC operational pillars are used very differently. Their union is the domain of the PCUBE-SEC improving activities, and their range is a subset of this union. Thus the PCUBE-SEC pillars help to classify the improving activities according to two viewpoints: the type of pillar elements they improve (the domain viewpoint), and the type of effect of the activities, that is, the range.
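To make the domain/range mapping and the "series of activities" concrete, here is an added illustration that is not part of the dissertation: a small Python model with constructed pillar elements and improving activities, a classifier that labels each activity by the pillars of its domain and of its range, and a breadth-first search for a series of activities stepping from a starting pillar element to a strategic goal element. All element and activity names are constructed assumptions, not PCUBE-SEC vocabulary.

```python
from collections import deque

# Constructed sample: the three PCUBE-SEC pillars, each with a few elements.
PILLARS = {
    "organization": {"security_team", "change_board"},
    "regulation":   {"access_policy", "change_procedure"},
    "technics":     {"firewall_config", "patch_level"},
}

def pillar_of(element):
    """Return the pillar an element belongs to (KeyError if unknown)."""
    for pillar, members in PILLARS.items():
        if element in members:
            return pillar
    raise KeyError(element)

# An improving activity maps a domain subset of pillar elements (where it
# "works") to a range subset (where its goal is taken from). Constructed.
ACTIVITIES = {
    "form_change_board":      ({"security_team"},    {"change_board"}),
    "write_change_procedure": ({"change_board"},     {"change_procedure"}),
    "enforce_patching":       ({"change_procedure"}, {"patch_level"}),
    "harden_firewall":        ({"access_policy"},    {"firewall_config"}),
}

def classify(name):
    """Classify an activity by the pillars of its domain and of its range."""
    domain, rng = ACTIVITIES[name]
    return (frozenset(map(pillar_of, domain)), frozenset(map(pillar_of, rng)))

def activity_series(start, goal):
    """Breadth-first search over activities: the shortest series that steps
    from pillar element to pillar element, from `start` to the strategic
    `goal`. Returns the list of activity names, or None if no series exists."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        element, path = queue.popleft()
        if element == goal:
            return path
        for name, (domain, rng) in ACTIVITIES.items():
            if element in domain:
                for nxt in rng:
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append((nxt, path + [name]))
    return None
```

The search treats each activity as an edge from its domain elements to its range elements, so an unreachable goal (one no activity chain leads to) yields None.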

The history of the pillars is quite long now. In 2002, when I began developing a risk management methodology, I defined them to facilitate the partitioning of the IT security architecture [Szenes, 2002, risk]. Having realized that, used as classification aspects, they help in collecting information and thereby support establishing order concerning IT assets, I used them again in 2010 as the basic pillars of IT and IT security. They also facilitated the identification of the scope of responsibility and of problem domains.

This way it is easier to find to whom the responsibilities and tasks are to be assigned [Szenes, 2010, GRC]. Using the pillars, it turned out that they are extendable towards the whole scope of enterprise operations [Szenes, 2011, Hack.].

In Appendix I, I will show an example to illustrate PCUBE-SEC technics; among others, it will show the way of using the pillars for this identification and for collecting information.

Just as COBIT or BMIS "do" with their resources or elements, I will define the three operational pillars here through the set of their elements.

Let an organizational element be any of the following, or any combination of the following:

• the whole organizational structure

• any part of this structure

• their creation / modification.

Thus any combination of these parts belongs here, too.

Let a regulational element be any of the following, or any combination of the following:

• any prescription regulating the activities of the staff

• the tools available at the company for

  o producing,

  o maintaining and

  o processing the regulations.

Let a technical element be any of the following, or any combination of the following:

• any physical (concrete) element of the enterprise infrastructure (fixed assets and wasting assets alike)

• together with the technical realization of the conditions for using them.

The reason for the complexity of the second clause is that we want to exclude rulebooks from here, as they belong to the regulational pillar, but to include such technical conditions as, e.g., the actual or the adequate way of setting parameters.

It is not necessary to dwell upon defining what a sensible combination of organizational, regulational or technical elements is, as a non-sensible combination can very well be permitted; it just might not be worth the effort of working with it.

It should be noted that the notion of "distance", introduced as an optional feature for other PCUBE-SEC terms too, can be used here just as well. As always in this dissertation, it serves to show the "importance" of an operational pillar element. Importance is again evaluated in a subjective way, as a kind of distance from the enterprise strategy. It has no individual value; rather, the evaluators give two different values to two different elements, and the relation of these values shows which is the "more important" element. The example in one of the Appendices will show how the systems analyst works with this.

Just as the ISACA methodologies do, we define the pillars through enumerating their elements:

Organizational elements are:

the whole organizational structure and its parts, that is, the individual organizational units, together with the "building parts" of these units, that is, the roles that are assigned as duties to the employees working in the unit. Let us put the people themselves into this category, too.

PCUBE-SEC classifies these, and the structures composed from them, as organizational elements, but the assignments themselves, which are part of the job descriptions of the employees (of the people), belong to another pillar, the regulational one.

In addition, the regulational pillar includes, besides the procedural rulebooks themselves that regulate the activities of the staff, both the intended and the undesigned relations of these rulebooks to each other. This involves the facilities to search for given terms or rules, the hierarchy of the rulebooks themselves, if any, the contradictions embedded in them, and the structure of the whole system; all these belong to our regulational pillar.

Should the management be committed to ethical values, a code of ethics defining the principles of staff behaviour may also be available [Belak, 2011]. This set of requirements is also a regulational element.

Technics covers all physical, infrastructural property assets that are necessary to perform operational activities, together with the technical conditions that determine their use.

Examples of technical elements are the elements of the physical infrastructure, together with the buildings and other facilities and machines; in fact the elements of the inventory belong here, together with their descriptive technical features and the actual and best-practice technical way of using them.

A special subset of the technical elements is the IT architecture of the institution.

IT architectural infrastructure elements, or, shortly, IT infrastructural elements are:

the computers themselves, their software (operating systems, utilities), the application systems serving the business processes, the database management systems, the network communication devices, and the defense elements providing for the quality of the IT services.

This quality, together with that of the non-IT types of operations, will be characterized here by so-called excellence criteria, to be introduced later. Actually, every component of the IT infrastructure belongs here, even those that have some computer system embedded in them, like the ATMs of financial institutions or other kinds of customer-serving tools.

4. THE STRATEGY-DRIVEN OPERATIONAL RISK MANAGEMENT OF
