A Comparison between Business Process Management and Information Security Management
Information security standards such as NIST SP 800-39 and ISO/IEC 27005:2011 are turning their scope towards business process security. And rightly so, as introducing an information security control into a business-processing environment is likely to affect business process flow, while redesigning a business process will most certainly have security implications. Hence, in this paper, we investigate the similarities and differences between Business Process Management (BPM) and Information Security Management (ISM), and explore the obstacles and opportunities for integrating the two concepts. We compare three levels of abstraction common to both approaches: top-level implementation strategies, organizational risk views and associated tasks, and domains. With some minor differences, the comparison shows that there is a strong similarity in the implementation strategies, organizational views and tasks of both methods. The domain comparison shows that ISM maps to the BPM domains; however, some of the BPM domains have only limited support in ISM.
- "The BPM methodology framework," http://www.bptrends.com, visited April 2014.
- van der Aalst W. M. P., "Business process management: A comprehensive survey," ISRN Software Engineering, vol. 2013, 2013. [Online]. Available: http://dx.doi.org/10.1155/2013/507984
- van der Aalst W. M. P., ter Hofstede A. H. M., and Weske M., "Business process management: A survey," in Business Process Management. Springer, 2003, pp. 1-12. [Online]. Available: http://dx.doi.org/10.1007/3-540-44895-0_1
- Aguilar-Saven R. S., "Business process modelling: Review and framework," International Journal of production economics, vol. 90, no. 2, pp. 129-149, 2004.
- Asnar Y. and Massacci F., "A method for security governance, risk, and compliance (GRC): A goal-process approach," in Foundations of Security Analysis and Design VI. Springer, 2011, pp. 152-184.
- Bier V., "Challenges to the acceptance of probabilistic risk analysis," Risk Analysis, vol. 19, no. 4, pp. 703-710, 1999. [Online]. Available: http://dx.doi.org/10.1023/A%3A1007093805693
- Burlton R., Business process management: profiting from process. Pearson Education, 2001.
- Caralli R. A., Allen J. H., and White D. W., CERT Resilience Management Model (CERT-RMM): A Maturity Model for Managing Operational Resilience. Addison-Wesley Professional, 2010.
- Damelio R., The basics of process mapping. Taylor & Francis US, 2011.
- Ekelhart A., Fenz S., and Neubauer T., "Aurum: A framework for information security risk management," in System Sciences, 2009. HICSS '09. 42nd Hawaii International Conference on, 2009, pp. 1-10.
- Gregory P. H., All in one - CISA - Certified Information Systems Auditor - Exam Guide. McGraw-Hill Companies, 2012.
- Harmon P. et al., Business process change: A guide for business managers and BPM and Six Sigma professionals. Morgan Kaufmann, 2010. [Online]. Available: http://dx.doi.org/10.1016/b978-012374152-3/50043-4
- Herrmann P. and Herrmann G., "Security requirement analysis of business processes," Electronic Commerce Research, vol. 6, no. 3-4, pp. 305-335, 2006. [Online]. Available: http://dx.doi.org/10.1007/s10660-006-8677-7
- Information technology - Security techniques - Information security management systems - Requirements, International Organization for Standardization Std., ISO/IEC 27001:2013. [Online]. Available: http://dx.doi.org/10.3403/30192065
- Information Technology, Security Techniques, Code of Practice for Information Security Management, International Organization for Standardization Std., ISO/IEC 27002:2013. [Online]. Available: http://dx.doi.org/10.3403/30186138
- Information technology, Security techniques, Information Security Risk Management, International Organization for Standardization Std., ISO/IEC 27005:2011.
- Information technology, Security techniques, Information security management systems, Overview and vocabulary, International Organization for Standardization Std., ISO/IEC 27000:2009. [Online]. Available: http://dx.doi.org/10.3403/30236519
- Jakoubi S. and Tjoa S., "A reference model for risk-aware business process management," in Risks and Security of Internet and Systems (CRiSIS), 2009 Fourth International Conference on. IEEE, 2009, pp. 82-89. [Online]. Available: http://dx.doi.org/10.1109/crisis.2009.5411973
- Jallow A., Majeed B., Vergidis K., Tiwari A., and Roy R., "Operational risk analysis in business processes," BT Technology Journal, vol. 25, no. 1, pp. 168-177, 2007. [Online]. Available: http://dx.doi.org/10.1007/s10550-007-0018-4
- Josey A., TOGAF Version 9: A Pocket Guide. Van Haren Pub, 2009.
- Ko R. K., "A computer scientist's introductory guide to business process management (BPM)," Crossroads, vol. 15, no. 4, p. 4, 2009. [Online]. Available: http://doi.acm.org/10.1145/1558897.1558901
- Ko R. K., Lee S. S., and Lee E. W., "Business process management (BPM) standards: A survey," Business Process Management Journal, vol. 15, no. 5, pp. 744-791, 2009. [Online]. Available: http://dx.doi.org/10.1108/14637150910987937
- Kokolakis S., Demopoulos A., and Kiountouzis E. A., "The use of business process modelling in information systems security analysis and design," Information Management & Computer Security, vol. 8, no. 3, pp. 107-116, 2000. [Online]. Available: http://dx.doi.org/10.1108/09685220010339192
- Kotulic A. G. and Clark J. G., "Why there aren't more information security research studies," Information & Management, vol. 41, no. 5, pp. 597-607, 2004. [Online]. Available: http://dx.doi.org/10.1016/j.im.2003.08.001
- Locke G. and Gallagher P., NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, National Institute of Standards and Technology, Tech. Rep., 2008.
- Mahal A., How Work Gets Done: Business Process Management, Basics and Beyond. Technics Publications, LLC, 2010.
- Milanovic N., Milic B., and Malek M., "Modeling business process availability," in Services-Part I, 2008. IEEE Congress on. IEEE, 2008, pp. 315-321. [Online]. Available: http://dx.doi.org/10.1109/services-1.2008.9
- Moen R. and Norman C., Evolution of the PDCA Cycle. Associates in Process Improvement, 2011.
- Ozkan S. and Karabacak B., "Collaborative risk method for information security management practices: A case context within turkey," International Journal of Information Management, vol. 30, no. 6, pp. 567-572, 2010. [Online]. Available: http://dx.doi.org/10.1016/j.ijinfomgt.2010.08.007
- Risk Management - Principles and Guidelines, International Organization for Standardization Std., ISO/IEC 31000:2009. [Online]. Available: http://dx.doi.org/10.3403/30246105
- Stoneburner G., Goguen A., and Feringa A., NIST SP 800-30, Risk Management Guide for Information Technology Systems, Special Publication, National Institute of Standards and Technology (NIST) Std., 2002.
- Taubenberger S. and Jürjens J., "IT security risk analysis based on business process models enhanced with security requirements," in Modeling Security Workshop, Toulouse, France, 2008.
- Teece D. J., "Capturing value from knowledge assets: The new economy, markets for know-how, and intangible assets," California Management Review, vol. 40, no. 3, 1998. [Online]. Available: http://dx.doi.org/10.2307/41165943
- Wangen G. and Snekkenes E., "A taxonomy of challenges in information security risk management," in Proceedings of the Norwegian Information Security Conference / Norsk informasjonssikkerhetskonferanse - NISK 2013 - Stavanger, vol. 2013. Akademika forlag, 2013.
- Wetzstein B., Ma Z., Filipowska A., Kaczmarek M., Bhiri S., Losada S., Lopez-Cob J. -M., and Cicurel L., "Semantic business process management: A lifecycle based requirements analysis." in SBPM, 2007.
- Wunder J., Halbardier A., and Waltermire D., Specification for Asset Identification 1.1. NIST - US Department of Commerce, National Institute of Standards and Technology, 2011.
- Zoet M., Welke R., Versendaal J., and Ravesteyn P., "Aligning risk management and compliance considerations with business process development," in E-Commerce and Web Technologies. Springer, 2009, pp. 157-168. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-03964-5_16