BazEkon - The Main Library of the Cracow University of Economics

Author
Wangen Gaute (Gjovik University College, Norway), Snekkenes Einar Arthur (Gjovik University College, Norway)
Title
A Comparison between Business Process Management and Information Security Management
Source
Annals of Computer Science and Information Systems, 2014, vol. 2, pp. 901-910, figs., tabs., bibliography 37 items
Keyword
Information security, Business processes, Business Process Management (BPM)
Note
eng
Abstract
Information security standards such as NIST SP 800-39 and ISO/IEC 27005:2011 are turning their scope towards business process security. And rightly so, as introducing an information security control into a business-processing environment is likely to affect business process flow, while redesigning a business process will most certainly have security implications. Hence, in this paper, we investigate the similarities and differences between Business Process Management (BPM) and Information Security Management (ISM), and explore the obstacles and opportunities for integrating the two concepts. We compare three levels of abstraction common to both approaches: top-level implementation strategies, organizational risk views and associated tasks, and domains. With some minor differences, the comparison shows that there is a strong similarity in the implementation strategies, organizational views and tasks of both methods. The domain comparison shows that ISM maps to the BPM domains; however, some of the BPM domains have only limited support in ISM. (original abstract)
Bibliography
  1. "The BPM methodology framework," http://www.BPTrends.com, visited April 2014.
  2. Aalst W. M. van der , "Business process management: A comprehensive survey," ISRN Software Engineering, vol. 2013, 2013. [Online]. Available: http://dx.doi.org/10.1155/2013/507984
  3. Aalst W. M. Van Der, Ter Hofstede A. H., and Weske M., "Business process management: A survey," in Business process management. Springer, 2003, pp. 1-12. [Online]. Available: http://dx.doi.org/10.1007/3-540-44895-0_1
  4. Aguilar-Saven R. S., "Business process modelling: Review and framework," International Journal of production economics, vol. 90, no. 2, pp. 129-149, 2004.
  5. Asnar Y. and Massacci F., "A method for security governance, risk, and compliance (grc): a goal-process approach," in Foundations of security analysis and design VI. Springer, 2011, pp. 152-184.
  6. Bier V., "Challenges to the acceptance of probabilistic risk analysis," Risk Analysis, vol. 19, no. 4, pp. 703-710, 1999. [Online]. Available: http://dx.doi.org/10.1023/A%3A1007093805693
  7. Burlton R., Business process management: profiting from process. Pearson Education, 2001.
  8. Caralli R. A., Allen J. H., and White D. W., CERT Resilience Management Model (CERT-RMM): A Maturity Model for Managing Operational Resilience. Addison-Wesley Professional, 2010.
  9. Damelio R., The basics of process mapping. Taylor & Francis US, 2011.
  10. Ekelhart A., Fenz S., and Neubauer T., "Aurum: A framework for information security risk management," in System Sciences, 2009. HICSS '09. 42nd Hawaii International Conference on, 2009, pp. 1-10.
  11. Gregory P. H., All in one - CISA - Certified Information Systems Auditor - Exam Guide. McGraw-Hill Companies, 2012.
  12. Harmon P. et al., Business process change: A guide for business managers and BPM and Six Sigma professionals. Morgan Kaufmann, 2010. [Online]. Available: http://dx.doi.org/10.1016/b978-012374152-3/50043-4
  13. Herrmann P. and Herrmann G., "Security requirement analysis of business processes," Electronic Commerce Research, vol. 6, no. 3-4, pp. 305-335, 2006. [Online]. Available: http://dx.doi.org/10.1007/s10660-006-8677-7
  14. Information technology - Security techniques - Information security management systems - Requirements, International Organization for Standardization Norm, ISO/IEC 27001:2013. [Online]. Available: http://dx.doi.org/10.3403/30192065
  15. Information Technology, Security Techniques, Code of Practice for Information Security Management, International Organization for Standardization Std., ISO/IEC 27002:2013. [Online]. Available: http://dx.doi.org/10.3403/30186138
  16. Information technology, Security techniques, Information Security Risk Management, International Organization for Standardization Std., ISO/IEC 27005:2011.
  17. Information technology, Security techniques, ISMS, Overview and vocabulary, International Organization for Standardization Norm, ISO/IEC 27000:2009. [Online]. Available: http://dx.doi.org/10.3403/30236519
  18. Jakoubi S. and Tjoa S., "A reference model for risk-aware business process management," in Risks and Security of Internet and Systems (CRiSIS), 2009 Fourth International Conference on. IEEE, 2009, pp. 82-89. [Online]. Available: http://dx.doi.org/10.1109/crisis.2009.5411973
  19. Jallow A., Majeed B., Vergidis K., Tiwari A., and Roy R., "Operational risk analysis in business processes," BT Technology Journal, vol. 25, no. 1, pp. 168-177, 2007. [Online]. Available: http://dx.doi.org/10.1007/s10550-007-0018-4
  20. Josey A., TOGAF Version 9: A Pocket Guide. Van Haren Pub, 2009.
  21. Ko R. K., "A computer scientist's introductory guide to business process management (bpm)," Crossroads, vol. 15, no. 4, p. 4, 2009. [Online]. Available: http://doi.acm.org/10.1145/1558897.1558901
  22. Ko R. K., Lee S. S., and Lee E. W., "Business process management (bpm) standards: a survey," Business Process Management Journal, vol. 15, no. 5, pp. 744-791, 2009. [Online]. Available: http://dx.doi.org/10.1108/14637150910987937
  23. Kokolakis S., Demopoulos A., and Kiountouzis E. A., "The use of business process modelling in information systems security analysis and design," Information Management & Computer Security, vol. 8, no. 3, pp. 107-116, 2000. [Online]. Available: http://dx.doi.org/10.1108/09685220010339192
  24. Kotulic A. G. and Clark J. G., "Why there aren't more information security research studies," Information & Management, vol. 41, no. 5, pp. 597-607, 2004. [Online]. Available: http://dx.doi.org/10.1016/j.im.2003.08.001
  25. Locke G. and Gallagher P., "800-39 nist sp, managing information security risks - organization, mission, and information systems view," National Institute of Standards and Technology, Tech. Rep., 2008.
  26. Mahal A., How Work Gets Done: Business Process Management, Basics and Beyond. Technics Publications, LLC, 2010.
  27. Milanovic N., Milic B., and Malek M., "Modeling business process availability," in Services-Part I, 2008. IEEE Congress on. IEEE, 2008, pp. 315-321. [Online]. Available: http://dx.doi.org/10.1109/services-1.2008.9
  28. Moen R. and Norman C., Evolution of the PDCA Cycle. Associates in Process Improvement, 2011.
  29. Ozkan S. and Karabacak B., "Collaborative risk method for information security management practices: A case context within turkey," International Journal of Information Management, vol. 30, no. 6, pp. 567-572, 2010. [Online]. Available: http://dx.doi.org/10.1016/j.ijinfomgt.2010.08.007
  30. Risk Management - Principles and Guidelines, International Organization for Standardization Std., ISO/IEC 31000:2009. [Online]. Available: http://dx.doi.org/10.3403/30246105
  31. Stoneburner G., Goguen A., and Feringa A., NIST 800-30, Risk Management Guide for Information Technology Systems, Special publication, National Institute of Standards and Technology (NIST) Std., 2002.
  32. Taubenberger S. and Jürjens J., "It security risk analysis based on business process models enhanced with security requirements," in Modeling Security Workshop, Toulouse, France, 2008.
  33. Teece D. J., "Capturing value from knowledge assets: The new economy, markets for know-how, and intangible assets." California Management Review, vol. 40, no. 3, 1998. [Online]. Available: http://dx.doi.org/10.2307/41165943
  34. Wangen G. and Snekkenes E., "A taxonomy of challenges in information security risk management," in Proceeding of Norwegian Information Security Conference / Norsk informasjonssikkerhetskonferanse - NISK 2013 - Stavanger, vol. 2013. Akademika forlag, 2013.
  35. Wetzstein B., Ma Z., Filipowska A., Kaczmarek M., Bhiri S., Losada S., Lopez-Cob J. -M., and Cicurel L., "Semantic business process management: A lifecycle based requirements analysis." in SBPM, 2007.
  36. Wunder J., Halbardier A., and Waltermire D., Specification for Asset Identification 1.1. NIST - US Department of Commerce, National Institute of Standards and Technology, 2011.
  37. Zoet M., Welke R., Versendaal J., and Ravesteyn P., "Aligning risk management and compliance considerations with business process development," in E-Commerce and Web Technologies. Springer, 2009, pp. 157-168. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-03964-5_16
ISSN
2300-5963
Language
eng