{"title":"IT Security Management and Business Process Automation: Challenges, Approaches, and Rewards","authors":"Richard P. Tracy","doi":"10.1080/10658980601051706","DOIUrl":null,"url":null,"abstract":"A favorite idiom among security experts is, “Security isn’t a product, it’s a process.” If security is a process, then why not automate it? Today’s workflow and business process management (BPM) technologies are mature enough to support the automation of essential tasks that underlie risk compliance and assessment, vulnerability testing and management, patching, incident management and response, and other information technology security processes. More important, an enterprise platform for IT security process automation enables cybersecurity specialists to centrally orchestrate the interactions of personnel, their work, and various point products for information security—cutting across departments and functional areas to ensure a resilient, flexible security posture. The results: faster deployment and stronger enforcement of security policies; the ability to achieve sustained compliance with industry and government mandates for information security; comprehensive, error-free documentation of security procedures and policies; and more cost-effective attainment of the enterprise’s security goals. 
This article will review some of the basic issues that relate to information security process automation, including turning security policies into security requirements; challenges in enforcing security requirements; what’s involved in automating information security and compliance processes; and how a security process automation platform supports that effort.","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2007-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"22","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Systems Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1080/10658980601051706","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"Social Sciences","Score":null,"Total":0}
Citation count: 22
Abstract
A favorite idiom among security experts is, “Security isn’t a product, it’s a process.” If security is a process, then why not automate it? Today’s workflow and business process management (BPM) technologies are mature enough to support the automation of essential tasks that underlie risk compliance and assessment, vulnerability testing and management, patching, incident management and response, and other information technology security processes. More important, an enterprise platform for IT security process automation enables cybersecurity specialists to centrally orchestrate the interactions of personnel, their work, and various point products for information security—cutting across departments and functional areas to ensure a resilient, flexible security posture. The results: faster deployment and stronger enforcement of security policies; the ability to achieve sustained compliance with industry and government mandates for information security; comprehensive, error-free documentation of security procedures and policies; and more cost-effective attainment of the enterprise’s security goals. This article will review some of the basic issues that relate to information security process automation, including turning security policies into security requirements; challenges in enforcing security requirements; what’s involved in automating information security and compliance processes; and how a security process automation platform supports that effort.