For some time, organizations have been dependent on IT systems since they support business processes in several ways. The goals of these processes are the direct or indirect increase in value as well as value creation. The overall model resulting from the combination of internal and external processes is constructed in a highly complex network.
This fact is increasingly encountered with a federal strategy. Therefore, individual processes are developed and conducted in the context of local autonomy. The global interplay is restricted to the necessary communication, which is yet to be specified, among the organizations involved. As a result, the complexity is immediately reduced, since each organization only has to observe the boundaries to the next organization instead of paying attention to its individual internal processes. Federal enterprises share their interest in a common value creation network which grants extensive independency to its single members. The connected enterprises yet have to operate within a common range of defined standards, guidelines and, if necessary, of technical specifications – especially in order to ensure that safety requirements are observed.
The realization of information security has to be supported methodologically because of the complexity of the corresponding application landscape. This support is necessary not only in the development, but also in the operation of the application systems. Literature focuses on the perspective of development (process model, methods, etc.) rather than on the operation. Yet the operation includes a problem that is more common (example: in a bank, 70% of all expenditures can be assigned to the operation). The practical relevance of the problem is accordingly high, but the number of scientific contributions at the same time is extremely low.
Basically, information security management focuses on the process of sustained risk reduction in relation to different risks to the three main criteria of information security: confidentiality, availability and integrity. These criteria don’t change when certain processes extend to several enterprises. Also, the risks remain the same. On the other hand, this situation increases the risk significantly which again increases the necessity of the implementation of efficient measures for relevant IT-objects. So far there is no framework to address the growing necessity of IT Governance throughout several enterprises and especially the sustained support of a consistent information security management for federated business processes. The research project addresses this problem.