
IT Security Harmonisation


While looking for a standard metadata format and taxonomy to describe commercial software products and applications, I found a research report published by the Information Systems Audit and Control Association (ISACA). A brief excerpt from the sample of their research report, Information Security Harmonisation: Classification of Global Guidance, available on their home page, states:

The role of the information security manager has evolved over the past few years. It has shifted from a position that focussed essentially on IT to one where business acuity takes equal priority. [...] The purpose of this document is to provide Certified Information Security Manager (CISM) holders and all other information security managers with a road map to the more recognised and widely available information security guidance documents.

I was intrigued by their organization and description. I realized that there are many security standards available, but their report cites [s]eventeen internationally accepted security-focused guidance documents. No wonder there is a need for harmonisation of security guidance. Founded in 1969, the traditional ISACA focus has been on technology and security. This was much easier to do when centralized computer systems dominated the landscape. Business issues have shifted more into focus for their membership, as this excerpt states, but what this organization may not yet fully appreciate with regard to SAM practices are the complexities of the intellectual property issues, software licensing schemes and the distributed nature of PC hardware. While some aspects may be different, I am sure that SAM professionals would be wise to explore the principles honed by security organizations such as these and include them in their arsenal of tools.