Uploaded byMargenePurnell14
DOCX, PDF28 views

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx

This document provides an overview of standards for information security risk management, highlighting challenges in implementing assessments and drivers for adopting standards. It analyzes frameworks including ISO 27001, ISO 27002, ISO 27005, ITIL, COBIT, Risk IT, Basel II, PCI DSS, and OCTAVE. While these frameworks provide guidance, there is no single best solution, and organizations face challenges selecting and properly implementing a framework given their unique needs and resources. The document concludes more research is needed to guide selection of the most appropriate framework.

Download to read offline
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 28 Addressing Information Security Risks by Adopting Standards Walid Al-Ahmad*‡, Bassil Mohammad** *Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait **Ernst & Young, Amman, Jordan ‡ P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected] Abstract- Modern society depends on information technology in nearly every facet of human activity including, finance, transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,
including information technology risks. Several standards, best practices, and frameworks have been created to help organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their efforts to properly manage information security risks when adopting international standards and frameworks. To assist in selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations is put forward with further research opportunities on the subject. Keywords- Information security; risk management; security frameworks; security standards; security management. 1. Introduction The use of technology is increasingly covering most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and
implemented with concentration on functionality, costs reduction and ease of use. Information security was not incorporated early enough into systems and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as systems vulnerabilities, and to limit their damaging impact on the information systems integrity, confidentiality, and availability. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attacking techniques and methods are virtually countless and are evolving tremendously [1, 2]. In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail in identifying the risks associated with the technology they use, the people they employ, or
the environment where they operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process. Because risks cannot be completely eliminated, they need to be reduced to acceptable levels. Acceptable risks are risks that the business decides to live with, given that proper assessment for these risks has been performed and the cost of treating these risks outweighs the benefits. To this effect, enterprises spend considerable resources in building proper information security INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
29 risk management programs that would eventually address the risks they are exposed to. These programs need to be established on solid foundations, which is the reason why enterprises look for standards and frameworks that are widely accepted and common across enterprises [4]. However, the fact that several standards and frameworks exist make it challenging for enterprises to select which one to adopt and the question: “which is the best?” warrants further investigation. The main objective of this paper is to provide an answer to this question, thereby assisting enterprises in developing proper understanding of the issue and establishing successful information security risk management programs. This paper provides an analysis of some
existing standards and frameworks for information security risks and consolidates various aspects of the topic. It also presents the challenges that frustrate information security risk management efforts along with how leading market standards and practices can be used to address information security risks with insights on their strengths and weaknesses. Please note that the scope of this paper is limited to the following frameworks: ISO 27001, ISO 27002, ISO 27005, ITIL, COBIT, Risk IT, Basel II, PCI DSS, and OCTAVE. These are the most commonly used frameworks in the market [5]. Other frameworks and methodologies like RMF (by NIST) and M_o_R (by GOC) can be considered in future work. It is also important to mention that this paper is not intended to promote a specific standard or framework; rather it treats
them equally. Conclusions drawn as a result of this work are based on our detailed analyses, research, literature review, and observations from our work experience and engagements with clients from various sectors in the field of information security. The remainder of this paper is organized as follows: section 2 highlights some related work; section 3 details some challenges that disturb information security risk assessments; section 4 provides an overview of the major drivers for standards adoption; section 5 provides detailed analyses and exploration for the standards and frameworks in scope; section 6 details with the strengths and weaknesses of these standards and frameworks when used as a means to address information security risks; section 7 captures the selection considerations to use; section 8 provides some recommendations along with the proposed
approach; section 9 presents a case study to illustrate the benefits of the proposed selection method; finally, section 10 puts forward some conclusions and future research opportunities in relation to our work. 2. Related Work The literature on information security risk management based on international standards is scarce. The literature lacks studies that guide organizations in selecting the standard that fits their needs. Some research works attempt to analyze existing information security risk management standards, mainly ISO 27001 [6]. However, these research works focus mainly on listing advantages and disadvantages of these standards and how to implement and manage them. No comprehensive studies have been done to
holistically compare various frameworks, with the objective of providing selection criteria for the best standard or proposing a better assessment approach. Some papers dealt with frameworks such as COBIT, ITIL, and ISO 17799, as means to manage compliance requirements [7]. Ref. [8] proposes a framework which considers global, national, organizational, and employee standards to guide information security management. Ref. [9] presents framework of information security standards conceptualization, interconnection and categorization to raise awareness among organizations about the available standards (mainly ISO series). As well as exploring existing frameworks used in IT risk management this paper presents the challenges facing organizations to successfully implement information security risk assessments
and the drivers for standards adoption. The main and novel contribution of our research work is the proposal of a practical approach to selecting an appropriate framework to address information security risks. 3. Challenges to Information Security Risk Assessments INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 30 Some of the common challenges to information security risk assessments are discussed briefly in this section. In fact, these challenges represent critical failure factors for an information risk management program.
1) Absence of senior management commitment & support: Management’s buy-in and support is a critical driver for the success of any IT project, including information security risk assessments. Absence of management commitment will result in wasting valuable resources and efforts, producing weak evaluations, and most importantly, will lead to ignoring the assessment findings [10]. 2) Absence of appropriate policies for information security risk management: It is crucial to have information security policies in place to reflect the enterprise objectives and management directions. Although some policies might be created, information security risk management policies tend to be dropped or forgotten. In a research conducted by GAO, the US Government Accountability Office, three out of
four detailed case studies showed that despite the fact that firms used to have some form of information security risk assessment approaches practiced for several years, the risk management and assessment policies and processes were not documented until recently [11]. The absence of this critical steering document will lead to unstructured risk assessment approaches and will openly allow unmanaged evaluations. 3) Disintegrated GRC efforts: The increasingly popular term GRC refers to three critical areas: Governance, Risk Management, and Compliance. According to COBIT 4.1, IT Governance is defined as “the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the
organization’s strategies and objectives” [12]. Risk management is a process through which management identifies, analyses, evaluates, treats, communicates, and monitors risks that might adversely affect realization of the organization's business objectives. Compliance is about making sure that external laws, regulations, mandates and internal policies are being complied with at a level consistent with corporate morality and risk tolerance. Governance, risk, and compliance should always be viewed as a continuum of interrelated functions, best approached in a comprehensive, integrated manner. The disintegration results in increased failure rates, waste of resources, and increased overall assurance cost. 4) Improper assessments management: Despite the importance of security risk assessments, they
are mostly not managed as projects and merely considered as part of IT normal operations. Considering security risk assessments as part of IT routine assignments will exclude these assessments from business review and consequently will result in a definite disconnect between management and their enterprise information security assessments. This exclusion will also increase the possibilities of executing over-budget assessments that will only cause additional efforts and resources to be wasted. 5) Assets ownership is either undefined or unpracticed: In ISO 27001 “the term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets.
[13]. This definition entails major responsibility granted to the person who is assigned the ownership which includes making sure that proper controls are actually implemented in order to protect the asset. Information security standards, best practices and mandates like ISO, COBIT, and ITIL require that information assets are identified, inventoried, and ownership is assigned. This is crucial for the success of any information security assessment. Most organizations fail to develop comprehensive information assets inventories and accordingly do not assign ownership [14]. 6) Limitations of existing automated solutions: Software solutions for information security risk assessment are developed to aid in the automation of this process and to make it more efficient. In a detailed comparison conducted by
“Risk Assessment Accelerator”, seven common solutions were compared with respect to more http://en.wikipedia.org/wiki/Risk_Management http://en.wikipedia.org/wiki/Compliance_(regulation) INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 31 than forty different areas [15]. Features like ease of use, multi-language and client-server architecture support were highlighted as existing limitations in four up to five of these solutions. Three out of the seven compared solutions provide limited customization capabilities for both built-in inventories (for risks, vulnerabilities and threats) and the generated dashboards. All these weaknesses and limitations degrade enterprises’ efforts to have
efficient and reliable information security risk assessment requirements documentation. 7) Existence of several IT risk assessment frameworks: The existence of many information security risk management and assessment frameworks add to the ambiguity and challenge of what is the best one to use. As a matter of fact, analyses of exiting risk assessment frameworks show that there is no one-size-fits- all solution to this issue as it is hard to develop a single precise document that will address the needs of all enterprises given their variant natures and requirements. 4. Drivers for Standards Adoption In order to address their information security risk management and assessment challenges, enterprises adopt internationally accepted
frameworks or best practices. Standards in general are meant to provide uniformity that would ease the understanding and management of concerned areas. Businesses find themselves in need to adopt standards for various reasons which vary from business requirements to regulators and compliance mandates. Establishment of proper corporate governance, increasing risk awareness and competing with other enterprises are some business drivers to mention. Some firms pursue certifications to meet market expectations and improve their marketing image. A major business driver for standards adoption is to fill in the gaps and lack of experience in certain areas where firms are not able to build or establish proprietary standards based on their staff competencies [16]. Providing confidence to trading partners, stakeholders, and customers, reducing liability due
to unimplemented or enforced policies and procedures, getting senior management ownership and involvement and establishing a mechanism for measuring the success of the security controls are some other key drivers for the adoption of standards. 5. Leading Market Best Practices Standards The conclusion section should emphasize the main contribution of the article to literature. Authors may also explain why the work is important, what are the novelties or possible applications and extensions. Do not replicate the abstract or sentences given in main text as the conclusion. In this section, an overview is presented of a number of the more important standards for information security risk management. For detailed
information about these standards, the reader is encouraged to consult the references provided for them. The list of standards presented is absolutely not complete, and as mentioned before a subset of the existing standards are treated in this paper. 5.1. ISO 27000 Set The ISO 27000 is a series of standards, owned by the International Standards Organization, focusing on information security matters. For the purposes of this work, ISO 27001, ISO 27002, and ISO 27005 will be explored to highlight their strengths and weaknesses in relation to current demands for effective and robust frameworks for information security risk assessments. ISO 27001: The ISO 27001 standard is the specification for an Information Security Management System (ISMS). The objective of the
standard is to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System within an organization [13]. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. It is seen as an internationally recognized structured methodology dedicated to information security management. INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 32 The standard introduces a cyclic model known as the “Plan-Do-Check-Act” (PDCA) model that aims to establish, implement, monitor and improve
the effectiveness of an organization’s ISMS. The PDCA cycle has these four phases: – establishing the ISMS – implementing and operating the ISMS – monitoring and reviewing the ISMS – maintaining and improving the ISMS Organizations that adopt ISO 27001 in their attempt to pursue an effective means for operational information security risk management overlook the fact that this standard was designed to be used mainly as an ISMS framework – at the high level, not operational level - founding proper bases for information security management. ISO 27001 document mentions valuable details on information security risk assessment – mainly in the statements 4.2.1.C thru 4.2.1.H that can be used as selection criteria for a proper information security risk assessment approach that builds upon
the controls list proposed by the standard. ISO 27002: ISO 27002 is a code of practice that provides suggested controls that an organization can adopt to address information security risks. It can be considered an implementation roadmap or extension to ISO 27001. As stated in the standard document, the code of practice is established to provide “guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization” [17]. The controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of “organizational security standards and effective security management practices, and to help build
confidence in inter-organizational activities” [18]. ISO 27002 as the Code of Practice is best suited to be used as a guidance and direct extension to ISO 27001. ISO 27002 is used by enterprises as the sole source of controls and a means for information security risk assessment, however, not all controls are mandated as firms’ structures and businesses vary. Controls selection must be done based on detailed and structured assessment to determine which specific controls are appropriate and which are not. This standard contains guidelines and best practices recommendations for these 10 security domains: Security Policy; Organization of Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information
Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; and Compliance. Among these 10 security domains, a total of 39 control objectives and hundreds of best-practice information security control measures are recommended for organizations to satisfy the control objectives and protect information assets against threats to confidentiality, integrity and availability. ISO 27005: ISO 27005 standard was proposed to fill in the gaps existing in ISO 27001 and ISO 27002 in terms of information security risk management. The standard builds up on the core that was introduced in ISO 27001 – reference statements 4.2.1.C thru 4.2.1.H – and elaborates by identifying inputs, actions, implementation
guidelines, and outputs for each and every statement. However, during our research we realized that the adoption of this standard as a means for information security risk management is minimal. This was evident in “The Open Group” efforts to support ISO 27005 adoption by releasing a free detailed technical document – called ISO/IEC 27005 Cookbook – that uses ISO 27005 as a cornerstone for a complete risk management methodology [18, 19]. ISO 27005 is not intended to be an information security risk assessment methodology [20]. The standard has six annexes that are all informative but considered of a major value extension to the standard. With proper customization, these annexes along with the ISO 27005 body can be used as the main assessment methodology for security risks.
5.2. IT Infrastructure Library (ITIL 3.0) INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 33 ITIL is one of the IT frameworks used as a best practice adopted to properly manage IT services. ITIL perceives any effort or action done by IT in support to the organization as a service that has value to customers or businesses. The ITIL library focuses on managing IT services and covers all aspects of IT service provisioning starting from service strategy, design, transition, operation, and implementation. It also highlights the continual monitoring and improvement aspect for each and every service.
ITIL does not introduce itself as a framework for information security risk management. However, as an IT governance framework, having it implemented in an enterprise will provide assurance and indication on the organization’s IT maturity. Addressing IT risks associated with incident, change, event, problem, and capacity management would definitely minimize related information security risks as well [21, 22]. The drivers for ITIL adoption in organizations were subject to analyses and study by several researches. A survey conducted by itSMF (IT Service Management Forum) showed that ITIL was adopted by different industry sectors [23] including education, government, and financial sectors amongst others. The ITIL status survey for 2009 [24] showed the increasing adoption of ITIL version 3.0 and elaborated on the major drivers
that are causing this adoption. This includes improving service quality, customer satisfaction and establishing IT stability and successful value delivery for business. ITIL modularity adds to its adoption popularity. Based on the enterprise current priorities, the firm can select to focus on service operations rather than service strategy which typically needs more time to mature. The implementation of ITIL can be implemented gradually in phases. 5.3. COBIT 4.1 & Risk IT Control Objectives for Information and related Technology (COBIT), developed and owned by the Information Systems Audit & Control Association (ISACA), is one of the most increasingly adopted information technology frameworks for IT Governance. COBIT focuses
on defining IT control objectives and developing the controls to meet them. It is made of 34 processes that manage and control information and the technology that supports it [12]. COBIT is adopted by enterprises from various industry sectors [25] which include IT consulting firms, education, financial institutions, government, healthcare, utilities and energy. To get closer understanding on how various enterprises perceive COBIT, thirty case studies were reviewed and analyzed. The case studies showed that COBIT was used to create the needed alignment between business and IT, create the IT Governance framework, improve IT processes and establish the IT risk management organization. Other enterprises used COBIT to meet their compliance needs and requirements. It was realized from the case studies that financial
institutions adopt COBIT for their internal IT audit efforts and risk assessments. They also used it to create IT policies and procedures. Other firms used COBIT as a means to standardize IT processes and increase their effectiveness and maturity level. COBIT was also used as a means to conduct audit. COBIT does not provide a methodology to conduct information security risk assessments but rather establishes the foundation for having a solid IT organization in the firm. ISACA recognized the importance and need for a comprehensive IT risk management framework and as a result developed the Risk IT framework. According to the Risk IT framework document “The Risk IT framework complements ISACA’s COBIT, which provides a comprehensive framework for the control and governance of business-driven IT-based solutions
and services. While COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk, Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risks [26]. Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues. It enables enterprises to understand and manage all significant IT risk types. Risk IT follows the process model used in COBIT and has three major domains: 1) Risk Governance which INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 34
focuses on the establishment and maintenance of common risk view, and making risk-aware business decisions; 2) Risk Evaluation which deals with data collection, risks analyses and maintaining risk profile; 3) The Risk Response component articulates risk, manages risk and reacts to all adverse events identified [26]. Given that Risk IT is still new, its adoption across enterprises is not yet realized, however, it is expected to take more attention and focus in the near future taking use of the wide acceptance and adoption of COBIT. 5.4. Other Frameworks In this section, we briefly discuss other standards and regulations for information security. Some industries, such as banking, are regulated,
and the guidelines or best practices put together as part of those regulations often become a de facto standard among members of these industries. Basel II: Basel II is the most commonly adopted directive across the financial institutions. The reason behind this is the fact that this directive has become a mandated regulation that all financial institutions need to comply with. Its core is about how much capital banks need to put aside to guard against the types of financial and operational risks banks face [27]. It focuses on operational risks as opposed to information security risks. According to Basel II, operational risk (Ops Risk) is any risk that results from failure in any of the following areas: system, process, human or external attack. This definition implies that Basel II has an IT dimension that needs to be properly managed. This area was subject for
detailed research and several publications tried to set clear controls and control objectives to mitigate the related risks. ISACA led this effort and developed a detailed framework in this regards [28]. PCI DSS: Payment Card Industry Data Security Standard (PCI DSS) [29], currently in version 2.0, is a standard that consists of twelve domains and was created by payment brands leaders to help facilitate the broad adoption of consistent data security measures on a global basis. Proper implementation of PCI DSS assists in building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, and implementation of solid access control measures. Compliance with PCI requirements is mandated for any party that stores or transmits credit or debit
card data. It assists enterprises to manage information security risks, reduces losses resulting from fraud, and protects consumer data. PCI DSS is not intended to be used as an information security risk management or assessment framework; however, while efforts are spent towards fulfilling its requirements overall information security maturity level is leveraged making it easier to achieve better security assessments. For organizations that already have ISMS (ISO 27001) implemented, PCI DSS compliance is straight forward. OCTAVE Set: OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), developed at the CERT Coordination center at Carnegie Mellon University, is a detailed information security risk assessment methodology; it consists of tools, techniques and methods to
conduct risk assessments. It is a formal and detailed set of processes, which assist in ensuring that risks are identified and properly analyzed, … please address the following in a properly formatted research paper: 1)Do you think that ISO 27001 standard would work well in the organization that you currently or previously have worked for? If you are currently using ISO 27001 as an ISMS framework, analyze its effectiveness as you perceive in the organization. 2)Are there other frameworks mentioned has been discussed in the article that might be more effective? 3)Has any other research you uncover suggest there are better frameworks to use for addressing risks? Your paper should meet the following requirements: Be approximately four to six pages in length, not including the required cover page and reference page. Follow APA 7 guidelines. Your paper should include an
introduction, a body with fully developed content, and a conclusion. Support your answers with the readings from the course and at least two scholarly journal articles to support your positions, claims, and observations, in addition to your textbook. Be clearly and well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing. Textbook : Information Governance: Concepts, Strategies and Best Practices; John R.S. Fraser, Betty J. Simkins, Kristina Narvaez; Copyright © 2015 by John R.S. Fraser, Betty J. Simkins, Kristina Narvaez (ISBN 978-1-118-69196-0) Beasley, M. S. (2016). What is Enterprise Risk Management? Retrieved from https://erm.ncsu.edu/az/erm/i/chan/library/What_is_Enterprise_ Risk_Management.pdf

More Related Content

DOCX
INFORMATION SECURITY MANAGEMENT
byNi
 
PDF
Dr.M.Florence Dayana - Risk Management.pdf
byDr.Florence Dayana
 
PPT
ch14.ppt00000000000000000000000000000000
byDiaaUliyan
 
PPT
ch14.ppt
byFizZaShYkh
 
PDF
Dj24712716
byIJERA Editor
 
PPTX
Risk Assessment
by.AIR UNIVERSITY ISLAMABAD
 
PDF
info sys risk management.pdf
byssuser2209e8
 
PPTX
MANAGEMEN RESIKO KEAMANAN INFORMASI (english).pptx
byUniversitas Teknokrat Indonesia
 
INFORMATION SECURITY MANAGEMENT
byNi
 
Dr.M.Florence Dayana - Risk Management.pdf
byDr.Florence Dayana
 
ch14.ppt00000000000000000000000000000000
byDiaaUliyan
 
ch14.ppt
byFizZaShYkh
 
Dj24712716
byIJERA Editor
 
Risk Assessment
by.AIR UNIVERSITY ISLAMABAD
 
info sys risk management.pdf
byssuser2209e8
 
MANAGEMEN RESIKO KEAMANAN INFORMASI (english).pptx
byUniversitas Teknokrat Indonesia
 

Similar to INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx

PDF
IS-Risk-Management-Lecture-2.pdf
byAbdulrafiiMohammed
 
PPTX
Step by-step for risk analysis and management-yaser aljohani
byyaseraljohani
 
PPTX
Step by-step for risk analysis and management-yaser aljohani
byYaser Alrefai
 
PPTX
Key pillars for effective risk management
byRamana K V
 
PDF
Machine learning methods for classification and prediction information securi...
byIAESIJAI
 
PPT
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
bychaudhryzunair4
 
PDF
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
byIJNSA Journal
 
PDF
A Practical Approach to Managing Information System Risk
byamiable_indian
 
PPTX
IT Security Bachelor in information technology.pptx
byMahmadKasimAnsari
 
PPTX
Information Security Risk Management and Compliance.pptx
byAbraraw Zerfu
 
PPTX
800-30.pptx
byAvniJain836319
 
DOCX
CHAPTER 5Risk Response and MitigationIn this chapter, you will
byJinElias52
 
DOCX
CHAPTER 5Risk Response and MitigationIn this chapter, you will.docx
byAbhinav816839
 
PPT
ENTERPRISE risk management AWARENESS.ppt
byshiva3305
 
PDF
Ch2 cism 2014
byAladdin Dandis
 
PPTX
Assess risks to IT security.pptx
bylochanrajdahal
 
PDF
Zlatibor risk based balancing of organizational and technical controls for ...
byDejan Jeremic
 
PDF
Taubenberger
byanesah
 
PDF
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
byChristina33713
 
PDF
Microsoft InfoSec for cloud and mobile
byVijayananda Mohire
 
IS-Risk-Management-Lecture-2.pdf
byAbdulrafiiMohammed
 
Step by-step for risk analysis and management-yaser aljohani
byyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
byYaser Alrefai
 
Key pillars for effective risk management
byRamana K V
 
Machine learning methods for classification and prediction information securi...
byIAESIJAI
 
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
bychaudhryzunair4
 
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
byIJNSA Journal
 
A Practical Approach to Managing Information System Risk
byamiable_indian
 
IT Security Bachelor in information technology.pptx
byMahmadKasimAnsari
 
Information Security Risk Management and Compliance.pptx
byAbraraw Zerfu
 
800-30.pptx
byAvniJain836319
 
CHAPTER 5Risk Response and MitigationIn this chapter, you will
byJinElias52
 
CHAPTER 5Risk Response and MitigationIn this chapter, you will.docx
byAbhinav816839
 
ENTERPRISE risk management AWARENESS.ppt
byshiva3305
 
Ch2 cism 2014
byAladdin Dandis
 
Assess risks to IT security.pptx
bylochanrajdahal
 
Zlatibor risk based balancing of organizational and technical controls for ...
byDejan Jeremic
 
Taubenberger
byanesah
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
byChristina33713
 
Microsoft InfoSec for cloud and mobile
byVijayananda Mohire
 

More from MargenePurnell14

DOCX
Introduction              Ideally, program andor policy interventio.docx
byMargenePurnell14
 
DOCX
INTRO TO PUBLIC ADMINISTRATIONCase Study 11  Who Brought Bern.docx
byMargenePurnell14
 
DOCX
IntroductionGDD’s ResultsCandidate’s ResultsGDD C.docx
byMargenePurnell14
 
DOCX
IntroductionDefine the individual client or community populati.docx
byMargenePurnell14
 
DOCX
Introduction to Public SpeakingWeek 6 AssignmentIn.docx
byMargenePurnell14
 
DOCX
Introduction about topic Intelligence phaseWhat is the .docx
byMargenePurnell14
 
DOCX
Introduction A short summary is provided on the case subject and.docx
byMargenePurnell14
 
DOCX
Introduction Illiteracy is the inability to read and write a.docx
byMargenePurnell14
 
DOCX
Intro to Quality Management Week 3Air Bag Recall.docx
byMargenePurnell14
 
DOCX
Intro to Quality Management Week 3Air Bag RecallAssignment.docx
byMargenePurnell14
 
DOCX
INTERVIEW WITH AMERICAN INDIAN COMMUNITY PRACTITIONERSResourcesD.docx
byMargenePurnell14
 
DOCX
Interview Each team member should interview an educator about his.docx
byMargenePurnell14
 
DOCX
IntroductionRisk management is critical to protect organization.docx
byMargenePurnell14
 
DOCX
Interview two different individuals regarding their positions in soc.docx
byMargenePurnell14
 
DOCX
Internet ExerciseVisit the homepage of Microsoft at www.micros.docx
byMargenePurnell14
 
DOCX
Interpersonal Violence Against Women, The Role of Men by Martin Schw.docx
byMargenePurnell14
 
DOCX
Internet of Vehicles-ProjectIntroduction - what you plan t.docx
byMargenePurnell14
 
DOCX
Interview an ELL instructor from a Title I school about how assessme.docx
byMargenePurnell14
 
DOCX
International Finance Please respond to the followingBased on.docx
byMargenePurnell14
 
DOCX
International capital budgeting analysis and presentationBy the .docx
byMargenePurnell14
 
Introduction              Ideally, program andor policy interventio.docx
byMargenePurnell14
 
INTRO TO PUBLIC ADMINISTRATIONCase Study 11  Who Brought Bern.docx
byMargenePurnell14
 
IntroductionGDD’s ResultsCandidate’s ResultsGDD C.docx
byMargenePurnell14
 
IntroductionDefine the individual client or community populati.docx
byMargenePurnell14
 
Introduction to Public SpeakingWeek 6 AssignmentIn.docx
byMargenePurnell14
 
Introduction about topic Intelligence phaseWhat is the .docx
byMargenePurnell14
 
Introduction A short summary is provided on the case subject and.docx
byMargenePurnell14
 
Introduction Illiteracy is the inability to read and write a.docx
byMargenePurnell14
 
Intro to Quality Management Week 3Air Bag Recall.docx
byMargenePurnell14
 
Intro to Quality Management Week 3Air Bag RecallAssignment.docx
byMargenePurnell14
 
INTERVIEW WITH AMERICAN INDIAN COMMUNITY PRACTITIONERSResourcesD.docx
byMargenePurnell14
 
Interview Each team member should interview an educator about his.docx
byMargenePurnell14
 
IntroductionRisk management is critical to protect organization.docx
byMargenePurnell14
 
Interview two different individuals regarding their positions in soc.docx
byMargenePurnell14
 
Internet ExerciseVisit the homepage of Microsoft at www.micros.docx
byMargenePurnell14
 
Interpersonal Violence Against Women, The Role of Men by Martin Schw.docx
byMargenePurnell14
 
Internet of Vehicles-ProjectIntroduction - what you plan t.docx
byMargenePurnell14
 
Interview an ELL instructor from a Title I school about how assessme.docx
byMargenePurnell14
 
International Finance Please respond to the followingBased on.docx
byMargenePurnell14
 
International capital budgeting analysis and presentationBy the .docx
byMargenePurnell14
 

Recently uploaded

PDF
PTE Answer Short Questions_ 50+ Most Repeated Questions & Smart Tips to Score...
byGurully
 
PDF
Projects_for_Ministries,_Departments_&_Agencies2123341679.pdf
bynservice241
 
PDF
ARS Nematology Syllabus | Complete Unit-wise Topics, Booklist & Preparation S...
bySatyam Sharma
 
PPTX
History in your Hands Class 2 November 2025.pptx
byEilsONeill
 
PDF
Gene Pool in Crop Plants: Diversity, Classification, and Role in Plant Breedi...
bySatyam Sharma
 
PDF
Rise of Magadh under Haryanka, Shishunaga and Nanda dynasties
byPrachiSontakke5
 
PDF
Introduction to Genetics: The Foundation of Heredity and Variation- Understan...
bySatyam Sharma
 
PPTX
LESSON 1.pptx///////////////////////////////
byRoseAnnUsana
 
PDF
BP605 T PHARMACEUTICAL BIOTECHNOLOGY UNIT 4 PART 1
byRushiMandali
 
PPTX
How to Get Ahead in Marketing: Insights for University Students
byCareLineLive
 
PDF
Genetic Erosion in Crop Plants: Causes, Consequences, and Conservation Strate...
bySatyam Sharma
 
PPTX
Overview of Cash on delivery in Odoo 19
byCeline George
 
PDF
How to (Re)Build Your District's Enrollment Numbers
byMebane Rash
 
PDF
JRF Plant Science Preparation Strategy by Experts | Complete Syllabus Discuss...
bySatyam Sharma
 
PPTX
Overview of Uploading a bill in Odoo 19
byCeline George
 
PPTX
Presentation - Opinion Editorial Basics.pptx
bygenelyn tallad
 
PPTX
Everything You Need to Know About Actions in Odoo 18
byCeline George
 
PPTX
NMR Spectroscopy M.Pharm 1st Semester, Pharmacy
bySaurabh Dubey
 
PDF
BP605 T PHARMACEUTICAL BIOTECHNOLOGY UNIT 3 PART 1
byRushiMandali
 
PPTX
10CLA Term 4 Week 6 Exam preparation reminders.pptx
bymansk2
 
PTE Answer Short Questions_ 50+ Most Repeated Questions & Smart Tips to Score...
byGurully
 
Projects_for_Ministries,_Departments_&_Agencies2123341679.pdf
bynservice241
 
ARS Nematology Syllabus | Complete Unit-wise Topics, Booklist & Preparation S...
bySatyam Sharma
 
History in your Hands Class 2 November 2025.pptx
byEilsONeill
 
Gene Pool in Crop Plants: Diversity, Classification, and Role in Plant Breedi...
bySatyam Sharma
 
Rise of Magadh under Haryanka, Shishunaga and Nanda dynasties
byPrachiSontakke5
 
Introduction to Genetics: The Foundation of Heredity and Variation- Understan...
bySatyam Sharma
 
LESSON 1.pptx///////////////////////////////
byRoseAnnUsana
 
BP605 T PHARMACEUTICAL BIOTECHNOLOGY UNIT 4 PART 1
byRushiMandali
 
How to Get Ahead in Marketing: Insights for University Students
byCareLineLive
 
Genetic Erosion in Crop Plants: Causes, Consequences, and Conservation Strate...
bySatyam Sharma
 
Overview of Cash on delivery in Odoo 19
byCeline George
 
How to (Re)Build Your District's Enrollment Numbers
byMebane Rash
 
JRF Plant Science Preparation Strategy by Experts | Complete Syllabus Discuss...
bySatyam Sharma
 
Overview of Uploading a bill in Odoo 19
byCeline George
 
Presentation - Opinion Editorial Basics.pptx
bygenelyn tallad
 
Everything You Need to Know About Actions in Odoo 18
byCeline George
 
NMR Spectroscopy M.Pharm 1st Semester, Pharmacy
bySaurabh Dubey
 
BP605 T PHARMACEUTICAL BIOTECHNOLOGY UNIT 3 PART 1
byRushiMandali
 
10CLA Term 4 Week 6 Exam preparation reminders.pptx
bymansk2
 

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx

  • 1.
    INTERNATIONAL JOURNAL OFINFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 28 Addressing Information Security Risks by Adopting Standards Walid Al-Ahmad*‡, Bassil Mohammad** *Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait **Ernst & Young, Amman, Jordan ‡ P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected] Abstract- Modern society depends on information technology in nearly every facet of human activity including, finance, transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,
  • 2.
    including information technologyrisks. Several standards, best practices, and frameworks have been created to help organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their efforts to properly manage information security risks when adopting international standards and frameworks. To assist in selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations is put forward with further research opportunities on the subject. Keywords- Information security; risk management; security frameworks; security standards; security management. 1. Introduction The use of technology is increasingly covering most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and
  • 3.
    implemented with concentrationon functionality, costs reduction and ease of use. Information security was not incorporated early enough into systems and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as systems vulnerabilities, and to limit their damaging impact on the information systems integrity, confidentiality, and availability. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attacking techniques and methods are virtually countless and are evolving tremendously [1, 2]. In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail in identifying the risks associated with the technology they use, the people they employ, or
  • 4.
    the environment wherethey operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process. Because risks cannot be completely eliminated, they need to be reduced to acceptable levels. Acceptable risks are risks that the business decides to live with, given that proper assessment for these risks has been performed and the cost of treating these risks outweighs the benefits. To this effect, enterprises spend considerable resources in building proper information security INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
  • 5.
    29 risk management programsthat would eventually address the risks they are exposed to. These programs need to be established on solid foundations, which is the reason why enterprises look for standards and frameworks that are widely accepted and common across enterprises [4]. However, the fact that several standards and frameworks exist make it challenging for enterprises to select which one to adopt and the question: “which is the best?” warrants further investigation. The main objective of this paper is to provide an answer to this question, thereby assisting enterprises in developing proper understanding of the issue and establishing successful information security risk management programs. This paper provides an analysis of some
  • 6.
    existing standards andframeworks for information security risks and consolidates various aspects of the topic. It also presents the challenges that frustrate information security risk management efforts along with how leading market standards and practices can be used to address information security risks with insights on their strengths and weaknesses. Please note that the scope of this paper is limited to the following frameworks: ISO 27001, ISO 27002, ISO 27005, ITIL, COBIT, Risk IT, Basel II, PCI DSS, and OCTAVE. These are the most commonly used frameworks in the market [5]. Other frameworks and methodologies like RMF (by NIST) and M_o_R (by GOC) can be considered in future work. It is also important to mention that this paper is not intended to promote a specific standard or framework; rather it treats
  • 7.
    them equally. Conclusionsdrawn as a result of this work are based on our detailed analyses, research, literature review, and observations from our work experience and engagements with clients from various sectors in the field of information security. The remainder of this paper is organized as follows: section 2 highlights some related work; section 3 details some challenges that disturb information security risk assessments; section 4 provides an overview of the major drivers for standards adoption; section 5 provides detailed analyses and exploration for the standards and frameworks in scope; section 6 details with the strengths and weaknesses of these standards and frameworks when used as a means to address information security risks; section 7 captures the selection considerations to use; section 8 provides some recommendations along with the proposed
  • 8.
    approach; section 9presents a case study to illustrate the benefits of the proposed selection method; finally, section 10 puts forward some conclusions and future research opportunities in relation to our work. 2. Related Work The literature on information security risk management based on international standards is scarce. The literature lacks studies that guide organizations in selecting the standard that fits their needs. Some research works attempt to analyze existing information security risk management standards, mainly ISO 27001 [6]. However, these research works focus mainly on listing advantages and disadvantages of these standards and how to implement and manage them. No comprehensive studies have been done to
  • 9.
    holistically compare variousframeworks, with the objective of providing selection criteria for the best standard or proposing a better assessment approach. Some papers dealt with frameworks such as COBIT, ITIL, and ISO 17799, as means to manage compliance requirements [7]. Ref. [8] proposes a framework which considers global, national, organizational, and employee standards to guide information security management. Ref. [9] presents framework of information security standards conceptualization, interconnection and categorization to raise awareness among organizations about the available standards (mainly ISO series). As well as exploring existing frameworks used in IT risk management this paper presents the challenges facing organizations to successfully implement information security risk assessments
  • 10.
    and the driversfor standards adoption. The main and novel contribution of our research work is the proposal of a practical approach to selecting an appropriate framework to address information security risks. 3. Challenges to Information Security Risk Assessments INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 30 Some of the common challenges to information security risk assessments are discussed briefly in this section. In fact, these challenges represent critical failure factors for an information risk management program.
  • 11.
    1) Absence ofsenior management commitment & support: Management’s buy-in and support is a critical driver for the success of any IT project, including information security risk assessments. Absence of management commitment will result in wasting valuable resources and efforts, producing weak evaluations, and most importantly, will lead to ignoring the assessment findings [10]. 2) Absence of appropriate policies for information security risk management: It is crucial to have information security policies in place to reflect the enterprise objectives and management directions. Although some policies might be created, information security risk management policies tend to be dropped or forgotten. In a research conducted by GAO, the US Government Accountability Office, three out of
  • 12.
    four detailed casestudies showed that despite the fact that firms used to have some form of information security risk assessment approaches practiced for several years, the risk management and assessment policies and processes were not documented until recently [11]. The absence of this critical steering document will lead to unstructured risk assessment approaches and will openly allow unmanaged evaluations. 3) Disintegrated GRC efforts: The increasingly popular term GRC refers to three critical areas: Governance, Risk Management, and Compliance. According to COBIT 4.1, IT Governance is defined as “the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the
  • 13.
    organization’s strategies andobjectives” [12]. Risk management is a process through which management identifies, analyses, evaluates, treats, communicates, and monitors risks that might adversely affect realization of the organization's business objectives. Compliance is about making sure that external laws, regulations, mandates and internal policies are being complied with at a level consistent with corporate morality and risk tolerance. Governance, risk, and compliance should always be viewed as a continuum of interrelated functions, best approached in a comprehensive, integrated manner. The disintegration results in increased failure rates, waste of resources, and increased overall assurance cost. 4) Improper assessments management: Despite the importance of security risk assessments, they
  • 14.
    are mostly notmanaged as projects and merely considered as part of IT normal operations. Considering security risk assessments as part of IT routine assignments will exclude these assessments from business review and consequently will result in a definite disconnect between management and their enterprise information security assessments. This exclusion will also increase the possibilities of executing over-budget assessments that will only cause additional efforts and resources to be wasted. 5) Assets ownership is either undefined or unpracticed: In ISO 27001 “the term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets.
  • 15.
    [13]. This definitionentails major responsibility granted to the person who is assigned the ownership which includes making sure that proper controls are actually implemented in order to protect the asset. Information security standards, best practices and mandates like ISO, COBIT, and ITIL require that information assets are identified, inventoried, and ownership is assigned. This is crucial for the success of any information security assessment. Most organizations fail to develop comprehensive information assets inventories and accordingly do not assign ownership [14]. 6) Limitations of existing automated solutions: Software solutions for information security risk assessment are developed to aid in the automation of this process and to make it more efficient. In a detailed comparison conducted by
  • 16.
    “Risk Assessment Accelerator”,seven common solutions were compared with respect to more http://en.wikipedia.org/wiki/Risk_Management http://en.wikipedia.org/wiki/Compliance_(regulation) INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 31 than forty different areas [15]. Features like ease of use, multi-language and client-server architecture support were highlighted as existing limitations in four up to five of these solutions. Three out of the seven compared solutions provide limited customization capabilities for both built-in inventories (for risks, vulnerabilities and threats) and the generated dashboards. All these weaknesses and limitations degrade enterprises’ efforts to have
  • 17.
    efficient and reliableinformation security risk assessment requirements documentation. 7) Existence of several IT risk assessment frameworks: The existence of many information security risk management and assessment frameworks add to the ambiguity and challenge of what is the best one to use. As a matter of fact, analyses of exiting risk assessment frameworks show that there is no one-size-fits- all solution to this issue as it is hard to develop a single precise document that will address the needs of all enterprises given their variant natures and requirements. 4. Drivers for Standards Adoption In order to address their information security risk management and assessment challenges, enterprises adopt internationally accepted
  • 18.
    frameworks or bestpractices. Standards in general are meant to provide uniformity that would ease the understanding and management of concerned areas. Businesses find themselves in need to adopt standards for various reasons which vary from business requirements to regulators and compliance mandates. Establishment of proper corporate governance, increasing risk awareness and competing with other enterprises are some business drivers to mention. Some firms pursue certifications to meet market expectations and improve their marketing image. A major business driver for standards adoption is to fill in the gaps and lack of experience in certain areas where firms are not able to build or establish proprietary standards based on their staff competencies [16]. Providing confidence to trading partners, stakeholders, and customers, reducing liability due
  • 19.
    to unimplemented orenforced policies and procedures, getting senior management ownership and involvement and establishing a mechanism for measuring the success of the security controls are some other key drivers for the adoption of standards. 5. Leading Market Best Practices Standards The conclusion section should emphasize the main contribution of the article to literature. Authors may also explain why the work is important, what are the novelties or possible applications and extensions. Do not replicate the abstract or sentences given in main text as the conclusion. In this section, an overview is presented of a number of the more important standards for information security risk management. For detailed
  • 20.
    information about thesestandards, the reader is encouraged to consult the references provided for them. The list of standards presented is absolutely not complete, and as mentioned before a subset of the existing standards are treated in this paper. 5.1. ISO 27000 Set The ISO 27000 is a series of standards, owned by the International Standards Organization, focusing on information security matters. For the purposes of this work, ISO 27001, ISO 27002, and ISO 27005 will be explored to highlight their strengths and weaknesses in relation to current demands for effective and robust frameworks for information security risk assessments. ISO 27001: The ISO 27001 standard is the specification for an Information Security Management System (ISMS). The objective of the
  • 21.
    standard is tospecify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System within an organization [13]. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. It is seen as an internationally recognized structured methodology dedicated to information security management. INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 32 The standard introduces a cyclic model known as the “Plan-Do-Check-Act” (PDCA) model that aims to establish, implement, monitor and improve
  • 22.
    the effectiveness ofan organization’s ISMS. The PDCA cycle has these four phases: – establishing the ISMS – implementing and operating the ISMS – monitoring and reviewing the ISMS – maintaining and improving the ISMS Organizations that adopt ISO 27001 in their attempt to pursue an effective means for operational information security risk management overlook the fact that this standard was designed to be used mainly as an ISMS framework – at the high level, not operational level - founding proper bases for information security management. ISO 27001 document mentions valuable details on information security risk assessment – mainly in the statements 4.2.1.C thru 4.2.1.H that can be used as selection criteria for a proper information security risk assessment approach that builds upon
  • 23.
    the controls listproposed by the standard. ISO 27002: ISO 27002 is a code of practice that provides suggested controls that an organization can adopt to address information security risks. It can be considered an implementation roadmap or extension to ISO 27001. As stated in the standard document, the code of practice is established to provide “guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization” [17]. The controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of “organizational security standards and effective security management practices, and to help build
  • 24.
    confidence in inter-organizationalactivities” [18]. ISO 27002 as the Code of Practice is best suited to be used as a guidance and direct extension to ISO 27001. ISO 27002 is used by enterprises as the sole source of controls and a means for information security risk assessment, however, not all controls are mandated as firms’ structures and businesses vary. Controls selection must be done based on detailed and structured assessment to determine which specific controls are appropriate and which are not. This standard contains guidelines and best practices recommendations for these 10 security domains: Security Policy; Organization of Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information
  • 25.
    Systems Acquisition, Developmentand Maintenance; Information Security Incident Management; Business Continuity Management; and Compliance. Among these 10 security domains, a total of 39 control objectives and hundreds of best-practice information security control measures are recommended for organizations to satisfy the control objectives and protect information assets against threats to confidentiality, integrity and availability. ISO 27005: ISO 27005 standard was proposed to fill in the gaps existing in ISO 27001 and ISO 27002 in terms of information security risk management. The standard builds up on the core that was introduced in ISO 27001 – reference statements 4.2.1.C thru 4.2.1.H – and elaborates by identifying inputs, actions, implementation
  • 26.
    guidelines, and outputsfor each and every statement. However, during our research we realized that the adoption of this standard as a means for information security risk management is minimal. This was evident in “The Open Group” efforts to support ISO 27005 adoption by releasing a free detailed technical document – called ISO/IEC 27005 Cookbook – that uses ISO 27005 as a cornerstone for a complete risk management methodology [18, 19]. ISO 27005 is not intended to be an information security risk assessment methodology [20]. The standard has six annexes that are all informative but considered of a major value extension to the standard. With proper customization, these annexes along with the ISO 27005 body can be used as the main assessment methodology for security risks.
  • 27.
    5.2. IT InfrastructureLibrary (ITIL 3.0) INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 33 ITIL is one of the IT frameworks used as a best practice adopted to properly manage IT services. ITIL perceives any effort or action done by IT in support to the organization as a service that has value to customers or businesses. The ITIL library focuses on managing IT services and covers all aspects of IT service provisioning starting from service strategy, design, transition, operation, and implementation. It also highlights the continual monitoring and improvement aspect for each and every service.
  • 28.
    ITIL does notintroduce itself as a framework for information security risk management. However, as an IT governance framework, having it implemented in an enterprise will provide assurance and indication on the organization’s IT maturity. Addressing IT risks associated with incident, change, event, problem, and capacity management would definitely minimize related information security risks as well [21, 22]. The drivers for ITIL adoption in organizations were subject to analyses and study by several researches. A survey conducted by itSMF (IT Service Management Forum) showed that ITIL was adopted by different industry sectors [23] including education, government, and financial sectors amongst others. The ITIL status survey for 2009 [24] showed the increasing adoption of ITIL version 3.0 and elaborated on the major drivers
  • 29.
    that are causingthis adoption. This includes improving service quality, customer satisfaction and establishing IT stability and successful value delivery for business. ITIL modularity adds to its adoption popularity. Based on the enterprise current priorities, the firm can select to focus on service operations rather than service strategy which typically needs more time to mature. The implementation of ITIL can be implemented gradually in phases. 5.3. COBIT 4.1 & Risk IT Control Objectives for Information and related Technology (COBIT), developed and owned by the Information Systems Audit & Control Association (ISACA), is one of the most increasingly adopted information technology frameworks for IT Governance. COBIT focuses
  • 30.
    on defining ITcontrol objectives and developing the controls to meet them. It is made of 34 processes that manage and control information and the technology that supports it [12]. COBIT is adopted by enterprises from various industry sectors [25] which include IT consulting firms, education, financial institutions, government, healthcare, utilities and energy. To get closer understanding on how various enterprises perceive COBIT, thirty case studies were reviewed and analyzed. The case studies showed that COBIT was used to create the needed alignment between business and IT, create the IT Governance framework, improve IT processes and establish the IT risk management organization. Other enterprises used COBIT to meet their compliance needs and requirements. It was realized from the case studies that financial
  • 31.
    institutions adopt COBITfor their internal IT audit efforts and risk assessments. They also used it to create IT policies and procedures. Other firms used COBIT as a means to standardize IT processes and increase their effectiveness and maturity level. COBIT was also used as a means to conduct audit. COBIT does not provide a methodology to conduct information security risk assessments but rather establishes the foundation for having a solid IT organization in the firm. ISACA recognized the importance and need for a comprehensive IT risk management framework and as a result developed the Risk IT framework. According to the Risk IT framework document “The Risk IT framework complements ISACA’s COBIT, which provides a comprehensive framework for the control and governance of business-driven IT-based solutions
  • 32.
    and services. WhileCOBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk, Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risks [26]. Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues. It enables enterprises to understand and manage all significant IT risk types. Risk IT follows the process model used in COBIT and has three major domains: 1) Risk Governance which INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 34
  • 33.
    focuses on theestablishment and maintenance of common risk view, and making risk-aware business decisions; 2) Risk Evaluation which deals with data collection, risks analyses and maintaining risk profile; 3) The Risk Response component articulates risk, manages risk and reacts to all adverse events identified [26]. Given that Risk IT is still new, its adoption across enterprises is not yet realized, however, it is expected to take more attention and focus in the near future taking use of the wide acceptance and adoption of COBIT. 5.4. Other Frameworks In this section, we briefly discuss other standards and regulations for information security. Some industries, such as banking, are regulated,
  • 34.
    and the guidelinesor best practices put together as part of those regulations often become a de facto standard among members of these industries. Basel II: Basel II is the most commonly adopted directive across the financial institutions. The reason behind this is the fact that this directive has become a mandated regulation that all financial institutions need to comply with. Its core is about how much capital banks need to put aside to guard against the types of financial and operational risks banks face [27]. It focuses on operational risks as opposed to information security risks. According to Basel II, operational risk (Ops Risk) is any risk that results from failure in any of the following areas: system, process, human or external attack. This definition implies that Basel II has an IT dimension that needs to be properly managed. This area was subject for
  • 35.
    detailed research andseveral publications tried to set clear controls and control objectives to mitigate the related risks. ISACA led this effort and developed a detailed framework in this regards [28]. PCI DSS: Payment Card Industry Data Security Standard (PCI DSS) [29], currently in version 2.0, is a standard that consists of twelve domains and was created by payment brands leaders to help facilitate the broad adoption of consistent data security measures on a global basis. Proper implementation of PCI DSS assists in building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, and implementation of solid access control measures. Compliance with PCI requirements is mandated for any party that stores or transmits credit or debit
  • 36.
    card data. Itassists enterprises to manage information security risks, reduces losses resulting from fraud, and protects consumer data. PCI DSS is not intended to be used as an information security risk management or assessment framework; however, while efforts are spent towards fulfilling its requirements overall information security maturity level is leveraged making it easier to achieve better security assessments. For organizations that already have ISMS (ISO 27001) implemented, PCI DSS compliance is straight forward. OCTAVE Set: OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), developed at the CERT Coordination center at Carnegie Mellon University, is a detailed information security risk assessment methodology; it consists of tools, techniques and methods to
  • 37.
    conduct risk assessments.It is a formal and detailed set of processes, which assist in ensuring that risks are identified and properly analyzed, … please address the following in a properly formatted research paper: 1)Do you think that ISO 27001 standard would work well in the organization that you currently or previously have worked for? If you are currently using ISO 27001 as an ISMS framework, analyze its effectiveness as you perceive in the organization. 2)Are there other frameworks mentioned has been discussed in the article that might be more effective? 3)Has any other research you uncover suggest there are better frameworks to use for addressing risks? Your paper should meet the following requirements: Be approximately four to six pages in length, not including the required cover page and reference page. Follow APA 7 guidelines. Your paper should include an
  • 38.
    introduction, a bodywith fully developed content, and a conclusion. Support your answers with the readings from the course and at least two scholarly journal articles to support your positions, claims, and observations, in addition to your textbook. Be clearly and well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing. Textbook : Information Governance: Concepts, Strategies and Best Practices; John R.S. Fraser, Betty J. Simkins, Kristina Narvaez; Copyright © 2015 by John R.S. Fraser, Betty J. Simkins, Kristina Narvaez (ISBN 978-1-118-69196-0) Beasley, M. S. (2016). What is Enterprise Risk Management? Retrieved from https://erm.ncsu.edu/az/erm/i/chan/library/What_is_Enterprise_ Risk_Management.pdf