Addressing Information Security Risks by Adopting Standards

Abstract

Modern society depends on information technology in nearly every facet of human activity including, finance, transportation, education, government, and defense. Organizations are exposed to various kinds of risks, including information technology risks. Several standards, best practices, and frameworks have been created to help organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their efforts to properly manage information security risks when adopting international standards and frameworks. To assist in selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations is put forward with further research opportunities on the subject.

Keywords

• Information security, risk management, security frameworks, security standards, security management

Walid Al-Ahmad**, Bassil Mohammad

Abstract

References

1. Symantec, “Symantec Global Internet Security Threat Report Trends for 2008”, Symantec’s Publications, Vol. XIV, 2009, pp. 10.
2. www.gocsi.com, “Computer Crime and Security Survey”, accessed January 2012.
3. B., Blakley, E., McDermott, and D., Geer, “Information Security is Information Risk Management”, ACM Digital Library, 2002.
4. E., Humphreys, “Information security management standards: management”, Information Security Technical Report, Vol. 13, No. 4, 2008. governance and risk [5] H., Susanto, M., Almunawar, and Y. Tuan, “Information Security Management System Standards: A Comparative Study of the Big Five”, International Journal of Electrical & Computer Sciences, Vol. 11, No. 5, 2011.
5. Y., Barlette and V., Fomin, The Adoption of Information Security Management Standards: A Literature Review, IGI Global, 2009.
6. S., Schlarman, “Selecting an IT Control Framework”, EDPACS, Vol. 35, No. 2, 2007.
7. , J., Sipiorand and B., Ward, “A Framework for Information Security Management Based on Guiding Standards”, Issues in Informing Science and Information Technology, Vol. 5, 2008.
8. A., Tsohou, S., Kokolakis, C., Lambrinoudakis, and S., Gritzalis, "A security standards' framework to facilitate best practices' awareness and conformity", Information Management & Computer Security, Vol. 18, No. 5, 2010, pp.350 – 365.

9. A., Calder and S., Watk, IT Governance: A Manager’s Guide to Data Security and ISO27001/ISO27002, Kogan Page Limited, UK, 2008.
10. Government Accountability Office (GAO), Information Security Risk Assessment: Practices of Leading Organizations, GAO Publications, 1999.
11. IT Governance Institute (ITGI), COBIT 4.1 (1st edition), ITGI Publication, United States, 2007.
12. International Standards Organization (ISO), Information Technology – Security Techniques – Information Security Management Publications, Switzerland, 2005.
13. – Requirements, ISO/IEC
14. L., Coles-Kemp and R., Overill, “The Information Security Ownership Question in ISO/IEC 27001 – an Implementation Perspective”, 4th Australian Information Security Management Conference, 2006.
15. www.raa.si, “Risk Tools Matrix”, accessed January 2012.
16. K., Brotby, Information Security Governance: A Practical Development and Implementation Approach, Willy & Sons/New Jersey, 2009.
17. International Standards Organization (ISO), Information Technology – Security Techniques – Code of Practice for Information Publications/ Switzerland, 2005 Management, ISO/IEC
18. The Open Group, ISO/IEC 27005 Cookbook, Open Group/UK, 2010.
19. searchcompliance.techtarget.com, Topics”, accessed January 2012. “Compliance
20. International Standards Organization (ISO), Information Technology – Security Techniques –Information Security Risk Management, ISO/IEC Publications/Switzerland, 2008.
21. Office of Government Commerce (OGC), Passing Your ITIL Foundation Exam, OGC Publication/UK, 2007.
22. N., Bruton, The ITIL Experiance: Has it been Worth it?, Bruton Publications, 2004.
23. A., Cater-Steel, W., Tan, and M., Toleman, “Summary of ITIL Adoption Survey Responses”, itSMF Australia 2006 Conference, 2006.
24. Hornbill Systems: “ITIL: State of the Nation Survey Findings, Hornbill Systems Publications, 2009.
25. www.isaca.org, “COBIT 4.1 Case Studies”, accessed January 2012.
26. Information Systems Audit & Controls Association (ISACA), Publication/United States, 2009. IT Framework, ISACA
27. www.bis.org, “Basel II”, accessed January 2012.
28. Information Systems Audit & Controls Association (ISACA), IT Control Objectives for Basel II: the Importance of Governance and Risk Management for Compliance, ISACA Publication/ United States, 2007.
29. Payment Card Industry Council (PCI-Council), PCI DSS 2.0, PCI Council Publication/United States, 2010.
30. Software Engineering Institute (SEI), Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process, SEI Publication, 2007.
31. K.J., Knappeat, Cyber Security and Global Information Assurance: Threat Analysis and Response Solutions, IGI Global/United States, pp 119-140, 2009.
32. IT Governance Institute (ITGI), COBIT 4.1 Quick Start, ITGI Publication/United States, 2007.
33. H. A., Simon, The New Science of Management Decision, Harper/New York, 1960.