Risk Management. Upasna Saluja, PhD Candidate. Dato Dr Norbik Bashah Idris
1. Abstract

Information is a key asset for organizations across industries as they seek to use IT as a differentiator and a key business enabler. Just as individuals practise risk assessment daily in routine activities and in protecting their physical assets, organizations are beginning to realize that they need to create a culture of risk assessment under an overall risk management program. In the absence of a uniform code of practice across industries and countries, organizations in different sectors and geographies adopt the standards and practices that most closely match their risk perceptions. International standards such as ISO and the Australia/New Zealand standard AS/NZS 4360:2004 Risk management give managers guidance on security management, of which risk assessment is one part. The AS/NZS standard provides a generic guide for managing risk from an operational standpoint, while ISO provides a standard that emphasizes a security management framework and the implementation of the controls necessary to mitigate risks to the organization's information assets. A key challenge in an organization's quest to manage risk is to measure each risk and rank it relative to the others; this is becoming essential before managers can decide how much attention (and how many resources) to allocate to mitigating which risks. This paper describes the research effort towards designing a framework that addresses security management in line with ISO while making the risk measurement and management process more quantitative. Such a framework would help organizations prioritize and thereby allocate resources optimally.

Keywords: Information Security, SME, Security, Enterprise Risk, Risk Analysis, Risk Management, IT Risk.

2. Introduction

Information is a key asset in most businesses today.
Information flow is essential for the successful running of operations in any organization. Organizations across industry sectors are embracing IT to improve operational efficiency and automate routine tasks; as a result, most information is handled by computers. Information may be stored on personal computers and servers, travelling on the local area network (LAN) or WAN, travelling over the internet within some account, being printed, or being exchanged between two managers over mobile telecommunications. It could also be lying in a hard-copy folder on an employee's desk. Information can easily be destroyed, copied, stolen, modified, misused or even lost if it is not managed effectively. Most of this information exists in digital format, and digital information carries more risks than hard-copy information. Many critical business processes and functions depend on the security of information, which makes it important to manage and protect it. By itself, information is often considered intangible, so businesses and organizations take stock of it in terms of information assets: all forms of equipment, storage devices, computers, IT systems, paper documents, files and even the people who carry organizational information.

Upasna Saluja Page 1 of 6
The rapid evolution of information technology (IT) over the last few years is challenging information security professionals to rethink the very nature of risk and the ways to manage or mitigate it. The elements of risk depend on numerous factors and are dynamic with respect to time, organizational growth and structure, location, type of business and role, network complexity, information systems and so on. At all times it is crucial for an organization to know what its current risks are and how they can be managed.

3. Increasing focus on Risk Measurement

The trend of the past ten years brings out very clearly the increasing importance of information security. The number of magazines, articles, websites and forums devoted to information security says a lot about the awareness and concern among the general public. Today, people are looking for return on investment (ROI) analysis, as discussed in Quantifying IT Risks. In earlier days, when people wanted to secure their information they secured their network perimeter; today they have realized that securing the network is not adequate. What is required is much more than network security, and that is how network security has evolved into information security. The paper on Information technology risk management discusses the concept of information technology (IT) risk and argues that the generally held conception is too narrow. Information security is an organization's approach to maintaining the confidentiality, availability, integrity and reliability of its IT systems. An Information Security Management System (ISMS) helps an organization manage information security effectively, and there are many frameworks that support this. The most established standard is ISO, which evolved from the British standard BS 7799:2005 after its adoption by ISO.
It is emerging today as the de facto standard for organizations to demonstrate measurable efforts in security implementation towards the eventual goal of addressing the business risks to which their information architecture is exposed.

4. Associated Frameworks

A number of security management frameworks and guidelines support organizations in addressing the risks they face. Most of them, however, need substantial infrastructure in place before they can be implemented. As a result, large organizations can implement them, whereas small and medium enterprises (SMEs) find such frameworks difficult to implement. A few existing guidelines (to be applied manually) and interactive software packages are listed below.

4.1. OCTAVE - The Software Engineering Institute (SEI), a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University, has introduced the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), a framework for identifying and managing information security risks.

CRAMM is based on the UK Government's preferred risk assessment methodology. CRAMM by Siemens provides an approach to both technical (e.g. IT hardware and software) and non-technical (e.g. physical and human) aspects of security.
CRAMM includes a comprehensive range of risk assessment tools that are fully compliant with BS.
- ASSET - NIST has provided a free software program called ASSET to document and manage the risk assessment process.
- Risk Management Guide for Information Technology Systems (SP ), issued by the US National Institute of Standards and Technology in July 2002, provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems.
- In July 2003 NIST published the NIST Special Publication Security Metrics Guide for Information Technology Systems, which highlights that the requirement to measure IT security performance is driven by regulatory, financial and organizational reasons.
- Australia and New Zealand have produced a joint standard, AS/NZS 4360:2004 Risk management. The standard provides a generic guide for managing risk and may be applied to a wide range of activities or operations of any public, private or community enterprise or group.
- Information Security Management Standards - ISO, which was recently adopted by ISO based on the British standard BS.
- The Common Sense Guide to Cyber Security for Small Businesses, Recommended Actions for Information Security, 1st Edition, March 2004, from the Internet Security Alliance lays down their recommended best practices: A Twelve Step Program to Cyber Security.
- The Homeland Security: Tools for Small Business workbook compiled by the Risk Management Small Business Development Center, USA, argues that there are still far too many small businesses with unprotected computer systems. It stresses that security for a business should be built in layers, should be appropriate for the location and type of business, and should take the form of a written plan. Small businesses have many variables unique to SMEs that a security assessment needs to cover.

5. Risk Assessment Standards

Risk assessment is the first logical step in the pursuit of risk management. It is strongly recommended that organizations not only develop and practise risk management but also go the extra mile and accredit it against the standards. In the Asia Pacific region the two standards most commonly referred to are the Australian/New Zealand Standard AS/NZS 4360 and the ISO/IEC IS Risk Assessment Standard. It has been observed that in Malaysia most established large organizations use AS/NZS 4360, whereas in India the most commonly used standard is the ISO/IEC IS Risk Assessment Standard. Since AS/NZS 4360 is popular in Malaysia, the research zooms in on this area. The standard is good, but there is no detailed framework guiding security managers in implementing it: it outlines what is required but does not provide the how-tos, and no detailed methodology based on it is available. Practitioners (including the researcher) working in the field of information security management systems are beginning to realize that AS/NZS 4360 caters for operational risk and is qualitative in nature.

6. Requirement for ISMS

The best way to strengthen information security is to treat it as a corporate governance matter that involves the attention of senior management, ideally up to board level.
By developing an ISMS an organization expresses its commitment to establishing an appropriate information security framework that:
- ensures that a high-level information security policy is written;
- creates an organizational structure to ensure that roles and responsibilities are established;
- assures the organization that personnel security issues are highlighted;
- confirms that an information assets register is created;
- validates the adequacy of physical and environmental security arrangements;
- substantiates the adequacy of IT technical security measures, including communications and operational procedures, logical access controls, systems development and maintenance arrangements, and vulnerability management;
- establishes an effective incident management process;
- validates the existence and adequacy of business continuity arrangements;
- ensures that an ongoing compliance and monitoring mechanism is in place.

ISO is the de facto international standard on establishing, maintaining and improving an Information Security Management System (ISMS) for both public and private sector organizations. ISO evolved from the British standard BS 7799:2005 after its adoption by ISO. Normally organizations not only develop an ISMS but also get certified against the standard. Compliance is important for organizations and businesses because, by having a formal, documented ISMS that has been independently assessed, an organization can demonstrate to its customers and clients that it is committed to security and able to handle information securely. This in turn may improve customer confidence, thereby increasing trust in the brand or image. With respect to regulatory requirements, the organization would more readily comply with its statutory security stipulations.
The ability to respond quickly to any information security breaches or incidents is one of the key clauses in ISO. The ability to minimize the opportunity for incidents to occur is a major advantage for business and service resilience, and it links closely with IT disaster recovery and business continuity work. Therefore, gaining compliance with ISO ensures that an organization has adequately addressed the confidentiality, integrity and availability of its information, and is thus seen as a trusted organization, which is proving crucial in this fast-moving world.

7. Practical requirement

As mentioned earlier, ISO is today the most established standard for information security across the globe, and organizations everywhere are getting certified against it. The standard is based on risk assessment: it is a risk-based approach. It does not prescribe which methodology should be used, but there are certain specific requirements that a risk assessment methodology must meet. The standard requires the organization to conduct a risk assessment, yet there is no detailed framework to guide security managers. How does one conduct a risk assessment that is completely in line with ISO?
8. Quest for an Innovative Framework

It would be very good for the industry to have a detailed methodology and framework for this purpose. The research looks at risk assessment primarily from the perspective of security managers in small and medium enterprises. It highlights the limitations and challenges SMEs face in measuring, and consequently managing, information security risks. After analyzing the current scenario, it was concluded that the research should formulate a risk assessment framework catering primarily for small and medium enterprises. It is recommended that risk assessment should be simple: the adoption of a highly quantitative tool for IT risk management is not advocated; rather, a more modest approach is suggested. The knowledge base and the risk assessment methodology would not focus only on network risks but would also cover the other risk areas affecting the information security posture, such as physical risks, operational risks and telecommunications-related risks. The research goes on to propose a methodology for relative risk benchmarking through the application of statistics. The effort is to establish a security measurement framework and metrics that would improve security management by giving small and medium enterprises a basis for security assessment, and to enable SMEs to use this framework to make business decisions about managing security risks. Besides risk assessment, this would help in resource prioritization and budgeting.

Overview of proposed solution

There would be three essential steps in the research:
- Step 1: Consider an appropriate risk assessment standard.
- Step 2: Develop a risk assessment framework based on the above-mentioned standard, and work out a framework that is in compliance with ISO.
- Step 3: Apply statistics to the results of the risk assessment and derive the RRB (Relative Risk Benchmark).

Step 1: Consider Appropriate Risk Assessment Methodology

It has been observed that in Malaysia most established large organizations use the Australian/New Zealand Standard AS/NZS 4360 for risk assessment. A detailed risk assessment framework could be generated based on this standard. This framework needs to be based on the fundamentals of information security, and to justify its effectiveness it could be judged against the benchmark of ISO.

Step 2: Develop Risk Assessment Framework

The research points towards establishing a framework that would be more quantitative and better understood if the proposed methodology could be implemented in an organization.

Step 3: Apply Statistics to derive RRB (Relative Risk Benchmark)

The Relative Risk Benchmark (RRB) could help in determining the interrelations between different risk elements and in understanding the relative importance of the impact each risk element could have on the overall security posture (e.g. determining how network security impacts the overall security posture), and thus provide guidance on which risks need what kind of attention and resources.
This plays an important role not only in resource allocation but also in budget allocation.

Figure 2: RRB model (Assessment Mechanism; Results of Assessment; Relative Risk Benchmarking Model; Relative Risk Measurement; Guidance for Resource Allocation and Risk Mitigation prioritization)

Step 4: Model for Relative Risk Benchmarking

It is imperative that the assessment mechanism for risk assessment (which may take the form of a questionnaire, checklist or other evaluation method) be based on a comprehensive and complete knowledge base that caters for SMEs' specific security requirements. The security elements could include, but are not limited to, network security, physical security, administrative security and telecommunication security. The outputs of the assessment mechanism for each separate risk element are used as the input for the further derivation of the Relative Risk Benchmark. The information security status of the organization in terms of each element of information security (s1, s2, s3) is linked, using statistical measures and methods, to the other elements and to the overall security posture of the organization. For example, s1 could be physical security, s2 network security and s3 operational security, while S represents the overall information security status of the organization (refer to fig. 2). Measures of association between the overall information security status of the enterprise and the different elements are calculated and linked statistically. Drawing from the well-established field of financial risk management, the methodology, based on a mathematical function, models the relationship between the elements of security and the overall security posture of the enterprise, thus making the risk assessment (RA) process more quantitative than previously possible.
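The statistical linkage between s1, s2, s3 and S described above, worked through as an added example that is not from the paper: since the paper names neither the measure of association nor the mathematical function, this code assumes Pearson correlation between each element's score and the overall status S, computed over a constructed sample of assessment results, and derives a proportional budget split as the "guidance for resource allocation" step of the RRB model.

```python
"""Relative Risk Benchmark (RRB) worked example.

Added illustration, not code from the paper. The paper links the security
status of each element (s1 physical, s2 network, s3 operational) to the
overall status S through "measures of association" without naming one.
ASSUMPTION: Pearson correlation is used as the measure of association and
a proportional split as the resource-allocation guidance.
The assessment scores below are CONSTRUCTED sample data, not survey results.
"""
import math
from statistics import mean

# Constructed sample: one row per assessed SME site. Columns are element
# scores on a 0-10 scale followed by the overall security status S (0-10).
ASSESSMENTS = [
    # s1 physical, s2 network, s3 operational, S overall
    (6, 3, 5, 4),
    (7, 8, 6, 8),
    (5, 4, 7, 5),
    (8, 9, 5, 8),
    (4, 2, 6, 3),
    (6, 7, 4, 6),
    (9, 6, 8, 7),
    (3, 5, 3, 4),
]
ELEMENTS = ["physical (s1)", "network (s2)", "operational (s3)"]


def pearson(xs, ys):
    """Pearson correlation coefficient between two equal-length series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need at least two paired observations")
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        return 0.0  # a constant series carries no measurable association
    return cov / (sx * sy)


def relative_risk_benchmark(rows):
    """Return {element: association with S} for each security element.

    rows: iterable of (s1, s2, s3, S) tuples from the assessment mechanism.
    The association is the assumed measure (Pearson r); the paper leaves the
    exact mathematical function open.
    """
    cols = list(zip(*rows))
    overall = cols[-1]
    return {name: pearson(cols[i], overall) for i, name in enumerate(ELEMENTS)}


def ranked_elements(benchmark):
    """Elements ordered from strongest to weakest association with S."""
    return sorted(benchmark, key=benchmark.get, reverse=True)


def allocation_guidance(benchmark, budget):
    """Split a budget across elements in proportion to their association.

    Elements whose status tracks S most closely receive the largest share;
    elements with zero or negative association receive nothing under this
    simple rule (a deliberate edge case: they give no guidance on S).
    """
    weights = {k: max(v, 0.0) for k, v in benchmark.items()}
    total = sum(weights.values())
    if total == 0:
        return {k: 0.0 for k in weights}
    return {k: round(budget * w / total, 2) for k, w in weights.items()}


if __name__ == "__main__":
    rrb = relative_risk_benchmark(ASSESSMENTS)
    for name in ranked_elements(rrb):
        print(f"{name:18s} r = {rrb[name]:+.2f}")
    print(allocation_guidance(rrb, 10000))
```

On the constructed sample, network security shows the strongest association with S (r about 0.93), followed by physical (about 0.82) and operational (about 0.25), so the guidance step directs most of the budget to network controls.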
Such a security measurement framework, catering for the specific requirements of SMEs and based on relative risk benchmarking, would give enterprises a basis for quantifiable security measurement and assessment that would in turn enable them to make business decisions about resource allocation and prioritization for managing security risks. The relative importance of the different elements of information security to the business can lead to a form of cost/benefit analysis of the various controls and measures. In other words, the relative risk benchmark could help lay the basis of a sound framework for an Information Security Management System (ISMS) for organizations.

9. References

a. Data-Centric Quantitative Computer Security Risk Assessment - racticals/gsec/3177.php
b. A General, But Readily Adaptable Model of Information System Risk - Communications of the Association for Information Systems (Volume 14, 2004), 1-28
c. Risk Management Standard from the UK - The Institute of Risk Management (IRM).
d. Why ICT Is Important To SMEs, by Musalmah Johan, The Star Online, May 30.
e. Resources for organisations: Small Enterprises; Middlesex University.
f. Information Security is Information Risk Management, New Security Paradigms Workshop, Cloudcroft, New Mexico; Proceedings of the workshop on New Security Paradigms.
g. Homeland Security Tools for Small Businesses, Risk Management Small Business Development Center (2004, Risk Management Small Business Development Center, 1402 Corinth Street, Suite #1537, Dallas, TX 75215, (214) ).
h. An Evaluation of SME Development in Malaysia, by Ali Salman Saleh and Nelson Oly Ndubisi; International Review of Business Research Papers; August.
i. (TEISMEs) (Advances in Information Security), by Charles A. Shoniregun; Springer-Verlag New York, Inc., Secaucus, NJ, USA; 2005.
j. Information Technology Security Risk Management; a thesis, Texas at Dallas; May 2006.
k. How Much Is Enough: Approach to Information Security; a thesis by Kevin John Soo Hoo, Stanford University; May 2000.
l. Developing a Risk Management System for Information Systems Security Incidents; a thesis by Fariborz Farahmand, College of Computing, Georgia Institute of Technology; 2004.
m. Small and Medium Enterprise (SME) risk metrics -
n. Risk Metrics Needed for IT Security, Vol. 6, April 1, 2003, by Will Ozier, President, OPA Inc., quoted in the IT Audit journal of The Institute of Internal Auditors.
o. Metrics Based Security Assessment (MBSA): Combining the ISO Standard with the Systems Security, by Jim Goldman and V.R. Christie.
p. COTS; International Conference on Software Engineering; Proceedings of the 28th International Conference on Software Engineering, Shanghai, China; session: risk analysis; Pages: ; Year of Publication: 2006.
q. Paper Outsourcing to Ensure Successful ICT Systems Implementation and Maintenance, by Dr Lim Tong Ming, School of Information Technology, Monash University Malaysia; ml
r. A Practical Approach to Security Assessment - ACM: Darrell M. Kienzle, kienzle@mitre.org; William A. Wulf, wulf@cs.virginia.edu; Department of Computer Science, University of Virginia.
s. Publications/Industry-Sectors/ICT/ICTstandards/BS-ISOIEC-TR /
t. AS/NZS 4360:2004: Risk management - dard.pdf
u. COBIT
v. CRAMM
w. ASSET - ml
x. Security Metrics Guide for Information Technology Systems, NIST Special Publication , July 2003, authored by Marianne Swanson, Nadya Bartol, John Sabato, Joan Ha
More informationInformation Security: Business Assurance Guidelines
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
More informationAustralian Computer Society. Policy Statement
Australian Computer Society Policy Statement on SOFTWARE QUALITY ACCREDITATION www.acs.org.au October 2004 ACS POLICY STATEMENT ON SOFTWARE QUALITY ACCREDITATION 2004 CONTENTS Summary of ACS Position...5
More informationUnisys Security Insights: Global Summary A Consumer Viewpoint - 2015
Unisys Security Insights: Global Summary A Consumer Viewpoint - 2015 How consumers in 12 countries feel about: Personal data security, ranked by industry Region-specific security perceptions Research by
More informationISO 27001: Information Security and the Road to Certification
ISO 27001: Information Security and the Road to Certification White paper Abstract An information security management system (ISMS) is an essential part of an organization s defense against cyberattacks
More informationPractitioner Certificate in Information Assurance Architecture (PCiIAA)
Practitioner Certificate in Information Assurance Architecture (PCiIAA) 15 th August, 2015 v2.1 Course Introduction 1.1. Overview A Security Architect (SA) is a senior-level enterprise architect role,
More informationComputer Security Lecture 13
Computer Security Lecture 13 Risk Analysis Erland Jonsson (based on material from Lawrie Brown) Department of Computer Science and Engineering Chalmers University of Technology Sweden Security Management
More informationStepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
More informationHead of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2
Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationNetIQ FISMA Compliance & Risk Management Solutions
N E T I Q C O M P L I A N C E S E R I E S NetIQ FISMA Compliance & Risk Management Solutions The Federal Information Security Management Act (FISMA) requires federal agencies to create and implement a
More informationBusiness Continuity Planning (BCP) 101
2011/EPWG/WKSP/004 Intro 1 Business Continuity Planning (BCP) 101 Submitted by: Business Continuity Management Institute Workshop on Private Sector Emergency Preparedness Sendai, Japan 1-3 August 2011
More informationWhy you should adopt the NIST Cybersecurity Framework
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationNeed to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI
Need to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI What is STAR Certification? TM STAR Certification is a unique new certification which
More informationWestern Australian Auditor General s Report. Information Systems Audit Report
Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises
More informationCompany Management System. Business Continuity in SIA
Company Management System Business Continuity in SIA Document code: Classification: Company Project/Service Year Document No. Version Public INDEX 1. INTRODUCTION... 3 2. SIA S BUSINESS CONTINUITY MANAGEMENT
More informationPrinciples for BCM requirements for the Dutch financial sector and its providers.
Principles for BCM requirements for the Dutch financial sector and its providers. Platform Business Continuity Vitale Infrastructuur Financiële sector (BC VIF) Werkgroep BCM requirements 21 September 2011
More informationCRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data
CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical
More informationNeed to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI
Need to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI What is STAR Certification? TM STAR Certification differentiates you from your competition.
More informationIMPLEMENTATION OF SECURITY CONTROLS ACCORDING TO ISO/IEC 27002 IN A SMALL ORGANISATION
48 IMPLEMENTATION OF SECURITY CONTROLS ACCORDING TO ISO/IEC 27002 IN A SMALL ORGANISATION MATÚŠ HORVÁTH, MARTIN JAKUB 1 INTRODUCTION Managerial work is directly dependent on information, it is therefore
More informationEnsuring Cloud Security Using Cloud Control Matrix
International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 9 (2013), pp. 933-938 International Research Publications House http://www. irphouse.com /ijict.htm Ensuring
More informationFINRA Publishes its 2015 Report on Cybersecurity Practices
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationCybersecurity@RTD Program Overview and 2015 Outlook
Cybersecurity@RTD Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD Information Technology Department of Finance & Administration
More informationBusiness Continuity Management Planning Methodology
, pp.9-16 http://dx.doi.org/10.14257/ijdrbc.2015.6.02 Business Continuity Management Planning Methodology Dr. Goh Moh Heng, Ph.D., BCCLA, BCCE, CMCE, CCCE, DRCE President, BCM Institute moh_heng@bcm-institute.org
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationManaging business risk
Managing business risk What senior managers need to know about business continuity bell.ca/businesscontinuity Information and Communications Technology (ICT) has become more vital than ever to the success
More informationRUNNING HEAD: ITIL V3 IMPROVES INFORMATION SECURITY MANAGEMENT
ITIL v3 Improves 1 RUNNING HEAD: ITIL V3 IMPROVES INFORMATION SECURITY MANAGEMENT ITIL V3 Improves Information Security Management Ginger Taylor East Carolina University ICTN 6823 ITIL v3 Improves 2 Abstract
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationInformation System Audit Guide
Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE
More informationThe Information Security Ownership Question in ISO/IEC 27001 an Implementation Perspective
The Information Security Ownership Question in ISO/IEC 27001 an Implementation Perspective Lizzie Coles Kemp and Richard E. Overill Department of Computer Science, King s College London, University of
More informationISMS Implementation Guide
atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation
More informationDomain 5 Information Security Governance and Risk Management
Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association
More informationSecuring the Microsoft Cloud
Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and consumers to fully embrace and benefit from
More informationSECURITY GUIDELINES INFORMATION SECURITY MANAGEMENT SYSTEM FOR COMPUTERISATION OF LAND RECORD
SECURITY GUIDELINES INFORMATION SECURITY MANAGEMENT SYSTEM FOR COMPUTERISATION OF LAND RECORD 1. PURPOSE & SCOPE: The purpose of security initiative is to enlist the procedures and guidelines, which are
More informationour enterprise security Empowering business
our enterprise security Empowering business Introduction Communication is changing the way we live and work. Ericsson plays a key role in this evolution, using innovation to empower people, business and
More informationHKCS RESPONSE COMMONLY ACCEPTED AUDIT OR ASSESSMENT MECHANISM TO CERTIFY INFORMATION SECURITY STANDARDS
Hong Kong Computer Society Room 1915, 19/F, China Merchants Tower, Shun Tak Centre, 168 Connaught Road Central, Hong Kong Tel: 2834 2228 Fax: 2834 3003 URL: http://www.hkcs.org.hk Email: hkcs@hkcs.org.hk
More informationPreparing for the Convergence of Risk Management & Business Continuity
Preparing for the Convergence of Risk Management & Business Continuity Disaster Recovery Journal Webinar Series September 5, 2012 2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com 1 Today
More informationREPORT. Next steps in cyber security
REPORT March 2015 Contents Executive summary...3 The Deloitte and Efma questionnaire...5 Level of awareness...5 Level of significance...8 Level of implementation...11 Gap identification and concerns...15
More informationNational Cyber Security Policy -2013
National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information
More informationInformation Security Awareness Training
Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information
More informationTABLE OF CONTENTS INTRODUCTION... 1
TABLE OF CONTENTS INTRODUCTION... 1 Overview...1 Coordination with GLBA Section 501(b)...2 Security Objectives...2 Regulatory Guidance, Resources, and Standards...3 SECURITY PROCESS... 4 Overview...4 Governance...5
More informationSLA Based Information Security Metric for Cloud Computing from COBIT 4.1 Framework
International Journal of Computer Networks and Communications Security VOL. 1, NO. 3, AUGUST 2013, 95 101 Available online at: www.ijcncs.org ISSN 2308-9830 C N C S SLA Based Information Security Metric
More informationAsset Management Systems Scheme (AMS Scheme)
Joint Accreditation System of Australia and New Zealand Scheme (AMS Scheme) Requirements for bodies providing audit and certification of 13 April 2015 Authority to Issue Dr James Galloway Chief Executive
More informationWeighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers
Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye
More informationContinuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
More informationJOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.
JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President
More informationAn Overview of ISO/IEC 27000 family of Information Security Management System Standards
What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information
More informationA COMPARATIVE FRAMEW ORK FOR EVALUATING INFORMATION SECURITY RISK MANAGEMENT METHODS
A COMPARATIVE FRAMEW ORK FOR EVALUATING INFORMATION SECURITY RISK MANAGEMENT METHODS W.G. Bornman wgb@adam.rau.ac.za L. Labuschagne ll@na.rau.ac.za RAU - Standard Bank Academy for Information Technology,
More informationGold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary
Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK Executive Summary Core statements I. Cyber security is now too hard for enterprises The threat is increasing
More informationIs cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary
Is cyber security now too hard for enterprises? Executive Summary Sponsors The creation and distribution of this study was supported by CGI, cybx and Fujitsu/Symantec. Premium sponsors: Gold sponsor: 2
More informationKey Components of a Risk-Based Security Plan
Key Components of a Risk-Based Security Plan How to Create a Plan That Works Authors: Vivek Chudgar Principal Consultant Foundstone Professional Services Jason Bevis Director Foundstone Professional Services
More informationLeveraging Network and Vulnerability metrics Using RedSeal
SOLUTION BRIEF Transforming IT Security Management Via Outcome-Oriented Metrics Leveraging Network and Vulnerability metrics Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965 Freedom
More informationGUIDANCE MATERIAL GUIDANCE ON THE USE OF POSITIVE PERFORMANCE INDICATORS TO IMPROVE WORKPLACE HEALTH AND SAFETY
GUIDANCE MATERIAL GUIDANCE ON THE USE OF POSITIVE PERFORMANCE INDICATORS TO IMPROVE WORKPLACE HEALTH AND SAFETY Office of the Australian Safety and Compensation Council NOVEMBER 2005 IMPORTANT NOTICE The
More informationKey Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing
Contents Introduction Why GRC Assessment Benefits of Cloud computing and Problem Statement Key Speculations & Problems faced by Cloud service user s in Today s time Threats, Vulnerabilities and related
More informationInformation Security Management for SMEs: Implementating and Operating a Business Continuity Management System (BCMS) Using PDCA Cycle
Proceedings of FIKUSZ 13 Symposium for Young Researchers, 2013, 133-141 pp The Author(s). Conference Proceedings compilation Obuda University Keleti Faculty of Business and Management 2013. Published by
More informationIT Audit and Compliance
Problem IT Audit and Compliance IT audit is about the formal verification and validation of the quality and effectiveness of IT controls to support the overall business control objectives. From a security
More informationTop 10 Compliance Issues for Implementing Security Programs
www.dyonyx.com Top 10 Compliance Issues for Implementing Security Programs This White Paper articulates the top ten issues that we have encountered in the design and implementation of comprehensive Security
More information