This document proposes a framework called the Bornman Framework for Information Security Risk Management Communication (BFIC) to help organizations effectively communicate information security risk information between different management levels. The BFIC is made up of three groups of indicators - core indicators related to key risk management processes, indicators that support the identification and control processes, and overarching indicators related to risk management program support. The framework is designed to provide concise yet meaningful information on an organization's information security risk management program to ensure strategic management has the information needed for proper governance and oversight.
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx (MargenePurnell14)
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
Addressing Information Security Risks by Adopting
Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡ P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in nearly every facet of human activity, including finance, transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks, including information technology risks. Several standards, best practices, and frameworks have been created to help organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their efforts to properly manage information security risks when adopting international standards and frameworks. To assist in selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and implemented with a concentration on functionality, cost reduction and ease of use. Information security was not incorporated early enough into systems and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as system vulnerabilities, and to limit their damaging impact on information system integrity, confidentiality, and availability. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attacking techniques and methods are virtually countless and are evolving tremendously [1, 2].

In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail to identify the risks associated with the technology they use, the people they employ, or the environment where they operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process.

Because risks cannot be complete.
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx (healdkathaleen)
Running Head: CYBERSECURITY FRAMEWORK
Integrating NIST CSF with IT Governance Frameworks
Nkengazong Tung
University of Maryland University College
29 AUGUST 2019
IT governance is the set of processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. In the eCommerce industry, IT governance establishes structure by defining organizational reporting lines, oversight committees, standards, policies, and procedures. A well-defined structure effectively sets the operating boundaries for the organization (Moeller, 2017). It also sets direction by creating, or aligning with, the corporate strategy and defining the short- and long-term objectives for the organization. In the eCommerce industry, it is important to note how regulations are followed, how standards are followed by process managers, how server capacity planning should be done, whether all IT assets are tracked, and so on. This internal function that continually checks the "health status" of the various processes to ensure they run smoothly is governance.
IT management is the overseeing of IT services and technology in an organization. It has several elements, all of which focus on aligning IT goals with business objectives in a way that creates the most value for the organization. These components are IT strategy, IT service and IT assets. Some of the IT management issues faced by an eCommerce company include how to secure customer information, how to provide value to the company, and how to support business operations. To address the IT management challenges faced in eCommerce, IT policies must be put in place to define the various processes within the organization. A policy is a set of guidelines that define how things are done within an organization. With a well-defined policy, activities in the eCommerce industry are clearly laid out, which makes them easier to operate.
Risk management is the process used to identify, evaluate and respond to possible accidental losses in situations where the only possible outcomes are losses or no change in the status quo. It is an overall management function that seeks to assess and address the causes and effects of uncertainty and risk to an organization (Susmann & Braman, 2016). The aim of risk management is to enable an organization to progress toward its goals and objectives in the most direct, efficient, and effective way. Risk management issues faced by an eCommerce company include loss of data, unauthorized access to data, and system failure. To address risk management in the eCommerce industry, a comprehensive risk management plan must be developed to address possible risks that might cause harm to the system. A good risk management plan provides procedures as well as guidelines on how to respond to threats and to unforeseen incidents. By having a well-laid plan, the ...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE... (IJNSA Journal)
For organizations, the protection of information is of utmost importance. Throughout the years, organizations have experienced numerous system losses which have had a direct impact on their most valuable asset, information. Organizations must therefore find ways to make sure that the appropriate and most effective information security controls are implemented in order to protect their critical or most sensitive classified information. Existing information security control selection methods have been employed in the past, including risk analysis and management, baseline manuals, or random approaches. However, these methods do not take into consideration organization specific constraints such as costs of implementation, scheduling, and availability of resources when determining the best set of controls. In addition, these existing methods may not ensure the inclusion of required/necessary controls or the exclusion of unnecessary controls. This paper proposes a novel approach for evaluating information security controls to help decision-makers select the most effective ones in resource-constrained environments. The proposed approach uses Desirability Functions to quantify the desirability of each information security control taking into account benefits and penalties (restrictions) associated with implementing the control. This provides Management with a measurement that is representative of the overall quality of each information security control based on organizational goals. Through a case study, the approach is proven successful in providing a way for measuring the quality of information security controls (based on multiple application-specific criteria) for specific organizations.
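The desirability-function scoring that the abstract refers to, as an added example that is not the paper's own code, data or exact formulation: it uses the standard Derringer-Suich one-sided desirability functions (a benefit such as effectiveness is mapped onto [0, 1] as larger-is-better; a penalty such as cost or schedule as smaller-is-better, with the upper bound acting as a hard limit) and combines the per-criterion values with a weighted geometric mean, so that a control violating any hard limit scores zero and is excluded. The bounds, the equal weights and the three hypothetical controls with their metrics are constructed assumptions.

```python
"""Added example: scoring security controls with desirability functions.

Not the paper's code or case data. Uses the standard Derringer-Suich
one-sided desirability functions and a weighted geometric mean; the bounds,
weights and the three hypothetical controls below are constructed assumptions.
"""
from math import prod


def larger_is_better(y, low, high, s=1.0):
    """Benefit criterion: 0 at or below `low`, 1 at or above `high`,
    a power curve with exponent s in between (s = 1 is linear)."""
    if y <= low:
        return 0.0
    if y >= high:
        return 1.0
    return ((y - low) / (high - low)) ** s


def smaller_is_better(y, low, high, s=1.0):
    """Penalty criterion: 1 at or below `low`, 0 at or above `high`.
    `high` therefore behaves as a hard constraint (budget ceiling, deadline)."""
    if y <= low:
        return 1.0
    if y >= high:
        return 0.0
    return ((high - y) / (high - low)) ** s


def overall_desirability(ds, weights=None):
    """Weighted geometric mean of the individual desirabilities. Any single
    d_i == 0 forces D == 0, which is what makes a violated hard constraint
    exclude the control outright instead of merely lowering its score."""
    if weights is None:
        weights = [1.0] * len(ds)
    if any(d == 0.0 for d in ds):
        return 0.0
    total = sum(weights)
    return prod(d ** (w / total) for d, w in zip(ds, weights))


# Constructed criteria: (metric key, desirability function, low, high).
CRITERIA = [
    ("effectiveness", larger_is_better, 0.0, 1.0),        # assumed 0..1 rating
    ("cost_usd", smaller_is_better, 10_000, 100_000),      # 100k = budget ceiling
    ("schedule_days", smaller_is_better, 0, 90),           # 90 days = deadline
]

# Constructed candidate controls with assumed metrics (not from the paper).
CONTROLS = {
    "MFA for finance apps": {"effectiveness": 0.80, "cost_usd": 40_000, "schedule_days": 30},
    "Privileged access vault": {"effectiveness": 0.90, "cost_usd": 120_000, "schedule_days": 60},
    "Quarterly access review": {"effectiveness": 0.50, "cost_usd": 10_000, "schedule_days": 9},
}


def score_controls(controls=CONTROLS, criteria=CRITERIA, weights=None):
    """Return {control name: overall desirability D}, best first."""
    out = {}
    for name, metrics in controls.items():
        ds = [fn(metrics[key], lo, hi) for key, fn, lo, hi in criteria]
        out[name] = overall_desirability(ds, weights)
    return dict(sorted(out.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for name, d in score_controls().items():
        flag = "  (excluded: hard constraint violated)" if d == 0.0 else ""
        print(f"{name:26s} D = {d:.3f}{flag}")
```

Run as written, the cheap and quick access review outranks the stronger but slower MFA rollout, and the privileged-access vault drops out entirely because its cost exceeds the budget ceiling; that is the resource-constrained trade-off the abstract argues risk-only and baseline selection methods do not capture.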
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION (IJNSA Journal)
Information security necessitates the implementation of safeguards to provide an adequate defense against attacks, threats, and breaches. Nonetheless, even with "adequate" defensive efforts, sensitive and confidential financial information remains a tempting target, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method to address information security problems is the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using the Analytic Hierarchy Process (AHP), and determines which controls best suit management's goals and objectives. Through a case study, the approach is proven successful in providing a way of measuring the quality of access security controls over financial information based on multiple application-specific criteria.
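The AHP evaluation that the abstract describes only at a high level, as an added example rather than the paper's own code or case data: pairwise judgements on Saaty's 1-9 scale are turned into priority weights by the row geometric-mean method, every judgement matrix is screened with the consistency ratio (CR) before it is trusted, and the criterion weights are multiplied through the per-criterion control priorities to give one score per control. The three access controls, the three criteria, every numeric judgement and the CR > 0.10 rejection threshold (Saaty's usual rule of thumb) are constructed assumptions.

```python
"""Added example: ranking access security controls with AHP.

Not the paper's code or case data. The criteria, the three hypothetical
controls and every pairwise judgement below are constructed for illustration
on Saaty's 1-9 scale; the method (row geometric-mean priorities plus the
lambda_max consistency check) is the standard AHP procedure.
"""
from math import prod

# Saaty's random consistency index (RI), keyed by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def validate_reciprocal(matrix):
    """Reject anything that is not a positive reciprocal matrix (a_ij * a_ji = 1)."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n or abs(matrix[i][i] - 1.0) > 1e-9:
            raise ValueError(f"row {i}: not square or diagonal entry is not 1")
        for j in range(n):
            if matrix[i][j] <= 0 or abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) are not reciprocal")


def priority_vector(matrix):
    """Normalised row geometric means: the usual closed-form approximation of
    the principal eigenvector of a pairwise-comparison matrix."""
    validate_reciprocal(matrix)
    n = len(matrix)
    gm = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1).
    Saaty's rule of thumb: CR > 0.10 means the judgements contradict each other."""
    n = len(matrix)
    if n <= 2:
        return 0.0  # reciprocal 1x1 and 2x2 matrices are always consistent
    w = priority_vector(matrix)
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def ahp_rank(criteria_matrix, alternative_matrices, names, max_cr=0.10):
    """Weight the criteria, score each alternative under each criterion, and
    aggregate. alternative_matrices[k] compares the alternatives under
    criterion k. Returns (score_by_name, worst_cr); raises if any matrix
    fails the consistency screen, because a score built on contradictory
    judgements is meaningless."""
    crs = [consistency_ratio(criteria_matrix)]
    crs += [consistency_ratio(m) for m in alternative_matrices]
    worst = max(crs)
    if worst > max_cr:
        raise ValueError(f"inconsistent judgements: CR {worst:.3f} > {max_cr}")
    cw = priority_vector(criteria_matrix)
    local = [priority_vector(m) for m in alternative_matrices]
    scores = {name: sum(cw[k] * local[k][a] for k in range(len(cw)))
              for a, name in enumerate(names)}
    return scores, worst


# ---- constructed judgements (assumptions, not the paper's case study) ----
CONTROLS = ["MFA on finance apps", "Role-based access", "Privileged-session logging"]

# Criteria in order: effectiveness, cost, auditability.
# Effectiveness judged twice as important as cost and four times auditability.
CRITERIA = [[1, 2, 4],
            [1/2, 1, 2],
            [1/4, 1/2, 1]]

BY_CRITERION = [
    [[1, 2, 4], [1/2, 1, 2], [1/4, 1/2, 1]],   # effectiveness: MFA > RBAC > logging
    [[1, 1/2, 1/4], [2, 1, 1/2], [4, 2, 1]],   # cost: logging cheapest, MFA dearest
    [[1, 1, 1/2], [1, 1, 1/2], [2, 2, 1]],     # auditability: logging preferred
]

# Intransitive judgements (A > B, B > C, C > A): must fail the CR screen.
INTRANSITIVE = [[1, 3, 1/3], [1/3, 1, 3], [3, 1/3, 1]]


def rank_constructed_controls():
    """Best-first (name, score) list plus the worst CR seen across all matrices."""
    scores, worst_cr = ahp_rank(CRITERIA, BY_CRITERION, CONTROLS)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True), worst_cr


if __name__ == "__main__":
    ranking, cr = rank_constructed_controls()
    for name, s in ranking:
        print(f"{name:28s} {s:.3f}")
    print(f"worst CR across judgement matrices: {cr:.3f}")
    print(f"CR of the intransitive matrix: {consistency_ratio(INTRANSITIVE):.2f}")
```

The deliberately intransitive matrix at the end is the failure mode to watch for when collecting judgements from several managers: the geometric-mean step still returns a tidy-looking equal-weight vector for it, and only the CR check (about 1.15 here, far above 0.10) reveals that the judgements cancel each other out and the resulting ranking would be noise.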
Discussion 1 Improving Risk Management Capabilities To .docx (charlieppalmer35273)
Discussion 1
Improving Risk Management Capabilities
    To understand risk and how to properly address it, a risk management framework is required. The objective of a risk management framework (RMF) is to create a common understanding of risk, to ensure the right risks are being addressed at the right levels, and to involve the right people in making risk decisions (McKeen & Smith, 2015). Organizations that do not have an effective risk management strategy, or in extreme cases do not have one at all, risk suffering situations in which the impact of negative events or threats exceeds their response capabilities (Rivas, 2019). So the development of effective risk management is necessary to mitigate risks. McKeen and Smith suggested some actions to develop effective risk management capabilities.
Look Beyond Technical Risk
    Effective risk management requires looking beyond the technical aspects of risk. Rather than focusing only on technical threats, risk management should be able to foresee other categories of risk too. Don't ignore risks that are non-quantifiable (Moses, 2018). The presence of risk creates surprises throughout the project life cycle, affecting everything from technical feasibility to cost, market timing, financial performance, and strategic objectives (Loch, Solt, & Bailey, 2007).
Develop a Common Language of Risk
    There should be a common communication medium so that risks are properly understood. Everyone, such as stakeholders, IT, audit, privacy, legal, and business managers, should speak the same language to clearly understand and communicate the associated risks (McKeen & Smith, 2015). The central purpose of a common risk language is to assist management with evaluating the completeness of its efforts to identify events and scenarios that merit consideration in a risk assessment ("Using a Risk Model as a Common Language", 2014).
Simplify the Presentation
    The risk management framework should be presented without complexity so that it is easier for everyone to understand. Refining your process is a large part of simplifying risk management, but you can make managing risk even simpler and more effective by ensuring that you're using the right tools (Millier, 2018). The most effective approaches are simple: a narrative, a dashboard, a "stoplight" report, or another graphic style of report (McKeen & Smith, 2015).
Right Size
    Risk management should be sized to the organization and should exclude levels of risk that are not relevant to it. Effective risk management practices not only allow controls to be adapted, but also make sure that the decisions made are visible and the rationale is communicated (McKeen & Smith, 2015).
Standardize the Technology Base
    The purpose of standards is the formalization of the risk management process in order to improve its effectiveness (Ciocoiu & Dobrea, 2010). Risk management standards combine best practices and are thus a vital element of effective risk managem.
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxMargenePurnell14
Â
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
28
Addressing Information Security Risks by Adopting
Standards
Walid Al-Ahmad*âĄ, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
âĄ
P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in nearly every facet of human activity including, finance,
transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,
including information technology risks. Several standards, best practices, and frameworks have been created to help
organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their
efforts to properly manage information security risks when adopting international standards and frameworks. To assist in
selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used
standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations
is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering
most aspects of our daily life. Businesses which
are heavily dependent on this technology use
information systems which were designed and
implemented with concentration on functionality,
costs reduction and ease of use. Information
security was not incorporated early enough into
systems and only recently has it started to get the
warranted attention. Accordingly, there is a need to
identify and manage these hidden weaknesses,
referred to as systems vulnerabilities, and to limit
their damaging impact on the information systems
integrity, confidentiality, and availability.
Vulnerabilities are exploited by attacks which are
becoming more targeted and sophisticated.
Attacking techniques and methods are virtually
countless and are evolving tremendously [1, 2].
In any enterprise, information security risks
must be identified, evaluated, analyzed, treated and
properly reported. Businesses that fail in
identifying the risks associated with the
technology they use, the people they employ, or
the environment where they operate usually
subject their business to unforeseen consequences
that might result in severe damage to the business
[3]. Therefore, it is critical to establish reliable
information security risk assessment and treatment
frameworks to guide organizations during the risk
management process.
Because risks cannot be complete.
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxbagotjesusa
Â
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
28
Addressing Information Security Risks by Adopting
Standards
Walid Al-Ahmad*âĄ, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
âĄ
P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in nearly every facet of human activity including, finance,
transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,
including information technology risks. Several standards, best practices, and frameworks have been created to help
organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their
efforts to properly manage information security risks when adopting international standards and frameworks. To assist in
selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used
standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations
is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering
most aspects of our daily life. Businesses which
are heavily dependent on this technology use
information systems which were designed and
implemented with concentration on functionality,
costs reduction and ease of use. Information
security was not incorporated early enough into
systems and only recently has it started to get the
warranted attention. Accordingly, there is a need to
identify and manage these hidden weaknesses,
referred to as systems vulnerabilities, and to limit
their damaging impact on the information systems
integrity, confidentiality, and availability.
Vulnerabilities are exploited by attacks which are
becoming more targeted and sophisticated.
Attacking techniques and methods are virtually
countless and are evolving tremendously [1, 2].
In any enterprise, information security risks
must be identified, evaluated, analyzed, treated and
properly reported. Businesses that fail in
identifying the risks associated with the
technology they use, the people they employ, or
the environment where they operate usually
subject their business to unforeseen consequences
that might result in severe damage to the business
[3]. Therefore, it is critical to establish reliable
information security risk assessment and treatment
frameworks to guide organizations during the risk
management process.
Because risks cannot be complete.
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docxhealdkathaleen
Â
Running Head: CYBERSECURITY FRAMEWORK 1
CYBERSECURITY FRAMEWORK 5
Integrating NIST CSF with IT Governance Frameworks
Nkengazong Tung
University of Maryland University College
29 AUGUST 2019
IT governance is the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. In the eCommerce industry, IT governance develop structure by characterizing hierarchical detailing lines, oversight advisory groups, standards, approaches, and procedures. A well-characterized structure viably sets the working limits for the association (Moeller, 2017). It additionally sets guidelines by making or lining up with the corporate procedure and characterizing the short and long haul objectives for the association. In the eCommerce industry, it is important to note how the regulations are followed, how standards are followed by the process managers, how planning for the capacity of servers should be done, ensure all the IT assets are tracked, etc. This internal function that is self-checking the âhealth statusâ of the various process to ensure the smoother function is Governance. Comment by Michael Baker: Recommend subtitles that match rubric
IT management is overseeing IT services or innovation in an organization. It has several elements, all of which focus on aligning IT goals with business objectives in a way that creates the most value of an organization. These components are IT strategy, IT service and IT asset. Some of IT management issues faced by an eCommerce company include ways to secure customers information, providing value to the company, as well as supporting business operations. To address IT management challenges faced in eCommerce, IT policies must be put in place to define various processes within the organization. A policy is a set of guidelines that define how things are done within an organization. With a well-defined policy, activities in the eCommerce industry are well outlined and making it easy to operate.
Risk Management is the process used to identify, evaluate and respond to possible accidental losses in situations where the only possible outcomes are losses or no change in the status. It is an overall administration function that tries to evaluate and address the circumstances and end results of vulnerability and threat to an association (Susmann & Braman, 2016). The aim of threat management is to empower an association to advance towards its objectives and goals in the most immediate, proficient, and viable way. Risk management issues faced by an eCommerce company are loss of data, unauthorized access of data as well as system failure. To address risk management in the eCommerce industry, a comprehensive risk management plan must be developed to address possible risks that might cause harm to the system. A good risk management plan provides procedures as well as guideline on how to respond to threats and also unforeseen incidents. By having a well-laid plan, the ...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...IJNSA Journal
Â
For organizations, the protection of information is of utmost importance. Throughout the years, organizations have experienced numerous system losses which have had a direct impact on their most valuable asset, information. Organizations must therefore find ways to make sure that the appropriate and most effective information security controls are implemented in order to protect their critical or most sensitive classified information. Existing information security control selection methods have been employed in the past, including risk analysis and management, baseline manuals, or random approaches. However, these methods do not take into consideration organization specific constraints such as costs of implementation, scheduling, and availability of resources when determining the best set of controls. In addition, these existing methods may not ensure the inclusion of required/necessary controls or the exclusion of unnecessary controls. This paper proposes a novel approach for evaluating information security controls to help decision-makers select the most effective ones in resource-constrained environments. The proposed approach uses Desirability Functions to quantify the desirability of each information security control taking into account benefits and penalties (restrictions) associated with implementing the control. This provides Management with a measurement that is representative of the overall quality of each information security control based on organizational goals. Through a case study, the approach is proven successful in providing a way for measuring the quality of information security controls (based on multiple application-specific criteria) for specific organizations.
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONIJNSA Journal
Â
Information security necessitates the implementation of safeguards to guarantee an adequate defense against attacks, threats, and breaches from occurring. Nonetheless, even with âadequateâ defensive efforts, the taste for accessing sensitive and confidential financial information is too tempting, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method to address information security problems is achieved through the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using Analytic Hierarchy Process (AHP), and determines which controls best suit managementâs goals and objectives. Through a case study, the approach is proven successful in providing a way for measuring the quality of access security controls over financial information based on multiple application-specific criteria.
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONIJNSA Journal
Â
Information security necessitates the implementation of safeguards to guarantee an adequate defense against attacks, threats, and breaches from occurring. Nonetheless, even with âadequateâ defensive efforts, the taste for accessing sensitive and confidential financial information is too tempting, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method to address information security problems is achieved through the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using Analytic Hierarchy Process (AHP), and determines which controls best suit managementâs goals and objectives. Through a case study, the approach is proven successful in providing a way for measuring the quality of access security controls over financial information based on multiple application-specific criteria.
Discussion 1Improving Risk Management Capabilities    To .docxcharlieppalmer35273
Â
Discussion 1
Improving Risk Management Capabilities
    To understand risk and how to properly address risk, a risk management framework is required. The objective of a risk management framework (RMF) is to create a common understanding of risk, to ensure the right risks are being addressed at the right levels, and to involve the right people in making risk decisions (McKeen, & Smith, 2015). Those organizations that do not have an effective Risk Management strategy or, in extreme cases, do not have one at all; they risk suffering situations in which the impact of negative events or threats exceeds their response capabilities (Rivas, 2019). So the development of effective risk management is necessary to mitigate against risks. McKeen, & Smith suggested some actions to develop effective risk management capabilities.
Look Beyond Technical Risk
    An effective risk management requires to look beyond the technical aspects of the risks. Rather than only focusing on technical threats, risk management should be able to foresee other category of risks too. Donât ignore risks that are non-quantifiable (Moses, 2018). The presence of risk creates surprises throughout the project life cycle, affecting everything from technical feasibility to cost, market timing, financial performance, and strategic objectives (Loch, Solt, & Bailey, 2007).
Develop a Common Language of Risk
    There should be a common communication medium to understand the risks properly. Everyone such as stockholders, IT, Audit, privacy, legal, business managers should speak the same language to clearly understand and communicate the associated the risks (McKeen, & Smith, 2015). The central purpose of a common risk language is to assist management with evaluating the completeness of its efforts to identify events and scenarios that merit consideration in a risk assessment (âUsing a Risk Model as a Common Languageâ, 2014).
Simplify the Presentation
    The risk management framework should be presented without complexity so that it's easier for everyone to understand. Refining you process is a huge portion of simplifying risk management, but you can make managing risk even more simple and effective by ensuring that youâre using the right tools (Millier, 2018). The most effective approaches are simple: a narrative, a dashboard, a âstoplightâ report, or another graphic style of report (McKeen, & Smith, 2015).
Right Size
    Risk management should exclude levels of risk that are not relevant to the organization. Effective risk management practices not only allow controls to be adapted, but also make sure that the decisions made are visible and the rationale is communicated (McKeen & Smith, 2015).
Standardize the Technology Base
    Standards aim to formalize the risk management process in order to improve its effectiveness (Ciocoiu & Dobrea, 2010). Risk management standards combine best practices and are thus a vital element of effective risk management.
The Significance of IT Security Management & Risk Assessment (Bradley Susser)
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures, as well as risk assessment and the various techniques and approaches to minimize an organization's financial impact due to the exploitation of numerous organizational assets.
Emerging Need of a Chief Information Security Officer (CISO) (Maurice Dawson)
This submission examines the emerging need for the Chief Information Security Officer (CISO), including the associated roles and responsibilities. One of the key artifacts associated with the CISO, the security plan, shall be detailed.
71 Information Governance Policy Development .docx (sleeperharwell)
CHAPTER 6
Information Governance Policy Development
To develop an information governance (IG) policy, you must inform and frame the policy with internal and external frameworks, models, best practices, and standards: those that apply to your organization and the scope of its planned IG program. In this chapter, we first present and discuss major IG frameworks and models and then identify key standards for consideration.
A Brief Review of Generally Accepted Recordkeeping Principles®
In Chapter 3 we introduced and discussed ARMA International's eight Generally Accepted Recordkeeping Principles®, known as The Principles (or sometimes GAR Principles). These Principles and associated metrics provide an IG framework that can support continuous improvement.
To review, the eight Principles are:
1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition
The Principles establish benchmarks for how organizations of all types and sizes can build and sustain compliant, legally defensible records management (RM) programs. Using the maturity model (also presented in Chapter 3), organizations can assess where they are in terms of IG, identify gaps, and take steps to improve across the eight areas The Principles cover.
IG Reference Model
In late 2012, with the support and collaboration of ARMA International and the Compliance, Governance and Oversight Council (CGOC), the Electronic Discovery Reference Model (EDRM) Project released version 3.0 of its Information Governance Reference Model (IGRM), which added information privacy and security "as primary functions and stakeholders in the effective governance of information." The model is depicted in Figure 6.1.
The IGRM is aimed at fostering IG adoption by facilitating communication and collaboration between disparate (but overlapping) IG stakeholder functions, including information technology (IT), legal, RM, risk management, and business unit stakeholders. It also aims to provide a common, practical framework for IG that will foster adoption of IG in t.
[Figure 6.1: Information Governance Reference Model (Source: EDRM.net, © 2012, v3.0). The model links duty (the legal obligation for specific information) and value (the utility or business purpose of specific information) to the information asset (the specific container of information) for efficient, effective management. Lifecycle stages shown: create/use, hold/discover, store/secure, retain, archive, dispose. Stakeholder groups and their driver: business (profit), IT (efficiency), legal (risk), RIM (risk), privacy and security (risk), brought together through unified governance, process transparency and policy integration.]
If you have the problem of not knowing how to build a foundation for information security, if you are faced with questions such as where to start and how to start, then this white paper may have the solutions and answers for you. In this paper you learn how to build the foundation step by step. It is written by an expert, but in simple language that is easy to understand. I have seen many papers that addressed this issue, but none in the style of this paper.
Empirical study on the status of Moroccan information systems and proposition... (INFOGAIN PUBLICATION)
Today, the function of the chief information officer (CIO) has become part of the flow charts of many Moroccan companies [1]. Based on this statement, in the first part of this work we did an empirical study of the state of Moroccan information systems (IS) to know their strengths and weaknesses. The aim of the second part is to propose an approach based on IT (information technology) frameworks that helps CIOs form their own repository of good practices to be applied in order to have good IT governance.
Improving Cyber Readiness with the NIST Cybersecurity Framework (William McBorrough)
Still need a primer on the CSF? Check out my article in the Access Business Team January 2017 Newsletter on how businesses can improve their cyber readiness with the NIST Cybersecurity Framework.
To ensure security, it is important to build in security in both the planning and the design phases and to adopt a security architecture that makes sure that regular and security-related tasks are deployed correctly. Security requirements must be linked to the business goals. We identified four domains that affect security in an organization, namely organizational governance, organizational culture, the architecture of the systems, and service management. In order to identify and explore the strengths and weaknesses of a particular organization's security, a wide-ranging model has been developed. This model is proposed as an information security maturity model (ISMM) and is intended as a tool to evaluate the ability of organizations to meet the objectives of security.
TOWARDS AN APPROACH FOR INTEGRATING BUSINESS CONTINUITY MANAGEMENT INTO ENTER... (ijcsit)
In today's global and complex business environment, security is a major issue for any organization. All organizations should have the capability to plan and respond to incidents and business disruptions. Business continuity management is part of information security management, and the process of business continuity management (BCM) can meet these needs. Indeed, business continuity refers to the ability of a business to continue its operations even if some sort of failure or disaster occurs. Business continuity management (BCM) requires a holistic approach that considers technological and organizational aspects. Besides, enterprise architecture (EA) is a comprehensive view of organizational architecture, business and technology architecture, and their relationships. EA is also considered by several studies as a foundation for BC and security management. Our research aims at studying how the BCM aspect can be embedded into the enterprise architecture. In this sense, this paper proposes a metamodel and an implementation method that considers BC in the design and implementation of EA.
CHAPTER 3 Security Policies and Regulations In this chap (EstelaJeffery653)
CHAPTER 3
Security Policies and Regulations
In this chapter you will
• Explore the different types of regulations associated with secure software development
• Learn how security policies impact secure development practices
• Explore legal issues associated with intellectual property protection
• Examine the role of privacy and secure software
• Explore the standards associated with secure software development
• Examine security frameworks that impact secure development
• Learn the role of securing the acquisition lifecycle and its impact on secure development
Regulations and Compliance
Regulations and compliance drive many activities in an enterprise. The primary
reason behind this is the simple fact that failure to comply with rules and
regulations can lead to direct, and in some cases substantial, financial penalties.
Compliance failures can carry additional costs, as in increased scrutiny, greater
regulation in the future, and bad publicity. Since software is a major driver of
many business processes, a CSSLP needs to understand the basis behind various
rules and regulations and how they affect the enterprise in the context of their
own development efforts. This enables decision making as part of the software
development process that is in concert with these issues and enables the
enterprise to remain compliant.
Much has been said about how compliance is not the same as security. In a
sense, this is true, for one can be compliant and still be insecure. When viewed
from a risk management point of view, security is an exercise in risk
management, and so are compliance and other hazards. Add it all together, and
you get an "all hazards" approach, which is popular in many industries, as senior
management is responsible for all hazards and the residual risk from all risk
sources.
Regulations can come from several sources, including industry and trade
groups and government agencies. The penalties for noncompliance can vary as
well, sometimes based on the severity of the violation and other times based on
political factors. The factors determining which systems are included in
regulation and the level of regulation also vary based on situational factors.
Typically, these factors and rules are published significantly in advance of
instantiation to allow firms time to plan enterprise controls and optimize risk
management options. Although not all firms will be affected by all sets of
regulations, it is also not uncommon for a firm to have multiple sets of
regulations across different aspects of an enterprise, even overlapping on some
elements. This can add to the difficulty of managing compliance, as different
regulations can have different levels of protection requirements.
Many development efforts may have multiple regulatory impacts, and
mapping the different requirements to the individual data flows that they each
affect is important. For instance, if an application invo ...
A Framework For Information Security Risk Management Communication
A FRAMEWORK FOR INFORMATION SECURITY RISK MANAGEMENT COMMUNICATION
Werner G. Bornman¹, Les Labuschagne²
Academy for Information Technology, University of Johannesburg, South Africa
¹ werner.bornman@kpmg.co.za, ² ll@na.rau.ac.za
PO Box 524, Auckland Park, Johannesburg, South Africa, 2006
+27 (11) 489-2847
ABSTRACT
Organisations have over the last couple of years become more aware of the importance of
information security risk management and its corresponding due diligence requirements. A
cornucopia of information security risk management approaches exist that can assist organisations
in determining and controlling risks. However, with these choices organisations are finding it
increasingly difficult to communicate the information security risks to the strategic level or for
strategic management to communicate information security goals to the organisation. An approach
is necessary that will enable organisations to communicate information security risk information to
strategic level management quickly and unambiguously. This approach will have to provide
information in accordance with corporate governance requirements and be based on best practice.
This article suggests a framework that was developed from best practice and industry standards, and
takes into consideration various information security risk management approaches.
KEYWORDS
Information security; information security risk management; risk management; risk communication; corporate governance; IT governance
1 INTRODUCTION
Information security risk management is a business area that has over the last decade become a
prominent risk management field within organisations. This increased importance is mainly through
the due diligence expected by governmental regulations or recommendations such as King II
[KING 02], Sarbanes-Oxley Act [TUDO 01] and the Turnbull Report [INCA 99].
These recommendations require that management take responsibility and accountability for
risks within their organisations, including the information technology (IT) related risks that radiate
from within and around modern organisations. However, organisations regard IT as a supporting
function that should be managed as such. This "supporting" function can have a far greater impact
on organisations than is sometimes expected.
Management cannot manage what they are not aware of; therefore it is necessary that
management obtain risk management information (including the controls to mitigate those risks) in
a timely manner. Currently various information security risk management (ISRM) methodologies
can be implemented, but these methodologies, approaches or frameworks are targeted at different
levels in the organisation, which makes it difficult to consolidate the risk information.
A solution would have to be developed that can assist organisations in communicating ISRM
information across all levels of the organisation. The framework should fulfil three basic
requirements: it should be easy to implement in any organisation irrespective of size and industry
type, it should be based on corporate governance requirements and industry best practice and finally
it should communicate ISRM information effectively.
The goal of this article is to present a framework that solves the ISRM communication
dilemma that exists between the various managerial levels of the organisation. This goal will be
reached through several objectives. The first is to provide background on why ISRM
communication is a problem in modern organisations. The second objective is to discuss the
processes that were followed in developing the solution, and the third objective is to discuss the
structure and processes involved in implementing the framework. The fourth objective is to provide
an objective evaluation of the framework.
The next section provides a high level overview of the ISRM environment and why
communication within this environment is difficult for modern organisations.
2 INFORMATION SECURITY RISK MANAGEMENT CACOPHONY
Organisations have always been aware of the importance of good corporate governance, none so
much as in the last couple of years. Governments and stock trading institutions require
organisations to demonstrate due diligence [TUDO 01]. With these requirements imposed,
organisations have to institute methodologies, frameworks and approaches in ensuring compliance.
Coupling due diligence with the proliferation of information technology in organisations, there is a
need for organisations to extend their financial and organisational controls to the IT environment to
ensure that the information is kept confidential, accurate and available when required. These three
components form the basis of information security [CRAM 03] [TUDO 01] [SABS 00].
There are numerous information security risk management related methodologies, approaches
and frameworks [CRAM 03] [COBI 00] [IST 03] [ALBE 03]. However, none consider the context
of information security communication within the organisational structure. These approaches,
methodologies and frameworks have a horizontal plane view of risks at either the operational,
tactical or strategic level. Several methodologies such as CRAMM [CRAM 03] and CORAS [IST 03]
are operational level ISRM methodologies that rely on software applications. These
applications produce lengthy reports based on technical evaluation of the information security risks
in an organisation.
Separate documents can be produced for different divisions or business units. These documents
are not written in business terms, so top management cannot readily understand the impact the
risks can have on the organisation. Furthermore, the different documents might not provide the
business case or the regulatory information top management needs in order to act on the risk
controls [BORN 04]. Organisations' strategic decisions are not made on the basis of technical
reports; organisations therefore require a framework that enables the communication of ISRM
information to top management.
3 BUILDING THE FRAMEWORK
Different approaches were considered for solving the communication problem. A framework was
chosen because it is a flexible approach that can be applied to all organisations. A framework is a
structure that enables organisations to 'fit' their requirements, methods and approaches into an
organised formation to achieve a specific goal [OXFO 80]. The goal of this framework is to
communicate ISRM information throughout the organisation in order to ensure due diligence and the
corresponding management of information security risks.
A top-down approach was followed in order to determine the components of the framework.
The framework was developed from three different ISRM levels. The levels were corporate
governance, tactical management and operational actions.
At corporate governance level a control set was derived from the King II report on
corporate governance [KING 02] to determine what requirements are set at strategic level for
information security in organisations. Against these requirements several strategic/tactical-level
methodologies, approaches and guidelines were evaluated to determine which would meet them. The
PO9 (Planning and Organisation 9) control objective of the CobiT Framework [COBI 00] was
identified as the single control objective that directly addresses information security at
strategic/tactical level. From this control objective, across the various CobiT products, numerous
individual indicators were identified. An indicator is the set of related data that provides values
for a specific framework component, such as assets; the asset indicator, for instance, provides
data on the number and types of assets. These indicators were logically grouped to form the
Bornman Framework for ISRM Methodology Evaluation (BFME) [BORN1 04] [BORN 04]. Corresponding
scales were developed that can be applied with the BFME to evaluate which ISRM methodologies at
operational and tactical level meet those requirements. It became evident that these lower-level
methodologies do not provide information that complies with the strategic-level requirements
[BORN 04].
The BFME is the precursor to the Bornman Framework for ISRM Information
Communication (BFIC) [BORN1 04]. Where the BFME determines whether or not a framework
can deliver on strategic requirements, the BFIC communicates the ISRM status to strategic
management.
4 BORNMAN FRAMEWORK FOR ISRM INFORMATION COMMUNICATION (BFIC)
TAXONOMY
Several indicators were identified from Planning and Organisation control objective 9 (Assess
Risks) of the Control Objectives for Information and Related Technology (CobiT) set of products
[COBI 00]. From the different indicators it became clear that some of the recommended controls are
in line with the generic risk management processes, some are actions and considerations that
support specific processes, and some are actions that support the whole risk management
programme. The BFIC was subsequently developed to provide information for these three groupings
of ISRM information. The identified indicators were grouped according to their function as
indicated in Figure 1.
Figure 1: Indicator groupings (BFIC Core Indicators; BFIC Process Supporting Indicators; BFIC Risk Management Supporting Indicators)
Each of the indicator groupings is discussed below.
4.1 BFIC Core Indicators
The Core Risk Management Indicators provide information about the risk management programme
employed by the organisation. There are six functions, four of which consist of sub-indicators,
giving 15 individual indicators in total. Each of these indicators provides information on the risk
management programme as required by corporate governance. In general these 15 Core Risk
Management Indicators correspond to the processes of ISRM methodologies and approaches. An example
of the information that is communicated is the type and number of assets that were considered
during the risk determination phases.
4.2 BFIC Process Supporting Indicators
BFIC Process Supporting Indicators provide information specific to two groupings of the Core Risk
Management Indicators, namely Identification and Control. The purpose of these supporting
indicators is to provide additional information about the generic risk management steps that is
neither required by corporate governance nor part of the generic risk management processes
themselves. An example would be the various considerations, such as the type and value of assets,
identified as part of the risk identification phase.
4.3 BFIC Risk Management Supporting Indicators
The BFIC Risk Management Supporting Indicators provide information about the factors that
support the ISRM function. In particular, they provide information about the soft issues related to
the BFIC Core Risk Management Indicator functions and the BFIC Process Supporting Indicators.
More importantly, this grouping provides information specific to corporate governance's due
diligence requirements, and it supports all the other indicators of the BFIC. An example is the
time frame associated with each of the risk management processes, since corporate governance
recommendations specify annual reviews.
Each of the above groupingsâ indicators is discussed in more detail in the next section.
5 FRAMEWORK INDICATORS
The indicators that make up the Framework provide values that are specific to a function of the
ISRM programme. Each of these indicators is discussed as part of their respective BFIC categories.
Figure 2 provides a graphical representation of the BFIC and clearly illustrates the three different
indicator groupings and their related indicators. To the left of the indicators are the labels
naming the three indicator groupings. At the top of the figure the BFIC Core Indicators are
displayed within their six subgroupings. In the middle of the diagram the indicators that support
the BFIC Core Indicators are displayed, followed below them by the BFIC Risk Management
Supporting Indicators.
Figure 2: Bornman Framework for ISRM Information Communication
5.1 BFIC Core Risk Management Indicators
The first of the two initial indicators is the Defined risk tolerance profile. This profile
indicates the organisation's willingness to accept risk. Tolerance has to be defined by strategic
management, as it guides the overall direction of the risk management programme. The second
indicator is the Risk action plan, which outlines how risk will be addressed. The high-level risks,
their priority and impact, and the related controls are presented in this high-level plan.
The remaining four indicators refer to subgroupings of processes and are in line with a
generic risk management methodology [PELT 01] that is supported by several ISRM methodologies
such as CRAMM [CRAM 96], CORAS [IST 03] and OCTAVE [ALBE 03]. The four generic risk
management processes are Identification, Risk measures, Risk control and Risk monitoring (see
Figure 2).
The Identification grouping refers to the process of identifying the various components
necessary to determine risk. The generic risk management process most closely related to
identification is the measurement of risk. The importance of assigning a comparative value to risk
cannot be overstated. The goal of the measurement indicator is to give management an indication of
how risks are measured and of the risk value for each asset-threat relationship, so that the reader
knows both how the risks were measured and how to interpret the findings.
The remaining two BFIC Core Risk Management Indicators, Risk control and Risk monitoring, are
also closely related. Once the risks have been identified, the most appropriate controls have to be
selected for the risks that affect the organisation the most. Numerous steps precede the final
selection of controls, for instance ensuring that controls do not counteract each other. The Risk
control indicator is important because it conveys which controls have been put in place to address
risks, as well as which control selection processes were used to determine the most effective and
efficient controls. Considering the investments organisations make in controlling risks, monitoring
the risk management programme, as well as the effectiveness and efficiency of the implemented
controls, is paramount. Monitoring provides a feedback loop through which the effectiveness of
controls is verified. The indicator can also report on the progress of the selected control actions,
for instance the number of controls that should have been put in place compared with the number
currently in place.
The goal of the BFIC Core Risk Management Indicators is to indicate the progress and
findings of the generic risk management processes. However, it has been determined that two
indicator groupings are supported by other actions/considerations. These considerations should also
be communicated as part of the Framework.
5.2 BFIC Process Supporting Indicators
The BFIC Process Supporting Indicators as discussed in 4.2 provide information about the
supporting components to the BFIC Core Risk Management Indicators. There are two groupings of
Process Supporting Indicators; they support the Identification and Risk control process groupings.
5.2.1 Identification Supporting Indicators
Two indicators support the Identification Core Risk Management Indicators. Considerations of
Identification are the soft issues that bear on the identification of risks; these considerations
usually form part of the methodology. Examples of considerations are business, technology and
legal considerations.
Various categories can be taken into consideration when determining the actual risk on
information. For instance, an organisation could store sensitive information that is required to be
handled as confidential due to regulatory requirements. This requires that regulatory and legal risks
be taken into account when determining and communicating the information security risks.
Considerations should not be confused with risk categories. Considerations take into account
different environments and impacts, whereas risk categories use inputs from other risk management
programmes, for instance financial or tax risks.
5.2.2 Control Supporting Indicators
The Control Supporting Indicator grouping consists of four separate indicators. These indicators
provide additional information on how the controls were selected and how they are currently
managed, and thereby give top management assurance that the appropriate processes and actions
were taken in selecting and implementing the controls.
The first of the four Control Supporting Indicators provides information on control efficiency,
for instance return on investment (or similar) calculations. These calculations provide assurance
that the most efficient controls were selected. The Balanced Controls Indicator provides a
breakdown of the different types of controls. CobiT recommends that four types of control be
implemented: preventive, detective, corrective and recovery. The indicator provides assurance that
if any one control fails, the other controls will keep the risk less severe than it would be under
an unbalanced set of controls.
The purpose of risk management is not to eliminate risk but to reduce it to an acceptable
level [CONR 03]. Management wants to know what risk remains after controls have been put in
place. The Residual Risk Indicator gives management an indication of the actions that should be
taken to reduce risks further, or of where risks are over-controlled. A clear and important
indicator is the third-party objectivity of risk management actions. The risk action plan dictates
what actions should be taken and the organisation has to implement them. However, CobiT
recommends that management have complete assurance about the actions, processes, controls and
implementations that should be in place. Third-party objectivity, together with the third party's
roles and responsibilities, provides the final confirmation that risks are controlled as intended.
These two indicator groupings provide information for two BFIC Core Risk Management
Indicator groupings, but some factors have been identified that even support the BFIC Process
Supporting Indicators. These are discussed in the next section.
5.3 BFIC Risk Management Supporting Indicators
The BFIC Risk Management Supporting Indicators are closely interrelated indicators. They support
each indicator of the BFIC Core Risk Management and BFIC Process Supporting Indicators, and they
also support each other. Overall the BFIC Risk Management Supporting Indicators are predominantly
targeted at due diligence information. The cross-supporting relationships among them have not
been investigated further, as doing so would add superfluous information that would not serve the
Framework's goal of effective and efficient communication.
There are seven BFIC Risk Management Supporting Indicators. These indicators address
issues that show responsibility and ownership, as well as general high-level information about each
of the indicators. Each of the seven indicators is briefly discussed:
• Global and System Level Assessment: This indicator provides information about the
scope of the risk management programme. Global refers to the macro environment
that can have an impact on information security, while system level refers only to
the isolated system.
• Reassessments: Since information technology is constantly changing and new risks are
introduced daily, the reassessments indicate how current the risk management
information is. If reassessments have not been conducted within a reasonable time
frame, the reliance that can be placed on the indicators is brought into doubt.
• Defined Risk Ownership and Responsibility: The board and management of
organisations are being held increasingly accountable for their actions. This indicator
provides information on the business owner and on who holds ultimate responsibility
for ensuring that the risk management action is executed.
• Risk Management Improvement Projects: As the IT environment evolves, so too
should the processes used to manage its risks. This indicator provides information on
current and future projects to better identify, measure, control or monitor risks.
• Management Input: Management usually has a holistic view of processes and actions
within the organisation, be it at strategic, tactical or operational level. This indicator
provides information on the participation of management in the management of risks.
• Risk Support Documentation: Risk should be based on realistic evidence, such as
system logs, security studies or vulnerability alerts. This indicator provides information
on what supporting documentation was used in the various steps of the ISRM
programme.
• Risk Assessment Policies and Procedures Documentation: Risk management has to
be conducted according to a set structure or plan, as a multitude of methodologies and
approaches has shown. This indicator provides information on the policies and
procedures related to the approach that was followed.
In this section the various indicators of the BFIC were discussed. These indicators on their
own do not clearly provide a framework on how to communicate risks. Figure 3 provides a
graphical representation of how the Framework can be used to communicate ISRM action from
operational level to strategic level. The figure also indicates how the Framework can be used to
communicate the strategic actions through the Framework to the tactical and operational levels of
the organisation. Tactical and operational levels provide input for the Framework. While the
Framework is being populated, strategic management can communicate requirements based on the
indicators to the lower managerial levels.
Figure 3: Framework use in relation to generic managerial levels
The next section discusses how the Framework should be used in combination with processes
to communicate ISRM information.
6 FRAMEWORK PROCESSES
Although the Framework has logical indicators that facilitate quick and easy ISRM information
communication, there are processes that should be followed in order to make the Framework
function. There are three steps that should be completed in a specific order as indicated in Figure 4.
Figure 4: BFIC Implementation Process
The first step is to select an appropriate ISRM methodology or approach that can be
implemented at operational level. This methodology will have to be able to provide sufficient ISRM
information required by strategic management. The Bornman Framework for ISRM Methodology
Evaluation can be used [BORN 04] for this purpose.
Steps 2 and 3 should be considered as linked. While the selected methodology is
implemented, processes should be put in place to enable the risk management information produced
by the methodology to be transferred to the Framework indicators. The rationale behind splitting
the two processes is that organisations that have already implemented an ISRM methodology can
link their outputs to the Frameworkâs indicators.
Once the ISRM methodology has been implemented along with the linkages to the
Framework, the Framework indicates the status of the ISRM programme. The indicators can
provide information on how to better implement the ISRM methodology or improve the linkages to
the Framework.
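As an added illustration of the linkage step above (steps 2 and 3), and of the Risk monitoring, Balanced Controls, Residual Risk and Reassessments indicators from section 5, the following Python script maps a constructed operational risk register onto a subset of BFIC indicators. It is not part of the paper or of its CORAS-based prototype. The register layout, the likelihood x impact risk formula, the per-control "reduction" factor, the 365-day reassessment window and all sample values are assumptions made for this example.

```python
"""Populate a subset of BFIC indicators from an operational risk register.

Added illustration, not the paper's prototype. The register format, the
likelihood x impact risk formula, the per-control 'reduction' factor and
the 365-day reassessment window are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import date
from math import prod
from typing import Dict, List, Tuple

# CobiT's four control types, used by the Balanced Controls indicator.
CONTROL_TYPES = ("preventive", "detective", "corrective", "recovery")
Key = Tuple[str, str]  # (asset, threat) pair, the unit of risk measurement


@dataclass
class Control:
    name: str
    ctype: str        # one of CONTROL_TYPES
    in_place: bool    # planned vs implemented (Risk monitoring progress)
    reduction: float  # assumed fraction of risk removed once in place (0..1)


@dataclass
class RiskEntry:
    asset: str
    asset_type: str       # e.g. "server", "database", "process"
    threat: str
    likelihood: int       # 1..5, assumed operational-level scale
    impact: int           # 1..5
    owner: str            # Defined Risk Ownership and Responsibility
    last_assessed: date   # Reassessments indicator
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        # Only controls that are actually in place reduce the risk;
        # prod() of an empty sequence is 1, so no controls means no reduction.
        return self.inherent_risk() * prod(
            1.0 - c.reduction for c in self.controls if c.in_place)


def core_indicators(register: List[RiskEntry], tolerance: int) -> Dict:
    """Assets considered, risk value per asset-threat pair, and which pairs
    exceed the Defined risk tolerance profile set by strategic management."""
    assets_by_type: Dict[str, set] = {}
    for r in register:
        assets_by_type.setdefault(r.asset_type, set()).add(r.asset)
    measures: Dict[Key, int] = {(r.asset, r.threat): r.inherent_risk() for r in register}
    return {
        "assets": {t: len(a) for t, a in assets_by_type.items()},
        "risk_measures": measures,
        "above_tolerance": sorted(k for k, v in measures.items() if v > tolerance),
    }


def control_supporting_indicators(register: List[RiskEntry]) -> Dict:
    """Control implementation progress, Balanced Controls and Residual Risk."""
    planned = sum(len(r.controls) for r in register)
    in_place = sum(c.in_place for r in register for c in r.controls)
    unbalanced: Dict[Key, List[str]] = {}
    residual: Dict[Key, float] = {}
    for r in register:
        have = {c.ctype for c in r.controls if c.in_place}
        missing = [t for t in CONTROL_TYPES if t not in have]
        if missing:  # a failure of one in-place control has no backstop
            unbalanced[(r.asset, r.threat)] = missing
        residual[(r.asset, r.threat)] = round(r.residual_risk(), 2)
    return {"controls_planned": planned, "controls_in_place": in_place,
            "unbalanced": unbalanced, "residual_risk": residual}


def risk_management_supporting_indicators(register: List[RiskEntry], today: date,
                                          max_age_days: int = 365) -> Dict:
    """Reassessment staleness (annual review) and ownership: due diligence data."""
    stale = sorted((r.asset, r.threat) for r in register
                   if (today - r.last_assessed).days > max_age_days)
    owners: Dict[str, List[Key]] = {}
    for r in register:
        owners.setdefault(r.owner, []).append((r.asset, r.threat))
    return {"stale_assessments": stale, "ownership": owners}


def build_bfic(register: List[RiskEntry], tolerance: int, today: date) -> Dict:
    """The linkage step: operational output transferred to the three BFIC groupings."""
    return {"core": core_indicators(register, tolerance),
            "process_supporting": control_supporting_indicators(register),
            "rm_supporting": risk_management_supporting_indicators(register, today)}


# Constructed sample register (hypothetical assets, threats and owners).
SAMPLE_REGISTER = [
    RiskEntry("db01", "database", "sql_injection", 4, 5, "CIO", date(2004, 2, 1), [
        Control("input validation", "preventive", True, 0.6),
        Control("db audit log review", "detective", True, 0.2),
        Control("incident response plan", "corrective", False, 0.1),
        Control("nightly backups", "recovery", True, 0.3)]),
    RiskEntry("fw01", "server", "misconfiguration", 2, 3, "Network manager",
              date(2003, 1, 15), [Control("config change control", "preventive", True, 0.5)]),
    RiskEntry("payroll", "process", "insider_fraud", 3, 4, "CFO", date(2004, 5, 10), []),
]
TOLERANCE = 9           # assumed risk tolerance profile: values above 9 need action
TODAY = date(2004, 7, 29)

if __name__ == "__main__":
    for group, values in build_bfic(SAMPLE_REGISTER, TOLERANCE, TODAY).items():
        print(group, values)
```

With the sample data the report shows two asset-threat pairs above tolerance, four of five planned controls in place, the payroll risk with no controls at all, and the firewall assessment older than a year, which is the kind of summary the Framework is meant to carry to strategic management instead of the full operational report.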
The Framework has numerous advantages and some shortcomings. The next section
highlights these advantages and shortcomings.
7 FRAMEWORK EVALUATION
The Framework was constructed with multiple ISRM methodologies and approaches in mind. It
does not prescribe a specific ISRM methodology to be followed in order to obtain valuable
information security risk information. This methodology independence holds not only at
operational level but at all managerial levels.
Due to the relatively independent nature of the indicators, organisations can implement the
Framework at any business level, for instance division, subsidiary or business unit, or provide a
holistic view of information security risks in the organisation.
The Framework has three groupings of indicators that provide specific information to
strategic management. It provides information about the processes that are used and the components
that are taken into consideration. The most valuable information, though, is the BFIC Risk
Management Supporting Indicators that provide due diligence information.
One of the biggest advantages of using this Framework is the fact that the Framework is
entirely based on best practice methodologies, frameworks, approaches, standards and guidelines.
The indicators have been proven to address all of the King II requirements of risk management
controls [BORN1 04].
Although there are numerous advantages to the Framework, there are also some
shortcomings. The Framework has not yet been proven in a real-world environment. However, a
software prototype was developed that allows ISRM information to be viewed in the structure and
indicators of the BFIC. The prototype was based on the CORAS methodology [IST 03], which made
it possible to use an open-source XML database [EXIS 04]. The information was then presented in
terms of the Framework through an application built on the Microsoft .Net framework [MICR 04].
The Framework requires the ISRM methodology that is implemented in an organisation to
provide sufficient risk management information to populate the Framework. If the methodology is
not software-based or the stored information is unobtainable, the processes involved in populating
the Framework will be counterproductive. Therefore, it is necessary for organisations wanting to
implement the Framework to evaluate their methodology utilising the BFME [BORN 04].
8 CONCLUSION
Organisations have been made aware by corporate governance recommendations that the IT risks
have to be managed within any organisation. This has led organisations to select methodologies
without taking into consideration the communication of technical risks to strategic management.
The Bornman Framework for ISRM Information Communication discussed in this article provides
management with a structured approach to communicate the information security risk management
information. The structure provides management with a communication framework of risk
information not only to strategic management, but to the tactical and operational levels of the
organisation as well. The BFIC is a bilateral communication framework.
BFIC provides a holistic view of all the ISRM components that are recommended by
corporate governance best practice. The Framework provides indicators for the qualitative and
quantitative, hard and soft issues related to ISRM. It allows for the integration of the strategic,
tactical and operational ISRM principles to merge with a common goal in mind, namely to manage
the risks of information security more effectively and efficiently and most importantly holistically
within the organisation.
The Framework is a set of grouped components that allow all information security risk related
information to be communicated. Metrics can be applied to these components to facilitate bilateral
communication within any organisation. The Framework is structured so that it can be implemented
in an organisation of any size, by applying it in divisions or business units and consolidating the
results for an overall risk view. The practical implementation of the Framework has been
demonstrated in a software prototype, which enables more effective consolidation of ISRM
information.
The goal of the Framework was met by achieving four objectives. The objectives were to
assist in communicating ISRM information, provide an overview of the organisationâs ISRM status,
provide an overview of roles, responsibilities and accountability, and indicate what actions are
taken in the organisation to meet ISRM requirements.
9 REFERENCES
[ALBE 03] Alberts C., Dorofee A.; 2003; Managing Information Security Risks: The OCTAVE
Approach. Pearson Education. ISBN: 0-321-11886-3.
[BORN 04] Bornman W.G., Labuschagne L.; 2004; A Comparative Framework for
Evaluating Information Security Risk Management Methodologies. Conference
proceedings of the 4th annual Information Security South Africa held in
Midrand, South Africa.
[BORN1 04] Bornman W.G., Labuschagne L; 2004; Information Security Risk Management:
A Comparative Framework; University of Johannesburg. MCom Dissertation.
[COBI 00] IT Governance Institute; 2000; CobiT 3rd Edition: Framework; Information
Systems Audit and Control Foundation; ISBN: 1-893209-14-8.
[COSO] The Committee of Sponsoring Organizations of the Treadway Commission;
d.u.; Enterprise Risk Management Framework: Executive Summary (Draft);
Available from http://www.erm.coso.org.
[CONR 03] Conrow E.H.; 2003; Effective Risk Management: Some Keys to Success.
American Institute of Aeronautics and Astronautics. ISBN: 1-56347-581-2.
[CRAM 96] CCTA â The Central Computer and Telecommunication Agency; 1996;
CRAMM Management Guide. Crown Copyright.
[CRAM 03] Insight Consulting - CRAMM Methodology; Available from
http://www.cramm.com; Accessed 31 March 2003.
[EXIS 04] Exist-db.org; 2004; eXist Open Source XML Database; Available from
http://exist.sourceforge.net/; Accessed 29 July 2004.
[INCA 99] The Institute of Chartered Accountants in England and Wales; 1999; Internal
Control: Guidance for Directors on the Combined Code; ISBN: 1-84152-010-1.
[IST 03] Information Society Technologies (IST) Programme; 2003; The CORAS
methodology for Model-Based Risk Assessment: Platform Documentation;
Platform available from http://coras.sourceforge.net.
[KING 02] King Committee on Corporate Governance; 2002; King Report on Corporate
Governance for South Africa; Institute of Directors. ISBN: 0-620-28851-5.
[MICR 04] Microsoft; 2004; Microsoft .Net; Available from:
http://www.microsoft.com/net/; Accessed 29 July 2004.
[OXFO 80] Oxford University Press; 1980; The Oxford Illustrated Dictionary; Book Club
Associates London.
[PELT 01] Peltier, T.R.; 2001; Information Security Risk Analysis; Auerbach; ISBN: 0-8493-0880.
[SABS 00] South African Bureau of Standards (SABS); 2000; Information Technology: Code
of Practice for Information Technology Risk Management, SABS ISO/IEC 17799.
ISBN: 0-626-12835-8.
[SOX 02] Senate and House of Representatives of the United States of America; 2002;
Sarbanes-Oxley Act of 2002; H.R. 3763.
[TUDO 01] Tudor J.K.; 2001; Information Security Architecture: An Integrated Approach
to Security in the Organisation. CRC Press. ISBN: 0-8493-9988-2.