INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
28
Addressing Information Security Risks by Adopting
Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡
P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in nearly every facet of human activity including, finance,
transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,
including information technology risks. Several standards, best practices, and frameworks have been created to help
organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their
efforts to properly manage information security risks when adopting international standards and frameworks. To assist in
selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used
standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations
is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering
most aspects of our daily life. Businesses which
are heavily dependent on this technology use
information systems which were designed and
implemented with concentration on functionality,
costs reduction and ease of use. Information
security was not incorporated early enough into
systems and only recently has it started to get the
warranted attention. Accordingly, there is a need to
identify and manage these hidden weaknesses,
referred to as systems vulnerabilities, and to limit
their damaging impact on the information systems
integrity, confidentiality, and availability.
Vulnerabilities are exploited by attacks which are
becoming more targeted and sophisticated.
Attacking techniques and methods are virtually
countless and are evolving tremendously [1, 2].
In any enterprise, information security risks
must be identified, evaluated, analyzed, treated and
properly reported. Businesses that fail in
identifying the risks associated with the
technology they use, the people they employ, or
the environment where they operate usually
subject their business to unforeseen consequences
that might result in severe damage to the business
[3]. Therefore, it is critical to establish reliable
information security risk assessment and treatment
frameworks to guide organizations during the risk
management process.
Because risks cannot be complete.
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...IJNSA Journal
For organizations, the protection of information is of utmost importance. Throughout the years, organizations have experienced numerous system losses which have had a direct impact on their most valuable asset, information. Organizations must therefore find ways to make sure that the appropriate and most effective information security controls are implemented in order to protect their critical or most sensitive classified information. Existing information security control selection methods have been employed in the past, including risk analysis and management, baseline manuals, or random approaches. However, these methods do not take into consideration organization specific constraints such as costs of implementation, scheduling, and availability of resources when determining the best set of controls. In addition, these existing methods may not ensure the inclusion of required/necessary controls or the exclusion of unnecessary controls. This paper proposes a novel approach for evaluating information security controls to help decision-makers select the most effective ones in resource-constrained environments. The proposed approach uses Desirability Functions to quantify the desirability of each information security control taking into account benefits and penalties (restrictions) associated with implementing the control. This provides Management with a measurement that is representative of the overall quality of each information security control based on organizational goals. Through a case study, the approach is proven successful in providing a way for measuring the quality of information security controls (based on multiple application-specific criteria) for specific organizations.
The Significance of IT Security Management & Risk AssessmentBradley Susser
The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
MANAGING SECURITY AND COMPLIANCE RISKS OF OUTSOURCED IT PROJECTScsandit
Several constraints, such as business, financial, and legal can lead organizations to outsource some of their IT services. Consequently, this might introduce different security risks to major security services such as confidentiality, integrity and availability. Analysing and managing the potential security risks in the early stages of project execution allows organizations to avoid or minimize such security risks. In this paper, we propose an approach that is capable of managing the security and compliance risks of outsourced IT projects. Such an approach aims to allow organizations to minimize, mitigate, or eliminate security risks in the early stages of project execution. It is designed to manage variation in security requirements, as well as provide a methodology to guide organizations for the purpose of security management and implementation
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...IJNSA Journal
For organizations, the protection of information is of utmost importance. Throughout the years, organizations have experienced numerous system losses which have had a direct impact on their most valuable asset, information. Organizations must therefore find ways to make sure that the appropriate and most effective information security controls are implemented in order to protect their critical or most sensitive classified information. Existing information security control selection methods have been employed in the past, including risk analysis and management, baseline manuals, or random approaches. However, these methods do not take into consideration organization specific constraints such as costs of implementation, scheduling, and availability of resources when determining the best set of controls. In addition, these existing methods may not ensure the inclusion of required/necessary controls or the exclusion of unnecessary controls. This paper proposes a novel approach for evaluating information security controls to help decision-makers select the most effective ones in resource-constrained environments. The proposed approach uses Desirability Functions to quantify the desirability of each information security control taking into account benefits and penalties (restrictions) associated with implementing the control. This provides Management with a measurement that is representative of the overall quality of each information security control based on organizational goals. Through a case study, the approach is proven successful in providing a way for measuring the quality of information security controls (based on multiple application-specific criteria) for specific organizations.
The Significance of IT Security Management & Risk AssessmentBradley Susser
The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
MANAGING SECURITY AND COMPLIANCE RISKS OF OUTSOURCED IT PROJECTScsandit
Several constraints, such as business, financial, and legal can lead organizations to outsource some of their IT services. Consequently, this might introduce different security risks to major security services such as confidentiality, integrity and availability. Analysing and managing the potential security risks in the early stages of project execution allows organizations to avoid or minimize such security risks. In this paper, we propose an approach that is capable of managing the security and compliance risks of outsourced IT projects. Such an approach aims to allow organizations to minimize, mitigate, or eliminate security risks in the early stages of project execution. It is designed to manage variation in security requirements, as well as provide a methodology to guide organizations for the purpose of security management and implementation
To ensure security, it is important to build-in security in both the planning and the design phases and adapt a security architecture which makes sure that regular and security related tasks, are deployed correctly. Security requirements must be linked to the business goals. We identified four domains that affect security at an organization namely, organization governance, organizational culture, the architecture of the systems, and service management. In order to identify and explore the strength and weaknesses of particular organization’s security, a wide range model has been developed. This model is proposed as an information security maturity model (ISMM) and it is intended as a tool to evaluate the ability of organizations to meet the objectives of security.
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Editor IJCATR
With the increasing use of computers in business information security has also become a key issue in organizations. Risk assessment in organizations is vital in order to identify threats and take appropriate measures. There are various risk assessment methodologies exist which organizations use for risk assessment depending the type and need of organizations. In this research OCTAVE methodology has been used following a comparative study of various methodologies due to its flexibility and simplicity. The methodology was implemented in a financial institution and results of its efficacy have been discussed.
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
Still need a prime on the CSF? Check out my article for the Access Business Team January 2017 Newsletter on how business can improve their cyber readiness with the NIST Cybersecurity Framework.
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONIJNSA Journal
Information security necessitates the implementation of safeguards to guarantee an adequate defense against attacks, threats, and breaches from occurring. Nonetheless, even with “adequate” defensive efforts, the taste for accessing sensitive and confidential financial information is too tempting, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method to address information security problems is achieved through the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using Analytic Hierarchy Process (AHP), and determines which controls best suit management’s goals and objectives. Through a case study, the approach is proven successful in providing a way for measuring the quality of access security controls over financial information based on multiple application-specific criteria.
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONIJNSA Journal
Information security necessitates the implementation of safeguards to guarantee an adequate defense against attacks, threats, and breaches from occurring. Nonetheless, even with “adequate” defensive efforts, the taste for accessing sensitive and confidential financial information is too tempting, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method to address information security problems is achieved through the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using Analytic Hierarchy Process (AHP), and determines which controls best suit management’s goals and objectives. Through a case study, the approach is proven successful in providing a way for measuring the quality of access security controls over financial information based on multiple application-specific criteria.
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
This report from the Security for Business Innovation Council (SBIC), sponsored by RSA, contends that keeping pace with cyber threats requires an overhaul of information-security processes and provides actionable guidance for change.
future internetArticleERMOCTAVE A Risk Management Fra.docxgilbertkpeters11344
future internet
Article
ERMOCTAVE: A Risk Management Framework for IT
Systems Which Adopt Cloud Computing
Masky Mackita 1, Soo-Young Shin 2 and Tae-Young Choe 3,*
1 ING Bank, B-1040 Brussels, Belgium; [email protected]
2 Department of IT Convergence Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea;
[email protected]
3 Department of Computer Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea
* Correspondence: [email protected]; Tel.: +82-54-478-7526
Received: 22 June 2019; Accepted: 3 September 2019; Published: 10 September 2019
����������
�������
Abstract: Many companies are adapting cloud computing technology because moving to the cloud
has an array of benefits. During decision-making, having processed for adopting cloud computing,
the importance of risk management is progressively recognized. However, traditional risk management
methods cannot be applied directly to cloud computing when data are transmitted and processed by
external providers. When they are directly applied, risk management processes can fail by ignoring
the distributed nature of cloud computing and leaving numerous risks unidentified. In order to fix
this backdrop, this paper introduces a new risk management method, Enterprise Risk Management
for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines
Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation for
mitigating risks that can arise with cloud computing. ERMOCTAVE is composed of two risk management
methods by combining each component with another processes for comprehensive perception of risks.
In order to explain ERMOCTAVE in detail, a case study scenario is presented where an Internet seller
migrates some modules to Microsoft Azure cloud. The functionality comparison with ENISA and
Microsoft cloud risk assessment shows that ERMOCTAVE has additional features, such as key objectives
and strategies, critical assets, and risk measurement criteria.
Keywords: risk management; ERM; OCTAVE; cloud computing; Microsoft Azure
1. Introduction
Cloud computing is a technology that uses virtualized resources to deliver IT services through the
Internet. It can also be defined as a model that allows network access to a pool of computing resources
such as servers, applications, storage, and services, which can be quickly offered by service providers [1].
One of properties of the cloud is its distributed nature [2]. Data in the cloud environments had become
gradually distributed, moving from a centralized model to a distributed model. That distributed nature
causes cloud computing actors to face problems like loss of data control, difficulties to demonstrate
compliance, and additional legal risks as data migration from one legal jurisdiction to another. An example
is Salesforce.com, which suffered a huge outage, locking more than 900,000 subscribers out of important
resources needed for business trans.
future internetArticleERMOCTAVE A Risk Management FraDustiBuckner14
future internet
Article
ERMOCTAVE: A Risk Management Framework for IT
Systems Which Adopt Cloud Computing
Masky Mackita 1, Soo-Young Shin 2 and Tae-Young Choe 3,*
1 ING Bank, B-1040 Brussels, Belgium; [email protected]
2 Department of IT Convergence Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea;
[email protected]
3 Department of Computer Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea
* Correspondence: [email protected]; Tel.: +82-54-478-7526
Received: 22 June 2019; Accepted: 3 September 2019; Published: 10 September 2019
����������
�������
Abstract: Many companies are adapting cloud computing technology because moving to the cloud
has an array of benefits. During decision-making, having processed for adopting cloud computing,
the importance of risk management is progressively recognized. However, traditional risk management
methods cannot be applied directly to cloud computing when data are transmitted and processed by
external providers. When they are directly applied, risk management processes can fail by ignoring
the distributed nature of cloud computing and leaving numerous risks unidentified. In order to fix
this backdrop, this paper introduces a new risk management method, Enterprise Risk Management
for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines
Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation for
mitigating risks that can arise with cloud computing. ERMOCTAVE is composed of two risk management
methods by combining each component with another processes for comprehensive perception of risks.
In order to explain ERMOCTAVE in detail, a case study scenario is presented where an Internet seller
migrates some modules to Microsoft Azure cloud. The functionality comparison with ENISA and
Microsoft cloud risk assessment shows that ERMOCTAVE has additional features, such as key objectives
and strategies, critical assets, and risk measurement criteria.
Keywords: risk management; ERM; OCTAVE; cloud computing; Microsoft Azure
1. Introduction
Cloud computing is a technology that uses virtualized resources to deliver IT services through the
Internet. It can also be defined as a model that allows network access to a pool of computing resources
such as servers, applications, storage, and services, which can be quickly offered by service providers [1].
One of properties of the cloud is its distributed nature [2]. Data in the cloud environments had become
gradually distributed, moving from a centralized model to a distributed model. That distributed nature
causes cloud computing actors to face problems like loss of data control, difficulties to demonstrate
compliance, and additional legal risks as data migration from one legal jurisdiction to another. An example
is Salesforce.com, which suffered a huge outage, locking more than 900,000 subscribers out of important
resources needed for business trans ...
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
This webinar gives an idea of what is the relation of ISO 27032 with ISO 55001, and how these two standards cover one another. Get more information on Cybersecurity as the importance is given more to the security industry nowadays.
Main points covered:
• Protection assets in Cyberspace
• Covering ISO 27032 in ISO 55001 and ISO 55001 in ISO 27032
• Sample of Cybersecurity Risks in Assets
• Highlights of the Implementation of the Cyber Security program Framework
Presenter:
This webinar was presented by PECB Partner and Trainer Mr. Claude Essomba, who is a Managing Director at GETSEC SARL, and has more than 9 years of experience in IT and Information Security.
Link of the recorded session published on YouTube: https://youtu.be/_280jG77iKY
This document is a guide for the detailed development, selection implementation of information system and program level procedures to indicate the execution, effectiveness, and impact of security controls along with and other security associated activities.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest
risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012 and beyond.
Issues Identify at least seven issues you see in the case1..docxbagotjesusa
Issues: Identify at least seven issues you see in the case
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
What is the Key issue you see in the case: __________________________
What facts pertain to the case: Identify at least three important facts that pertain to the case
1.
2.
3.
4.
5.
What assumptions do you plan to make in your analysis: None is an acceptable answer
1.
2.
3
What people and organizations may have an impact on the case: There should be at least five.
1.
2.
3.
4.
5.
6.
7.
8.
9.
You are writing the case from the perspective of which person or organization:______________
What tools of Analysis would you use in this case: You only need to identify them and explain what information each will give you that you feel is important.
Based upon the above information – provide three alternatives
Alternative 1 is the Status Quo or to do nothing different that the current situation.
Identify at least three arguments in favor and three against this approach
Pros
1.
2.
3.
4.
5.
Cons
1.
2.
3.
4.
5.
Alternative 2 ____________________________________________________
Identify at least three arguments in favor and three against this approach
Pros
1.
2.
3.
4.
5.
Cons
1.
2.
3.
4.
5.
Alternative 3 ______________________________________________
Identify at least three arguments in favor and three against this approach
Pros
1.
2.
3.
4.
5.
Cons
1.
2.
3.
4.
5.
Given the information above select your recommended alternative and explain why you feel it is the best alternative: This should take three to five paragraphs and be based upon the information presented in your case.
.
Issues and disagreements between management and employees lead.docxbagotjesusa
Issues and disagreements between management and employees lead to formation of labor unions. Over the decades, the role of labor unions has been interpreted in various ways by employees across the globe.
What are some of the reasons employees join labor unions?
Did you ever belong to a labor union? If you did, do you think union membership benefited you?
If you've never belonged to a union, do you think it would have benefited you in your current or past employment? Why or why not?
.
More Related Content
Similar to INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
To ensure security, it is important to build-in security in both the planning and the design phases and adapt a security architecture which makes sure that regular and security related tasks, are deployed correctly. Security requirements must be linked to the business goals. We identified four domains that affect security at an organization namely, organization governance, organizational culture, the architecture of the systems, and service management. In order to identify and explore the strength and weaknesses of particular organization’s security, a wide range model has been developed. This model is proposed as an information security maturity model (ISMM) and it is intended as a tool to evaluate the ability of organizations to meet the objectives of security.
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Editor IJCATR
With the increasing use of computers in business information security has also become a key issue in organizations. Risk assessment in organizations is vital in order to identify threats and take appropriate measures. There are various risk assessment methodologies exist which organizations use for risk assessment depending the type and need of organizations. In this research OCTAVE methodology has been used following a comparative study of various methodologies due to its flexibility and simplicity. The methodology was implemented in a financial institution and results of its efficacy have been discussed.
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
Still need a prime on the CSF? Check out my article for the Access Business Team January 2017 Newsletter on how business can improve their cyber readiness with the NIST Cybersecurity Framework.
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONIJNSA Journal
Information security necessitates the implementation of safeguards to guarantee an adequate defense against attacks, threats, and breaches from occurring. Nonetheless, even with “adequate” defensive efforts, the taste for accessing sensitive and confidential financial information is too tempting, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method to address information security problems is achieved through the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using Analytic Hierarchy Process (AHP), and determines which controls best suit management’s goals and objectives. Through a case study, the approach is proven successful in providing a way for measuring the quality of access security controls over financial information based on multiple application-specific criteria.
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONIJNSA Journal
Information security necessitates the implementation of safeguards to guarantee an adequate defense against attacks, threats, and breaches from occurring. Nonetheless, even with “adequate” defensive efforts, the taste for accessing sensitive and confidential financial information is too tempting, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method to address information security problems is achieved through the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using Analytic Hierarchy Process (AHP), and determines which controls best suit management’s goals and objectives. Through a case study, the approach is proven successful in providing a way for measuring the quality of access security controls over financial information based on multiple application-specific criteria.
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
This report from the Security for Business Innovation Council (SBIC), sponsored by RSA, contends that keeping pace with cyber threats requires an overhaul of information-security processes and provides actionable guidance for change.
future internetArticleERMOCTAVE A Risk Management Fra.docxgilbertkpeters11344
future internet
Article
ERMOCTAVE: A Risk Management Framework for IT
Systems Which Adopt Cloud Computing
Masky Mackita 1, Soo-Young Shin 2 and Tae-Young Choe 3,*
1 ING Bank, B-1040 Brussels, Belgium; [email protected]
2 Department of IT Convergence Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea;
[email protected]
3 Department of Computer Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea
* Correspondence: [email protected]; Tel.: +82-54-478-7526
Received: 22 June 2019; Accepted: 3 September 2019; Published: 10 September 2019
����������
�������
Abstract: Many companies are adapting cloud computing technology because moving to the cloud
has an array of benefits. During decision-making, having processed for adopting cloud computing,
the importance of risk management is progressively recognized. However, traditional risk management
methods cannot be applied directly to cloud computing when data are transmitted and processed by
external providers. When they are directly applied, risk management processes can fail by ignoring
the distributed nature of cloud computing and leaving numerous risks unidentified. In order to fix
this backdrop, this paper introduces a new risk management method, Enterprise Risk Management
for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines
Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation for
mitigating risks that can arise with cloud computing. ERMOCTAVE is composed of two risk management
methods by combining each component with another processes for comprehensive perception of risks.
In order to explain ERMOCTAVE in detail, a case study scenario is presented where an Internet seller
migrates some modules to Microsoft Azure cloud. The functionality comparison with ENISA and
Microsoft cloud risk assessment shows that ERMOCTAVE has additional features, such as key objectives
and strategies, critical assets, and risk measurement criteria.
Keywords: risk management; ERM; OCTAVE; cloud computing; Microsoft Azure
1. Introduction
Cloud computing is a technology that uses virtualized resources to deliver IT services through the
Internet. It can also be defined as a model that allows network access to a pool of computing resources
such as servers, applications, storage, and services, which can be quickly offered by service providers [1].
One of properties of the cloud is its distributed nature [2]. Data in the cloud environments had become
gradually distributed, moving from a centralized model to a distributed model. That distributed nature
causes cloud computing actors to face problems like loss of data control, difficulties to demonstrate
compliance, and additional legal risks as data migration from one legal jurisdiction to another. An example
is Salesforce.com, which suffered a huge outage, locking more than 900,000 subscribers out of important
resources needed for business trans.
future internetArticleERMOCTAVE A Risk Management FraDustiBuckner14
future internet
Article
ERMOCTAVE: A Risk Management Framework for IT
Systems Which Adopt Cloud Computing
Masky Mackita 1, Soo-Young Shin 2 and Tae-Young Choe 3,*
1 ING Bank, B-1040 Brussels, Belgium; [email protected]
2 Department of IT Convergence Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea;
[email protected]
3 Department of Computer Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea
* Correspondence: [email protected]; Tel.: +82-54-478-7526
Received: 22 June 2019; Accepted: 3 September 2019; Published: 10 September 2019
����������
�������
Abstract: Many companies are adapting cloud computing technology because moving to the cloud
has an array of benefits. During decision-making, having processed for adopting cloud computing,
the importance of risk management is progressively recognized. However, traditional risk management
methods cannot be applied directly to cloud computing when data are transmitted and processed by
external providers. When they are directly applied, risk management processes can fail by ignoring
the distributed nature of cloud computing and leaving numerous risks unidentified. In order to fix
this backdrop, this paper introduces a new risk management method, Enterprise Risk Management
for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines
Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation for
mitigating risks that can arise with cloud computing. ERMOCTAVE is composed of two risk management
methods by combining each component with another processes for comprehensive perception of risks.
In order to explain ERMOCTAVE in detail, a case study scenario is presented where an Internet seller
migrates some modules to Microsoft Azure cloud. The functionality comparison with ENISA and
Microsoft cloud risk assessment shows that ERMOCTAVE has additional features, such as key objectives
and strategies, critical assets, and risk measurement criteria.
Keywords: risk management; ERM; OCTAVE; cloud computing; Microsoft Azure
1. Introduction
Cloud computing is a technology that uses virtualized resources to deliver IT services through the
Internet. It can also be defined as a model that allows network access to a pool of computing resources
such as servers, applications, storage, and services, which can be quickly offered by service providers [1].
One of properties of the cloud is its distributed nature [2]. Data in the cloud environments had become
gradually distributed, moving from a centralized model to a distributed model. That distributed nature
causes cloud computing actors to face problems like loss of data control, difficulties to demonstrate
compliance, and additional legal risks as data migration from one legal jurisdiction to another. An example
is Salesforce.com, which suffered a huge outage, locking more than 900,000 subscribers out of important
resources needed for business trans ...
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
This webinar gives an idea of what is the relation of ISO 27032 with ISO 55001, and how these two standards cover one another. Get more information on Cybersecurity as the importance is given more to the security industry nowadays.
Main points covered:
• Protection assets in Cyberspace
• Covering ISO 27032 in ISO 55001 and ISO 55001 in ISO 27032
• Sample of Cybersecurity Risks in Assets
• Highlights of the Implementation of the Cyber Security program Framework
Presenter:
This webinar was presented by PECB Partner and Trainer Mr. Claude Essomba, who is a Managing Director at GETSEC SARL, and has more than 9 years of experience in IT and Information Security.
Link of the recorded session published on YouTube: https://youtu.be/_280jG77iKY
This document is a guide for the detailed development, selection implementation of information system and program level procedures to indicate the execution, effectiveness, and impact of security controls along with and other security associated activities.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest
risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012 and beyond.
Similar to INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx (20)
Issues Identify at least seven issues you see in the case1..docxbagotjesusa
Issues: Identify at least seven issues you see in the case
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
What is the Key issue you see in the case: __________________________
What facts pertain to the case: Identify at least three important facts that pertain to the case
1.
2.
3.
4.
5.
What assumptions do you plan to make in your analysis: None is an acceptable answer
1.
2.
3
What people and organizations may have an impact on the case: There should be at least five.
1.
2.
3.
4.
5.
6.
7.
8.
9.
You are writing the case from the perspective of which person or organization:______________
What tools of Analysis would you use in this case: You only need to identify them and explain what information each will give you that you feel is important.
Based upon the above information – provide three alternatives
Alternative 1 is the Status Quo or to do nothing different that the current situation.
Identify at least three arguments in favor and three against this approach
Pros
1.
2.
3.
4.
5.
Cons
1.
2.
3.
4.
5.
Alternative 2 ____________________________________________________
Identify at least three arguments in favor and three against this approach
Pros
1.
2.
3.
4.
5.
Cons
1.
2.
3.
4.
5.
Alternative 3 ______________________________________________
Identify at least three arguments in favor and three against this approach
Pros
1.
2.
3.
4.
5.
Cons
1.
2.
3.
4.
5.
Given the information above select your recommended alternative and explain why you feel it is the best alternative: This should take three to five paragraphs and be based upon the information presented in your case.
.
Issues and disagreements between management and employees lead.docxbagotjesusa
Issues and disagreements between management and employees lead to formation of labor unions. Over the decades, the role of labor unions has been interpreted in various ways by employees across the globe.
What are some of the reasons employees join labor unions?
Did you ever belong to a labor union? If you did, do you think union membership benefited you?
If you've never belonged to a union, do you think it would have benefited you in your current or past employment? Why or why not?
.
ISSA Journal September 2008Article Title Article Author.docxbagotjesusa
ISSA Journal | September 2008Article Title | Article Author
1�1�
ISSA The Global Voice of Information Security
Extending the McCumber Cube
to Model Network Defense
By Sean M. Price – ISSA member Northern Virginia, USA chapter
This article proposes an extension to the McCumber
Cube information security model to determine the best
countermeasures to achieve a desired security goal.
Confidentiality, integrity, and availability are the se-curity services of a system. In other words they are the security goals of system defense, intangible at-
tributes� providing assurances for the information protected.
Each service is realized when the appropriate countermea-
sures for a given information state are in place. But, it is not
enough to select countermeasures ad hoc. Countermeasures
should be selected to defend a system and its information
against specific types of attacks. When attacks against partic-
ular information states are considered, the necessary coun-
termeasures can be selected to achieve the desired security
service or goal. This article proposes an extension to the Mc-
Cumber Cube information security model as a way for the
security practitioner to consider the best countermeasures to
achieve the desired security goal.
Security models
Models are useful tools to help understand complex topics. A
well-developed model can often be represented graphically,
allowing a deeper understanding of the relationships of the
components that make the whole. A formal security model
is broadly applicable and rigorously developed using formal
methods.2 In contrast, an informal model is considered lack-
ing one or both of these qualities. There are a variety of in-
formal models in the information security world which are
regularly used by security practitioners to understand basic
information and concepts.
� Security goals often lack explicit definitions and are difficult to quantify. They are
usually based on policies with broad interpretations and tend to be qualitative. It is
true that security goals emerge from the confluence of information states and coun-
termeasures which have measurable attributes. But, the subjective nature of security
goals combined with informal modeling characterizes their attributes as intangible.
2 P. T. Devanbu and S. Stubblebine, “Software Engineering for Security: A Roadmap,”
Proceedings of the Conference on The Future of Software Engineering (2000), 227-239.
One such informal model is the generally accepted risk as-
sessment framework. This model is used to assess risk by
estimating asset values, vulnerabilities, threats with their
likelihood of exploiting a vulnerability, and losses. Figure �
illustrates this model. Note that this commonly used model
requires a substantial amount of estimating on the part of
the risk assessment participants. This is problematic when
reliable estimates cannot be obtained. Another problem with
this model is that it does not guide th.
ISOL 536Security Architecture and DesignThreat Modeling.docxbagotjesusa
ISOL 536
Security Architecture and Design
Threat Modeling
Session 6a
“Processing Threats”
Agenda
• When to find threats
• Playing chess
• How to approach software
• Tracking threats and assumptions
• Customer/vendor
• The API threat model
• Reading: Chapter 7
When to Find Threats
• Start at the beginning of your project
– Create a model of what you’re building
– Do a first pass for threats
• Dig deep as you work through features
– Think about how threats apply to your mitigations
• Check your design & model matches as you
get close to shipping
Attackers Respond to Your Defenses
Playing Chess
• The ideal attacker will follow the road you
defend
– Ideal attackers are like spherical cows — they’re a
useful model for some things
• Real attackers will go around your defenses
• Your defenses need to be broad and deep
“Orders of Mitigation”
Order Threat Mitigation
1st Window smashing Reinforced glass
2nd Window smashing Alarm
3rd Cut alarm wire Heartbeat signal
4th Fake heartbeat Cryptographic signal integrity
By Example:
• Thus window smashing is a first order threat, cutting
alarm wire, a third-order threat
• Easy to get stuck arguing about orders
• Are both stronger glass & alarms 1st order
mitigations? (Who cares?!)
• Focus on the concept of interplay between
mitigations & further attacks
How to Approach Software
• Depth first
– The most fun and “instinctual”
– Keep following threats to see where they go
– Can be useful skill development, promoting “flow”
• Breadth first
– The most conservative use of time
• Best when time is limited
– Most likely to result in good coverage
Tracking Threats and Assumptions
• There are an infinite number of ways to
structure this
• Use the one that works reliably for you
• (Hope doesn’t work reliably)
Example Threat Tracking Tables
Diagram Element Threat Type Threat Bug ID
Data flow #4, web
server to business
logic
Tampering Add orders without
payment checks
4553 “Need
integrity controls on
channel”
Info disclosure Payment
instruments sent in
clear
4554 “need crypto”
#PCI
Threat Type Diagram Element(s) Threat Bug ID
Tampering Web browser Attacker modifies
our JavaScript order
checking
4556 “Add order-
checking logic to
server”
Data flow #2 from
browser to server
Failure to
authenticate
4557 “Add enforce
HTTPS everywhere”
Both are fine, help you iterate over diagrams in different ways
Example Assumption Tracking
Assumption Impact if it’s
wrong
Who to talk
to
Who’s
following up
Follow-up
by date
Bug #
It’s ok to
ignore
denial of
service
within the
data center
Availability
will be
below spec
Alice Bob April 15 4555
• Impact is sometimes so obvious it’s not worth filling out
• Who to talk to is not always obvious, it’s ok to start out blank
• Tracking assumptions in bugs helps you not lose track
• Treat the assumption as a bug – you need to resolve it
The Customer/Vendor Boundary
• There is always.
ISOL 533 Project Part 1OverviewWrite paper in sections.docxbagotjesusa
ISOL 533 Project Part 1
Overview
Write paper in sections
Understand the company
Find similar situations
Research and apply possible solutions
Research and find other issues
Health network inc
You are an Information Technology (IT) intern
Health Network Inc.
Headquartered in Minneapolis, Minnesota
Two other locations
Portland Oregon
Arlington Virginia
Over 600 employees
$500 million USD annual revenue
Data centers
Each location is near a data center
Managed by a third-party vendor
Production centers located at the data centers
Health network’s Three products
HNetExchange
Handles secure electronic medical messages between
Large customers such as hospitals and
Small customers such as clinics
HNetPay
Web Portal to support secure payments
Accepts various payment methods
HNetConnect
Allows customers to find Doctors
Contains profiles of doctors, clinics and patients
Health networks IT network
Three corporate data centers
Over 1000 data severs
650 corporate laptops
Other mobile devices
Management request
Current risk assessment outdated
Your assignment is to create a new one
Additional threats may be found during re-evaluation
No budget has been set on the project
Threats identified
Loss of company data due to hardware being removed from production systems
Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on
Internet threats due to company products being accessible on the Internet
Insider threats
Changes in regulatory landscape that may impact operations
Part 1 project assignment
Conduct a risk assessment based on the information from this presentation
Write a 5-page paper properly APA formatted
Your paper should include
The Scope of the risk assessment i.e. assets, people, processes, and technologies
Tools used to conduct the risk assessment
Risk assessment findings
Business Impact Analysis
.
Is the United States of America a democracyDetailed Outline.docxbagotjesusa
Is the United States of America a democracy?
Detailed Outline:
-Introduction (2-3 Paragraphs):
Define and discuss the criteria for democracy.
What does a country need to be democratic?
-Thesis Statement (1 Paragraph):
Clearly state whether or not you think America is a democracy. Briefly preview the three pieces of evidence you are going to use. Your thesis statement is your argument. It must be clear and strongly stated so I know what you are arguing.
-Supporting Evidence 1 (1-3 Paragraphs)
Using Freedom House’s 2021 (2020 if 21 is not available)analysis of the U.S., support your argument regarding democracy in the U.S analysis of the U.S., support your argument regarding democracy in the U.S.
Supporting Evidence 2 (1-3 Paragraphs)
Choose a news article and explain the event covered in the article and how it
supports your argument.
Supporting Evidence 3 (1-3 Paragraphs)
Choose another news article
-Conclusion (1-2 Paragraphs)
Summarize your supporting evidence and how it supports your overall argument. This should include a brief discussion about how the other argument could be right
Citations: You will need outside sources for this paper. All sources must be properly cited. This means that the sources need to be parenthetically cited in the text of the paper and need to be included in a bibliography page. You are not allowed to use any user edit web sites (Wikipedia, Yahoo Answers, Ask.com, etc.) or social media as sources
4-5 papers
.
Islamic Profession of Faith (There is no God but God and Muhammad is.docxbagotjesusa
Islamic Profession of Faith (There is no God but God and Muhammad is his prophet.)
1. [contextualize] How are they a reflection of the time and culture which produced them?
2. [evaluate] What were the implications of these beliefs and values during the Middle Ages?
3. [compare] How do the beliefs and values of these cultures compare to your own?
.
IS-365 Writing Rubric Last updated January 15, 2018 .docxbagotjesusa
IS-365 Writing Rubric
Last updated: January 15, 2018
Student:
Score (out of 50):
General Comments:
Other comments are embedded in the document.
Criterion <- Higher - Quality - Lower ->
Persuasiveness The reader is
compelled by solid
critical reasoning,
appropriate usage of
sources, and
consideration of
alternative
viewpoints.
The document is
logical and coherent
enough that the
reader can accept its
points and
conclusions
Gaps in logic and
uncritical review of
sources cause the
reader to have some
doubts about the
points made by the
document, or
whether they’re
relevant to the
question asked.
The reader is unsure
of what the document
is trying to
communicate, or is
wholly unconvinced
by its arguments
Not
applicable
Evidence and support Exceptional use of
authoritative and
relevant sources,
properly cited,
providing strong
support of the
document’s points
Sufficient relevant
and authoritative
sources give
confidence that the
document is based
on adequate
research
Sources are
insufficient in
number, not
authoritative, not
relevant, or
improperly cited
No sources are used,
undermining the
document’s
foundations
Not
applicable
Writing Word choices, flow
of logic, and
sentence and
paragraph structure
engage the reader,
making for a
pleasurable
experience
Writing is clear and
adequately fulfills
the document’s
purpose
Some issues with
word choice and
sentence and
paragraph structure
interfere with the
conveyance of the
document’s ideas
Frequent questionable
choices in writing
make it difficult to
read and understand
Not
applicable
Language Essentially free of
language errors
Minor errors in
grammar,
punctuation, or
spelling
Noticeable language
errors that detract
from the readability
of the document
Significant language
errors that call the
credibility of the
document into
question
Not
applicable
Formatting (heading
styles, fonts, margins,
white space, tables
and graphics)
Professional and
consistent formatting
that enhances
readability.
Appropriate use of
tables and graphics.
Generally acceptable
formatting choices.
Some missed
opportunities for
displaying data via
tables or graphics.
Inconsistent or
questionable
formatting choices
that detract from the
document’s
readability
Critical formatting
issues that make the
document
unprofessional-
looking
Not
applicable
Page 1
Page 1
Page 2
(Name deleted)
IS-365
Art Fifer
2/17/2017
Technical Documents for Varying Audiences
In this paper, I’ll be exploring the differences in presenting technical communications to audiences of varying knowledge. The topic of these two general summaries will be the manner in which computers connect to each other, including summaries of several communication protocols, how information traverses the network, and how it arrives at its destination and is read by th.
ISAS 600 – Database Project Phase III RubricAs the final ste.docxbagotjesusa
ISAS 600 – Database Project Phase III Rubric
As the final step to your proposed database, you submitted your Project Plan. This document should communicate how you intend to complete the project. Include timelines and resources required.
Area
Does not meet expectations
Meets expectations
Exceeds expectations
A. Analysis - how will you determine the needs of the database
Did not identify appropriate plan for analysis phase
Identified appropriate plan for analysis phase
Identified appropriate plan for analysis phase and included additional content
Design - what process will you use to design the database (tables, forms, queries, reports)
Did not sufficiently identify detail on the appropriate process for design phase
Identified appropriate process for design phase
Identified appropriate process for design phase and included additional detail
Prototype/End user feedback - Will you show users a prototype before building the system?
Did not sufficiently identify method for feedback and prototypes during building of the system
Identified method for feedback and prototypes during building of the system
Identified method for feedback and prototypes during building of the system and provided additional detail
Coding - what process will you use to build the database?
Did not sufficiently identify appropriate process for coding the database
Identified appropriate process for coding the database
Identified appropriate process for coding the database and provided additional detail.
Testing - How will you test it?
to build the database?
Did not sufficiently identify appropriate process for testing the database
Identified appropriate process for testing the database
Identified appropriate process for testing the database and provided additional detail.
User Acceptance - describe the final step of determining if you met the user's needs?
Did not sufficiently identify an appropriate process for User Acceptance phase - How to determine if the database meets user’s needs.
Identified appropriate process for User Acceptance phase - How to determine if the database meets user’s needs.
Identified appropriate process for User Acceptance phase - How to determine if the database meets user’s needs. Answer provided additional detail
Training - what is the plan for training end users?
Did not identify appropriate detail for training plan
Identified appropriate detail for training plan
Identified appropriate detail for a training plan and provided additional detail.
Project close out - what steps will you take to finalize the project?
Did not sufficiently identify appropriate steps for closing out the project
Identified appropriate steps for closing out the project
Identified appropriate steps for closing out the project and provided additional detail.
Entity Relationship Diagram1
ERD:
Normalization:
1NF:
For the 1st NF we will have to check the tables’ attributes, like there must not be any multivalued attribute, if there is any multivalued at.
Is teenage pregnancy a social problem How does this topic reflect.docxbagotjesusa
Is teenage pregnancy a social problem? How does this topic reflect the social construction of problems? How does social location impact if you view this as a social problem?
Explain why media representation of social problems is an important issue using the example of teenage pregnancy. What is an example of a problematic representation? Does this vary across race, ethnicity, religion, socioeconomic status and gender?
.
Is Texas so conservative- (at least for the time being)- as many pun.docxbagotjesusa
Is Texas so conservative- (at least for the time being)- as many pundits and observers claim? Or is that just an opinion not supported by analysis and facts? Not only does Texas vote Republican in many elections but has done so for many years. It is also the birthplace of the so-called Tea Party movement and of Ron Paul's campaigns for president. Texas also appears to espouse conservative approaches to government and to issues. You will need to define in a concrete and operational way what conservative means as conservative is more than voting behavior or party affiliation.
Texas is the 2nd largest state in population compared to California and.like California made up of many differing migrant and immigrant groups. Texas like California was also part of Northern Mexico. but Texas is very, very different from California in voting behavior and positions on social issues. Why? Texas and California are good comparisons or are they? Provide explanations of the differences and similarities in this ideological context
Texas was once "Democratic" but even that was not really the case in terms of either past or current Democratic ideals and goals but a historic reaction to the consequences of the civil war and the fact that Texas was on the losing side in that war and of the attempt to defend agrarian interests in the form of slavery.. Being Democratic from post civil war to the middle of the 20th century in part meant for decades being in favor of inequality for minorities and defenders in spirit, if not in fact, of slavery.net
So Texas was never "Democratic" and never a more liberal interpretation of reality but a reflection of conservative thought and a particular view of individualistic man.
Is Texas conservative and why? ( you will need a social, cultural, historical and economic analysis here
with supporting evidence)?
? Need much more than opinions here.
.
Irreplaceable Personal Objects and Cultural IdentityThink of .docxbagotjesusa
Irreplaceable: Personal Objects and Cultural Identity
Think of a
personal object
that is
irreplaceable
to you.
Please answer the following:
1. Describe the item and tell a brief story, memory, or ritual related to the item.
2. How does this possession influence your identity?
3. How does this item represent your cultural identity?
4. How is your selection of this item influenced by your identity and culture?
Instructions:
please answer all 4 questions accordingly. Each answer should have the question re-typed following the answer. A minimum of 500 words in all excluding the re-typed questions. No reference is needed.
.
IRB is an important step in research. State the required components .docxbagotjesusa
IRB is an important step in research. State the required components one should look for in a project to determine if IRB submission is needed. Discuss an example of a research study found in one of your literature review articles that needed IRB approval. Specifically, describe why IRB approval was needed in this instance.
.
irem.org/jpm | jpm® | 47
AND
REWARD
RISK
>>
BY KRISTIN GUNDERSON HUNT
THE FIGHT TO FILL VACANT COMMERCIAL REAL ESTATE SPACE IN RECENT YEARS
HAS FORCED REAL ESTATE OWNERS AND MANAGERS TO CONSIDER NEW USES
FOR THEIR PROPERTIES—EVEN IF THEY REQUIRE TAKING ADDITIONAL RISKS.
especially vacancies,” said Janice
Ochenkowski, managing director
for Jones Lang LaSalle and the com-
mercial real estate firm’s director of
global risk management in Chicago.
“But property owners and manag-
ers have been very creative in how
to use their existing facilities.”
Traditional retail stores have been
transformed into everything from
medical office space and churches
to fitness centers and breweries. In
addition, special events and pop-
up stores are more commonplace;
traditional office spaces have been
converted to daycare centers; in-
dustrial warehouses are being used
as practice facilities for youth base-
ball teams; and the list goes on.
“From a risk management per-
spective, these new uses can bring
new challenges,” Ochenkowski said.
“However, it is the primary goal
of the risk manager to support the
business, which means we need to
be more creative in the way we deal
with these risks.”
DOESN’T MEAN YOU HAVE TO WALK AWAY.”–JANICE OCHENKOWSKI, JONES
LANG LASAL
LE
DO THE ASSESSMENT HONESTLY. JUST BECAUSE THERE IS A HI
GHER RISK
“DON’T BE AFRAID TO THINK ABOUT WHAT THE RISKS ARE.
the tough economy has resulted in a lot of challenges—“
DUE DILIGENCE
The risks associated with new-use tenants are as varied as the tenants them-
selves.
First and foremost, certain tenants could present additional life safety
risks, said Jeffrey Shearman, a Pittsburgh-based senior risk engineering con-
sultant and real estate industry practice leader for commercial insurance
provider, Zurich.
For example, restaurant tenants create increased exposure to fire; church
and/or educational institutions might spur egress concerns because they en-
courage large gatherings in spaces formerly used for different occupancy;
and hazardous waste can be a risk with some medical tenants.
“You have to recognize that certain types of work are going to create cer-
tain types of hazards,” Shearman said.
Beyond life safety risks, certain tenants might be more susceptible than
previous tenants to codes and regulations imposed by state or federal laws,
such as licensing regulations for daycares or American Disabilities Act re-
quirements for medical tenants, said Pat Pollan, CPM, principal at Pollan
Hausman Real Estate Services in Houston.
New-use tenant risks don’t stop there: financial risks also exist. Replac-
ing a unique tenant with a similar occupant after the lease expires can be
difficult—a particular concern if a lot of money was spent customizing the
space for an alternative use.
“It’s not just the risk of liability, it’s the risk of the tenant going out of busi-
ness and losing any money you put into the tenant, or its space, .
IoT References:
https://www.techrepublic.com/article/how-to-secure-your-iot-devices-from-botnets-and-other-threats/
https://www.peerbits.com/blog/biggest-iot-security-challenges.html
https://www.bankinfosecurity.asia/securing-iot-devices-challenges-a-11138
https://www.sumologic.com/blog/iot-security/
https://news.ihsmarkit.com/press-release/number-connected-iot-devices-will-surge-125-billion-2030-ihs-markit-says
https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
https://go.armis.com/hubfs/Buyers%E2%80%99%20Guide%20to%20IoT%20Security%20-Final.pdf
https://www.techrepublic.com/article/smart-farming-how-iot-robotics-and-ai-are-tackling-one-of-the-biggest-problems-of-the-century/
Video Resources:What is the Internet of Things (IoT) and how can we secure it?
https://www.youtube.com/watch?v=H_X6IP1-NDc
What is the problem with IoT security? - Gary explains
https://www.youtube.com/watch?v=D3yrk4TaIQQ
Classmate 1
The Rise of the Republican Party
The Republican Party was formed due to a split in the Whig Party. The anti-slavery
“Conscience Whigs” split from the pro-slavery “Cotton Whigs”. Some anti-slavery Whigs joined
the American “Know-Nothing” Party, while the remainder joined with independent Democrats
and Free-Soilers to form a new party, the Republicans. The initial members stood for one
principle: the exclusion of slavery from the western territories (Shi, p. 462). Knowing the
Republicans ideology, we will look at how the events leading up to the Kansas-Nebraska Act led
to greater political division that eventually caused the formation of the Republican Party and it’s
rise to the presidency in 1860.
In the 1850’s, America was becoming increasingly divided between those for and against
slavery. The Compromise of 1850 had temporarily appeased both sides by admitting California
as a free state, allowing no slavery restrictions in New Mexico and Utah, paying Texas,
abolishing slave trade but no slavery in the District of Columbia, establishing the Fugitive Slave
Act, and denying congress authority to interfere with interstate slave trade (Shi, p. 457). This
Fugitive Slave Act was highly contested, although very few slaves were returned to the south
under this Act. In fact, it ended up uniting anti-slavery people, more than aiding the South. It was
during this time that Uncle Tom’s Cabin was written, selling more than a million copies
worldwide and detailing the harsh brutality of slavery (Shi, p. 460-461).
In the mid-1850’s, the Kansas-Nebraska Act was passed. The main reason for it was to the
settle the vast territory west of Missouri and Iowa, and to create a transcontinental railroad to
capitalize on Asian markets and goods. New territories brought up questions of whether slavery
would be allowed, with many supporting “popular sovereignty” where voters chose whether they
would have slavery or not. The issue here was that the 1820 Missouri Compromise had said there
would be no new slaver.
In two paragraphs, respond to the prompt below. Journal entries .docxbagotjesusa
In two paragraphs, respond to the prompt below. Journal entries must contain proper grammar, spelling and capitalization.
Consider the communication pattern within your family of origin. How does your family's conversation orientation (how open your family is to discuss a range of topics) and conformity orientation (how strongly your family reinforces the uniformity of attitudes, values and beliefs) affect your interactions with your partner? If you don't think there is any effect, explain your reasoning.
.
Investigative Statement AnalysisInitial statement given by Ted K.docxbagotjesusa
Investigative Statement Analysis
Initial statement given by Ted Kennedy in reference to the accident that occurred on July 18, 1969 in Chappaquiddick, Massachusetts.
Date:
October 30, 2007
Analyst Comments:
Narrative Balance: The Prologue begins with sentence #1 and ends with sentence #3. The Central Issue begins with sentence #4 and ends with sentence #9. The Epilogue begins with sentence #10 and ends with sentence #14. Thus the breakdown is:
Prologue = 3 sentences
Central Issue = 6 sentences
Epilogue = 5 sentences
The narrative is somewhat unbalanced due to the short Prologue and thus can be considered to be possibly deceptive on its face. It is not unbalanced enough to say this conclusively.
Mean Length of Unit:
The narrative has 14 sentences and 237 words, thus giving a MLU of 16.9 rounded to 17. Thus any sentences 23 words or longer and any sentences 11 words or less can be considered deceptive on their face.
Structure of Analysis:
The actual sentences from the narrative are in bold italicized type. After each sentence are the number of words in the sentence, whether or not it is deceptive on its face, and the analyst’s comments. All of these will be in normal type.
1.
On July 18th, 1969, at approximately 11:15 P.M. in Chappaquiddick, Martha’s Vineyard, Massachusetts, I was driving my car on Main Street on my way to get the ferry back to Edgartown.
30 words – Deceptive on its face. There is no mention of the passenger in this sentence. All of the pronouns are singular. It is “my car” “on my way”, etc. When the passenger is mentioned later, it is almost an afterthought. The deception in this sentence may be the last part of the sentence where he relates why he was driving the car. He very well may have been driving for some reason other than to get the ferry. This would be an area to be further explored in an interview.
2.
I was unfamiliar with the road and turned right onto Dike Road, instead of bearing hard left on Main Street.
20 words. “I was unfamiliar with the road” is an explanatory phrase telling us why he ended up on Dike Road. The phrase “instead of bearing hard left on Main Street” is a strange way of phrasing. Most people would say something like “instead of staying on Main Street.”
3.
After proceeding for approximately one-half mile on Dike Road I descended a hill and came upon a narrow bridge.
20 words. There is nothing particularly deceptive about this sentence. The phrasing of the sentence is very formal. The phrasing is almost like a police type report or a legal/lawyer way of phrasing. It also appears that the phrase “came upon a narrow bridge” is almost a passive way of phrasing that indicates he was taken by surprise and had no control over what he was doing.
4.
The car went off the side of the bridge.
9 words – This sentence is deceptive on its face. This is the very first sentence of the Central Issue. It is interesting to note that four of the six s.
Investigating Happiness at College SNAPSHOT T.docxbagotjesusa
Investigating Happiness at College
SNAPSHOT:
TOPIC Either a specific group related to college or a factor within
college life that possibly affects a specified group of college
students or students in general.
PITCH Present your topic and your research question to the class—
shark tank! Sound too scary? How about guppy tank ?).
Tentative due date: 2/5 & 2/7
ESSAY 1 The prospectus and the annotated bibliography.
Tentative due date: 2/21
ESSAY 2 Change in your topic or conducting your own study
Tentative due date: 3/16
ESSAY 3 Argument about a specific controversy within your topic
Tentative due date: 4/6
ESSAY 4 Answers and argues your refined research question about the
importance of your topic.
Tentative due date: 4/24
♥ Rough drafts with reflections about what is working and not working and
WHY will be required for the prospectus and essays 2 and 3. The work
on the rough draft and the reflections will count toward your essay grade.
♥ Final reflections submitted the class period after you submit your final
draft for essays 2-4 will also count as part of your essay grade.
♥ You will upload your drafts on Moodle. You will be asked to identify the
portions of the sources you used and submit hard copies of your sources
in a folder or files of your sources online.
Investigating Happiness at College:
Some questions that will help you form your own research
questions:
● Is happiness a necessity or a perk in college life?
● What do the expectations of happiness and the pursuit of
happiness reveal about a specific college group, college
students in general, or another college-related group?
● Considering both on-campus factors and off-campus factors
(at least at first), what most influences your group’s
happiness (or unhappiness)?
● Is there one major factor (on campus or off campus) you
would want to investigate that affects students’ happiness?
● How do the expectations about happiness that society has in
general or a certain specific segment of society (for
instance, parents) has, relate to college or college students?
● How much do preconceived notions and expectations about
college life affect student happiness?
● Hard work is hard to enjoy. So how do students balance that
hard work with the .
Investigate Development Case Death with Dignity Physician-Assiste.docxbagotjesusa
Investigate Development Case: Death with Dignity / Physician-Assisted Suicide
MAKE A DECISION: Is Ben's decision making being affected by his depression?
Yes
No
Why? Give reasons for why you chose the way you did. Consider the following factors in your reasons:
The effects of depression on decision making
Other stresses in Ben's life contributing to his state of mind
Ben's current quality of life
The family's values and beliefs
Your own values and beliefs
Please see attachment
.
The Indian economy is classified into different sectors to simplify the analysis and understanding of economic activities. For Class 10, it's essential to grasp the sectors of the Indian economy, understand their characteristics, and recognize their importance. This guide will provide detailed notes on the Sectors of the Indian Economy Class 10, using specific long-tail keywords to enhance comprehension.
For more information, visit-www.vavaclasses.com
Palestine last event orientationfvgnh .pptxRaedMohamed3
An EFL lesson about the current events in Palestine. It is intended to be for intermediate students who wish to increase their listening skills through a short lesson in power point.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
This is a presentation by Dada Robert in a Your Skill Boost masterclass organised by the Excellence Foundation for South Sudan (EFSS) on Saturday, the 25th and Sunday, the 26th of May 2024.
He discussed the concept of quality improvement, emphasizing its applicability to various aspects of life, including personal, project, and program improvements. He defined quality as doing the right thing at the right time in the right way to achieve the best possible results and discussed the concept of the "gap" between what we know and what we do, and how this gap represents the areas we need to improve. He explained the scientific approach to quality improvement, which involves systematic performance analysis, testing and learning, and implementing change ideas. He also highlighted the importance of client focus and a team approach to quality improvement.
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxEduSkills OECD
Andreas Schleicher presents at the OECD webinar ‘Digital devices in schools: detrimental distraction or secret to success?’ on 27 May 2024. The presentation was based on findings from PISA 2022 results and the webinar helped launch the PISA in Focus ‘Managing screen time: How to protect and equip students against distraction’ https://www.oecd-ilibrary.org/education/managing-screen-time_7c225af4-en and the OECD Education Policy Perspective ‘Students, digital devices and success’ can be found here - https://oe.cd/il/5yV
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
1. INTERNATIONAL JOURNAL OF INFORMATION SECURITY
SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
28
Addressing Information Security Risks by Adopting
Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science,
Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡
P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321,
Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in
nearly every facet of human activity including, finance,
transportation, education, government, and defense.
Organizations are exposed to various and increasing kinds of
risks,
2. including information technology risks. Several standards, best
practices, and frameworks have been created to help
organizations manage these risks. The purpose of this research
work is to highlight the challenges facing enterprises in their
efforts to properly manage information security risks when
adopting international standards and frameworks. To assist in
selecting the best framework to use in risk management, the
article presents an overview of the most popular and widely
used
standards and identifies selection criteria. It suggests an
approach to proper implementation as well. A set of
recommendations
is put forward with further research opportunities on the
subject.
Keywords- Information security; risk management; security
frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering
most aspects of our daily life. Businesses which
are heavily dependent on this technology use
information systems which were designed and
3. implemented with concentration on functionality,
costs reduction and ease of use. Information
security was not incorporated early enough into
systems and only recently has it started to get the
warranted attention. Accordingly, there is a need to
identify and manage these hidden weaknesses,
referred to as systems vulnerabilities, and to limit
their damaging impact on the information systems
integrity, confidentiality, and availability.
Vulnerabilities are exploited by attacks which are
becoming more targeted and sophisticated.
Attacking techniques and methods are virtually
countless and are evolving tremendously [1, 2].
In any enterprise, information security risks
must be identified, evaluated, analyzed, treated and
properly reported. Businesses that fail in
identifying the risks associated with the
technology they use, the people they employ, or
4. the environment where they operate usually
subject their business to unforeseen consequences
that might result in severe damage to the business
[3]. Therefore, it is critical to establish reliable
information security risk assessment and treatment
frameworks to guide organizations during the risk
management process.
Because risks cannot be completely eliminated,
they need to be reduced to acceptable levels.
Acceptable risks are risks that the business decides
to live with, given that proper assessment for these
risks has been performed and the cost of treating
these risks outweighs the benefits.
To this effect, enterprises spend considerable
resources in building proper information security
INTERNATIONAL JOURNAL OF INFORMATION SECURITY
SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
5. 29
risk management programs that would eventually
address the risks they are exposed to. These
programs need to be established on solid
foundations, which is the reason why enterprises
look for standards and frameworks that are widely
accepted and common across enterprises [4].
However, the fact that several standards and
frameworks exist make it challenging for
enterprises to select which one to adopt and the
question: “which is the best?” warrants further
investigation. The main objective of this paper is
to provide an answer to this question, thereby
assisting enterprises in developing proper
understanding of the issue and establishing
successful information security risk management
programs. This paper provides an analysis of some
6. existing standards and frameworks for information
security risks and consolidates various aspects of
the topic. It also presents the challenges that
frustrate information security risk management
efforts along with how leading market standards
and practices can be used to address information
security risks with insights on their strengths and
weaknesses.
Please note that the scope of this paper is
limited to the following frameworks: ISO 27001,
ISO 27002, ISO 27005, ITIL, COBIT, Risk IT,
Basel II, PCI DSS, and OCTAVE. These are the
most commonly used frameworks in the market
[5]. Other frameworks and methodologies like
RMF (by NIST) and M_o_R (by GOC) can be
considered in future work. It is also important to
mention that this paper is not intended to promote
a specific standard or framework; rather it treats
7. them equally. Conclusions drawn as a result of this
work are based on our detailed analyses, research,
literature review, and observations from our work
experience and engagements with clients from
various sectors in the field of information security.
The remainder of this paper is organized as
follows: section 2 highlights some related work;
section 3 details some challenges that disturb
information security risk assessments; section 4
provides an overview of the major drivers for
standards adoption; section 5 provides detailed
analyses and exploration for the standards and
frameworks in scope; section 6 details with the
strengths and weaknesses of these standards and
frameworks when used as a means to address
information security risks; section 7 captures the
selection considerations to use; section 8 provides
some recommendations along with the proposed
8. approach; section 9 presents a case study to
illustrate the benefits of the proposed selection
method; finally, section 10 puts forward some
conclusions and future research opportunities in
relation to our work.
2. Related Work
The literature on information security risk
management based on international standards is
scarce. The literature lacks studies that guide
organizations in selecting the standard that fits
their needs. Some research works attempt to
analyze existing information security risk
management standards, mainly ISO 27001 [6].
However, these research works focus mainly on
listing advantages and disadvantages of these
standards and how to implement and manage
them. No comprehensive studies have been done to
9. holistically compare various frameworks, with the
objective of providing selection criteria for the best
standard or proposing a better assessment
approach. Some papers dealt with frameworks
such as COBIT, ITIL, and ISO 17799, as means to
manage compliance requirements [7]. Ref. [8]
proposes a framework which considers global,
national, organizational, and employee standards
to guide information security management. Ref.
[9] presents framework of information security
standards conceptualization, interconnection and
categorization to raise awareness among
organizations about the available standards
(mainly ISO series).
As well as exploring existing frameworks used
in IT risk management this paper presents the
challenges facing organizations to successfully
implement information security risk assessments
10. and the drivers for standards adoption. The main
and novel contribution of our research work is the
proposal of a practical approach to selecting an
appropriate framework to address information
security risks.
3. Challenges to Information Security Risk
Assessments
INTERNATIONAL JOURNAL OF INFORMATION SECURITY
SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
30
Some of the common challenges to information
security risk assessments are discussed briefly in
this section. In fact, these challenges represent
critical failure factors for an information risk
management program.
11. 1) Absence of senior management commitment &
support: Management’s buy-in and support is a
critical driver for the success of any IT project,
including information security risk assessments.
Absence of management commitment will
result in wasting valuable resources and efforts,
producing weak evaluations, and most
importantly, will lead to ignoring the
assessment findings [10].
2) Absence of appropriate policies for information
security risk management: It is crucial to have
information security policies in place to reflect
the enterprise objectives and management
directions. Although some policies might be
created, information security risk management
policies tend to be dropped or forgotten. In a
research conducted by GAO, the US
Government Accountability Office, three out of
12. four detailed case studies showed that despite
the fact that firms used to have some form of
information security risk assessment approaches
practiced for several years, the risk management
and assessment policies and processes were not
documented until recently [11]. The absence of
this critical steering document will lead to
unstructured risk assessment approaches and
will openly allow unmanaged evaluations.
3) Disintegrated GRC efforts: The increasingly
popular term GRC refers to three critical areas:
Governance, Risk Management, and
Compliance. According to COBIT 4.1, IT
Governance is defined as “the responsibility of
executives and the board of directors, and
consists of the leadership, organizational
structures and processes that ensure that the
enterprise’s IT sustains and extends the
13. organization’s strategies and objectives” [12].
Risk management is a process through which
management identifies, analyses, evaluates,
treats, communicates, and monitors risks that
might adversely affect realization of the
organization's business objectives. Compliance
is about making sure that external laws,
regulations, mandates and internal policies are
being complied with at a level consistent with
corporate morality and risk tolerance.
Governance, risk, and compliance should
always be viewed as a continuum of interrelated
functions, best approached in a comprehensive,
integrated manner. The disintegration results in
increased failure rates, waste of resources, and
increased overall assurance cost.
4) Improper assessments management: Despite the
importance of security risk assessments, they
14. are mostly not managed as projects and merely
considered as part of IT normal operations.
Considering security risk assessments as part of
IT routine assignments will exclude these
assessments from business review and
consequently will result in a definite disconnect
between management and their enterprise
information security assessments. This
exclusion will also increase the possibilities of
executing over-budget assessments that will
only cause additional efforts and resources to be
wasted.
5) Assets ownership is either undefined or
unpracticed: In ISO 27001 “the term ‘owner’
identifies an individual or entity that has
approved management responsibility for
controlling the production, development,
maintenance, use and security of the assets.
15. [13]. This definition entails major responsibility
granted to the person who is assigned the
ownership which includes making sure that
proper controls are actually implemented in
order to protect the asset. Information security
standards, best practices and mandates like ISO,
COBIT, and ITIL require that information
assets are identified, inventoried, and ownership
is assigned. This is crucial for the success of
any information security assessment. Most
organizations fail to develop comprehensive
information assets inventories and accordingly
do not assign ownership [14].
6) Limitations of existing automated solutions:
Software solutions for information security risk
assessment are developed to aid in the
automation of this process and to make it more
efficient. In a detailed comparison conducted by
16. “Risk Assessment Accelerator”, seven common
solutions were compared with respect to more
http://en.wikipedia.org/wiki/Risk_Management
http://en.wikipedia.org/wiki/Compliance_(regulation)
INTERNATIONAL JOURNAL OF INFORMATION SECURITY
SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
31
than forty different areas [15]. Features like
ease of use, multi-language and client-server
architecture support were highlighted as
existing limitations in four up to five of these
solutions. Three out of the seven compared
solutions provide limited customization
capabilities for both built-in inventories (for
risks, vulnerabilities and threats) and the
generated dashboards. All these weaknesses and
limitations degrade enterprises’ efforts to have
17. efficient and reliable information security risk
assessment requirements documentation.
7) Existence of several IT risk assessment
frameworks: The existence of many information
security risk management and assessment
frameworks add to the ambiguity and challenge
of what is the best one to use. As a matter of
fact, analyses of exiting risk assessment
frameworks show that there is no one-size-fits-
all solution to this issue as it is hard to develop
a single precise document that will address the
needs of all enterprises given their variant
natures and requirements.
4. Drivers for Standards Adoption
In order to address their information security
risk management and assessment challenges,
enterprises adopt internationally accepted
18. frameworks or best practices. Standards in general
are meant to provide uniformity that would ease
the understanding and management of concerned
areas. Businesses find themselves in need to adopt
standards for various reasons which vary from
business requirements to regulators and
compliance mandates. Establishment of proper
corporate governance, increasing risk awareness
and competing with other enterprises are some
business drivers to mention. Some firms pursue
certifications to meet market expectations and
improve their marketing image. A major business
driver for standards adoption is to fill in the gaps
and lack of experience in certain areas where firms
are not able to build or establish proprietary
standards based on their staff competencies [16].
Providing confidence to trading partners,
stakeholders, and customers, reducing liability due
19. to unimplemented or enforced policies and
procedures, getting senior management ownership
and involvement and establishing a mechanism for
measuring the success of the security controls are
some other key drivers for the adoption of
standards.
5. Leading Market Best Practices Standards
The conclusion section should emphasize the
main contribution of the article to literature.
Authors may also explain why the work is
important, what are the novelties or possible
applications and extensions. Do not replicate the
abstract or sentences given in main text as the
conclusion.
In this section, an overview is presented of a
number of the more important standards for
information security risk management. For detailed
20. information about these standards, the reader is
encouraged to consult the references provided for
them. The list of standards presented is absolutely
not complete, and as mentioned before a subset of
the existing standards are treated in this paper.
5.1. ISO 27000 Set
The ISO 27000 is a series of standards, owned
by the International Standards Organization,
focusing on information security matters. For the
purposes of this work, ISO 27001, ISO 27002, and
ISO 27005 will be explored to highlight their
strengths and weaknesses in relation to current
demands for effective and robust frameworks for
information security risk assessments.
ISO 27001: The ISO 27001 standard is the
specification for an Information Security
Management System (ISMS). The objective of the
21. standard is to specify the requirements for
establishing, implementing, operating, monitoring,
reviewing, maintaining, and improving an
Information Security Management System within
an organization [13]. It is designed to ensure the
selection of adequate and proportionate security
controls to protect information assets. It is seen as
an internationally recognized structured
methodology dedicated to information security
management.
INTERNATIONAL JOURNAL OF INFORMATION SECURITY
SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
32
The standard introduces a cyclic model known
as the “Plan-Do-Check-Act” (PDCA) model that
aims to establish, implement, monitor and improve
22. the effectiveness of an organization’s ISMS. The
PDCA cycle has these four phases:
– establishing the ISMS
– implementing and operating the ISMS
– monitoring and reviewing the ISMS
– maintaining and improving the ISMS
Organizations that adopt ISO 27001 in their
attempt to pursue an effective means for
operational information security risk management
overlook the fact that this standard was designed to
be used mainly as an ISMS framework – at the
high level, not operational level - founding proper
bases for information security management. ISO
27001 document mentions valuable details on
information security risk assessment – mainly in
the statements 4.2.1.C thru 4.2.1.H that can be
used as selection criteria for a proper information
security risk assessment approach that builds upon
23. the controls list proposed by the standard.
ISO 27002: ISO 27002 is a code of practice
that provides suggested controls that an
organization can adopt to address information
security risks. It can be considered an
implementation roadmap or extension to ISO
27001. As stated in the standard document, the
code of practice is established to provide
“guidelines and general principles for initiating,
implementing, maintaining, and improving
information security management within an
organization” [17]. The controls listed in the
standard are intended to address the specific
requirements identified via a formal risk
assessment. The standard is also intended to
provide a guide for the development of
“organizational security standards and effective
security management practices, and to help build
24. confidence in inter-organizational activities” [18].
ISO 27002 as the Code of Practice is best suited to
be used as a guidance and direct extension to ISO
27001. ISO 27002 is used by enterprises as the
sole source of controls and a means for
information security risk assessment, however, not
all controls are mandated as firms’ structures and
businesses vary. Controls selection must be done
based on detailed and structured assessment to
determine which specific controls are appropriate
and which are not.
This standard contains guidelines and best
practices recommendations for these 10 security
domains: Security Policy; Organization of
Information Security; Asset Management; Human
Resources Security; Physical and Environmental
Security; Communications and Operations
Management; Access Control; Information
25. Systems Acquisition, Development and
Maintenance; Information Security Incident
Management; Business Continuity Management;
and Compliance.
Among these 10 security domains, a total of 39
control objectives and hundreds of best-practice
information security control measures are
recommended for organizations to satisfy the
control objectives and protect information assets
against threats to confidentiality, integrity and
availability.
ISO 27005: ISO 27005 standard was proposed
to fill in the gaps existing in ISO 27001 and ISO
27002 in terms of information security risk
management. The standard builds up on the core
that was introduced in ISO 27001 – reference
statements 4.2.1.C thru 4.2.1.H – and elaborates by
identifying inputs, actions, implementation
26. guidelines, and outputs for each and every
statement. However, during our research we
realized that the adoption of this standard as a
means for information security risk management is
minimal. This was evident in “The Open Group”
efforts to support ISO 27005 adoption by releasing
a free detailed technical document – called
ISO/IEC 27005 Cookbook – that uses ISO 27005
as a cornerstone for a complete risk management
methodology [18, 19]. ISO 27005 is not intended
to be an information security risk assessment
methodology [20].
The standard has six annexes that are all
informative but considered of a major value
extension to the standard. With proper
customization, these annexes along with the ISO
27005 body can be used as the main assessment
methodology for security risks.
27. 5.2. IT Infrastructure Library (ITIL 3.0)
INTERNATIONAL JOURNAL OF INFORMATION SECURITY
SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
33
ITIL is one of the IT frameworks used as a best
practice adopted to properly manage IT services.
ITIL perceives any effort or action done by IT in
support to the organization as a service that has
value to customers or businesses. The ITIL library
focuses on managing IT services and covers all
aspects of IT service provisioning starting from
service strategy, design, transition, operation, and
implementation. It also highlights the continual
monitoring and improvement aspect for each and
every service.
28. ITIL does not introduce itself as a framework
for information security risk management.
However, as an IT governance framework, having
it implemented in an enterprise will provide
assurance and indication on the organization’s IT
maturity. Addressing IT risks associated with
incident, change, event, problem, and capacity
management would definitely minimize related
information security risks as well [21, 22].
The drivers for ITIL adoption in organizations
were subject to analyses and study by several
researches. A survey conducted by itSMF (IT
Service Management Forum) showed that ITIL
was adopted by different industry sectors [23]
including education, government, and financial
sectors amongst others. The ITIL status survey for
2009 [24] showed the increasing adoption of ITIL
version 3.0 and elaborated on the major drivers
29. that are causing this adoption. This includes
improving service quality, customer satisfaction
and establishing IT stability and successful value
delivery for business. ITIL modularity adds to its
adoption popularity. Based on the enterprise
current priorities, the firm can select to focus on
service operations rather than service strategy
which typically needs more time to mature. The
implementation of ITIL can be implemented
gradually in phases.
5.3. COBIT 4.1 & Risk IT
Control Objectives for Information and related
Technology (COBIT), developed and owned by
the Information Systems Audit & Control
Association (ISACA), is one of the most
increasingly adopted information technology
frameworks for IT Governance. COBIT focuses
30. on defining IT control objectives and developing
the controls to meet them. It is made of 34
processes that manage and control information and
the technology that supports it [12].
COBIT is adopted by enterprises from various
industry sectors [25] which include IT consulting
firms, education, financial institutions,
government, healthcare, utilities and energy. To
get closer understanding on how various
enterprises perceive COBIT, thirty case studies
were reviewed and analyzed. The case studies
showed that COBIT was used to create the needed
alignment between business and IT, create the IT
Governance framework, improve IT processes and
establish the IT risk management organization.
Other enterprises used COBIT to meet their
compliance needs and requirements. It was
realized from the case studies that financial
31. institutions adopt COBIT for their internal IT audit
efforts and risk assessments. They also used it to
create IT policies and procedures. Other firms used
COBIT as a means to standardize IT processes and
increase their effectiveness and maturity level.
COBIT was also used as a means to conduct audit.
COBIT does not provide a methodology to
conduct information security risk assessments but
rather establishes the foundation for having a solid
IT organization in the firm.
ISACA recognized the importance and need
for a comprehensive IT risk management
framework and as a result developed the Risk IT
framework. According to the Risk IT framework
document “The Risk IT framework complements
ISACA’s COBIT, which provides a
comprehensive framework for the control and
governance of business-driven IT-based solutions
32. and services. While COBIT sets good practices for
the means of risk management by providing a set
of controls to mitigate IT risk, Risk IT sets good
practices for the ends by providing a framework
for enterprises to identify, govern and manage IT
risks [26].
Risk IT provides an end-to-end, comprehensive
view of all risks related to the use of IT and a
similarly thorough treatment of risk management,
from the tone and culture at the top, to operational
issues. It enables enterprises to understand and
manage all significant IT risk types. Risk IT
follows the process model used in COBIT and has
three major domains: 1) Risk Governance which
INTERNATIONAL JOURNAL OF INFORMATION SECURITY
SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
34
33. focuses on the establishment and maintenance of
common risk view, and making risk-aware
business decisions; 2) Risk Evaluation which deals
with data collection, risks analyses and
maintaining risk profile; 3) The Risk Response
component articulates risk, manages risk and
reacts to all adverse events identified [26].
Given that Risk IT is still new, its adoption
across enterprises is not yet realized, however, it is
expected to take more attention and focus in the
near future taking use of the wide acceptance and
adoption of COBIT.
5.4. Other Frameworks
In this section, we briefly discuss other
standards and regulations for information security.
Some industries, such as banking, are regulated,
34. and the guidelines or best practices put together as
part of those regulations often become a de facto
standard among members of these industries.
Basel II: Basel II is the most commonly
adopted directive across the financial institutions.
The reason behind this is the fact that this directive
has become a mandated regulation that all
financial institutions need to comply with. Its core
is about how much capital banks need to put aside
to guard against the types of financial and
operational risks banks face [27]. It focuses on
operational risks as opposed to information
security risks. According to Basel II, operational
risk (Ops Risk) is any risk that results from failure
in any of the following areas: system, process,
human or external attack. This definition implies
that Basel II has an IT dimension that needs to be
properly managed. This area was subject for
35. detailed research and several publications tried to
set clear controls and control objectives to mitigate
the related risks. ISACA led this effort and
developed a detailed framework in this regards
[28].
PCI DSS: Payment Card Industry Data
Security Standard (PCI DSS) [29], currently in
version 2.0, is a standard that consists of twelve
domains and was created by payment brands
leaders to help facilitate the broad adoption of
consistent data security measures on a global basis.
Proper implementation of PCI DSS assists in
building and maintaining a secure network,
protecting cardholder data, maintaining a
vulnerability management program, and
implementation of solid access control measures.
Compliance with PCI requirements is mandated
for any party that stores or transmits credit or debit
36. card data. It assists enterprises to manage
information security risks, reduces losses resulting
from fraud, and protects consumer data. PCI DSS
is not intended to be used as an information
security risk management or assessment
framework; however, while efforts are spent
towards fulfilling its requirements overall
information security maturity level is leveraged
making it easier to achieve better security
assessments. For organizations that already have
ISMS (ISO 27001) implemented, PCI DSS
compliance is straight forward.
OCTAVE Set: OCTAVE (Operationally
Critical Threat, Asset and Vulnerability
Evaluation), developed at the CERT Coordination
center at Carnegie Mellon University, is a detailed
information security risk assessment methodology;
it consists of tools, techniques and methods to
37. conduct risk assessments. It is a formal and
detailed set of processes, which assist in ensuring
that risks are identified and properly analyzed,
…
please address the following in a properly formatted research
paper:
1)Do you think that ISO 27001 standard would work well in the
organization that you currently or previously have worked for?
If you are currently using ISO 27001 as an ISMS framework,
analyze its effectiveness as you perceive in the organization.
2)Are there other frameworks mentioned has been discussed in
the article that might be more effective?
3)Has any other research you uncover suggest there are better
frameworks to use for addressing risks?
Your paper should meet the following requirements:
Be approximately four to six pages in length, not including the
required cover page and reference page.
Follow APA 7 guidelines. Your paper should include an