28 research outputs found

    An Open Reference Framework for Enterprise Information Security Risk Management Using the STOPE Scope and the Six-Sigma Process

    With the widespread use of e-transactions in enterprises, information security risk management (ISRM) is becoming essential for establishing a safe environment for their activities. This paper introduces a new and comprehensive ISRM framework that enables the effective establishment of the target safe environment. The framework has two structural dimensions and two procedural dimensions. The structural dimensions are the ISRM scope and the ISRM assessment criteria; the procedural dimensions are the ISRM process and the ISRM assessment tools. The framework uses the comprehensive STOPE (Strategy, Technology, Organization, People, and Environment) view for the ISRM scope, while its assessment criteria are left open to various standards. For the procedural dimensions, the framework uses the widely known six-sigma DMAIC (Define, Measure, Analyze, Improve, and Control) cycle for the ISRM process, and it considers the use of various assessment tools. It is hoped that the framework provides useful tools for future applications.

    A High-Level Scheme for an Ontology-Based Compliance Framework in Software Development

    The software development market is currently witnessing an increasing demand for software applications that conform to the international GRC (Governance, Risk and Compliance) regime. In this paper, we propose a compliance requirement analysis method for the early stages of software development based on a semantically rich model, in which a mapping can be established from the legal and regulatory requirements relevant to the system context to the software system's business goals and contexts. The proposed semantic model consists of a number of ontologies, each corresponding to a knowledge component within the framework developed in our approach. Each ontology is a thesaurus of concepts in the compliance and risk assessment domain related to system development, along with the relationships and rules between concepts that comprise the domain knowledge. The main contribution of the work presented in this paper is a case study that demonstrates how description-logic reasoning techniques can be used to simulate the legal reasoning employed by legal professionals against the description of each ontology.

    Towards a Sustainable and Efficient Component-based Information Security Framework

    Information security and information systems (IS) security both have top management priority in many companies and organizations. In various information security models, researchers recommend several important components for sustainably and efficiently enforcing information security. There is little research aiming at approaches that combine theoretically and empirically substantiated principles. To fill this research gap, the aim of this paper is to discuss the adequacy of "academic" information security components, to analyze their practical relevance using an empirical study, and to consolidate the identified factors using a principal component analysis to enhance applicability. Findings suggest two main factors, identified as short-term and long-term, as well as 18 sub-components. The results can assist companies and organizations in sustainably and efficiently implementing information security.

    Compliance Analysis in IT Management

    This diploma thesis deals with one of the important parts of how large corporations function, namely Compliance, with particular attention to IT management. The thesis thoroughly explores the given area. This research is simultaneously aimed at finding the difficulties that occur in everyday practice. Subsequently, possible ways of solving the identified problematic phenomena are outlined.

    The information security policy unpacked: A critical study of the content of university policies

    Ensuring the security of corporate information, which is increasingly stored, processed and disseminated using information and communications technologies (ICTs), has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing protecting corporate information, is the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and about approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study reported in this paper is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualisation of information security embedded in them. There are two important conclusions to be drawn from this study: 1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and 2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.

    A Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context

    An examination of Information Security (IS) and Information Security Management (ISM) research in Saudi Arabia has shown the need for more rigorous studies focusing on the implementation and adoption processes involved in IS culture and practices. Overall, there is a lack of academic and professional literature about ISM, and more specifically about IS culture, in Saudi Arabia. Therefore, the overall aim of this paper is to identify the issues and factors that assist the implementation and adoption of IS culture and practices within the Saudi environment. The goal of this paper is to identify the important conditions for creating an information security culture in Saudi Arabian organizations. We plan to use this framework to investigate whether security culture has emerged into practice in Saudi Arabian organizations.

    Equipment-as-Experience: A Heidegger-Based Position of Information Security

    Information security (InfoSec) has ontologically been characterised as an order machine. The order machine connects with other machines through interrupting mechanisms. This way of portraying InfoSec focuses on the correct placement of machine entities to protect information assets. However, what is missing in this view is that, for the InfoSec we experience in everyday practice, we are not just observers of the InfoSec phenomenon but also active agents of it. To contribute to this quest, we draw on Heidegger's (1962) notion of equipment and propose the concept of equipment-as-experience to understand the ontological position of InfoSec in everyday practice. In this paper we show how equipment-as-experience provides a richer picture of InfoSec as a fundamental sociotechnical phenomenon. We further contend, using an example case, that InfoSec equipment should not be understood merely by its properties (present-at-hand mode), but rather in ready-to-hand mode when put into practice.