Practical Methods for Information Security Risk Management

The purpose of this paper is to present some directions to perform the risk man-agement for information security. The article follows to practical methods through question-naire that asses the internal control, and through evaluation based on existing controls as part of vulnerability assessment. The methods presented contains all the key elements that concurs in risk management, through the elements proposed for evaluation questionnaire, list of threats, resource classification and evaluation, correlation between risks and controls and residual risk computation.Risk Management, Threats, Vulnerabilities, Information Security

Risk Management for e-Business

In the new Internet economy, risk management plays a critical role to protect the organization and its ability to perform their business mission, not just its IT assets. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. The risk management is an important component of a IT security program. Information and communications technology management and IT security are responsible for ensuring that technology risks are managed appropriately. These risks originate from the deployment and use of IT assets in various ways, such as configuring systems incorrectly or gaining access to restricted software.risk, e-business, threat, vulnerability

The Information Security Management System, Development and Audit

Information security management system (ISMS) is that part of the overall management system, based on a business risk approach, that it is developed in order to establish, implement, operate, monitor, review, maintain and improve information securitysecurity, information management system, audit

An Exploration of Human Resource Management Information Systems Security

In this exploratory study we investigate differences in perception between management and staff with regard to overall information security risk management and human resources security risk management at two Fortune 500 companies. This study is part of a much larger study with regard to organizational information security issues. To our knowledge, this is the first time the issue of security risk management has been discussed in the context of human resource systems. We found significant differences between management and staff perceptions regarding overall security risk management and human resources security risk management. Our findings lay the ground work for future research in this area

A Risk Management Process for Consumers

Simply by using information technology, consumers expose themselves to considerable security risks. Because no technical or legal solutions are readily available, the only remedy is to develop a risk management process for consumers, similar to the process executed by enterprises. Consumers need to consider the risks in a structured way, and take action, not once, but iteratively. Such a process is feasible: enterprises already execute such processes, and time-saving tools can support the consumer in her own process. In fact, given our society's emphasis on individual responsibilities, skills and devices, a risk management process for consumers is the logical next step in improving information security

Methodologies for Evaluating Information Security Investments - What Basel II Can Change in the Financial Industry

The New Basel Capital Accord (Basel II) will include operational risk to the calculation of necessary regulatory capital in financial institutions after year-end 2006. Most of the banks have already developed sophisticated risk management frameworks helping to quantify and manage operational risk. Information security has direct impact on operational risk, but risk managers consider Information Systems (IS) related risks not enough by now. This problem mainly depends on the variety of methods used by security managers to evaluate systems security and to develop security concepts. Even little efforts would enable information security officers to quantify the benefits of information security investments using operational risk quantification methods. The security community has not yet addressed this opportunity. The article discusses models used for decisions about security investments known from the field of security economics and accounting and illustrates the problems by applying these models. Based on a general operational risk management framework of a bank, this article introduces a new approach using accepted risk management methods

The Challenge of Ensuring Business Security in Information Age

Every day, thousands of businesses rely on the services and information ensured by information and communication networks. As the dependence on information systems grows, so the security of information networks becomes ever more critical to any entity, no matter if it is a company or a public institution. The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations. For this reason, the cyber threats need to be addressed at the global level. Given the gravity of the threat and of the interests at stake, it is imperative that the comprehensive use of information technology solutions be supported by a high level of security measures and be embedded also in a broad and sophisticated cyber security culture. This paper provides arguments regarding the need to implement coherent information security policies at national level, based on cooperation between public and private sectors and in coordination with international initiatives in the field. Since information security is vital for developing and running an efficient business, this study may constitute a strategic approach to improve the information security posture of Romanian organizations.information security; information security risk management; security threats; confidentiality; integrity; availability.

Estimating ToE Risk Level using CVSS

Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Parts of which is to make future-oriented, cost-benefit investments in security. Security investments must adhere to healthy business principles where both security and financial aspects play an important role. Information on the current and potential risk level is essential to successfully trade-off security and financial aspects. Risk level is the combination of the frequency and impact of a potential unwanted event, often referred to as a security threat or misuse. The paper presents a risk level estimation model that derives risk level as a conditional probability over frequency and impact estimates. The frequency and impact estimates are derived from a set of attributes specified in the Common Vulnerability Scoring System (CVSS). The model works on the level of vulnerabilities (just as the CVSS) and is able to compose vulnerabilities into service levels. The service levels define the potential risk levels and are modelled as a Markov process, which are then used to predict the risk level at a particular time

BANKING INNOVATIONS RISK – PROFITABILITY RELATIONSHIP IN THE BANKING SYSTEM OF THE REPUBLIC OF MOLDOVA

The level of information technologies development in modern banks represents an essential factor in maintenance and consolidation of the position on the market. In this respect all Moldovan banks develop risk management policies with regard to banking IT’s and e-products and services, which they consider as the main part of banking innovations at the moment. The purpose of this article is to analyze each innovation (Information Security Services, Business Systems Controls, Business Continuity Management, IT Outsourcing, Information Systems Governance, IT Performance, Project Risk Management, IT Internal Audit) in terms of risks and benefits when these risks are managed properly.banking system, risk, information technologies