The Information Security Management System, Development and Audit

Information security management system (ISMS) is that part of the overall management system, based on a business risk approach, that it is developed in order to establish, implement, operate, monitor, review, maintain and improve information securitysecurity, information management system, audit

Information Security Risk Management: In Which Security Solutions Is It Worth Investing?

As companies are increasingly exposed to information security threats, decision makers are permanently forced to pay attention to security issues. Information security risk management provides an approach for measuring the security through risk assessment, risk mitigation, and risk evaluation. Although a variety of approaches have been proposed, decision makers lack well-founded techniques that (1) show them what they are getting for their investment, (2) show them if their investment is efficient, and (3) do not demand in-depth knowledge of the IT security domain. This article defines a methodology for management decision makers that effectively addresses these problems. This work involves the conception, design, and implementation of the methodology into a software solution. The results from two qualitative case studies show the advantages of this methodology in comparison to established methodologies

The Challenge of Ensuring Business Security in Information Age

Every day, thousands of businesses rely on the services and information ensured by information and communication networks. As the dependence on information systems grows, so the security of information networks becomes ever more critical to any entity, no matter if it is a company or a public institution. The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations. For this reason, the cyber threats need to be addressed at the global level. Given the gravity of the threat and of the interests at stake, it is imperative that the comprehensive use of information technology solutions be supported by a high level of security measures and be embedded also in a broad and sophisticated cyber security culture. This paper provides arguments regarding the need to implement coherent information security policies at national level, based on cooperation between public and private sectors and in coordination with international initiatives in the field. Since information security is vital for developing and running an efficient business, this study may constitute a strategic approach to improve the information security posture of Romanian organizations.information security; information security risk management; security threats; confidentiality; integrity; availability.

Practical Methods for Information Security Risk Management

The purpose of this paper is to present some directions to perform the risk man-agement for information security. The article follows to practical methods through question-naire that asses the internal control, and through evaluation based on existing controls as part of vulnerability assessment. The methods presented contains all the key elements that concurs in risk management, through the elements proposed for evaluation questionnaire, list of threats, resource classification and evaluation, correlation between risks and controls and residual risk computation.Risk Management, Threats, Vulnerabilities, Information Security

Foundations for an Intelligence-driven Information Security Risk-management System

Information security risk management (ISRM) methods aim to protect organizational information infrastructure from a range of security threats by using the most effective and cost-efficient means. We reviewed the literature and found three common deficiencies in ISRM practice: 1) information security risk identification is commonly perfunctory, 2) information security risks are commonly estimated with little reference to the organization’s actual situation, and 3) information security risk assessment is commonly performed on an intermittent, non-historical basis. These deficiencies indicate that, despite implementing ISRM best-practice, organizations are likely to have inadequate situation awareness (SA) regarding their information security risk environments. This paper presents a management system design that organizations can use to support SA in their ISRM efforts

A Risk Management Process for Consumers

Simply by using information technology, consumers expose themselves to considerable security risks. Because no technical or legal solutions are readily available, the only remedy is to develop a risk management process for consumers, similar to the process executed by enterprises. Consumers need to consider the risks in a structured way, and take action, not once, but iteratively. Such a process is feasible: enterprises already execute such processes, and time-saving tools can support the consumer in her own process. In fact, given our society's emphasis on individual responsibilities, skills and devices, a risk management process for consumers is the logical next step in improving information security

An Exploration of Human Resource Management Information Systems Security

In this exploratory study we investigate differences in perception between management and staff with regard to overall information security risk management and human resources security risk management at two Fortune 500 companies. This study is part of a much larger study with regard to organizational information security issues. To our knowledge, this is the first time the issue of security risk management has been discussed in the context of human resource systems. We found significant differences between management and staff perceptions regarding overall security risk management and human resources security risk management. Our findings lay the ground work for future research in this area

Interpreting the management of information systems security

The management of adverse events within organisations has become a pressing issue as the perceptions of risk continue to heighten. However the basic need for developing secure information systems has remained unfulfilled. This is because the focus has been on the means of delivery of information, i.e. the technology, rather than on the various contextual factors related to information processing. The overall aim of this research is to increase understanding of the issues and concerns in the management of information systems security. The study is conducted by reviewing the analysis, design and management of computer based information in two large organisations - A British national Health Service Hospital Trust and a Borough Council. The research methodology adopts an interpretive mode of inquiry. The management of information systems security is evaluated in terms of the business environment, organisational culture, expectations and obligations of different roles, meanings of different actions and the related patterns of behaviour. Findings from the two case studies show that an inappropriate analysis, design and management of computer based information systems affects the integrity and wholeness of an organisation. As a result, the probability of occurrence of adverse events increases. In such an environment there is a strong likelihood that security measures may either be ignored or are inappropriate to the real needs of an organisation. Therefore what is needed is coherence between the computer based information systems and the business environment in which they are embedded. In conclusion, this study shows that to resolve the problem of managing information systems security, we need to understand the deep seated pragmatic aspects of an organisation. Solutions to the problem of security can be provided by interpreting the behavioural patterns of the people involved

The Information Security Ownership Question in ISO/IEC 27001 – an Implementation

The information security management standard ISO/IEC 27001 is built on the notion that information security is driven by risk assessment and risk treatment. Fundamental to the success of risk assessment and treatment is the decision making process that takes risk assessment output and assigns decisions to this output in terms of risk treatment actions. It is argued that the effectiveness of the management system lies in its ability to make effective, easytoimplement and measurable decisions. One of the key issues in decision making is ownership. In this paper two aspects of information security ownership are considered: ownership of the asset (as per the ISO/IEC 27001 definition) and ownership of the risk treatment actions. This paper discuses how traditional information security risk assessment methodologies confuse the ownership issue and raises the question as to whether this is simply because they are rebadged computer security risk assessment methodologies or because the significance and the complexity of ownership is underestimated in many forms of information security risk assessment. This paper also presents some observations from practical attempts at implementing an organisationwide information security risk assessment methodology. The observations were made as part of ISO/IEC 27001 certification assessment visits