Enhancing Information Security Risk Management for Organizations
Citation
Subir Kochar, Sachin Goyal, Ratish Agarwal, Mahesh Pawar"Enhancing Information Security Risk Management for Organizations", International Journal of Computer & organization Trends (IJCOT), V5(2):55-59 Mar - Apr 2015, ISSN:2249-2593, www.ijcotjournal.org. Published by Seventh Sense Research Group.
Abstract - Risk is defined as the uncertainty of results which can be either positive opportunity or a threat for the organization. The research will start from introduction of risks, impact of risk, Risk Factors, Type of Risks. Risk management which is a critical area is then focused for assessing, optimizing risks. A major part in risk management is risk assessment and analysis which derives data for decision making. Risk management is summarized including the different phases of it including risk identification, assessment and mitigation. A glimpse of desirable characteristics of an ideal risk management is also mentioned. After that problem like no identification procedure for critical controls, problem with management of dynamic risks and selection of existing methodology are discussed. The research will go through the comparative framework of existing methodologies for easing selection and also Talks about ISO 27005 and COBIT framework for overcoming the problems.
References
[1] Bob Blakley, Ellen McDermott, Dan Geer, Information Security is Information Risk Management.
[2] Elena Ramona Stroie, Alina Cristina RUSU, Security Risk Management - Approaches and Methodology, 2011
[3] Gary Stoneburner, Alice Goguen and Alexis Feringa, Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology Special Publication 800-30, 2002
[4] Information Security Risk Assessment Practices of Leading Organizations, US General accounting office, GAO, 1999
[5] Venkata Kiran Maram, A Study of Risk Management of an Information System by Assessing Threat, Vulnerability and Countermeasure, International Journal of Advanced Research in Computer Science and Software Engineering
[6] W.G. Borman, L. Labuschagne, A comparative framework for evaluating information security risk management methods, South Africa, 2004
[7] Dan Ionita, Current Established Risk Assessment Methodologies and Tools, 2013
[8] Armaghan Behnia et al, A Survey of Information Security Risk Analysis Methods, Smart Computing Review, vol. 2, 2012
[9] K.V.D.Kiran et al, Performance And Analysis of Risk Assessment Methodologies In Information Security, International Journal of Computer Trends and Technology (IJCTT), Vol. 4 Issue 10, 2013
[10] Stefan Taubenberger et al, Problem Analysis of Traditional IT-Security Risk Assessment Methods – An Experience Report from the Insurance and Auditing domain.
[11] Denis Smith & Moira Fischbacher, The changing nature of risk and risk management: The challenge of borders, uncertainty and resilience, Editorial Review, 2009
[12] Chitra Baggar, Richa Sinha, Identification And Analysis Of Risks For Cloud Computing In IAAS, PAAS And SAAS, International Journal of Computer Organization Trends Volume 3 Issue 9, 2013
[13] John W. Lainhart, Journal of information systems, Vol. 14, 2000, Cobit: A methodology for managing and controlling information technology risks and vulnerabilities.
[14] Pyka Marek, Januszkiewicz Paulina, The OCTAVE methodology as a risk analysis tool for business resources, Proceedings of the International Multi conference on Computer Science and Information Technology, 2006
[15] Bob Blakley, Ellen McDermott, Dan Geer, Information Security is Information Risk Management
[16] Ketil Stølen, Folker den Braber, Theo Dimitrakos, Rune Fredriksen, Bjørn Axel Gran, Siv-Hilde Houmb, Mass Soldal Lund, Yannis C. Stamatiou and Jan Øyvind Aagedal, Model-based risk assessment – the CORAS approach
[17] Guide for Conducting Risk Assessments, Computer Security Division and Information Technology Laboratory, NIST Special Publication 800-30, 2013
[18] Artur Rot, IT Risk Assessment: Quantitative and Qualitative Approach, Proceedings of the World Congress on Engineering and Computer Science, 2008
[19] Michel Crouhy, Dan Galai and Robert Mark, The Essentials of Risk Management, McGraw-Hill publication, 2009
[20] ISO/IEC 27001: 2011, Information technology – Security techniques – Information security risk management, BSI, 2011
Keywords
Risk Management, Risk Assessment, Risk Identification, Risk Mitigation, COBIT.