Jeb Webb,Atif Ahmad,Sean B. Maynard,Graeme Shanks

DOI: https://doi.org/10.1016/j.cose.2014.04.005

2014-07-01

Abstract:Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.

computer science, information systems

Thamer Alhussain,Ahmad Ali AlZubi,Osama AlFarraj,Salem Alkhalaf,Musab S. Alkhalaf

DOI: https://doi.org/10.1007/978-3-030-44041-1_108

2020-01-01

Abstract:This article proposes an information security management system (ISMS) model for automated data processing systems of critical applications (ADPS-CAs). The model allows users to carry out an assessment of the risk level for information security (IS) purposes and provides support for decision-making related to countering unauthorized access to the information circulating in an ADPS-CA. Further, this article analyzes the effect of a control parameter on the probability of launching an information integrity monitoring service (IMS) during a procedure that launches a typical ADPS-CA and its IS subsystem. The results present system quality indicators for protecting information from unauthorized access. The simulation was performed in relation to automated workstations as part of the ADPS-CA of a large enterprise.

Sabine Goldes,Ralf Schneider,Christian M. Schweda,Jawed Zamani

DOI: https://doi.org/10.1109/cybconf.2017.7985763

2017-06-01

Abstract:Information Security is a topic of increasing importance for organizations today. The triad of professionalization and industrialization of cyber-crime, globalization and digitalization of business models, and increasing regulatory focus on data protection exerts pressure on organizations and enterprises to implement sophisticated Information Security Management Systems (ISMS). Best-practices for implementing such systems are given by multiple de-facto standards, whereas blueprints for ISMS are relatively scarce. In this paper we discuss design requirements for a modern Information Security Management System, derive a blueprint for such a system based on the viable system approach, and exemplify constituents of the blueprint from the environment of an insurance enterprise.

YU Zhi-wei,TANG Ren-zhong

DOI: https://doi.org/10.3785/j.issn.1008-973x.2007.11.026

2007-01-01

Abstract:In order to overcome the shortcomings of the existing information system models,an information system security model was proposed to protect business activities and describe information systems from security view.Through analyzing the characteristic and security of information systems,this work presented the fundamental elements and their operation relationships,and the need,permit,can security constraints between the elements.The security relationships of the fundamental elements were described with formal method.The security model substantially reflects the security relationship between the assets of information systems,explicitly posts the essence that the information system supports the business operation,and clarities the relationship between business activities and the assets of information systems.Finally a case of security model of a manufacturing enterprise information system was given.

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P. Syam

DOI: https://doi.org/10.48550/arXiv.1203.6214

2012-03-28

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P Syam

DOI: https://doi.org/10.48550/arXiv.1204.0240

2012-04-02

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security,Software Engineering

Sayed Amir Reza Mortazavi,Faramarz Safi-Esfahani

DOI: https://doi.org/10.1007/s41870-019-00302-0

2019-04-22

International Journal of Information Technology

Abstract:Today, information is rapidly increasing. For most of this information, data security and protection from unauthorized access are of great importance. Maybe information is created by an individual or a few people, but creating security for the information should be done by all assets of hardware, software and people. This entails organizing all elements of the system, and training and monitoring the performance of the people. One of the standards provided for the creation of security is ISMS. This standard is intended to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a system in terms of security. ISMS receives several parameters from users, assesses the risks and offers some controls (guidelines) to improve them. Collecting primary parameters is also very important in ISMS. Usually these parameters are collected personally, which result in getting inaccurate outcomes. The most important parameters include confidentiality, integrity, availability, threat and vulnerability. This paper tries to provide a method based on checklists so that by assessing the users’ responses to these checklists, one can more accurately insert the vulnerability parameter value as a standard input of ISMS, in order to gain better outcomes, and more accurately perform choice of controls. In the assessment, the standard deviation method is calculated, and comparison between the common mode of ISMS and the proposed method shows that the latter works 30% better than the conventional method. People may refuse to respond sincerely due to different reasons, and the percentage of the results may differ, since the results are obtained as cross-sectional at a certain time.

Oluwasefunmi 'Tale Arogundade,Olusola J. Adeniran,Zhi Jin,Xiaoguang Yang

DOI: https://doi.org/10.4018/ijsse.2016070101

2016-01-01

International Journal of Secure Software Engineering

Abstract:Resource allocation decisions can be enhanced by performing risk assessment during the early development phase. In order to improve and maintain the security of the Information System IS, hereafter, there is need to build risk analysis model that can dynamically analyze threat data collected during the operational lifetime of the IS. In this paper the authors propose an ontological approach to accomplishing this goal. They present analyzer model and architecture, an agent-based risk analysis system ARAS which gathers identified threats events, probe them and correlates those using ontologies. It explores both quantitative and qualitative risk analysis techniques using real events data for probability predictions of threats based on an existing designed security ontology. To validate the feasibility of the approach a case study on e-banking system has been conducted. Simulated IDS output serves as input into the risk analysis system. The authors used JADE to implement the agents, protégé OWL to create the ontology and ORACLE 11g SQL developer for the database. Optimistic results were obtained.

Lam‐for Kwok,Dennis Longley

DOI: https://doi.org/10.1108/09685229910255179

1999-03-01

Abstract:Information security management has been placed on a firmer footing with the publication of standards by national bodies. These standards provide an opportunity for security managers to gain senior management recognition of the importance of procedures and mechanisms to enhance information security. They may also place demands on security managers to provide convincing demonstration of conformance to the standards. The risk data repository (RDR) computer model described in this paper was developed to manage organisational information security data and facilitate risk analysis studies. The RDR provides a form of computer documentation that can assist the security officer to maintain a continuous record of the organisational information security scenario and facilitate system security development, business continuity planning and standards conformance audits.

Aib Abdelatif,Djamel Nettour,Rachid Chaib,Ion Verzea,Salim Bensehamdi

DOI: https://doi.org/10.15587/2706-5448.2023.291959

2023-12-04

Technology audit and production reserves

Abstract:The object of the study is the risks that disrupt the accomplishment of any enterprise's missions. Therefore, mastering these risks is a significant asset for organizations and the overall health of the enterprise. Thus, working comprehensively on organizational risk prevention enables the enterprise to formulate a strategy aimed at guarding against all risk factors. Simultaneously, it identifies areas where more targeted actions need to be undertaken, potentially leading to positive changes within the company. To achieve this and allow for a robust and reliable assessment for better governance of harmful elements in the enterprise, we have used the risk mapping method. It is a data visualization tool aimed at highlighting vulnerabilities in various processes and activities that an organization faces, even allowing for informed decisions to prevent and cope with risks. Risk mapping is defined as the approach of identifying, evaluating, prioritizing, and managing risks inherent in an enterprise's activities. It even delves into a thorough investigation of all managerial, operational, and support processes that activities require implementing. This mapping technique is based on an objective, structured, and documented description of existing risks. The assessment allows for a more detailed analysis of initial and residual risks at all levels of the enterprise, thereby facilitating the development of a prioritized action plan accompanied by an analysis of its funding. This obligation is part of a continuous improvement approach to the quality of life and working conditions, even engaging in a sustainable management process. As a case study, we have chosen to focus on the SAIDAL Group of Constantine. Through this case study, we aim to illustrate the practical implications and benefits of using risk mapping as a strategic tool for risk management in a complex organizational context. Now, having a risk map not only promotes a proactive approach to risk mitigation but also contributes to broader goals of continuous improvement and sustainable risk management practices: a necessity for any enterprise.

E. Kritzinger,E. Smith

DOI: https://doi.org/10.1016/j.cose.2008.05.006

2008-10-01

Abstract:The purpose of this paper is to present a conceptual view of an Information Security Retrieval and Awareness (ISRA) model that can be used by industry to enhance information security awareness among employees. A common body of knowledge for information security that is suited to industry and that forms the basis of this model is accordingly proposed. This common body of knowledge will ensure that the technical information security issues do not overshadow the non-technical human-related information security issues. The proposed common body of knowledge also focuses on both professionals and low-level users of information. The ISRA model proposed in this paper consists of three parts, namely the ISRA dimensions (non-technical information security issues, IT authority levels and information security documents), information security retrieval and awareness, and measuring and monitoring. The model specifically focuses on the non-technical information security that forms part of the proposed common body of knowledge because these issues have, in comparison with the technical information security issues, always been neglected.

computer science, information systems

J. Initiative

DOI: https://doi.org/10.6028/nist.sp.800-37r2

2018-12-01

Abstract:This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. It also includes activities to help prepare organizations to execute the RMF at the information system level. The RMF promotes the concept of near real-time risk management and ongoing system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy into the system development life cycle. Executing the RMF tasks enterprise-wide helps to link essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented in organizational information systems and inherited by those systems. The RMF incorporates concepts from the Framework for Improving Critical Infrastructure Cybersecurity that complement the well-established risk management processes mandated by the Office of Management and Budget and the Federal Information Security Modernization Act.

Computer Science,Business

Oyelami Julius Olusegun,Norafida Binti Ithnin

DOI: https://doi.org/10.48550/arXiv.1309.0189

2013-09-01

Computers and Society

Abstract:Information sharing in organization has been considered as an important approach in increasing organizational efficiency, performance and decision making. With the present and advances in information and communication technology, sharing information and exchanging of data across organizations has become more feasible in organization. However, information sharing has been a complex task over the years and identifying factors that influence information sharing across organization has becomes crucial and critical. Researchers have taken several methods and approaches to resolve problems in information sharing at all levels without a lasting solution, as sharing is best understood as a practice that reflects behavior, social, economic, legal and technological influences. Due to the limitation of the conventional ISM3 standards to address culture, social, legislation and human behavior, the findings in this paper suggest that, a centralized information structure without human practice, distribution of information and coordination is not effective. This paper reviews the previous information sharing research, outlines the factors affecting information sharing and the different practices needed to improve the management of information security by recommending several combinations of information security and coordination mechanism for reducing uncertainty during sharing of information .This thesis proposes information security management protocol (ISMP) as an enhancement towards ISM3 to resolve the above problems. This protocol provides a means for practitioners to identify key factors involved in successful information sharing.....

Abdou Karim Jallow,Peter Demian,Chimay J. Anumba,Andrew N. Baldwin

DOI: https://doi.org/10.1016/j.ijinfomgt.2017.04.005

IF: 18.958

2017-10-01

International Journal of Information Management

Abstract:Managing information about client requirements effectively can contribute to improve the quality of built facilities, and their related services. However, the process has been challenging to construction project management often resulting in failed projects. This necessitates an overwhelming need for a better approach. This paper presents a novel enterprise architecture framework for managing information about client requirements across all phases of a construction project and through-life of a built facility. The Integrated electronic Requirements Information Management Framework (eRIM) defines an information-centric, and process and service-oriented enterprise architecture approach to requirements management. It also describes how Information and Communication Technology (ICT)/Information Systems (IS) can support this information management. In developing the framework, findings from three case study projects were collated through observations, a questionnaire and interviews of construction practitioners. It is concluded that when implemented and incorporated in the management of construction projects, the eRIM architecture framework can potentially contribute towards improved and more efficient and effective management of client requirements across all stages of a project. Further work is outlined to operationalize the framework.

information science & library science

Fotis Kitsios,Elpiniki Chatzidimitriou,Maria Kamariotou

DOI: https://doi.org/10.3390/su14031269

IF: 3.9

2022-01-24

Sustainability

Abstract:Organizations must be committed to ensuring the confidentiality, availability, and integrity of the information in their possession to manage legal and regulatory obligations and to maintain trusted business relationships. Information security management systems (ISMSs) support companies to better deal with information security risks and cyber-attacks. Although there are many different approaches to successfully implementing an ISMS in a company, the most important and time-consuming part of establishing an ISMS is a risk assessment. The purpose of this paper was to develop a risk assessment framework that a company followed in the information technology sector to conduct the risk assessment process to comply with International Organization for Standardization (ISO) 27001. The findings analyze the conditions that force organizations to invest in protecting information and the benefits they can derive from this process. In particular, the paper delves into a multinational IT consulting services company that undertakes and implements large business support installation and customization projects. It explains the risk assessment process and the management of the necessary configurations so that its functions are acceptable and in line with information security standards. Finally, it presents the difficulties and challenges encountered.

environmental sciences,environmental studies,green & sustainable science & technology

Knut Haufe,Ricardo Colomo-Palacios,Srdan Dzombeta,Knud Brandis,Vladimir Stantchev

DOI: https://doi.org/10.12821/ijispm040402

2022-02-02

International Journal of Information Systems and Project Management

Abstract:Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. It is based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened.

Dmitriy Titarev,Andrey Serikov,Sergei Krivtsanov

DOI: https://doi.org/10.30987/2658-6436-2020-4-53-59

2020-12-31

Automation and modeling in design and management

Abstract:The paper provides an overview of the architectures for the repair and maintenance management software package for a service enterprise. As part of the research work, asset management (EAM) and service management (ITSM) methodologies were studied. Three different architectures for the designed software package are proposed, their descriptions, advantages and disadvantages are given.

Abdullah Al Hayajneh,Hasnain Nizam Thakur,Kutub Thakur

DOI: https://doi.org/10.5539/cis.v16n4p1

2023-11-20

Computer and Information Science

Abstract:In the contemporary era marked by the extensive utilization of data, information systems have been extensively embraced by global organizations and also hold a pivotal position in national defense and various other domains. The growing interconnectedness between individuals and diverse information systems has resulted in an intensified emphasis on the evaluation of potential risks. The mitigation of these dangers extends beyond simple technological solutions and includes established standards, legal structures, and policies, adopting a complete approach based on safety engineering concepts. This study aims to develop a robust framework for the harmonization of Information Technology Security Standards. It will explore prevalent techniques for conducting risk assessments and differentiate between quantitative and qualitative approaches to evaluation. Moreover, this study illustrates the combination of quantitative and qualitative evaluation methodologies, providing a comprehensive framework for the analysis and design of risk assessment. In addition, this study advances our understanding of INFOSEC risk assessment and contributes to the advancement of more efficient information security strategies by sharing global perspectives, addressing challenges in classification, clarifying the incorporation of Information Security Management Systems (ISMS), and highlighting the significance of Artificial Intelligence in the domain of Information Security (INFOSEC).

Abir Elmir,Badr Elmir,Bouchaib Bounabat

DOI: https://doi.org/10.48550/arXiv.1505.02508

2015-05-11

Software Engineering

Abstract:Service sharing is a prominent operating model to support business. Many large inter-organizational networks have implemented some form of value added integrated services in order to reach efficiency and to reduce costs sustainably. Coupling Service orientation with enterprise architecture paradigm is very important at improving organizational performance through business process optimization. Indeed, enterprise architecture management is increasingly discussed because of information system role as part of achieving the strategic direction of value creation and contribution to economic growth. Also, system architecture promotes synergy and business efficiency for inter-organizational collaboration. For this purpose, this work proposes a review of service oriented enterprise architecture. This review, enumerates several integrative and collaborative frameworks for integrated service delivery.

Kwame Owusu Kwateng,Christopher Amanor,Francis Kamewor Tetteh

DOI: https://doi.org/10.1108/ics-11-2020-0185

2022-02-08

Information and Computer Security

Abstract:Purpose This study aims to empirically investigate the relationship between enterprise risk management (ERM) and information technology (IT) security within the financial sector. Design/methodology/approach Risk officers of financial institutions licensed by the Central Bank of Ghana constituted the sample frame. A structured questionnaire was used to elicit data from the respondents. The structural equation modeling method was employed to analyze the hypothesized model. Findings The results revealed that ERM has a strong positive substantial effect on IT security within financial institutions. However, organizational culture failed to moderate the relationship between ERM and IT security. Practical implications A well-managed risk helps to eliminate ineffective, archaic and redundant technology as the originator of rising perils and organizational concerns in today's corporate financial institutions since ERM established a substantially strong positive correlation among the variables. Originality/value ERM studies in the African context are rare. This paper adds to contemporary literature by providing a new perspective toward the understanding of the relationship between ERM and IT security, especially in the financial industry.

English Else