Knut Haufe,Ricardo Colomo-Palacios,Srdan Dzombeta,Knud Brandis,Vladimir Stantchev

DOI: https://doi.org/10.12821/ijispm040402

2022-02-02

International Journal of Information Systems and Project Management

Abstract:Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. It is based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened.

黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

Thamer Alhussain,Ahmad Ali AlZubi,Osama AlFarraj,Salem Alkhalaf,Musab S. Alkhalaf

DOI: https://doi.org/10.1007/978-3-030-44041-1_108

2020-01-01

Abstract:This article proposes an information security management system (ISMS) model for automated data processing systems of critical applications (ADPS-CAs). The model allows users to carry out an assessment of the risk level for information security (IS) purposes and provides support for decision-making related to countering unauthorized access to the information circulating in an ADPS-CA. Further, this article analyzes the effect of a control parameter on the probability of launching an information integrity monitoring service (IMS) during a procedure that launches a typical ADPS-CA and its IS subsystem. The results present system quality indicators for protecting information from unauthorized access. The simulation was performed in relation to automated workstations as part of the ADPS-CA of a large enterprise.

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P Syam

DOI: https://doi.org/10.48550/arXiv.1204.0240

2012-04-02

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security,Software Engineering

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P. Syam

DOI: https://doi.org/10.48550/arXiv.1203.6214

2012-03-28

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security

Ahmed I. Al-Darwish,Pilsung Choe

DOI: https://doi.org/10.1007/978-3-030-22351-9_15

2019-01-01

Abstract: Information systems support organizations to achieve strategic competitiveness over other organizations and assist senior management in the decision-making process. In addition, they help organizations in timely implementation of projects and effective risk management. A reliable and coherent Information System requires a solid security framework that ensures Confidentiality, Integrity, Availability, Authenticity and Auditability of the critical information assets; therefore, managing security is essential for organizations doing business in a globally networked and competitive environment whilst seeking to achieve their objectives and goals and ensuring the continuity of business. This paper provides an integrated framework that classifies and holistic view of challenges in Information Security Systems, and their interrelationships. The framework is expected to provide a basis that can be used to evaluate individual organizational members’ behavior and the adequateness of existing security measures.

Kwo‐Shing Hong,Yen‐Ping Chi,Louis R. Chao,Jih‐Hsing Tang

DOI: https://doi.org/10.1108/09685220310500153

2003-12-01

Abstract:With the popularity of electronic commerce, many organizations are facing unprecedented security challenges. Security techniques and management tools have caught a lot of attention from both academia and practitioners. However, there is lacking a theoretical framework for information security management. This paper attempts to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This paper suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This theory may lay a solid theoretical foundation for further empirical research and application.

Sayed Amir Reza Mortazavi,Faramarz Safi-Esfahani

DOI: https://doi.org/10.1007/s41870-019-00302-0

2019-04-22

International Journal of Information Technology

Abstract:Today, information is rapidly increasing. For most of this information, data security and protection from unauthorized access are of great importance. Maybe information is created by an individual or a few people, but creating security for the information should be done by all assets of hardware, software and people. This entails organizing all elements of the system, and training and monitoring the performance of the people. One of the standards provided for the creation of security is ISMS. This standard is intended to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a system in terms of security. ISMS receives several parameters from users, assesses the risks and offers some controls (guidelines) to improve them. Collecting primary parameters is also very important in ISMS. Usually these parameters are collected personally, which result in getting inaccurate outcomes. The most important parameters include confidentiality, integrity, availability, threat and vulnerability. This paper tries to provide a method based on checklists so that by assessing the users’ responses to these checklists, one can more accurately insert the vulnerability parameter value as a standard input of ISMS, in order to gain better outcomes, and more accurately perform choice of controls. In the assessment, the standard deviation method is calculated, and comparison between the common mode of ISMS and the proposed method shows that the latter works 30% better than the conventional method. People may refuse to respond sincerely due to different reasons, and the percentage of the results may differ, since the results are obtained as cross-sectional at a certain time.

Rainer Diesch,Matthias Pfaff,Helmut Krcmar

DOI: https://doi.org/10.1016/j.cose.2020.101747

2020-05-01

Abstract:<p>Decision-making in the context of organizational information security is highly dependent on various information. For information security managers, not only relevant information has to be clarified but also their interdependencies have to be taken into account. Thus, the purpose of this research is to develop a comprehensive model of relevant management success factors (MSF) for organizational information security. First, a literature survey with an open-axial-selective analysis of 136 articles was performed to identify factors influencing information security. These factors were categorized into 12 areas: physical security, vulnerability, infrastructure, awareness, access control, risk, resources, organizational factors, CIA, continuity, security management, compliance &amp; policy. Second, an interview series with 19 experts from the industry was used to evaluate the relevance of these factors in practice and explore interdependencies between them. Third, a comprehensive model was developed. The model shows that there are key-security-indicators, which directly impact the security-status of an organization while other indicators are only indirectly connected. Based on these results, information security managers should be aware of direct and indirect MSFs to make appropriate decisions.</p>

computer science, information systems

Abdullah Al Hayajneh,Hasnain Nizam Thakur,Kutub Thakur

DOI: https://doi.org/10.5539/cis.v16n4p1

2023-11-20

Computer and Information Science

Abstract:In the contemporary era marked by the extensive utilization of data, information systems have been extensively embraced by global organizations and also hold a pivotal position in national defense and various other domains. The growing interconnectedness between individuals and diverse information systems has resulted in an intensified emphasis on the evaluation of potential risks. The mitigation of these dangers extends beyond simple technological solutions and includes established standards, legal structures, and policies, adopting a complete approach based on safety engineering concepts. This study aims to develop a robust framework for the harmonization of Information Technology Security Standards. It will explore prevalent techniques for conducting risk assessments and differentiate between quantitative and qualitative approaches to evaluation. Moreover, this study illustrates the combination of quantitative and qualitative evaluation methodologies, providing a comprehensive framework for the analysis and design of risk assessment. In addition, this study advances our understanding of INFOSEC risk assessment and contributes to the advancement of more efficient information security strategies by sharing global perspectives, addressing challenges in classification, clarifying the incorporation of Information Security Management Systems (ISMS), and highlighting the significance of Artificial Intelligence in the domain of Information Security (INFOSEC).

Fotis Kitsios,Elpiniki Chatzidimitriou,Maria Kamariotou

DOI: https://doi.org/10.3390/su14031269

IF: 3.9

2022-01-24

Sustainability

Abstract:Organizations must be committed to ensuring the confidentiality, availability, and integrity of the information in their possession to manage legal and regulatory obligations and to maintain trusted business relationships. Information security management systems (ISMSs) support companies to better deal with information security risks and cyber-attacks. Although there are many different approaches to successfully implementing an ISMS in a company, the most important and time-consuming part of establishing an ISMS is a risk assessment. The purpose of this paper was to develop a risk assessment framework that a company followed in the information technology sector to conduct the risk assessment process to comply with International Organization for Standardization (ISO) 27001. The findings analyze the conditions that force organizations to invest in protecting information and the benefits they can derive from this process. In particular, the paper delves into a multinational IT consulting services company that undertakes and implements large business support installation and customization projects. It explains the risk assessment process and the management of the necessary configurations so that its functions are acceptable and in line with information security standards. Finally, it presents the difficulties and challenges encountered.

environmental sciences,environmental studies,green & sustainable science & technology

Michael Matthias Naumann,Stelian Mircea Olaru,Georg Sven Lampe,Fabian Pitz

DOI: https://doi.org/10.2478/picbe-2024-0043

2024-06-01

Proceedings of the International Conference on Business Excellence

Abstract:Abstract In the current global context, companies need a defined minimum level of information security to recognize and deal with related threats and risks. Due to market, customer or legal requirements, specifications and requirements for information security are implemented uniformly according to standards such as the information security management standard ISO/IEC 27001 or industry-specific standards such as Trusted Information Security Assessment Exchange - TISAX, ISO IEC 27019 Energy Utility Information Security Standard. The conformity to these standard requirements within the established management system is checked during periodically required audits. However, there are various reasons for which, even after many years of audits in companies, there are still insufficient process implementations for information security requirements. The aim of the paper is to analyze the status of conformity and thus also the process maturity in selected samples of companies that have already had information security management systems (ISMS) implemented for several years. In detail, the reasons for deviations from the minimum requirements with associated risks for the security of information in companies were analyzed, which allow conclusions to be drawn about possible process improvements. The paper also analyzes why, despite established measures and existing expertise, only a limited level of process maturity is achieved on average. Other possible approaches to the implementation procedure for dealing with non-conformities in information security are also considered. The results of this research show that there is a need for an adjusted continuous improvement process, which makes risks resulting from insufficient process maturity more visible. Proposals for such improvements are listed.

Marek Amanowicz,Mariusz Kamola

DOI: https://doi.org/10.3390/electronics11223835

IF: 2.9

2022-11-22

Electronics

Abstract:Protection against a growing number of increasingly sophisticated and complex cyberattacks requires the real-time acquisition of up-to-date information on identified threats and their potential impact on an enterprise's operation. However, the complexity and variety of IT/OT infrastructure interdependencies and the business processes and services it supports significantly complicate this task. Hence, we propose a novel solution here that provides security awareness of critical infrastructure entities. Appropriate measures and methods for comprehensively managing cyberspace security and resilience in an enterprise are provided, and these take into account the aspects of confidentiality, availability, and integrity of the essential services offered across the underlying business processes and IT infrastructure. The abstraction of these entities as business objects is proposed to uniformly address them and their interdependencies. In this paper, the concept of modeling the cyberspace of interdependent services, business processes, and systems and the procedures for assessing and predicting their attributes and dynamic states are depicted. The enterprise can build a model of its operation with the proposed formalism, which takes it to the first level of security awareness. Through dedicated simulation procedures, the enterprise can anticipate the evolution of actual or hypothetical threats and related risks, which is the second level of awareness. Finally, simulation-driven analyses can serve in guiding operations toward improvement with respect to resilience and threat protection, bringing the enterprise to the third level of awareness. The solution is also applied in the case study of an essential service provider.

engineering, electrical & electronic,computer science, information systems,physics, applied

Moneer Alshaikh,Sean B. Maynard,Atif Ahmad,Shanton Chang

DOI: https://doi.org/10.48550/arXiv.1606.00890

2016-05-28

Computers and Society

Abstract:Considerable research effort has been devoted to the study of Policy in the domain of Information Security Management (ISM). However, our review of ISM literature identified four key deficiencies that reduce the utility of the guidance to organisations implementing policy management practices. This paper provides a comprehensive overview of the management practices of information security policy and develops a practice-based model that addresses the four aforementioned deficiencies. The model provides comprehensive guidance to practitioners on the activities security managers must undertake for security policy development and allows practitioners to benchmark their current practice with the models suggested best practice. The model contributes to theory by mapping existing information security policy research in terms of the defined management practices.

Jeb Webb,Atif Ahmad,Sean B. Maynard,Graeme Shanks

DOI: https://doi.org/10.1016/j.cose.2014.04.005

2014-07-01

Abstract:Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley&#x27;s situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.

computer science, information systems

Florence Sèdes

2024-06-17

Abstract:Major transformations related to information technologies affect InformationSystems (IS) that support the business processes of organizations and their actors. Deployment in a complex environment involving sensitive, massive and heterogeneous data generates risks with legal, social and financial impacts. This context of transition and openness makes the security of these IS central to the concerns of organizations. The digitization of all processes and the opening to IoT devices (Internet of Things) has fostered the emergence of a new formof crime, i.e. cybercrime.This generic term covers a number of malicious acts, the majority of which are now perpetrated using social engineering strategies, a phenomenon enabling a combined exploitation of ``human'' vulnerabilities and digital tools. The maliciousness of such attacks lies in the fact that they turn users into facilitators of cyber-attacks, to the point of being perceived as the ``weak link'' of <a class="link-external link-http" href="http://cybersecurity.As" rel="external noopener nofollow">this http URL</a> deployment policies prove insufficient, it is necessary to think about upstream steps: knowing how to anticipate, identifying weak signals and outliers, detect early and react quickly to computer crime are therefore priority issues requiring a prevention and cooperation <a class="link-external link-http" href="http://approach.In" rel="external noopener nofollow">this http URL</a> this overview, we propose a synthesis of literature and professional practices on this subject.

Cryptography and Security,Databases

Wissam Abbass,Amine Baina,Mostafa Bellafkih

DOI: https://doi.org/10.1109/cist.2016.7805039

2016-10-01

Abstract:The Information System Security Risk management (ISSRM) in organizations is ultimate for business success. ISSRM protects information availability, integrity, and privacy. However, this latter remains a difficult area to establish and maintain, especially in the environment of today&#x27;s organizations where operations are conducted in a complex and interconnected context. The aim of this paper is to highlight the contribution of Enterprise Architecture Management (EAM) in order to improve ISSRM. When organization business services and strategic planning are aligned with proactive ISSRM activities, a well-defined strategy to reach business value is achieved. For this purpose, we will first explore risk management methods and security modeling languages to understand why EAM would be benefic. The contribution of this paper is an ISSRM model described by the constructs of ArchiMate, a well-known EAM modeling language.

Mikko Siponen,Robert Willison

DOI: https://doi.org/10.1016/j.im.2008.12.007

2009-06-01

Abstract:International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

information science & library science,management,computer science, information systems

Craig A. Horne,Atif Ahmad,Sean B. Maynard

DOI: https://doi.org/10.48550/arXiv.1606.03528

2016-06-11

Abstract:Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.

Computers and Society,Cryptography and Security

M.M Eloff,S.H von Solms

DOI: https://doi.org/10.1016/s0167-4048(00)88613-7

2000-03-01

Abstract:The present article is aimed at clarifying the oft-times confusing terminology and at elucidating the various approaches obtaining to the realm of Information Security (IS) management. The IS management approaches selected for discussion in this article will specifically address those rudiments and concepts that play a key role in the assessment of the IS status of an organization. Following, a hierarchical framework will be developed in terms of which to elucidate ill-defined terms and concepts. By so doing, issues such as certification, benchmarking, guidelines and codes of practice will come under consideration. IS management approaches widely accepted in the international arena will also be mapped onto the said hierarchical framework.

computer science, information systems