Taxonomy of information security risk assessment (ISRA)

Shameli‐Sendi, Alireza; Aghababaei-Barzegar, Rouzbeh; Cheriet, Mohamed

doi:10.1016/j.cose.2015.11.001

Cited by 168 publications

(132 citation statements)

References 27 publications

Supporting

Mentioning

119

Contrasting

Unclassified

Order By: Relevance

“…Estimación del riesgo: Para estimar el riesgo, se pueden llevar a cabo análisis cualitativo, semicuantitativo o cuantitativo, o bien, una combinación de los tres (Shameli-Sendi, Aghababaei-Barzegar, & Cheriet, 2016). En cualquier caso, el tipo de análisis que se lleve a cabo debe ser congruente con los criterios desarrollados en el establecimiento del contexto.…”

Section: Escenario De Riesgo= Amenaza F (Activo De Información)unclassified

Metodología para la implementación de un Sistema de Gestión de Seguridad de la Información basado en la familia de normas ISO/IEC 27000

2017

risti

View full text Add to dashboard Cite

Resumen: Se propone una metodología de implementación de un Sistema de Gestión de Seguridad de la Información (SGSI) basado en la familia de normas de la ISO/IEC 27000, con énfasis en la interrelación de cuatro normas fundamentales a través de las cuales se desarrollan las actividades requeridas para cumplir con lo establecido en la ISO/IEC 27001, los controles de seguridad presentados en la ISO/ IEC 27002, el esquema de riesgos de la ISO/IEC 27005 y los pasos recomendados en la ISO/IEC 27003. Se genera como resultado un proceso metodológico que da respuesta al cómo abordar un proyecto de este nivel de importancia en el contexto actual de las organizaciones y basado en estándares internacionales. Este proceso metodológico representa un aporte a los profesionales que emprenden esta labor, y que buscan un método para una implementación exitosa de un SGSI.Palabras-clave: Seguridad de la Información, ISO/IEC 27000; SGSI, Riesgos de TI, Metodologías.A methodology for implementing an information security management system based on the family of ISO/IEC 27000 standards Abstract: A methodology for the implementation of an Information Security Management System (ISMS) based on the ISO/IEC 27000 family of standards is proposed, with an emphasis on the interrelationship of four fundamental standards which break down the activities to be developed in order to comply with the requirements established in the ISO/IEC 27001, the safety controls presented in the ISO/IEC 27002, the ISO/IEC 27005 risk scheme and the steps recommended in the ISO/IEC 27003. The result is a methodological process that explains how to face a project of this level of importance in the current context of organizations and based on international standards. This methodological process represents a contribution to the professionals who undertake this work, and who are looking for a method to carry out a successful implementation of an ISMS.

show abstract

Section: Escenario De Riesgo= Amenaza F (Activo De Información)unclassified

Metodología para la implementación de un Sistema de Gestión de Seguridad de la Información basado en la familia de normas ISO/IEC 27000

2017

risti

View full text Add to dashboard Cite

show abstract

“…The difficulty to select an appropriate principle found in the study of Shameli-Sendi et al (2015). Additionally, there was inappropriateness in ITRM adoptions such as the integration of the ITRM process to build the overall ITRM system (Bandyopadhyay et al, 1999), the insufficient models (Pereira and Santos, 2012), the improper estimation of loss by considering the value of IT assets (Suh and Han, 2003) and misunderstanding the concepts of ISO/IEC 27005:2011 by various stakeholders (Agrawal, 2016).…”

Section: Theoretical Backgroundmentioning

confidence: 99%

“…Nevertheless, there were some issues in the adoption of those principles and frameworks into the practice (Bandyopadhyay et al, 1999;Suh and Han, 2003;Pereira and Santos, 2012;Shameli-Sendi et al, 2015;Agrawal, 2016).…”

Section: Introductionmentioning

confidence: 99%

A Study of Success Factors of Principle and Practice in Information Technology Risk Management

Maneerattanasak¹,

Wongpinunwatana²

2017

Proceedings of the 32nd International Academic Conference, Geneva

View full text Add to dashboard Cite

The purpose of studying the success factors of principle and practice in Information Technology Risk Management (ITRM) is initiated from the proposition that appropriate ITRM principle and practice can mitigate IT risks and losses which is a result of security threats. The literature showed that various general principles and frameworks are widely published but the established principle cannot be put into the practice. Additionally, there is a research study regarding the difficulty to maintain independent in identifying, reviewing and reporting tasks of IT risk and internal audit functions. The methodology consisted of the review of general principles and frameworks' documents and the interview from case studies. The general principles and frameworks in this research collected from the question "Which principles and frameworks are applied to ITRM in your organization?". The question was asked to people in IT risk and IT internal audit functions from banking organizations and other industries which advanced information technologies IntroductionNowadays the financial institutions have obviously adopted the advantage of the internet or other electronic channels to provide accurate and reliable services (Omariba et al., 2012;Malami et al., 2012;Khrais, 2015). Nevertheless, there has been frequently updated news regarding various patterns of cybercrime causing abundant individual or financial institution's losses. Security threats are events that damage the information system resources or reduce the confidentiality, integrity and availability of information (Geriè and Hutinski, 2007). The proposition in the study is an appropriate Information Technology Risk Management (ITRM) principle and practice can mitigate IT risks and losses which is a result of security threats.From our review, several ITRM principles and frameworks have been developed and updated by various well-known professional associations and organizations. Nevertheless, there were some issues in the adoption of those principles and frameworks into the practice (Bandyopadhyay et al., 1999;Suh and Han, 2003;Pereira and Santos, 2012;Shameli-Sendi et al., 2015;Agrawal, 2016).Furthermore, another issue was that the fast developed principles and frameworks cannot be effectively practiced in real circumstances (Gelbstein, 2016).As a result, the study of ITRM practice seems to be essential and contributed to an organization to acknowledge the success factors for appropriation in the ITRM principle and practice. The organization of this paper starts with introduction. The theoretical background is explained followed by the research methodology. Subsequently, the research results are explained. The success factors from reviewing documents and the interviews were compared as a triangulation in analysis and interpretation. Finally, the conclusion and suggestion for future work are described. Theoretical BackgroundAccording to the review of relevant documents, there are several ITRM principle and framework Research MethodologyWe designed the methods t...

show abstract

“…Risks related impact of project management is negative on performance [7]. In [8] the key features that risk assessment should be included in a management information system are discussed. Source [9] has offered a new approach that involves managing financial risks.…”

Section: Introductionmentioning

confidence: 99%

A COBIT5 Framework for IoT Risk Management

Latifi¹,

Zarrabi²

2017

IJCA

View full text Add to dashboard Cite

Use of information technology management framework plays a major influence on organizational success. This article focuses on the field of Internet of Things (IoT) management. In this study, a number of risks in the field of IoT is investigated, then with review of a number of COBIT5 risk management schemes, some associated strategies, objectives and roles are provided. According to the in-depth studies of this area it is expected that using the best practices of COBIT5 can be very effective, while the use of this standard considerably improve some criteria such as performance, cost and time. Finally, the paper proposes a framework which reflects the best practices and achievements in the field of IoT risk management. General TermsIoT, COBIT5, IT

show abstract

Taxonomy of information security risk assessment (ISRA)

Cited by 168 publications

References 27 publications

Metodología para la implementación de un Sistema de Gestión de Seguridad de la Información basado en la familia de normas ISO/IEC 27000

Metodología para la implementación de un Sistema de Gestión de Seguridad de la Información basado en la familia de normas ISO/IEC 27000

A Study of Success Factors of Principle and Practice in Information Technology Risk Management

A COBIT5 Framework for IoT Risk Management

Contact Info

Product

Resources

About