A Weighted Monte Carlo Simulation Approach to Risk Assessment of Information Security Management System

2015 ◽  
Vol 11 (4) ◽  
pp. 63-78 ◽  
Author(s):  
Seyed Mojtaba Hosseini Bamakan ◽  
Mohammad Dehghanimohammadabadi
Keyword(s):  
Risk Assessment ◽  
Monte Carlo Simulation ◽  
Monte Carlo ◽  
Information Security ◽  
Risk Analysis ◽  
Management System ◽  
Security Management ◽  
International Standards ◽  
Information Security Management ◽  
Information Security Management System

In recent decades, information has become a critical asset to various organizations, hence identifying and preventing the loss of information are becoming competitive advantages for firms. Many international standards have been developed to help organizations to maintain their competitiveness by applying risk assessment and information security management system and keep risk level as low as possible. This study aims to propose a new quantitative risk analysis and assessment methodology which is based on AHP and Monte Carlo simulation. In this method, AHP is used to create favorable weights for Confidentiality, Integrity and Availability (CIA) as security characteristic of any information asset. To deal with the uncertain nature of vulnerabilities and threats, Monte Carlo simulation is utilized to handle the stochastic nature of risk assessment by taking into account multiple judges' opinions. The proposed methodology is suitable for organizations that require risk analysis to implement ISO/IEC 27001 standard.

scholarly journals A Systems Approach to Information Security for the Twenty-First Century Organization

2020 ◽  
Vol 8 ◽  
pp. 167-178
Author(s):  
Dimitrios S. Varsos ◽  
Stergiani A. Giannakou ◽  
Nikitas A. Assimakopoulos
Keyword(s):  
Information Security ◽  
Management System ◽  
Systems Approach ◽  
Security Management ◽  
International Standards ◽  
Information Security Management ◽  
Risk Management Process ◽  
Information Security Management System ◽  
Iso 31000 ◽  
Structured Information

A crisis resulting from disruptive events that threaten to harm the organization or its stakeholders can originate from a plethora of sources. Data breaches, unauthorized disclosures of confidential information, and data leaks, are on the news almost daily. Most guidelines and standards published by prominent International Standards Organizations hold that risk-based thinking supports public, private, and community enterprises (referred for convenience in this work by the generic term “organization”) in determining the forces that could cause their key and enabling processes to deviate from planned arrangements, to apply preventive measures to modify risk, and to take advantage of opportunities as they arise. A well-structured Information Security Management System that is developed, implemented, and maintained through sound risk-based thinking, enables the organization to take appropriate actions to address the risks and opportunities associated with its information resources, in a manner that is commensurate to the complexity of its socio-technical infrastructure and the external environmentassociated with its activities. In this work we explore the Risk Management Process that is outlined in the ISO 31000 international standard, through the requirements/guidelines defined in the ISO/IEC 27000-series of international standards. The knowledge gained is applied to develop a systems driven conceptual structure thatcan be employed by any organization operating on the complexities of an interconnected environment, for the purpose of designing, implementing, monitoring, reviewing and continually improving a structured Information Security Management System.

A pattern-based method for establishing a cloud-specific information security management system

2013 ◽  
Vol 18 (4) ◽  
pp. 343-395 ◽  
Author(s):  
Kristian Beckers ◽  
Isabelle Côté ◽  
Stephan Faßbender ◽  
Maritta Heisel ◽  
Stefan Hofbauer
Keyword(s):  
Information Security ◽  
Management System ◽  
Security Management ◽  
Specific Information ◽  
Information Security Management ◽  
Information Security Management System

scholarly journals Analisis Sistem Manajemen Keamanan Informasi Menggunakan ISO/IEC 27001 : 2013 Serta Rekomendasi Model Sistem Menggunakan Data Flow Diagram pada Direktorat Sistem Informasi Perguruan Tinggi

2016 ◽  
Vol 6 (1) ◽  
pp. 38
Author(s):  
Yuni Cintia Yuze ◽  
Yudi Priyadi ◽  
Candiwan .
Keyword(s):  
Information Security ◽  
Asset Management ◽  
Management System ◽  
Security Management ◽  
Maturity Level ◽  
Information Security Management ◽  
Capability Maturity ◽  
Information Security Management System ◽  
Level 3 ◽  
Iec 27001

The importance of information and the possible risk of disruption, therefore the universities need to designed and implemented of the information security.  One of the standards that can be used to analyze the level of information security in the organization is ISO/IEC 27001 : 2013 and this standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The objective of this research is to measure the level of information security based on standard ISO/IEC 27001: 2013 and modeling systems for information security management. This research uses descriptive qualitative approach, data collection and validation techniques with tringulasi (interview, observation and documentation). Data was analyzed using gap analysis and to measure the level of maturity this research uses SSE-CMM (Systems Security Engineering Capability Maturity Model). Based on the research results, Maturity level clause Information Security Policy reaches level 1 (Performed-Informally), clause Asset Management reaches level 3 (Well-Defined), clause Access Control reaches level 3 (Well-Defined), clause Physical and Environmental Security reaches level 3 (Well-Defined), clause Operational Security reaches level 3 (Well-Defined), Communication Security clause reaches the level 2 (Planned and Tracked). Based on the results of maturity level discovery of some weakness in asset management in implementing the policy. Therefore, the modeling system using the flow map and CD / DFD focused on Asset Management System.

scholarly journals The effectiveness of the Centralized Use of Digital Technologies, Information Resources and Information Protection Tools in Government by the Example of the Republic of Tyva

2020 ◽  
Vol 23 (6) ◽  
pp. 99-114
Author(s):  
B. S. Dongak ◽  
A. S. Shatohin ◽  
R. V. Meshcheryakov
Keyword(s):  
Risk Management ◽  
Information Security ◽  
Management System ◽  
Economic Effect ◽  
Security Management ◽  
Information Resources ◽  
Information Protection ◽  
Information Security Management ◽  
Information Security Management System ◽  
Software And Hardware

Purpose of research. The purpose of this study is to assess the possibility of applying the methodology for centralized management of systems and information risks using the example of informatization of public departments of Republic of Tyva in order to optimize the cost of purchasing technical, software and hardware-software means of protecting information, as well as the payroll of maintenance technical personnel.Methods. One of the main research methods is the creation of an experimental model of the mechanism of a single information and computing network, combining various government departments located within the same administrative building, which allows working simultaneously with distributed or centralized applications, databases and other services, as well as centralized information risk management security. The next research method is the analysis and study of the principle of operation of information resources, information systems, databases, and the increase in the number of domain users if they are combined into a single data transfer network. The interaction and effectiveness of personnel, a specialized unit based on one government agency, ensuring the regular functioning of the network and the necessary level of information security for all government departments.Results. As a result, an economic effect is achieved by eliminating the acquisition of duplicate software and hardware information protection, increasing the efficiency of using unified information services, and creating a centralized structural unit that uses risk management tools and makes information security management decisions based on the principles of system analysis , structuring method and expert survey methods. The results of the study have been used in solving problems of improving the information security management system of the authorities of Republic of Tyva.Conclusion. We have developed the original information technology architecture of the information security management system and centralized use of information technologies for the government of Republic of Tyva. The distinctive features of the structure of software tools for the centralized approach are the multi-agent implementation of the control elements of the decision support system and the integration of various types of security management models into a single complex. 

Sign in / Sign up

Export Citation Format

Share Document