INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
28
Addressing Information Security Risks by Adopting Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡ P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in nearly every facet of human activity including finance,
transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,
including information technology risks. Several standards, best practices, and frameworks have been created to help
organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their
efforts to properly manage information security risks when adopting international standards and frameworks. To assist in
selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used
standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations
is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering
most aspects of our daily life. Businesses which
are heavily dependent on this technology use
information systems which were designed and
implemented with concentration on functionality,
costs reduction and ease of use. Information
security was not incorporated early enough into
systems and only recently has it started to get the
warranted attention. Accordingly, there is a need to
identify and manage these hidden weaknesses,
referred to as systems vulnerabilities, and to limit
their damaging impact on the information systems
integrity, confidentiality, and availability.
Vulnerabilities are exploited by attacks which are
becoming more targeted and sophisticated.
Attacking techniques and methods are virtually
countless and are evolving tremendously [1, 2].
In any enterprise, information security risks
must be identified, evaluated, analyzed, treated and
properly reported. Businesses that fail in
identifying the risks associated with the
technology they use, the people they employ, or
the environment where they operate usually
subject their business to unforeseen consequences
that might result in severe damage to the business
[3]. Therefore, it is critical to establish reliable
information security risk assessment and treatment
frameworks to guide organizations during the risk
management process.
Because risks cannot be completely eliminated,
they need to be reduced to acceptable levels.
Acceptable risks are risks that the business decides
to live with, given that proper assessment for these
risks has been performed and the cost of treating
these risks outweighs the benefits.
To this effect, enterprises spend considerable
resources in building proper information security
risk management programs that would eventually
address the risks they are exposed to. These
programs need to be established on solid
foundations, which is the reason why enterprises
look for standards and frameworks that are widely
accepted and common across enterprises [4].
However, the fact that several standards and
frameworks exist makes it challenging for
enterprises to select which one to adopt, and the
question “which is the best?” warrants further
investigation. The main objective of this paper is
to provide an answer to this question, thereby
assisting enterprises in developing proper
understanding of the issue and establishing
successful information security risk management
programs. This paper provides an analysis of some
existing standards and frameworks for information
security risks and consolidates various aspects of
the topic. It also presents the challenges that
frustrate information security risk management
efforts along with how leading market standards
and practices can be used to address information
security risks with insights on their strengths and
weaknesses.
Please note that the scope of this paper is
limited to the following frameworks: ISO 27001,
ISO 27002, ISO 27005, ITIL, COBIT, Risk IT,
Basel II, PCI DSS, and OCTAVE. These are the
most commonly used frameworks in the market
[5]. Other frameworks and methodologies like
RMF (by NIST) and M_o_R (by GOC) can be
considered in future work. It is also important to
mention that this paper is not intended to promote
a specific standard or framework; rather it treats
them equally. Conclusions drawn as a result of this
work are based on our detailed analyses, research,
literature review, and observations from our work
experience and engagements with clients from
various sectors in the field of information security.
The remainder of this paper is organized as
follows: section 2 highlights some related work;
section 3 details some challenges that disturb
information security risk assessments; section 4
provides an overview of the major drivers for
standards adoption; section 5 provides detailed
analyses and exploration for the standards and
frameworks in scope; section 6 details the
strengths and weaknesses of these standards and
frameworks when used as a means to address
information security risks; section 7 captures the
selection considerations to use; section 8 provides
some recommendations along with the proposed
approach; section 9 presents a case study to
illustrate the benefits of the proposed selection
method; finally, section 10 puts forward some
conclusions and future research opportunities in
relation to our work.
2. Related Work
The literature on information security risk
management based on international standards is
scarce. The literature lacks studies that guide
organizations in selecting the standard that fits
their needs. Some research works attempt to
analyze existing information security risk
management standards, mainly ISO 27001 [6].
However, these research works focus mainly on
listing advantages and disadvantages of these
standards and how to implement and manage
them. No comprehensive studies have been done to
holistically compare various frameworks, with the
objective of providing selection criteria for the best
standard or proposing a better assessment
approach. Some papers dealt with frameworks
such as COBIT, ITIL, and ISO 17799, as means to
manage compliance requirements [7]. Ref. [8]
proposes a framework which considers global,
national, organizational, and employee standards
to guide information security management. Ref.
[9] presents a framework of information security
standards conceptualization, interconnection and
categorization to raise awareness among
organizations about the available standards
(mainly ISO series).
As well as exploring existing frameworks used
in IT risk management, this paper presents the
challenges facing organizations to successfully
implement information security risk assessments
and the drivers for standards adoption. The main
and novel contribution of our research work is the
proposal of a practical approach to selecting an
appropriate framework to address information
security risks.
3. Challenges to Information Security Risk
Assessments
Some of the common challenges to information
security risk assessments are discussed briefly in
this section. In fact, these challenges represent
critical failure factors for an information risk
management program.
1) Absence of senior management commitment &
support: Management’s buy-in and support is a
critical driver for the success of any IT project,
including information security risk assessments.
Absence of management commitment will
result in wasting valuable resources and efforts,
producing weak evaluations, and most
importantly, will lead to ignoring the
assessment findings [10].
2) Absence of appropriate policies for information
security risk management: It is crucial to have
information security policies in place to reflect
the enterprise objectives and management
directions. Although some policies might be
created, information security risk management
policies tend to be dropped or forgotten. In a
research conducted by GAO, the US
Government Accountability Office, three out of
four detailed case studies showed that despite
the fact that firms used to have some form of
information security risk assessment approaches
practiced for several years, the risk management
and assessment policies and processes were not
documented until recently [11]. The absence of
this critical steering document will lead to
unstructured risk assessment approaches and
will openly allow unmanaged evaluations.
3) Disintegrated GRC efforts: The increasingly
popular term GRC refers to three critical areas:
Governance, Risk Management, and
Compliance. According to COBIT 4.1, IT
Governance is defined as “the responsibility of
executives and the board of directors, and
consists of the leadership, organizational
structures and processes that ensure that the
enterprise’s IT sustains and extends the
organization’s strategies and objectives” [12].
Risk management is a process through which
management identifies, analyses, evaluates,
treats, communicates, and monitors risks that
might adversely affect realization of the
organization’s business objectives. Compliance
is about making sure that external laws,
regulations, mandates and internal policies are
being complied with at a level consistent with
corporate morality and risk tolerance.
Governance, risk, and compliance should
always be viewed as a continuum of interrelated
functions, best approached in a comprehensive,
integrated manner. The disintegration results in
increased failure rates, waste of resources, and
increased overall assurance cost.
4) Improper assessments management: Despite the
importance of security risk assessments, they
are mostly not managed as projects and merely
considered as part of IT normal operations.
Considering security risk assessments as part of
IT routine assignments will exclude these
assessments from business review and
consequently will result in a definite disconnect
between management and their enterprise
information security assessments. This
exclusion will also increase the possibilities of
executing over-budget assessments that will
only cause additional efforts and resources to be
wasted.
5) Assets ownership is either undefined or
unpracticed: In ISO 27001 “the term ‘owner’
identifies an individual or entity that has
approved management responsibility for
controlling the production, development,
maintenance, use and security of the assets”
[13]. This definition entails major responsibility
granted to the person who is assigned the
ownership which includes making sure that
proper controls are actually implemented in
order to protect the asset. Information security
standards, best practices and mandates like ISO,
COBIT, and ITIL require that information
assets are identified, inventoried, and ownership
is assigned. This is crucial for the success of
any information security assessment. Most
organizations fail to develop comprehensive
information assets inventories and accordingly
do not assign ownership [14].
6) Limitations of existing automated solutions:
Software solutions for information security risk
assessment are developed to aid in the
automation of this process and to make it more
efficient. In a detailed comparison conducted by
“Risk Assessment Accelerator”, seven common
solutions were compared with respect to more
than forty different areas [15]. Features like
ease of use, multi-language and client-server
architecture support were highlighted as
existing limitations in four up to five of these
solutions. Three out of the seven compared
solutions provide limited customization
capabilities for both built-in inventories (for
risks, vulnerabilities and threats) and the
generated dashboards. All these weaknesses and
limitations degrade enterprises’ efforts to have
efficient and reliable information security risk
assessment requirements documentation.
7) Existence of several IT risk assessment
frameworks: The existence of many information
security risk management and assessment
frameworks add to the ambiguity and challenge
of what is the best one to use. As a matter of
fact, analyses of existing risk assessment
frameworks show that there is no one-size-fits-
all solution to this issue as it is hard to develop
a single precise document that will address the
needs of all enterprises given their variant
natures and requirements.
4. Drivers for Standards Adoption
In order to address their information security
risk management and assessment challenges,
enterprises adopt internationally accepted
frameworks or best practices. Standards in general
are meant to provide uniformity that would ease
the understanding and management of concerned
areas. Businesses find themselves in need to adopt
standards for various reasons which vary from
business requirements to regulators and
compliance mandates. Establishment of proper
corporate governance, increasing risk awareness
and competing with other enterprises are some
business drivers to mention. Some firms pursue
certifications to meet market expectations and
improve their marketing image. A major business
driver for standards adoption is to fill in the gaps
and lack of experience in certain areas where firms
are not able to build or establish proprietary
standards based on their staff competencies [16].
Providing confidence to trading partners,
stakeholders, and customers, reducing liability due
to unimplemented or enforced policies and
procedures, getting senior management ownership
and involvement and establishing a mechanism for
measuring the success of the security controls are
some other key drivers for the adoption of
standards.
5. Leading Market Best Practices Standards
In this section, an overview is presented of a
number of the more important standards for
information security risk management. For detailed
information about these standards, the reader is
encouraged to consult the references provided for
them. The list of standards presented is by no
means complete; as mentioned before, only a subset
of the existing standards is treated in this paper.
5.1. ISO 27000 Set
The ISO 27000 is a series of standards, owned
by the International Standards Organization,
focusing on information security matters. For the
purposes of this work, ISO 27001, ISO 27002, and
ISO 27005 will be explored to highlight their
strengths and weaknesses in relation to current
demands for effective and robust frameworks for
information security risk assessments.
ISO 27001: The ISO 27001 standard is the
specification for an Information Security
Management System (ISMS). The objective of the
standard is to specify the requirements for
establishing, implementing, operating, monitoring,
reviewing, maintaining, and improving an
Information Security Management System within
an organization [13]. It is designed to ensure the
selection of adequate and proportionate security
controls to protect information assets. It is seen as
an internationally recognized structured
methodology dedicated to information security
management.
The standard introduces a cyclic model known
as the “Plan-Do-Check-Act” (PDCA) model that
aims to establish, implement, monitor and improve
the effectiveness of an organization’s ISMS. The
PDCA cycle has these four phases:
Plan – establishing the ISMS
Do – implementing and operating the ISMS
Check – monitoring and reviewing the ISMS
Act – maintaining and improving the ISMS
Organizations that adopt ISO 27001 in their
attempt to pursue an effective means for
operational information security risk management
overlook the fact that this standard was designed to
be used mainly as an ISMS framework – at the
high level, not operational level – founding proper
bases for information security management. ISO
27001 document mentions valuable details on
information security risk assessment – mainly in
the statements 4.2.1.C thru 4.2.1.H that can be
used as selection criteria for a proper information
security risk assessment approach that builds upon
the controls list proposed by the standard.
ISO 27002: ISO 27002 is a code of practice
that provides suggested controls that an
organization can adopt to address information
security risks. It can be considered an
implementation roadmap or extension to ISO
27001. As stated in the standard document, the
code of practice is established to provide
“guidelines and general principles for initiating,
implementing, maintaining, and improving
information security management within an
organization” [17]. The controls listed in the
standard are intended to address the specific
requirements identified via a formal risk
assessment. The standard is also intended to
provide a guide for the development of
“organizational security standards and effective
security management practices, and to help build
confidence in inter-organizational activities” [18].
ISO 27002 as the Code of Practice is best suited to
be used as a guidance and direct extension to ISO
27001. ISO 27002 is used by enterprises as the
sole source of controls and a means for
information security risk assessment, however, not
all controls are mandated as firms’ structures and
businesses vary. Controls selection must be done
based on detailed and structured assessment to
determine which specific controls are appropriate
and which are not.
This standard contains guidelines and best
practices recommendations for these 10 security
domains: Security Policy; Organization of
Information Security; Asset Management; Human
Resources Security; Physical and Environmental
Security; Communications and Operations
Management; Access Control; Information
Systems Acquisition, Development and
Maintenance; Information Security Incident
Management; Business Continuity Management;
and Compliance.
Among these 10 security domains, a total of 39
control objectives and hundreds of best-practice
information security control measures are
recommended for organizations to satisfy the
control objectives and protect information assets
against threats to confidentiality, integrity and
availability.
ISO 27005: ISO 27005 standard was proposed
to fill in the gaps existing in ISO 27001 and ISO
27002 in terms of information security risk
management. The standard builds up on the core
that was introduced in ISO 27001 – reference
statements 4.2.1.C thru 4.2.1.H – and elaborates by
identifying inputs, actions, implementation
guidelines, and outputs for each and every
statement. However, during our research we
realized that the adoption of this standard as a
means for information security risk management is
minimal. This was evident in “The Open Group”
efforts to support ISO 27005 adoption by releasing
a free detailed technical document – called
ISO/IEC 27005 Cookbook – that uses ISO 27005
as a cornerstone for a complete risk management
methodology [18, 19]. ISO 27005 is not intended
to be an information security risk assessment
methodology [20].
The standard has six annexes that are all
informative but considered of a major value
extension to the standard. With proper
customization, these annexes along with the ISO
27005 body can be used as the main assessment
methodology for security risks.
5.2. IT Infrastructure Library (ITIL 3.0)
ITIL is one of the IT frameworks used as a best
practice adopted to properly manage IT services.
ITIL perceives any effort or action done by IT in
support to the organization as a service that has
value to customers or businesses. The ITIL library
focuses on managing IT services and covers all
aspects of IT service provisioning starting from
service strategy, design, transition, operation, and
implementation. It also highlights the continual
monitoring and improvement aspect for each and
every service.
ITIL does not introduce itself as a framework
for information security risk management.
However, as an IT governance framework, having
it implemented in an enterprise will provide
assurance and indication of the organization’s IT
maturity. Addressing IT risks associated with
incident, change, event, problem, and capacity
management would definitely minimize related
information security risks as well [21, 22].
The drivers for ITIL adoption in organizations
were subject to analyses and study by several
researchers. A survey conducted by itSMF (IT
Service Management Forum) showed that ITIL
was adopted by different industry sectors [23]
including education, government, and financial
sectors amongst others. The ITIL status survey for
2009 [24] showed the increasing adoption of ITIL
version 3.0 and elaborated on the major drivers
that are causing this adoption. This includes
improving service quality, customer satisfaction
and establishing IT stability and successful value
delivery for business. ITIL modularity adds to its
adoption popularity. Based on the enterprise
current priorities, the firm can select to focus on
service operations rather than service strategy
which typically needs more time to mature. ITIL
can be implemented gradually in phases.
5.3. COBIT 4.1 & Risk IT
Control Objectives for Information and related
Technology (COBIT), developed and owned by
the Information Systems Audit & Control
Association (ISACA), is one of the most
increasingly adopted information technology
frameworks for IT Governance. COBIT focuses
on defining IT control objectives and developing
the controls to meet them. It is made of 34
processes that manage and control information and
the technology that supports it [12].
COBIT is adopted by enterprises from various
industry sectors [25] which include IT consulting
firms, education, financial institutions,
government, healthcare, utilities and energy. To
get a closer understanding of how various
enterprises perceive COBIT, thirty case studies
were reviewed and analyzed. The case studies
showed that COBIT was used to create the needed
alignment between business and IT, create the IT
Governance framework, improve IT processes and
establish the IT risk management organization.
Other enterprises used COBIT to meet their
compliance needs and requirements. It was
realized from the case studies that financial
institutions adopt COBIT for their internal IT audit
efforts and risk assessments. They also used it to
create IT policies and procedures. Other firms used
COBIT as a means to standardize IT processes and
increase their effectiveness and maturity level.
COBIT was also used as a means to conduct audit.
COBIT does not provide a methodology to
conduct information security risk assessments but
rather establishes the foundation for having a solid
IT organization in the firm.
ISACA recognized the importance and need
for a comprehensive IT risk management
framework and as a result developed the Risk IT
framework. According to the Risk IT framework
document “The Risk IT framework complements
ISACA’s COBIT, which provides a
comprehensive framework for the control and
governance of business-driven IT-based solutions
and services. While COBIT sets good practices for
the means of risk management by providing a set
of controls to mitigate IT risk, Risk IT sets good
practices for the ends by providing a framework
for enterprises to identify, govern and manage IT
risks” [26].
Risk IT provides an end-to-end, comprehensive
view of all risks related to the use of IT and a
similarly thorough treatment of risk management,
from the tone and culture at the top, to operational
issues. It enables enterprises to understand and
manage all significant IT risk types. Risk IT
follows the process model used in COBIT and has
three major domains: 1) Risk Governance which
focuses on the establishment and maintenance of
common risk view, and making risk-aware
business decisions; 2) Risk Evaluation which deals
with data collection, risks analyses and
maintaining risk profile; 3) The Risk Response
component articulates risk, manages risk and
reacts to all adverse events identified [26].
Given that Risk IT is still new, its adoption
across enterprises is not yet realized; however, it is
expected to attract more attention and focus in the
near future, building on the wide acceptance and
adoption of COBIT.
5.4. Other Frameworks
In this section, we briefly discuss other
standards and regulations for information security.
Some industries, such as banking, are regulated,
and the guidelines or best practices put together as
part of those regulations often become a de facto
standard among members of these industries.
Basel II: Basel II is the most commonly
adopted directive across the financial institutions.
The reason behind this is the fact that this directive
has become a mandated regulation that all
financial institutions need to comply with. Its core
is about how much capital banks need to put aside
to guard against the types of financial and
operational risks banks face [27]. It focuses on
operational risks as opposed to information
security risks. According to Basel II, operational
risk (Ops Risk) is any risk that results from failure
in any of the following areas: system, process,
human or external attack. This definition implies
that Basel II has an IT dimension that needs to be
properly managed. This area was subject for
detailed research and several publications tried to
set clear controls and control objectives to mitigate
the related risks. ISACA led this effort and
developed a detailed framework in this regards
[28].
PCI DSS: Payment Card Industry Data
Security Standard (PCI DSS) [29], currently in
version 2.0, is a standard that consists of twelve
domains and was created by payment brands
leaders to help facilitate the broad adoption of
consistent data security measures on a global basis.
Proper implementation of PCI DSS assists in
building and maintaining a secure network,
protecting cardholder data, maintaining a
vulnerability management program, and
implementation of solid access control measures.
Compliance with PCI requirements is mandated
for any party that stores or transmits credit or debit
card data. It assists enterprises to manage
information security risks, reduces losses resulting
from fraud, and protects consumer data. PCI DSS
is not intended to be used as an information
security risk management or assessment
framework; however, while efforts are spent
towards fulfilling its requirements overall
information security maturity level is leveraged
making it easier to achieve better security
assessments. For organizations that already have
ISMS (ISO 27001) implemented, PCI DSS
compliance is straightforward.
OCTAVE Set: OCTAVE (Operationally
Critical Threat, Asset and Vulnerability
Evaluation), developed at the CERT Coordination
center at Carnegie Mellon University, is a detailed
information security risk assessment methodology;
it consists of tools, techniques and methods to
conduct risk assessments. It is a formal and
detailed set of processes, which assist in ensuring
that risks are identified and properly analyzed,
…