Modeling the Impact of Controls on Information System Risks

Authors: M. Ndaw, G. Mendy, S. Ouya

Abstract:

Information system risk management reduces or eliminates risk by implementing appropriate controls. In this paper, we propose a model that quantifies the impact of controls on information system risks by automating the residual-criticality estimation step of FMECA, a step that relies on inductive reasoning. To this end, we define three equations based on the type and maturity of the controls. For validation, the values produced by the model were compared with the estimates given by stakeholders during several working sessions, and the agreement is satisfactory. The model supports an optimal assessment of control maturity and facilitates the risk analysis of information systems.

Keywords: Information System, Risk, Control, FMECA.
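The computation the abstract describes, as an added worked example that is not the authors' code: the paper's three equations are not reproduced on this page, so the mapping of control type to FMECA factor (preventive acts on occurrence, detective on detection, corrective on severity), the 0..5 maturity scale and the rule that a fully mature control halves its factor are all assumptions made here to show the shape of a residual-criticality calculation, nothing more. The sample risk register is constructed for the example.

```python
"""FMECA residual criticality with control type and maturity.

Added illustration; NOT the authors' model. The reduction rules below (which
factor a control type acts on, and how maturity scales its effect) are
assumptions chosen to show the shape of the computation.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SCALE_MIN, SCALE_MAX = 1, 10   # classic FMECA 1..10 rating scales
MATURITY_MAX = 5               # assumed CMMI-style 0..5 maturity scale


@dataclass
class Control:
    name: str
    kind: str       # "preventive", "detective" or "corrective" (assumed taxonomy)
    maturity: int   # 0 = documented but not implemented .. 5 = optimised


@dataclass
class FailureMode:
    asset: str
    mode: str
    severity: int    # 1 = negligible .. 10 = catastrophic
    occurrence: int  # 1 = remote .. 10 = almost certain
    detection: int   # 1 = certain detection .. 10 = cannot be detected
    controls: List[Control] = field(default_factory=list)


def _rated(value: int, name: str) -> int:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be in [{SCALE_MIN}, {SCALE_MAX}], got {value}")
    return value


def inherent_criticality(fm: FailureMode) -> int:
    """Risk priority number S x O x D before any control is credited."""
    return (_rated(fm.severity, "severity") * _rated(fm.occurrence, "occurrence")
            * _rated(fm.detection, "detection"))


def effect(control: Control) -> float:
    """Assumed: a fully mature control halves the factor it acts on, and a control
    at maturity m delivers m/5 of that, so the multiplier is 1 - 0.5 * m/5."""
    if not 0 <= control.maturity <= MATURITY_MAX:
        raise ValueError(f"maturity must be in [0, {MATURITY_MAX}], got {control.maturity}")
    return 1.0 - 0.5 * (control.maturity / MATURITY_MAX)


def residual_factors(fm: FailureMode) -> Tuple[float, float, float]:
    """Credit each control against the factor its type acts on (assumed mapping):
    preventive -> occurrence, detective -> detection, corrective -> severity.
    Controls on the same factor compound multiplicatively; no factor may fall
    below the scale minimum."""
    sev, occ, det = float(fm.severity), float(fm.occurrence), float(fm.detection)
    for c in fm.controls:
        if c.kind == "preventive":
            occ *= effect(c)
        elif c.kind == "detective":
            det *= effect(c)
        elif c.kind == "corrective":
            sev *= effect(c)
        else:
            raise ValueError(f"unknown control type {c.kind!r}")
    return (max(sev, SCALE_MIN), max(occ, SCALE_MIN), max(det, SCALE_MIN))


def residual_criticality(fm: FailureMode) -> float:
    s, o, d = residual_factors(fm)
    return s * o * d


def maturity_gain(fm: FailureMode, control_name: str, new_maturity: int) -> float:
    """Drop in residual criticality if one control is raised to new_maturity;
    lets an analyst compare which control is worth investing in next."""
    before = residual_criticality(fm)
    raised = [Control(c.name, c.kind, new_maturity if c.name == control_name else c.maturity)
              for c in fm.controls]
    after = residual_criticality(FailureMode(fm.asset, fm.mode, fm.severity,
                                             fm.occurrence, fm.detection, raised))
    return before - after


def prioritise(register: List[FailureMode]) -> List[Tuple[str, str, int, float]]:
    """Rank failure modes by residual criticality, highest first."""
    rows = [(fm.asset, fm.mode, inherent_criticality(fm), round(residual_criticality(fm), 2))
            for fm in register]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample register (not data from the paper).
DB_BREACH = FailureMode("customer DB", "unauthorised read of records", 9, 6, 7, [
    Control("MFA on admin accounts", "preventive", 5),
    Control("SIEM alert on bulk SELECT", "detective", 3),
])
BACKUP_LOSS = FailureMode("backup store", "ransomware encrypts backups", 8, 4, 3, [
    Control("immutable object lock", "preventive", 0),   # documented, not yet deployed
])

if __name__ == "__main__":
    for row in prioritise([DB_BREACH, BACKUP_LOSS]):
        print(row)
    print("raising SIEM alerting to level 5 saves",
          round(maturity_gain(DB_BREACH, "SIEM alert on bulk SELECT", 5), 2))
```

The point a practitioner should take from this shape, whatever the actual equations are: a control that is only documented (maturity 0) earns no credit, so the backup failure mode keeps its full inherent criticality, and the type of a control decides which FMECA factor it can move, so an MFA deployment cannot lower detection no matter how mature it is.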

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1111965

