Design of information security risk management using ISO/IEC 27005 and NIST SP 800-30 revision 1: A case study at communication data applications of XYZ institute

Setiawan, Hermawan; Putra, Fandi Aditya; Pradana, Anggi Rifa

doi:10.1109/icitsi.2017.8267952

Cited by 11 publications

(6 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The term "segregation of duties" encompasses a wide range of guidelines that outline how the duties of different employees should be differentiated in order to achieve higher levels of responsibility. ISO 27002 provides the tools for enterprises to embrace ISO 27001 more efficiently and with a world-wide recognized method [6][7][8][15][16][17]. It explains the constraints that need to be utilized throughout the corporation (such as clear determining factors of commitments via explicitly delineated job assertions of employees).…”

Section: Iso 27000: 27001 27002mentioning

confidence: 99%

“…The following procedures may be performed as part of the risk assessment: identification of potential dangers, categorization of how likely it is that a threat will materialize with respect to a given entity, confirmation of the impact, which usually includes upcoming expenditures, structural failure, and recovery expenses, and reduction in losses by combining risk management into preexisting business processes [8].…”

Section: Iso 27001: Risk Assessmentmentioning

confidence: 99%

“…The body of academic research on the subject presents a number of distinct methodologies that can be utilized by businesses to create and carry out an information security plan. A conceptual model of "Institute XYZ" was presented by Putra et al (2017) [8] to help identify key risk factors. By referencing ISO 27005, they implemented the NIST SP 800-30 version.…”

Section: Introductionmentioning

confidence: 99%

“…By referencing ISO 27005, they implemented the NIST SP 800-30 version. The group concluded that ISO 27005 could perhaps be used in conjunction with alternative recommendations, such as one that includes an "incident risk scenario" [8]. Agrawal (2017) [9] also presented a framework for ISO 27005 that may be used to locate records that pertain to risky organizational processes.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

The ISO/IEC 27001 Information Security Management Standard: How to Extract Value from Data in the IT Sector

2023

View full text Add to dashboard Cite

In order to handle their regulatory and legal responsibilities and to retain trustworthy strategic partnerships, enterprises need to be dedicated to guaranteeing the privacy, accessibility, and authenticity of the data at their disposal. Companies can become more resilient in the face of information security threats and cyberattacks by effectively integrating security strategies. The goal of this article is to describe a plan that a corporation has implemented in the information technology industry in order to ensure compliance with International Organization for Standardization (ISO) 27001. This research demonstrates an examination of the reasons that force enterprises to make a investment in ISO 27001 in addition to the incentives that might be acquired from having undergone this process. In addition, the research examines the reasons that push firms to make an investment in ISO 27001. More particularly, the research investigates an international IT consulting services institution that is responsible for the implementation of large-scale business assistance insertion and projects. It demonstrates the risk management framework and the administrative structure of the appropriate situations so that its procedures are adequate and also in line with the guidelines founded by ISO 27001. In conclusion, it discusses the problems and difficulties that were experienced.

show abstract

Section: Iso 27000: 27001 27002mentioning

confidence: 99%

Section: Iso 27001: Risk Assessmentmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

The ISO/IEC 27001 Information Security Management Standard: How to Extract Value from Data in the IT Sector

2023

View full text Add to dashboard Cite

show abstract

“…Lim and Suparman [21] used NIST SP 800-30 along with a subjective approach called Review Document, Interview Key Personnel, Inspect Security Control, Observes Personnel Behaviour and Test Security Control (RIIOT) to collect the required information for the risk assessment within the Indonesian cloud providers environment. Setiawan et al [34] used a similar approach by integrating the techniques from NIST SP 800-30, ISO 27000 series with interviews, questionnaires and observations for information security risk management and risk treatment. On the other hand, Supriyadi and Hardani [37] used COBIT 5 with NIST SP 800-30 to assess risk on critical application systems.…”

Section: Related Workmentioning

confidence: 99%

MITRE ATT&CK-driven Cyber Risk Assessment

Ahmed

Panda

Xenakis

et al. 2022

Proceedings of the 17th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Assessing the risk posed by Advanced Cyber Threats (APTs) is challenging without understanding the methods and tactics adversaries use to attack an organisation. The MITRE ATT&CK provides information on the motivation, capabilities, interests and tactics, techniques and procedures (TTPs) used by threat actors. In this paper, we leverage these characteristics of threat actors to support informed cyber risk characterisation and assessment. In particular, we utilise the MITRE repository of known adversarial TTPs along with attack graphs to determine the attack probability as well as the likelihood of success of an attack. We further identify attack paths with the highest likelihood of success considering the techniques and procedures of a threat actor. The assessment is supported by a case study of a health care organisation to identify the level of risk against two adversary groups-Lazarus and menuPass.

show abstract