Printer Friendly

Can a single security framework address information security risks adequately?

1. Introduction

The use of technology is increasingly covering most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and implemented with concentration on functionality, costs reduction and ease of use. Information security was not incorporated early enough into systems and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as systems vulnerabilities, and to limit their damaging impact on the information systems integrity, confidentiality, and availability. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attacking techniques and methods are virtually countless and are evolving tremendously [1, 2].

In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail in identifying the risks associated with the technology they use, the people they employ, or the environment where they operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process.

To this effect, enterprises spend considerable resources in building proper information security risk management programs that would eventually address the risks they are exposed to. These programs need to be established on solid foundations which is the reason why enterprises look for standards and frameworks that are widely accepted and common across enterprises. However, the fact that several standards and frameworks exist make it challenging for enterprises to select which one to adopt and the question: "which is the best?" warrants further investigation. The main objective of this paper is to provide an answer to this question, thereby assisting enterprises in developing proper understanding of the issue and establishing successful information security risk management programs. This paper provides an analysis of some existing standards and frameworks for information security risks and consolidates various aspects of the topic. It also presents the challenges that frustrate information security risk management efforts along with how leading market standards and practices can be used to address information security risks with insights on their strengths and weaknesses.

Please note that the scope of this paper is limited to the following frameworks: ISO 27001, ISO 27005, ITIL, COBIT, Risk IT, RMF by NIST, Basel II, PCI DSS, and OCTAVE. These are the most commonly used frameworks in the market. It is also important to mention that this paper is not intended to promote a specific standard or framework; rather it treats them equally. Conclusions drawn as a result of this work are based on our detailed analyses, research, literature review, and observations from our work experience and engagements with clients from various sectors in the field of information security.

2. Related work

The literature on information security risk management based on international standards is scarce. The literature lacks studies that guides organizations in selecting the standard that fits their needs. Some research works attempt to analyze existing information security risk management standards, mainly ISO 27001 [4]. However, these research works focus mainly on listing advantages and disadvantages of these standards and how to implement and manage them. No comprehensive studies have been done to holistically compare various frameworks, with the objective of providing selection criteria for the best standard or proposing a better assessment approach. Some papers dealt with frameworks such as COBIT, ITIL, and ISO 17799, as means to manage compliance requirements [5]. In [6], the authors propose a framework which considers global, national, organizational, and employee standards to guide information security management.

As well as exploring existing frameworks used in IT risk management, this paper presents the challenges facing organizations to successfully implement information security risk assessments and the drivers for standards adoption. The main and novel contribution of our research work is the proposal of a practical approach to selecting an appropriate framework to address information security risks.

3. Challenges

Some of the common challenges to information security risk management are discussed briefly in this section. In fact, these challenges represent critical failure factors for an information risk management program.

1) Absence of senior management commitment & support: Management's buy-in and support is a critical driver for the success of any IT project, including information security risk assessments. Absence of management commitment results in wasting valuable resources, weak evaluations, and most importantly, leads to ignoring the assessment findings [7].

2) Absence of appropriate policies for information security risk management: It is crucial to have information security policies in place to reflect the enterprise objectives and management directions. Although some policies might be created, information security risk management policies tend to be dropped or forgotten. The absence of this critical steering document leads to unstructured risk assessment approaches and allows unmanaged evaluations [8].

3) Disintegrated GRC efforts: The term GRC refers to Governance, Risk Management, and Compliance. IT Governance consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives [9]. Risk management is a process through which management identifies, analyses, evaluates, treats, communicates, and monitors risks that might adversely affect realization of the organization's business objectives. Compliance is about making sure that external laws, regulations, mandates and internal policies are being complied with at a level consistent with corporate morality and risk tolerance. GRC should always be viewed as a continuum of interrelated functions, best approached in a comprehensive, integrated manner. The disintegration results in increased failure rates, waste of resources, and increased overall assurance cost.

4) Improper assessments management: Despite the importance of security risk assessments, they are considered as part of IT normal operations. This will exclude these assessments from business review and will result in a definite disconnect between management and their enterprise information security assessments, thereby increasing the possibilities of executing over-budget assessments that will cause additional efforts and resources to be wasted.

5) Assets ownership is either undefined or unpracticed: In ISO 27001, the term 'owner' identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets [10]. This definition entails major responsibility granted to the person who is assigned the ownership which includes making sure that proper controls are actually implemented in order to protect the asset. This is crucial for the success of any information security assessment. Most organizations fail to develop comprehensive information assets inventories and thus do not assign ownership [11].

6) Limitations of existing automated solutions: In a detailed comparison conducted by "Risk Assessment Accelerator", seven common solutions were compared with respect to more than forty different areas [12]. Features like ease of use, multi-language and client-server architecture support were highlighted as limitations in four up to five of these solutions. Only three solutions provide limited customization capabilities for both built-in inventories (for risks, vulnerabilities and threats) and the generated dashboards. These limitations degrade enterprises' efforts to have efficient and reliable information security risk assessment.

7) Existence of several IT risk assessment frameworks: The existence of many information security risk management frameworks add to the ambiguity and challenge of what is the best one to use. As a matter of fact, analyses of exiting risk assessment frameworks show that there is no one-size-fits-all solution to this issue as it is hard to develop a single precise document that will address the needs of all enterprises given their variant natures and requirements.

4. Why adopting standards

In order to address their information security risk management challenges, enterprises adopt internationally accepted frameworks or best practices. Standards in general are meant to provide uniformity that would ease the understanding and management of concerned areas. Businesses find themselves in need to adopt standards for various reasons which vary from business requirements to regulators and compliance mandates. Establishment of proper corporate governance, increasing risk awareness and competing with other enterprises are some business drivers to mention. Some firms pursue certifications to meet market expectations and improve their marketing image. A major business driver for standards adoption is to fill in the gaps and lack of experience in certain areas where firms are not able to build or establish proprietary standards based on their staff competencies [13].

Providing confidence to trading partners, stakeholders, and customers, reducing liability due to unimplemented or enforced policies and procedures, getting senior management ownership and involvement and establishing a mechanism for measuring the success of the security controls are some other key drivers for the adoption of standards.

5. Leading market Security Frameworks

Due to limitation in space, only an overview is presented of a number of the more important standards for information security risk management. For detailed information about these standards, the reader is encouraged to consult the references provided for them. The list of standards presented is absolutely not complete, and as mentioned before a subset of the existing standards are treated in this paper.

5.1. ISO 27000 set

The ISO 27000 is a series of standards, owned by the International Standards Organization, focusing on information security matters. For the purposes of this work, ISO 27001 and ISO 27005 will be explored to highlight their strengths and weaknesses in relation to current demands for effective and robust frameworks for information security risk assessments.

5.1.1. ISO 27001. The ISO 27001 standard is the specification for an Information Security Management System (ISMS). The objective of the standard is to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System within an organization [10]. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. It is seen as an internationally recognized structured methodology dedicated to information security management.

The standard introduces the "Plan-Do-Check-Act" (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization's ISMS. The PDCA cycle has four phases: Plan--establishing the ISMS; Do--implementing and operating the ISMS; Check--monitoring and reviewing the ISMS; Act--maintaining and improving the ISMS.

Organizations that adopt ISO 27001 in their attempt to pursue an effective means for operational information security risk management overlook the fact that this standard was designed to be used mainly as an ISMS framework--at the high level, not operational level--founding proper bases for information security management. ISO 27001 document mentions valuable details on information security risk assessment--mainly in the statements 4.2.1.C thru 4.2.1.H that can be used as selection criteria for a proper information security risk assessment approach that builds upon the controls list proposed by the standard.

The ISO 27000 set also includes ISO 27002 which is a code of practice that provides suggested controls that an organization can adopt to address information security risks. It can be considered an implementation roadmap or extension to ISO 27001.

5.1.2. ISO 27005. ISO 27005 standard was proposed to fill in the gaps existing in ISO 27001 and ISO 27002 in terms of information security risk management. The standard builds up on the core that was introduced in ISO 27001--reference statements 4.2.1.C thru 4.2.1.H--and elaborates by identifying inputs, actions, implementation guidelines, and outputs for each and every statement. However, during our research we realized that the adoption of this standard as a means for information security risk management is minimal. This was evident in "The Open Group" efforts to support ISO 27005 adoption by releasing a free detailed technical document--called ISO/IEC 27005 Cookbook--that uses ISO 27005 as a cornerstone for a complete risk management methodology [15, 16]. ISO 27005 is not intended to be an information security risk assessment methodology [17].

The standard has six annexes that are all informative but considered of a major value extension to the standard. With proper customization, these annexes along with the ISO 27005 body can be used as the main assessment methodology for security risks.

5.2. IT Infrastructure Library (ITIL 3.0)

ITIL is one of the IT frameworks used to properly manage IT services. ITIL perceives any effort or action done by IT in support to the organization as a service that has value to customers or businesses. ITIL focuses on managing IT services and covers all aspects of IT service provisioning starting from service strategy, design, transition, operation, and implementation. It also highlights the continual monitoring and improvement aspect for each service.

ITIL does not introduce itself as a framework for information security risk management. However, as an IT governance framework, having it implemented in an enterprise will provide assurance and indication on the organization's IT maturity. Addressing IT risks associated with incident, change, event, problem, and capacity management would definitely minimize related information security risks as well [18, 19].

The drivers for ITIL adoption in organizations were subject to analyses and study by several researches. A survey conducted by the IT Service Management Forum showed that ITIL was adopted by different industry sectors [20]. The ITIL status survey for 2009 [21] showed the increasing adoption of ITIL version 3.0 and elaborated on the major drivers that are causing this adoption. This includes improving service quality, customer satisfaction and establishing IT stability and successful value delivery for business. ITIL modularity adds to its adoption popularity. Based on the enterprise current priorities, the firm can select to focus on service operations rather than service strategy which typically needs more time to mature. The implementation of ITIL can be implemented gradually in phases.

5.3. COBIT 4.1 and Risk IT

Control Objectives for Information and related Technology (COBIT), developed by the Information Systems Audit & Control Association (ISACA), is one of the most increasingly adopted information technology frameworks for IT Governance [22]. COBIT focuses on defining IT control objectives and developing the controls to meet them. It is made of 34 processes that manage and control information and the technology that supports it [9].

To get closer understanding on how various enterprises perceive COBIT, thirty case studies were reviewed and analyzed. The case studies showed that COBIT was used to create the needed alignment between business and IT, create the IT Governance framework, improve IT processes and establish the IT risk management organization. Other enterprises used COBIT to meet their compliance needs and requirements. It was realized from the case studies that financial institutions adopt COBIT for their internal IT audit efforts and risk assessments. They also used it to create IT policies and procedures. Other firms used COBIT as a means to standardize IT processes and increase their effectiveness and maturity level. COBIT was also used as a means to conduct audit. COBIT does not provide a methodology to conduct information security risk assessments but rather establishes the foundation for having a solid IT organization in the firm.

ISACA recognized the importance and need for a comprehensive IT risk management framework and as a result developed the Risk IT framework, which complements COBIT. While COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk, Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risks [23]. Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues. It enables enterprises to understand and manage all significant IT risk types. Risk IT follows the process model used in COBIT and has three major domains: 1) Risk Governance which focuses on the establishment and maintenance of common risk view, and making risk-aware business decisions; 2) Risk Evaluation which deals with data collection, risks analyses and maintaining risk profile; 3) The Risk Response component articulates risk, manages risk and reacts to all adverse events identified [23]. Given that Risk IT is still new, its adoption across enterprises is not yet realized, however, it is expected to take more attention and focus in the near future taking use of the wide acceptance and adoption of COBIT.


The National Institute of Standards and Technology (NIST) provides a suite of standards that address information security risk management [14]. The risk assessment guidance in Special Publication 800-30 has been significantly expanded by Special Publication 800-30, Revision 1 to include more in-depth information on a wide variety of risk factors essential to determining information security risk. A three-step process is described including key activities to prepare for risk assessments, activities to successfully conduct risk assessments, and approaches to maintain the currency of assessment results. The activities include: Categorizing information systems and the information within those systems; Implementing security controls in the systems; Assessing the security controls using appropriate methods and procedures; Authorizing information systems operation based on a determination of the risk to organizational operations and assets; Monitoring and assessing selected security controls in information systems on a continuous basis.

In addition to providing a comprehensive process for assessing information security risk, the publication also describes how to apply the process at the three tiers in the risk management hierarchy: the organization level, mission/business process level, and information system level. To facilitate ease of use for individuals or groups conducting risk assessments within organizations, a set of exemplary templates, tables, and assessment scales for common risk factors is also provided. The templates, tables, and assessment scales give maximum flexibility in designing risk assessments based on the express purpose, scope, assumptions, and constraints established by organizations [14].

5.5. Basel II

Basel II is the most commonly adopted directive across the financial institutions. The reason behind this is the fact that this directive has become a mandated regulation that all financial institutions need to comply with. Its core is about how much capital banks need to put aside to guard against the types of financial and operational risks banks face [24]. It focuses on operational risks as opposed to information security risks. According to Basel II, operational risk (Ops Risk) is any risk that results from failure in any of the following areas: system, process, human or external attack. This definition implies that Basel II has an IT dimension that needs to be properly managed. This area was subject for detailed research and several publications tried to set clear controls and control objectives to mitigate the related risks. ISACA led this effort and developed a detailed framework in this regards [25].

5.6. PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) [26], currently in version 2.0, is a standard that consists of twelve domains and was created by payment brands leaders to help facilitate the broad adoption of consistent data security measures on a global basis. Proper implementation of PCI DSS assists in building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, and implementation of solid access control measures. Compliance with PCI requirements is mandated for any party that stores or transmits credit or debit card data. It assists enterprises to manage information security risks, reduces losses resulting from fraud, and protects consumer data. PCI DSS is not intended to be used as an information security risk management or assessment framework. For organizations that already have ISO 27001 implemented, PCI DSS compliance is straight forward.

5.7. OCTAVE set

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), developed at the CERT Coordination center at Carnegie Mellon University, is a detailed information security risk assessment methodology; it consists of tools, techniques and methods to conduct risk assessments. It is a formal and detailed set of processes, which assist in ensuring that risks are identified and properly analyzed, following the standard techniques used in most risk analysis procedures. However, due to the level of activity and overhead involved in OCTAVE, it is probably best suited to large organizations or projects. It has three models that are carefully developed to fit into various enterprises needs [27]. There are three OCTAVE methods:

* the original OCTAVE method, which forms the basis for the OCTAVE body of knowledge

* OCTAVE-S, for smaller organizations

* OCTAVE-Allegro, a streamlined approach for information security assessment and assurance

The OCTAVE Method Implementation Guide provides everything that an analysis team needs to use the OCTAVE Method to conduct an evaluation in their organization. It includes a complete set of detailed processes, worksheets, and instructions for each step in the method, as well as support material and guidance for tailoring.

6. Framework strengths and weaknesses

Several researches tried to identify shortcomings and limitations associated with standards which impact their adoption [28]. Despite that a lot of research was related to ISO 27000 standards, we found that most of the reported items were easily realized in other frameworks as well. Issues like high implementation costs, lack of skilled people, and standards generality apply to all the previously discussed standards with the exception of OCTAVE.

For most SMEs (Small-Medium Enterprises) costs for standards implementation are hard to justify especially when senior management is insufficiently concerned about information security, and associated risks are continuously underestimated. Accordingly, large enterprises lead the statistics in standards adoption compared with SMEs [28]. The standards generality (used for risk assessment only or for other purposes) does not count for differences in enterprises security risk requirements and might result into inconsistent interpretations by various parties.

Complexity and lack of guidance is another limitation found in several standards. For example, using the ISO 27001 standard source document alone is not sufficient to implement an effective ISMS organization. This is where detailed guidelines are needed as various processes and controls are merely described in the standard without detailing the "how to" implement for practitioners. Providing detailed guidelines for standards surfaced as a need to assist in better understanding and to encourage more adoption. ISACA has done this for its frameworks- "Risk IT Practitioner Guide" and various COBIT publications support Risk IT and COBIT. The Office of Government Commerce (OGC) has done the same for ITIL through the release of their complete library of publications that details how to effectively implement ITIL. The PCI Council continuously releases explanations and guidelines for PCI DSS implementation. A step-by-step detailed manual on how to use OCTAVE was made available as well [27]. ISO 27003 was introduced recently to cover the need for guidance for ISO 27001 and ISO 27002.

From our observations through engagements with clients, we realized a considerable acceptance for COBIT framework as a means to achieve various objectives. For various industries, COBIT assists in structuring IT governance and risk management, ensuring business-IT objectives alignment, standardizing IT processes, unifying processes and ensuring IT management quality. Because of its process-based structure, availability of detailed controls and controls objectives, and potential to automate; COBIT is used as a structured audit approach for internal IT audits. Most importantly, it is best selected for mergers and acquisitions reviews and compliance with external (e.g. regulators, organizations or third-party) requirements.

Like other frameworks, COBIT's complexity is limiting its adoption in some enterprises that lack the expertise and budgets for its implementation. In order to address this concern, ISACA released a light version of COBIT--called "COBIT Quick Start" which is considered a special version of COBIT that can be used as a baseline for many SMEs and other entities where IT is not mission-critical or essential for survival. It can also serve as a starting point for enterprises in their move towards an appropriate level of control and governance of IT [29].

ISO implementations are recognized especially in the financial sector driven by regulators compliance requirements. Based on our experience, we find ISO 27001 and ISO 27002 the easiest to automate and use for information security policies development and for conducting automated information security risk assessments. However, several organizations that pursue ISO certifications target marketing gains and overlook the fact that being certified does not necessarily means that you are secure. If not properly managed, ISMS certifications might lead to a false sense of security. On the other side, ISO 27005 is not a step by step risk assessment methodology compared to OCTAVE, but yet can be customized and used for this purpose and provide qualitative or quantitative security risk assessments.

The concept of IT management as a service is the core of ITIL which came as a result of the increased dependence on IT and accordingly required more focus on high quality. Among the business drivers for ITIL implementation is the need for mature, well performing IT processes improvement of the quality of services, and considering IT users as service customers. ITIL can be used indirectly to achieve proper governance and risk management. Similar to COBIT, ITIL is process-based which facilitates its adoption and implementation by allowing focus groups to build it gradually. Despite its high adoption costs, ITIL is highly recommended for enterprises that have large IT back-office operations that support critical business operations. PCI DSS and Basel II are considered exceptional standards since their adoption is mandated by regulators and closely monitored for performance and possible weaknesses. However, having them fully implemented would reflect higher understanding of security requirements and would improve enterprises immunity against external and internal threats.

The focus of the NIST RMF framework is on the IT systems used by government agencies and their contractors in the united states, and on their certification and accreditation to operate. This has limited its use outside the states or by non- government organizations. Also since the standards are very system oriented, leaving organizational matters outside the scope, there is a lack of a holistic view of information security risk management. NIST RMF is mainly intended more for large governmental organizations and may not be relevant to small organizations. Contrary to ISO 27001, NIST RMF not only prescribes a risk assessment methodology, but also prescribes at least some of the risk assessment. Similar to ISO27000 set, NIST RMF provides a set of security controls and provides a guide to implement the framework.

The OCTAVE methods have several important characteristics such as easy to execute and do not require large teams or advanced technical knowledge. They are also flexible and can be customized to address an organization's particular risk environment, security needs and level of skill. Also, risks are addressed in business contexts providing easy to understand results. It can be used also as the foundation risk-assessment component or process for other risk methodologies in a "hybrid-risk assessment" approach. OCTAVE information security risk assessments covers all information security aspects being physical, technical or people. A drawback in OCTAVE's various models is that they employ qualitative methodology only as opposed to quantitative approaches.

7. Framework Selection considerations

Based on the analysis presented in the previous sections, we found that various existing frameworks and standards have many strengths and weaknesses that promote or limit their adoption. The question of which is the best is a reasonable question to ask and we try to answer that in this section. To successfully select an appropriate framework, organizations should understand both the business objectives and requirements and the existing frameworks.

The answer to the above question depends heavily on understanding enterprises requirements and specific needs. If the exercise of requirements and needs analysis is not done, the adoption of a common standard just because it is widely used may be appropriate in some cases, and may be excessive or insufficient in others. The solution in this case is not a one size fits all solution and the decision to invest in implementing a certain standard should be carefully considered [13]. The expectation that one standard will fully address enterprises needs is not reasonable as it is difficult to develop a generic high level document that applies to all firms. We found no such study that promotes a specific standard as a solution for all issues related to information security risk management. This is where a customized-approach could actually be the best fit solution. A customized solution builds on the expertise of personnel and takes it into an aligned solution that matches enterprise requirements. Instead of using suggested content provided by the standards, the firm can build its own inventories of threats, vulnerabilities, and risks specific to its business type. Associated controls and control objectives need also to be customized based on the firm's objectives and risk appetite. A research conducted by GAO [8] detailed four case studies on information security risk assessment that show the added value of a customized approach in addressing information security risk management issues. Locally developed customized approaches tend to mature and evolve over time and maintain close alignment with enterprise needs.

Another approach to use is the hybrid-approach which differs slightly from a customized-approach as it considers adopting more than one standard or framework to use on the bases of selecting which parts achieve the enterprise risk management objectives. For instance, an enterprise might select to adopt ISO 27001 for its ISMS organization structure and use OCTAVE as a risk assessment methodology. To build a comprehensive inventory of controls, COBIT might be selected for use, etc.

Understanding existing frameworks is the second key issue in selecting an appropriate standard. Before investing in the implementation of any specific framework or standard, it is imperative to make sure that those responsible for selecting a standard understand the exact characteristics of the standard in hand, what it is designed for, and accordingly can provide an initial estimate on its adequacy. Using case studies, benchmarking, and previous credentials the enterprise can have better understanding of the extent to which the selected standard would actually achieve the desired results. Because information security is becoming increasingly realized as a business issue, the selection team should include a knowledgeable business representative. This team member is expected to be aware of all compliance or regulatory requirements that the selected framework should address.

Once the business needs are specified and the available standards are explored, several other important factors should be considered in order to select a framework to use.

* Business nature: this includes the business sector (financial, health, government, etc) and size. The type of threats, vulnerabilities, and risks associated with financial institutions are not the same for telecom operators or hospitals. Accordingly, the information security risk assessment requirements vary from business to business and these are addressed differently in the standards. The enterprise size has a direct relation to what standard to adopt. SMEs might consider adopting frameworks that have light weight versions. Many standards such as ISO 27001 and NIST RMF do not have light versions [5].

* Cost of implementation: this factor can be considered a differentiator when more than one framework fulfills the enterprise needs and the cost of their implementation is different. Usually such implementations are executed through consultants or third parties who have specific fees for their services; however, this is not the only expense to account for. Project management, required organizational changes and resources (awareness programs), day-to-day operation to maintain compliance with the implemented standard are some other expenses to mention [5].

* Needed skills: the needed skills to implement and operate an ISMS are not the same for all frameworks. Some frameworks require business knowledge, project management and budgeting skills whereas other standards require more technical skills. PCI DSS for instance requires more technical knowledge than ISO 27001 or COBIT which focus more on business understanding.

* Generality: when selecting a framework to use for information security risk assessment, it is quite important to recognize whether the framework being inspected provides the needed details and how-to or it just covers the topic in general. Comprehensiveness is another aspect to inspect as well, which indicates the degree of coverage provided by the framework. ISO 27001 is a general standard to use for information security risk management contrary to ISO 27005 which is specific to security risk management. ISO 27002 does not provide a comprehensive inventory of all controls to implement but NIST RMF does [5, 28].

* Adoption by other enterprises: adoption by others can act as a main indicator that assists enterprises in selecting a standard or framework that best fits into their needs, especially if used to provide a benchmark that compares to similar implementations in similar businesses. ISACA for instance publishes case studies on COBIT's implementation that detail why COBIT was used and how it assisted in addressing enterprises requirements [28].

* Availability of detailed guidelines from owner: this aspect is important especially if the enterprise decided to implement the standards or frameworks depending on its own resources without the assistance of a third party or external consultant. However, not all standards have detailed guidelines from the owners such as NIST RMF.

* Implementation complexity: a standard that meets the enterprise requirements and is yet simple to implement is considered a better option. In some cases, a standard that looks theoretically appropriate may have a very complex implementation. This issue might be standard-neutral, but it reflects on the overall framework adoption [5]. The implementation complexity can be measured in terms of the number of teams involved, estimated changes to be introduced to existing processes or operations, etc.

* Flexibility and customization: a key feature that should be considered in selecting a standard for adoption is its flexibility and ability to be customized. This assists in implementing a customized-approach based on the enterprise needs. Customization is usually done to aid the development of an automated solution for the assessment.

* Others: the existence of suggested controls and control objectives inventories, compliance mandatory or not, is there a certification to acquire after implementation, availability of automated tools and multi-lingual support.

8. Framework selection model

In order to assist in the resolution of the problem resulting from the existence of multiple information security risk management frameworks and standards, we propose a selection model. We strongly believe that if the proposed model is implemented and used effectively it will clarify the ambiguity associated with this issue and help select the appropriate standard/framework. The proposed approach to standard/framework selection is shown in Figure 1.

It is a simple five-step approach that starts with understanding the requirements and documenting the objectives the enterprise wants to achieve. Next, existing frameworks or standards are explored and mapped to the requirements specified in the previous step. The result of this step is a set of potential standards that meet the requirements. Then, we apply the selection considerations discussed earlier to the shortlisted standards. At this point, the decision of what approach to use, customized, hybrid, or none is made. The selected approach is set into implementation taking into consideration all the challenges that were identified in section 3. The output of this step is the program to be used that will be subject to continuous monitoring and evaluation to make sure that it is fulfilling the requirements identified in the first step. Reporting to senior management and metrics evaluation is done in this step as well.

Based on our analysis and research, we put forward some recommendations that, when implemented properly, can add value and consolidate the efforts for advancing this field:

* Spend more efforts to understand existing frameworks: More efforts should be spent to reach comprehensive understanding of the existing information security frameworks. This will assist in building a systematic approach for selecting the best for the enterprise in addition to making it easier to implement and eliminate possible complexities and weaknesses. Deep understanding is important when the enterprise decides to customize a framework to fit into its specific needs.

* Maintaining consistency: Whether the enterprise decided to adopt a standard as is or customized, the information security risk management program must maintain consistency for all aspects. This is imperative especially when implementing customized or hybrid approaches where the need for making sure that no conflicts exist is important. If consistency is not maintained conflicts might result into waste of time, efforts and resources.

* Building local competencies: Enterprises should consider investing in leveraging staff competencies in information security risk assessment. This can be in the form of continuous awareness sessions, training and motivating staff to complete education or acquire degrees in related fields. It is important to notice that the competency needed is not limited to technical knowledge but includes project management and analytical skills as well.


9. Case Study

The key objective of the case study used in this research is to support the proposed model findings and provide an additional evidence through comparing theory with practice in the field of information security risk management. The purpose of this case study is thus to show how the suggested approach can benefit organizations in addressing their technology and information security risks. The case study is related to one of the largest banks in Jordan, namely Al-Ahli Bank that relies heavily on the use of technology. The bank wanted to leverage the maturity of its IT processes and conduct a detailed risk assessment for the existing processes in addition to suggesting areas of improvement. The organization management believed that becoming ISO 27001 certified will address their requirements. The major driver behind their selection for ISO 27001 was increasing marketability. We applied our five step approach and started the engagement with a detailed current state assessment. The understanding was done through one-to-one meetings, questionnaires and group discussions. According to the conducted understanding, the initial requirements were tuned and discussed with management in order to specifically identify detailed objectives to target. We realized that both the IT and the information security entities were not mature and needed improvement. We discussed with management that trying to apply ISO 27001 blindly, in the absence of proper foundations, would not add value to the firm. Based on our detailed understanding of the existing frameworks, the results of the gap analyses conducted, as well as using our proposed model, we decided to use the "Hybrid" approach. We agreed to use ISO 27001 to establish the information security entity. This included mainly the development of all missing policies, processes, and procedures. ISO 27005 was used to conduct the IT risk assessment utilizing the detailed list of controls and control objectives from ISO 27002. To properly establish the IT entity, COBIT was used. COBIT, which focuses on IT governance and alignment of all IT activities with business objectives, was well accepted by the firm's management.

Initially, the company strongly believed that ISO 27001 ISMS implementation would address their IT and information security risks. However, when we applied our five-step approach it turned out that a combination of standards would better satisfy the needs of the company and was of more added value. We provided detailed understanding of what ISMS could provide, and based on the firm's real needs we used different frameworks effectively to achieve the desired objectives. ISMS was used only to establish the information security organization where risk assessment was based mainly on ISO27005. The use of COBIT provided comprehensive evaluation for their IT entity which cannot be separated from the security entity but yet won't be covered or evaluated while using ISMS. Highlighting the importance of aligning IT objectives with business objectives along with providing detailed understanding of the current IT processes effectiveness gave the organization much more than what ISMS alone could do.

As a result, our approach has changed the organization focus from increasing marketability to establishing well structured and robust information security entities that would eventually assist the firm in achieving its business objectives and strategic goals.

10. Conclusion and future work

Risks associated with the use of technology need to be properly managed in order for enterprises to maintain their businesses. Some of the challenges that hinder IT risk assessments were discussed in this paper. In response to these challenges, enterprises tend to adopt best practices and frameworks to assist in conducting consistent assessments. However, the existence of many frameworks and standards adds to the ambiguity and raises the concern of which is better. This paper discussed the most common frameworks used in information security management. Strengths and weaknesses of these frameworks were also discussed. Based on our research and experience, we proposed a selection model along with a set of recommendations to be considered during the selection process. The successful implementation of the proposed solution will contribute to a holistic approach to IT risk management. As a proof of concept, the proposed approach has been applied using a real-life case study, which has proved its adequacy and usefulness.


[1] Symantec, "Symantec Global Internet Security Threat Report Trends for 2008", Symantec's Publications, Vol. XIV, 2009.

[2] CSI, Computer Security Institute,, accessed January 2012.

[3] B. Blakley, McDermott, E., and Geer, D., "Information Security is Information Risk Management", ACM Digital Library, 2002.

[4] Barlette, Y., and Fomin, V., "The Adoption of Information Security Management Standards: A Literature Review", IGI Global, 2009.

[5] Schlarman, S., "Selecting an IT Control Framework", EDPACS, 35(2), 2007.

[6] Sipior, J., and Ward, B., "A Framework for Information Security Management Based on Guiding Standards", Issues in Informing Science and Information Technology, Vol. 5, 2008.

[7] Calder, A., and Watkins, S., IT Governance: A Manager's Guide to Data Security and ISO27001/ISO27002 (4th edition), Kogan Page Limited, UK, 2008.

[8] Government Accountability Office (GAO), "Information Security Risk Assessment: Practices of Leading Organizations", GAO Publications, 1999.

[9] IT Governance Institute (ITGI), COBIT 4.1 (1st edition), ITGI Publication, United States, 2007.

[10] International Standards Organization (ISO), Information Technology--Security Techniques--Information Security Management Systems--Requirements, (1st edition) ISO/IEC Publications, Switzerland, 2005.

[11] Coles-Kemp, L., and Overill, R., "The Information Security Ownership Question in ISO/IEC 27001--an Implementation Perspective", Proceedings of 4th Australian Information Security Management Conference, 2006.

[12] Risk Assessment Accelerator, "Risk Tools Matrix",, accessed January 2012.

[13] Brotby, K., Information Security Governance: A Practical Development and Implementation Approach (1st edition), Willy & Sons, New Jersey, 2009.

[14] NIST Special Publication 800-30, Revision 1, "Guide for Conducting Risk Assessments", 2011,, accessed February 2012

[15] The Open Group, ISO/IEC 27005 Cookbook (1st edition), Open Group, UK, 2010.

[16] Tech Target, "Compliance Topics", http://searchcompliance., accessed January 2012.

[17] International Standards Organization (ISO), Information Technology--Security Techniques -Information Security Risk Management, ISO/IEC Publications, Switzerland, 2008.

[18] Office of Government Commerce (OGC), Passing Your ITIL Foundation Exam, OGC Publication, UK, 2007.

[19] Bruton, N., "The ITIL Experiance: Has it been Worth it?", Bruton Publications, 2004.

[20] Cater-Steel, A., Tan, W., and Toleman, M., "Summary of ITIL Adoption Survey Responses", itSMFAustralia 2006, 2006.

[21] Hornbill Systems, "ITIL: State of the Nation Survey Findings", Hornbill Systems Publications, 2009.

[22] ISACA, "COBIT 4.1 Case Studies",, accessed January 2012.

[23] ISACA, Risk IT Framework (1st edition), ISACA Publication, United States, 2009.

[24] Bank of International Settlements (BIS). "Basel II",, accessed January 2012.

[25] ISACA, IT Control Objectives for Basel II: the Importance of Governance and Risk Management for Compliance (1st edition), ISACA Publication, United States, 2007.

[26] Payment Card Industry Council (PCI-Council), PCI DSS 2.0, PCI Council Publication, United States, 2010.

[27] Software Engineering Institute (SEI), Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process, SEI Publication, 2007.

[28] Knappeat, K.J., Cyber Security and Global Information Assurance: Threat Analysis and Response Solutions, IGI Global, United States, 2009.

[29] IT Governance Institute (ITGI), COBIT 4.1 Quick Start (2nd edition), ITGI Publication, United States, 2007.

Walid Al-Ahmad and Bassil Mohammad *

Department of Software Engineering, King Saud University--Saudi Arabia

* Ernst and Young, Jordan, *
COPYRIGHT 2012 The Society of Digital Information and Wireless Communications
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2012 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Ahmad, Walid Al-; Mohammad, Bassil
Publication:International Journal of Digital Information and Wireless Communications
Article Type:Report
Date:Jul 1, 2012
Previous Article:MobileQuiz--a lecture survey tool using smartphones and QR tags.
Next Article:When is a student-centered, technology supported learning a success?

Terms of use | Privacy policy | Copyright © 2022 Farlex, Inc. | Feedback | For webmasters |