Information Security Risk Management Framework for A Governmental Educational Institute
DOI: https://doi.org/10.24191/jikm.v13i1.4714
Keywords: Information security risk management, ISO/IEC 27005, ECC, Regulatory Compliance, information management
Abstract
As the use of technology increases, so do the risks associated with it. Organizations therefore need an information security risk management framework as a defense mechanism against these risks. This paper discusses the available information security risk management approaches, with an emphasis on the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27005 method, and proposes an information security risk management framework suited to a governmental educational institute in Saudi Arabia. The framework is designed and implemented for a governmental educational institute that lacks adequate information security risk management and is out of compliance with Saudi Arabia’s Essential Cybersecurity Controls (ECC). Within this framework, 34 application assets have been analyzed and 37 controls have been recommended in order to meet the minimum requirements of the ECC.
References
Agrawal, V. (2017, June). A framework for the information classification in ISO 27005 standard. In 2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud) (pp. 264-269). IEEE.
Aleksandrova, S. V., Vasiliev, V. A., & Aleksandrov, M. N. (2020, September). Problems of implementing information security management systems. In 2020 International Conference Quality Management, Transport and Information Security, Information Technologies (IT&QM&IS) (pp. 78-81). IEEE.
Alshareef, N. (2016). A Model for an Information Security Risk Management (ISRM) Framework for Saudi Arabian Organisations. International Association for Development of the Information Society.
Badamasi, B., & Utulu, S. C. A. (2021). Framework for Managing Cybercrime Risks in Nigerian Universities. arXiv preprint arXiv:2108.09754.
Bakar, N. A. A., Ramli, W. M. W., & Hassan, N. H. (2019). The internet of things in healthcare: an overview, challenges and model plan for security risks management process. Indonesian Journal of Electrical Engineering and Computer Science (IJEECS), 15(1), 414-420.
Bergström, E., Lundgren, M., & Ericson, Å. (2019). Revisiting information security risk management challenges: a practice perspective. Information & Computer Security.
Brunner, M., Sauerwein, C., Felderer, M., & Breu, R. (2020). Risk management practices in information security: Exploring the status quo in the DACH region. Computers & Security, 92, 101776.
Chapman, J. (2019). How Safe is Your Data?: Cyber-security in Higher Education (Vol. 12, pp. 1-6). Oxford, UK: Higher Education Policy Institute.
Custer, W. L. (2010). Information security issues in higher education and institutional research. New Directions for Institutional Research, 146, 23-49.
Fahrurozi, M., Tarigan, S. A., Tanjung, M. A., & Mutijarsa, K. (2020, October). The Use of ISO/IEC 27005:2018 for Strengthening Information Security Management (A Case Study at Data and Information Center of Ministry of Defence). In 2020 12th International Conference on Information Technology and Electrical Engineering (ICITEE) (pp. 86-91). IEEE.
Fenz, S., Ekelhart, A., & Neubauer, T. (2011). Information security risk management: In which security solutions is it worth investing? Communications of the Association for Information Systems, 28(1), 22.
Fenz, S., Heurix, J., Neubauer, T., & Pechstein, F. (2014). Current challenges in information security risk management. Information Management & Computer Security, 22(5), 410-430.
Framework for higher education institutions in Saudi Arabia. PeerJ Computer Science, 7, e703.
Grishaeva, S. A., & Borzov, V. I. (2020, September). Information security risk management. In 2020 International Conference Quality Management, Transport and Information Security, Information Technologies (IT&QM&IS) (pp. 96-98).
Hamit, L. C., Sarkan, H. M., Azmi, N. F. M., & Naz’ri, M. Adopting an ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients from Data Theft. IEEE.
ISO. ISO/IEC 27005:2018. Information technology — Security techniques — Information security risk management. [online] Available: https://www.iso.org/standard/75281.html
Kaspersky Lab (2020). Available at: https://www.kaspersky.ru
Lanz, J., & Sussman, B. I. (2020). Information Security Program Management in A COVID-19 World. The CPA Journal, 90(6), 28-36.
Monev, V. (2021, September). The "Self-Assessment" Method within a Mature Third-Party Risk Management Process in the Context of Information Security. In 2021 International Conference on Information Technologies (InfoTech) (pp. 1-7). IEEE.
National Cybersecurity Authority (2018). Essential Cybersecurity Controls (ECC1:2018). Saudi Arabia, p. 40.
Nunes, S. (2019). Information Security Risk Management: A Systematic Literature Review. Journal of Information System Security, 15(3).
Putra, I. M. M., & Mutijarsa, K. (2021, April). Designing information security risk management on bali regional police command center based on ISO 27005. In 2021 3rd East Indonesia Conference on Computer and Information Technology (EIConCIT) (pp. 14-19). IEEE.
Putra, S. J., Gunawan, M. N., Sobri, A. F., Muslimin, J. M., & Saepudin, D. (2020, October). Information Security Risk Management Analysis Using ISO 27005:2011 For The Telecommunication Company. In 2020 8th International Conference on Cyber and IT Service Management (CITSM) (pp. 1-5). IEEE.
Safonova, O. M., Lontsikh, N. P., Golovina, E. Y., Elshin, V. V., & Koniuchov, V. Y. (2020, September). Methodology for Creating, Implementing and System Effectiveness Evaluation of the Business Processes' Information Security System. In 2020 International Conference Quality Management, Transport and Information Security, Information Technologies (IT&QM&IS) (pp. 127-131). IEEE.
Semin, V. G., Shmakova, E. G., & Los, A. B. (2017). The information security risk management. In 2017 International Conference "Quality Management, Transport and Information Security, Information Technologies" (IT&QM&IS) (pp. 106-109).
Sensuse, D. I., Syahrizal, A., Aditya, F., & Nazri, M. (2020, November). Information Security Risk Management Planning of Digital Certificate Management Case Study: Balai Sertifikasi Elektronik. In 2020 Fifth International Conference on Informatics and Computing (ICIC) (pp. 1-7). IEEE.
Singh, U. K., & Joshi, C. (2017). Information Security Risk Management Framework for University Computing Environment. Int. J. Netw. Secur., 19(5), 742-751.
Wangen, G., Hallstensen, C., & Snekkenes, E. (2018). A framework for estimating information security risk assessment method completeness: Core Unified Risk Framework, CURF. International Journal of Information Security, 17, 681-699.
Wei, Y. C., Wu, W. C., & Chu, Y. C. (2018). Performance evaluation of the recommendation mechanism of information security risk identification. Neurocomputing, 279, 48-53.
Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2010, June). Information security risk management framework for the cloud computing environments. In 2010 10th IEEE International Conference on Computer and Information Technology (pp. 1328-1334). IEEE.
Zhang, Z. (2020, December). A New Method for information security risk management in big data environment. In 2020 2nd International Conference on Information Technology and Computer Application (ITCA) (pp. 1-4). IEEE.
License
Copyright (c) 2023 Fajer Al-Mudaires, Aida Al-Samawi, Ahmed Aljughaiman, Liyth Nissirat
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Copyright of articles that appear in the journal belongs exclusively to Faculty of Information Management, Universiti Teknologi MARA (Publisher). This copyright covers the rights to reproduce the article, including reprints, electronic reproductions or any other reproductions of similar nature.