
1. ICT Risk Sample Methodology

This paper applies the information security model to primary data. Because of time
and resource constraints, using an existing model is the only practical way to apply
the conceptual framework to real-world data. Employees of the organization will be
given a set of questions, and each response will be one of the available options. Each
indicator will be scored on the impact and likelihood scales shown in Table 1 and
Table 2 below, and a mathematical model will then be used to determine the final
information security level of the organization.

Table 1 : Impact Score and Criteria

Criteria   Very High   High   Medium   Low   Very Low
Score          5         4       3       2       1

Table 2 : Likelihood Score and Criteria

Criteria   Very High   High   Medium   Low   Very Low
Score          5         4       3       2       1

1.1. Data Collection Technique


Primary data will be collected from various IT colleges. Questionnaires will be
prepared and the inputs collected from the head of information security of each
college. Each question will be presented with a fixed set of alternatives.

1.2. ISMS Contexts
Questions will be administered to measure the strength of all six ISMS factors in a college.
➢ Context of the college: this factor determines the external and internal issues that
are relevant to the college's purpose and that affect its ability to achieve the
intended outcome(s) of its information security management system.
➢ Leadership: this factor helps to ensure that the information security management
system requirements are integrated into the organization's processes, and that
the importance of effective information security management and of conforming
to the information security management system requirements is communicated.
➢ Planning and risk management: this factor helps to ensure that the information
security management system can achieve its intended outcome(s). It also helps
to prevent, or reduce, undesired effects and to achieve continual improvement, and
it ensures that repeated information security risk assessments produce
consistent, valid and comparable results.
➢ Support and resources: this factor determines the necessary competence of
person(s) doing work under the organization's control that affects its information
security performance, and ensures that appropriate documented information is
retained as evidence of competence.
➢ Operation and performance evaluation: the organization shall keep documented
information to the extent necessary to have confidence that the processes have
been carried out as planned. The organization shall control planned changes and
review the consequences of unintended changes, taking action to mitigate any
adverse effects as necessary. The organization determines what needs to be
monitored and managed, including information security processes and controls.

➢ Improvement: this factor evaluates the need for action to eliminate the causes of
nonconformity.
Table 3 : Question Structure

S.No   Questionnaire Based on                  No of Questions
1      Context                                 3
2      Leadership                              4
3      Planning and Risk Assessment            10
4      Support and Resources                   2
5      Operation and Performance Evaluation    4
6      Improvement                             7

1.3. Mathematical Model of Risk Level

The standard formula for the calculation of risk is

$$\text{Risk} = \text{Impact} \times \text{Likelihood}$$

Where:
Impact = a measure of the effect of an event
Likelihood = a measure of how likely it is that a particular event will occur.

For the calculation, the impact of a criterion is the estimated level of effect assigned
to that indicator, and its likelihood is the mean of the likelihood levels reported by
the surveyed colleges. For criterion $j$:

$$\text{Impact}_j = \text{level of estimated effect}$$

$$\text{Likelihood}_j = \frac{1}{n}\sum_{i=1}^{n} X_{ij}$$

$$\text{Risk}_j = \text{Impact}_j \times \text{Likelihood}_j$$

Where:
$X_{ij}$ = level of estimated likelihood for criterion $j$ reported by college $i$,
$n$ = total number of colleges.

Since both factors are scored on the 1 to 5 scale of Table 1 and Table 2, each
$\text{Risk}_j$ lies between 1 and 25.

The final risk level is calculated by simply taking the average of the risk score over
every criterion.
Hence,

$$\text{Final Risk Level} = \frac{1}{t}\sum_{j=1}^{t} \text{Risk}_j$$

Where:
$t$ = total number of criteria in the questionnaire.

1.4. Risk Level Analysis

To analyze the risk level obtained from the mathematical model above, a risk threshold
chart is used. The chart classifies the obtained risk value into a level of risk such as
low risk, moderate risk or high risk.

The risk value obtained for each domain is plotted separately on the chart, so that the
stronger and weaker aspects of the college's IT security can be identified.
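As an added worked example (not code from the original paper), the following Python script carries the model of sections 1.3 and 1.4 through on a constructed data set: three colleges and six indicators from two ISMS domains, with impact levels taken in the style of Table 4. The per-indicator likelihood is the mean of the colleges' scores, risk is impact times likelihood, the per-domain value is the mean of its indicators' risks, and the final risk level is the mean over all criteria. The questionnaire responses are constructed, not survey data, and the low / moderate / high cut-offs are an assumption, since the paper names the levels but gives no numeric thresholds.

```python
"""Worked example of the risk model in sections 1.3 and 1.4 (added example, not
the paper's code). Per criterion j:  Risk_j = Impact_j x Likelihood_j, with
Likelihood_j the mean of the colleges' scores X_ij. The final risk level is the
mean of Risk_j over all t criteria; a per-domain mean gives the input to the
threshold chart of 1.4. Data below is constructed; thresholds are assumed."""

SCORE_MIN, SCORE_MAX = 1, 5  # Very Low .. Very High, as in Tables 1 and 2

# Indicator names, spelled as in Table 4 (a subset, for brevity).
FRAMEWORK = "INFORMATION SECURITY FRAMEWORK"
RESPONSIBILITY = "INFORMATION SECURITY RESPONSIBILITY"
EDUCATION = "INFORMATION SECURITY EDUCATION"
IDS = "USAGE OF LOCAL INTRUSION DETECTION SYSTEM (IDS)"
VPN = "USAGE OF VIRTUAL PRIVATE NETWORK (VPN)"
PENTEST = "PENETRATION TESTING"

# Impact level per indicator, grouped by ISMS domain (levels as in Table 4).
IMPACT = {
    "Context of the college": {FRAMEWORK: 5, RESPONSIBILITY: 4, EDUCATION: 2},
    "Operation and Performance Evaluation": {IDS: 2, VPN: 1, PENTEST: 2},
}

# Constructed questionnaire responses: likelihood score X_ij chosen by the head
# of information security of college i for indicator j (not real survey data).
RESPONSES = {
    "College A": {FRAMEWORK: 3, RESPONSIBILITY: 5, EDUCATION: 2, IDS: 4, VPN: 1, PENTEST: 5},
    "College B": {FRAMEWORK: 4, RESPONSIBILITY: 3, EDUCATION: 2, IDS: 5, VPN: 3, PENTEST: 5},
    "College C": {FRAMEWORK: 2, RESPONSIBILITY: 4, EDUCATION: 5, IDS: 3, VPN: 2, PENTEST: 5},
}

# Assumed threshold chart: the paper names low / moderate / high but gives no
# cut-offs. Risk ranges from 1 to 25 when both factors are on the 1..5 scale.
LOW_BELOW, HIGH_FROM = 8.0, 15.0


def check_score(score):
    """Reject a score outside the 1..5 scale before it skews an average."""
    if not isinstance(score, int) or not SCORE_MIN <= score <= SCORE_MAX:
        raise ValueError(f"score {score!r} is outside {SCORE_MIN}..{SCORE_MAX}")
    return score


def likelihood(indicator, responses=RESPONSES):
    """Likelihood_j = (1/n) * sum_i X_ij over the n colleges that answered."""
    scores = [check_score(r[indicator]) for r in responses.values() if indicator in r]
    if not scores:
        raise ValueError(f"no responses for {indicator!r}")
    return sum(scores) / len(scores)


def criterion_risks(impact=IMPACT, responses=RESPONSES):
    """Risk_j = Impact_j x Likelihood_j for every indicator, keyed by domain."""
    return {
        domain: {ind: check_score(level) * likelihood(ind, responses)
                 for ind, level in indicators.items()}
        for domain, indicators in impact.items()
    }


def domain_risk_levels(impact=IMPACT, responses=RESPONSES):
    """Mean criterion risk per ISMS domain: the per-domain value plotted in 1.4."""
    return {domain: sum(r.values()) / len(r)
            for domain, r in criterion_risks(impact, responses).items()}


def final_risk_level(impact=IMPACT, responses=RESPONSES):
    """Final Risk Level = (1/t) * sum_j Risk_j over all t criteria. Averaging the
    criteria directly differs from averaging the domain means when the domains
    contain unequal numbers of indicators."""
    risks = [r for per_domain in criterion_risks(impact, responses).values()
             for r in per_domain.values()]
    return sum(risks) / len(risks)


def classify(risk, low_below=LOW_BELOW, high_from=HIGH_FROM):
    """Map a risk value onto the assumed low / moderate / high threshold chart."""
    if risk < low_below:
        return "low"
    if risk >= high_from:
        return "high"
    return "moderate"


if __name__ == "__main__":
    for domain, level in domain_risk_levels().items():
        print(f"{domain}: {level:.2f} -> {classify(level)}")
    total = final_risk_level()
    print(f"Final risk level: {total:.2f} -> {classify(total)}")
```

With the constructed responses the Context domain averages 12.33 (moderate), the Operation and Performance Evaluation domain 6.67 (low), and the final risk level over all six criteria is 9.5 (moderate). `check_score` is there because a single out-of-scale response, for instance a 0 used for "not answered", would silently drag an average down; the model should reject it rather than average it in.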

2. Impact Values of Indicators

The impact values of the indicators, based on the ISO standard from which the
questionnaire was derived, are presented below. Table 4 lists more indicators per
domain than the question counts given in Table 3, so the two tables do not
correspond one to one.
Table 4 : Score of the Contexts

Context                        Indicator                                                            Impact
Context of the college         INFORMATION SECURITY FRAMEWORK                                       5
                               INFORMATION SECURITY RESPONSIBILITY                                  4
                               FAMILIARITY OF INFORMATION SECURITY AMONG DEDICATED STAFF MEMBERS   3
                               INFORMATION SECURITY EDUCATION                                       2
Leadership                     CLASSIFICATION AND PROTECTION OF INFORMATION                         5
                               SECURITY TEAM                                                        4
                               TYPES OF HANDLED INFORMATION AND APPLICABLE REGULATION               3
                               CONTACT WHEN HACKED                                                  5
Planning and Risk Assessment   TRANSMITTING, STORING AND HANDLING SENSITIVE INFORMATION             4
                               PREVENTION OF UNAUTHORIZED ACCESS OF INFORMATION STORED ON MEDIA     4
                               ENSURE AUTHORIZED ACCESS                                             4
                               PROTECTION USING CRYPTOGRAPHY                                        5
                               POLICIES FOR WEBSITE VISITS                                          3
                               CRITICAL DATA STORAGE                                                4
                               SECURE DISPOSAL OF SENSITIVE INFORMATION                             3
                               BROWSING OR DOWNLOAD FROM TRUSTED SITES                              3
                               ABIDE LICENSE/COPYRIGHT LAWS WHEN DOWNLOADING                        2
                               ENCOUNTERED WITH VIRUS OR TROJAN ON COMPUTER NETWORK                 4
                               LOSS OF INFORMATION WHILE FORMATTING HARD DRIVE                      5
                               WORK FROM HOME USING PERSONAL COMPUTER                               3
                               LOGGING IN TO WORK ACCOUNT USING PUBLIC NETWORK                      4
                               PROTECTION AGAINST SOCIAL ENGINEERING, PHISHING, CYBERCRIME          5
                               VIOLATION OF POLICY AND REGULATION USING THIRD PARTY STORAGE         3
                               BUSINESS PLAN AND RESPONSIBILITY                                     3
                               EFFECTIVE EVALUATION OF SAFETY PLAN                                  4
Support and Resources          PROTECTION OF INFORMATION AND ITS FACILITIES AGAINST MALWARE         4
                               PROTECTION AGAINST LOSS OF DATA                                      5
                               STORAGE OF SENSITIVE DATA IN SECURED LOCATION                        4
                               INTERNET CONNECTION                                                  2
                               AMOUNT SPENT ON ANTI-VIRUS                                           4
                               SUDDEN SHUTDOWN OF INTERNET                                          3
Operation and Performance      DEPARTMENT OF INFORMATION SECURITY PERFORMS INFORMATION              3
Evaluation                     SECURITY BASED ASSESSMENT
                               USAGE OF LOCAL INTRUSION DETECTION SYSTEM (IDS)                      2
                               USAGE OF LOCAL INTRUSION PREVENTION SYSTEM (IPS)                     3
                               USAGE OF VIRTUAL PRIVATE NETWORK (VPN)                               1
                               PENETRATION TESTING                                                  2
Improvement                    REGULAR REVIEW OF INFORMATION SECURITY POLICIES                      2
                               REGULAR UPDATE OF INFORMATION SECURITY POLICIES                      3
                               EMPLOYEE TRAINING TO RAISE AWARENESS ABOUT INFORMATION SECURITY      3
                               DIFFICULTY IN CONVINCING                                             2
                               INFORMATION OF NEW FORMS OF INFORMATION SECURITY ATTACKS             5
                               TOOLS USED TO DETECT ATTACKS                                         4
                               INVESTMENT IN SECURITY SOLUTION                                      2
