
Information security risk assessment and mitigation strategies development - Thesis Proposal Example

Summary
This research “Information security risk assessment and mitigation strategies development” is focused on considering strategic steps of security management taken in case potential information hazards may occur. Information technologies play a crucial role in the life…

Extract of sample "Information security risk assessment and mitigation strategies development"

The importance of information technology cannot be denied nowadays. This proposal concerns the study of information security risk assessment and mitigation strategies development. The suggested risk assessment strategy is proposed as a universal paradigm for measuring potential risk occurrence and is positioned as a universal principle relevant to any organization.

Introduction

Currently, information technologies play a crucial role in the life and activities of any organization. Every company in the modern world is subject to external threats from hackers or third parties violating the security of the data it holds. Therefore, it is relevant for any company to develop a security risk assessment and mitigation strategy to protect data from potential external risk. In order to facilitate the process of security risk assessment and mitigation with regard to information security, it is relevant to work out a mechanism for dealing with the potential hazard of data theft from any company. On the basis of modern studies, it is relevant to develop a holistic strategy for data security provision that would be based on principles applicable to any company.

Research question

This research is focused on considering the strategic steps of security management taken in case potential information hazards occur. The research question is the following: “How is it possible for any organization to improve and apply effective information security risk assessment and mitigation strategies?” Moreover, it is further suggested how to work out a security risk assessment process. Therefore, a practical aspect of security management is correlated with recent theoretical findings presented in contemporary research and studies.

Goal of research

This research has been mainly developed for the needs of organizations requiring improvement of information security risk assessment and mitigation strategies.
This research is relevant from a practical point of view. Though it is based on recent research and findings in the field of information security, it brings in an innovative vision of the role of information security and of the strategies directed at dealing with it.

Research Hypothesis

Further research is focused on the idea that the information security of military and intelligence departments should be protected from cyber attacks and other online hazards, or from any negative impact of the virtual world on information that, if violated, would be destructive for the company. Thus, it is supposed that security risk management is an integral part of any modern organization. Data security provision is an inevitable step taken by an organization for the prevention of potential hazards or threats.

The research importance

This research project is focused on modern companies chosen at random in order to develop a risk management strategy concerning data security within the companies. A further attempt is made to evaluate the level of information security risk and to suggest risk mitigation strategies applied for different companies (on the example of Deloitte consultancy).

Definition of terms

Information security – the process of protecting information. It is focused on protecting information availability, privacy and integrity.

Risk assessment – identification and evaluation of risks in a certain situation in comparison with a standard situation.

Risk mitigation strategies – a systematic reduction of risk exposure.

Literature review

The potential risk to information security is an issue that has to be considered throughout the life and activity of the company.
Therefore, the current attention of researchers and scientists to the ways of developing mitigation strategies is justified in the framework of risk management (Gary Stoneburner, 2002). On the basis of recent research and studies, IT security issues are considered as “a part of the risk management process and in fact it is the first and foremost process of the risk management process, in this process the organization basically identifies the extent and the magnitude of any potential threat related to the information technology systems and processes in a company like the inventory system, and the data encapsulation and data hiding process” (Gary Stoneburner, 2002). Moreover, it is relevant for any organization to be well equipped with a special network and hardware providing information security. The next step important for the provision of information security should be outlined in terms of security awareness.

Research methodology and approach

Information security risk assessment and mitigation strategies will be further discussed on the example of Deloitte consultancy and the information security risk assessment and mitigation strategies implied by the company. A qualitative approach is applied. Thus, on the basis of empirical data obtained from books and journals, the security risk assessment process is considered further on. The most effective risk mitigation strategies consist of firewalls and intrusion detection systems (Team, 2005).

Research Methods

A twofold analysis of information security risk assessment and the mitigation strategies is implemented on the basis of questionnaires filled in by risk managers of Deloitte consultancy. In accordance with a detailed analysis of the information risk assessment process, a set of nine steps will be developed in order to measure steps decreasing risk by applying different security measures.
Discussion

As a result of the study conducted, the security risk assessment follows these steps:

1. The character of the system is identified.
2. Potential threats are identified.
3. System vulnerability is identified.
4. Control measures are applied.
5. Possibility of further threat occurrence is determined.
6. Threat impact is determined.
7. System risk identification.
8. Risk control policies are recommended.
9. The result is documented.

These are steps that were developed in accordance with the needs of Deloitte and can supposedly be applied to any organization.

Figure 1: security risk assessment process

At the second stage of the research conducted, security risk mitigation strategies are developed. It is relevant to note that the harm caused to the system may be of different extent, and security risk mitigation strategies need to be implemented in accordance with it. A risk mitigation strategy should be a cost-saving one, and the primary concern for risk managers is to decrease risk occurrence. Damage and harm that may occur as a result of risk occurrence should be addressed by risk mitigation strategies. Therefore, the suggested information security risk assessment and mitigation strategies are relevant to any organization and prove the practical aspect and universality of the developed strategies.

Timescale

1. Research question, goals, methodology development (1 week).
2. Theoretical background collection – 2 weeks.
3. The process of strategies development – 1 week.
4. Results analysis – 10 days.
5. Conclusions and recommendations development – 1 week.

Limitation of research

The abundance of research in the field of security risk assessment and mitigation strategies is the first challenge for a researcher trying to reveal something new in this field. Another drawback is the lack of time for a proper analysis and for conducting the research across different organizations.
Practical Implementation of the research

The processes of information security risk assessment and mitigation strategies are relevant to the majority of organizations. Therefore, it is relevant to develop a number of special steps taken by risk managers of the company to mitigate risks and hazards of potential risk occurrence. Moreover, the information security risk assessment suggested in this research can be applied to any organization and should be considered as a first attempt to unify risk assessment strategies relevant to any type of organization.

Works Cited

Alan Calder & Steve Watkins, S. G. (2010). Information Security Risk Management for ISO27001/ISO27002. IT Governance Ltd.

Andy Jones, D. A. (2005). Risk management for computer security: Protecting your network and information assets. Butterworth-Heinemann.

Bob Blakley, E. M. (2002). Information Security is Information Risk Management. NSPW'01, 97-104.

Deloitte. (n.d.). IT Risk Assessment Methodology. Retrieved 5 24, 2011, from www.deloitte.com: http://www.deloitte.com/view/en_GR/gr/services/enterprise-risk-services/tools/it-risk-assessment-methodology/index.htm

Gary Stoneburner, A. G. (2002). Risk management guide for information technology system. NIST special publication, 1-55.

Hoh Peter In, Y.-G. K.-J. (2005). A Security Risk Analysis Model for Information Systems. AsiaSim, 505-513.

Jake Kouns, D. M. (2010). Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams. Wiley-Interscience.

Rees, J. J. (n.d.). Value at Risk: A methodology for Information Security Risk Assessment. Krannert Graduate School of Management, Purdue University.

Team, M.-S. I. (2005). Malware Threats and mitigation strategies. US-CERT Informational Whitepaper, 1-10.

Voss, A. L. (2004). Information Security Risk Assessment, Aggregation, and Mitigation. ACISP, 391-401.