include hardware, software and network as well as people and facilities playing a
role in the IS and therefore in its security, e.g., people encoding data, and arguably
such things as the air conditioning of a server room. All of these are subject to risks,
and those risks have to be evaluated with respect to the IS properties that could
be damaged. Those properties include confidentiality, integrity and availability of
information and/or processes in an organisation [23]:
Confidentiality is the property that information is not made available or disclosed
to unauthorised individuals, entities, or processes.
Integrity is the property of safeguarding the accuracy and completeness of assets.
Availability is the property of being accessible and usable upon demand by an
authorised entity.
Some other criteria like authenticity, non-repudiation or accountability [23]
might be added when the context requires, but they are usually deemed secondary.
Summing up, the objective of ISSRM is to protect the essential constituents of an IS
from all harm to their security (confidentiality, integrity, availability).
3.2 Risk Management Standards, Methods and Studies
The first family of sources that we review are RM standards. Those documents
typically contain general considerations about RM and form the basis upon which
domain-specific RM approaches are built.
ISO/IEC Guide 73 [22]: This guide defines the RM vocabulary and guidelines for
use in ISO standards. It mainly focuses on terminology, which is of great interest
with respect to our research method.
AS/NZS 4360 [3]: This joint Australian/New Zealand standard provides a
generic guide for RM. The document proposes an overview of the RM terminology
and process.
The second family of sources consists of (IS and IT) security standards. The selected
documents often contain a section on security-specific terminology, and some of
them also mention RM concepts.
ISO/IEC 27001 [25]: The purpose of this standard is to act as a reference for
establishing, implementing, operating, monitoring, reviewing, maintaining and
improving an Information Security Management System (ISMS), that is, the part
of an organisation that is concerned with information security. The principles and
terminology related to an ISMS are provided.
ISO/IEC 13335-1 [23]: This standard is the first of the ISO/IEC 13335 guidelines
series that deals with the planning, management and implementation of
IT security. It describes concepts and principles of IT security that may be
applicable to different organisations.