methods was proposed. Our work has a different scope, that is, ISSRM. Here, the core concept to consider is risk. Yet, risk is not an isolated concept. A risk (i) depends on the security needs placed on the IS assets and (ii) is the subject of risk treatments. These are the concepts that we include in our first iteration on step 1, but our scope is likely to expand along the way. Conversely, specific usages of our concept alignment table could consider only subsets of it if not all concepts are needed.
4.2 Overview of the Alignment Table
In this section, we analyse the concept of risk starting from the definitions found in standards; RM methods and RE security frameworks are addressed in [38]. Content-wise, we focus on the notion of risk and its associated components. Risk-related
considered.
4.2.1 Risk Management Standards
ISO Guide 73 gives the following definition of a risk:

Risk: combination of the probability of an event and its consequence.

AS/NZS 4360 proposes a similar definition in its glossary:

Risk: the chance of something happening that will have an impact on objectives
NOTE 1: A risk is often specified in terms of an event or circumstance and the consequences that may flow from it.
Both sources indicate that a risk is composed of two related elements: a cause, called event or "something happening"; and a consequence, also called impact. This consideration is valid in all risk-related domains. To refine our analysis, we compare the above definitions with the ones from the security domain.
4.2.2 Security Related Standards
In ISO/IEC 27001 [25], the concept of risk is not present in the glossary, but in an excerpt of the standard presenting the risk identification step, we find:

Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
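To make the alignment between the two families of definitions concrete, the following Python model is an added example (not code from the paper or from any standard). It records the four ISO/IEC 27001 identification steps quoted above (assets and owners, threats, vulnerabilities, CIA impacts) and then re-expresses each identified risk in the two terms of ISO Guide 73 and AS/NZS 4360: the event (cause) and its consequence. The 1..5 likelihood scale, the 0..5 impact scale, the choice of the worst CIA loss as the consequence, the product as the "combination" of probability and consequence, and the sample register entries are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """Step 1: an asset within the ISMS scope, together with its owner."""
    name: str
    owner: str


@dataclass(frozen=True)
class Threat:
    """Step 2: a threat to an asset; this is the 'event' of ISO Guide 73.
    likelihood is a constructed 1..5 ordinal scale (assumption)."""
    name: str
    likelihood: int


@dataclass(frozen=True)
class Vulnerability:
    """Step 3: a weakness that the given threat might exploit."""
    description: str
    exploitable_by: Threat


@dataclass(frozen=True)
class Impact:
    """Step 4: impact of losing confidentiality, integrity or availability,
    each on a constructed 0..5 scale (assumption)."""
    confidentiality: int
    integrity: int
    availability: int

    def consequence(self) -> int:
        # Assumption: the consequence of the event is the worst of the three losses.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Risk:
    """A risk links the four identified elements for one asset."""
    asset: Asset
    vulnerability: Vulnerability
    impact: Impact

    @property
    def event(self) -> Threat:
        # The cause side of the risk is the threat that exploits the vulnerability.
        return self.vulnerability.exploitable_by

    def level(self) -> int:
        # ISO Guide 73 combines probability and consequence; the product is
        # one common way to do that combination (assumption).
        return self.event.likelihood * self.impact.consequence()


def guide73_view(risk: Risk) -> Dict[str, object]:
    """Express an ISO/IEC 27001-style risk in the two terms shared by
    ISO Guide 73 and AS/NZS 4360: the event (cause) and its consequence."""
    return {
        "event": risk.event.name,
        "probability": risk.event.likelihood,
        "consequence": risk.impact.consequence(),
    }


def rank_risks(risks: List[Risk]) -> List[Tuple[str, int]]:
    """Return (asset name, risk level) pairs, highest level first."""
    return sorted(((r.asset.name, r.level()) for r in risks),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample register (assumptions, not data from any standard).
CREDENTIAL_STUFFING = Threat("credential stuffing", likelihood=4)
VOLUMETRIC_DDOS = Threat("volumetric DDoS", likelihood=3)

SAMPLE_RISKS = [
    Risk(
        asset=Asset("customer database", owner="DBA team"),
        vulnerability=Vulnerability("password-only login with no lockout",
                                    exploitable_by=CREDENTIAL_STUFFING),
        impact=Impact(confidentiality=5, integrity=2, availability=1),
    ),
    Risk(
        asset=Asset("public website", owner="marketing"),
        vulnerability=Vulnerability("no rate limiting at the network edge",
                                    exploitable_by=VOLUMETRIC_DDOS),
        impact=Impact(confidentiality=0, integrity=0, availability=4),
    ),
]

if __name__ == "__main__":
    for name, level in rank_risks(SAMPLE_RISKS):
        print(f"{name}: level {level}")
    print(guide73_view(SAMPLE_RISKS[0]))
```

The point of `guide73_view` is the alignment itself: the 27001 identification steps name four things, while Guide 73 and AS/NZS 4360 name two, and the mapping is threat to event and CIA impact to consequence, with the asset and the vulnerability serving as the context that makes the event possible. Whatever scale or combination rule an organisation actually uses belongs in `Threat.likelihood`, `Impact.consequence` and `Risk.level`; the rest of the model does not depend on it.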