4 Data Collection and Research Instrument
Information security assessment is defined by the U.S. Department of Commerce,
National Institute of Standards and Technology (NIST), in a 2008 publication entitled
Technical Guide to Information Security Testing and Assessment [10]. NIST defines
information security assessment as "the process of determining how effectively an
entity being assessed (e.g., host, system, network, procedure, person - known as the
assessment object) meets specific security objectives". NIST also guides
organizations in their information security assessments by describing the available
assessment methods. According to NIST [10], three assessment methods (testing,
examining and interviewing) can be used for information security assessments. Of
these, two were used in this study to gather data about information security
approaches in the defense industry organization: examining, which NIST defines as
"the process of checking, inspecting, reviewing, observing, studying, or analyzing one
or more assessment objects to facilitate understanding, achieve clarification, or obtain
evidence", and interviewing.
In line with the study's research design and objectives, data were gathered via an
assessment tool and structured individual interviews with information security
experts who work in the defense industry organization. Also in line with the research
objectives, legal regulations, assessment tools, and information security standards were
reviewed. As a result of these reviews, the Information Security Assessment Tool for
State Agencies was chosen for analysis. It is derived from the Information Security
Governance Assessment Tool for Higher Education, which EDUCAUSE developed in
2004 to support the Information Security Governance recommendations of the U.S.
National Cyber Security Partnership Corporate Governance Task Force.
The Information Security Assessment Tool for State Agencies was developed with the
aim of evaluating the people, process, and technology components of cyber security
[11]. The tool is also viewed as an indicator of the maturity of an organization's
information security program. Its sections can be divided into two main parts: the
organization's reliance on information technology, and the maturity of its information
security governance.
The assessment tool consists of five sections and a scoring tool. Each section has
multiple choice and/or Likert scale questions (0 - Not implemented, 4 - Fully
implemented). The quantitative data presented in this study were gathered via the
additional information areas that the assessment tool provides for every question. The
five sections of the tool are organizational reliance on IT, risk management, people,
processes and technology. In addition, the scoring tool section provides the total
score of each section and reflects the organization's general level. Accordingly, the
results obtained from the scoring tool were evaluated under the "general overview"
title according to percentage values.
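The page describes the instrument's scoring tool only in outline (five sections, Likert items scored 0 to 4, section totals, percentage values). The following Python script is an added illustration, not the EDUCAUSE tool or the study's own scoring sheet: it assumes a percent-of-maximum scheme in which each section's total is divided by the maximum attainable for the items actually answered, with unanswered items excluded and out-of-range answers rejected. The section names are those listed above; the item counts and responses are constructed.

```python
"""Section-wise percentage scoring for a Likert-scale assessment (constructed example).

Assumed scheme: section score = sum of answered items / (answered items * 4).
"""
from dataclasses import dataclass

LIKERT_MIN, LIKERT_MAX = 0, 4  # 0 = Not implemented ... 4 = Fully implemented

# Section names as given on the page; the number of items per section is assumed.
SECTIONS = (
    "Organizational reliance on IT",
    "Risk management",
    "People",
    "Processes",
    "Technology",
)


@dataclass
class SectionResult:
    name: str
    total: int      # sum of Likert answers
    maximum: int    # answered items * LIKERT_MAX

    @property
    def percent(self) -> float:
        """Section score as a percentage of the attainable maximum (0.0 if nothing answered)."""
        return 0.0 if self.maximum == 0 else round(100.0 * self.total / self.maximum, 1)


def score_section(name: str, responses) -> SectionResult:
    """Sum one section's Likert answers; None marks an unanswered item and is skipped."""
    total = answered = 0
    for r in responses:
        if r is None:
            continue
        if not isinstance(r, int) or not LIKERT_MIN <= r <= LIKERT_MAX:
            raise ValueError(
                f"{name}: response {r!r} outside Likert range {LIKERT_MIN}-{LIKERT_MAX}"
            )
        total += r
        answered += 1
    return SectionResult(name, total, answered * LIKERT_MAX)


def score_assessment(responses_by_section):
    """Return (per-section results in SECTIONS order, overall percentage)."""
    results = [score_section(n, responses_by_section.get(n, [])) for n in SECTIONS]
    total = sum(r.total for r in results)
    maximum = sum(r.maximum for r in results)
    overall = 0.0 if maximum == 0 else round(100.0 * total / maximum, 1)
    return results, overall


# Constructed sample responses (not data from the study).
SAMPLE_RESPONSES = {
    "Organizational reliance on IT": [4, 4, 3, 4],
    "Risk management": [2, 1, None, 3],   # one unanswered item
    "People": [3, 2, 2],
    "Processes": [1, 0, 2, 1],
    "Technology": [4, 3, 3, 4],
}

if __name__ == "__main__":
    section_results, overall_percent = score_assessment(SAMPLE_RESPONSES)
    for res in section_results:
        print(f"{res.name:32s} {res.total:3d}/{res.maximum:<3d} {res.percent:5.1f}%")
    print(f"{'Overall':32s} {overall_percent:5.1f}%")
```

Excluding unanswered items from the denominator keeps a section from being penalised for questions that did not apply to the organization; a scheme that instead counts every item toward the maximum would lower the percentages, so the choice should be stated whenever such results are reported.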
5 Data Analysis
Qualitative and quantitative findings obtained via the assessment tool were analyzed
according to the scoring section of the tool. The data that were gathered via the tool created