Lastly, according to the information security experts, the potential reputational impact of security incidents (i.e. negative press and political pressure) is rated low for the organization. It is also stated that the organization has few business programs in politically sensitive areas that might make it a target of a violent physical or cyber-attack from any group.
6.2 Risk Management
Information security experts were asked to describe the risk management approaches of the organization via nine Likert scale questions provided in the second part of the assessment tool. Risk management is one of the main functions of organizations in the defense industry. The experts stated that all of the risk management metrics are fully implemented. These risk management metrics are as follows:
- The information security and privacy program was fully documented,
- Risk assessments to identify the key objectives that need to be supported by the information security and privacy program were conducted within the last two years,
- Critical assets and the relevant business functions were fully identified,
- Information security threats and vulnerabilities associated with each of the critical assets and functions were fully identified,
- Costs and cost analyses for the loss of each critical asset or function were carried out,
- A written information security strategy that seeks to cost-effectively measure risk and specify actions to manage risk at an acceptable level with minimal business disruption was developed,
- The information security strategy of the organization fully includes plans that seek to cost-effectively reduce the risks to an acceptable level,
- The information security strategy of the organization is reviewed and updated at least annually, or more frequently when significant business changes require it,
- Processes to monitor legislation and regulations and determine their applicability to the organization were fully implemented.
6.3 People
Another section of the assessment tool within the scope of information security approaches is the assessment of people in the organization. In this regard, the analyses cover the answers given to questions about responsibilities, management, information security functions, and the education and training program. The results obtained from the analyses of this part of the assessment tool are displayed in Fig. 1.