Risk Management Guide

The Experts below are selected from a list of 26772 Experts worldwide ranked by ideXlab platform

Emmanuel Aroms - One of the best experts on this subject based on the ideXlab platform.

  • NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems
    2012
    Co-Authors: Emmanuel Aroms
    Abstract:

    This is a hard copy of NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems. The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

    Target audience: this guide provides a common foundation for experienced and inexperienced, technical, and non-technical personnel who support or use the risk management process for their IT systems. These personnel include:

    - Senior management, the mission owners, who make decisions about the IT security budget
    - Federal Chief Information Officers, who ensure the implementation of risk management for agency IT systems and the security provided for these IT systems
    - The Designated Approving Authority (DAA), who is responsible for the final decision on whether to allow operation of an IT system
    - The IT security program manager, who implements the security program
    - Information system security officers (ISSO), who are responsible for IT security
    - IT system owners of system software and/or hardware used to support IT functions
    - Information owners of data stored, processed, and transmitted by the IT systems
    - Business or functional managers, who are responsible for the IT procurement process
    - Technical support personnel (e.g., network, system, application, and database administrators; computer specialists; data security analysts), who manage and administer security for the IT systems
    - IT system and application programmers, who develop and maintain code that could affect system and data integrity

    Disclaimer: this hardcopy is not published by the National Institute of Standards and Technology (NIST), the US Government or the US Department of Commerce. The publication of this document should not in any way imply any relationship or affiliation with the above-named organizations and Government.

Alexis Feringa - One of the best experts on this subject based on the ideXlab platform.

  • SP 800-30 Risk Management Guide for Information Technology Systems
    2002
    Co-Authors: Gary Stoneburner, Alice Y Goguen, Alexis Feringa
    Abstract:

    Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Organizations use risk assessment, the first step in the risk management methodology, to determine the extent of the potential threat, vulnerabilities, and the risk associated with an information technology (IT) system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process, the second step of risk management, which involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems throughout their system development life cycle (SDLC). The ultimate goal is to help organizations better manage IT-related mission risks. Organizations may choose to expand or abbreviate the comprehensive processes and steps suggested in this guide and tailor them to their site environment in managing IT-related mission risks. In addition, this guide provides information on the selection of cost-effective security controls. These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information. The third step in the process is continual evaluation and assessment. In most organizations, IT systems will continually be expanded and updated, their components changed, and their software applications replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time. These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, the risk management process is ongoing and evolving.

Arenas Bustamante Dalgys - One of the best experts on this subject based on the ideXlab platform.

  • Methodological proposal for risk management in the public educational institutions of the department of Atlántico, supported by ICT
    Corporation Universidad de la Costa CUC, 2020
    Co-Authors: Arenas Bustamante Dalgys
    Abstract:

    Master's in Information Technology Management - Research Track. Educational institutions (EIs), like any other organization in the world, are exposed to different types of risks that must be treated or handled properly; otherwise they can affect the normal operation of the EI. Some of these risks are physical, management, corruption, and digital security risks. EIs are likewise not exempt from being affected by natural disasters, so they must be able to formulate contingency plans and execute emergency response actions that ensure the continuity of the service and guarantee students' right to education. It is therefore very important that EIs be capable of managing risks before they materialize, whatever their nature, and of establishing adequate controls to guarantee full compliance with the goals and aims of the EI. Consequently, this dissertation proposes the creation of a methodology based on the Risk Management Guide of the Administrative Department of the Public Function - DAFP and Guide 59 of the Ministry of National Education - MEN, in order to mitigate the impact or the probability of occurrence of the risks that may affect the normal operation of the EI. The proposed methodology will be developed through a technological tool that will systematize and unify the risk management methodology, the design of controls, and the way emergencies and disasters are handled.

    Educational Institutions (EIs), like any organization in general, are exposed to different types of risks which, if not treated or managed properly, can end up affecting their normal operation. Among the risks that may be found in EIs are physical, management, corruption, and digital security risks. Likewise, EIs are not exempt from being affected by natural disasters, so they must be able to formulate contingency plans and execute emergency response actions that ensure the continuity of service delivery and guarantee the right to education. For the above reasons, it is of utmost importance that EIs be able to manage the risks that may materialize, whatever their nature, and establish controls that guarantee the fulfilment of their institutional objectives. Consequently, this degree thesis proposes the creation of a methodology based on the risk management guide of the Departamento Administrativo de la Función Pública - DAFP and on Guide 59 of the Ministerio de Educación Nacional - MEN, with the aim of mitigating the impact or occurrence of the risks that may affect the normal operation of EIs. The proposed methodology will be operationalized through a technological tool that will systematize and unify the risk management methodology, the design of controls, and the response to emergencies and disasters.

Gary Stoneburner - One of the best experts on this subject based on the ideXlab platform.

  • SP 800-30 Risk Management Guide for Information Technology Systems
    2002
    Co-Authors: Gary Stoneburner, Alice Y Goguen, Alexis Feringa
    Abstract:

    Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Organizations use risk assessment, the first step in the risk management methodology, to determine the extent of the potential threat, vulnerabilities, and the risk associated with an information technology (IT) system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process, the second step of risk management, which involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems throughout their system development life cycle (SDLC). The ultimate goal is to help organizations better manage IT-related mission risks. Organizations may choose to expand or abbreviate the comprehensive processes and steps suggested in this guide and tailor them to their site environment in managing IT-related mission risks. In addition, this guide provides information on the selection of cost-effective security controls. These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information. The third step in the process is continual evaluation and assessment. In most organizations, IT systems will continually be expanded and updated, their components changed, and their software applications replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time. These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, the risk management process is ongoing and evolving.

Jake Kouns - One of the best experts on this subject based on the ideXlab platform.

  • Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams
    2010
    Co-Authors: Daniel Minoli, Jake Kouns
    Abstract:

    Preface. About the Authors.

    PART I: INDUSTRY PRACTICES IN RISK MANAGEMENT.

    1. INFORMATION SECURITY RISK MANAGEMENT IMPERATIVES AND OPPORTUNITIES. 1.1 Risk Management Purpose and Scope. 1.1.1 Purpose of Risk Management. 1.1.2 Text Scope. References. Appendix 1A: Bibliography of Related Literature.

    2. INFORMATION SECURITY RISK MANAGEMENT DEFINED. 2.1 Key Risk Management Definitions. 2.2 A Mathematical Formulation of Risk. 2.3 Typical Threats/Risk Events. 2.4 What is an Enterprise Architecture? References. Appendix 2A: The CISSPforum/ISO27k Implementers Forum Information Security Risk List for 2008. Appendix 2B: What is Enterprise Risk Management (ERM)?

    3. INFORMATION SECURITY RISK MANAGEMENT STANDARDS. 3.1 ISO/IEC 13335. 3.2 ISO/IEC 17799 (ISO/IEC 27002:2005). 3.3 ISO/IEC 27000 Series. 3.3.1 ISO/IEC 27000, Information Technology-Security Techniques-Information Security Management Systems-Fundamentals and Vocabulary. 3.3.2 ISO/IEC 27001:2005, Information Technology-Security Techniques-Specification for an Information Security Management System. 3.3.3 ISO/IEC 27002:2005, Information Technology-Security Techniques-Code of Practice for Information Security Management. 3.3.4 ISO/IEC 27003, Information Technology-Security Techniques-Information Security Management System Implementation Guidance. 3.3.5 ISO/IEC 27004, Information Technology-Security Techniques-Information Security Management-Measurement. 3.3.6 ISO/IEC 27005:2008, Information Technology-Security Techniques-Information Security Risk Management. 3.4 ISO/IEC 31000. 3.5 NIST Standards. 3.5.1 NIST SP 800-16. 3.5.2 NIST SP 800-30. 3.5.3 NIST SP 800-39. 3.6 AS/NZS 4360. References. Appendix 3A: Organization for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks: Toward a Culture of Security.

    4. A SURVEY OF AVAILABLE INFORMATION SECURITY RISK MANAGEMENT METHODS AND TOOLS. 4.1 Overview. 4.2 Risk Management/Risk Analysis Methods. 4.2.1 Austrian IT Security Handbook. 4.2.2 CCTA Risk Assessment and Management Methodology (CRAMM). 4.2.3 Dutch A&K Analysis. 4.2.4 EBIOS. 4.2.5 ETSI Threat Vulnerability and Risk Analysis (TVRA) Method. 4.2.6 FAIR (Factor Analysis of Information Risk). 4.2.7 FIRM (Fundamental Information Risk Management). 4.2.8 FMEA (Failure Modes and Effects Analysis). 4.2.9 FRAP (Facilitated Risk Assessment Process). 4.2.10 ISAMM (Information Security Assessment and Monitoring Method). 4.2.11 ISO/IEC Baselines. 4.2.12 ISO 31000 Methodology. 4.2.13 IT-Grundschutz (IT Baseline Protection Manual). 4.2.14 MAGERIT (Metodologia de Analisis y Gestion de Riesgos de los Sistemas de Informacion) (Methodology for Information Systems Risk Analysis and Management). 4.2.15 MEHARI (Methode Harmonisee d'Analyse de Risques - Harmonised Risk Analysis Method). 4.2.16 Microsoft's Security Risk Management Guide. 4.2.17 MIGRA (Metodologia Integrata per la Gestione del Rischio Aziendale). 4.2.18 NIST. 4.2.19 National Security Agency (NSA) IAM/IEM/IA-CMM. 4.2.20 Open Source Approach. 4.2.21 PTA (Practical Threat Analysis). 4.2.22 SOMAP (Security Officers Management and Analysis Project). 4.2.23 Summary. References.

    5. METHODOLOGIES EXAMPLES: COBIT AND OCTAVE. 5.1 Overview. 5.2 COBIT. 5.2.1 COBIT Framework. 5.2.2 The Need for a Control Framework for IT Governance. 5.2.3 How COBIT Meets the Need. 5.2.4 COBIT's Information Criteria. 5.2.5 Business Goals and IT Goals. 5.2.6 COBIT Framework. 5.2.7 IT Resources. 5.2.8 Plan and Organize (PO). 5.2.9 Acquire and Implement (AI). 5.2.10 Deliver and Support (DS). 5.2.11 Monitor and Evaluate (ME). 5.2.12 Processes Need Controls. 5.2.13 COBIT Framework. 5.2.14 Business and IT Controls. 5.2.15 IT General Controls and Application Controls. 5.2.16 Maturity Models. 5.2.17 Performance Measurement. 5.3 OCTAVE. 5.3.1 The OCTAVE Approach. 5.3.2 The OCTAVE Method. References.

    PART II: DEVELOPING RISK MANAGEMENT TEAMS.

    6. RISK MANAGEMENT ISSUES AND ORGANIZATION SPECIFICS. 6.1 Purpose and Scope. 6.2 Risk Management Policies. 6.3 A Snapshot of Risk Management in the Corporate World. 6.3.1 Motivations for Risk Management. 6.3.2 Justifying Risk Management Financially. 6.3.3 The Human Factors. 6.3.4 Priority-Oriented Rational Approach. 6.4 Overview of Pragmatic Risk Management Process. 6.4.1 Creation of a Risk Management Team, and Adoption of Methodologies. 6.4.2 Iterative Procedure for Ongoing Risk Management. 6.5 Roadmap to Pragmatic Risk Management. References. Appendix 6A: Example of a Security Policy.

    7. ASSESSING ORGANIZATION AND ESTABLISHING RISK MANAGEMENT SCOPE. 7.1 Assessing the Current Enterprise Environment. 7.2 Soliciting Support From Senior Management. 7.3 Establishing Risk Management Scope and Boundaries. 7.4 Defining Acceptable Risk for Enterprise. 7.5 Risk Management Committee. 7.6 Organization-Specific Risk Methodology. 7.6.1 Quantitative Methods. 7.6.2 Qualitative Methods. 7.6.3 Other Approaches. 7.7 Risk Waivers Programs. References. Appendix 7A: Summary of Applicable Legislation.

    8. IDENTIFYING RESOURCES AND IMPLEMENTING THE RISK MANAGEMENT TEAM. 8.1 Operating Costs to Support Risk Management and Staffing Requirements. 8.2 Organizational Models. 8.3 Staffing Requirements. 8.3.1 Specialized Skills Required. 8.3.2 Sourcing Options. 8.4 Risk Management Tools. 8.5 Risk Management Services. 8.5.1 Alerting and Analysis Services. 8.5.2 Assessments, Audits, and Project Consulting. 8.6 Developing and Implementing the Risk Management/Assessment Team. 8.6.1 Creating Security Standards. 8.6.2 Defining Subject Matter Experts. 8.6.3 Determining Information Sources. References. Appendix 8A: Sizing Example for Risk Management Team. Appendix 8B: Example of Vulnerability Alerts by Vendors and CERT. Appendix 8C: Examples of Data Losses - A One-Month Snapshot.

    9. IDENTIFYING ASSETS AND ORGANIZATION RISK EXPOSURES. 9.1 Importance of Asset Identification and Management. 9.2 Enterprise Architecture. 9.3 Identifying IT Assets. 9.4 Assigning Value to IT Assets. 9.5 Vulnerability Identification/Classification. 9.5.1 Base Parameters. 9.5.2 Temporal Parameters. 9.5.3 Environmental Parameters. 9.6 Threat Analysis: Type of Risk Exposures. 9.6.1 Type of Risk Exposures. 9.6.2 Internal Team Programs (to Uncover Risk Exposures). 9.7 Summary. References. Appendix 9A: Common Information Systems Assets.

    10. REMEDIATION PLANNING AND COMPLIANCE REPORTING. 10.1 Determining Risk Value. 10.2 Remediation Approaches. 10.3 Prioritizing Remediations. 10.4 Determining Mitigating Timeframes. 10.5 Compliance Monitoring and Security Metrics. 10.6 Compliance Reporting. References.

    Basic Glossary of Terms Used in This Text. Index.