DEVELOPING A RISK ANALYSIS FRAMEWORK FOR IMPACT ASSESSMENT IN INFORMATION SECURITY MANAGEMENT SYSTEMS: A CASE STUDY FROM THE IT CONSULTING INDUSTRY. PART 1
This article is a free translation of the work of Fotis Kitsios, Elpinica Hatzidimitriou and Maria Kamariotou.
Information has always been an important asset of every company, and this asset must be protected. Today most information is stored digitally and is accessible over the Internet, which makes it easier to reach and reduces archiving time. This has one drawback: all of this information is exposed to different risks and threats, in proportion to its importance. Cyberattacks on confidential or sensitive information have increased over the years. A company’s growth makes it a more attractive target, and leaked information can damage its reputation, revenues and credibility. For all of these reasons, establishing an information security management system (ISMS) is essential to attracting new customers and retaining existing ones. Every customer needs to know that the information it shares is securely and properly managed.
ISO/IEC 27001, published by the International Organization for Standardization (ISO), is the international standard that specifies the requirements for a management system used to identify, assess and treat information security risks. It gives a company guidance for developing an effective ISMS based on its own needs. Implementing an ISMS means that each company must develop its own strategy for dealing with risks and threats to information security and, ultimately, build an ISO 27001-compliant ISMS. The standard does not prescribe specific procedures for meeting its requirements; those procedures must be established and implemented for the specific company.
While there are many different approaches to successfully implementing a company’s ISMS, the desired outcome is the same: secure the information and find the solution that best meets the company’s needs. One of the most important and time-consuming parts of establishing an ISMS is the risk assessment. All relevant risks must be identified, assessed and classified. Since every company is unique, its risks vary too, and there is no single approach to risk assessment that every company can use.
For this reason, it is important to provide more case studies and more theoretical background on ISMS implementation, so that each company or stakeholder can access this information and use it for its own purposes. The purpose of this paper is to present the risk assessment framework that a company in the information technology sector used to conduct its risk assessment process in accordance with ISO 27001.
The company’s policy is to ensure that the information it handles, both electronically and in hard copy, is adequately protected from the consequences of a breach of confidentiality, integrity or availability. The company already had many processes in place. Most of them, however, were not routinely recorded, or not recorded at all. In other words, many threats were not identified and therefore not accounted for. The company’s rapid growth showed that a standardized information security model could make some aspects of the business work better. It also became clear that rapid growth would make the company a target for cyber threats. This prompted the company to embark on a more detailed and expanded information security policy. The traditional way of ensuring information security was not sustainable in a fast-growing company, and risks related to human factors multiplied as the workforce grew. Finally, the company kept getting the same question from numerous customers: “Why should we trust our information with you?” Over the years it became increasingly difficult to answer this with well-documented evidence, and customers became less tolerant of uncertainty about information security.
2. Theoretical framework
2.1 Information security management systems and benefits
According to Hauffe et al., information security is considered part of IT management. This statement alone shows the importance of information security in the business strategy of a modern, competitive company. A company may process or hold different types of data, classified into different categories of information. From customer and employee records to accounting data, all of this information must be accessible and available for the company to function properly. All of it must also be protected, and the company concerned must select and apply appropriate safeguards to protect its physical and financial assets, reputation, legal position, personnel, and other tangible and intangible assets. This is where an ISMS comes in. But what, exactly, is the purpose of an ISMS?
The literature discusses the purpose of an ISMS from several angles. Dish et al. (2020) and Paananen et al. (2020) note that the primary purpose of information security is to protect an organization’s information, software and hardware, which are its valuable resources. According to Von Solms and Van Niekerk (2013), the ISMS plan, implementation and processes should be able to protect users’ hardware, software and information from external and internal threats, even while the company or organization is under attack.
In light of the above, an ISMS is vital because it protects the organization’s critical assets. Implementing one is not an easy task, however, and poor planning can have a negative impact on a company. In particular, it is possible to adopt processes or policies that obstruct the company’s own functions. Employees may find it harder to perform day-to-day tasks because more time is needed for information security reviews. The workload increases because of restrictions on access to information. The standards of work that applied before the ISMS may become impossible to maintain, and the quality of work may fall. Finally, existing staff will have to devote time to carrying out additional information security checks.
For these reasons, regulation and cost-effectiveness are important components of an effective ISMS. The information security process, as an integral component of every ISMS, should be aligned with the organization’s goals and mission. This should be considered while the ISMS is being developed, not at a later stage, to avoid additional costs, increased workloads or reduced quality. A fundamental concept of the ISMS is to ensure the confidentiality, integrity and availability of all information and data. Confidentiality means that information and data should not be available to outsiders; companies handle financial records, know-how, proprietary code, customer data, personal information and so on. Integrity means protection against unauthorized changes to data and information. Although an ISMS cannot guarantee the accuracy of stored information, it includes processes and tools that verify that changes are intended and correctly applied, and are not fraudulent events. Availability means that information and systems must be accessible on request at all times. The most common threats to availability are denial of service and loss of processing capability. Denial of service refers to user or attacker actions that block computing services. Loss of processing capability refers to the destruction of computing hardware or software resources, either physically (through natural disasters or human action) or through software becoming unusable (through malicious system access or operator error).
Although a company will implement physical, technical and administrative controls, the importance of balancing confidentiality, integrity and availability should not be overlooked. The right balance is difficult to achieve, and an imbalance is often the Achilles’ heel that external attacks exploit. For example, measures that ensure high availability can compromise confidentiality; conversely, if a company emphasizes confidentiality, access to information can become too difficult.
Companies depend more and more on Internet connectivity. At the same time, they operate in a very complex and advanced threat environment that exposes their information infrastructure to a whole range of security threats. This creates unprecedented challenges and ultimately forces companies to build a more secure information technology (IT) infrastructure. Cyberattacks can seriously damage the reputation and investments of the affected company. Although the number of attacks is increasing, the economic impact of security incidents is less obvious. Nevertheless, there is no doubt that a single security breach can cause irreparable damage to a firm in terms of corporate liability, loss of trust and reduced revenue.
Although everyone involved is affected by security incidents, employees are often unaware of the importance of protecting company data and do not take the actions necessary to prevent a breach. While corporations, organizations and companies recognize the importance of analyzing, assessing and effectively mitigating risks, responsibilities and plans for dealing with information security threats are generally not comprehensively established. Implementing an information security management system based on a standard such as ISO 27001 is an effective and vital way to address these threats and to process data safely and securely.
According to Velasco et al. (2018), Dish et al. (2020), Hsu et al. (2016) and Shojaie et al. (2016), ISO 27001 can provide a company or organization with many significant benefits. By implementing ISO 27001, companies protect and manage their sensitive data consistently, establishing a transparent process for accessing, controlling and processing information. To achieve this, data processing must be unambiguous and continuously managed. ISO 27001 also enhances a company’s reputation: because customers are more willing to entrust their data to an ISO 27001-certified company, certification translates into increased profits and market share, and the company becomes more confident and competitive in growing and attracting customers. Another factor worth mentioning is compliance with regulations such as the General Data Protection Regulation (GDPR) and with legal requirements in general. Penalties for leaks of confidential information can lead to lengthy litigation and huge financial losses, and an ISO 27001-certified company is better placed to avoid the adverse consequences of a data breach. ISO 27001 also requires a well-developed information security incident response process: a system that reports information security threats and addresses them as early as possible. Cyberattacks can happen every day, and it is important to detect them early. In the Target store data breach, for example, it took more than a week for the company to detect the attack. Had it been detected earlier, less data would have been compromised and fewer customers affected. An information security incident response process could have helped identify and stop the attack at an earlier stage.
In addition, an ISO-certified company regularly analyzes the root causes of such attacks or incidents and tests its systems to identify flaws before an actual attack occurs. Finding vulnerabilities before an attack gives the company valuable time to prepare for data breach scenarios. Finally, an ISO 27001-certified company must have a disaster recovery plan in place, to be activated in an emergency, that is, once an attack has already occurred. Having a recovery plan after an attack is very important: if the company returns to normal operation as quickly as possible, the losses from the attack are limited, whereas every day of downtime costs a significant amount of money.
2.2. ISO 27000: 27001, 27002
ISO/IEC 27001:2013 is a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS within a company. It also includes requirements for assessing and treating information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to apply to all organizations, regardless of type, size or nature. It is a respected and internationally recognized security standard.
The ISO 27000 family of standards provides good-practice guidelines for a complete ISMS. ISO 27000 gives an overview and the terminology, while ISO 27002 provides general guidance on information security controls, expanding the code of practice for an ISMS. In 2007, ISO 17799 was renumbered as ISO 27002, which gives management-level guidance for IT security. When implementing an ISMS, ISO 27002 guides the selection of generally recognized controls according to the company’s or organization’s specific information security risk environment.
To achieve ISO 27001 certification, a company must consider every control in Annex A of ISO 27001 and justify, in its Statement of Applicability, any control it excludes; ISO 27002 describes how to implement those controls. The controls in ISO 27002 are named in the same way as in Annex A of ISO 27001. For example, control 6.1.2 in ISO 27002 is called “Segregation of duties”, and in ISO 27001 it is “A.6.1.2 Segregation of duties”. The difference lies in the level of detail. Segregation of duties refers to general guidance on separating employee responsibilities in order to achieve greater accountability. ISO 27002 explains how the control can be implemented in the organization (for example, clear segregation of duties through clear job descriptions), giving companies the tools they need to apply ISO 27001 more effectively using generally accepted means.
Without the implementation detail provided by ISO 27002, the controls listed in Annex A of ISO 27001 cannot readily be implemented. Without the governance structure of ISO 27001, however, ISO 27002 would remain the isolated work of a few information security experts, with no recognition from the board and no real impact on the organization. The two standards exist separately because a single combined standard would be too complex and broad for practical use.
2.3 ISO 27001: Risk Assessment
According to Çavuşoğlu et al. (2015), a well-structured rationale for security investment gives top managers a set of criteria for justifying corporate information security spending. Organizations can consider both the economic and the non-economic consequences of investment decisions. Financial criteria, such as return on investment (ROI), assess the economic feasibility of controls on the basis of the value of the assets they protect and the cost of the investment. Non-economic criteria include customer cooperation and emphasize organizational and operational viability. The organizational and management literature also suggests that a clearly defined strategic investment objective is an important component of the development processes that lead to organizational acceptance and change.
Risk is the key concept here, and risk management drives prioritization. As stated in ISO/IEC 27000, an ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process, and gives interested parties confidence that risks are adequately managed. Risk assessment is the tool for analyzing and interpreting risk. It covers the identification and evaluation of an organization’s vulnerabilities, and requires defining the scope and procedure of the assessment, collecting and analyzing data, and reviewing the risk assessment reports. The implementation team must collect and analyze risk data. This means identifying all assets, risks, vulnerabilities and existing security measures and their importance, as well as residual risk and the probability of a successful attack.
The risk assessment must not be limited to current problems; it must also consider future ones, taking into account new systems and technologies that already exist and those yet to come. Performing a risk assessment also leads to in-depth knowledge of the organization and its activities. The risk assessment team tries to understand how systems and procedures interact, which allows the company to identify gaps in its processes. It should be noted that the people who run the risk assessment process must therefore have a clear, broad understanding and extensive knowledge of the entire company.
Risk treatment is the next step: selecting and implementing appropriate controls to reduce risk to a level acceptable to the organization. As with the rest of ISO 27001, there is no enforced or mandatory template for the risk assessment. The information security team can perform a risk assessment that makes sense for the structure of the organization. A risk assessment, as described in ISO 27001 clause 6.1.2, establishes and maintains information security risk criteria; ensures that repeated assessments produce consistent, valid and comparable results; identifies risks together with their risk owners; and analyzes and evaluates those risks. The risk assessment may include the following activities: identifying the assets at risk and rating their importance by magnitude, sensitivity and criticality; identifying potential threats; rating how likely each threat is to occur for a particular asset; determining impact, which typically covers expected loss, damage and recovery costs; reducing risk by applying risk treatment to the asset base; and constraining the controls the company adopts to its budget.
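The activities listed above are easier to reason about when carried through on concrete data, so the following added example does that in Python. It is not code from the paper or from the company it describes, and it does not anticipate the framework presented later in the paper; the assets, threats, ordinal scores, control costs, reduction values and the acceptance threshold of 6 are all constructed for illustration. It values each asset by confidentiality, integrity and availability, scores each asset/threat pair as likelihood times impact with a named risk owner, selects controls greedily by risk reduction per cost unit until a fixed budget is spent, and then reports which residual risks still exceed the acceptance criterion and therefore need further treatment or formal acceptance by their owner.

```python
"""Added example: ISO 27001 6.1.2-style risk assessment on constructed data.
Assets, threats, scores, costs and the acceptance criterion are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple

ACCEPTABLE_RISK = 6  # hypothetical risk criterion: likelihood x impact <= 6 is accepted


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1..5
    integrity: int        # 1..5
    availability: int     # 1..5


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    likelihood: int  # 1..5: how likely this threat is for this asset
    impact: int      # 1..5: expected loss, damage and recovery cost
    owner: str       # every risk gets a named owner, as 6.1.2 requires


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                  # constructed cost units
    likelihood_reduction: int  # points removed from likelihood
    impact_reduction: int      # points removed from impact
    mitigates: FrozenSet[str]  # threats the control addresses


def inherent_score(risk: Risk) -> int:
    return risk.likelihood * risk.impact


def residual_score(risk: Risk, controls: Sequence[Control]) -> int:
    """Risk left after applying the given controls; neither factor drops below 1."""
    likelihood, impact = risk.likelihood, risk.impact
    for c in controls:
        if risk.threat in c.mitigates:
            likelihood -= c.likelihood_reduction
            impact -= c.impact_reduction
    return max(1, likelihood) * max(1, impact)


def select_controls(risks: Sequence[Risk], candidates: Sequence[Control],
                    budget: int) -> Tuple[List[Control], int]:
    """Greedy risk treatment: repeatedly add the affordable control with the largest
    total risk reduction per cost unit until nothing affordable still helps."""
    chosen: List[Control] = []
    pool = list(candidates)
    while pool:
        base = sum(residual_score(r, chosen) for r in risks)
        best, best_ratio = None, 0.0
        for c in pool:
            if c.cost > budget:
                continue
            gain = base - sum(residual_score(r, chosen + [c]) for r in risks)
            if gain > 0 and gain / c.cost > best_ratio:
                best, best_ratio = c, gain / c.cost
        if best is None:
            break
        chosen.append(best)
        pool.remove(best)
        budget -= best.cost
    return chosen, budget


# Constructed sample data loosely modelled on the per-client infrastructure
# described in section 3.1; the values are illustrative, not the company's.
REPO = Asset("client code repository", 5, 5, 3)
DOCS = Asset("project document library", 4, 3, 3)
TIME = Asset("time management tool", 2, 3, 2)

RISKS = [
    Risk(REPO, "credential theft", 4, 5, "CTO"),
    Risk(REPO, "ransomware", 3, 4, "CTO"),
    Risk(DOCS, "insider data leak", 3, 4, "delivery lead"),
    Risk(TIME, "ransomware", 3, 2, "operations"),
]

CANDIDATE_CONTROLS = [
    Control("MFA on all project accounts", 2, 2, 0, frozenset({"credential theft"})),
    Control("Offline, tested backups", 3, 0, 3, frozenset({"ransomware"})),
    Control("Security awareness training", 1, 1, 0,
            frozenset({"credential theft", "insider data leak"})),
    Control("Least privilege + DLP on document library", 4, 1, 1,
            frozenset({"insider data leak"})),
]


def run_assessment(budget: int = 6) -> Dict[str, object]:
    chosen, left = select_controls(RISKS, CANDIDATE_CONTROLS, budget)

    def key(r: Risk) -> Tuple[str, str]:
        return (r.asset.name, r.threat)

    residual = {key(r): residual_score(r, chosen) for r in RISKS}
    return {
        "inherent": {key(r): inherent_score(r) for r in RISKS},
        "selected_controls": [c.name for c in chosen],
        "residual": residual,
        # Residual risk above the criterion must be treated further or be
        # formally accepted by its owner; it must not silently disappear.
        "unaccepted": [k for k, v in residual.items() if v > ACCEPTABLE_RISK],
        "budget_left": left,
    }


if __name__ == "__main__":
    for field, value in run_assessment().items():
        print(f"{field}: {value}")
```

With the constructed data, training, MFA and backups fit the budget of 6 and bring three of the four risks under the criterion, while the insider-leak risk on the document library stays at 8; that is exactly the kind of residual risk the risk owner has to either fund further treatment for or accept in writing.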
2.4 ISO 31000: Risk Management
ISO 31000 is a family of international standards on risk management guidelines issued by the International Organization for Standardization. Like most other ISO management standards, ISO 31000 establishes a structured framework designed to meet the needs of companies of all sizes and types. ISO 31000:2018 has been proposed as a suitable framework for dealing with uncertainty when assessing operational risks, and has recently been put forward as a viable framework for examining risk management. Although used mainly by industry, the standard is adaptable and is not industry- or sector-specific. The definition of risk in ISO 31000:2018 differs from the definitions used in traditional risk assessments: risk is defined as the effect of uncertainty on objectives, not only in terms of the likelihood of bad or undesirable outcomes, and the emphasis is placed on managing that uncertainty.
ISO 31000:2018 risk management is an iterative process that includes the following steps:
(1) establishing scope, context and criteria;
(2) risk assessment (comprising risk identification, risk analysis and risk evaluation);
(3) risk treatment;
(4) recording and reporting;
(5) monitoring and review; and
(6) communication and consultation.
ISO 31000 distinguishes three components of an organization’s risk management architecture: the risk management principles, the risk management framework and the risk management process. The risk management framework is the set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving the company’s risk management. Some risk management systems, such as ISO 31000, are also called risk management standards, and organizations often use the two names interchangeably. The risk management process consists of communication and consultation, establishing the context, and identifying, analyzing, evaluating and treating risks.
ISO 31000 establishes the basic principles, structure and methods. It is not intended to impose uniformity on risk management systems, but to define the risk management process for any particular business, including its security. It gives organizations risk management guidelines they can use to set and achieve their objectives, regardless of size or type of business. The principles, framework and processes apply to public and private organizations and to all types of groups, associations and businesses. It establishes a unified approach to risk management that is neither industry- nor sector-specific, and any form of risk can be managed with it. It is applicable throughout the life of the organization and to any activity, including decision making at all levels. Risk mitigation, risk forecasting and risk treatment are all part of running an organization with risk management integrated into its business plan, and businesses often turn to ISO 31000 for help with this task. ISO 31000 can be used for strategic decisions at the organizational level as well as for managing processes, operations, projects, programs, goods, services and assets.
3. Description of the case study
3.1 Case Study: Implementing ISO 27001 in an IT Company
For security reasons, the name of the company is hidden. To keep the text short, the name of the company has been changed to Venus. Venus automates and optimizes data-driven business processes through software and services. Venus’ consulting practices are well known around the world, and they are a world leader on a well-known platform.
Venus’ specialists have deep knowledge across multiple industries and verticals. The company understands the complexity of introducing new systems into a business and works closely with its clients’ business and IT professionals to help them define their perspectives and goals. Venus then works with them to provide full project lifecycle services, coordinating all aspects of the project, from process re-engineering to system design, development and optimization. Venus can assess the organization’s change management needs and offer the most effective training to ensure full adoption of new procedures and technologies. Finally, the company moves into focused, long-term production support.
Venus combines know-how with sound science and problem solving to deliver effective software solutions that computerize and improve business processes on time and on budget. The company’s technology specialists hold several qualifications in science and engineering. The Venus Solutions Center is certified as a European Union research organization and has won several European Union research programs. The company’s scientists and engineers have developed several advanced tools to solve its clients’ specific, day-to-day problems. Crucially, Venus has tested these solutions on large volumes of real data from some of the world’s largest companies, and has reaped significant and measurable commercial rewards.
Venus is a project-based company. The company’s technology consultants are assigned to each project for each client. Teams are dynamic; people move in and out of teams depending on the phase and workload of the project. A team can consist of 4-30 people.
A separate, dedicated infrastructure is created for each client. It consists of: a centralized code repository, which allows projects with multiple developers to work with different versions of the code files; a centralized document library; a dedicated catalog in the project management tool; dedicated mailing lists; dedicated containers for development and testing; a project issue tracker; and a separate login to the time management tool. Together, these tools and infrastructure give the team the structure it needs to create, manage and deliver the project, and the basis for collaboration, metrics and analytics for quality assurance.
3.2 Company status prior to ISO implementation
It is Venus’ policy to ensure that the information it handles, both electronically and in hard copy, is adequately protected from the consequences of a breach of confidentiality, a breach of integrity, or a loss of availability of that information. The company already had many processes in place. However, most of them were not routinely recorded, or not recorded at all. In other words, many threats were not identified and therefore not accounted for. Annual and onboarding information security trainings were held to ensure that employees were aware of the company’s information security policy. An information security team was already in place; its members were trained, and every employee could raise information security concerns with it. The company therefore already had some processes that would make compliance with ISO 27001 easier. However, many threats and vulnerabilities had not been identified. The company’s rapid growth showed that a standardized information security model could make some aspects of the business work better. It also became clear that rapid growth would make the company a target for cyber threats. This prompted the company to embark on a more detailed and expanded information security policy. The traditional way of ensuring information security was not sustainable in a fast-growing company, and risks associated with the human element multiplied as the workforce grew. Finally, the company kept getting the same question from numerous customers: “Why should we trust our information with you?” Over the years it became increasingly difficult to answer this with well-documented evidence, and customers became less tolerant of uncertainty about information security.