The term information security can be defined as the practice of preventing the unauthorized disclosure, access, disruption, use, inspection, modification, destruction or recording of information. In other words, information security is the state in which information (particularly electronic data) is protected from unauthorized use, or the set of measures taken to achieve that state (Vacca, 2013). However, a variety of conditions put the security of information at risk, such as inadequate system logging, over-reliance on security monitoring software, technological innovation that outpaces security, outdated operating systems, lack of encryption, lack of segregation of duties, lack of management support, etc. This report provides guidelines for managing the information security risks of the organization Cosmos.
Overview of the Company
Cosmos is an online newspaper publishing company situated in Sydney, Australia. The company has a large network of freelance reporters across the globe who report news from their respective regions. It charges a small online fee for allowing customers to read its online newspapers and watch live video feeds. The company provides suitable telecommunication devices to the freelance reporters so that they can report live from areas where there is no internet connectivity. Cosmos is now upgrading the information security policies for its information system.
Guidelines for Managing the Information Security Risks of the Organization
Information security risk management can be defined as the process that manages the risks linked with the use of information technology. To manage information security risk, a company should identify, assess and treat the risks to the confidentiality, integrity and availability of its assets (Webb, Ahmad, Maynard & Shanks, 2014). Adopting such a process will assist the organization in treating risk according to its overall risk tolerance. The business should not expect that all risks will be eliminated; rather, it should identify and achieve a level of risk that is acceptable for the organization concerned.
The International Standard ISO/IEC 27005:2011 provides a framework for the implementation of risk management approach for assisting the IT department of the organization in the management of information security risks. The standard describes the process for the information security risk management and the actions associated with it (International Organization for Standardization, 2011).
Cosmos should manage information security risk by following the guidelines below, presented as the stages of ISRM (Information Security Risk Management) in accordance with International Standard ISO/IEC 27005:2011.
Stages of ISRM
Identification- This stage of the information security risk management process involves identifying assets, vulnerabilities, threats and controls. Firstly, Cosmos should follow a risk identification process to determine the potential risks that need further analysis. It should identify the assets expected to have the most significant impact on Cosmos if their integrity, confidentiality or availability is compromised. At this stage, Cosmos should aim to identify the software or system vulnerabilities that put the integrity, confidentiality or availability of those assets at risk (Soomro, Shah & Ahmed, 2016). It should also recognize the deficiencies or weaknesses in organizational processes that can result in loss of information. After the vulnerabilities have been identified, the threats that could realize a risk by exploiting them are identified as well. Cosmos should then recognize the controls that directly address each identified threat or vulnerability, either by fixing the issue altogether, by reducing the likelihood of its occurrence or by mitigating its impact (Stamp, 2011).
Assessment- Assessment is the next stage in the information security risk management process. It is the stage in which the information gathered about assets, vulnerabilities, threats and controls is combined for the purpose of defining each risk. There are a number of approaches and frameworks for assessing risk (Whitman & Mattord, 2017). Cosmos should use the following equation for assessment:
Risk = (Threat × Vulnerability × Asset value) − Security controls, where Vulnerability = Exploit likelihood × Exploit impact
Each factor should be scored on a consistent scale (for example 1 to 5) so that the products are comparable across assets, and the "− Security controls" term should be read as the reduction in risk attributable to the controls already in place rather than a literal subtraction of unrelated units; the score that remains after controls are applied is the residual risk that is compared against the organization's risk tolerance.
Risk assessment and its documentation are a core requirement of ISO/IEC 27005-based risk management and of most regulatory security regimes (HIPAA, for example, makes them mandatory for US healthcare entities). The assessment of risk will allow Cosmos to define its acceptable level of risk and the level of security required for each risk level (Shimeall & Spring, 2013). Cosmos should then devise, implement and monitor security measures capable of addressing the identified risk level. Further, Cosmos should repeat such assessments at regular intervals and at each phase of the System Development Life Cycle (SDLC), since a system's risk profile changes as it is designed, built, deployed and maintained.
Following are some of the types of information security risk assessments which can be adopted by Cosmos:
Enterprise Risk Assessments- in this type of assessment, risks to operational processes and to the core assets and functions of the organization are assessed.
Systems and Physical Infrastructure Assets Risk Assessment- in this type of assessment, Cosmos will be able to identify and assess the risks and vulnerabilities to systems and core physical infrastructure assets (Shameli-Sendi, Aghababaei-Barzegar & Cheriet, 2016).
Project Security Risk Assessments (New Applications) - This type of assessment will allow Cosmos to identify and assess vulnerabilities that are introduced due to the development of new IT systems and applications (Peltier, 2010).
Project Security Risk Assessment (New Risks) - This type can help Cosmos in the identification and assessment of new risks which can be caused to the existing components as a result of the introduction of new service offerings or new technology.
Change Request Risk Assessments- this type can assist Cosmos in allowing the assessment of risk of change for the purpose of ensuring that no compromise is made with the security as a result of the proposed change (Hohan, Olaru & Keppler, 2015).
Any of the above types of information security risk assessment can be adopted by Cosmos, but it is recommended that Cosmos adopt the Systems and Physical Infrastructure Assets Risk Assessment, as it fulfils Cosmos's requirements to the greatest extent.
Treatment- After the assessment and analysis of a risk, Cosmos will be required to select one of the following treatment options: remediation, mitigation, transference, risk acceptance or risk avoidance.
Remediation- Remediation involves implementing a control that fixes the underlying risk completely or very nearly so. Applying the vendor patch for an identified vulnerability is the typical example.
Mitigation- Mitigation reduces the likelihood of the risk or lessens its impact without entirely removing it. It is the most common approach adopted by organizations and is appropriate where the identified risk can be reduced through the application of controls (Wheeler, 2011). For example, deploying a firewall reduces the risk of network intrusion but does not eliminate it.
Transference- Cosmos can also transfer the risk to another entity so that it has a chance of recovering the costs incurred if the risk is realized. The usual instrument is insurance covering the losses that would follow the exploitation of vulnerable systems; note that insurance transfers the financial consequence only, not the obligation to protect the data or the reputational impact of a breach.
Risk acceptance- Risk acceptance does not fix the risk. Cosmos should opt for acceptance only when the risk is low and the cost, effort and time required to fix it exceed the losses expected if the risk is realized. An accepted risk should be recorded, signed off by its risk owner and revisited at each reassessment.
Risk avoidance- Risk avoidance removes the entire exposure to a risk identified in the earlier stage, which generally means changing the process that creates the exposure (Agarwal, Campoe & Pierce, 2014). For example, if establishing a connection between two networks carries unacceptable risk and the available countermeasures are not feasible, Cosmos can decide not to establish the connection at all.
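The following is an added worked example, not part of the original report, that carries the assessment equation given above (Risk = Threat × Vulnerability × Asset value, with Vulnerability = Exploit likelihood × Exploit impact, reduced by security controls) through a small risk register and maps each residual score to one of the treatment options just described. The register entries, the 1-to-5 scoring scales, the modelling of "security controls" as an effectiveness fraction that scales inherent risk down, and the treatment thresholds (accept at or below tolerance, mitigate up to three times tolerance, remediate above that) are all assumptions made for this example; the report specifies none of them.

```python
"""Added example: applying the report's risk equation to a constructed
risk register and deriving a treatment option per asset.

Assumptions (not from the report):
- threat, exploit likelihood, exploit impact and asset value are scored 1..5;
- control_effectiveness is a fraction in 0.0..1.0 expressing how much the
  controls already in place reduce the inherent risk;
- treatment thresholds below are illustrative.
"""
from dataclasses import dataclass

SCORE_MIN, SCORE_MAX = 1, 5


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: int                   # capability/motivation of the threat actor, 1..5
    exploit_likelihood: int       # how likely the vulnerability is to be exploited, 1..5
    exploit_impact: int           # damage if it is exploited, 1..5
    asset_value: int              # business value of the asset, 1..5
    control_effectiveness: float  # 0.0 = no control, 1.0 = fully effective control

    def __post_init__(self):
        # Reject out-of-range scores so a typo cannot silently skew the ranking.
        for name in ("threat", "exploit_likelihood", "exploit_impact", "asset_value"):
            value = getattr(self, name)
            if not SCORE_MIN <= value <= SCORE_MAX:
                raise ValueError(f"{name} must be in {SCORE_MIN}..{SCORE_MAX}, got {value}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be in 0.0..1.0")


def vulnerability(entry: RiskEntry) -> int:
    """Vulnerability = exploit likelihood x exploit impact (1..25)."""
    return entry.exploit_likelihood * entry.exploit_impact


def inherent_risk(entry: RiskEntry) -> int:
    """Risk before controls = threat x vulnerability x asset value (1..625)."""
    return entry.threat * vulnerability(entry) * entry.asset_value


def residual_risk(entry: RiskEntry) -> float:
    """Risk remaining after existing controls (the '- security controls' term)."""
    return inherent_risk(entry) * (1.0 - entry.control_effectiveness)


def treatment(residual: float, tolerance: float) -> str:
    """Map a residual score to a treatment option relative to risk tolerance."""
    if residual <= tolerance:
        return "accept"
    if residual <= 3 * tolerance:
        return "mitigate"
    return "remediate"


def treatment_plan(register, tolerance: float):
    """Rank the register by residual risk (highest first) and assign treatments."""
    ranked = sorted(register, key=residual_risk, reverse=True)
    return [(e.asset, residual_risk(e), treatment(residual_risk(e), tolerance)) for e in ranked]


# Constructed register for the example; scores are illustrative, not from the report.
COSMOS_REGISTER = [
    RiskEntry("subscriber billing database", threat=4, exploit_likelihood=3,
              exploit_impact=5, asset_value=5, control_effectiveness=0.6),
    RiskEntry("reporter satellite terminals", threat=3, exploit_likelihood=4,
              exploit_impact=3, asset_value=4, control_effectiveness=0.25),
    RiskEntry("public CMS front-end", threat=5, exploit_likelihood=4,
              exploit_impact=4, asset_value=4, control_effectiveness=0.5),
    RiskEntry("internal wiki", threat=2, exploit_likelihood=2,
              exploit_impact=2, asset_value=1, control_effectiveness=0.0),
]

if __name__ == "__main__":
    for asset, score, action in treatment_plan(COSMOS_REGISTER, tolerance=50):
        print(f"{asset:30} residual={score:6.1f} -> {action}")
```

With a tolerance of 50 the public CMS front-end (residual 160) is the only asset above the remediation threshold, the billing database and satellite terminals (120 and 108) fall into the mitigation band, and the internal wiki (8) is accepted. Transference and avoidance are not assigned by the score alone because they depend on whether insurance or a process change is available, which is a judgement the risk owner makes after seeing this ranking.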
Communication- Communication is an important part of managing information security risk. Regardless of how a risk is treated, communicating the decision plays an important role in the organization (Safa, Von Solms & Futcher, 2016). Stakeholders need to understand the cost of treating or not treating each risk and the reasoning behind the decision. Accountability and responsibility also need to be defined clearly: Cosmos should ensure that they lie with the correct individual and team within the company (Hoffmann, Kiedrowicz & Stanik, 2016), which in turn ensures that the right person performs the right task in the process.
Monitoring- Cosmos should first understand that information security risk management is an ongoing process. If Cosmos adopts a treatment plan that requires the implementation of a control, that control will need to be monitored on a continuous basis. The system also changes constantly, so the implementation of the control will need to change from time to time. The system's code will change with requirements, and a number of factors can cause a control to stop working months or years after its initial implementation (Da Veiga & Martins, 2015).
To ensure that the information security risk management process runs smoothly, Cosmos should define the roles of the different stakeholders along with the responsibilities tied to those roles, because a number of stakeholders are linked with the process and each has different responsibilities.
Process Owners- Cosmos already has a finance manager who oversees the finance-related processes of the company, and that finance team would typically own the Enterprise Risk Management (ERM) program. Cosmos also has a technical manager, who should be made responsible for feeding into the ERM program through the ISRM program. The team under the technical manager should be the one that persistently drives the ISRM process forward.
Risk Owners- Risk owners are the members of Cosmos who own an individual risk and who ultimately control the budget used to fix it. They are accountable for ensuring that the risk is treated as decided; in other words, whoever approves the budget for a risk also owns the risk (Modarres, 2016).
There are also various other stakeholders, in addition to risk owners, who are involved in or affected by the implementation of the chosen treatment plan, such as system engineers and administrators, system users, etc.
In short, Cosmos should ensure that its information security team, as process owner, drives the information security risk management process forward.
A number of issues may arise during the process of managing the information security risk.
Lack of accountability for risk decisions and lack of a risk decision-making structure- When the right people are not engaged in decision making, those who are engaged may not be comfortable making risk decisions. Cosmos should therefore develop a structure that ensures the right risk-based decisions are made by the right people, and should hold those people accountable for the good and bad consequences of their decisions. In other words, Cosmos should establish a risk governance structure that clearly defines the decision-making authority of every level in the organization, together with an oversight structure and an escalation path for risks that require monitoring and management (Zorz, 2014).
Lack of a meaningful risk assessment process- Some organizations conduct risk assessment in a superficial manner, while others do not apply the right skills to developing a meaningful risk assessment process. The lack of a meaningful process can create severe issues for Cosmos. A meaningful process is one that identifies risks on the basis of organizational goals and describes them in business terms, either qualitatively or quantitatively, using a common risk taxonomy (Layton, 2016).
A purely control-based (checklist) assessment does not give Cosmos the information it needs to make the right decisions. The issue can be overcome by adopting a goal-based strategy for risk management, which facilitates more effective risk mitigation and resource allocation and also saves money (Peltier, 2016).
Lack of an open, risk-aware culture- Managing information security risk becomes difficult if the culture of the organization is not transparent and is not aware of the risks to information security. Lack of awareness of the presence of risk can lead senior management to resist undertaking information security risk management at all.
Cosmos should build a culture in which all its managers, namely the Finance manager, HR manager, Technical manager and Publishing manager, together with the CEO, are willing to be transparent with their executives. Such transparency will secure the full support of the executives for implementing the processes that ensure information security risk is managed properly (Ghazouani, Faris, Medromi & Sayouti, 2014).
Execution of risk management rests on a set of risk management assumptions. The main assumption concerns the risk assessment methodology, which Cosmos must select carefully. The guidelines suggested here are based on the OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) methodology, a well-established methodology for managing information security risk (Lee, 2014) that is appropriate for Cosmos and flexible enough to adopt. OCTAVE is built around the notions of threat, vulnerability and impact/consequence (Talabis & Martin, 2012).
Another assumption is that certain factors influence the final risk level of the organization. These factors are the activities undertaken for:
Reduction of the probability of the occurrence of an incident (for example, security measures)
Reduction of the impact that will be caused by the incident (for example, recovery measures)
Another assumption is that a threat and a vulnerability are linked: a threat realizes a risk by exploiting a vulnerability, causing an incident with particular consequences. A specific threat (for example, a hacker) is not a danger until there is a vulnerability that it can exploit (for example, an unpatched operating system), and a vulnerability that no threat can reach carries little risk. The risk assessment methodology therefore assumes this dependency between threat and vulnerability, since the final risk level in each of Cosmos's risk scenarios is influenced by both factors.
Therefore, it can be concluded that it is important to protect the information of an organization against unauthorized disclosure, access, disruption, use, inspection, modification, destruction or recording. Information security is exposed to a number of risks for a variety of reasons. This report has provided guidelines for managing the information security risks of the organization Cosmos. Cosmos is recommended to follow International Standard ISO/IEC 27005:2011 for implementing its risk management approach. To manage information security risk properly, Cosmos should follow the stages of information security risk management in order. In the first stage, assets, threats and vulnerabilities are identified, followed by their assessment using one of the types of information security risk assessment described above. After assessment, Cosmos will be required to treat each risk by remediating, mitigating, avoiding, transferring or accepting it. The process does not end with treatment but requires communication of the decision to stakeholders and constant monitoring. Furthermore, Cosmos is recommended to define the roles of the different stakeholders along with the responsibilities tied to those roles.
A number of issues can arise during the process of managing information security risk and should be kept in mind while adopting the process. Execution of risk management rests on the risk management assumptions discussed in the later part of this report.
Agarwal, M., Campoe, A. and Pierce, E. 2014. Information Security and IT Risk Management. John Wiley and Sons.
Da Veiga, A. and Martins, N., 2015. Improving the information security culture through monitoring and implementation actions illustrated through a case study. Computers & Security, 49, pp.162-176.
Ghazouani, M., Faris, S., Medromi, H. and Sayouti, A., 2014. Information Security Risk Assessment--A Practical Approach with a Mathematical Formulation of Risk. International Journal of Computer Applications, 103(8).
Hoffmann, R., Kiedrowicz, M. and Stanik, J., 2016. Risk management system as the basic paradigm of the information security management system in an organization. In MATEC Web of Conferences (Vol. 76, p. 04010). EDP Sciences.
Hohan, A.I., Olaru, M. and Keppler, T., 2015. Integration Of Risk Management Practices In The Framework Of An Integrated Management System Environment-Health And Safety-Information Security. Calitatea, 16(S1), p.289.
International Organization for Standardization. 2011. Are information security risks threatening your business? New and improved ISO/IEC 27005 standard beefs up protection. [Online]. Available at: [Accessed on: 18 May 2018].
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. CRC Press.
Lee, M.C., 2014. Information security risk analysis methods and research trends: AHP and fuzzy comprehensive method. International Journal of Computer Science & Information Technology, 6(1), p.29.
Modarres, M., 2016. Risk analysis in engineering: techniques, tools, and trends. CRC press.
Peltier, T.R., 2010. Information security risk analysis. Auerbach publications.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Safa, N.S., Von Solms, R. and Futcher, L., 2016. Human aspects of information security in organisations. Computer Fraud & Security, 2016(2), pp.15-18.
Shameli-Sendi, A., Aghababaei-Barzegar, R. and Cheriet, M., 2016. Taxonomy of information security risk assessment (ISRA). Computers & security, 57, pp.14-30.
Shimeall, T. and Spring, J. 2013. Introduction to Information Security: A Strategic-Based Approach. Newnes.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Stamp, M. 2011. Information Security: Principles and Practice. John Wiley & Sons.
Talabis, M. and Martin, J. 2012. Information Security Risk Assessment Toolkit: Practical Assessments Through Data Collection and Data Analysis. Newnes.
Vacca, J. R. 2013. Managing Information Security. Elsevier.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & security, 44, pp.1-15.
Wheeler, E. 2011. Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Elsevier.
Whitman, M. E. and Mattord, H. J. 2017. Principles of Information Security. Cengage Learning.
Zorz, M. 2014. Risk management issues, challenges and tips. [Online]. Available at: [Accessed on: 18 May 2018].