Information technology risk assessment methods and improvement solutions
Abstract
The legal tools applied in the context of IT development fail to solve the problems facing society, and in some cases they hold back innovation. The intensity with which information systems and technologies are developing calls for highly flexible and adaptive approaches to cybersecurity. One of these approaches is IT risk assessment. Many methodologies are currently available for assessing the risk of cyber threats effectively. For an institution with many exposures, however, the correlation between different positions may be estimated incorrectly, and measuring even known risks is a common problem in risk assessment practice. In order to develop a simple IT risk assessment method, the article examines existing IT risk assessment methods, proposes solutions for IT risk assessment, and presents the results of their practical application.
Article in Lithuanian.
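The abstract's point that correlation between exposures is easy to get wrong can be made concrete with a small aggregation example. The following is an illustration added here, not code from the article: two annual loss events are modelled as Bernoulli indicators, the probabilities, impacts and correlation value are constructed for the example, and the joint probability for a given (phi) correlation is taken from the standard identity P(A and B) = p_a*p_b + rho*sqrt(p_a(1-p_a)p_b(1-p_b)). Expected annual loss is identical whether or not the two risks are assumed independent; the tail of the loss distribution is not.

```python
"""Aggregating two IT risk exposures with and without correlation.

Added illustration for the abstract above, not code from the article.
The scenario, probabilities, impacts and the correlation value are
constructed for the example.  Events are Bernoulli indicators; for
marginal probabilities p_a, p_b and (phi) correlation rho the joint
probability is

    P(A and B) = p_a*p_b + rho*sqrt(p_a*(1-p_a)*p_b*(1-p_b))

Expected annual loss is the same for every rho; the tail is not.
"""
import math
from typing import Dict, List, Tuple


def joint_probability(p_a: float, p_b: float, rho: float) -> float:
    """Probability that both loss events occur in the same year."""
    p_ab = p_a * p_b + rho * math.sqrt(p_a * (1 - p_a) * p_b * (1 - p_b))
    # A correlation that drives any of the four outcome cells negative is
    # not attainable for these marginals; reject it rather than silently
    # producing an invalid distribution.
    cells = (p_ab, p_a - p_ab, p_b - p_ab, 1 - p_a - p_b + p_ab)
    if any(c < -1e-12 for c in cells):
        raise ValueError(f"rho={rho} is infeasible for p_a={p_a}, p_b={p_b}")
    return p_ab


def loss_distribution(p_a: float, p_b: float, impact_a: float,
                      impact_b: float, rho: float) -> List[Tuple[float, float]]:
    """Annual loss outcomes as (loss, probability) pairs, sorted by loss."""
    p_ab = joint_probability(p_a, p_b, rho)
    outcomes = [
        (0.0, 1 - p_a - p_b + p_ab),      # neither event
        (float(impact_a), p_a - p_ab),    # only A
        (float(impact_b), p_b - p_ab),    # only B
        (float(impact_a + impact_b), p_ab),  # both in the same year
    ]
    return sorted(outcomes)


def expected_loss(dist: List[Tuple[float, float]]) -> float:
    """Mean annual loss; depends only on the marginals, never on rho."""
    return sum(loss * prob for loss, prob in dist)


def value_at_risk(dist: List[Tuple[float, float]], q: float) -> float:
    """Smallest loss L with P(loss <= L) >= q (the q-quantile)."""
    cumulative = 0.0
    for loss, prob in dist:
        cumulative += prob
        if cumulative >= q - 1e-12:
            return loss
    return dist[-1][0]


def compare(p_a: float, p_b: float, impact_a: float, impact_b: float,
            rho: float, q: float = 0.95) -> Dict[str, float]:
    """Same two exposures aggregated assuming independence and with rho."""
    independent = loss_distribution(p_a, p_b, impact_a, impact_b, 0.0)
    correlated = loss_distribution(p_a, p_b, impact_a, impact_b, rho)
    return {
        "expected_independent": expected_loss(independent),
        "expected_correlated": expected_loss(correlated),
        "var_independent": value_at_risk(independent, q),
        "var_correlated": value_at_risk(correlated, q),
        "p_both_independent": joint_probability(p_a, p_b, 0.0),
        "p_both_correlated": joint_probability(p_a, p_b, rho),
    }


if __name__ == "__main__":
    # Constructed scenario: A = multi-day outage of the core system,
    # B = failure to restore from backup.  Both are more likely in the
    # same year (shared root cause), so rho > 0 is the realistic case.
    result = compare(p_a=0.10, p_b=0.10, impact_a=500_000,
                     impact_b=400_000, rho=0.5)
    for key, value in result.items():
        print(f"{key:>22}: {value:,.4f}")
```

With the constructed figures the expected loss is 90,000 under both assumptions, but the probability of both events in one year rises from 1% to 5.5% and the 95% value at risk moves from 500,000 (one event) to 900,000 (both): an assessment that scores each exposure in isolation and sums the results reports the right average and the wrong worst case.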
Original title: Informacinių technologijų rizikos vertinimo metodai ir tobulinimo sprendimai
Summary (translated from the Lithuanian)
In the context of IT development, the legal measures applied are unable to solve the problems that society has to face; on the other hand, in certain cases the development of innovation is held back. The intensity of the development of information systems and technologies requires the application of highly flexible and adaptive methods for ensuring cybersecurity. One of these methods is IT risk assessment. There are currently many methodologies on the basis of which the risk of cyber threats could be assessed effectively. For an institution facing many risks, the correlation between different positions may be assessed incorrectly. The measurement of known risk is a common problem in risk assessment practice. In order to create a simple IT risk assessment method, the article examines existing IT risk assessment methods, proposes IT risk assessment solutions and presents the results of their practical application.
Keywords: IT risks, method, cybersecurity, vulnerabilities, threats
This work is licensed under a Creative Commons Attribution 4.0 International License.