This paper applies the information security model to primary data. Because of time and resource constraints, using an existing model is the only practical way to apply the conceptual framework to real-world data. Employees of the organization are given a set of questions and choose one of the available response options for each. Each indicator shown in Table 1 and Table 2 below is assigned a score, and a mathematical model is then used to determine the organization's final information security level.
1.2. ISMS Contexts
Questions are administered to measure the strength of each of the six ISMS factors in a college.
➢ Context of the college: It will determine external and internal issues that are
relevant to its purpose and that affect its ability to achieve the intended
outcome(s) of its information security management system.
➢ Leadership: This factor helps ensure that the information security management system requirements are integrated into the organization's processes, and that the importance of effective information security management and of conforming to the information security management system requirements is communicated.
➢ Planning and risk management: This factor helps to ensure the information
security management system can achieve its intended outcome(s). It also helps
to prevent, or reduce, undesired effects and achieve continual improvement. It
ensures that repeated information security risk assessments produce
consistent, valid and comparable results.
➢ Support and resources: This factor determines the necessary competence of person(s) doing work under the organization's control that affects its information security performance, and helps to retain appropriate documented information as evidence of competence.
➢ Operation and performance evaluation: The organization shall keep
documented information to the extent necessary to have confidence that the
processes have been carried out as planned. The organization shall control
planned changes and review the consequences of unintended changes, taking
action to mitigate any adverse effects, as necessary. The organization
determines what needs to be monitored and managed, including information
security processes and controls.
➢ Improvement: This factor evaluates the need for action to eliminate the causes of nonconformity.
Table 3 : Question Structure
S.No   Questionnaire based on   No. of questions
1      Context                  3
2      Leadership               4
6      Improvement              7
For calculation,

$$\text{Impact} = \text{level of estimated effect}$$

$$\text{Likelihood} = \frac{1}{n}\sum_{i=1}^{n} X_i$$

where $X_i$ is the score of the $i$-th indicator and $n$ is the number of indicators scored.
The final risk level is calculated by simply taking the average of the score of risk in each
criterion.
Hence,

$$\text{Final Risk Level} = \frac{1}{t}\sum_{i=1}^{t} \text{Risk}_i$$

Where:
t = total number of criteria of the questionnaire
$\text{Risk}_i$ = risk score of the $i$-th criterion
To analyze the risk level obtained from the above mathematical model, a risk threshold chart is used. The chart classifies the obtained risk value into a level of risk such as low risk, moderate risk or high risk.
The risk value obtained for each domain is labelled separately on the chart, which makes it easy to identify the stronger and weaker aspects of IT security.
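The scoring model described above, worked through in code. This is an added example, not code from the paper; it assumes that indicator scores are on a 1 to 5 scale, that an Impact value is supplied per criterion on the same scale, that the per-criterion risk score is Impact multiplied by Likelihood (the paper defines the two quantities separately without stating how they combine), and that the threshold chart uses the boundaries in `THRESHOLDS`. The sample scores are constructed and loosely resemble the values in Table 4; they are not survey data.

```python
"""Worked example of the questionnaire risk model described above.

Added illustration, not code from the original paper. Assumptions:
  - each indicator score X_i is on a 1..5 scale (Table 4 shows 2, 3, 4);
  - Impact for a criterion is supplied on the same 1..5 scale;
  - Risk_i = Impact_i * Likelihood_i, since the paper defines Impact and
    Likelihood separately but does not state how they are combined;
  - the threshold chart boundaries in THRESHOLDS are assumed.
"""

# Assumed threshold chart: (upper bound, inclusive, label), ascending order.
THRESHOLDS = [(5.0, "low"), (12.0, "moderate"), (25.0, "high")]


def likelihood(scores):
    """Likelihood = (X_1 + ... + X_n) / n over one criterion's indicator scores."""
    if not scores:
        raise ValueError("a criterion needs at least one indicator score")
    return sum(scores) / len(scores)


def criterion_risk(impact, scores):
    """Risk score of one criterion (assumed form: Impact * Likelihood)."""
    return impact * likelihood(scores)


def final_risk_level(criteria):
    """criteria maps criterion name -> (impact, [indicator scores]).

    Returns (final_risk, per_criterion): final_risk is the mean of the
    per-criterion risk scores, i.e. the sum over i = 1..t divided by t.
    """
    per_criterion = {
        name: criterion_risk(impact, scores)
        for name, (impact, scores) in criteria.items()
    }
    t = len(per_criterion)
    if t == 0:
        raise ValueError("no criteria supplied")
    return sum(per_criterion.values()) / t, per_criterion


def classify(risk):
    """Map a risk value onto the threshold chart; anything above the top band stays 'high'."""
    for upper, label in THRESHOLDS:
        if risk <= upper:
            return label
    return THRESHOLDS[-1][1]


def domain_labels(per_criterion):
    """Label each domain separately so strong and weak areas can be compared."""
    return {name: classify(risk) for name, risk in per_criterion.items()}


def weakest_domains(per_criterion, k=2):
    """Names of the k domains with the highest risk score, highest first."""
    ranked = sorted(per_criterion.items(), key=lambda item: item[1], reverse=True)
    return [name for name, _ in ranked[:k]]


# Constructed sample input: the six ISMS criteria with made-up impact values
# and indicator scores loosely resembling Table 4. Not real survey data.
SAMPLE = {
    "Context": (3, [3, 4, 2]),
    "Leadership": (4, [4, 3, 4, 3]),
    "Planning and risk management": (5, [2, 3]),
    "Support and resources": (3, [4, 2]),
    "Operation and performance evaluation": (4, [3, 2, 2]),
    "Improvement": (2, [2, 3]),
}

if __name__ == "__main__":
    final, per = final_risk_level(SAMPLE)
    for name, risk in per.items():
        print(f"{name:40s} risk={risk:6.2f} ({classify(risk)})")
    print(f"final risk level = {final:.2f} -> {classify(final)}")
    print("weakest domains:", weakest_domains(per))
```

With the sample above, Leadership (14.0) and Planning and risk management (12.5) fall in the assumed high band while Improvement (5.0) is low, and the overall level (about 9.81) is moderate; changing the assumed threshold boundaries or the way Impact and Likelihood are combined changes those labels, which is why both are kept explicit at the top of the block.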
Table 4 : Score of the Contexts
Indicator                                   Score
SECURITY TEAM
Leadership                                  4
BROWSING OR DOWNLOAD FROM TRUSTED SITES     3
INTERNET CONNECTION                         2
AMOUNT SPENT ON ANTI-VIRUS                  4
PENETRATION TESTING                         2
Improvement
DIFFICULTY IN CONVINCING                    2