IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach


Gunnar Wahlgren (Department of Computer and Systems Sciences, Stockholm University, Kista, Sweden) and Stewart Kowalski (Department of Computer and Systems Sciences, Stockholm University, Kista, Sweden)
Copyright: © 2013 |Pages: 19
DOI: 10.4018/ijeei.2013100101

Abstract

The authors combined the ISO 27005 framework for IT Security Risk Management with the NIST Multitier framework. With this combined framework the authors create a new approach to IT Security Risk Management in which IT Security Risk Management is placed at the strategic, tactical and operational levels of an organization. In this paper the authors concentrate on the monitoring and communication steps of IT Security Risk Management, and especially on the escalation of new IT Security Incidents. The authors present a first draft of an IT Security Risk Escalation Capability Maturity Model based on ISACA's Risk IT Framework. Finally, the authors apply the approach to a typical cloud computing environment as a first step in evaluating this new approach.
Article Preview

In this section we present the different fields that are related to this paper, with a short description of how each field relates to the paper and some examples of tools and frameworks used within it. The different fields are outlined in Figure 1.

Figure 1. Related works in the cloud computing and IT security risk management area

IT Security Risk Management

IT Security Risk Management is a part of Information Security Management, which in turn is related to IT Security Governance. The International Standard Organization (ISO) has established a standard for Information Security Management Systems (ISMS), described in ISO 27001 (ISO/IEC, 2005) and related documents, which together represent one of the main sources in the area. The concept of IT Security Governance is described in Guidance for Information Security Managers (ITGI, 2008) and in the Risk IT Framework (ISACA, 2009).

As a part of Information Security Management, ISO has also established a standard for IT Security Risk Management (ISO/IEC 27005, 2008).

The National Institute of Standards and Technology (NIST) has introduced a framework for Enterprise-wide Risk Management using three different levels (Tiers), from which one can look at the organization from different views. The Multitier concept is described in a number of NIST Special Publications (NIST 800-30, 2011; NIST 800-37, 2010; NIST 800-39, 2011; NIST 800-137, 2011).

ENISA has published a survey of Risk Management methods in which a total of 13 methods were considered (ENISA, 2005). The survey includes a number of methods but excludes general management-oriented methods such as COBIT and Basel II, as well as product- or system-security-oriented methods such as Common Criteria. Examples of some well-known methods are presented below.
