Security Risk Management
VerifiedAdded on 2023/04/24
|13
|2432
|197
AI Summary
This report discusses the risk analysis processes in relation to the combination of quantitative and qualitative methodologies. Learn about risk assessment and risk management in the IT sector with Desklib's Security Risk Management guide. Get insights on the risk analysis process, threat analysis, vulnerability assessment, and risk management considerations.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
Running Head: RISK ASSESSMENT & RISK MANAGEMENT 0
Security Risk Management
Student detail
3/6/2019
Security Risk Management
Student detail
3/6/2019
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Risk Assessment & Risk Management 1
Contents
Introduction................................................................................................................................2
Risk Analysis for IT Sector........................................................................................................2
Risk Management Process.....................................................................................................3
Risk Analysis Process............................................................................................................4
............................................................................................................................................5
Analysing Threats..............................................................................................................5
Assessing Vulnerabilities...................................................................................................6
Evaluating Consequences...................................................................................................7
Risk Management Considerations..............................................................................................7
Conclusion..................................................................................................................................9
References................................................................................................................................10
Contents
Introduction................................................................................................................................2
Risk Analysis for IT Sector........................................................................................................2
Risk Management Process.....................................................................................................3
Risk Analysis Process............................................................................................................4
............................................................................................................................................5
Analysing Threats..............................................................................................................5
Assessing Vulnerabilities...................................................................................................6
Evaluating Consequences...................................................................................................7
Risk Management Considerations..............................................................................................7
Conclusion..................................................................................................................................9
References................................................................................................................................10
Risk Assessment & Risk Management 2
Introduction
Information Technology has become significant in the present scenario, and this is the reason
that managers of an organization are becoming more concerned about the risk management in
the IT sector. Recently various companies suffer losses due to the problems occurred in their
refined information systems and also grabbed the attention of the managers. Various
quantitative and qualitative risk analysis methodologies are adopted by managers to avoid or
eliminate these losses (QLD, 2019). This report discusses the risk analysis processes in
relation to the combination of quantitative and qualitative methodologies. This process will
provide risk posture for the overall information system of the organization in a better way.
This proposed method will also help the practicing managers to develop and formulate new
risk analysis methods as well as provide a framework for the evaluation of the existing risk
analysis procedures (Willcocks, 2013).
Risk Analysis for IT Sector
To manage the daily operations and to achieve the strategic objectives of an organization,
information technology resources play an essential role. Therefore, risk management has an
essential role in the context of the resources of the IT sector. As companies are becoming
more dependent on IT resources, so it can be critical for them to bear the consequences of IT
assets loss. Risk management for IT resources is a fresh field which is actually an extension
of management's concern for the entire risk posture of the organization (Ahlan & Arshad,
2012). IT risk management focuses on the reduction of expected cost of loss through the
selection and implementation of prime security measures combination.
Introduction
Information Technology has become significant in the present scenario, and this is the reason
that managers of an organization are becoming more concerned about the risk management in
the IT sector. Recently various companies suffer losses due to the problems occurred in their
refined information systems and also grabbed the attention of the managers. Various
quantitative and qualitative risk analysis methodologies are adopted by managers to avoid or
eliminate these losses (QLD, 2019). This report discusses the risk analysis processes in
relation to the combination of quantitative and qualitative methodologies. This process will
provide risk posture for the overall information system of the organization in a better way.
This proposed method will also help the practicing managers to develop and formulate new
risk analysis methods as well as provide a framework for the evaluation of the existing risk
analysis procedures (Willcocks, 2013).
Risk Analysis for IT Sector
To manage the daily operations and to achieve the strategic objectives of an organization,
information technology resources play an essential role. Therefore, risk management has an
essential role in the context of the resources of the IT sector. As companies are becoming
more dependent on IT resources, so it can be critical for them to bear the consequences of IT
assets loss. Risk management for IT resources is a fresh field which is actually an extension
of management's concern for the entire risk posture of the organization (Ahlan & Arshad,
2012). IT risk management focuses on the reduction of expected cost of loss through the
selection and implementation of prime security measures combination.
Risk Assessment & Risk Management 3
Risk Management Process
The aim of risk management is to analyze the combination which is optimum for loss
prevention and reasonable cost for every organization. The opportunity of impacting an asset
by threat is known as vulnerability (NIST, 2008). When an asset is vulnerable to threat then
there would be more chances of risk. IT assets include software, hardware, personnel, data,
and facilities (Taylor et al., 2012). Below table describes the threats associated with the
information technology sector which originate from various unauthorized access, physical
sources, internal and external sources, and authorized access.
Physical Threats Unauthorized Physical or
Electronic Access
Authorized Physical or
Electronic Access
1. Equipment failure
2. Air contaminants
3. Humidity
4. Power interruption
5. Fire
6. Personnel’s injury or
death
7. Weather
8. Personnel turnover
9. Damage to equipment
or facility by humans
1. Microcomputer theft
2. Hackers
3. Phantom nodes on
network
4. Theft of data
5. Viruses, bombs,
worms
6. Software piracy
7. Modification,
disclosure, and
destruction of data
8. Voice mail fraud
9. EDI fraud
1. Obsolete od outdated
I/S applications
portfolio
2. Increase in end-user
computing
The cycle of risk management starts with the process of risk analysis which analyses assets of
IT, threats and vulnerabilities of those assets. There are two reasons related to the risk
management process (FHFA, 2017). Firstly, new external threats keep on generating for IT
assets due to the altering environment and secondly, new internal threats to IT assets due to
the audit process and security surveillance (QLD, 2019). Therefore, it is important for
management to analyze the organization's exposure to loss periodically. Below figure shows
the risk management cycle:
Risk Management Process
The aim of risk management is to analyze the combination which is optimum for loss
prevention and reasonable cost for every organization. The opportunity of impacting an asset
by threat is known as vulnerability (NIST, 2008). When an asset is vulnerable to threat then
there would be more chances of risk. IT assets include software, hardware, personnel, data,
and facilities (Taylor et al., 2012). Below table describes the threats associated with the
information technology sector which originate from various unauthorized access, physical
sources, internal and external sources, and authorized access.
Physical Threats Unauthorized Physical or
Electronic Access
Authorized Physical or
Electronic Access
1. Equipment failure
2. Air contaminants
3. Humidity
4. Power interruption
5. Fire
6. Personnel’s injury or
death
7. Weather
8. Personnel turnover
9. Damage to equipment
or facility by humans
1. Microcomputer theft
2. Hackers
3. Phantom nodes on
network
4. Theft of data
5. Viruses, bombs,
worms
6. Software piracy
7. Modification,
disclosure, and
destruction of data
8. Voice mail fraud
9. EDI fraud
1. Obsolete od outdated
I/S applications
portfolio
2. Increase in end-user
computing
The cycle of risk management starts with the process of risk analysis which analyses assets of
IT, threats and vulnerabilities of those assets. There are two reasons related to the risk
management process (FHFA, 2017). Firstly, new external threats keep on generating for IT
assets due to the altering environment and secondly, new internal threats to IT assets due to
the audit process and security surveillance (QLD, 2019). Therefore, it is important for
management to analyze the organization's exposure to loss periodically. Below figure shows
the risk management cycle:
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Risk Assessment & Risk Management 4
Source: (Irfandhi, 2016)
The first step in the process of risk management is to determine the appropriate security
measure by the management then the process of its installation started. After installation,
surveillance and audit process is applied through evaluation and testing of the IT security
system (IT-SCC, 2011).
Risk Analysis Process
It is the method of determining and examining the threats which are faced by IT assets and
assets' vulnerability to the risks of an organization. On the basis of risk analysis, risk
Source: (Irfandhi, 2016)
The first step in the process of risk management is to determine the appropriate security
measure by the management then the process of its installation started. After installation,
surveillance and audit process is applied through evaluation and testing of the IT security
system (IT-SCC, 2011).
Risk Analysis Process
It is the method of determining and examining the threats which are faced by IT assets and
assets' vulnerability to the risks of an organization. On the basis of risk analysis, risk
Risk Assessment & Risk Management 5
management decisions are made (DHS, 2019). There are two categories for risk analysis
methodologies: quantitative or qualitative. Below figure shows the risk analysis process:
Risk Analysis Process
Analysing Threats
To analyze the traditional and manmade deliberate threats, motives, intentions, and
capabilities of compromising a given target of an actor are identified. These approaches of
threat analysis depend on present intelligence, previous data, and analysts' speculation to
calculate threats (Talet et al., 2014). The traditional approach of threat assessment for the
analysis of threats to the IT sector is not sufficient because it is not easy to trace or identify
the actors who attack deliberately or unintentionally and can go from formation to
exploitation within few hours (DHS, 2011). Threat analysis approach of IT sector considers
threats that have national significance depending on the capability of threat. The main focus
of the IT sector is on the capability of the threat to exploit vulnerabilities before recognizing
actors due to the difficulty in determining threat actors (Alcantara & Melgar, 2016).
Identification and analysis of assets
Identification and analysis of threats
Identification and analysis of
Vulnerability
Risk analysis
management decisions are made (DHS, 2019). There are two categories for risk analysis
methodologies: quantitative or qualitative. Below figure shows the risk analysis process:
Risk Analysis Process
Analysing Threats
To analyze the traditional and manmade deliberate threats, motives, intentions, and
capabilities of compromising a given target of an actor are identified. These approaches of
threat analysis depend on present intelligence, previous data, and analysts' speculation to
calculate threats (Talet et al., 2014). The traditional approach of threat assessment for the
analysis of threats to the IT sector is not sufficient because it is not easy to trace or identify
the actors who attack deliberately or unintentionally and can go from formation to
exploitation within few hours (DHS, 2011). Threat analysis approach of IT sector considers
threats that have national significance depending on the capability of threat. The main focus
of the IT sector is on the capability of the threat to exploit vulnerabilities before recognizing
actors due to the difficulty in determining threat actors (Alcantara & Melgar, 2016).
Identification and analysis of assets
Identification and analysis of threats
Identification and analysis of
Vulnerability
Risk analysis
Risk Assessment & Risk Management 6
Threat capability for the IT sector is defined as the ease of usage and accessibility of methods
or tools that can be used to abolish, interrupt, or mutilation critical functions. As the
capability of natural threats is inherent, hence natural threats that have national significance
would be considered (DHS, 2009). For intentional manmade threats, the approach based on
capability is applied differently. Due to the high reliance of the IT sector on human skill sets
and interaction, it is also vulnerable to unintentional manmade threat (Patterson, 2015).
Assessing Vulnerabilities
The approach for vulnerability analysis considers technology, people, physical, and process
vulnerabilities which affect integrity, privacy, or accessibility of important process if
exploited. Four consistent criteria are used to assess vulnerabilities for manmade
unintentional and deliberate threats such as the extent of exposure, simplicity, applicability,
and availability (NIST, 2012). From the given table2 below, it is clear that a very slight
difference exists among factors related to each threat type. Also, availability and extent to
exposure factors do not exist for assessing vulnerabilities in relation to the natural threats.
Vulnerability factors also define the nature of vulnerability (availability and simplicity) in the
infrastructure isolation and the relationship between the vulnerability and the threat (the
extent to exposure and applicability) (Patterson, 2015).
Table 2: Vulnerability Factors IT Sector Risk Assessment Methodology
Manmade deliberate Manmade Unintentional Natural
Applicability:Alignment
level of vulnerability and
threat (based on the
capabilities, intent, and
operational constraint of
threat)
Availability: The time period
for which the vulnerabilities
are able to be exploited.
Extent of Exposure:
Identifiable and discoverable
Applicability: Alignment
level of vulnerability and
threat (based on the
capabilities, intent, and
operational constraint of
threat)
Availability: The time period
for which the vulnerabilities
are able to be exploited.
Extent of Exposure:
Identifiable and discoverable
Applicability: Alignment
level of vulnerability and
threat (based on the
capabilities, intent, and
operational constraint of
threat)
Availability: The time period
for which the vulnerabilities
are able to be exploited.
Threat capability for the IT sector is defined as the ease of usage and accessibility of methods
or tools that can be used to abolish, interrupt, or mutilation critical functions. As the
capability of natural threats is inherent, hence natural threats that have national significance
would be considered (DHS, 2009). For intentional manmade threats, the approach based on
capability is applied differently. Due to the high reliance of the IT sector on human skill sets
and interaction, it is also vulnerable to unintentional manmade threat (Patterson, 2015).
Assessing Vulnerabilities
The approach for vulnerability analysis considers technology, people, physical, and process
vulnerabilities which affect integrity, privacy, or accessibility of important process if
exploited. Four consistent criteria are used to assess vulnerabilities for manmade
unintentional and deliberate threats such as the extent of exposure, simplicity, applicability,
and availability (NIST, 2012). From the given table2 below, it is clear that a very slight
difference exists among factors related to each threat type. Also, availability and extent to
exposure factors do not exist for assessing vulnerabilities in relation to the natural threats.
Vulnerability factors also define the nature of vulnerability (availability and simplicity) in the
infrastructure isolation and the relationship between the vulnerability and the threat (the
extent to exposure and applicability) (Patterson, 2015).
Table 2: Vulnerability Factors IT Sector Risk Assessment Methodology
Manmade deliberate Manmade Unintentional Natural
Applicability:Alignment
level of vulnerability and
threat (based on the
capabilities, intent, and
operational constraint of
threat)
Availability: The time period
for which the vulnerabilities
are able to be exploited.
Extent of Exposure:
Identifiable and discoverable
Applicability: Alignment
level of vulnerability and
threat (based on the
capabilities, intent, and
operational constraint of
threat)
Availability: The time period
for which the vulnerabilities
are able to be exploited.
Extent of Exposure:
Identifiable and discoverable
Applicability: Alignment
level of vulnerability and
threat (based on the
capabilities, intent, and
operational constraint of
threat)
Availability: The time period
for which the vulnerabilities
are able to be exploited.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Risk Assessment & Risk Management 7
extent of vulnerabilities.
Simplicity: Difficulty level of
vulnerabilities exploitation.
extent of vulnerabilities.
Simplicity: Difficulty level of
vulnerabilities exploitation.
Evaluating Consequences
The consequence framework is the same for all types of threats. First order impacts such as
reliability, privacy, and accessibility of important functions as well as the second order affect
the cascade to users using the four consequence factors derived from HSPD-7 are assessed by
this framework (Protiviti, 2019).
Risk Management Considerations
The risks associated with the IT Sector functions are characterized by likelihood and
consequence in order to define priorities for mitigating and managing risks (DHS, 2011).
Below given table shows the likelihood and consequence of risks for each function as
negligible, low, medium, or high.
IT Sector Function Risks of Concern Mitigations
(Existing, Being Increased,
or Potential Future)
Develop and provide IT
services and Products
Construction and
circulation of not
trustworthy service or
product through a
manmade deliberate
attack on
vulnerability of
supply chain.
(Likelihood: Low;
Consequence: High)
Resiliency of supply
chain through process
controls and
redundancy- Existing
Mitigation
Strategies’ sourcing-
Existing Mitigation
Recall of product by
timely response and
situational awareness
to negotiated
production- Existing
Mitigation.
Provide Services of Domain
Name Resolution
A manmade attack
breakdown a single
interoperable internet
resulting in
governance policy’s
failure.
(Likelihood: Medium;
Continuous
monitoring and
quality enhancement
processes of DNS
infrastructure-
Existing Mitigation.
Anycast’s
extent of vulnerabilities.
Simplicity: Difficulty level of
vulnerabilities exploitation.
extent of vulnerabilities.
Simplicity: Difficulty level of
vulnerabilities exploitation.
Evaluating Consequences
The consequence framework is the same for all types of threats. First order impacts such as
reliability, privacy, and accessibility of important functions as well as the second order affect
the cascade to users using the four consequence factors derived from HSPD-7 are assessed by
this framework (Protiviti, 2019).
Risk Management Considerations
The risks associated with the IT Sector functions are characterized by likelihood and
consequence in order to define priorities for mitigating and managing risks (DHS, 2011).
Below given table shows the likelihood and consequence of risks for each function as
negligible, low, medium, or high.
IT Sector Function Risks of Concern Mitigations
(Existing, Being Increased,
or Potential Future)
Develop and provide IT
services and Products
Construction and
circulation of not
trustworthy service or
product through a
manmade deliberate
attack on
vulnerability of
supply chain.
(Likelihood: Low;
Consequence: High)
Resiliency of supply
chain through process
controls and
redundancy- Existing
Mitigation
Strategies’ sourcing-
Existing Mitigation
Recall of product by
timely response and
situational awareness
to negotiated
production- Existing
Mitigation.
Provide Services of Domain
Name Resolution
A manmade attack
breakdown a single
interoperable internet
resulting in
governance policy’s
failure.
(Likelihood: Medium;
Continuous
monitoring and
quality enhancement
processes of DNS
infrastructure-
Existing Mitigation.
Anycast’s
Risk Assessment & Risk Management 8
Consequence: High)
Manmade Denial-of-
service attack on the
large scale DNS
infrastructure.
(Likelihood: Low;
Consequence: High)
provisioning and use-
existing Mitigation.
Protection enhanced
resiliency and
redundancy and
infrastructure
diversity- Being
enhanced Mitigation.
Provide internet based
services such as information,
content, and communications
Manmade
unintentional threats
in services of internet
content resulting in e-
commerce
capabilities loss.
(Likelihood:
Negligible;
Consequence: High)
Access and policy
controls- Existing
Mitigation
Training of security
for small business and
users- Being
enhanced Mitigation
Improve the rerouting
capabilities of IT
sectors and
communications-
Potential future
Mitigation.
Provide services of internet
access, routing, and
connection
Manmade deliberate
attack on the routing
infrastructure of
internet resulting in
loss of routing
capabilities.
(Likelihood: Low;
Consequence: High)
Improved routers-
Existing mitigation
Receptiveness to
internet traffic
increment- Being
enhanced mitigation
Increment in the
physical security of
internet exchange
points and network
access points- Being
enhanced mitigation
Provide Incident
Management Capabilities
A natural threat
impacts the detection
abilities due to lack of
data accessibility.
(Likelihood: Medium;
Consequence: High)
Coordination
capabilities and
incident response at
national-level-
Existing Mitigation
Workforce and
infrastructure
diversity- Existing
Mitigation
Developing common
situational awareness
through information
sharing
improvements-
Existing Mitigation
Consequence: High)
Manmade Denial-of-
service attack on the
large scale DNS
infrastructure.
(Likelihood: Low;
Consequence: High)
provisioning and use-
existing Mitigation.
Protection enhanced
resiliency and
redundancy and
infrastructure
diversity- Being
enhanced Mitigation.
Provide internet based
services such as information,
content, and communications
Manmade
unintentional threats
in services of internet
content resulting in e-
commerce
capabilities loss.
(Likelihood:
Negligible;
Consequence: High)
Access and policy
controls- Existing
Mitigation
Training of security
for small business and
users- Being
enhanced Mitigation
Improve the rerouting
capabilities of IT
sectors and
communications-
Potential future
Mitigation.
Provide services of internet
access, routing, and
connection
Manmade deliberate
attack on the routing
infrastructure of
internet resulting in
loss of routing
capabilities.
(Likelihood: Low;
Consequence: High)
Improved routers-
Existing mitigation
Receptiveness to
internet traffic
increment- Being
enhanced mitigation
Increment in the
physical security of
internet exchange
points and network
access points- Being
enhanced mitigation
Provide Incident
Management Capabilities
A natural threat
impacts the detection
abilities due to lack of
data accessibility.
(Likelihood: Medium;
Consequence: High)
Coordination
capabilities and
incident response at
national-level-
Existing Mitigation
Workforce and
infrastructure
diversity- Existing
Mitigation
Developing common
situational awareness
through information
sharing
improvements-
Existing Mitigation
Risk Assessment & Risk Management 9
Conclusion
Therefore, from the above discussion, it can be concluded that the major challenge faced by
IT project managers is identification and actions for potential risks. The risks to the IT sector
are identified in three categories: physical, unauthorized, and authorized threats. The risk
management process is cyclic due to changing environment resulting in the generation of
external threats and internal threats due to surveillance and audit processes.
Conclusion
Therefore, from the above discussion, it can be concluded that the major challenge faced by
IT project managers is identification and actions for potential risks. The risks to the IT sector
are identified in three categories: physical, unauthorized, and authorized threats. The risk
management process is cyclic due to changing environment resulting in the generation of
external threats and internal threats due to surveillance and audit processes.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Risk Assessment & Risk Management 10
References
Ahlan, A.R. & Arshad, Y. (2012). Information Technology Risk Management: The case of
the International Islamic University Malaysia. Journal Of Research And Innovation In
Information Systems, 1, 58-67.
Alcantara, M. & Melgar, A. (2016). Risk management in information security: a systematic
review. Journal of Advances in Information Technology, 7(1).
DHS. (2009). Information Technology Sector Baseline Risk Assessment. Retrieved
from:https://www.dhs.gov/xlibrary/assets/nipp_it_baseline_risk_assessment.pdf.
DHS.(2011). Risk Management Strategy for the Provide Domain Name Resolution Services
Critical Function. Retrieved from: https://www.dhs.gov/xlibrary/assets/it-sector-risk-
management-strategy-domain-name-resolution-services-june2011.pdf.
DHS .(2019). Information Technology Sector. Retrieved from
https://www.dhs.gov/cisa/information-technology-sector.
FHFA. (2017). Information Technology Risk Management Program. Retrieved from
https://www.fhfa.gov/SupervisionRegulation/Documents/Information_Technology_Ri
sk_Management_Program_Module_Final_Version_1.1.pdf.
Irfandhi, K. (2016). Risk Management in Information Technology Project: An Empirical
Study. ComTech: Computer, Mathematics and Engineering Applications, 7(3), 191-99.
IT-SCC .(2011). Risk Management Strategy – Internet Routing, Access and connection
services. Retrieved from
https://www.it-scc.org/uploads/4/7/2/3/47232717/itsrm_for_internet_routing_report_ju
ly20_v3.pdf.
References
Ahlan, A.R. & Arshad, Y. (2012). Information Technology Risk Management: The case of
the International Islamic University Malaysia. Journal Of Research And Innovation In
Information Systems, 1, 58-67.
Alcantara, M. & Melgar, A. (2016). Risk management in information security: a systematic
review. Journal of Advances in Information Technology, 7(1).
DHS. (2009). Information Technology Sector Baseline Risk Assessment. Retrieved
from:https://www.dhs.gov/xlibrary/assets/nipp_it_baseline_risk_assessment.pdf.
DHS.(2011). Risk Management Strategy for the Provide Domain Name Resolution Services
Critical Function. Retrieved from: https://www.dhs.gov/xlibrary/assets/it-sector-risk-
management-strategy-domain-name-resolution-services-june2011.pdf.
DHS .(2019). Information Technology Sector. Retrieved from
https://www.dhs.gov/cisa/information-technology-sector.
FHFA. (2017). Information Technology Risk Management Program. Retrieved from
https://www.fhfa.gov/SupervisionRegulation/Documents/Information_Technology_Ri
sk_Management_Program_Module_Final_Version_1.1.pdf.
Irfandhi, K. (2016). Risk Management in Information Technology Project: An Empirical
Study. ComTech: Computer, Mathematics and Engineering Applications, 7(3), 191-99.
IT-SCC .(2011). Risk Management Strategy – Internet Routing, Access and connection
services. Retrieved from
https://www.it-scc.org/uploads/4/7/2/3/47232717/itsrm_for_internet_routing_report_ju
ly20_v3.pdf.
Risk Assessment & Risk Management 11
NIST (2008). Risk Management Guide for Information Technology Systems. Retrieved from
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/
nist800-30.pdf.
NIST.(2012). Information Security. Retrieved from
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf.
Patterson, T. ( 2015). The Use of Information Technology in Risk Management. Retrieved
from
https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/
downloadabledocuments/asec-whitepapers/risk-technology.pdf.
Protiviti. (2019). Technology Risk Management 2.0. Retrieved from
https://www.protiviti.com/sites/default/files/united_states/insights/technology-risk-
management-2.0-a-new-approach-protiviti.pdf.
QLD.( 2019). Information Technology (IT) Risk Management. Retrieved from
https://www.business.qld.gov.au/running-business/protecting-business/risk-
management/it-risk-management.
Talet, A.N., Mat-Zin, R. & Houari, M. (2014). Risk management and information technology
projects. International Journal of Digital Information and Wireless Communications,
4(1),1-10.
Taylor, H., Artman, E. & Woelfer, J.P.(2012). Information technology project risk
management: bridging the gap between research and practice. Journal of Information
Technology, 27(1), 17-34.
Willcocks, L. (2013). Information management: the evaluation of information systems
investments. Berlin: Springer.
NIST (2008). Risk Management Guide for Information Technology Systems. Retrieved from
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/
nist800-30.pdf.
NIST.(2012). Information Security. Retrieved from
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf.
Patterson, T. ( 2015). The Use of Information Technology in Risk Management. Retrieved
from
https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/
downloadabledocuments/asec-whitepapers/risk-technology.pdf.
Protiviti. (2019). Technology Risk Management 2.0. Retrieved from
https://www.protiviti.com/sites/default/files/united_states/insights/technology-risk-
management-2.0-a-new-approach-protiviti.pdf.
QLD.( 2019). Information Technology (IT) Risk Management. Retrieved from
https://www.business.qld.gov.au/running-business/protecting-business/risk-
management/it-risk-management.
Talet, A.N., Mat-Zin, R. & Houari, M. (2014). Risk management and information technology
projects. International Journal of Digital Information and Wireless Communications,
4(1),1-10.
Taylor, H., Artman, E. & Woelfer, J.P.(2012). Information technology project risk
management: bridging the gap between research and practice. Journal of Information
Technology, 27(1), 17-34.
Willcocks, L. (2013). Information management: the evaluation of information systems
investments. Berlin: Springer.
Risk Assessment & Risk Management 12
1 out of 13
Related Documents
![[object Object]](/_next/image/?url=%2F_next%2Fstatic%2Fmedia%2Flogo.6d15ce61.png&w=640&q=75){kind=small}
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.