Comprehensive IT/IS Risk Management Report for Caduceus Partners

Added on 2020/04/07
AI Summary
This report provides a comprehensive analysis of IT/IS risk management for Caduceus Partners Pty Ltd, an infrastructural service provider to the medical sector. The report identifies and assesses various threats and vulnerabilities, including technical, operational, and managerial risks. It emphasizes the importance of a robust risk mitigation framework, specifically the ISO/IEC 27001 standard, to protect sensitive data and ensure business continuity. The analysis includes data collection and impact evaluation methodologies, such as quantitative and qualitative approaches. Furthermore, the report examines legal and regulatory requirements related to IT/IS security, concluding with recommendations for enhancing the organization's risk management practices. The study provides solutions for risks and produces an effective risk analysis.
Running head: IT/IS RISK MANAGEMENT
IT/IS Security Management
Name of the Student
Name of the University
Author Note
Table of Contents
Introduction (p. 2)
Usage of Salient Features of an Established Risk Mitigation Framework (p. 2)
Identification and Analysis of the Threats and Vulnerabilities within Caduceus (p. 5)
  The Technical Threats (p. 5)
  The Operational Threats (p. 6)
  Managerial Risks (p. 7)
Impact Analysis (p. 7)
  Data Collection and Analysis (p. 7)
  Planning Data Collection and Analysis (p. 8)
  Data Collection (p. 9)
  Quantitative and Qualitative Approaches in Impact Evaluation (p. 9)
  Threats, Risk and Vulnerabilities Assessment (p. 11)
  Risk Severity Matrix (p. 16)
Legal and Regulatory Requirements (p. 16)
Conclusion (p. 18)
References (p. 20)
Introduction
Caduceus Partners Pty Ltd, Australia, also known as Caduceus, specializes in supplying infrastructure services to the medical sector. It comprises a Strategic IS/IT division, the team responsible for overseeing the IT infrastructure, and it actively looks for the latest technologies and applications that bring value to the organization.
Internet security management at Caduceus is the set of procedures and policies for managing the organization's sensitive data systematically. The aim is to minimize risk and assure business continuity by proactively limiting the effect of a security breach.
This report identifies the key risks, threats and vulnerabilities and their effect on Caduceus. It determines the future scope of risk management and the security risk mitigation procedures. The study provides solutions for the risks and produces an effective risk analysis.
Usage of Salient Features of an Established Risk Mitigation Framework:
A risk management framework for the IS/IT Risk Management Project needs to be developed to eradicate the risks related to the development or adoption of the technologies. The framework is intended to deal with the variation of risks from the nominal values inherent in any manufacturing process. To mitigate the risks, the processes and products should be characterized clearly (Shamala, Ahmad and Mariana 2013). Simulations are helpful tools for modeling the behavior of the process and the product, and the outcomes of numerical simulations help in recognizing the optimal design and conditions. Despite this, the uncertainties present in the product and process parameters, and their effect on the capability and performance of the related products in manufacturing, must still be evaluated, and the related risks for the basic parameters are to be decreased or mitigated completely by the framework.
In this report the ISO/IEC 27001 standard is chosen to govern the selection of controls addressing the multiple risks. It is an internationally recognized framework that can help Caduceus to protect and manage its data resources so that they stay secure and safe (Safa, Von and Furnell 2016). It helps to continually review and refine what is done, not only for the present but also for the future. In this way ISO/IEC 27001 can protect the business of Caduceus along with its reputation while adding value. As documented, the framework was created with the intention of delivering a model to establish, implement, operate, monitor, review, maintain and develop the IS/IT management system (Safa et al. 2015). It uses a risk-based, top-down approach and is technologically neutral in nature. The specification defines the following planning process:
Defining the security policy.
Defining the scope of the ISMS.
Conducting the risk assessment.
Managing the identified risks.
Selecting the control objectives and controls for implementation.
Preparing the statement of applicability (Ogutcu, Testik and Chouseinoglou 2016).
The above specification includes details on documentation, management, roles, continual improvement, internal audits, and preventive and corrective actions. The standard requires cooperation among every section of Caduceus.
The standard does not mandate particular information security controls. However, it provides a checklist of controls to be considered, drawn from the code of practice in ISO/IEC 27002:2005. The latter describes a comprehensive set of information security control objectives and sets out the generally accepted good practice for security controls.
The ISMS is the system of documents, processes, technology and individuals that helps to monitor, manage, improve and audit the information security of Caduceus. It helps to keep security practices in place cost-effectively and consistently (Cheng et al. 2013).
An ISO 27001-compliant ISMS depends on regular risk assessments (Carter and Zheng 2015). Thus it is helpful in recognizing and controlling security threats in line with the risk appetite and tolerance of Caduceus.
Identification and Analysis of the Threats and Vulnerabilities within Caduceus
The Technical Threats
Threat: Description
Inadequate procedure: Foreseeable events are not supported by accurate and complete training and documentation.
Improper operation: Equipment is operated beyond the capacity constraints set by the manufacturer (Siponen, Mahmood and Pahnila 2014).
Improper hardware configuration: The prescribed hardware is configured in a manner other than the proposed one during installation.
Improper software configuration: The suggested software is configured in a manner other than the prescribed one during installation.
Unauthorized logical access: Using the system where no access is authorized (Fenz et al. 2014).
Malfeasance: Using the system beyond what has been authorized.
Exceeding licensing or unsanctioned use: Using authorized system resources for unauthorized purposes.
Over or under classification: Labeling resources at an improper level of sensitivity for Caduceus.
Malicious software: Software whose purpose is to degrade the performance of the system, destroy or modify data, or subvert security in any way.
The operational threats
Threat: Description
Cyber risk and data security: Cyber criminals do not discriminate between companies on the basis of location and size (Peltier 2016).
Regulation: Regulatory change has not been consistent over the last few years, and it is the top-most risk for any company. With the changes come elevated operational risks, which need to be managed appropriately for IS/IT management.
Outsourcing: It is cheaper but has various downsides. One of the key risks is reputational risk; this also covers continuity of services, quality, service delivery and others. The other primary risk is major disruption to services (Soomro, Shah and Ahmed 2016).
Organizational change: There has been huge evolution in many new systems and technologies, which are implemented to stay at the top of innovation. Hence changing the technology at Caduceus demands change management and the redesign of controls and processes in other areas. It is central to operational risk that the systems and processes stay on top of the changes in that area.
Managerial risks
Managerial risks are another critical aspect of strategic management at Caduceus. To improve competitive performance and advantage, managers need to take risks, but they do so in an uncertain environment. The formal economic assumptions of risk suggest that when the expected values of two strategies are similar but one is more uncertain in nature, managers should choose the strategy with the more definite results for the IS/IT Risk Management Project (Whitman and Mattord 2013). On the basis of these assumptions, agency theory assumes that top managers must be monitored or compensated to achieve better outcomes for Caduceus.
Impact Analysis
Data Collection and Analysis
Any type of evaluation requires well-chosen data and a well-implemented collection of that data. Impact evaluation is an approach that should go beyond assessing the size of the effects, meaning the average impact, in order to identify for whom and in what manner the policy and the program have been successful (Oliveira, Thomas and Esadanal 2014). The main objectives of the impact analysis can be stated as follows: the data collected and the methods for analysis should be chosen specifically to match the particular evaluation, to respond to the KEQs (Key Evaluation Questions) and to fit the available resources. Another objective is that existing data should be used properly and the gaps that remain should be filled with new data (Van 2016). Data collection and analysis should be chosen so that each complements the strengths and weaknesses of the other in IS/IT Risk Management.
Planning Data Collection and Analysis
There are various phases in this approach, which include the following.
The start should be made with the overall planning for the evaluation, which covers the questions stated in Table 1. A well-developed 'theory of change' is an essential tool in the impact analysis process for Caduceus and helps in describing the understandings behind the policy or program (Webb et al. 2014). It depicts a causal model linking the activities and inputs with the desired outputs, outcomes and impacts.
Maximum usage of existing data is the next step in data collection planning, taking into account the data that already exists. Regarding indicators, the evaluation should aim to draw on different types of indicators, such as inputs, outputs, outcomes and impacts, so as to reflect the key results in the program's 'theory of change'.
Identifying and addressing important data gaps focuses on reviewing the information that is available in order to consider whether qualitative or quantitative analysis is capable of answering the key questions stated in the table (Durn 2015).
Data Collection
Option: Retrieving existing data and documents
Objectives that should be included: Official statistics; program records; formal implementation plan, policy documents, including the report.
Examples: Reviewing the documents related to the planning program a little earlier before the meeting; the socio-economic, political and health profile of the state (Cardenas, Manafhata and Rajan 2013).

Option: Collection of data from groups or individuals
Objectives that should be included: Surveys or questionnaires using web, mail, face-to-face or any other communication means; interviews including group, individual, key informant, projective techniques and focus group discussions; methods such as dotmocracy, hierarchical card sorting and projective techniques.
Examples: Interviews with the program and program managers; key informant interviews with representatives from the relevant departments.

Option: Observation
Objectives that should be included: Non-structured or structured; non-participant or participant; non-participatory or participatory; saved notes, videos or photos.
Examples: Interaction with participants while observing the program activities.

Option: Physical measurement
Objectives that should be included: Geographical information; biophysical measurements.
Examples: Location of highly HIV-infected individuals; infant weight (Ifinedo 2014).
Quantitative and Qualitative Approaches in Impact Evaluation
Questions and prompts

Impact evaluation identification and design
Question: Has it been identified what is about to be evaluated?
Prompt: Are the objectives and aims of the evaluation statement clear?
Question: Has the theory of change been established?
Prompt: Is it possible to articulate the main effects and hypotheses that are about to be tested within the impact evaluation?
Question: Is the research strategy clear?
Prompts: Is the overall strategy definable in a manner that meets the aims of the impact analysis (Feng et al. 2014)? Is there a need to collect additional information to inform the desk review, and could this be achieved by restricting the number of key informant interviews? Is there a convincing argument for the various features of the research strategy?
Question: Is a well-defended sampling or case selection methodology available?
Prompts: Is it clear what should be generalized and what can be generalized to the population from which the data has been collected? Is it clear what the limitations of the design are for drawing wider inferences?
Question: Can it be determined that the impact evaluation is within budget?
Prompts: Has it been considered which research could help generate the impact analysis most efficiently (Lee 2014)? Consideration should be given to whether the design is over-resourced or over-designed for the purpose.

Data collection and analysis
Question: Has consideration been given to combining methods that could improve the impact evaluation?
Sequencing information: Through qualitative study to generate 'working hypotheses' that can be evaluated further; through conducting a contextual study alongside a non-contextual survey, or on a sub-sample of a large survey; through qualitative research to assess the importance of "the average" at the local level; through qualitative research to explain trends, relationships or patterns; through qualitative research to triangulate the survey results (Taha et al. 2014); through qualitative research to enrich the analysis of trends, relationships or patterns using the survey.
Integrating methodologies: Using qualitative analysis for the following: the survey for selecting the qualitative investigation sample; highlighting the priority issues; identifying knowledge gaps; identifying categories for the responses from the survey; constructing indicators of non-material impacts. Using insights from qualitative and quantitative studies to help define population sub-group sampling frames (Kriaa et al. 2015).
Merging findings: Through an analytical framework that helps interpret quantitative and qualitative data.
Question: Have the qualitative methods been identified?
Change observation: Through the scoring module of the survey for qualitative perception; measuring observable change in behavior; community score card.
Change analysis: Through contextual methods that include ethnography, participatory research methods, interviews, theatre, focus group discussions, video analysis, observation and documentary.
Question: Has contextual research been considered?
Prompt: Has the primarily extractive and transformative approach been considered?
Question: Has the approach of quantifying and measuring non-material (qualitative) impacts been considered?
Prompt: Have perception scoring, observable change, and a mix of perception scoring and observable change been considered (Silva et al. 2014)?
Threats, risk and vulnerabilities assessment
Sl. No: R. 1
Vulnerability in IS security management: Dust / airborne particles
Likelihood: M
Impact: H
Priority: M
Description: Dust and airborne particles travelling in the environment could alter the function of IT technologies and could result in inaccurate results or failure of information security management.
Preventive measures: Physical security of the IT infrastructure should be given very high priority in order to protect the infrastructure and related devices.