
1bcom_sem3_unit3_notes

The document covers the foundations of risk management, compliance management, and information security management (ISM), emphasizing the importance of identifying and managing risks to protect organizations from potential threats. It outlines basic risk management strategies, compliance relevance, and the objectives and processes of ISM, including the establishment of security policies and procedures. Additionally, it highlights the integration of governance, risk, and compliance (GRC) for organizational success.

Uploaded by

PullaReddy L

UNIT 3

Security & Compliance Management: Foundations of Risk Management, Compliance Management,
Information Security Management (ISM), Technology
Electronic Payment: Business and Money, the Payment Challenge, Payment Procedures,
Receivables Management, Cyber Money

FOUNDATIONS OF RISK MANAGEMENT


A risk is the extent of loss that may occur if a threat materializes.
Measurement of risks
1. Single risk
The standard approach (Ackermann 2013, p. 14) is that the risk value is expressed as the product of
the probability of occurrence and the expected amount of loss. The amount of loss is itself a random
variable, so it would be “more” correct to define the risk value as the expectation value of the
random variable “amount of loss” under its underlying probability distribution.
2. Risk portfolio
A very naïve approach to valuing the total volume of risk of a management object (e.g. a whole
organization, a portfolio of specific objects or a specific E-Commerce system) is simply the number of
identified risks. Many people think that such an approach is too simple, but it is much better to work
with such a very simple list and to discuss the risk situation than to ignore the risks.

Risk analysis
A risk analysis according to ISO/IEC 27001 (IEC = International Electrotechnical
Commission, ISO = International Organization for Standardization) has to run through
the following steps:
• Inventory of information assets,
• Determination of protection requirements,
• Identification and assignment of threats,
• Identification and assignment of weaknesses,
• Determination of potential extent of loss,
• Determination of probabilities of loss occurring,
• Determination of risks,
• Decision on acceptance of risk,
• Selection of safeguards,
• Documentation of residual risks,
• Documented approval of management.

BASIC RISK MANAGEMENT STRATEGIES


We see a lot of threats that could lead to damage or destruction of ICT systems, and management has
to deal with them. Though the variety of threats and corresponding risks is extremely large, there are only
four basic risk management strategies:
• Avoidance of threats, which means that you are able to completely eliminate the threat to your
management object. Normally you will not be able to avoid a threat completely.
• Reduction of threats, which means that you lower the risk resulting from that threat. In most cases
you will be able to reduce the potential amount of loss. Whether you can also change the probability of
occurrence can only be answered if the specific situation is known.
• Transfer of risks to a third party, e.g. an insurer. This means that the third party will take over and
pay the amount of loss if the risk occurs. You will have to pay a fee for that.
• Acceptance of threats, which is selected when you do not have any chance to change the situation.
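The risk measure from "Measurement of risks" and the four strategies above, worked through in code. This is an added illustration, not part of the notes or of Ackermann (2013): the `Risk` class, the strategy functions and the `SHOP_OUTAGE` sample with its loss amounts and probabilities are all constructed here, and the insurance model (deductible plus a premium that is due in every case) is a simplifying assumption.

```python
from typing import Dict, Iterable, List, Tuple

def _merge(pairs: Iterable[Tuple[float, float]]) -> Dict[float, float]:
    """Accumulate (loss, probability) pairs, adding up probabilities of equal losses."""
    dist: Dict[float, float] = {}
    for loss, p in pairs:
        dist[loss] = dist.get(loss, 0.0) + p
    return dist

class Risk:
    """One identified risk: `outcomes` maps each possible loss amount to its
    probability in the planning period; the remaining mass is 'no loss'."""
    def __init__(self, name: str, outcomes: Dict[float, float]) -> None:
        self.name, self.outcomes = name, outcomes
    def probability_of_occurrence(self) -> float:
        return sum(p for loss, p in self.outcomes.items() if loss > 0)
    def risk_value(self) -> float:
        # Risk value = expectation of the random variable "amount of loss".
        return sum(loss * p for loss, p in self.outcomes.items())
    def worst_case(self) -> float:
        return max(self.outcomes, default=0.0)

def avoid_threat(risk: Risk) -> Risk:
    # Avoidance: the threat is eliminated, so no loss outcome remains.
    return Risk(risk.name + " [avoided]", {})

def reduce_threat(risk: Risk, loss_factor: float = 1.0, prob_factor: float = 1.0) -> Risk:
    # Reduction: scale down the amount of loss and/or the probability of occurrence.
    pairs = ((loss * loss_factor, p * prob_factor) for loss, p in risk.outcomes.items())
    return Risk(risk.name + " [reduced]", _merge(pairs))

def transfer_risk(risk: Risk, deductible: float, premium: float) -> Risk:
    # Transfer (insurance, simplified): the insurer pays everything above the
    # deductible, while the premium is due in every case, including 'no loss'.
    pairs = [(min(loss, deductible) + premium, p) for loss, p in risk.outcomes.items()]
    pairs.append((premium, 1.0 - sum(risk.outcomes.values())))
    return Risk(risk.name + " [transferred]", _merge(pairs))

def accept_threat(risk: Risk) -> Risk:
    # Acceptance: nothing changes; the risk is documented as residual risk.
    return risk

def portfolio_summary(risks: List[Risk]) -> Dict[str, float]:
    # Naive measure: count of identified risks; beside it the summed expected loss.
    return {"count": len(risks), "expected_loss": sum(r.risk_value() for r in risks)}

# Constructed sample: one E-Commerce risk with two possible loss amounts per year.
SHOP_OUTAGE = Risk("web shop outage", {20_000.0: 0.05, 100_000.0: 0.01})
```

With the sample values, avoidance brings the risk value to zero, halving the loss amounts halves it, and transfer actually raises the expected cost (premium included) while capping the worst case at deductible plus premium, which is the trade-off a fee for insurance buys.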

BASIC RISK MANAGEMENT TASKS


Obviously, it is not sufficient to know the risks; management has to actively work on them. This does not
only include the application of the risk management strategies listed above: management also has to be
prepared for the situation when a risk occurs. This leads to the following elementary management
tasks:
• Avoid, reduce or accept threats; transfer risks if this is the best strategy.
• Know what must be done when a risk occurs.
The latter leads to business continuity management, which has to supplement risk management.

COMPLIANCE MANAGEMENT
In general, compliance means conforming to a rule, such as a specification, policy, standard or law.
Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure
that they are aware of and take steps to comply with relevant laws and regulations.

- Relevance of compliance management


The reason for the high attention management pays to compliance (management) is that if any part
of an organization is not compliant, there is a significant risk for that organization. Missing
compliance can lead to punishment by governmental authorities and to a loss of reputation in the
business world.

- Integration into GRC management


Governance, Risk and Compliance (GRC) are three pillars that work together for the purpose of
assuring that an organization meets its objectives.
Governance is the combination of processes established and executed by the board of directors that are
reflected in the organization’s structure and in how it is managed and led towards achieving given
objectives.
Risk management is predicting and managing risks that could hinder the organization from achieving its
objectives.
Compliance with the company’s policies and procedures, laws and regulations, together with strong and
efficient governance, is considered to be a key factor in an organization’s success.

INFORMATION SECURITY MANAGEMENT (ISM)


Security is a status in which a person, a resource or a process is protected against a threat or its negative
consequences. Information security means the security of our information assets.

- Protection goals
With respect to information there are several common protection goals:
• Authenticity: Genuineness/credibility of an object or subject, which is verifiable,
• Integrity: Data cannot be manipulated unnoticed and without proper authorization,
• Confidentiality: Information retrieval is not possible without proper authorization,
• Availability: Authenticated and authorized subjects will not be restricted in their rights without
proper authorization,
• Obligation: A transaction is binding if the executing subject is not able to disclaim the transaction
afterwards,
• Authorization: The power and right to conduct an activity.

- Objectives of ISM
The overall objective of information security management is to protect the information assets of the
organization in accordance with the above-mentioned protection goals.
This leads to specific ISM objectives:
• Fulfil organizational duties: give precise, binding and complete orders to your people; select people
carefully with respect to duties and responsibilities.
• Build an efficient and transparent organization.
• Build professional security, continuity and risk management.
• Increase efficiency with general and unified rules and methods.
• Reduce time consumption and costs with security and security audits integrated into business
processes.
• Run a continual improvement process to minimize risks and maximize economic efficiency.
• Have a good reputation with customers, shareholders, authorities and the public.
• Defend against liability claims and represent the organization in criminal proceedings.
• Be integrated into the corporate security management system.

- ISM Process
The information security management process has four major steps, which are described below:
• Initialize:
o Understand information security requirements,
o Build an information security policy to define overall security objectives,
o Establish an information security representative and organization,
• Analyse and develop an information security strategy:
o Determine protection needs,
o Analyse threats,
o Analyse risks,
o Deduce information security requirements,
• Plan and implement:
o Define what has to be regulated,
o Define how it should be regulated (comprehensively or in detail),
o Prepare information security concepts,
o Define policies and guidelines,
o Prepare for implementation projects,
o Run initial trainings,
• Operation and monitoring:
o Administer activities and manage documentation,
o Run trainings and increase security awareness,
o Identify key performance indicators,
o Conduct audits/assessments.

- ISM ACTIONS
Information security management includes a great variety of activities, which can be categorized by
the focus of the different activities.
Organization:
• Establish access profiles.
• Provide and file task descriptions for IT administrators and information security representatives.
• Conduct the administration of keys.
• Run evacuation and emergency exercises.
Technique:
• IT security: Implement and operate firewalls, virus scanners, spam filters, encryption software.
• Facility management: Install access control systems, door locks, fire detection systems, burglar alarm
systems, emergency power generators, uninterruptible power supplies (UPS).
• Safety of buildings: Install fences, observation cameras.
People:
• Conduct professional recruiting and include security aspects.
• Ensure proper placement of employees (assignment of duties).
• Ensure careful adjustment to the job.
• Establish continuous supervision: raising of awareness, training.
• Conduct a professional separation of employees.

- ISM DOCUMENTS
Professional information security management will lead to several documents:
• Information Security Process Framework,
• Information Security Declaration:
o Requirements for information security, continuity and risk management with respect to risk
capacity, risk propensity and aspired security level: corporate principles, corporate objectives,
requirements of stakeholders, requirements through laws, regulations and standards,
o Description of the ISM process with continual improvement process, organization and
responsibilities,
o Responsibility of top management,
o Integrated, transparent and auditable process model: information security principles, processes
and organization, technical resources, employees and external experts, life cycle,
communication, training, motivation, raising of awareness, surveys, commitment of
employees,
o Penalties,
• Information security concepts (e.g. job safety, human resources, facility management, IT security),
• Subject-oriented concepts (e.g. virus protection, network, E-Mail or IT processes),
• Policies/guidelines:
o End user policy incl. password policy and Internet policy,
o Communication policy incl. communication with external parties and E-Mail policy,
o Access authorization for buildings and rooms (incl. request and authorization process),
o Firewall policy,
o Backup policy incl. off-site storage of backup data,
o Access authorization for IT systems and networks (incl. request and authorization process),
o Access protection of data (incl. request and authorization process),
o Encryption policy,
o Emergency plan (incl. alerting, emergency operation, transformation to regular operation),
o Configuration of security-related facilities,
o Fire protection,
o Sourcing policy.

TECHNOLOGY
