Abstract
Business continuity management (BCM) and risk management (RM) processes are both essential to today's organizations. The former ensures that an organization can limit its losses after a severe contingency or disaster. The latter helps an organization identify potential security incidents and adopt the most cost-effective countermeasures. However, current risk management approaches and methodologies do not reflect the important differences between RM and BCM processes. As a result, even an organization with established RM processes may have to re-assess its risks for BCM purposes. In light of this, this study proposes RiskPatrol, a risk management system that provides an integrated view of the risks associated with both RM and BCM processes. RiskPatrol gives users an easy way to retain enough information for BCM while they perform risk assessment in RM processes, and vice versa. The proposed approach can improve the efficiency of establishing an information security management system by minimizing redundancy between RM and BCM processes.
Notes
1. Although the concept of risk is widely used in several domains, this chapter focuses on risk in information security; throughout the chapter, "risk" means information security risk.
© 2010 Springer Science+Business Media, LLC
Cite this chapter
Cha, SC., Juo, PW., Liu, LT., Chen, WN. (2010). Duplicate Work Reduction in Business Continuity and Risk Management Processes. In: Yang, C., Chau, M., Wang, JH., Chen, H. (eds) Security Informatics. Annals of Information Systems, vol 9. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-1325-8_9
DOI: https://doi.org/10.1007/978-1-4419-1325-8_9
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4419-1324-1
Online ISBN: 978-1-4419-1325-8
eBook Packages: Computer Science (R0)