Corporate Governance

CHAPTER NO 1

1.1 INTRODUCTION

Today, many organizations and companies use information systems and network frameworks on a large scale, thus IT dependency is increasing daily. Security is one of the most important issues for the stability and development of these systems. Therefore, most organizations invest in this area and are establishing Information Security Management Systems (ISMS). Although many organizations understand the importance of security, many could not find an efficient solution to implement ISMS. The main process of an ISMS implementation is risk assessment. Risk assessment provides organizations with an accurate evaluation of the risks to their assets. It can help them prioritize and develop a comprehensive strategy to reduce risks. Information security risk assessment does not have an old history. There are some standards and methodologies for risk assessment, such as NIST and ISO27001, but while they explain general principles and guidelines, they do not give any implementation details. This may cause ambiguities to the users.

Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems1 to process their information for better support of their missions, risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk.

An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.

Parker stated the importance of IT to an organization when he noted that the amount of time that an organization can go without computer services, or the' 'mean time to belay-up," was steadily decreasing. While IT risk management is a relatively new field, it is a natural extension of management's concern for the organization's overall risk posture. The objective of IT risk management is to minimize the total expected cost of loss by selecting and implementing an optimal combination of security measures. In spite of the growing importance of IT risk management, a majority of companies do not have a tested, up-to-date risk management program

The rapid change of Information Technology has made technology transition a necessity rather than an option. Organizations constantly need to evaluate technologies and their adequacy for space programs. The Technology Readiness Levels were developed for this purpose and serve a critical role in the management and acquisition of space systems. Rapid changes in software (i.e., COTS integration) and hardware (indicated by Moore's Law) have introduced new questions that need to be addressed by organizations making large investments in technologies: How much risk is involved in adopting a technology? In order to answer this question there needs to be a method to account for obsolescing or negative factors that may influence the amount of risk involved in adopting a technology.

1.2 RESEARCH QUESTION:

This study is based on to find out how risk can be asses and manage regarding Technology, being using by the Iqra National University. Therefore we developed the following research questions.

What are the possible threats available that are associated with the technology use by Iqra National University?

What is the better strategy to secure the IT system that store, process or transmit organizational information?

1.3 OBJECTIVES OF THE STUDY:

Objectives of this study are given below:

* To find out what are the possible threats available that are associated with the technology use by the existing organization.

* To suggest management, better securing the IT systems that store, process, or transmit organizational information.

1.4 SIGNIFICANCE OF THE STUDY:

This study is beneficial for the organizations that are using technology. They can identify the major threats that has significantly related to the organization and can affect the organization negatively to prevent them from achieve their mission.

1.5 SCHEME OF THE STUDY:

First chapter of this study consist of the brief introduction to the research topic, research question, research objective, significance of the study & scheme of the study.

Second chapter of this study give a glance to past literature which is conducted previously.

Third chapter consist of research design, research instrument, samples size & population of the study.

Fourth chapter the study provides results of the study.

Fifth chapter of the study turn toward conclusion and recommendation of the study.

CHAPTER NO 2

2.1 LITERATURE REVIEW

Multi-criteria decision-making (MCDM) for technology risk assessment have been applied to many issues such as risk of E-business development, software development, groundwater contamination, forestry, health centers and etc. Different methods have been used in determining the level of risk, most often based on measuring the impact of risk. Likewise some proposed techniques use predefined rule based techniques. Information security risk assessment has a recent history, and related standards and methodologies are in progress.

Zhao et al. evaluated network security risk by using probabilities, impact severity, AHP techniques and Shannon entropy technique. Decisions were made using fuzzy logic through linguistic variables. Shannon entropy technique was also applied in weighting decision matrix. Shannon entropy technique is useful to prioritize risks but cannot be used in calculations to determine the risk level.

Guan et al. assessed risks according to the likelihood and impact factors of threats. In this method, risk factors are determined according to standard ISO17799 categorization.