article

A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls

Authors:

Lynette Barnard,

Rossouw Von SolmsAuthors Info & Claims

Computers and Security, Volume 19, Issue 2

Pages 185 - 194

https://doi.org/10.1016/S0167-4048(00)87829-3

Published: 01 February 2000 Publication History

Abstract

Electronic commerce holds many advantages for the commercial world, but before it can really take off, the associated information security problems need to be addressed satisfactorily. The identification, implementation and management of the most effective set of controls to provide an adequate level of security is the first step towards this goal. The second step is the possible evaluation and certification of the installed controls in an IT-environment. The selection of the security controls should be driven by the business needs and the associated security requirement. This security requirement should be clearly defined in the information security policy and the security policy should dictate the set of controls that will provide the required protection. If this set of controls can be evaluated and certified as meeting the business needs of the organization, the trust that is required for electronic commerce can be provided. This paper will provide a formalized approach towards identifying a set of controls meeting the business needs and also suggest a model whereby this can be evaluated and certified.

References

[1]

British Standards Institute (1993). BS 7799 : Code of practice for information security management (CoP). PD0003, United Kingdom.

Google Scholar

[2]

Bruce, G. & Dempsey, R. (1997) Security in distributed computing. New Jersey : Prentice-Hall.

Digital Library

Google Scholar

[3]

Institute for Certification of Information Technology (ICIT). (1997). Scheme for self assessment and certification of information security against BS 7799.

Google Scholar

[4]

Von Solms, R. (1997). Driving safely on the information superhighway. Information management & computer security, 5(1), pp. 20 - 22.

Google Scholar

Cited By

View all

Tariq MTayyaba SAli Mian NSarfraz MDe-la-Hoz-Franco EButt SSantarcangelo VRad DBalas VJain L(2020)Combination of AHP and TOPSIS methods for the ranking of information security controls to overcome its obstructions under fuzzy environmentJournal of Intelligent & Fuzzy Systems: Applications in Engineering and Technology10.3233/JIFS-17969238:5(6075-6088)Online publication date: 1-Jan-2020
https://dl.acm.org/doi/10.3233/JIFS-179692
Yu CChu CLu P(2018)Applying a Security Management Mechanism to a System Development LifecycleInternational Journal of E-Adoption10.4018/IJEA.201801010110:1(1-17)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.4018/IJEA.2018010101
Khajouei HKazemi MMoosavirad S(2017)Ranking information security controls by using fuzzy analytic hierarchy processInformation Systems and e-Business Management10.1007/s10257-016-0306-y15:1(1-19)Online publication date: 1-Feb-2017
https://dl.acm.org/doi/10.1007/s10257-016-0306-y
Show More Cited By

Index Terms

A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Index terms have been assigned to the content through auto-classification.

Recommendations

Capturing industry experience for an effective information security assessment

An Information System (IS) security programme consists of several essential security controls. In order to verify and maintain the effectiveness of an IS security programme, it is pertinent to identify how security controls are compared to each other in ...
Security Controls Evaluation, Testing, and Assessment Handbook
Risks, Controls, and Security: Concepts and Applications

Comments

Information & Contributors

Information

Published In

Computers and Security Volume 19, Issue 2

February, 2000

79 pages

ISSN:0167-4048

Issue’s Table of Contents

Publisher

Elsevier Advanced Technology Publications

United Kingdom

Publication History

Published: 01 February 2000

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 02 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Tariq MTayyaba SAli Mian NSarfraz MDe-la-Hoz-Franco EButt SSantarcangelo VRad DBalas VJain L(2020)Combination of AHP and TOPSIS methods for the ranking of information security controls to overcome its obstructions under fuzzy environmentJournal of Intelligent & Fuzzy Systems: Applications in Engineering and Technology10.3233/JIFS-17969238:5(6075-6088)Online publication date: 1-Jan-2020
https://dl.acm.org/doi/10.3233/JIFS-179692
Yu CChu CLu P(2018)Applying a Security Management Mechanism to a System Development LifecycleInternational Journal of E-Adoption10.4018/IJEA.201801010110:1(1-17)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.4018/IJEA.2018010101
Khajouei HKazemi MMoosavirad S(2017)Ranking information security controls by using fuzzy analytic hierarchy processInformation Systems and e-Business Management10.1007/s10257-016-0306-y15:1(1-19)Online publication date: 1-Feb-2017
https://dl.acm.org/doi/10.1007/s10257-016-0306-y
Mukhopadhyay AChatterjee SSaha DMahanti ASadhukhan S(2013)Cyber-risk decision modelsDecision Support Systems10.5555/2747904.274821256:C(11-26)Online publication date: 1-Dec-2013
https://dl.acm.org/doi/10.5555/2747904.2748212
Siougle EZorkadis V(2002)A Model Enabling Law Compliant Privacy Protection through the Selection and Evaluation of Appropriate Security ControlsProceedings of the International Conference on Infrastructure Security10.5555/647333.722880(104-114)Online publication date: 1-Oct-2002
https://dl.acm.org/doi/10.5555/647333.722880
Janczewski LXinli Shi F(2002)Development of Information Security Baselines for Healthcare Information Systems in New ZealandComputers and Security10.1016/S0167-4048(02)00212-221:2(172-192)Online publication date: 1-Mar-2002
https://dl.acm.org/doi/10.1016/S0167-4048%2802%2900212-2

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

References

Cited By

Index Terms

Recommendations

Capturing industry experience for an effective information security assessment

Security Controls Evaluation, Testing, and Assessment Handbook

Risks, Controls, and Security: Concepts and Applications

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations