Scientific paper ID 1158 : 2015/3
RISK MANAGEMENT IN NIST AND ISO/IEC 27K INFORMATION SECURITY MANAGEMENT STANDARDS’ FAMILY – A BRIEF ANALYSIS

Maciej Szmit, Anna Szmit

The risk management approach (as opposed to deterministic, compliance-based strategies) is the most popular one in contemporary security management. Many methodologies, frameworks and standards concerning the security of information and information systems refer to the concept of risk management. The approach is also implemented in ISO standards, beginning with ISO 31000, and in particular in the ISO/IEC 27k family, the most important family of standards concerning information security. NIST (the National Institute of Standards and Technology, a U.S. federal agency within the U.S. Department of Commerce) has developed a set of publicly available guidance documents on different aspects of information systems security (also based on the risk management approach), intended primarily for U.S. federal government organizations. The aim of this article is to analyse the selected NIST documents with respect to the risk management methods and procedures they propose.


Keywords: Information security management, Risk management, ISO/IEC 27001

BIBLIOGRAPHY

[1] Szmit M.: A Few Words About Technical Information Security Risk Management In IT Projects, Informatsionna Sigurnost 2014 (Information Security 2014), Svishtov, 2015

[2] Szmit M.: Security Management And Risk Management Approach In Cybersecurity And Information Security Management, 20th International Scientific Conference "Solving Crisis Situations in a Specific Environment" (Riešenie krízových situácií v špecifickom prostredí), Faculty of Security Engineering, University of Žilina, Žilina, 20-21 May 2015, pp. 651-656

[3] Lusková M., Buganová K.: Risk management and transport companies, Mechanics, Transport, Communications, 2011, art. ID: 491, http://www.mtc-aj.com/library/491_EN.pdf


[4] Spiridonova H., Andonov A., Mihova M.: Risk Analysis and Assessment in Information Protection for Analytical Management Systems (Анализ и оценка на риска при защита на информацията в аналитични системи за управление), Mechanics, Transport, Communications, 2013, art. ID: 863

[5] Loveček T.: Security of Information Systems (Bezpečnosť informačných systémov), Žilina 2007

[6] Korzeniowski L.F.: Securitology. The Science of the Security of Humans and Social Organizations (Securitologia. Nauka o bezpieczeństwie człowieka i organizacji społecznych), EAS, Kraków 2008

[7] International Organization for Standardization homepage http://www.iso.org

[8] NIST SP 800-30, Guide for Conducting Risk Assessments (Revision 1) http://csrc.nist.gov/publications/nistpubs/...

[9] Polish Standardization Committee homepage http://www.pkn.pl

[10] NIST ITL July 2009 Risk Management Framework: Helping Organizations Implement Effective Information Security Programs http://csrc.nist.gov/publications/nistbul/j...

[11] NIST RMF overview http://csrc.nist.gov/groups/SMA/fisma/frame...

[12] Lokuciejewski P., Wilop K., Syndikus W.: Using COBIT to Support IT Risk, COBIT Focus vol. 4/2011, p. 15, http://www.isaca.org/Knowledge-Center/cobit...

[13] NIST 800-53 (revision 4) Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPub...

[14] NIST Cybersecurity framework http://www.nist.gov/cyberframework