By Sourabh Kishore
The fields of IT Security, IT Governance and IT Services Management are excellent grounds for academic researchers to undertake their dissertation and thesis research projects. Such research can produce very practical outcomes, given that the standards, frameworks and best practices pertaining to these fields are widely implemented in organisations across the world.
Dissertation/thesis projects in the fields of IT Security, IT Services and IT Governance should essentially comprise studies of world-class standards, frameworks and best practices that are widely accepted and implemented in organisations. Students may conduct case studies in organisations where these standards, frameworks and best practices are implemented, or else conduct interviews or surveys among the thousands of IT security professionals across the world who are connected via community groups on social networking websites (like LinkedIn, Plaxo, Google Groups, etc.). The culture of knowledge sharing in the world of IT security is excellent, because security controls, threat management and best practices can only be established effectively through organised knowledge sharing. IT security, services and governance consulting companies support academic research wholeheartedly, preparing young minds for future challenges so that the acute shortage of human capital in these fields can be addressed. In this article, I recommend the following standards and frameworks, in which hundreds of topics for dissertation and thesis research projects can be developed.
(a) NIST (US Department of Commerce) Recommendations: As per NIST recommendations, all critical IT systems should first be categorized so that the risks to these systems can be identified, assessed and recorded. Thereafter, appropriate mitigation actions can be taken to reduce them to acceptable levels, either by reducing the vulnerabilities (applying controls), by avoiding the risks (disallowing activities that can cause risks) or by transferring the risks to third parties (such as outsourcing the controls to specialist security agencies). NIST terms this entire process IT Risk Management (IRM), and it is now regarded as the baseline for the industry. It requires management commitment and the assignment of security roles to strategic business process owners in the organization. NIST recommends that the key roles contributing to IRM should be Senior Management, the Chief Information Officer, System/Information Owners, Business Managers, Functional Managers, IT Security Officers, Security Awareness Trainers and Internal Auditors. The risk assessment recommended by NIST is a nine-step structured analytical procedure that should be carried out by the key roles, so that the outcomes can be collated to form an organization-wide risk registry.
(b) ISO 27005 Standard: ISO 27005:2008 is the formal replacement for ISO 13335-3 and ISO 13335-4:2000; it essentially recommends a fully metrics-based evaluation of all the risk assessment steps described in ISO 13335-3, using quantitative techniques. This standard treats Risk Management, Configuration Management and Change Management as parts of an integrated framework for delivering IT security in an organization. The risk management framework recommended by this standard can be viewed as a model of “concentric spheres”: the information assets sit at the core of the model, vulnerabilities prevail in the sphere above the core, controls are applied over the vulnerability sphere, and threats prevail at the periphery of the model. This model was originally part of ISO 13335-3 and represents an environment in which threats change continuously, thereby changing the risk baselines (the residual acceptable risk level) of organizations. Hence, periodic assessment of the effectiveness of controls is required, so that vulnerabilities are not exploited by emerging external or internal threats to affect the information assets.
(c) ISO 27002 Standard: The ISO 27002:2008 standard was formerly known as ISO 17799:2005, the code of practice for information security that was used as the supplementary document to the ISO 27001:2005 standard, which is the largest framework of standards describing Information Security implementation in an organization. The ISO 27002:2008 standard recommends the practices documented in ISO 13335-3, which is essentially a wider framework of Information Security because it covers impacts in terms of confidentiality, integrity, availability, accountability, authenticity and reliability. Unlike the “system characterization” recommended as the starting point by NIST, this standard recommends “asset characterization” as the starting point, which includes tangibles as well as intangibles. Asset characterization is carried out on the assumption that anything critical for the business to produce its products and services and to retain customers and market share is treated as a critical asset of the organization. It may be systems (IT systems, power systems, admin systems, etc.), people, documents, records, databases, applications, intellectual property, etc., thus giving a much wider coverage of subjects on which the risk analysis needs to be carried out. The threat and vulnerability analysis is carried out using steps similar to the NIST recommendations, but the impact analysis is based on multiple business impacts categorized by the business stakeholders, such as financial loss, business loss, customer loss, market share loss, key people loss, premises loss, intellectual property breaches, regulatory breaches, productivity loss, inventory loss, etc. Protection against such losses is the direct interest of the business stakeholders and hence the topmost priority of the risk management teams. The final stages of risk analysis, control analysis and control recommendations are similar to those of the NIST recommendations. This framework also recommends periodic control effectiveness testing, which NIST recommends in its special publication 800-115, released in 2008.
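The NIST and ISO 27002 passages above describe a risk register built from categorized assets, threats, vulnerabilities, business-impact categories and a treatment decision (reduce, avoid, transfer or accept), with residual risk compared against an acceptable baseline. The following Python module is an added illustration of such a register; it is not code from NIST, ISO or this article. The three-point scale, the scoring rules (likelihood multiplied by the worst impact category, a control's effectiveness lowering likelihood, a transfer moving only the financial exposure) and every asset and risk in it are constructed for the example.

```python
"""Illustrative IT risk register (constructed example, not a NIST or ISO artefact)."""
from dataclasses import dataclass
from enum import Enum

# Constructed 3-point qualitative scale used for likelihood, impact and control effectiveness.
LEVELS = {"low": 1, "medium": 2, "high": 3}
ORDER = ["none", "low", "medium", "high"]


class Treatment(Enum):
    REDUCE = "reduce"        # apply a control against the vulnerability
    AVOID = "avoid"          # disallow the activity that creates the risk
    TRANSFER = "transfer"    # hand the exposure to a third party (e.g. outsourcing)
    ACCEPT = "accept"        # record the risk and live with it


@dataclass
class Asset:
    name: str
    kind: str      # system, people, document, database, intellectual property, premises, ...
    owner: str     # the asset/system owner who signs off on the assessment


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str                        # "low" | "medium" | "high"
    impacts: dict                          # business impact category -> level
    treatment: Treatment = Treatment.ACCEPT
    control: str = ""
    control_effectiveness: str = "low"     # outcome of the last effectiveness test


def impact_level(impacts: dict) -> int:
    """The worst affected business impact category sets the impact rating."""
    return max(LEVELS[v] for v in impacts.values())


def inherent_score(risk: Risk) -> int:
    return LEVELS[risk.likelihood] * impact_level(risk.impacts)


def residual_score(risk: Risk) -> int:
    """Score left after the chosen treatment, under this example's simplified rules."""
    if risk.treatment is Treatment.AVOID:
        return 0                                   # the risky activity is no longer performed
    likelihood = LEVELS[risk.likelihood]
    impacts = dict(risk.impacts)
    if risk.treatment is Treatment.REDUCE:
        # A "medium" control lowers likelihood one step, a "high" one two steps, never below "low".
        likelihood = max(1, likelihood - (LEVELS[risk.control_effectiveness] - 1))
    elif risk.treatment is Treatment.TRANSFER:
        # A contract moves the financial exposure; regulatory and other losses stay with the business.
        if "financial loss" in impacts:
            impacts["financial loss"] = "low"
    return likelihood * impact_level(impacts)


def rating(score: int) -> str:
    """Map a 0..9 score back onto the qualitative scale."""
    if score == 0:
        return "none"
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def within_baseline(score: int, acceptable: str = "medium") -> bool:
    return ORDER.index(rating(score)) <= ORDER.index(acceptable)


def build_register(risks, acceptable: str = "medium"):
    """Organization-wide register, highest residual risk first, flagged against the baseline."""
    rows = []
    for r in risks:
        res = residual_score(r)
        rows.append({
            "asset": r.asset.name, "owner": r.asset.owner, "threat": r.threat,
            "inherent": rating(inherent_score(r)), "treatment": r.treatment.value,
            "control": r.control, "residual": rating(res),
            "within_baseline": within_baseline(res, acceptable),
        })
    rows.sort(key=lambda row: -ORDER.index(row["residual"]))   # stable: ties keep input order
    return rows


def open_items(register):
    """Assets whose residual risk still exceeds the baseline and need further treatment."""
    return [row["asset"] for row in register if not row["within_baseline"]]


# Constructed sample input: one risk per treatment option, plus a control that tested weak.
SAMPLE_RISKS = [
    Risk(Asset("customer database", "database", "DBA lead"), "external attacker",
         "unpatched database server", "high",
         {"financial loss": "high", "regulatory breach": "high", "customer loss": "medium"},
         Treatment.REDUCE, "monthly patching and network segmentation", "high"),
    Risk(Asset("payment processing", "system", "finance"), "card data theft",
         "in-house card storage", "medium",
         {"financial loss": "high", "regulatory breach": "medium"},
         Treatment.TRANSFER, "outsourced to a payment service provider"),
    Risk(Asset("legacy FTP server", "system", "IT operations"), "credential sniffing",
         "cleartext protocol", "high", {"productivity loss": "low"},
         Treatment.AVOID, "service decommissioned"),
    Risk(Asset("HR records", "records", "HR manager"), "ransomware",
         "no offline backups", "high",
         {"productivity loss": "high", "regulatory breach": "high"},
         Treatment.REDUCE, "backup job (restore never tested)", "low"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    for row in register:
        print(row)
    print("needs action:", open_items(register))
```

The last sample row is the point of the periodic control effectiveness testing the text mentions: a control that exists on paper but tested "low" leaves the residual rating at "high", so the register flags the asset for the owner rather than silently treating it as handled.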
(d) The COBIT Framework: The COBIT (Control Objectives for Information and Related Technology) framework was developed by the IT Governance Institute, a community of expert developers and reviewers from the IT governance field who have contributed to the framework to arrive at the best practices published in its current form. The IT Governance Institute comprises a board of trustees, an IT governance committee, the COBIT steering committee, an advisory panel, and affiliates and sponsors. The framework is a wonderful effort at putting together all the best practices of IT governance and Risk Management, which organizations can adopt to support their Business Governance and Risk Management frameworks effectively. The COBIT framework helps in effectively aligning IT systems and processes with business requirements, so that the business risks arising from IT enablement can be effectively mitigated.
(e) CRAMM Framework: CRAMM is the risk management methodology developed by the Central Computer and Telecommunications Agency (CCTA), and it is based on qualitative methods of risk analysis. In this mechanism the steps called ‘asset identification & valuation’, ‘identification & assessment of threat & vulnerability’, ‘identification of security measures’, ‘identification of risks’ and ‘identification & assessment of risk mitigation’ are carried out using structured questionnaires defined by the CRAMM framework. Each question has a ‘yes’ or ‘no’ answer, and the scores are collated by counting the numbers of ‘yes’ and ‘no’ responses, which the CRAMM system does automatically. If the target respondents of the CRAMM questionnaire are selected very carefully (asset owners, IT administrators, application engineers, database administrators, etc.), then CRAMM can yield accurate identification of IT risks and accurate mitigation strategies.
(f) OCTAVE Framework: OCTAVE is the abbreviation for ‘Operationally Critical Threat, Asset and Vulnerability Evaluation’, a model developed by Carnegie Mellon University. This framework takes into account operational risk, security practices and technology, and leverages the existing knowledge of vulnerabilities within an organization. The assessment is carried out in three phases: ‘development of asset-based threat profiles’, ‘identification of infrastructure vulnerabilities’ and ‘building security strategies & plans’. The first phase requires an organizational view, whereas the second requires a technological view. The OCTAVE assessment criteria are self-driven, without the need for external experts to guide the organization. Like CRAMM it is a self-guided process, but it is carried out by a few experts in the company who have extensive knowledge of the company’s IT systems, whereas CRAMM is carried out by all asset owners of the company. One good aspect of OCTAVE is that it captures the knowledge of threats to the business and of internal weaknesses from people at all levels, and then uses that knowledge to develop the asset-based threat profiles. This ensures that the risk assessment stays very close to the people’s perspective of the business’s threat exposures, rather than being based on some kind of threat database purchased from external consultants.
(g) FRAP Framework: Facilitated Risk Management Process (FRAP) is a framework that essentially concentrates on the prioritized threats and asset vulnerabilities that can potentially cause the most damage to the business. This again is a qualitative approach and is popularly known as the “four hour risk assessment”. FRAP is not accepted by many organizations, because their threat perceptions do not allow a scaled-down list of assets, threats and vulnerabilities to be addressed. However, it is an effective framework given that the 80-20 rule applies in risk management as well, i.e., 20% of threats cause 80% of the damage.
(h) ITIL version 2 and version 3 Frameworks: ITIL versions 2 and 3 are publications of the Office of Government Commerce (OGC), UK. They are end-to-end IT service management frameworks that can effectively align the IT services of an organization with business requirements at the operations level. ITIL version 2 is very popular due to its wide implementation base in many countries across the world. It has two major disciplines: IT Service Support and IT Service Delivery. The IT Service Support discipline comprises the Service Desk function of an organization and five management functions: Incident management, Problem management, Change management, Release management and Configuration management. These management functions are also included in the ISO 27001 and ISO 20000 standards as well as in the COBIT framework. The IT Service Delivery discipline likewise comprises five management functions: Service Level management, Capacity management, Availability management, IT Financial management and IT Business Continuity management.
ITIL version 3 is a much wider framework than ITIL version 2. It comprises five disciplines, as against two in version 2: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. ITIL version 3 includes many new management functions in addition to the ten functions recommended by ITIL version 2. It is a new framework, and hence its global roll-out is evolving gradually. Students can find vast opportunities for research in both these areas in the form of phenomenography or case studies.
(i) Val IT: This is the latest framework developed by the IT Governance Institute and can be seamlessly integrated with the COBIT framework. It can be implemented to tangibly demonstrate the value of IT investments to the business. This framework has not yet been studied by academic researchers and hence offers an entirely new world of opportunities.
(j) ISO 27001: This is the mother of all standards in Information Security Management Systems (ISMS). No standard possesses coverage as wide as that offered by ISO 27001 in the field of IT Security. The purpose of ISO 27001:2005 is to guide an organization on the level of ISMS implementation that is feasible for its business needs. It guides the organization to implement a structured Information Security Management System through an approach of Risk Assessment and Business Impact Analysis that incorporates world-class best practices in the management of the systems already running in the organization, in the form of a structured Framework. The Framework includes:
— Adequately documented and implemented Security Policy(ies) and Procedures.
— Asset Master comprising of ALL critical Information Assets.
— Risk Assessment and Business Impact Analysis Worksheets.
— Risk Treatments Plans and Reports.
— ISMS Management and Operations Group with detailed roles.
— ISMS Operating Manual with Statement of Applicability.
— ISMS Operating Procedures, activity log-sheets and reports.
— ISMS Security Procedures pertaining to every operating area.
— Access Control Policies and Procedures for all the Information Processing and Storage Facilities.
— Incident, Problem, Change, Release, Configuration, Capacity & Availability Policies and Procedures.
— Detailed Implementation of the 133 Normative controls as defined in Annexure A of BS ISO/IEC 27001:2005.
— Internal and External Audit Procedures, audit sheets and corrective/preventive actions.
— Information Classification, Transit, Storage and Destruction Policies & Procedures.
— Disaster Recovery Plan and Procedures.
— Business Continuity Plan and Procedures.
About the Author: The Author is an IT Systems, IT Services/Governance, Information Security, and Telecommunications Research Analyst. Interest Areas – WiMax, LTE, WiFi, LBS, Cloud Computing, Virtualisation, Intrusion Detection and Prevention, Ethical Hacking, ITIL v2 & 3, COBIT, Val IT, MoF, Risk IT, etc.
Tuesday, February 15, 2005
Dublin — Yahoo!, the internet portal, today announced it has chosen Dublin, Ireland as the location of its European Headquarters. Ireland beat off stiff competition from other European countries to win the investment. The move is expected to create over 400 jobs – two thirds of which are expected to be for graduates with skills in information technology, financial services, customer support and website editorial.
Earlier in the month, Ireland lost a potentially multi-billion euro investment by Dell for a new manufacturing facility to Scotland. This was a huge disappointment for IDA Ireland – the country’s main development agency – which had offered heavy incentives to the US computer maker. This brought about fears that Ireland had lost its ability to attract high-value investments from foreign multinationals – the driving force of Ireland’s Celtic Tiger economy.
Speaking about the investment, the Irish Minister for Enterprise, Trade and Employment, Micheál Martin, said winning the Yahoo project was a “truly outstanding achievement for Ireland”. Yahoo’s Senior Vice President International, John Marcom, said the decision to locate its European operations headquarters in Ireland was influenced by a “number of factors” which included “the calibre and volume of graduates available in Ireland, the up to date cost competitive telecommunications and data centre infrastructure, and the assistance of IDA Ireland.”
Yahoo is one of the world’s largest internet companies. Its decision to locate in Ireland confirms Dublin’s continued attractiveness to internet and technology companies – Google, Bell Labs, eBay, Microsoft, Amazon and Oracle all have significant Irish operations.
Wednesday, February 5, 2020
On Sunday in London, England, according to witness accounts and authorities, a man wearing a fake suicide vest entered a store, grabbed a large knife, ran outside with it and began to stab people. Reportedly he injured a man and two women on Streatham High Road, London. Armed plainclothes officers, already surveilling him for counter-terrorism purposes, chased him on foot. The officers eventually shot him dead, reportedly outside a Boots store, at around 14:00 local time in what the police declared a “terrorist-related” attack.
An eyewitness described for news agency PA Media how the attack unfolded, stating, “I was crossing the road when I saw a man with a machete and silver canisters on his chest being chased by what I assume was an undercover police officer […] The man was then shot. I think I heard three gunshots but I can’t quite remember.”
Two women and a man were injured, according to the reports. The man was briefly listed in critical condition. A woman had minor injuries reportedly from glass shattering after police discharged their firearms, and the remaining woman was in “not life-threatening” condition.
The attacker, identified as Sudesh Amman, 20, was placed under police surveillance after being released from prison a week ago. He was imprisoned in 2018 when he was 18 and served half his sentence for 13 separate terror offenses. Amman, who was described as “knife-obsessed” by the police, sent his girlfriend videos of beheadings and extremist text messages, and advised her to kill her “kuffar” (non-Muslim) parents. He told her on one occasion: “If you can’t make a bomb because family, friends or spies are watching or suspecting you, take a knife, molotov, sound bombs or a car at night and attack the tourists (crusaders), police and soldiers of taghut [idolatry], or western embassies in every country you are in this planet.”
Alexis Boon, the head of the Metropolitan Police Counter Terrorism Command, said about Amman: “His fascination with dying in the name of terrorism was clear in a notepad we recovered from his home. Amman had scrawled his ‘life goals’ in the notepad and top of the list, above family activities, was dying a martyr and going to ‘Jannah’ — the afterlife. It’s not clear how Amman became radicalised but it is apparent from his messages that it had been at least a year in development. Whatever the circumstances, this case is a reminder of the need to be vigilant to signs of radicalisation and report it.”
Police also recovered a bomb-making guidebook in his possession and, on searching his family home in London, a black flag and an air gun.
The mayor of London, Sadiq Khan, thanked “the police, security and emergency services staff for their swift and courageous response”.
“Terrorists seek to divide us and to destroy our way of life,” said Khan, “here in London we will never let them succeed.”
The prime minister, Boris Johnson, tweeted: “Thank you to all emergency services responding to the incident in Streatham, which the police have now declared as terrorism-related. My thoughts are with the injured and all those affected.”
Saturday, March 15, 2008
A tornado, spawned from a large storm, has hit the United States city of Atlanta, Georgia, causing extensive damage throughout the city.
The National Weather Service confirmed Saturday morning that it was a tornado that struck the city. After reviewing the aftermath of the storm, they classified it as an EF2 tornado on the Enhanced Fujita scale. Atlanta mayor Shirley Franklin says she is beginning to apply for federal disaster aid.
There have been no confirmed deaths, but the mayor’s spokeswoman says there may be dead victims trapped within the ruins of a collapsed loft complex. The Fulton Cotton Mill Lofts are located in the historic Cabbagetown neighborhood, where at least 20 homes were destroyed. “It looks like a bomb went off, it looks like World War III,” said Mahsud Olufani, who has an art studio in the neighbourhood. “It’s a disaster area.”
At least 27 people suffered injuries, mostly cuts and bruises. One person is reported to be in critical condition. Grady Memorial Hospital, where many of the injured were taken, had suffered some window damage but was still operating. Around 50 people have been taken to a local Red Cross shelter for displaced residents.
The tornado struck during the semifinal game of the SEC Basketball Tournament between Mississippi State and Alabama. Play was stopped with around 2 minutes to go in overtime when heavy wind could be heard outside and the roof began to ripple. Damage was done to the roof as debris fell to the floor. No injuries were reported in the Dome. “I thought it was a tornado or a terrorist attack,” said Mississippi State guard Ben Hansbrough.
The storm arrived with little forewarning. A tornado warning was issued for the downtown area a few minutes before the storm hit. “Ironically, the guy behind me got a phone call saying there was a tornado warning,” said Lisa Lynn, who was attending the game at the Georgia Dome. “And in two seconds, we heard the noise and things started to shake. It was creepy.”
The CNN Center in downtown Atlanta was severely damaged, especially in the atrium, where the ravaged ceiling allowed water to pour in. Police closed several streets near the CNN Center because of the debris, which included power lines, billboards, and even office chairs.
The Omni Hotel, which is attached to the CNN Center, also sustained damage, with many of its windows shattered. Visitors at the hotel were evacuated to the exhibition hall at street level. “It was crazy. There was a lot of windows breaking and stuff falling,” said Terrence Evans, a valet at the hotel.
At Centennial Olympic Park, located near CNN and the Omni Hotel, two Olympic torch sculptures had fallen over, and a performance pavilion was destroyed. A high-rise dorm at Georgia State University was damaged by the tornado, as evidenced by a large hole in the building’s 14th floor. University students were evacuated on buses.
According to Georgia Power, more than 13,000 of their customers are currently without electricity. Crews are working to fix downed power lines, but they said it would be difficult with all the debris.
Another large storm, currently in Mississippi, is heading towards Atlanta, and is forecast to arrive around 3 p.m. National Weather Service meteorologist Mike Leary said Friday’s storm could be “nothing to compare with what’s coming in tomorrow”.
All downtown events scheduled to occur Saturday have been cancelled. This includes the city’s Saint Patrick’s Day parade. The remaining SEC tournament games are to be played at Georgia Tech’s Alexander Memorial Coliseum, located in Midtown, which was undamaged.
Sunday, June 10, 2018
In findings published on Friday in PeerJ, an open-access peer-reviewed scientific journal, researchers from the University of York and Maldives Whale Shark Research Programme have mapped key habitats of the world’s largest fish, the whale shark, shedding light on congregation sites that have perplexed marine biologists.
According to the researchers, whale sharks, Rhincodon typus, listed as endangered on the IUCN Red List, do feed in the open ocean, but juveniles tend to form large groups in only about 20 to 25 specific places around the coasts of Mexico, Belize, the Maldives and Australia, which previous research has not explained. The research team reviewed dozens of previous papers, compiled their findings into a database, and performed spatial analysis on the aggregated shark-related event data. Results showed that the sites the sharks frequented had areas of very shallow water near a steep drop-off into the depths, such as a shelf break or reef slope.
The whale shark can grow to eighteen metres (60 ft) in length. Unlike its better-known relatives, the great white shark and other predatory sharks, the whale shark is a filter feeder, meaning that it draws water into its mouth and extracts small organisms from the liquid. Whale sharks can search for food at the surface of the ocean but are also known to dive deep. According to supervising author Dr Bryce Stewart, PhD, “Sharks are ectotherms, which means they depend on external sources of body heat. Because they may dive down to feed at depths of more than 1900 metres, where the water temperature can be as cold as four degrees, they need somewhere close by to rest and get their body temperature back up. Steep slopes in the seabed also cause an upwelling of sea currents that stimulate plankton and small crustaceans such as krill that the whale sharks feed on.”
Such sites are also attractive for fishing and recreational boating, and collisions can injure sharks. Stewart emphasized the importance of using research to help preserve and protect the sharks, calling them “extremely valuable to local people on the coastlines where they gather, which are often in developing countries. While a whale shark can be worth as much as $250,000 USD dead, alive it can provide more than $2 Million USD over the course of its life span.” The latter figure estimates ecotourism revenue only.
When it comes to considering your funeral someday, many people already know exactly what they want in terms of a burial. There are many options available to those who can stomach the subject. One idea returning to popularity from ancient rituals is Mausoleum Services, or virtually being mummified in an above-ground tomb. Here are a few reasons to consider choosing a mausoleum.
It is a Type of Preservation
If you are interested in a unique way to be buried, this is certainly for you. By being buried in an encapsulated above-ground casket, the deterioration process cannot really take place. In turn, this actually begins a type of mummification, the preservation process on your body. Many people go for this option for the possibility of being used in scientific experiments in the future.
It Can Be Cheaper
Mausoleum Services are sometimes complicated but, for the most part, can be cheaper. Because the casket does not have to be sealed in the same way that an underground casket does, it can knock a few dollars off your burial fee. Depending on the time of year and the circumstances, you can get a fairly inexpensive burial with a mausoleum.
It Does Not Need Maintenance
With a gravesite underground, your loved ones consistently have to maintain your plot. Weeds and things may grow and even the tombstone is not always weather-proof. With a mausoleum, you eliminate the maintenance work for your loved ones and put yourself in a grave that needs none at all. This can keep them from having to go back regularly, reliving the pain of losing you once again.
As you can see, there are many benefits to this unique form of burial. Not only will you stand out from everyone else, but it can also be cheaper and does not require as much maintenance to your gravesite. If you are planning your funeral and are looking for a cheap and unique way to be buried, consider a mausoleum as your first option. For more information on funerals and burials, check out Newcrowncemetery.com. You can also visit them on Facebook.
Thursday, February 18, 2016
On Monday, US singer Taylor Swift won the 58th Grammy Awards Album of the Year for her album 1989, and her music video for Bad Blood won the Grammy Award for Best Music Video.
This was the second time Swift has won the award for the Album of the Year. She previously won for her album Fearless in 2010. Swift collected three Grammys at this year’s awards ceremony: Best Music Video, Best Pop Vocal Album and Album of the Year.
With this Album of the Year win, she became the first woman to win two Grammy Awards in the category. At the beginning of the award ceremony, Swift performed her song Out of the Woods live.
The other nominees for the Album of The Year were Alabama Shakes’ Sound & Color, Kendrick Lamar’s To Pimp a Butterfly, Chris Stapleton’s Traveller, and The Weeknd’s Beauty Behind the Madness. Canadian singer The Weeknd won two awards for Best Urban Contemporary Album and Best R&B Performance.
While receiving her award, Swift left a message for younger women saying “there will be people along the way who will try to undercut your success or take credit for your accomplishments […] don’t let those people sidetrack you, someday when you get where you’re going you’ll look around and you’ll know that it was you and the people who love you who put you there, and that will be the greatest feeling in the world.”
Kendrick Lamar, who featured in the Bad Blood video, won five awards including for Bad Blood. Swift’s friend Ed Sheeran won the Song of the Year for Thinking Out Loud ahead of her song Blank Space from the album 1989.