How to Increase the Inventory Efficiency in Information Security Risk and Compliance Management

Authors

Stefan Fenz, Vienna University of Technology and SBA ResearchFollow
Johannes Heurix, XYLEM TechnologiesFollow
Thomas Neubauer, Vienna University of TechnologyFollow

DOI

10.18151/7217311

Abstract

The inventory process, i.e. the assessment of assets and implemented countermeasures, consumes a significant amount of time in the risk and compliance management process. Assets and countermeasures have to be identified and classified in terms of confidentiality, integrity and availability requirements. Depending on the organization's size this process may include thousands of assets and countermeasures. This paper presents a novel inventory approach for assets and already implemented technical, physical, and organizational countermeasures (based on tools for network device mapping, software inventory, asset management, etc.). To efficiently assess implemented organizational countermeasures (policies, guidelines, etc.) we developed a keyword- and rule-based approach which automatically identifies existing policies in the ISO 27002 control context. The method and its implementation support middle and large organizations at efficiently assessing assets and implemented countermeasures by highly automating the inventory process. The method is not bound to any organization type or industry sector.

Recommended Citation

Fenz, Stefan; Heurix, Johannes; and Neubauer, Thomas, "How to Increase the Inventory Efficiency in Information Security Risk and Compliance Management" (2015). ECIS 2015 Completed Research Papers. Paper 44.
ISBN 978-3-00-050284-2
https://aisel.aisnet.org/ecis2015_cr/44