Topic development for Research Projects in Theses and Dissertations related to IT Security, IT Services and IT Governance
Frameworks

Keywords applicable to this article: dissertation, research, topics, information, technology, security, services, governance, cobit, itil, risk, management, information security, risk it, val it, computer security,
incident management, problem management, change management, business continuity, disaster recovery, isms.
By: Sourabh Kishore, Chief Consulting Officer

The fields of IT Security, IT Governance and IT Services Management are excellent grounds for academic researchers to undertake their
dissertation and thesis research projects. The researches can result in very practical outcomes given that the standards, frameworks and
best practices pertaining to these fields are widely implemented in organisations across the world.

The dissertation/thesis projects in the fields of IT Security, IT Services and IT Governance shall essentially comprise of studies on world
class standards, frameworks and best practices that are widely accepted and implemented in organisations. Students may like to conduct
case studies in organisations where these standards, frameworks and best practices are implemented or else conduct interviews or
surveys among thousands of IT security professionals across the world that are connected via community groups on social networking
websites (Like Linkedin, Facebook, Google+, Plaxo, etc.). The culture of sharing knowledge in the world of IT security is excellent because
the security controls, threat management and best practices can be established effectively by practicing organized knowledge sharing
only. The IT security, services and governance consulting companies support academic researches whole heartedly to prepare the young
minds for the future challenges such that the acute shortage of human capital in these fields can be addressed. With the rapid growth of
cloud computing, the IT Security Challenges and Risks in Virtualisation and Cloud Computing (
please click here to gain a deep insight
into them
) have opened multiple research opportunities for students and professionals. In this article, I present a brief introduction on the
following standards and frameworks in which hundreds of topics pertaining to dissertations and thesis research projects can be
developed in the context of
Cloud Computing Risks and IT Security.

(a)
NIST (US Department of Commerce) Recommendations (SP 800-37, 800-39, 800-30, 800-53, 800-60, 800-137, & 800-144), : As per
NIST recommendations, all the critical IT systems should be categorized at the first place such that the risks to these systems can to be
identified, assessed and recorded. Thereafter, appropriate mitigation actions can be taken to reduce them to acceptable levels by either
reducing the vulnerabilities (applying controls), by avoiding the risks (disallowing activities that can cause risks) or by transferring the
risks to third parties (like outsourcing the controls to specialist security agencies). This entire process has been termed as IT Risk
Management by NIST which is now regarded as the baseline for the industry. It requires management commitment and assignment of
security roles to strategic business process owners in the organization. NIST recommends that the key roles that should contribute to IRM
should be Senior Management, Chief Information Officer, System/Information owners, Business Managers, Functional Managers, IT
Security Officers, Security Awareness Trainers, and Internal Auditors. The risk assessment recommended by NIST is a nine step
structured analytics procedure that should be carried out by the key roles such that the outcome can be collated to form an organization
wide risk registry.

(b)
ISO 27005 Standard: The ISO 27005:2008 is the formal replacement of ISO 13335-3 & ISO 13335-4:2000 which essentially recommends
a 100% metrics based evaluation of all the steps of risk assessment described in ISO 13335-3 using quantitative techniques. This standard
considers Risk Management, Configuration Management and Change Management as part of an integrated framework to deliver IT
security in an organization. The risk management framework recommended by this standard can be viewed as a model comprising of
"concentric spheres" with the information assets placed at the core of the model, vulnerabilities prevailing at the sphere above the core,
controls applied over the vulnerability sphere and threats prevailing at the periphery of the model. This model was originally part of ISO
13335-3 that represents an environment of threats changing continuously thus changing the risk baselines (residual acceptable risk level)
of the organizations. Hence, periodic assessment of the effectiveness of controls is required such that the vulnerabilities are not exploited
by the emerging external or internal threats to affect the information assets.
Please also see the DETAILED PROCESS OF
INFORMATION RISK ASSESSMENT
.

(c) ISO 27002 Standard: The ISO 27002:2008 standard was formerly known as ISO 17799:2005 code of practice for information security
that was used as the supplement document of ISO 27001:2005 standard which is the largest framework of standards describing
Information Security implementation in an organization. The ISO 27002:2008 standard recommends the practices documented in ISO
13335-3 which essentially is a wider framework of Information Security because it covers the impacts in terms of confidentiality,
integrity, availability, accountability, authenticity and reliability. Unlike "system characterization" recommended as the starting point by
NIST, this standard recommends "asset characterization" as the starting point which includes tangibles as well as intangibles. The asset
characterization is carried out by assuming that anything that is critical for the business to produce the products & services and retain
customers as well as market share is treated as critical asset for the organization. It may be the systems (IT Systems, power systems,
admin systems, etc.), people, documents, records, databases, applications, intellectual properties, etc. thus forming a much wider
coverage of subjects on which the risks analysis needs to be carried out. The threat & vulnerability analysis is carried out employing steps
that are similar to NIST recommendations but the impact analysis is carried out based on multiple business impacts categorized by the
business stake holders - like financial loss, business loss, customer loss, market share loss, key people loss, premises loss, intellectual
property breaches, regulatory breaches, productivity loss, inventory loss, etc. Protection against such losses is the direct interest of
business stake holders and hence the topmost priority of the risk management teams. The final stages of risk analysis, control analysis,
and control recommendations are similar to those of NIST recommendations. This framework also recommends periodic control
effectiveness testing which is recommended by NIST in their special publication 800-115.
Dear Visitor: Please visit the page detailing SUBJECT AREAS OF SPECIALIZATION pertaining to our services to view the broader
perspective of our offerings for Dissertations and Thesis Projects. Please also visit the page having
TOPICS DELIVERED by us. With
Sincere Regards, Sourabh Kishore. Apologies for the interruption!! Please continue reading!!

(d) The COBIT 5 Framework: The COBIT (Control Objectives for Information and Related Technology) framework is developed by IT
Governance Institute which is a community of expert developers and reviewers from IT governance field that have contributed to the
framework to arrive at the best practices published in its current form. The IT Governance Institute comprises of board of trustees, IT
governance committee, COBIT steering committee, advisory panel and affiliates & sponsors. The framework is a wonderful effort of
putting together all the best practices of IT governance & Risk Management which organizations can adopt to support their Business
Governance & Risk Management frameworks effectively. The COBIT framework helps in effective alignment of IT systems & processes
with business requirements through enterprise-wide visibility into risks such that establishment and maintaining a common risks view,
risk-aware decision-making, timely reaction to risky events, proactive protection against foreseen risky scenarios, continuous
improvements in IT governance strategies, policies, and approaches can be achieved.

(e)
The COSO (Committee of Sponsoring Organizations of the Treadway Commission) Framework: COSO is a scientific, data-driven,
and metrics-driven risk management framework for applying internal controls in an organisation. It employs statistical and
mathematical modeling methods for risk assessment such that an appropriate environment of controls, controlling activities, monitoring,
and communications can be established. The success of COSO depends upon internal data collection through effective monitoring and
conducting continuous controls effectiveness assessments such that periodic reports (like, daily, weekly, and fortnightly reports) can be
generated after appropriate statistical and mathematical analysis. The reports provide visibility into variations in the strength of the
controls such that timely measures can be taken whenever the variances breach the pre-defined limits. Both COSO and COBIT 5.0
encourage maturity modeling of enterprise risk management such that the organisations can raise their standards for maturing to a
higher level with higher benchmarks and quality targets.

(f)
CRAMM Framework: CRAMM is the Risk Management Methodology developed the Central Computing and Telecommunications
Agency (CCTA) which is based on qualitative methods of risk analysis. In this mechanism the steps called "asset identification &
valuation", "identification & assessment of threat & vulnerability", "identification of security measures", "identification of risks" and
"identification & assessment of risk mitigation" are carried out using structured questionnaire defined by the CRAMM framework. Each
question has either "yes" or "no" answer and the scores are collated by counting the numbers of "yes" and "no" responses which is done
automatically by the CRAMM system. If the target respondents of the CRAMM questionnaire are selected very carefully (like asset
owners, IT administrators, application engineers, database administrators, etc), then CRAMM can result in accurate identification &
mitigation strategies of IT risks.

(g)
OCTAVE Framework: OCTAVE is the abbreviation for "Operationally Critical Threat, Asset and Vulnerability Evaluation" which is
a model developed by Carnegie Mellon University. This framework takes into account operational risk, security practices and technology
and leverages the existing knowledge of vulnerabilities within an organization. The assessment is carried out in three phases -
"development of asset based threat profiles", "identification of infrastructure vulnerabilities" and "building security strategies & plans".
The first phase requires an organizational view whereas second phase requires technological view. The OCTAVE assessment criteria is
self driven without the need for external experts to guide the organization. Just like CRAMM it is a self guided process but is carried out
by few experts in the company that have extensive knowledge of IT systems in the company whereas CRAMM is carried out by all asset
owners of the company. One good aspect about OCTAVE is that it captures the knowledge of threats to business and internal weaknesses
from the people at all levels and then uses the knowledge to develop the asset based threat profiles. This ensures that the risk assessment
is very close to the people's perspective of threat exposures of the business and not based on some kind of threat database purchased from
external consultants.

(h)
FRAP Framework: Facilitated Risk Management Process (FRAP) is the framework which essentially takes into account prioritized
threats and asset vulnerabilities that can potentially cause maximum damage to the business. This again is a qualitative approach and is
popularly known as "four hour risk assessment". FRAP is not accepted by many organizations because the threat perceptions do not allow
scaled down list of assets, threats and vulnerabilities to be addressed. However, this is an effective framework given that the 80-20 rule
applies in risk management as well - i.e., 20% threats cause 80% of the damages.

(i)
ITIL version 2 and version 3 Frameworks: ITIL versions 2 and 3 are publications by the Office of Government Commerce (OGC) UK.
They are end to end IT service management frameworks that can effectively align the IT services of an organization to business
requirements at the operations level. ITIL version 2 is very popular due to its wide implementation base across the world in many
countries. It has two major disciplines - IT Service Support and IT Service Delivery. The IT Service Support discipline comprises of the
Service desk function of an organization and five management functions - Incident management, Problem management, Change
management, Release management and Configuration management. These management functions are also included in ISO 27001 and
ISO 20000 standards as well as in COBIT framework. The IT Service delivery discipline comprises of five management functions as well -
Service Level management, Capacity management, Availability management, IT Financials management and IT Business Continuity
management.

The ITIL version 3 is much wider framework compared to ITIL version 2. It comprises of five disciplines as against two in the version 2:
Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. There are many new
management functions included in ITIL version 3 in addition to the ten functions recommended by ITIL version 3. This is a new
framework and hence the global roll out is evolving gradually. The students can find vast opportunities of research in both these areas in
the form of Phenomenography or case studies.

(j)
Val IT: This is the latest framework developed by IT Governance Institute that can be seamlessly integrated with the COBIT
framework. This framework can be implemented to tangibly demonstrate the value of IT investments to the Business. This framework
has not yet been researched by academic researchers and hence offers an entirely new world of opportunities. Val IT has been integrated
with the COBIT for Risk framework under COBIT 5.0.

(k)
ISO 27001:2013: This is the umbrella standard of all other standards and frameworks in Information Security Management System
(ISMS). No standard possesses such wide coverage as offered by ISO 27001 in the field of IT Security. The purpose of ISO 27001:2013
(formerly ISO 27001:2005) is to guide an organization on the level of ISMS implementation feasible as per the business needs. It guides
the organization to implement a structured Information Security Management System with an approach of Risk Assessment & Business
Impact Analysis that incorporates world class best practices in management of the existing systems running in the organization in the
form of a structured Framework. The Framework includes the following:

Adequately documented and implemented Security Policy(ies) and Procedures.
Asset Master comprising of ALL critical Information Assets.
Risk Assessment and Business Impact Analysis Worksheets.
Risk Treatments Plans and Reports.
ISMS Management and Operations Group with detailed roles.
ISMS Operating Manual with Statement of Applicability.
ISMS Operating Procedures, activity log-sheets and reports.
ISMS Security Procedures pertaining to every operating area.
Access Control Policies and Procedures for all the Information Processing and Storage Facilities.
Incident, Problem, Change, Release, Configuration, Capacity & Availability Policies and Procedures.
Detailed Implementation of the 133 Normative controls as defined in Annexure A of BS ISO/IEC 27001:2013.
Internal and External Audit Procedures, audit sheets and corrective/preventive actions.
Information Classification, Transit, Storage and Destruction Policies & Procedures.
Disaster Recovery Plan and Procedures.
Business Continuity Plan and Procedures.

(l)
ISO 27017:2015: The ISO 27001 standard is extended to Cloud Computing in this standard. A significant number of businesses are
now maintaining their IT systems on cloud computing services offered by Amazon, Google, Microsoft, Rackspace, IBM, and many others.
The services are primarily offered in three categories: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and
Infrastructure-as-a-Service (IaaS). We have made several recommendations on research ideas in the field of virtualisation and cloud
computing in our article on Dissertation, Thesis Research Topics on Modern IT Systems and Governance. From the perspective of
information security, cloud computing offers significantly wider challenges as compared to self-hosted and self-managed IT systems. Our
page on Dissertation, Thesis Topics on Cloud Computing Security presents numerous such challenges opening massive research
opportunities for students. The ISO 27017:2015 presents multiple additional security controls needed when the IT systems are hosted on
cloud computing. Some of the key controls are the following:

Access control of cloud service customer's data in shared virtual environment
Operational procedures and responsibilities for cloud-hosted information assets
Logging and Monitoring of cloud-hosted information assets
Virtual Network security management
Cryptography on cloud computing
Security in System acquisition, development, and maintenance on cloud computing
Information Security incident management on cloud computing
Change management on cloud computing
Legal, Regulatory, and Statutory compliance related to information assets hosted on cloud computing
Information Security aspects of Disaster Recovery and Business Continuity Management on cloud computing

(m)
ISO 27018:2014: Perhaps, this is the first ever international standard covering privacy controls comprehensively. In many ways, it is
similar to the European Commission's General Data Protection Act (EU GDPR), which is a significantly large regulatory framework. The
common principles between EU GDPR and ISO 27018:2014 related to data privacy are of consent, fairness, transparency, unambiguity,
limitation of purpose, data minimisation, accuracy, storage limitation, confidentiality, and integrity were considered. In some cases, EU
GDPR allows that storing and processing privacy data without explicit consent is possible provided it represents a legitimate interest of
the controller without overriding the rights or freedoms of the data subjects. For example, an application may be perceived to be
qualifying in that category if its sole purpose is to protect the premises and employees of an organisation from malicious intruders.
However, this does not override the need for implementing effective data protection controls to prevent proliferation and misuse of the
individual data collected. ISO 27018:2014 helps in not only making this decision but also helps in implementing a framework of controls
closely aligned with ISO 27001 and ISO 27017 ensuring protection of privacy data held by an organisation in their information systems.
The controls of ISO 27018:2014 are defined in following categories:

A.1 Consent and Choice: A Privacy policy and process document exists defining the process of informed consent taken for maintaining
privacy records. Verify if permanent secured records of the consent has been maintained for each record in the databases or flat data files.
A.2 Purpose legitimacy and specification: A Privacy policy and process document exists defining the process of informed consent taken
for purpose legitimacy and specification for usage of the privacy records. Verify if permanent and secured records of the consent has been
maintained for each record in the databases or flat data files.
A.3 Collection Limitation: A Privacy policy and process document exists defining the process of collection limitation for usage of the
privacy records. Verify if permanent and secured records of the data fields required for the purpose has been maintained for each class of
the record in the databases or flat data files.
A.4 Data Minimization: A Privacy policy and process document exists defining the process of minimisation of privacy records as per the
defined legitimate purpose. Verify if permanent and secured records of the data fields required for the purpose has been maintained for
each class of the record in the databases or flat data files.
A.5 Use, retention, and disclosure limitation: A Privacy policy and process document exists defining the process of usage, retention, and
disclosure of privacy records as per the defined legitimate purpose. Verify if permanent and secured records of the usage, retention, and
disclosure required for the purpose has been maintained for each class of the record in the databases or flat data files.
A.6 Accuracy and Quality; Standard: A Privacy policy and process document exists defining the process for ensuring accuracy and
quality of data stored in the databases and data files.
A.7 Openness, Transparency, and Notice; Standard: A Privacy policy and process document exists defining the process for ensuring
openness, transparency, and notice of data stored in the databases and data files.
A.8 Individual participation and access: A Privacy policy and process document exists defining the process for Individual participation
and access of data stored in the databases and data files.
A.9 Accountability; Standard: A Privacy policy and process document exists defining the process for accountability of data stored in the
databases and data files.
A.10 Information Security; Standard: A Privacy policy and process document exists defining the process for information security of data
stored in the databases and data files. The applicable controls are the following: A.10.1 Confidentiality or non-disclosure agreements;
A.10.2 Restriction of the creation of hardcopy material; A.10.3 Control and logging of data restoration; A.10.4 Protecting data on storage
media leaving the premises; A.10.5 Use of unencrypted portable storage media and devices; A.10.6 Encryption of PII transmitted over
public data-transmission networks; A.10.7 Secure disposal of hardcopy material; A.10.8 Unique use of user IDs; A.10.9 Records of
authorized users; A.10.10 User ID management; A.10.11 Contract measures; A.10.12 Sub-contracted Personally Identifiable Information
processing; A.10.13 Access to data on pre-used data storage space.
A.11 Privacy Compliance: A Privacy policy and process document exists defining the process for privacy compliance of data stored in the
databases and data files.

Please contact us at consulting@etcoindia.co.in or consulting@etcoindia.net.in to discuss your topic or to get
ideas about new topics pertaining to your subject area.
We will be happy to assist you in developing your
narrow research topic with an original contribution based on the research context, research problem, and the
research aim, and objectives.
Further, We also offer you to develop the "problem description and
statement", "aim, objectives, research questions", "design of methodology and methods", and "15 to 25
most relevant citations per topic" for
three topics of your choice of research areas at a nominal fee. Such a
synopsis shall help you in focussing, critically thinking, discussing with your reviewer, and developing
your research proposal. To avail this service, Please Click Here for more details.

Previous Article

Next Article

Copyright 2023 - 2026 ETCO INDIA. All Rights Reserved