
JOURNAL OF RESEARCH AND INNOVATION IN INFORMATION SYSTEMS

http://seminar.utmspace.edu.my/jisri/

ISSN: 2289-1358 Page | 58

Information Technology Risk Management: The case of the International Islamic University Malaysia

Abdul Rahman Ahlan (1), e-mail: [email protected]
Yusri Arshad (2), e-mail: [email protected]

Author(s) Contact Details: 1,2 Department of Information System, Kulliyyah of Information and Communication Technology (KICT), International Islamic University Malaysia (IIUM), P.O. Box 10, 50728 Kuala Lumpur, Malaysia

Abstract—Managing risks is crucial in all fields. Information technology risks pose more threats to organisations, in three categories: 1) technical and operational risk; 2) data and information security risk; and 3) organisation, project and human risk. Therefore, modern organisations have to face challenging, new and increasing threats from IT risks in more sophisticated ways. This task is difficult if it is not given due care by top management and implemented diligently with duty of care by the responsible teams. The main objective of the paper is to develop an information technology risk management framework for the International Islamic University Malaysia (IIUM) based upon a series of consultant group discussions, risk management formulation, business process identification, quantification of risk weightage and classification of core risk factors in a university environment. The proposed risk management method has been applied to the IIUM case. This study uses an action research approach with the active involvement of the researchers and stakeholders in order to identify, analyse and respond to risks. The analysis draws upon both empirical research and a real case study. The study finds that top management acknowledges the important and pervasive role of information technology in organisations and that consequential threats originating from the use of IT hardware and software can be detrimental to organisational effectiveness and efficiency. The dangers could cause financial, privacy, security and data losses. As a result, IIUM engaged its ICT strategic business unit to draw up and design a new IT risk management framework based on the current problems and settings. The framework, however, can be applied to other Malaysian public and private universities. Moreover, it is also suitable for replication in non-academic institutions with a few minor adjustments.

Keywords – information technology; risk management; action research; Malaysia universities; public sector

1. INTRODUCTION

Risk is a common term adopted in every field, including information technology/information systems (IT/IS). IT refers to the technical means available (equipment and attendant techniques), which is essentially activity-based, supply-oriented and technology- and delivery-focused. IS, on the other hand, are business applications, more or less IT-based. While many definitions are offered from different perspectives, this study adopts the definition of IT risk as the uncertainty that a foreseeable loss or damage can result from such uncertain probabilistic events. The nature of IT risk depends largely on the types of assets, information or projects. Each IT hardware, software, system or project has its own inherent and incidental risk associated with it. This paper classifies IT risk into three types, namely: 1) technical and operational risk; 2) data and information security risk; and 3) organisation, project and human risk [2].

IT security requirements in modern organisations might stem from within the organisation (work practices, corporate regulations, organisational policies) or the environment (market trends and data protection acts). Because of this, there is a need for the identification and implementation of security controls to ensure that assets, data and information are protected against potential threats.

One cannot reasonably develop IT security policies and procedures without clearly understanding the systems, assets, data and information that must be protected and how valuable they are to the enterprise. In addition, one must determine the probability that the assets will be threatened. Therefore, the objective of IT risk analysis is to identify and assess the risks to which the IT/IS and its assets are exposed in order to select appropriate and justified security safeguards. The analysis of IT risks is performed in five stages (based also on Joint Technical Committee 1 of the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC/JTC1, 1996): 1) asset identification and valuation; 2) threats assessment; 3) vulnerabilities assessment; 4) existing/planned safeguards assessment; and 5) risk assessment.

This paper aims to answer the following research questions and objectives respectively:

1) What IT risks are prevalent in International Islamic University Malaysia?

• This paper invites the readers to understand IT risks, risk management and framework specifically within institutes of higher learning (IHLs) in the Malaysian context, particularly International Islamic University Malaysia. IHLs include public and private universities.

2) How is IT risk analysis and management carried out in the university?


• To investigate the practices of IT risk analysis and management adopted and undertaken in the university.

Nonetheless, the literature review presents global perspectives on the subject, which are used as the basis for formulating an IT risk management framework for Malaysian IHLs in particular and all organisations in general. We first review the relevant literature. In the methodology section, we describe and explain the qualitative research design of the study. Then we describe and discuss the research findings before ending the paper with the conclusion and implications of the study.

2. LITERATURE REVIEW

2.1. IT risk analysis and management

Chapman and Cooper [11] define risk as an exposure to the possibility of economic or financial loss or gain, physical damage or injury, or delay as a consequence of the uncertainty associated with pursuing a course of action. The task of risk management can be approached systematically by breaking it down into the following three stages: (1) risk identification; (2) risk analysis; and (3) risk responses. Tummala and Leung [30] develop a methodology for risk management governing risk identification, measurement, assessment, evaluation, and risk control and monitoring. Turner [18] suggests expert judgment, plan decomposition, assumption analysis, decision drivers and brainstorming for identifying risk factors effectively in a project. Perry and Hayes [16] suggest a checklist of risks that may occur throughout the life span of any project. The Delphi technique has been used by Dey [24] to identify risk factors. Outside the field of engineering and construction, an approach for risk identification in product innovation has been reported by Halman and Keizer [17]. However, despite the many studies on IT, information system development and operational risk management available in the literature, no research has been done in a public university environment, particularly in the Malaysian context.

Information represents a key resource in the decision-making process for all organisations. Where decision makers face degrees of uncertainty and risk in the decision situation encountered, it appears that information gathering is particularly significant. The developments in information and communication technologies (ICTs) are designed to enhance the availability and quality of information provided to organisations, e.g. databases, geographic information systems and the Internet. Organisations now have access to a wider range of data sources internally and externally; improved quality of information (e.g. accuracy, timeliness, detail, relevance); more readily available data at any time and the support of the necessary analytical tools to manipulate the data available. Hence, many organisations might suggest that they have experienced less confidence and perceived greater risks as a result of the improved information flow.

Information security is an organisation’s approach to maintaining the confidentiality, availability, integrity, non-repudiation, accountability, authenticity and reliability of its IT systems [3]. Information security is required because the technology applied to information creates risks. Commonly, information might be improperly disclosed because its confidentiality could be exposed, modified in an inappropriate way because its integrity could be jeopardised, and destroyed or lost because its availability could be threatened [5]. Managing information security risk consists of six generic processes, namely risk identification, analysis, treatment plan, treatment plan implementation, monitoring and control.

In addition, with the growing size and number of network applications in organisations, more varieties of intrusion have begun to appear. As a result, more and more security equipment is deployed in enterprise networks. Nevertheless, network security managers are confronted with several risks and challenges [32]:

• Since security equipment and network applications produce a large amount of network security events (all warning data and security log data), it is difficult to handle these vast volumes of data manually.

• There are serious false positives, and the few true positives hiding behind the false positives are difficult to identify.

• Different security equipment has different detection capabilities, which causes different false negatives and false positives to some extent.

• Security administrators lack an overall, real-time sense of the security of the entire network.

Moreover, there was a great concern regarding year 2000 (Y2K) bugs during that time. Organisations were pressured to find and develop an enterprise transformation methodology to mitigate Y2K risks. The basic idea behind the Y2K problem is the storage of calendar year dates in two-digit form. Much of the software in use will either cease to perform or, even worse, will provide incorrect information with the date change from 99 to 00. While the exact nature of the Y2K consequences could not be known before year 2000, the possibility of major disruptions of normal business exists. The year 2000 problem may possibly exceed the great stock market crash of 1929 and the following depression as an issue that can damage the careers and finances of corporate executives and elected officials.

In the case of IT outsourcing, projects entail complicated risks which can lead to project failures [2]. In Malaysian public sector ITO projects, for instance, many agencies have to rely on the expertise and capabilities of service providers and therefore the risks increase as many players are involved in the outsourcing projects. Service receiver teams often lack the resources and capabilities to manage big projects. These supply- and demand-side deficiencies and problems pose a lot of risks [31]. Service receiver agencies are inviting disaster if those risks are not assessed. Those risks, if carefully and deliberately assessed and managed, will attenuate the level of risk exposure [4].

In any risk-analysis exercise, two major tasks need to be carried out: 1) the elements of risk, which are specific to the area under study, have to be identified; and 2) those elements of risk have to be measured and the risk itself given a value. The identification of assets is straightforward in theory: hardware, software and data. Hardware and software assets may be valued by estimated replacement costs. Data, however, may need to be valued separately for each impact type. When data assets are identified, each user is asked to define a “worst-case scenario” for each of four impact types: 1) denial of access to data; 2) destruction of data; 3) disclosure of data; and 4) modification of data [25].

Many studies prove that the practice of risk management increases the likelihood of successful projects, including a survey showing a positive association between risk management and project success [2]. Therefore, risk management should be recognised as one of the critical success factors in IT outsourcing projects. In Malaysia, even though awareness of risk management is high, the practice is still low, whereby only 8.0 percent of IS projects integrate risk management in the development process, due to a lack of formal training in risk management.

Risk management helps to answer questions such as whether passing on the new database upgrade will increase the chances of being hacked, whether the organisation really needs to implement that secure e-mail system, and whether purchasing the latest intrusion-detection technology will reduce the likelihood that the web server will be successfully attacked [1]. Furthermore, risk management helps prioritise issues. Prioritisation helps an organisation to know which issues are more critical to resolve and to allocate available resources to the most critical area first. It is very useful if an organisation has a limited amount of resources and cannot address all areas of risk instantaneously and concurrently. An important tenet of the field of risk management is the integration and interaction of the terms risk and uncertainty within the commonly used term of risk itself.

2.2. IT risk management framework

Risk analysis, an orderly process adapted from practices in management, is a valuable methodology for every attempt towards the establishment of a secure IT/IS, as it addresses two important issues. 1) The need for a systematic method to identify IT/IS-related risks: continuous technological evolution, IT/IS complexity, and diversity in applications, technologies and configurations are some of the reasons why identifying and assessing risks is considered such a laborious task. 2) Total security is not feasible: in addition, an enterprise must justify expenditures for security, which brings out the need for a method to improve the basis for decisions. One can thus select a set of safeguards that will provide a level of security commensurate with the level of risk in a cost-effective manner.

IT/IS and information security risk management methodologies and analysis approaches are widely available; some of them are qualitative while others are more quantitative in nature. However, these methodologies have the common goal of estimating the overall risk value. Risk management methodologies such as OCTAVE [12] and CORAS [22] provide qualitative information security risk analysis for information and communication technology.

Meanwhile, quantitative methodologies include the Information Security Risk Analysis Methodology (ISRAM) [7], Cost-of-Risk Analysis (CORA) [15], Information System Analysis based on a Business Model [8], MyRAM [20, 21] and HiLRA [21]. Other related risk assessment approaches for managing information security risk are Historical Analysis [1], Event Tree Analysis [9], Failure Mode and Effects Analysis [14, 23], Probabilistic Risk Assessment [26], Human-error Analysis [29], and HAZOP (hazard and operability) [30]. As mentioned in the introduction, the analysis of IT risks in this study is performed in five stages (based also on Joint Technical Committee 1 of the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC/JTC1, 1996)): 1) asset identification and valuation; 2) threats assessment; 3) vulnerabilities assessment; 4) existing/planned safeguards assessment; and 5) risk assessment. The framework is modified for the purpose of the study and is based on the framework designed by the IT strategic business unit in the university.

3. METHODOLOGY

Action research (AR) is the main method employed in the study. We began with a review of related literature and several meetings with the stakeholders and management of IIUM. Consequently, a series of discussions was held to understand the needs for IIUM IT/IS risk management and how to approach them. Many stakeholders were involved from all levels. Top management was very supportive and granted full access to assets, data and information in the university for the purpose of the study.

“Action research can be described as a family of research methodologies which pursue action (or change) and research (or understanding) at the same time” [6]. It is characterised by the cyclic revision of action followed by reflection, often culminating in the refinement of understanding using methods such as modeling. The iterative nature of the methodology promotes convergence to a greater understanding [6]. Figure 2 characterises this cyclic process and shows how action research sets out to analyse a state of affairs in a given context. Once analysed, action (change) can be consciously added to the situation to improve it, and its resultant effect observed. Reflection on the change and resultant effects is then made to produce possible further action. Assessment, action and reflection are the key elements of the research methodology.

In addition, the qualitative content analysis method was also used in exploring the vast information available. It has long and widely been used in many disciplines, including nursing research and education [31]. Despite this, many articles and books show different opinions and unresolved issues regarding the meaning and use of concepts, procedures and interpretation in qualitative content analysis. The diversity can be understood partly from a historical point of view and partly from the various beliefs about the nature of reality among researchers [31]. They assert that an assumption underlying a study is that reality can be interpreted in various ways and that understanding is dependent on subjective interpretation.

For instance, qualitative research, based on data from narratives and observations, requires understanding and co-operation between the researcher and the participants, such that texts based on interviews and observations are mutual, contextual and value bound. Thus, our presumption is that a text always involves multiple meanings and there is always some degree of interpretation when approaching a text. This is an essential issue when discussing trustworthiness of findings in qualitative content analysis.

In this study, we obtained some information on IT policy and practices from meetings with top management such as the Chief Information Officer, the director of the IT division and heads of department of some faculties. Lower-level information was obtained from the middle management staff involved in the project. The staff involved were selected by the IT director and his team, comprising all managers and immediate subordinates in each area. The IT strategic business unit was the main consultant in this project. Further explanation of vague terms or jargon was sought when necessary. The IIUM website, internet sources and intranet information were also searched.

4. CASE STUDY FINDINGS

A. Scenario background

IIUM is a publicly funded university, established on 23 May 1983, and was founded on Islamic principles with the aim of becoming the premier Islamic university in the world. It was meant to be a comprehensive international higher education institution, "inspired by the world-view of Tawhid and the Islamic philosophy of the unity of knowledge as well as its concept of holistic education". Islamic values are inculcated into all disciplines. At present, the University offers various bachelor's, master's and doctoral (PhD) courses at its 13 faculties, also known as kulliyyah. As of 2005, there were approximately 20,000 students from over 40 Muslim-majority countries studying at IIUM, as well as students from non-Muslim-majority countries (such as Germany, China, Japan, India, the United States of America, Russia, Kyrgyzstan, Vietnam, Sri Lanka, the Philippines and Thailand). To date, IIUM has produced 28,065 and 10,767 graduates at bachelor's, and master's and doctorate levels respectively. Of these 38,832 graduates, 4,270 were international students from more than 100 countries. As such, IIUM is recognised by OIC countries as an institution that produces many international graduates.

B. Findings

B.i) IT governance and security policy

At the top management support level, the IT physical security policy recognises the threats posed by ICT hardware, systems and infrastructure facilities in the university environment. The main objectives of the IT security policy are to preserve the confidentiality, integrity and availability of information, services and ICT infrastructure.

a) Confidentiality of information is by protecting classified electronic information from unauthorised disclosure or intelligible interception.

b) Integrity of information and ICT infrastructure is by safeguarding the accuracy and completeness of information, software and ICT infrastructure.

c) Availability of information, services and ICT infrastructure is by ensuring that information and vital services are available to users when required.

The ICT Security Policy shall apply to all IT resources, IT users and administrators with the aim to prevent, detect and respond to unauthorised access, usage and modification of information, system and network, to ensure business continuity. In addition, Corporate-wide Security Policy and Physical Security Policy are also drawn for IT governance purpose.


Figure 1 shows the responsibility matrix matching the IT physical security layers. The x-axis shows the physical, network and system security layers, while the y-axis shows the roles and responsibilities within the university environment.

IT Physical Security      IT users   IT administrators   IT Division   Human resources
- System                     ✔               ✔                ✔               ✔
- Network                    ✔               ✔                ✔               ✔
- General                    ✔               ✔                ✔               ✔

Roles and Responsibilities Owners. Note: Penalties and Non Compliance, and Business Continuity Management, are for the IT Division and Administrators.

FIGURE 1: IT security and roles and responsibilities matrix

In general security, the IT user is responsible for ensuring the security, integrity, backup and recovery of information on IT equipment and electronic storage devices in their custody. All IT users are accountable for all use of IIUM systems performed using their user-ID. Moreover, all IT users are to immediately inform the Security Operations Centre on becoming aware of any loss, compromise, or possible compromise of information, or any other incident which has ICT security implications. The IT user is responsible for the security and confidentiality of the data and information to which they obtain access.

On the network level, the network security for IT resources shall be in compliance with the Policy for Network Services and Policy for Wireless Networking. In addition, IT resources which require public, non-VPN access from the Internet shall be located in a designated Data Centre facility operated by the IT Department (ITD). All outgoing connections are subject to network monitoring and filtering.

On the system level, all users of systems and applications with passwords are to comply with the Policy for Electronic Accounts. Workstations, computer terminals, notebook computers and PCs must not be left unattended in a state whereby unauthorised parties could gain access to the system and data. It is recommended to use a password-protected screen saver and auto log-out or auto session termination upon a specified idle limit. Furthermore, physical access to critical servers, such as entering the Data Centre, without prior authorisation from ITD is strictly prohibited. Dealing in, distributing, installing, or using unlicensed or pirated software is strictly prohibited.

B.ii) IT risk or security management model or approach

From Figure 1, the team has developed the IT security risk management processes to be applied to the risk management exercise in the IIUM environment. It consists of four main processes: risk assessment, risk treatment option, risk treatment plan and risk framework.

FIGURE 2: IT risk management processes

Figure 2 shows the proposed IT risk management model or approach. It consists of four main processes:

1) Risk assessment – this process has five steps: context establishment, business process definition, key assets identification, risk registration and assessment valuation.

2) Risk treatment option – this process involves making decisions on the risk assessment and treating the risks based on certain criteria, namely whether to accept or mitigate the risks assessed.

3) Risk treatment plan – then, the risks chosen for mitigation are carefully planned for with the best available treatment.

4) Risk framework – finally, a comprehensive risk framework for a given environment scenario is developed.



B.ii.a) The risk assessment workshop - Selection of participants

Initial analysis revealed that the ten key business processes were indeed fully represented within the programme’s stakeholders, namely Admissions & records management (A&R), Building & facilities management (BFM), Common facilities services (CFM), Finance services (FS), Health & wellness services (HWS), Human resource services (HRS), IT services (ITS), Residential management (RM), Safety and security management (SSM) and Teaching & learning (T&L).

Having identified the ten constituencies, the team hypothesised that, if asked to articulate the risks to the programme, A&R might focus on the students’ academic and personal records risks to the accuracy and availability of their division, while ITS and SSM would be more worried about threats to the IT hardware, software and buildings that house them as well as their related procedures and structures. Health and wellness services would identify how their programmes and services would be disrupted or threatened by the ICT security risks and threats that could lead to severe conditions of their patients or even fatalities. All business processes were concerned with the availability, confidentiality and integrity of the systems, hardware, software and data. In order to maximise the chances of identifying and properly assessing all the sources of risk, it was therefore seen as essential that all ten business processes stakeholders representatives should participate in the risk assessment as equal partners.

Equal numbers of representatives of each process were therefore invited to attend a risk assessment workshop at the IT division in October 2010. While the actual attendees from each type were not quite equal in numbers on the day, nevertheless each group was represented. The introduction to the workshop emphasised the differences in risk perception and that there were no right or wrong answers. Equally important, all the participants were assured that nothing they could say would cause any offence. On the contrary, their candour would be welcome and the validity of their views recognised.

B.iii) IT risk management – The application

IIUM has developed its own IT risk assessment model based on its contextual settings. This is shown in Figure 2 above. The model includes a four-step approach to determining the level of IT risks existing in the university environment. The risk analysis entails five main steps, which are 1) Context Establishment; 2) Business Process; 3) Key Assets; 4) Risk Register; and 5) Assessment Value. All four steps of the risk management process applied in the IIUM project are described below.

1) Risk assessment

FIGURE 3: IT risk assessment workflow

In step one, the team began by identifying and clarifying the organisation’s vision, mission and objectives. This is done to obtain an overall, comprehensive view of which crucial business processes need to be focused on. This first step is important as a guide for the subsequent steps in the risk assessment exercise. The mnemonic PESTLE was used to facilitate the identification of political, economic, social, technological, legal and ecological risks arising from threats in the external environment. Risks arising from weaknesses in the internal environment were generated through consideration of the core business areas of infrastructure, human resources, finance, technology, logistics and marketing. These broad headings were intended to guide the participants in thinking about any possible issues which might have adverse consequences for the programme. Participants had been circulated with worksheets in advance of the workshop and asked to give some thought to the issues, feeling free to interpret the headings in any way they wished.

Step two is concerned with the identification of physical and information assets. The risk identification exercise involved the consideration of potential risks arising from both the external and internal environments. Assets can be of certain types, belonging either to building, information, people, system or physical. The exercise team must look for and thoroughly investigate the available assets in the organisation. In this case the team refers to the definition of asset ownership in ISO/IEC 27001:2005.

Figure 3 workflow steps: 1) Define business process; 2) Identify key assets that support the business process; 3) Assess criticality of the business process; 4) Perform risk assessment on the key assets.


In step three, criticality is assigned values from low to severe. Then, following from step two, the team analyses the key assets and identifies the possible threats. Values for likelihood are attached to each of the threats using a certain formula. Consequently, the criticality of an event or asset is mapped to the business process in order to obtain the percentage level of the assets required by the business processes. Each risk was then considered by the whole group, debated, and a collective judgement made about the probability of the risk occurring. The probability was judged on a four-point scale of criticality as follows: 1 = low; 2 = medium; 3 = high; 4 = severe, and the risk index was labelled as 1) low; 2) medium; and 3) high. Judgement was then needed about the potential adverse consequences of the risk. We had decided there were four types of adverse consequences to consider, namely that the programme or its projects could not: 1) be completed at all and had to be cancelled; 2) be completed on time; 3) be completed within budget; or 4) meet the quality required.

Different risks have different levels of adverse impact. For example, the prolonged absence of the business change manager might have a high impact on quality, a medium impact on timescales, a low impact on budgets and no impact at all on the overall survival of the programme. The constraints of time did not allow for all four types of consequences to be considered by the whole group. The participants were therefore split into four groups, with each constituency represented in each group, and each group allocated one of the four types of adverse consequences, for judging on the same four-point scale as before.

Finally, the risk assessment or evaluation process was performed on the identified key assets to determine their confidentiality, integrity and availability values. The threats were identified and assigned likelihood and vulnerability values before the total risk values were calculated. All of this was recorded in the risk register. In the end, a risk summary chart was tabulated: the assets were ranked by risk value or percentage in descending order. Each of the 300 or so key risks in the register was then plotted on a 3 x 4 matrix. Although adding to the complexity, a separate matrix was plotted for each of the four types of adverse consequences. The distribution of the risk issues on each matrix was then evaluated by the ITD and project directors. The directors set the risk indicators and allocated an identifier to each of the four boxes above the line. It is important to note that the directors’ role was to set the risk indicators, not to review the risks themselves to decide whether they agreed with them or not. The fact that a senior manager does not agree with a risk is fine but should not lead to any changes to the risk issues register. The risk may be something he or she would prefer to ignore, or their own bias may simply mean they would not have thought of the issue as a risk. The whole point of engaging in the risk assessment process in the way we have outlined is to maximise the richness, diversity, honesty and objectivity of the risk issues register. The project directors fully accepted this argument.

2) Risk treatment option

From the risk assessment exercise above, the team then moved on to the next step of treating the identified risks. Several options were available for decision-making purposes. The decision criterion was whether to accept or mitigate each risk, based on the risk index and business process criticality matrix. In the matrix, the risk index was ranked from low, medium to high, while business criticality was labelled as low, medium, high and severe. Low-low and low-medium combinations were accepted and the rest were mitigated.
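As an added worked example (not code from the paper), the register scoring, descending ranking, 3 x 4 matrix and accept/mitigate rule described above in Python; the risk formula, the 1 to 4 factor scale, the index thresholds and the sample assets are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

MAX_RISK = 4 ** 3   # every factor scored 1..4 (assumed), so max(C,I,A) x likelihood x vulnerability <= 64

@dataclass
class Asset:
    name: str
    process: str              # business process the asset supports
    criticality: str          # of that process: low/medium/high/severe
    cia: tuple                # (confidentiality, integrity, availability), 1..4
    likelihood: int           # threat likelihood, 1..4
    vulnerability: int        # 1..4

def risk_value(a: Asset) -> int:
    # Assumed formula; the paper only says the total risk values are "calculated"
    return max(a.cia) * a.likelihood * a.vulnerability

def risk_index(value: int) -> str:
    # Map the value to the paper's three-level risk index (thresholds assumed)
    pct = value / MAX_RISK
    return "low" if pct < 0.25 else "medium" if pct < 0.5 else "high"

def treatment(index: str, criticality: str) -> str:
    # Paper's decision rule: low/low and low/medium accepted, all others mitigated
    if index == "low" and criticality in ("low", "medium"):
        return "accept"
    return "mitigate"

def build_register(assets):
    # Risk register rows ranked by risk value in descending order, as in the paper
    rows = []
    for a in assets:
        v = risk_value(a)
        idx = risk_index(v)
        rows.append({"asset": a.name, "process": a.process, "risk_value": v,
                     "risk_pct": round(100 * v / MAX_RISK, 1), "risk_index": idx,
                     "criticality": a.criticality,
                     "treatment": treatment(idx, a.criticality)})
    return sorted(rows, key=lambda r: r["risk_value"], reverse=True)

def matrix_counts(rows):
    # Plot the rows on the 3 x 4 (risk index x criticality) matrix: cell -> count
    return Counter((r["risk_index"], r["criticality"]) for r in rows)
SAMPLE = [  # constructed sample assets, not IIUM data
    Asset("student records database", "Admissions", "severe", (4, 4, 3), 3, 2),
    Asset("lecture hall projector", "Teaching", "medium", (1, 1, 2), 2, 2),
    Asset("email gateway", "Communication", "high", (3, 2, 4), 4, 3),
    Asset("campus notice board", "Communication", "low", (1, 1, 1), 1, 1),
]
```

Running `build_register(SAMPLE)` ranks the email gateway (48/64, high, mitigate) first and leaves only the projector and notice board in the accepted cells.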

After briefing and discussion at a private meeting with the researchers and project directors, the directors decided that any risk appearing in the matrix with a medium/medium, medium/high or high/high risk combination would be designated as mitigated and would have to be addressed by a countermeasure. Any risk appearing below those combinations, or under the line in at least a few boxes, would be designated as a low/low or low/medium risk and would not be subjected to the mitigation process or addressed by a countermeasure, if the participants at the risk management workshop felt this was appropriate. A risk assessment report was prepared to reflect the directors’ decisions and as a working document to inform the participants at the risk management workshop.

3) Risk treatment plan

In this step, the mitigated risks were given risk treatment identifications (IDs). The relevant policies and procedures, along with the responsible owner and stage status, were identified. Technology controls or acculturation programmes were then matched to each risk treatment ID according to whether the risk was technology-related or culture-related.

4) Risk framework

Finally, from all the risk assessment steps carried out above, a summary risk framework for IIUM was developed. The framework encompasses all the main information regarding the organisational context, approach, controls, business processes and assets. Figure 5 illustrates the final risk framework developed for the IIUM case.


FIGURE 4: IIUM IT risk management framework

4. CONCLUSION AND IMPLICATION

The study shows that International Islamic University Malaysia, a public university, had implemented and managed information technology security and risks in its organisation at all business process levels. The risk management processes and workflows were designed internally from the risk management project while referring to relevant international standards at the same time. While the top management acknowledges the information and communication technology risks and security in the university, all business processes must support the policies and initiatives undertaken at all times. Without continuous overseeing and monitoring by the middle and lower level staff, the policies would just remain as policies.

Being a public university with a mission towards the development of human capital for Malaysia and the ummah, the university must be proactive at all times towards improving its policies and risk management techniques. Security threats become more sophisticated every year; it is therefore important for the university to keep up with the rapid advancement of information and communication technology security risks as well. Hence, a full and extensive risk management exercise must be carried out every year so that all risks are mitigated at an early stage without compromising the confidentiality, availability and integrity of the university’s assets. Quarterly reviews and monitoring are recommended in all departments.

The communication of risk issues between the project levels, divisions and business processes should of course be a two-way process, and a number of IT/IS security risks had already been identified from management of risk activities undertaken by individual projects. Similarly, several of the risk action plans required action at the project level. To reinforce the need for communication and to raise their awareness, the project managers and key stakeholders of the project were visited.

The visit was also used to identify and report on the management of risk activities and processes at the business process or division level. These were found to range from little to comprehensive: the IT division had carried out the suggested risk options and plans comprehensively, while some other divisions with less experience and knowledge of IT/IS security risk management tended to follow the findings of the risk management exercise loosely. This calls for quarterly reviews or meetings on the development of ICT risk management activities within the ten business processes, as planned in the previous project.

We have described in some detail the rationale, processes and activities adopted to manage IT/IS risks within the offices, faculties, departments and divisions of International Islamic University Malaysia, Gombak campus. We have demonstrated how taking account of research findings from the behavioural sciences, combined with the use of concepts and methods proposed in international standards and practices in Malaysia, has allowed us to involve a broad range of perspectives and thus maximise the richness and diversity of our risk assessment.

We have shown how the risks of most concern to the business processes were prioritised, and action plans developed to deal with them. We have acknowledged the difficulties in progressing the action plans but nevertheless believe the whole process has been worthwhile. Without this work, the key areas of concern we have outlined might not have been brought into the open, discussed, tackled and progressed.

[Figure 4 components: Corporate wide security; Risk management scope; IIUM context RM; Approach; Business Processes; Assets; Controls]


In sum, we believe that our practical approach to the management of IT/IS risks will have helped to control costs, minimise delays and sustain the quality of the work being carried out within the business processes and relevant departments. We hope that the case of International Islamic University Malaysia may contain something of interest to other public or private institutes of higher learning as well as other private and public organisations.

ACKNOWLEDGMENT

This study is funded by the Malaysia Ministry of Higher Education (MOHE) under Fundamental Research Grant Scheme (FRGS) 10-029-0148. Our sincere thanks go to IIUM management for granting the permission to publish the article. We would also like to thank all the stakeholders and participants involved in the project.
