Assessment of Information Security Risk Management System based on ISO/IEC27005 in the Independent High Electoral Commission: A Case Study

Abstract

The current research aims to study the extent to which the Independent High Electoral Commission applies to information security risk management by the international standard (ISO / IEC27005) in terms of policies, administrative and technical procedures, and techniques used in managing information security risks, based on the opinions of experts in the sector who occupy positions (General Manager The directorate, department heads and their agents, project managers, heads of divisions, and those authorized to access systems and software). The importance of the research comes by giving a clear picture of the field of information security risk management in the organization in question because of its significant role in identifying risks and setting appropriate controls to manage or get rid of them, flexibility in setting controls at work and gaining the confidence of stakeholders and customers that Their data is protected. Compliance with controls gives the organization the confidence of customers that it is the best supplier and raises the level of ability to meet the requirements of tenders and then get new job opportunities, which encouraged addressing this topic by focusing on the basic standards of this specification and trying to study these standards and identify the most critical problems that This prevents its application in the commission understudy in particular. The Independent High Electoral Commission/National Office in Baghdad was chosen as a site to conduct the research, and the approach of the case study and applied research was followed and through field coexistence, observations, interviews, access to documents and information extracted from records and documents in order to determine the extent of the gap Between the Information Security Department of the commission in question and the system that the specification came with, analyzing the causes of the gaps and developing solutions, and considering The research was extended to the checklists prepared by the International Standardization Organization, and for the purpose of data analysis, the heptagonal scale was used in the checklists to measure the extent to which the implementation and actual documentation conform to the requirements of the specification, while determining the weights for the answers to the questions contained in the checklists by allocating a specific weight to each paragraph of the scale. The research used two statistical methods, the percentage and the weighted mean to express the extent of application and documentation of the specification paragraphs above and relied on the statement of the main reasons for surgery in the emergence of those gaps. The results that were reached showed several reasons that prevented the application of information security risk management, in the light of which treatments were developed that would reduce the gaps that appeared, the most important of which are: that the Commission did not adopt a clear and documented strategy to address risks, and that information security risk management Ineffective and completely secured from external and internal threats. There was also interest in documenting fixed Hardware and portable Hardware represented by computers used at the headquarters of the directorate, servers and small computers used as workstations in divisions and departments and their connection to senior management, as well as laptops and personal digital assistants, which showed a gap attributed to the total undocumented application of Hardware (automatic data processing), processing accessories, and electronic media), while the application was partially and undocumented for other electronic media, including disk drives, printers, paper, and documents.