191 |
Analysis of information security risks and protection management requirements for enterprise networks. Saleh, Mohamed Saad Morsy. January 2011
With the spread of harmful attacks against enterprises' electronic services, the information security readiness of these enterprises is becoming increasingly important for establishing the safe environment such services require. Various approaches have been proposed to manage enterprise information security risks and to assess information security readiness. These approaches are, however, not adequate for managing information security risks, since not all required information security components of the structural and procedural dimensions have been considered. In addition, current assessment approaches lack numerical indicators for assessing enterprise information security readiness. Furthermore, there is no standard approach for analysing cost versus benefit when selecting recommended protection measures. This thesis aims to contribute to knowledge by developing a comprehensive Enterprise Information Security Risk Management (EISRM) framework that integrates typical approaches to information security risk management and incorporates the main components of key risk management methodologies. In addition, to support the phases of the proposed EISRM framework, analytical models for enterprise information security readiness assessment and cost-benefit analysis are developed. The practical evaluation, using the proposed enterprise information security readiness assessment model, was performed with an investigation form developed for the purpose and used to survey nine enterprises in Saudi Arabia. The results demonstrate the effectiveness of the model in assessing and comparing the enterprises' information security readiness at all levels of the model, using numerical indicators and graphical representations. The EISRM framework and the analytical models presented in this research can be used by enterprises as a single point of reference for assessing and cost-effectively improving their information security readiness.
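The abstract above mentions cost-benefit analysis for selecting protection measures without describing the model it uses. The following is an added example, not code from the thesis, that shows the standard Annualised Loss Expectancy (ALE) approach to that selection problem: each risk has a single loss expectancy and an annual rate of occurrence, each candidate control removes a fraction of the occurrence rate of one or more risks at an annual cost, and controls are chosen greedily by net benefit under a budget. The risk figures, control names, mitigation fractions and the assumption that mitigations of the same risk combine independently are all constructed for illustration.

```python
# Added example (not from the thesis above): cost-benefit ranking of
# candidate protection measures using the Annualised Loss Expectancy
# (ALE) model. All figures below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: loss per incident, currency units
    aro: float  # annualised rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction of the ARO removed, per risk name, e.g. {"phishing": 0.6}
    mitigation: dict = field(default_factory=dict)


def residual_ale(risks, controls):
    """Total ALE across all risks once the given controls are in place.

    Assumption: controls act independently, so mitigation factors against
    the same risk combine multiplicatively.
    """
    total = 0.0
    for r in risks:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.mitigation.get(r.name, 0.0)
        total += r.ale * remaining
    return total


def net_benefit(risks, baseline_controls, candidate):
    """Annual ALE reduction gained by adding `candidate` to the controls
    already selected, minus the candidate's own annual cost."""
    before = residual_ale(risks, baseline_controls)
    after = residual_ale(risks, baseline_controls + [candidate])
    return (before - after) - candidate.annual_cost


def select_controls(risks, candidates, budget):
    """Greedy selection: repeatedly add the control with the highest
    positive net benefit given what is already selected, while the total
    annual cost stays within budget. Net benefit is recomputed each round
    because earlier picks shrink the ALE later picks can still remove."""
    chosen, spent = [], 0.0
    pool = list(candidates)
    while pool:
        best = max(pool, key=lambda c: net_benefit(risks, chosen, c))
        nb = net_benefit(risks, chosen, best)
        if nb <= 0 or spent + best.annual_cost > budget:
            break
        chosen.append(best)
        spent += best.annual_cost
        pool.remove(best)
    return chosen


# Constructed sample data (hypothetical figures, not survey results).
RISKS = [
    Risk("phishing", sle=20_000, aro=4.0),       # ALE 80,000
    Risk("ransomware", sle=250_000, aro=0.2),    # ALE 50,000
    Risk("web_defacement", sle=5_000, aro=1.0),  # ALE 5,000
]
CANDIDATES = [
    Control("mfa", 12_000, {"phishing": 0.7, "ransomware": 0.3}),
    Control("offline_backups", 8_000, {"ransomware": 0.8}),
    Control("waf", 15_000, {"web_defacement": 0.9}),
    Control("awareness_training", 5_000, {"phishing": 0.3}),
]

if __name__ == "__main__":
    picked = select_controls(RISKS, CANDIDATES, budget=30_000)
    print("baseline ALE:", residual_ale(RISKS, []))
    for c in picked:
        print("selected:", c.name)
    print("residual ALE:", residual_ale(RISKS, picked))
```

With the sample data the WAF is never selected: its cost exceeds the whole ALE of the only risk it mitigates, so its net benefit is negative regardless of budget, which is exactly the kind of measure a numerical cost-benefit check is meant to screen out.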
|
192 |
Modelo de suporte a políticas e gestão de riscos de segurança voltado à terceirização de TIC, computação em nuvem e mobilidade / Support framework for security policies and risk management focused on ITC outsourcing, cloud computing and mobility. Malandrin, Leandro José Aguilar Andrijic. 05 April 2013
The technological scenario is an important factor to consider when working with Information Security Management Systems (ISMS). In recent years, however, this scenario has changed profoundly, growing in complexity in a way not seen before. Characterised mainly by technological trends such as the outsourcing of ICT infrastructure, cloud computing and mobility, the current external scenario creates major new security challenges. The typical way of handling a change of scenario in an ISMS is to revise the risk assessment and deploy new security controls. Faced with such a disruptive scenario, however, some risks may go unnoticed because of a lack of knowledge of the new elements it introduces. Deeper adaptations, made during the planning of the ISMS itself, are therefore needed. Using the ISO/IEC 27001 standard as a reference, this research introduces a support framework for identifying these adaptations. To build the framework, the risks related to each of the three technological trends were first identified. These risks were compiled and analysed together in search of recurring themes of concern. To address each theme within the framework, ISMS adaptations suggested in the security literature and in security practice were collected. These adaptations were turned into checkpoints to be verified while carrying out the two main activities of the ISO/IEC 27001 ISMS Plan phase: defining security policies and managing risks. The main contribution of the research is a security support framework with which organisations can adapt their ISMS and thus better protect their information in the external technological scenario described. A secondary contribution is the proposal of a unified, security-focused analysis of the technological trends of that scenario.
|
193 |
Gestão da segurança da informação: um olhar a partir da Ciência da Informação / Information security management: a look from Information Science. Silva, Claudete Aurora da. 18 February 2009
Information has been identified as the main source of power in organisations and therefore needs to be protected. To that end, NBR ISO/IEC 27001 defines guidelines for implementing an Information Security Management System (ISMS), whose objective is to safeguard the organisation's assets, ensure business continuity and provide confidence to interested parties. The aim of this study was to characterise how the theoretical and methodological aspects used in the processing of information can help in implementing the required information security management system. The research methods were qualitative, starting from a literature survey intended to contribute to the theoretical foundation of the topic, together with readings of works that ground the research. From the discussion of these concepts, the study sets out to make explicit how information management, seen from the perspective of information science, can provide elements for proposing the information security management system. The main result is a conceptual model of an information system that is effective in supporting managers in the process of implementing the ISMS.
|
195 |
Managing Security Objectives for Effective Organizational Performance Information Security Management. Gutta, Ramamohan. 01 January 2019
Information is a significant asset to organizations, and a data breach from a cyberattack harms reputations and may result in massive financial loss. Many senior managers lack the competencies to implement an enterprise risk management system and to align organizational resources such as people, processes, and technology to prevent cyberattacks on enterprise assets. The purpose of this Delphi study was to explore how the managerial competencies of senior information security and risk management managers help in managing security objectives and practices to mitigate security risks. The National Institute of Standards and Technology framework served as the foundation for the study. The sample was made up of 12 information security practitioners, information security experts, and managers responsible for enterprise information security management. Participants were from Fortune 500 companies in the United States and were selected on the basis of their level of experience and knowledge of the topic studied. Data were collected in a three-round Delphi study of these 12 experts and analysed statistically; the mean, standard deviation, majority agreement, and ranges were used to determine the final consensus. Findings included the need for managerial support, risk management strategies, and the development of managerial and technical talent to mitigate and respond to cyberattacks. The findings may contribute to positive social change by providing information that helps managers reduce the number of data breaches from cyberattacks, which benefits companies, employees, and customers.
|
196 |
The Challenges of Implementing Bring Your Own Device. DeShield, Leslie. 01 January 2017
Research conducted by Tech Pro (2014) indicated that the Bring Your Own Device (BYOD) concept is gaining momentum, with 74% of organizations already having a BYOD program or planning to implement one. While BYOD offers several benefits, it also presents challenges that concern information technology leaders and information security managers. This correlational study used the systems theory framework to examine the relationship between information security managers' intentions, perceptions of security, and compliance regarding BYOD implementation. Participants consisted of information security managers in the eastern United States who held the Certified Information Systems Manager certification. Data were collected from 94 information security managers through a survey instrument that integrated three instruments of proven reliability developed by other researchers. Data were analysed using multiple regression to test for a relationship between the study's variables (security, compliance, and intent to implement BYOD). The multiple regression was not significant, indicating that no relationship existed between the study's variables (F(2, 86) = 0.33, p = .718, R² = .00). A significant but weak negative correlation was found between security and compliance (r = -.26, p = .016). Using the results of the study, information technology leaders may be able to develop strategies for implementing BYOD successfully. Implications for social change include increased knowledge of securing personal devices for employees and consumers in general and a reduction in costs associated with security and data breaches.
|
197 |
A Study of Information Security Management in Our Administrative Agencies (我國行政機關資訊安全管理之研究). Huang, Chin-Tung (黃慶堂). Date unknown
Looking back over the evolution of office automation, it has developed from early aids for cutting administrative costs and raising operational efficiency to today's massive adoption of computers and a far-reaching Internet. The flood of information technology strikes every organisation wave after wave, and administrative departments cannot stand apart from it. In the organisation's internal environment, information technology is severely testing the traditional pyramid-shaped organisational structure: the ease of circulating information over networks puts the position of middle managers in jeopardy and affects the decision-making model and management style of the whole organisation. In the external environment, e-government is letting citizens, through network connections, enjoy more convenient and higher-quality services, obtain more information and use smoother channels of communication, and is even affecting the substance of democratic politics. The impact of information technology on the operating processes and outputs of administrative organisations grows daily, and the positive and negative effects it brings are a serious issue that must be faced.
Among the positive effects of information technology, the change in the quality and quantity of obtainable information has reduced the communication barriers between citizens and administrative agencies; people can obtain agency information at any time to meet their needs, e-government has become a policy goal, and "administrative openness" is an inevitable future trend. As for protecting agencies' information property rights, information technology has "digitised" entire archival databases and made official documents "electronic"; the traditional document workflow and methods of archival preservation have changed fundamentally, the records room is no longer a storehouse for piles of files, and in future the information office (centre) of each agency will be the centre of information circulation and data preservation. Therefore, facing the future demands of democratic administration and the trend toward administrative openness, administrative agencies should manage agency data effectively, protect confidential information and citizens' personal privacy, prevent destruction, theft and tampering by wrongdoers, and seek an efficient and fair management approach that balances the use of public information with the protection of the agency's information property rights. Administrative agencies should recognise that:
(1) Information security management takes on different meanings as the times advance. With the rapid progress of information technology and public demand for administrative openness, the interdependent, subjective, human and dynamic characteristics of information security management problems will gradually surface and deeply affect the organisation's internal and external operations.
(2) A complete information security management system must fully encompass the organisation's internal and external subsystems and be politically, legally, economically, administratively, technically and temporally feasible within the overall environment.
(3) The purpose of an administrative agency's information security management system is to achieve confidentiality, integrity and availability in the agency's use of information; its function is to strike a balance between protecting agency property and privacy rights and the reasonable use of the public information the agency is obliged to provide.
(4) Sound information security management depends not only on the support of management and the assistance of experts, but also on comprehensive rules governing use of the organisational environment and on building an information security ethic among information users.
(5) Research on information security management will keep expanding and updating its content as information technology develops; government should plan new legislation and training with a more forward-looking perspective and build an information security ethic to meet future needs.
As early as twenty-six years ago (1973), the public administration scholar H. A. Simon studied the impact of information technology on organisations and how organisations could be structured effectively to facilitate information processing and storage. Norman J. Ream (1968), in "The Impact of Computers on Government Organization", pointed out that in the foreseeable future government organisations would increasingly be structured according to information flows and the location of decision points. To respond to the information society, the Research, Development and Evaluation Commission of the Executive Yuan completed its "Study on Information Legislation" in 1984, establishing that the development of information technology must "respect intellectual property rights", "prevent computer crime", "strengthen information security" and "establish the legal status of documents"; more recently it has successively enacted information security measures such as the "Computer-Processed Personal Data Protection Act" and the "Operational Guidelines for Computer Software Management in Government Agencies at All Levels". The theoretical and practical research above, however, still concentrates on protecting agency property rights and confidential information. To avoid falling into the functionalist paradigm dominated by "efficiency", due attention should be paid to the new humanist paradigm of communication, fairness and respect. That is, in an environment of democratic administration, the fair and reasonable use of information should be regarded as the purpose of information security management rather than as something of merely instrumental value, and the public sector should abandon its former "closed-door" mentality and face the challenges of the information society with breadth of mind, combining the perspectives of "efficiency" and "fairness".
|
198 |
Die Rolle der Social Media im Information Security Management (The Role of Social Media in Information Security Management). Humpert-Vrielink, Frederik. 30 May 2014 (PDF)
No description available.
|
199 |
POLÍTICA DE SEGURANÇA DA INFORMAÇÃO: UMA ESTRATÉGIA PARA GARANTIR A PROTEÇÃO E A INTEGRIDADE DAS INFORMAÇÕES ARQUIVÍSTICAS NO DEPARTAMENTO DE ARQUIVO GERAL DA UFSM / INFORMATION SECURITY POLICY: A STRATEGY TO ENSURE THE SECURITY AND INTEGRITY OF THE DEPARTMENT OF ARCHIVAL INFORMATION IN THE GENERAL ARCHIVING DEPARTMENT OF THE UFSM. Sfreddo, Josiane Ayres. 06 December 2012
Presents a study on information security in order to propose an Information Security Policy for the Department of General Archives (DAG) of the Federal University of Santa Maria (UFSM), enabling the protection of, availability of and secure access to (non-digital) archival information in the university context. It is characterised as exploratory research with a qualitative approach, taking the form of a case study, since it involves the study of a particular subject in a way that permits broad and detailed knowledge of it. First, an in-depth study of the ABNT NBR ISO/IEC 27002 standard was carried out; this is a code of practice for information security that presents guidelines for applying an Information Security Policy based on regulations aligned with institutional purposes. The study initially aimed to adapt the requirements and controls present in this standard to the archival context, focusing on the protection of non-digital information, and thus constitutes research in the Documentary Heritage line. The adaptation of the standard to archival science followed the structure of the original standard, seeking to give archival institutions an instrument that supports the development of an Information Security Policy and so protects non-digital information in a more secure and reliable way. To compose this policy, data were collected through a structured interview with questions on information security, grounded in ABNT NBR ISO/IEC 27002, the preceding study and the adaptation of the standard to the archival context. Analysis of the data collected at DAG showed that the problems threatening the security of non-digital information in the department relate directly to deficient security perimeters and to the absence of physical access control, including control of entries and exits. From these findings it was possible, together with the adaptation of the standard, to propose controls to be applied in order to prevent further incidents. It was thus possible to structure the Information Security Policy Document, the materialisation of the Security Policy according to the needs presented by DAG. This document will serve as a fundamental support instrument for instructing employees, users and third parties in carrying out institutional activities. It remains, however, for the department to approve and implement it in order to prevent incidents, thereby providing secure, reliable and continuous access to the non-digital information in its custody.
|
200 |
Information Security Culture and Threat Perception: Comprehension and awareness of latent threats in organisational settings concerned with information security. Lambe, Erik. January 2018
A new challenge for organisations in the 21st century is how to ensure information security at a time, and in an environment, where the widespread use of Information and Communication Technologies (ICTs), such as smartphones, has made information vulnerable in numerous new ways. Recent research on information security has focused on information security culture and on how to communicate security standards successfully within an organisation. This study examines how latent threats to information security are conceptualised and examined within an organisation in which information security is important. Since the threats posed by ICTs are said to be latent, the study explores what role the inclusion of threat conceptualisation can play in understanding what constitutes an efficacious information security culture when the intention is to ensure information security. The study focuses on the Swedish Armed Forces and compares how threats to information security posed by interaction with private ICTs are communicated in information security policies with how they are conceptualised by members of the organisation. Through interviews conducted with service members, the findings indicate that it is possible to communicate the contents of information security policies successfully without requiring members of the organisation to read the sources themselves. Furthermore, the study identified a feature of information security culture, called here supererogatory vigilance to threats to information security, which might be of interest for future studies in this area, since it offers adaptive protection against new threats to information security that goes beyond what the established sources protect against.
|