Systémové řešení bezpečnosti informací v organizaci / Systematic Solution for Information Security in Organisation

Palička, Jan

January 2017

This diploma thesis deals with ISMS implementation in Netcope Technologies, a. s., which is involved in the production of network cards for high speed acceleration. This thesis is divided into two logical parts. In the first part the theoretical basis information is presented, including selected methods for implementing information security. In the second part, the analysis of the company and the proposed measures are presented.

A risk based approach for managing information technology security risk within a dynamic environment

Mahopo, Ntombizodwa Bessy

11 1900

Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently possesses a significant amount of known and unknown risks. The need to manage IT security risk is regarded as an important aspect in the daily operations within organisations. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that despite the efforts that organisations use to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is attributed to the fact that IT security risk management is often left to the technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. The IT security discipline is complex in nature and requires specialised skills. Organisations generally struggle to find a combination of IT security and risk management skills in corporate markets. The scarcity of skills leaves organisations with either IT security technologists who do not apply risk management principles to manage IT security risk or risk management specialists who do not understand IT security in order to manage IT security risk. Furthermore, IT is dynamic in nature and introduces new threats and vulnerabilities as it evolves. Taking a look at the development of personal computers over the past 20 years is indicative of how change has been constant in this field, from big desktop computers to small mobile computing devices found today. The requirement to protect IT against threats associated with desktops was far less than the requirement associated with protecting mobile devices. There is pressure for organisations to ensure that they stay abreast with the current technology and associated risks. Failure to understand and manage IT security risk is often cited as a major cause of concern within most organisations’ IT environments because comprehensive approaches to identify, assess and treat IT security risk are not consistently applied. This is due to the fact that the trend of IT security attacks across the globe is on the increase, resulting in gaps when managing IT security risk. Employing a formal risk based approach in managing IT security risk ensures that risks of importance to an organisation are accounted for and receive the correct level of attention. Defining an approach of how IT security risk is managed should be seen as a fundamental task and is the basis of this research. This study aims to contribute to the field of IT security by developing an approach that assists organisations in treating IT security risk more effectively. This is achieved through the use of a combination of existing best practice IT security frameworks and standards principles, basic risk management principles, as well as existing threat modelling processes. The approach developed in this study serves to encourage formal IT security risk management practices within organisations to ensure that IT security risk is accounted for by senior leadership. Furthermore, the approach is anticipated to be more proactive and iterative in nature to ensure that external factors that influence the increasing trend of IT security threats within the IT environment are acknowledged by organisations as technology evolves. / Computing / M. Sc. (Computing)

IT

IT security

Risk

Risk management

IT security threat modelling

IT security management

OCTAVE

COBIT

ITIL

ISO 27001/2

ISF Standard of Good Practice

005.82

Computer security -- Standards

Cyberterrorism

Stanovení zásad systému managementu informatiky kompatibilního s ISO 9001:2008 pro malé IS/IT neintenzivní podniky / ISO 9001:2008 compatible IT Management System Specification for IS/IT Non-intensive Small Businesses

Lozan, Petr

January 2012

Information systems and technologies (IT) are ubiquitous and play a significant role in everyday life of people and enterprises. Even the smallest organisations need to be sure, that their information systems are working properly, appropriately support their operations, are cost-effective and comply with regulations and other requirements. The service-based management approach to management of enterprise IT is the most promoted and widely used. But what if this approach is not equally suitable for enterprises of all sizes? This thesis presents an alternative approach to IT management, directly built on requirements of well-known International Standard ISO 9001:2008. For many people who know and understand ISO 9001 and its requirements, it should be easier to use their knowledge about management of quality for managing of IT than learn and implement IT service management and -- probably -- try to find out how to scale service management down to the environment of limited resources which is typical for small businesses. Author describes ISO 9001 as universal management system model and investigates requirements of ISO 9001:2008 related to information technology. Then attention is aimed to existing International Standards for various aspects of IT governance and management. Text describes main content of ISO/IEC 38500 for IT Governance, ISO/IEC 20000 for service management, selected standards from ISO/IEC 27000 series for information security management and ISO/IEC 19770-1 for software asset management. Next chapter shows mainly approach of COBIT5 and COBIT solutions suitable for small businesses -- COBIT Quickstart and COBIT Security Baseline. Last part of text explains, how ISO 9001:2008 was used and adapted to create the main subject of this thesis -- ISO 9001:2008 compatible IT Management System Specification for IS/IT Non-intensive Small Businesses.

Význam a design evaluačního výzkumu v oblasti managementu informačních služeb / The Importance and the design of evaluation research on information management

Šidlichovská, Zuzana

January 2016

Univerzita Karlova v Praze Filozofická fakulta Ústav informačních studií a knihovnictví Informační věda PhDr. Zuzana Šidlichovská Význam a design evaluačního výzkumu v oblasti managementu informačních služeb řízení informačních aktivit a toků v organizacích ze sektoru soukromých bezpečnostních služeb The importance and the design of evaluation research on information management management of information activities and flows in private security service organization Abstrakt dizertační práce v angličtině Vedoucí práce: Prof. Ing. Josef Basl, CSc. Praha 2015 3 Abstrakt dizertační práce v angličtině In the first part, the dissertation describes the importance and the design of evaluation research on information management at small and medium-sized enterprises in the area of private security services. Secondly, it provides a general mapping of current evaluation practices trends from all over the world as well as from the Czech Republic. Thirdly, the dissertation depicts the main characteristics of evaluation and evaluation research methodology focused on the target group of small and medium-sized enterprises in private security service sector. The main goal of the dissertation project is to map and discuss the current importance of evaluation research on information management. Its main output is to explore an...