Clarifying roles and responsibilities in information security : A case study of policy implementation in high-stakes environments

Alndawi, Tara

January 2024

In information security, the success of security policies is critically dependent on their implementation in organizations. This thesis explores the gap between formal definitions and the actual implementation of security policies, focusing on roles within a Swedish defense company. Using a qualitative research approach, this study employs semi-structured interviews to gather in-depth insights from individuals directly involved in security management, with the aim of uncovering the real-world complexities and challenges faced in policy implementation. This study identifies several core issues that affect policy implementation: ambiguity in role definitions, inconsistencies in policy communication at different organizational levels, and the frequent need for individuals to adapt policies to practical and situational needs. These factors contribute to the risk of security breaches by creating conditions in which policies are misunderstood or incorrectly applied. The findings highlight a significant discrepancy between how policies are intended to function and how they are implemented in daily operations, revealing a critical vulnerability in organizational security frameworks. This thesis contributes to the existing body of knowledge by mapping the landscape of security policy implementation within the context of the highly regulated defense industry. The results provide empirical evidence that improves the understanding of the interaction between policy, practice and the human element in security regimes with the aim of improving clarity and reducing the incidence of human error in security practices.

Practical policy application

policy compliance

security policy gaps

role clarity

role ambiguity

information security management

Swedish defense industry

Information Systems, Social aspects

Demonstrate and document : the development of a best practice model for biometric access control management

Norris-Jones, Lynne

January 2011

This thesis investigates the social, legal and ethical perceptions of participants towards the implementation of biometric access control systems within a sample of United Kingdom work-based environments. It focuses on the application of fingerprint scanning and facial recognition systems, whilst alluding to the development of more advanced (bleeding edge) technologies in the future. The conceptual framework is based on a tripartite model in which Maslow's Hierarchy of Needs is applied to the workforce whilst the principles of Utilitarianism and the Psychological Contract are applied to both management strategies and workforce perceptions. A qualitative paradigm is used in which semi-structured interviews are conducted with management and workforce participants within a sample of United Kingdom-based organisations (represented by Case Studies A-D). Discourse from these interviews are analysed, leading to the development of a series of first-cut findings for suggested "Best Practice " in the social, legal and ethical management of biometric access control systems. This process is subsequently developed with a refined sample of respondents (Case Studies A and C) culminating in the presentation of a suggested "Best Practice Model" for application to all four case studies. The model is based upon elements of a pre-determined Code of Practice (ISO/IEC 27002lnformation Technology - Security techniques - Code of Practice for Information Security Management) towards fostering acceptance of biometric technology within the workplace, in answering the question: How should organisations using biometric access control systems address social, legal and ethical concerns in the management of specific working environments in the United Kingdom?

006.4

Θέματα στην εφαρμογή προτύπων ποιότητας στην ασφάλεια των πληροφοριακών συστημάτων : Η περίπτωση της Εθνικής Τράπεζας της Ελλάδος

Παναγόπουλος, Αιμίλιος-Χρήστος

13 January 2015

Η χρήση των Πληροφοριακών Συστημάτων συνεχώς αυξάνεται. Πλέον οι περισσότεροι οργανισμοί βασίζονται στην λειτουργία τους. Αχίλλειος πτέρνα αυτών είναι η ασφάλεια τους. Στη παρούσα μελέτη παρουσιάζονται τα βασικά θέματα που αφορούν την διαχείριση προσωπικών δεδομένων αναλύοντας την πολιτική ασφαλείας μιας εταιρείας του ελληνικού τραπεζικού τομέα . Αρχικά εντάσσεται η έννοια των Πληροφοριακών Συστημάτων. Ακολουθεί η έννοια της Πολιτικής Ασφάλειας στον ευρύτερο τομέα της Διαχείρισης της Ασφάλειας των Πληροφοριακών Συστημάτων καθώς και οι κατηγοριοποιήσεις των κινδύνων και των ζημιογόνων γεγονότων. Έπειτα προσδιορίζονται οι βασικές αρχές για την ανάπτυξη Πολιτικών Ασφάλειας των Πληροφοριακών Συστημάτων, διευκρινίζοντας το νομικό πλαίσιο προστασίας τραπεζικών δεδομένων και το απόρρητο τους. Η επόμενη ενότητα αφορά την εφαρμογή των Πολιτικών Ασφάλειας στο πλαίσιο της εταιρείας και καταγράφει τα απαραίτητα μέτρα για την επιτυχή και αποτελεσματική εφαρμογή τους. Ακολουθούν τα αποτελέσματα της μελέτης και οι προτάσεις για την βελτιστοποίηση της παρούσας κατάστασης και την αποφυγή μελλοντικών κινδύνων. / The use of Information Systems is constantly increasing. Now most of the organizations rely on them for their operation. Their vulnerable spot is their security. This study presents the main issues related to the management of personal data by analyzing the security policy of a company of Greek banking sector. Firstly, the concept of Information Systems is presented.Then a part of the concept of security policy in the broader field of Safety Management Information Systems and classifications of risks and loss events is presented. Afterwards identifying the key principles for the development of Rules of Security of Information Systems, specifying the legal framework for the protection of bank data and their privacy. The next section involves the implementation of security policies within the company and record the necessary steps for the successful and effective implementation. Then are the results of the study presented and recommendations for optimization of this situation and avoiding future risks.

Πολιτική ασφάλειας

Λογαριασμοί

Απάτη

005.8

Information Systems (IS)

Information security management systems

Security policy

National Bank of Greece

Regulatory compliance

Accounts

Fraud

Credit institutions (CIs)

O descarte seguro de documentos arquivísticos em suporte digital: um estudo de caso na Justiça Trabalhista paraibana

Silva, Silvio Lucas da

23 February 2015

Submitted by Clebson Anjos (clebson.leandro54@gmail.com) on 2015-05-07T18:27:39Z No. of bitstreams: 1 arquivototal.pdf: 3587950 bytes, checksum: 38dd5cef79d4e1983ebff9852b061940 (MD5) / Made available in DSpace on 2015-05-07T18:27:39Z (GMT). No. of bitstreams: 1 arquivototal.pdf: 3587950 bytes, checksum: 38dd5cef79d4e1983ebff9852b061940 (MD5) Previous issue date: 2015-02-23 / Coordenação de Aperfeiçoamento de Pessoal de Nível Superior - CAPES / This work develops a case study about the safe discard of digital archival documents present in lawsuits within the Labor Justice of the state of Paraíba through the system entitled "Sistema Unificado de Administração de Processos (SUAP)". The SUAP is an information system that aims to quicken the Labor Justice of Paraíba since it uses Information and Communication Technologies to achieve that goal. After filing a lawsuit - whether in digital or physical media and respecting the table of temporality - it must be fully eliminated (discarded) so as to prevent the subsequent recovery of the information contained therein and thus preserving the confidentiality of such information. The safe discard of digital information differs from the discard of physical information because it requires software applications, procedures and/or mechanisms to ensure that the information stored in digital devices becomes unrecoverable. This research aims to study procedures for the proper disposal of digital archival documents present in lawsuits, is classified as qualitative, has its data collection implemented empirically and performed by laboratory tests of notes, focus group technique and on- line questionnaire, using discourse analysis for the consolidation of the data collected. As a result, mechanisms and software are appointed to enable the safe disposal of digital archival documents, SUAP improvements and the mapping of the organization's processes, besides the disposal model of digital archival documents, which takes into account the characteristics of the TRT- PB and the types of available computer media, based on the literature and analyzed data. / Este trabalho desenvolve um estudo de caso sobre o descarte seguro de documentos arquivísticos digitais presentes em ações judiciais no âmbito da Justiça Trabalhista Paraibana, mediante a utilização do sistema intitulado “Sistema Unificado de Administração de Processos (SUAP)”. O SUAP consiste em um sistema de informação que tem por objetivo dar celeridade à Justiça Trabalhista Paraibana, posto que se utiliza das Tecnologias da Informação e Comunicação para alcançar tal objetivo. Após o arquivamento de uma ação judicial – seja ela em suporte digital ou físico e respeitada a tabela de temporalidade –, os autos respectivos devem ser eliminados totalmente (descarte), de forma que impossibilite a recuperação posterior das informações ali contidas, de modo que reste preservada, assim, a confidencialidade da informação. O descarte seguro de documentos digitais difere do descarte em suporte físico, pois necessita de aplicativos de software, procedimentos, e/ou mecanismos que assegurem a irrecuperabilidade da informação armazenada nos dispositivos digitais. Esta pesquisa tem, como objetivo, estudar os procedimentos que permitam a correta eliminação de documentos arquivísticos digitais presentes em ações judiciais, a qual é classificada como qualitativa, cuja coleta de dados é implementada de forma empírica e realizada mediante anotações de testes de laboratório, técnica de grupo focal e questionário on-line, o qual se utiliza da análise do discurso para a consolidação dos dados coletados. Como resultado, são apontados mecanismos e softwares que permitam o descarte seguro de documentos arquivísticos digitais, melhorias no SUAP e a necessidade de um mapeamento dos processos da organização, além de um modelo de descarte de documentos arquivísticos em suporte digital, que leva em conta as características do TRT-PB e os tipos de mídias informáticas disponíveis, fundamentadas na literatura e nos dados analisados.

Gestão da Segurança da Informação

Documento digital

Processo Judicial Eletrônico

Information and communication technology

Information security management

Digital document

Electronic lawsuit

Discard of digital archival documents

Information and Knowledge Management

Fatores que influenciam a aceita??o de pr?ticas avan?adas de gest?o de seguran?a da informa??o: um estudo com gestores p?blicos estaduais no Brasil

Nobre, Anna Cl?udia dos Santos

04 September 2009

Made available in DSpace on 2014-12-17T13:53:24Z (GMT). No. of bitstreams: 1 AnnaCSN.pdf: 3032779 bytes, checksum: c9b62b38c5e42ff883e6b2946ccff0e1 (MD5) Previous issue date: 2009-09-04 / This study examines the factors that influence public managers in the adoption of advanced practices related to Information Security Management. This research used, as the basis of assertions, Security Standard ISO 27001:2005 and theoretical model based on TAM (Technology Acceptance Model) from Venkatesh and Davis (2000). The method adopted was field research of national scope with participation of eighty public administrators from states of Brazil, all of them managers and planners of state governments. The approach was quantitative and research methods were descriptive statistics, factor analysis and multiple linear regression for data analysis. The survey results showed correlation between the constructs of the TAM model (ease of use, perceptions of value, attitude and intention to use) and agreement with the assertions made in accordance with ISO 27001, showing that these factors influence the managers in adoption of such practices. On the other independent variables of the model (organizational profile, demographic profile and managers behavior) no significant correlation was identified with the assertions of the same standard, witch means the need for expansion researches using such constructs. It is hoped that this study may contribute positively to the progress on discussions about Information Security Management, Adoption of Safety Standards and Technology Acceptance Model / Este estudo analisa os fatores que influenciam os gestores p?blicos na ado??o de pr?ticas van?adas de Gest?o de Seguran?a da Informa??o. A pesquisa utilizou como base assertivas a Norma de Seguran?a ISO 27001:2005 e modelo te?rico baseado no TAM (Technology Acceptance Model) descrito em Venkatesh e Davis (2000). O m?todo adotado foi a esquisa de campo de alcance nacional que contou com a participa??o de oitenta gestores p?blicos dos Estados do Brasil, sendo todos coordenadores na ?rea de gest?o e planejamento dos governos estaduais. A abordagem da pesquisa foi quantitativa e foram utilizados m?todos de estat?stica descritiva, an?lise fatorial e regress?o linear m?ltipla para an?lise dos dados. Os resultados da pesquisa apresentaram correla??o entre os construtos do modelo TAM (facilidade na utiliza??o, percep??o sobre a utilidade, atitude e inten??o de utiliza??o) e a concord?ncia com as assertivas elaboradas de acordo com a norma ISO 27001, demonstrando que estes fatores influenciam os gestores na ado??o de tais pr?ticas. J? as outras vari?veis independentes do modelo (perfil organizacional, perfil demogr?fico e comportamental dos gestores) n?o tiveram correla??o significante com as assertivas da referida norma, demonstrando necessidade de amplia??o de pesquisas com utiliza??o de tais construtos. Espera-se que este estudo possa contribuir de forma positiva ao avan?o nas discuss?es sobre o tema Gest?o de Seguran?a da Informa??o e Ado??o de Normas de Seguran?a, bem como, Modelos de Aceita??o de Tecnologia

Gest?o de seguran?a da informa??o

Certifica??o ISO 27001

Modelo de aceita??o de tecnologia TAM

Information security management

ISO 27001 certification

Technology Acceptance Model TAM

Melhores práticas para implantar política de segurança da informação e comunicação em instituições federais de ensino superior

RIOS, Orlivaldo Kléber Lima

30 November 2016

Submitted by Rafael Santana (rafael.silvasantana@ufpe.br) on 2017-08-31T19:26:08Z No. of bitstreams: 2 license_rdf: 811 bytes, checksum: e39d27027a6cc9cb039ad269a5db8e34 (MD5) Dissertação_Orlivaldo_Kléber_Ciência da Computação_UFPE_.pdf: 2557373 bytes, checksum: ce725c091789d262ff35ae1f87b18a37 (MD5) / Made available in DSpace on 2017-08-31T19:26:08Z (GMT). No. of bitstreams: 2 license_rdf: 811 bytes, checksum: e39d27027a6cc9cb039ad269a5db8e34 (MD5) Dissertação_Orlivaldo_Kléber_Ciência da Computação_UFPE_.pdf: 2557373 bytes, checksum: ce725c091789d262ff35ae1f87b18a37 (MD5) Previous issue date: 2016-11-30 / O Tribunal de Contas da União, por meio da Secretaria de Fiscalização de TI, publicou, em 2015, por meio do Acórdão 3117/2014-TCU-Plenário, o quadro crítico em que se encontravam os órgãos da Administração Pública Federal, direta e indireta, concernente aos processos de segurança da informação, onde apenas 51% daqueles órgãos utilizavam integralmente a Política de Segurança da Informação. Considerando que há recomendações e orientações do Governo Federal para a institucionalização da Política de Segurança da Informação e Comunicação em todos seus órgãos, essa pesquisa buscou identificar o cenário em que se encontram as Instituições Federais de Ensino Superior, quanto à existência e às práticas utilizadas para implantação de Política de Segurança da Informação, considerando que tais instituições estão inseridas nesse panorama de fiscalização do Tribunal de Contas da União. Como objetivo de pesquisa, buscou-se a elaboração de um guia de melhores práticas para implantação e revisão de Política de Segurança da Informação e Comunicação nas Instituições Federais de Ensino Superior. Como metodologia foram utilizadas as abordagens quantitativa e qualitativa, empregando procedimentos bibliográficos, com o uso da revisão sistemática, e o levantamento de campo com aplicação de questionário Survey. Ao final da pesquisa, percebeu-se que o fator humano é a maior criticidade para o sucesso da implantação da Política de Segurança da Informação e Comunicação, principalmente a participação da Alta Gestão, entretanto, a elaboração do guia promoverá ações estratégicas nos processos de segurança da informação das Instituições Federais de Ensino Superior, quanto à implantação e revisão de Política de Segurança da Informação e Comunicação. / The Court of Auditors of Unity, IT Supervisory Office, published in 2015, through Decision 3117/2014 - TCU-Plenary, the critical situation in which they found the agencies of the Federal Public Administration Office, both direct as indirectly, concerning the information security processes, where only 51% of those agencies fully used the Security Policy information. Whereas there are recommendations and guidelines of the Federal Government for the institutionalization of the Information and Communication Security Policy in all its agencies, this research sought to identify the scenario where the Federal Institutions of Higher Education are, regarding the existence and the practices adopted in the implementation of information security policy, considering that such institutions are inserted in this prospect of the Brazilian Federal Accountability Office surveillance. In this research we aimed to formulate the a Guide for the best practices to the implementation and revision of Information Security Policy in Federal Institutions of Higher Education. It were used both quantitative and qualitative approaches, employing, employing bibliographic procedures, with the use of a systematic review and also a field survey. At the end of this research it was realized that the human factor is the most critical aspect for the successful implementation of Security Policy information, especially the participation of the High Management. However, the formulation of a guidance will promote strategic actions in the information security processes of Federal Institutions of Higher Education, towards the implementation and revision of Information and Communication Security Policy.

Kyberbezpečnost v průmyslu / Cybersecurity in the engineering industry

Jemelíková, Kristýna

January 2021

The master’s thesis deals with the management of cyber security in a manufacturing company. The theoretical part contains concepts and knowledge of cyber security and discusses the current requirements of legislation and standards of the ISO/IEC 27000 series. In practical part are proposed measures to increase cyber security and information security based on the theoretical background and analysis of current state in the selected company.

Informační bezpečnost jako jeden z ukazatelů hodnocení výkonnosti v energetické společnosti / Information security as one of the performance indicators in energy company

Kubík, Lukáš

January 2017

Master thesis is concerned with assessing the state of information security and its use as an indicator of corporate performance in energy company. Chapter analysis of the problem and current situation presents findings on the state of information security and implementation stage of ISMS. The practical part is focused on risk analysis and assessment the maturity level of processes, which are submitted as the basis for the proposed security measures and recommendations. There are also designed metrics to measure level of information security.

Návrh metodiky budování bezpečnostního povědomí na střední škole / Design Methodology of Security Awareness at the Secondary School

Sobotková, Hana

January 2017

The diploma thesis addresses the topic of security awareness education at secondary schools. The goal is to develop a standardized methodology for building security awareness, which can be used by secondary schools to ensure the protection of their perimeter, their users and others from the user’s actions. The introductory part deals with the basic terminology, existing and forthcoming Czech and international legal acts, norms, regulations and certification in the area of information and cyber security. The practical part includes the methodology chapters describing the building of security awareness at secondary schools.

Návrh zavedení bezpečnostních opatření podle ISMS ve společnosti vyvíjející finanční aplikaci. / Proposal for the implementation security measures according to ISMS in the company developing financial application.

Bukovský, Luděk

January 2019

The goal of this Master Thesis is a proposal for the implementation security measures in the company developing financial software application focused primarily on the Swiss market. These measures are based on results from present state of security in the company. There are the proposal for the security measures on the risk analysis results which are recommendation of the series of standards ISO/IEC 27000 and should lead to the risk reduction affecting the company.