User compliance with the organisation's information security policy: a deterrence theory study
Fachin, Dario, January 2016
MCom Information Systems
Research report
2015 / In today's age of increasing cyber-attacks, with even national governments forming cyber warfare departments to defend their countries, no company anywhere can afford to be unprepared for its critical infrastructure or information being stolen, destroyed, manipulated or made unavailable by cyber-attacks. In most organisations, the users of the information systems are vital to ensuring that systems are protected, by adhering to the Information Security Policy. Failure by end users to comply with the Information Security Policy exposes the company to the risk of losing sensitive information, which could have major reputational, legal and financial impacts.
The study followed a positivist research philosophy using a hypothetical model to
test various hypotheses. Through the lens of deterrence theory, using a survey
method to gather the information, the hypotheses are tested and analysed to
further understand user compliance with an organisation’s Information Security
Policy.
The findings reveal that some elements of deterrence theory are strong predictors of user compliance within a large global mining firm. The certainty of end users being caught and the celerity with which non-adherence to the Information Security Policy is dealt with are strong predictors of user compliance. Awareness of the severity of the consequences for not complying with the Information Security Policy and awareness of being monitored are not found to be strong predictors of user compliance. The research is intended to assist both academics and practitioners in furthering their understanding of user compliance with the Information Security Policy. / MT2017
The design, development and evaluation of a holistic cloud migration decision framework
Mushi, Tumelo Nicholas, January 2020
No keywords provided in dissertation / Cloud Computing has gained traction since its emergence, and client organisations that want to benefit from the Cloud are looking for ways to migrate their on-premise applications to the Cloud. To assist client organisations with migration projects, researchers and practitioners have proposed various Cloud migration approaches. However, these approaches differ in applicability depending on the type of application being migrated and the Cloud Service Provider to which the application is being migrated. The various approaches to Cloud migration create complexity in Cloud migration decisions, as client organisations have to consider various approaches depending on the migration project. The purpose of this dissertation is to create a universal Cloud migration approach that can be applied to every Cloud migration project. In this dissertation, a cloud migration decision framework is proposed, namely A Holistic Cloud Migration Decision Framework (HCMDF). The research strategy followed is Design Science Research (DSR), selected because the output of the research is an Information Technology (IT) research artefact. By applying the DSR strategy, the HCMDF was successfully developed and evaluated in the real world using an adaptive case study. The analysis of the results indicated that the HCMDF solves the Cloud migration problem and that it can be applied to every Cloud migration project. Throughout the evaluation, areas of improvement were identified, and these will be considered in future research. / School of Computing / M. Tech (Information Technology)
Perception of employees concerning information security policy compliance: case studies of a European and South African university
Lububu, Steven, January 2018
Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2018. / This study recognises that, regardless of information security policies, information about institutions continues to be leaked due to the lack of employee compliance. The problem is that information leakages have serious consequences for institutions, especially those that rely on information for their sustainability, functionality and competitiveness. As such, institutions ensure that information about their processes, activities and services is secured, which they do through the enforcement of and compliance with policies. The aim of this study is to explore the extent of non-compliance with information security policy in an institution. The study followed an interpretive, qualitative case study approach to understand the meaningful characteristics of the actual situations of security breaches in institutions. Qualitative data was collected from two universities, using semi-structured interviews, with 17 participants. Two departments were selected: Human Resources and the Administrative office. These two departments were selected based on the following criteria: they both play key roles within an institution, they maintain and improve the university's policies, and both departments manage and keep confidential university information (Human Resources transects and keeps employees' information, whilst the Administrative office manages students' records). This study used structuration theory as a lens to view and interpret the data. Qualitative content analysis was used to analyse documentation, such as brochures and information obtained from the websites of the case study universities. The documentation was then further used to support the data from the interviews.
The findings revealed some factors that influence non-compliance with information security policy, such as a lack of leadership skills, favouritism, fraud, corruption, insufficient infrastructure, lack of security education and miscommunication. In the context of this study, these factors have severe consequences for an institution, such as the loss of the institution's credibility or the institution's closure. Recommendations for further study are also made.
Um modelo de sistema de gestão da segurança da informação baseado nas normas ABNT NBR ISO/IEC 27001:2006, 27002:2005 e 27005:2008 / A model of information security management system based on the NBR ISO/IEC 27001:2006, 27002:2005 and 27005:2008 ABNT standards
Santos, Valdeci Otacilio dos, 21 August 2018
Advisor: Renato Baldini Filho / Dissertation (master's) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação
Previous issue date: 2012 / Resumo (translated from Portuguese): The constant growth of threats and vulnerabilities in information systems means that administrators' concern about the security of these systems is also intensifying. In the search for an adequate level of information security, legislation and standards addressing this important topic are being created and improved, not only in Brazil but on a global scale. This work aims to propose a model of an information security management system, with process modelling and description of activities, that covers the main guidelines recommended in the ABNT NBR ISO/IEC 27001:2006, 27002:2005 and 27005:2008 standards. The proposed model is intended to guide the implementation of a new information security management system in an organization or to verify the conformity of an existing system. The work includes a practical application of the proposed model, in which a survey was carried out of the level of adherence of the activities performed in the various processes that make up an organization's information security management system to what is prescribed in the model and, consequently, in the standards used as reference. In evaluating the results of the verification carried out, it was possible to obtain an overview of the state of the organization's information security management, as well as to identify the points that are in accordance with the standards and those that need improvement / Abstract: The steady growth of threats and vulnerabilities in information systems causes intensified concern among administrators about the security of these systems. In the search for an appropriate level of information security, laws and regulations that deal with this important issue are being created and improved, not only in Brazil but worldwide.
This work aims to propose a model of an information security management system, with process modelling and description of activities, covering the main guidelines recommended in the standards ABNT NBR ISO/IEC 27001:2006, 27002:2005 and 27005:2008. The proposed model aims to guide the implementation of a new information security management system in an organization or to verify the conformity of an existing system. The work includes a practical application of the proposed model, in which a survey was carried out on the level of adherence of the activities in the various processes that comprise an organization's information security management system to what is envisaged in the model and, consequently, in the standards used as reference. In assessing the results of the verification carried out, it was possible to obtain an overview of the state of the organization's information security management system, as well as to verify the points that are in accordance with the norms and those that need improvement / Master's / Telecommunications and Telematics / Master in Electrical Engineering
Cloud information security: a higher education perspective
Van der Schyff, Karl Izak, January 2014
In recent years higher education institutions have come under increasing financial pressure. This has prompted universities not only to investigate more cost-effective means of delivering course content and maintaining research output, but also to investigate the administrative functions that accompany them. As such, many South African universities have either adopted or are in the process of adopting some form of cloud computing, given the recent drop in bandwidth costs. However, this adoption process has raised concerns about the security of cloud-based information, and this has, in some cases, had a negative impact on the adoption process. In an effort to study these concerns, many researchers have employed a positivist approach with little, if any, focus on the operational context of these universities. Moreover, there has been very little research specifically within the South African context. This study addresses some of these concerns by investigating the threats and the security incident response life cycle within a higher education cloud. This was done by initially conducting a small-scale survey and then a detailed thematic analysis of twelve interviews from three South African universities. The identified themes and their corresponding analyses and interpretation contribute on both a practical and a theoretical level, with the practical contributions being a set of security-driven criteria for selecting cloud providers as well as recommendations for universities that have adopted or are in the process of adopting cloud computing. Theoretically, several conceptual frameworks are offered, allowing the researcher to convey his understanding of how the aforementioned practical concepts relate to each other as well as to the concepts that constitute the research questions of this study.
A methodology for measuring and monitoring IT risk
Tansley, Natalie Vanessa, January 2007
The primary objective of the research is to develop a methodology for monitoring and measuring IT risks, strictly focusing on internal controls. The research delivers a methodology whereby an organization can measure its system of internal controls, providing assurance that the risks are at an acceptable level. To achieve the primary objective, a number of secondary objectives were addressed:
- What are the drivers forcing organizations towards better corporate governance in managing risk?
- What is IT risk management, specifically focusing on operational risk?
- What is internal control, specifically focusing on COSO's internal control process?
- Investigation of measurement methods, such as Balanced Scorecards, Critical Success Factors, Maturity Models, Key Performance Indicators and Key Goal Indicators.
- Investigation of various frameworks, such as CobiT, COSO, ISO 17799, ITIL and BS 7799, as to how they manage IT risk relating to internal control.
Towards a framework to ensure alignment among information security professionals, ICT security auditors and regulatory officials in implementing information security in South Africa
Basani, Mandla, 02 1900
Information security in the form of IT governance is part of corporate governance. Corporate
governance requires that structures and processes are in place with appropriate checks and
balances to enable directors to discharge their responsibilities. Accordingly, information
security must be treated in the same way as all the other components of corporate
governance. This includes making information security a core part of executive and board
responsibilities.
Critically, corporate governance requires proper checks and balances to be established in an
organisation; consequently, these must be in place for all information security
implementations. In order to achieve this, it is important to have the involvement of three
key role players, namely information security professionals, ICT security auditors and
regulatory officials (from now on these will be referred to collectively as the ‘role players’).
These three role players must ensure that any information security controls implemented
are properly checked and evaluated against the organisation’s strategic objectives and
regulatory requirements.
While maintaining their individual independence, the three role players must work together
to achieve their individual goals with a view to, as a collective, contributing positively to the
overall information security of an organisation. Working together requires that each role
player must clearly understand its individual role, as well as the role of the other players at
different points in an information security programme. In a nutshell, the role players must
be aligned such that their involvement will deliver maximum value to the organisation. This
alignment must be based on a common framework which is understood and accepted by all
three role players.
This study proposes a South African Information Security Alignment (SAISA) framework to
ensure the alignment of the role players in the implementation and evaluation of
information security controls. The structure of the SAISA framework is based on that of
COBIT 4.1 (Control Objectives for Information and Related Technology). Hence, the SAISA framework comprises four domains, namely, Plan and Organise Information Security (PO-IS),
Acquire and Implement Information Security (AI-IS), Deliver and Support Information
Security (DS-IS) and Monitor and Evaluate Information Security (ME-IS).
The SAISA framework brings together the three role players with a view to assisting them to
understand their respective roles, as well as those of the other role players, as they
implement and evaluate information security controls. The framework is intended to
improve cooperation among the role players by ensuring that they view each other as
partners in this process. Through the life cycle structure it adopts, the SAISA framework
provides an effective and efficient tool for rolling out an information security programme in
an organisation / Computer Science / M. Sc. (Computer Science)
The governance of significant enterprise mobility security risks
Brand, Johanna Catherina, 12 1900
Thesis (MComm)--Stellenbosch University, 2013. / ENGLISH ABSTRACT: Enterprise mobility is emerging as a megatrend in the business world. Numerous
risks originate from using mobile devices for business-related tasks and most of
these risks pose a significant security threat to organisations’ information.
Organisations should therefore apply due care during the process of governing the
significant enterprise mobility security risks to ensure an effective process to mitigate
the impact of these risks.
Information technology (IT) governance frameworks, -models and -standards can
provide guidance during this governance process to address enterprise mobility
security risks on a strategic level. Due to the existence of the IT gap these risks are
not effectively governed on an operational level as the IT governance frameworks,
-models and -standards do not provide enough practical guidance to govern these
risks on a technical, operational level.
This study provides organisations with practical, implementable guidance to apply
during the process of governing these risks in order to address enterprise mobility
security risks in an effective manner on both a strategic and an operational level.
The guidance given to organisations by the IT governance frameworks, -models and
-standards can, however, lead to the governance process being inefficient and
costly. This study therefore provides an efficient and cost-effective solution, in the
form of a short list of best practices, for the governance of enterprise mobility
security risks on both a strategic and an operational level. / AFRIKAANSE OPSOMMING (translated from Afrikaans): Enterprise mobility is emerging nowadays as a megatrend in the business world. Numerous risks arise from the use of mobile devices for business-related tasks, and most of these risks pose a significant security threat to organisations' information. Organisations must therefore apply the necessary care during the risk management process for significant mobility security risks in order to ensure an effective process to limit the impact of these risks.
Information technology (IT) risk management frameworks, models and standards can provide guidance at a strategic level during the risk management process in which mobility security risks are addressed. Because of the IT gap that exists, these risks are not managed effectively at an operational level, since the IT risk management frameworks, models and standards do not provide the necessary practical guidance to manage these risks at a technical, operational level.
To ensure that organisations manage mobility security risks in an effective manner at both a strategic and an operational level, this study provides practical, implementable guidance to organisations that can be applied during the management process for these risks.
The guidance to organisations, as provided in the IT risk management frameworks, models and standards, can however lead to an ineffective and expensive risk management process. This study therefore offers an effective, cost-efficient solution, in the form of a short list of best practices, for the management of mobility security risks at both a strategic and an operational level.
Defining the Information Security Posture: An Empirical Examination of Structure, Integration, and Managerial Effectiveness
Young, Randall Frederick, 08 1900
The discipline of information security management is still in its infancy, as evidenced by the lack of empirical scholarly work in this area. Most research within the information security domain focuses on specific technologies and algorithms and how they impact the principles of confidentiality, integrity, and availability. But an important area receiving little attention is the antecedents of effective information security management at the organizational level (Stanton, Guzman, Stam & Caldera, 2003). The little empirical research that has been conducted in this area has shown that information security management in many organizations is poor (Baskerville, 1993; Shimeall & McDermott, 1999). Several researchers have identified the need for methods to measure the organization-wide information security posture of organizations (Eloff & Von Solms, 2000; James, 1996). This dissertation attempts to measure the organization-wide information security posture by examining benchmark variables that assess role, planning orientation, and performance structure within the organization. Through this conceptualization of an organization's information security posture, a means is presented to measure overall information security and how it impacts the effective utilization of information security strategies. The presence of the dependent variable, effectiveness, gives academics and practitioners a success measure which can guide more effective decision making in the information security domain. An additional aim of this dissertation is to empirically examine the influence of management practices and decisions on the effective use of information security strategies within the organization. The issue of centralization versus decentralization of information security activities is evaluated along with its impact on the information security posture of organizations and the effectiveness of the organization's information security strategies.
Data was collected from 119 IT and information security executives. Results show that how the organization structures information security activities is not correlated with more effective utilization of information security strategies. Meanwhile, the organization's information security posture is significantly correlated with more effective utilization of information security strategies. The implications of this research are discussed.
Information technology audits in South African higher education institutions
Angus, Lynne, 11 September 2013
The use of technology for competitive advantage has become a necessity, not only for corporate organisations, but for higher education institutions (HEIs) as well. Consequently, corporate organisations and HEIs alike must be equipped to protect against the pervasive nature of technology. To do this, they implement controls and undergo audits to ensure these controls are implemented correctly. Although HEIs are a different kind of entity from corporate organisations, HEI information technology (IT) audits are based on the same criteria as those for corporate organisations. The primary aim of this research, therefore, was to develop a set of IT control criteria that are relevant for testing in IT audits of South African HEIs. The research method used was the Delphi technique. Data was collected, analysed, and used as feedback on which to progress to the next round of data collection. Two lists were obtained: a list of the top IT controls relevant for testing at any organisation, and a list of the top IT controls relevant for testing at a South African HEI. Comparison of the two lists shows that although there are some differences in the ranking of criteria used to audit corporate organisations as opposed to HEIs, the final two lists of criteria do not differ significantly. Therefore, it was shown that the same broad IT controls need to be tested in an IT audit of a South African HEI. However, this research suggests that the risk weighting put on particular IT controls should possibly differ for HEIs, as HEIs face differing IT risks. If further studies can be established which cater for more specific controls, then the combined effect of this study and future ones will be a valuable contribution to knowledge for IT audits in a South African higher education context.