Global ETD Search

1	An Information Security Control Assessment Methodology for Organizations Otero, Angel Rafael 01 January 2014 (has links) In an era where use and dependence of information systems is significantly high, the threat of incidents related to information security that could jeopardize the information held by organizations is more and more serious. Alarming facts within the literature point to inadequacies in information security practices, particularly the evaluation of information security controls in organizations. Research efforts have resulted in various methodologies developed to deal with the information security controls assessment problem. A closer look at these traditional methodologies highlights various weaknesses that can prevent an effective information security controls assessment in organizations. This dissertation develops a methodology that addresses such weaknesses when evaluating information security controls in organizations. The methodology, created using the Fuzzy Logic Toolbox of MATLAB based on fuzzy theory and fuzzy logic, uses fuzzy set theory which allows for a more accurate assessment of imprecise criteria than traditional methodologies. It is argued and evidenced that evaluating information security controls using fuzzy set theory addresses existing weaknesses found in the literature for traditional evaluation methodologies and, thus, leads to a more thorough and precise assessment. This, in turn, results in a more effective selection of information security controls and enhanced information security in organizations. The main contribution of this research to the information security literature is the development of a fuzzy set theory-based assessment methodology that provides for a thorough evaluation of ISC in organizations. The methodology just created addresses the weaknesses or limitations identified in existing information security control assessment methodologies, resulting in an enhanced information security in organizations. The methodology can also be implemented in a spreadsheet or software tool, and promote usage in practical scenarios where highly complex methodologies for ISC selection are impractical. Moreover, the methodology fuses multiple evaluation criteria to provide a holistic view of the overall quality of information security controls, and it is easily extended to include additional evaluation criteria factor not considered within this dissertation. This is one of the most meaningful contributions from this dissertation. Finally, the methodology provides a mechanism to evaluate the quality of information security controls in various domains. Overall, the methodology presented in this dissertation proved to be a feasible technique for evaluating information security controls in organizations. assessment design science evaluation fuzzy logic fuzzy set theory information security controls Computer Sciences
2	IT-säkerhet i små organisationer Magnusson, Roberth, Rydkvist, Rikard January 2013 (has links) IT- och informationssäkerhet är ett ständigt aktuellt ämnesområde. ITsäkerhetsarbetei små organisationer framstår som ett underforskat område. Föratt göra en kartläggning av hur arbete med risk, hot och säkerhet kan se ut i småorganisationer har vi genomfört en explorativ intervjustudie med representanterför små organisationer om deras arbete med IT- och informationssäkerhet. Vihar dessutom genomfört intervjuer med experter på området för att få ettbredare perspektiv. Tolkningen och analysen av intervjusvaren har utförtsgenom att först tolka svaren utifrån Security Controls och därefter analyserasvaren utifrån fem temaområden som vi funnit i materialet. Vi går däreftervidare med en diskussion kring hur vi funnit att de studerade organisationernaser på hot, risk och säkerhet och hur de arbetar med Security Controls settgenom de tre säkerhetsdimensionerna. Avslutningsvis föreslår vi fortsattforskning inom området. / IT and information security is a recurring theme. IT security in smallorganizations appear to be an under-researched area. To make a survey of thework on risk, threat and security might look like in small organizations, weconducted an exploratory interview with representatives of small organizationsabout their work with IT and information security. We also conducted interviewswith experts in the field to get a broader perspective. The interpretation andanalysis of the interview responses have been carried out by first interpret theresponses based Security Controls, and then analyze the responses on fivethematic areas which we found in the material. We will then continue with adiscussion of how we have found that the studied organizations, look at threats,risk and safety and how they work with the Security Controls seen through thethree security dimensions. Finally, we suggest further research in this area. Security Controls IT-säkerhet Riskarbete Upplevd säkerhet Små organisationer Information Systems
3	Propuesta de una Arquitectura de Software para la Mejora del Proceso de Gestión de Monitoreo de Controles de Seguridad / Proposed Software Architecture for the Improvement of the Management Process for Monitoring Security Controls of the Security Management System Chávez Luna, Manuel Ángel, Paredes Jara, Armando Victor 05 August 2020 (has links) El objetivo del presente trabajo de investigación es una propuesta de Arquitectura de Software para la gestión de monitoreo de controles de seguridad del Programa Integral Nacional para el bienestar Familia – INABIF, siguiendo buenas prácticas de enfoques predictivos, análisis de procesos, marcos de trabajo de la arquitectura empresarial y diseño arquitectónico de software. El modelo propuesto proveerá al negocio un diseño de arquitectura de software que optimice las tareas asociadas al control y medición de los controles de seguridad de la organización. Entonces, para el desarrollo de la propuesta de trabajo, se presentará el análisis del negocio, que, mediante la metodología de Zachman, se mostrará una vista a alto nivel del giro de negocio de la organización, sus objetivos estratégicos y su posicionamiento en la actualidad. Seguidamente, se presentará el enfoque desde el punto de vista del proceso estudio, conocer el rol que cumple dentro de los procesos macros de la compañía, su trazabilidad con los objetivos de la compañía, así como el grado de responsabilidad que tienen asignada. Asimismo, una vez identificado las tareas que hacen deficiente el proceso, se generará los casos de uso de sistema (basado en lenguaje de modelamiento unificado), que representen el comportamiento del sistema que el diseño de arquitectura de software deberá soportar. Finalmente, y bajo lineamientos de calidad de arquitectura, se emplearán herramientas de modelado que definan la estructura arquitectónica de la presente propuesta, de tal forma garanticen calidad de análisis, diseño y cumplimiento de objetivos trazados por el negocio. / The objective of this research work is to provide a Software for the management of security controls and monitoring of the National Comprehensive Program for Families well-being - INABIF, following practices of predictive approach, process analysis, structure of the business, construction and software design. The proposed model will provide a software design that optimizes the tasks associated with the control and study of the organization's security controls. Also, for the development of the proposed work, a business analysis will be presented, which, through the Zachman methodology, it will present a high-level view of the organization's business line, its strategic objectives, and its current positioning. The approach will be visible from the point of view of the study process, knowing the role it plays within the company's macro processes, following the company's objectives, as well as the degree of responsibility assigned to it. Once deficient tasks have been identified, the system will generate case studies (based on the unified modeling language), which represent the behavior of the system that the software design must support. Finally, under design quality guidelines, modeling tools will be used to define the structure of this proposal, thereby guaranteeing quality of analysis, design and compliance with objectives set by the organization. / Tesis Arquitectura de software Controles de seguridad Software architecture Security controls
4	Zavádění bezpečnostní politiky ve firmě / Security policy implementation in a selected company Doležalová, Eliška January 2017 (has links) This diploma thesis examines the process of preparation and implementation of a security policy as a means of information asset security management. The theoretical part describes security policies as an important part of information security management systems in a company and discusses the issue of virtual teams in terms of safety risks they pose for information security. This theoretical knowledge is applied in the practical part of the thesis where a security policy is composed for a small IT company with virtual team organization.
5	The economics of information security Dlamini, Moses Thandokuhle 20 September 2010 (has links) In the year 2008, world markets suffered a huge economic crisis. The extent of the economic crisis has been so severe and has had a global impact. As a contingency strategy, governments of wealthy nations have resorted to extensive bailouts and rescue packages to stop organisations from going bankrupt. A skyrocketing amount of money has been spent on rescue packages and bailouts for the tumbling organisations. However, this could not stop some of the world’s wealthiest financial institutions e.g. Lehman Brothers, Northern Rock, etc from collapsing. Most of the surviving organisations froze their expenditure, implemented cost-cutting measures and in the process, numerous employees lost their jobs. Executives were compelled to ‘achieve more with less’ in order to save their organisations from going bankrupt. It is on this premise that this research proposed the BC3I (Broad Control Category Cost Indicators) model, which is a step towards ‘achieving more with less’ within information security budgeting. The tumbling world markets and increased requirements for legal and regulatory compliance have made this a timely and relevant research that addressed a current, spot-on and global problem. The BC3I model as the main outcome of this research has indeed come at the right time. The BC3I model as proposed in this research makes a real contribution towards assisting information security managers as they make informed decisions regarding the optimal and cost-effective allocation of financial resources to information security activities. The proposed model can be argued to be a good start towards the selection of appropriate controls to optimally and cost-effectively protect organisations’ information assets and simultaneously achieve compliance with legal and regulatory mandates. As a proof of concept, the practicality of the BC3I model has been demonstrated in three different scenarios. The model has been illustrated for an organisation chosen from the financial sector; being the hardest hit by the economic crisis. Furthermore, the financial sector is chosen because of its high reliance on information security for the most obvious reasons that of dealing with money and confidential customer information. Finally and for acceptance purposes, the model has been discussed and reviewed by industry experts from the financial sector. Copyright / Dissertation (MSc)--University of Pretoria, 2010. / Computer Science / unrestricted Broad control categories Information security standards Budget constraints Information security Information security investment Information security budget Information security controls UCTD
6	Russia’s war against Ukraine : The effect on IT security in Sweden’s municipalities / Rysslands krig mot Ukraina : Effekten på IT-säkerheten i Sveriges kommuner Götlind, Hampus, Olsson, Rickard January 2023 (has links) This report aims to look at how Russia’s war in Ukraine has affected the work with IT security at Swedish municipalities, what actions have been taken, if any, and see if there has been an increase in attacks towards the municipalities’ networks. This was done by sending out a questionnaire to all of Sweden’s 290 municipalities via email with four questions regarding their IT security. 103 of Sweden’s municipalities responded to the email. Ten municipalities declined to participate in the report, which means that 32% (93) of Sweden’s municipalities participated in this survey. We chose to evaluate the Swedish municipalities and their preparedness in case of war for several reasons. They are a uniform group which we believed adhere to the same guidelines and regulations regarding cybersecurity, and the fact that they store and engage with critical and sensitive data about Sweden and its population, making them prime targets for attacks by foreign powers. The results were presented anonymously and based on the voluntary responses of the municipalities. Answers were then compiled and sorted into the five main categories from the NIST framework for cybersecurity. The report concludes that Swedish municipalities have taken significant actions to protect their networks in response to Russia’s war and aggressions towards Ukraine. For example, 18 municipalities reported that they had trained their staff in some way, which was the most common measure, and 11 municipalities had implemented two-factor authentication. However, more can be done in terms of responding to threats and enhancing recovery plans and systems. In summary, there seemed to be a lack of consensus on how municipalities should handle their own IT-security, as there was a high variation in the responses. The follow-up questions revealed a significant increase in attacks towards the municipalities’ networks, with many considering their networks potential targets for future attacks from foreign powers. cybersecurity security controls survey performance evaluation Russia Ukraine war municipalities information security management risk assessment cybersäkerhet säkerhetskontroller undersökning prestationsutvärdering Ryssland Ukraina krig kommuner informationssäkerhetshantering riskbedömning. Computer Systems Datorsystem
7	A Solution to Selecting Cyber-Security Software Tools for an Organization Using Security Controls Marcos Conca, Alexandre January 2017 (has links) In the last decade, cyber-threats have evolved dramatically, forcing organizations yearafter year to use increasingly sophisticated security measures, security software amongothers. This has led to a huge increase in the number of security tools available in theindustry. The result of the increase is that that companies often do not know in whichsoftware to invest in order to meet their security needs. The purpose of this thesis isto address this problem by developing a solution that helps companies to choose theright security software based on their security needs and that allows to do the selectionprocess in a systematic and reliable way.The solution proposed in the thesis builds on interviews with experts in information security,data collection from the literature and Internet and on a case study. The solutionconsists of rstly an investigate method with which it is possible to categorize any securitytool according to the list of cyber-security controls proposed by CIS Critical SecurityControls (CSC), which were chosen after a comparative study with other publicly availablecontrols because they are actionable, relevant and updated frequently. Secondly,the solution proposes a user-friendly web tool that has been developed to allow the usersto visualize the collected information for comparison. The visualization tool will helpthe users to select the security tools in which the company could be interested to investin. The visualization is done in a simple way and the CSCs that would be covered areshown together with the gaps and the overlaps of the selected tools. In order to verifythe viability of the solution that was developed with real data, the project includes acase study with a representative set of security tools. The case study facilitates thecomprehension of the process undertaken and shows how this method could be appliedin a real case scenario. / Under det senaste decenniet har cyberhot utvecklats dramatiskt. Hotet tvingar organisationeratt år efter år använda allt mer sofistikerade säkerhetsåtgärder, bland annatsäkerhetsmjukvara. Detta har lett till en enorm ökning av antalet av säkerhetsverktygsom finns i branschen. Resultatet av ökningen är att företag ofta inte vet i vilken programvarade borde investera i för att möta sina säkerhetsbehov. Syftet med dennarapporten är att ta itu med detta problem genom att utveckla en lösning som hjälperföretag att välja rätt säkerhetsprogramvara baserat på deras säkerhetsbehov och somgör urvalsprocessen på ett systematiskt och tillförlitligt sätt.Den lösning som föreslås i rapporten bygger på intervjuer med experter inom informationssäkerhet, datainsamling från litteraturen och Internet och på en fallstudie. Lösningenbestår först av en utredningsmetod med vilken det är möjligt att kategorisera vilketsäkerhetsverktyg som helst enligt listan över cybersäkerhetskontroller som publiceras avCIS Critical Security Controls (CSC). CSC valdes efter en jämförande studie som inkluderadeandra allmänt tillgängliga förteckningar över kontrollerna, eftersom CSC kontrollerär genomförbara, relevanta och uppdateras ofta. För det andra föreslår lösningen ettanvändarvänligt webbverktyg som har utvecklats för att göra det möjligt för användareatt visualisera den insamlade informationen för jämförelse. Visualiseringsverktyget kommeratt hjälpa användarna välja säkerhetsverktyg som företaget kan vara intresseradeav att investera i. Visualiseringen sker på ett enkelt sätt och CSCs som omfattas visastillsammans med de luckor och överlappningar som finns i den valda programvaran.För att bekräfta genomförbarhet för den lösning som utvecklats med verkliga data,omfattar projektet en fallstudie med ett representativt urval av säkerhetsverktyg. Fallstudienunderlättar förståelsen för klassificeringen och urvalsprocessen genom att visahur denna metod skulle kunna tillämpas i ett verkligt fall. Information Security Critical Security Controls Investigative Method Security Tools Web Tool Informationssakerhet Kritiska Sakerhetskontroller Undersokande Metod Sakerhetsverktyg Webbverktyg Elektroteknik och elektronik
8	Uma arquitetura para agrupamento de controles de segurança em ambientes de tecnologia da informação baseada em barganhas cooperativas irrestritas. / An architecture to grouping security controls in information technology environments based on unrestricted cooperative bargains. Silva, Anderson Aparecido Alves da 15 December 2016 (has links) Controles de segurança, também chamados de mecanismos de proteção, voltados para previsão e detecção de eventos indesejados são cada vez mais empregados em ambientes de Tecnologia da Informação (TI). O pouco entendimento sobre as características dos eventos indesejados que agem nos sistemas e a baixa compatibilidade existente entre os diversos mecanismos de proteção são problemas que se destacam neste tipo de cenário. Diferentes configurações dificultam a combinação dos resultados destes mecanismos e raramente dois ou mais controles de segurança se complementam. Por esse motivo, o agrupamento entre mecanismos de detecção e de previsão não é trivialmente resolvido. Neste trabalho é proposta uma arquitetura, denominada de Arquitetura Estratégica de Agrupamento - Strategic Grouping Architecture (SGA) - para agrupamento de controles de segurança voltados para detecção e/ou previsão, que tem como base a busca de um equilíbrio entre as configurações e os resultados individuais de cada mecanismo de proteção envolvido. Para alcançar este equilíbrio a arquitetura proposta divide a análise dos eventos (legítimos e maliciosos) que passam pelos controles de segurança em dois níveis de abstração: o técnico, onde são coletadas as configurações e os resultados dos controles de segurança; e o estratégico, onde os dados obtidos no nível técnico são analisados por meio de barganhas cooperativas irrestritas - Unrestricted Cooperative Bargains (UCB), conceito proveniente da Teoria dos Jogos, que busca a otimização e equilíbrio entre resultados. Justamente por ser realizada em um nível de abstração diferente, a análise gerada pelo SGA identifica a influência que cada configuração exerce nos resultados agrupados. Para explorar a capacidade da arquitetura proposta, dois experimentos, bastante diferentes, que envolvem a ação de eventos indesejados em ambientes de TI são conduzidos. Os resultados obtidos mostram a viabilidade do agrupamento de controles de segurança de detecção e previsão e a possibilidade do uso do SGA em outros ambientes, que não estejam necessariamente ligados à segurança de TI. Baseada na literatura científica a validação do SGA consiste de uma transformação prévia na categoria dos jogos estratégicos usados - cooperativos para não-cooperativos - e na busca de situações como o Equilíbrio de Nash (EN) e o ótimo de Pareto, que indicam os melhores resultados de um jogo. / Security controls, also called protection mechanisms, focused on forecasting and detection of unwanted events are increasingly employed in Information Technology (IT) environments. The little understanding about the characteristics of unwanted events which act on the systems and the low rate of compatibility among several protection mechanisms are both problems that arise in that scenario. Different settings make difficult combining the results of these mechanisms and two or more controls rarely complement each other. Due to that, grouping mechanisms of detection and forecasting is not a trivial matter. In this work a framework called Strategic Grouping Architecture (SGA) is proposed to grouping security controls focused on detection and/or forecasting. SGA is based on the search for equilibrium between the settings and the individual results of each protection mechanism involved. In order to reach this equilibrium the proposed framework divide the analysis of events (legitimates and malicious) which go through the security controls in two abstract levels: the technical level, where the settings and the results of security controls are collected; and the strategic level, where the data obtained in the technical level are analyzed through Unrestricted Cooperative Bargains (UCB), concept from Game Theory that seeks to optimize and balance the results. Precisely because it is performed on a different level of abstraction, the analysis generated by the SGA identifies the influence that each setting has on the clustered results. In order to exploit the capability of the proposed architecture, two experiments, quite different, involving the action of unwanted events in IT environments, are conducted. The obtained findings show the feasibility of grouping detection and forecasting security controls and the possibility of using the SGA in other environments that are not necessarily related to IT security. Based on scientific literature SGA validation consists of a previous transformation in the category of strategy games used - cooperative to non-cooperative - and the search for situations such as the Nash Equilibrium (NE) and the Pareto optimal, indicating the best results a game. Barganhas cooperativas irrestritas Controles de segurança Detection and forecasting attacks Game theory Kackers (Prevenção e Controle) Mobile Ad hoc NETwork (MANET) Mobile Ad hoc NETwork (MANET) Security controls Teoria dos jogos Unrestricted cooperative bargains
9	Uma arquitetura para agrupamento de controles de segurança em ambientes de tecnologia da informação baseada em barganhas cooperativas irrestritas. / An architecture to grouping security controls in information technology environments based on unrestricted cooperative bargains. Anderson Aparecido Alves da Silva 15 December 2016 (has links) Controles de segurança, também chamados de mecanismos de proteção, voltados para previsão e detecção de eventos indesejados são cada vez mais empregados em ambientes de Tecnologia da Informação (TI). O pouco entendimento sobre as características dos eventos indesejados que agem nos sistemas e a baixa compatibilidade existente entre os diversos mecanismos de proteção são problemas que se destacam neste tipo de cenário. Diferentes configurações dificultam a combinação dos resultados destes mecanismos e raramente dois ou mais controles de segurança se complementam. Por esse motivo, o agrupamento entre mecanismos de detecção e de previsão não é trivialmente resolvido. Neste trabalho é proposta uma arquitetura, denominada de Arquitetura Estratégica de Agrupamento - Strategic Grouping Architecture (SGA) - para agrupamento de controles de segurança voltados para detecção e/ou previsão, que tem como base a busca de um equilíbrio entre as configurações e os resultados individuais de cada mecanismo de proteção envolvido. Para alcançar este equilíbrio a arquitetura proposta divide a análise dos eventos (legítimos e maliciosos) que passam pelos controles de segurança em dois níveis de abstração: o técnico, onde são coletadas as configurações e os resultados dos controles de segurança; e o estratégico, onde os dados obtidos no nível técnico são analisados por meio de barganhas cooperativas irrestritas - Unrestricted Cooperative Bargains (UCB), conceito proveniente da Teoria dos Jogos, que busca a otimização e equilíbrio entre resultados. Justamente por ser realizada em um nível de abstração diferente, a análise gerada pelo SGA identifica a influência que cada configuração exerce nos resultados agrupados. Para explorar a capacidade da arquitetura proposta, dois experimentos, bastante diferentes, que envolvem a ação de eventos indesejados em ambientes de TI são conduzidos. Os resultados obtidos mostram a viabilidade do agrupamento de controles de segurança de detecção e previsão e a possibilidade do uso do SGA em outros ambientes, que não estejam necessariamente ligados à segurança de TI. Baseada na literatura científica a validação do SGA consiste de uma transformação prévia na categoria dos jogos estratégicos usados - cooperativos para não-cooperativos - e na busca de situações como o Equilíbrio de Nash (EN) e o ótimo de Pareto, que indicam os melhores resultados de um jogo. / Security controls, also called protection mechanisms, focused on forecasting and detection of unwanted events are increasingly employed in Information Technology (IT) environments. The little understanding about the characteristics of unwanted events which act on the systems and the low rate of compatibility among several protection mechanisms are both problems that arise in that scenario. Different settings make difficult combining the results of these mechanisms and two or more controls rarely complement each other. Due to that, grouping mechanisms of detection and forecasting is not a trivial matter. In this work a framework called Strategic Grouping Architecture (SGA) is proposed to grouping security controls focused on detection and/or forecasting. SGA is based on the search for equilibrium between the settings and the individual results of each protection mechanism involved. In order to reach this equilibrium the proposed framework divide the analysis of events (legitimates and malicious) which go through the security controls in two abstract levels: the technical level, where the settings and the results of security controls are collected; and the strategic level, where the data obtained in the technical level are analyzed through Unrestricted Cooperative Bargains (UCB), concept from Game Theory that seeks to optimize and balance the results. Precisely because it is performed on a different level of abstraction, the analysis generated by the SGA identifies the influence that each setting has on the clustered results. In order to exploit the capability of the proposed architecture, two experiments, quite different, involving the action of unwanted events in IT environments, are conducted. The obtained findings show the feasibility of grouping detection and forecasting security controls and the possibility of using the SGA in other environments that are not necessarily related to IT security. Based on scientific literature SGA validation consists of a previous transformation in the category of strategy games used - cooperative to non-cooperative - and the search for situations such as the Nash Equilibrium (NE) and the Pareto optimal, indicating the best results a game. Barganhas cooperativas irrestritas Controles de segurança Kackers (Prevenção e Controle) Mobile Ad hoc NETwork (MANET) Teoria dos jogos Detection and forecasting attacks Game theory Mobile Ad hoc NETwork (MANET) Security controls Unrestricted cooperative bargains
10	Informationssäkerhet i organisationer - Utvärdering av Folktandvårdens informationssäkerhet inom Region Jönköpings län / Information security in organizations- Evaluation of Folktandvården's information security within Region Jönköping County Al-Botani, Nidaa January 2015 (has links) Information är idag en värdefull resurs i organisationer som blir mer och mer beroende av sina informationssystem. Information utsätts för olika hot och den behöver skyddas för att organisationer effektivt ska kunna driva sin verksamhet. Ett systematiskt informationssäkerhetsarbete hjälper organisationer att uppnå och upprätthålla en tillräcklig nivå av informationssäkerhet. Studiens syfte är att undersöka hur informationssäkerhet hanteras inom organisationer i allmänhet i nuläget. En fallstudie har genomförts på Folktandvården, Region Jönköpings län för att undersöka hur Folktandvårdens medarbetare hanterar informationssäkerheten. Dessutom syftar studien till att utvärdera medvetenhet om informationssäkerhet hos medarbetarna på Folktandvården och att presentera förslag på hur hanteringen av personuppgifter kan förbättras i organisationer. Blandade tekniker har använts för att samla information. Litteraturstudier inom området informationssäkerhet har genomförts. Empirisk data har samlats in genom en enkätundersökning, intervjuer och skriftliga frågor som har skickats via e-post till utvalda ansvariga som jobbar specifikt med frågor som berör informationssäkerhet inom Folktandvården. Denna studie använder de svenska standarderna SS-ISO/IEC 27001:2014 och SS-ISO/IEC 27002:2014 för att utvärdera informationssäkerhet på Folktandvården, Region Jönköpings län samt att få en bild av hur informationssäkerhet hanteras inom organisationer. Organisationer kan upprätthålla säkerhet i sin informationshantering genom att tillämpa ett ledningssystem för informationssäkerhet (LIS) som bevarar konfidentialitet, riktighet (integritet) och tillgänglighet av information. Informationssäkerhetsarbetet och införandet av LIS skiljer sig mellan organisationer eftersom de kan påverkas av organisationens behov och mål, storlek och struktur. Fallstudiens resultat visar att Folktandvården, Region Jönköpings län genomför en aktiv hantering av informationssäkerhet. Folktandvården klarar de flesta kraven som ställdes i standarderna. Däremot föreslås det i studien att fler utbildningsprogram ordnas för att öka medvetenheten kring informationssäkerhet. Dessa utbildningsprogram bör uppdateras regelbundet för att det fortsätter att vara i linje med organisatoriska policy och rutiner. Det rekommenderas även att organisationen utför informationsklassning fullt ut enligt den modellen som Folktandvården har. Dessutom rekommenderas att utveckla planeringen av kontinuitet för informationssäkerhet. Resultatet från enkätundersökningen visar att medarbetarna är medvetna om hur de hanterar informationssäkerhetsincidenter och upplever att systemen är tillgängliga för de behöriga. Flera av de förslag som presenterades av denna studie har hörsammats och kommer att leda till vidare arbete inom Folktandvården. Organisationers personuppgifter bör skyddas genom att tillämpa regler enligt gällande författningar. En ansvarig person i organisationen bör ge vägledning till de anställda om sitt ansvar för hantering av personuppgifter. / Information today is a valuable resource for organizations which become more and more dependent on their information systems. Information subject to various threats and the need to be protected in order that organizations can effectively run their business. A systematic information security helps organizations to achieve and maintain a sufficient level of information security. The study aims to investigate how information is managed within organizations in general. A case study has been performed in Folktandvården (the Public Dental Service), Region Jönköping County to investigate how the organization handle information security. In addition, the study aims to evaluate awareness of information security among employees at the business and to present proposals on how to improve handling of personal data. Mixed techniques have been used to gather information. Literature studies in the field of information security has been implemented. The empirical data collected through a questionnaire, interviews and written questions sent by e-mail to managers in Folktandvården. This study uses the standards SS-ISO / IEC 27001:2014 and SS-ISO / IEC 27002:2014 to evaluate the information in Folktandvården, Region Jönköping County and to get a picture of how information is managed within organizations. Organizations can maintain the security of their information by implementing an information security management system (ISMS) that preserves the confidentiality, integrity and availability of information. Information security and ISMS application differs between organizations, which could be affected by the organization's needs and goals, size and structure. Case study results show that Folktandvården, Region Jönköping County implements an active management of information. The organization manages most of the specifications in the standards. However this study proposes to organize more training programs for information security awareness. These programs should be updated regularly in order to continue to be in line with organizational policies and procedures. It is recommended that the organization performs information classification fully in accordance with the model it has. Additionally, it is recommended to develop the planning of continuity for information. The results from the questionnaire show that the employees are aware of how they handle information security incidents and they think that the systems are available for authorized access. Several of the proposals presented by this study have been heeded and will lead to further work in Folktandvården. Organizations' personal information should be protected by applying the rules in accordance with applicable regulations. A responsible person in the organization should provide guidance to employees about their responsibility for the handling of personal data. Information security SS-ISO/IEC 27001:2014 SS-ISO/IEC 27002:2014 ISMS information security controls. Informationssäkerhet SS-ISO/IEC 27001:2014 SS-ISO/IEC 27002:2014 LIS säkerhetsåtgärder.

Search results