Governing information security using organisational information security profiles

Tyukala, Mkhululi

January 2007

The corporate scandals of the last few years have changed the face of information security and its governance. Information security has been elevated to the board of director level due to legislation and corporate governance regulations resulting from the scandals. Now boards of directors have corporate responsibility to ensure that the information assets of an organisation are secure. They are forced to embrace information security and make it part of business strategies. The new support from the board of directors gives information security weight and the voice from the top as well as the financial muscle that other business activities experience. However, as an area that is made up of specialist activities, information security may not easily be comprehended at board level like other business related activities. Yet the board of directors needs to provide oversight of information security. That is, put an information security programme in place to ensure that information is adequately protected. This raises a number of challenges. One of the challenges is how can information security be understood and well informed decisions about it be made at the board level? This dissertation provides a mechanism to present information at board level on how information security is implemented according to the vision of the board of directors. This mechanism is built upon well accepted and documented concepts of information security. The mechanism (termed An Organisational Information Security Profile or OISP) will assist organisations with the initialisation, monitoring, measuring, reporting and reviewing of information security programmes. Ultimately, the OISP will make it possible to know if the information security endeavours of the organisation are effective or not. If the information security programme is found to be ineffective, The OISP will facilitate the pointing out of areas that are ineffective and what caused the ineffectiveness. This dissertation also presents how the effectiveness or ineffctiveness of information security can be presented at board level using well known visualisation methods. Finally the contribution, limits and areas that need more investigation are provided.

Data protection

Computer security -- Management

Computer networks -- Security measures

The information security policy: an important information security management control.

Hone, Karin

22 April 2008

This study originated from the realisation that the information security industry has identified the information security policy as one of the most important information security management controls. Within the industry there are, however, differing views as to what constitutes an information security policy, what it should contain, how it should be developed and how it should best be disseminated and managed. Numerous organisations claim to have an information security policy, but admit that it is not an effective control. The principal aim of this study is to make a contribution to the information security discipline by defining what an information security policy is, where it fits into the broader information security management framework, what elements an effective policy should contain, how it should be disseminated and how the document is best kept relevant, practical, up-to-date and efficient. The study develops and documents various processes and methodologies needed to ensure the effectiveness of the information security policy, such as the dissemination process and the information security policy management lifecycle. The study consists of five parts, of which Part I serves as introduction to the research topic. It provides background information to the topic and lays the foundation for the rest of the dissertation. Chapter 1 specifically deals with the research topic, the motivation for it and the issues addressed by the dissertation. Chapter 2 looks at the concept of information security management and what it consists of, highlighting the role an information security policy has to play in the discipline. Chapter 3 introduces the various international information security standards and codes of practice that are referred to, examined and analysed in the dissertation. This chapter specifically highlights how and to what extent each of these address the topic of the information security policy. Part II introduces the concept of the information security policy. Chapter 4 provides the background to what an information security policy is and where it fits into the broader structure of an organisation’s governance framework. Chapter 5 specifies what an effective information security policy is and what components are needed to ensure its success as an information security control. Part III expands the components of an effective information security policy as introduced in Chapter 5. This part consists of Chapters 6 to 8, with each of these addressing a single component. Chapter 6 further investigated the development of the information security policy. The dissemination of the document is discussed in Chapter 7 and Chapter 8 expands the concept of the information security policy management lifecycle. Part IV consists of Chapter 9, which deals with a case study applying the various processes and methodologies defined in the previous part. The case study deals with a fictitious organisation and provides detailed background information to indicate how the organisation should approach the development and dissemination of the information security policy. Some of the examples constructed from the case study include a sample information security policy and a presentation to be used as introduction to the information security policy. The dissertation is concluded in Chapter 10. This chapter provides a summarised overview of the research and the issues addressed in it. / Prof. J.H.P. Ehlers

computer security

computer security management

computer security standards

data protection

Návrh zavedení bezpečnostních opatření na základě ISMS pro malý podnik / Design of security countermeasures implementation based on ISMS for small company

Tomko, Michal

January 2019

The master`s thesis deals with implementation of security countermeasures in accordance with information security management system for small company. Main concern of the master`s thesis will be design of security countermeasures in company. Solution of the design comes from the analysis of current state of the company including all important parts and assist evaluation which has been processed along with responsible persons.

Dilemata bezpečnostního profilování: Případ Spojených států amerických / The Dilemmas of Surveillance Profiling: The Case of the United States

Petrosyan, Davit

January 2018

1 Introduction to the Thesis and the Importance of the Topic The sorting and the categorization of individuals and groups by their capacity and inclination to risky behavior or level of dangerousness has been and remains an essential function of security apparatus of the state and a vital component in state security. Practices of this kind became even more important in the age of international terror. The western world and specifically the United States has been the primary target of international terror suffering numerous terrorist attacks including the 9/11 attacks that became thedefining moment of how security functions in themodern world. While what we call "western world" is dominantly defined by liberal democratic political order, many of its societies and specifically the US is also defined by atechnology-enabled environment that scholarship characterizes as "surveillance society" (Gandy 1989, Lyon 2001, Lyon & Bauman 2012). Withintechnology-enabled environments the technologization of security was inevitable (Ceyhan 2008), and the 9/11 generated even more intense and enhanced efforts ofspeeding this process up (Lyon 2004, Ball and Webster 2003). In the post 9/11 US war on terror, specifically surveillance technologies became central to security policies (Ceyhan 2006) as universal security enablers...

Developing security metrics scorecard for health care organizations

Elrefaey, Heba

22 January 2015

Information security and privacy in health care is a critical issue, it is crucial to protect the patients’ privacy and ensure the systems availability all the time. Managing information security systems is a major part of managing information systems in health care organizations. The purpose of this study is to discover the security metrics that can be used in health care organizations and to provide the security managers with a security metrics scorecard that enable them to measure the performance of the security system in a monthly basis. To accomplish this a prototype with a suggested set of metrics was designed and examined in a usability study and semi-structured interviews. The study participants were security experts who work in health care organizations. In the study security management in health care organizations was discussed, the preferable security metrics were identified and the usable security metrics scorecard specifications were collected. Applying the study results on the scorecard prototype resulted in a security metrics scorecard that matches the security experts’ recommendations. / Graduate / 0723 / 0769 / 0454 / hebae@uvic.ca

health care information security

An Empirical Investigation of the Economic Value of Information Security Management System Standards

Shoraka, Babak

01 January 2011

Within the modern and globally connected business landscape, the information assets of organizations are constantly under attack. As a consequence, protection of these assets is a major challenge. The complexities and vulnerabilities of information systems (ISs) and the increasing risks of failure combined with a growing number of security incidents, prompts these entities to seek guidance from information security management standards. The International Organization of Standardization (ISO) Information Security Management System (ISMS) standard specifies the requirements for establishing, operating, monitoring, and improving an information security management system within the context of an organization's overall business risks. Importantly, this standard is designed to ensure the selection of adequate information security controls for the protection of an organization's information assets and is the only auditable international standard for information security management. The adoption of, and certification against the ISO ISMS standard is a complex process which impacts many different security aspects of organizations and requires significant investments in information security. Although many benefits are associated with the adoption of an information security management standard, organizations are increasingly employing economic measures to evaluate and justify their information security investments. With the growing emphasis on the importance of understanding the economic aspects of information security, this study investigated the economic value of the ISO ISMS standard adoption and certification. The principles of the efficient market hypothesis and the event study methodology were employed to establish whether organizations realized economic gains from obtaining certification against the ISO ISMS standard. The results of this research showed that capital markets did not react to the ISO ISMS certification announcements. Furthermore, the capital market reaction to information security breaches was not different between ISO ISMS certified and non-certified firms. It was concluded that the ISO ISMS certification did not create economic value for the certified firms

Event study

Information secuity

Information security incidents

ISMS

Standards

Computer Sciences

Towards an Integrated Framework for Quality and Information Security Management in Small Companies

Große, Christine

January 2016

This master thesis elaborates the construction of an integrated framework for the simultaneous initiation of quality management and information security management within micro and small enterprises. Called QISMO, the model collection consists of three parts: (1) a holistic framework as structure dedicated to achieving a shared understanding among key stakeholders concerned about relations and dependencies, (2) a reference process model for visualising the entire process with the activities related, and (3) a lifecycle model for illustrating the process loop and for clarifying specific phases therein. This study offers an analysis of alternative approaches that results in premises and requirements adapted to micro and small enterprises. Furthermore, major barriers to the improvement of quality and information security management of micro and small enterprises are identified in this study. These include miscalculation of risks, lack of competence, and absence of structured processes. Aside from valuable insights for further development of enhanced training programs, the study contributes a comprehensive analysis of standards and good practices within the field of IT governance. Moreover, the study shares a concrete reference process model that is adapted to the preconditions of micro and small enterprises. These preconditions are acquired throughout the study. The proposition is to provide a basis for the further improvement of business processes and the models related to them, both in practice and in research.

Quality Management

Information Security Management

Information Systems Modelling

Reference Process Modelling

BISE

BPMN

Briefing paper two: the National Security Management System

January 1900

The aim of the government' s state of emergency in June 1986 was to try and bring the country under control through the use of force. Tens of thousands of people were detained, and many were tilled. At the same time, the government has been building a National Security Management System (NSMS). This is a series of structures throughout South Africa, designed to defend apartheid. The main type of structure is called a Joint Management Centre (JHC). Before we explain what a JMC is and what it does, it is useful to know where the idea for a National Security Management System comes from.

National security -- South Africa

An Automated Tool For Information Security Management System

Erkan, Ahmet

01 September 2006

This thesis focuses on automation of processes of Information Security Management System. In accordance with two International Standards, ISO/IEC 27001:2005 and ISO/IEC 17799:2005, to automate the activities required for a documented ISMS as much as possible helps organizations. Some of the well known tools in this scope are analyzed and a comparative study on them including &ldquo / InfoSec Toolkit&rdquo / , which is developed for this purpose in the thesis scope, is given. &ldquo / InfoSec Toolkit&rdquo / is based on ISO/IEC 27001:2005 and ISO 17799:2005. Five basic integrated modules constituting the &ldquo / InfoSec Toolkit&rdquo / are &ldquo / Gap Analysis Module&rdquo / , &ldquo / Risk Module&rdquo / , &ldquo / Policy Management Module&rdquo / , &ldquo / Monitoring Module&rdquo / and &ldquo / Query and Reporting Module&rdquo / . In addition a research framework is proposed in order to assess the public and private organizations&rsquo / information security situation in Turkey.

A Security Management System Design

Onder, Hulusi

01 July 2007

This thesis analyzes the difficulties of managing the security of an enterprise network. The problem that this thesis study deals with is the central management of a large number and variety of services that provide organization-wide network and information security. This study addresses two problem areas: how to better manage the security of a network, and how to explain the security issues to upper management better. The study proposes a Security Management System (SMS) to be used for network security management, monitoring and reporting purposes. The system is a custom made, central management solution, which combines the critical performance indicators of the security devices and presents the results via web pages.

H General Social Sciences 1-99