The information security policy: an important information security management control.

Hone, Karin

22 April 2008

This study originated from the realisation that the information security industry has identified the information security policy as one of the most important information security management controls. Within the industry there are, however, differing views as to what constitutes an information security policy, what it should contain, how it should be developed and how it should best be disseminated and managed. Numerous organisations claim to have an information security policy, but admit that it is not an effective control. The principal aim of this study is to make a contribution to the information security discipline by defining what an information security policy is, where it fits into the broader information security management framework, what elements an effective policy should contain, how it should be disseminated and how the document is best kept relevant, practical, up-to-date and efficient. The study develops and documents various processes and methodologies needed to ensure the effectiveness of the information security policy, such as the dissemination process and the information security policy management lifecycle. The study consists of five parts, of which Part I serves as introduction to the research topic. It provides background information to the topic and lays the foundation for the rest of the dissertation. Chapter 1 specifically deals with the research topic, the motivation for it and the issues addressed by the dissertation. Chapter 2 looks at the concept of information security management and what it consists of, highlighting the role an information security policy has to play in the discipline. Chapter 3 introduces the various international information security standards and codes of practice that are referred to, examined and analysed in the dissertation. This chapter specifically highlights how and to what extent each of these address the topic of the information security policy. Part II introduces the concept of the information security policy. Chapter 4 provides the background to what an information security policy is and where it fits into the broader structure of an organisation’s governance framework. Chapter 5 specifies what an effective information security policy is and what components are needed to ensure its success as an information security control. Part III expands the components of an effective information security policy as introduced in Chapter 5. This part consists of Chapters 6 to 8, with each of these addressing a single component. Chapter 6 further investigated the development of the information security policy. The dissemination of the document is discussed in Chapter 7 and Chapter 8 expands the concept of the information security policy management lifecycle. Part IV consists of Chapter 9, which deals with a case study applying the various processes and methodologies defined in the previous part. The case study deals with a fictitious organisation and provides detailed background information to indicate how the organisation should approach the development and dissemination of the information security policy. Some of the examples constructed from the case study include a sample information security policy and a presentation to be used as introduction to the information security policy. The dissertation is concluded in Chapter 10. This chapter provides a summarised overview of the research and the issues addressed in it. / Prof. J.H.P. Ehlers

computer security

computer security management

computer security standards

data protection

Optimizing the advanced encryption standard on Intel's SIMD architecture

Godbole, Pankaj

15 January 2004

The Advanced Encryption Standard (AES) is the new standard for cryptography and has gained wide support as a means to secure digital data. Hence, it is beneficial to develop an implementation of AES that has a high throughput. SIMD technology is very effective in increasing the performance of some cryptographic applications. This thesis describes an optimized implementation of the AES in software based on Intel's SIMD architecture. Our results show that our technique yields a significant increase in the performance and thereby the throughput of AES. They also demonstrate that AES is a good candidate for optimization using our approach. / Graduation date: 2004

Data encryption (Computer science)

Computer security -- Standards

Computer architecture

Computers -- Access control

How Far Web Services Tools Support OASIS Message Security Standards?

Sistla Shambhu, Maharaj Sastry

January 2005

<p>There is a great deal of interest burgeoning in the intellectual community regarding Web Services and their usage. Many writers have tried to bring awareness about some unconceived threats lurking behind the enticing Web Services. Threats due to Web Services are on an all time high giving an alarming knock to the Web Services security community. This led to the, Organization for the Advancement of Structured Information Standards (OASIS) made some constraints mandatory in order to standardize message security and these constraints and specifications are presented through a document called WS Security -2004. This work is an attempt to check the support offered by various Web Services Tools available currently. It introduces the reader to Web Services and presents an overview of how far some of the tools have reached in order to make the Web Services environment safe, secure and robust to meet the current day’s requirements. A quantitative approach was taken to investigate the support offered by servers like BEA, Apache Axis etc. The conclusions drawn show that most of the tools meet the imposed standards but a lot more is expected from the web community and these tools; if at all the visions about safe and secure Web Services are to be realized.</p>

WSS-2004

Web Services

Digital Signatures

Encryption

Security Standards

Computer science

Datavetenskap

How Far Web Services Tools Support OASIS Message Security Standards?

Sistla Shambhu, Maharaj Sastry

January 2005

There is a great deal of interest burgeoning in the intellectual community regarding Web Services and their usage. Many writers have tried to bring awareness about some unconceived threats lurking behind the enticing Web Services. Threats due to Web Services are on an all time high giving an alarming knock to the Web Services security community. This led to the, Organization for the Advancement of Structured Information Standards (OASIS) made some constraints mandatory in order to standardize message security and these constraints and specifications are presented through a document called WS Security -2004. This work is an attempt to check the support offered by various Web Services Tools available currently. It introduces the reader to Web Services and presents an overview of how far some of the tools have reached in order to make the Web Services environment safe, secure and robust to meet the current day’s requirements. A quantitative approach was taken to investigate the support offered by servers like BEA, Apache Axis etc. The conclusions drawn show that most of the tools meet the imposed standards but a lot more is expected from the web community and these tools; if at all the visions about safe and secure Web Services are to be realized.

WSS-2004

Web Services

Digital Signatures

Encryption

Security Standards

Computer Sciences

Datavetenskap (datalogi)

GESTÃO DE RISCOS DE SEGURANÇA DA INFORMAÇÃO BASEADA NA NORMA NBR ISO/IEC 27005 USANDO PADRÕES DE SEGURANÇA / RISK MANAGEMENT OF INFORMATION SECURITY BASED ON STANDARD NBR ISO/IEC 27005 USING SECURITY PATTERNS

Konzen, Marcos Paulo

26 February 2013

In the last years more vulnerabilities and threats have emerged, compromising information security in Information and Communication Technology (ICT) systems. In addition, many organizations are unprepared to deal with the risks of information security, making them the most vulnerable to such threats. Thus the negative impact caused by security incidents tends to be more frequent. The implementation of information security risk management based on a set of best practices is critical, but still a challenge for most companies. This work proposes a methodology for managing risks based on NBR ISO/IEC 27005:2008. The methodology presents a sequence of activities and a series of guidelines and goals that must be achieved to make the risk management effective. As with most standards and reference models, the methodology does not describe how activities should be implemented, which makes it difficult to implement for organizations less experienced in security procedures. The reuse of solutions already tested and consolidated to recurring security problems it can assist in ensuring the use of best practices. These solutions can be found in security standards that capture and document the knowledge of security experts, but its application to develop standards for risk management activities is unknown. Thus, this work reviews the guidelines of NBR ISO/IEC 27005:2008 standards and pattern catalogs in order to identify security patterns to develop activities in accordance with the guidelines described by the standard. Therefore, the main contribution of this work is to develop a methodology for risk management centered in solutions, tasks and techniques described by 22 security standards. An analysis and risk assessment using security standards was applied to a DC (Data Center) of a private university, whose result shows the final risk for each asset, meeting the guidelines of NBR ISO/IEC 27005:2008. / Nos últimos anos, cada vez mais novas ameaças e vulnerabilidades surgem comprometendo a segurança das informações em sistemas de Tecnologia da Informação e Comunicações (TIC), e muitas organizações encontram-se despreparadas para lidar com os riscos de segurança da informação, tornando-as mais vulneráveis às ameaças, e os impactos negativos causados pelos incidentes de segurança tendem a ser mais frequentes. A implantação de uma gestão de riscos de segurança da informação baseada no conjunto das melhores práticas é fundamental, porém ainda um desafio para a maioria das empresas. Este trabalho propõe uma metodologia de gestão de riscos baseada na norma NBR ISO/IEC 27005:2008, que apresenta uma sequência de atividades e uma série de diretrizes e objetivos que devem ser alcançados para que o gerenciamento dos riscos seja efetivo. Como na maioria das normas e modelos de referência, elas não descrevem como as atividades devem ser implementadas, o que acaba dificultando a sua adoção por organizações menos experientes em processos de segurança. A reutilização de soluções já testadas e consolidadas para resolver problemas recorrentes de segurança pode auxiliar na garantia de utilização de melhores práticas. Estas soluções podem ser encontradas em padrões de segurança que capturam e documentam o conhecimento de especialistas em segurança, mas se desconhece a sua aplicação para desenvolver atividades das normas de gestão de riscos. Desta forma, este trabalho faz uma revisão das diretrizes da norma NBR ISO/IEC 27005:2008 e de catálogos de padrões, a fim de identificar padrões de segurança para desenvolver as atividades de acordo com as diretrizes descritas pela norma. Portanto, a principal contribuição deste trabalho é o desenvolvimento de uma metodologia de gestão de riscos centrada em soluções, tarefas e técnicas descritas por 22 padrões de segurança. Uma análise e avaliação de riscos utilizando padrões de segurança foi aplicada em um CPD de uma instituição privada de ensino superior, cujo resultado mostra o risco final de cada ativo, atendendo as diretrizes da norma NBR ISO/IEC 27005:2008.

Gestão de riscos

Padrões de segurança

Normas de segurança

Risk management

Security patterns

Security standards

Design Better Content Development Process for SCAP Standards / Design Better Content Development Process for SCAP Standards

Beňas, Petr

January 2013

Cílem této práce je nastudovat a zjednodušeně popsat standardy SCAP používané pro standardizované předávání informací o zranitelnostech a dalších dat souvisejících s informační bezpečností, se zaměřením na formáty XCCDF a OVAL. V textu jsou zkoumány existující přístupy a nástroje sloužící k tvorbě obsahu těchto standardů. Na základě získaných poznatků je navržen nový nástroj s cílem řešit nedostatky existujících přístupů. Text práce také popisuje implementaci a testování navrženého nástroje.

Cyber Security and Security Frameworks for Cloud and IoT Architectures

Haar, Christoph

20 October 2023

Das Cloud Computing hat die Art und Weise unserer Kommunikation in den letzten Jahren rapide verändert. Es ermöglicht die Bereitstellung unterschiedlicher Dienste über das Internet. Inzwischen wurden sowohl für Unternehmen, als auch für den privaten Sektor verschiedene Anwendungen des Cloud Computing entwickelt. Dabei bringt jede Anwendung zahlreiche Vorteile mit sich, allerdings werden auch neue Herausforderungen an die IT-Sicherheit gestellt. In dieser Dissertation werden besonders wichtige Anwendungen des Cloud Computing auf die aktuellen Herausforderungen für die IT-Sicherheit untersucht. 1. Die Container Virtualisierung ermöglicht die Trennung der eigentlichen Anwendung von der IT-Infrastruktur. Dadurch kann ein vorkonfiguriertes Betriebssystem-Image zusammen mit einer Anwendung in einem Container kombiniert und in einer Testumgebung evaluiert werden. Dieses Prinzip hat vor allem die Software-Entwicklung in Unternehmen grundlegend verändert. Container können verwendet werden, um software in einer isolierten Umgebung zu testen, ohne den operativen Betrieb zu stören. Weiterhin ist es möglich, verschiedene Container-Instanzen über mehrere Hosts hinweg zu verwalten. In dem Fall spricht man von einer Orchestrierung. Da Container sensible unternehmensinterne Daten beinhalten, müssen Unternehmen ihr IT-Sicherheitskonzept für den Einsatz von Container Virtualisierungen überarbeiten. Dies stellt eine große Herausforderung dar, da es derzeit wenig Erfahrung mit der Absicherung von (orchestrierten) Container Virtualisierungen gibt. 2. Da Container Dienste über das Internet bereitstellen, sind Mitarbeiterinnen und Mitarbeiter, die diese Dienste für ihre Arbeit benötigen, an keinen festen Arbeitsplatz gebunden. Dadurch werden wiederum Konzepte wie das home o

info:eu-repo/classification/ddc/500

ddc:500

Návrh bezpečnostní politiky české pobočky nadnárodní společnosti / The Proposal of a Safety Policy in the Czech Branch of an International Compan

Filip, Tomáš

January 2009

Safety policy deals with processes of security in company to protect assets regardless of a branch office size. Nowadays is the company exposed to a lot of threats and risks, which the company has to face to prevent work threats. This risks and threats don't have to be caused by competition, they can caused randomly, sporadically and someone can't be avoided or its protection is too expensive, whereas protection against some hazards can be easy or cheap. Analysis and appropriate safety actions are made for correct examination. This thesis put mind to create complete suggestion of safety policy for a small Czech branch of an international company. It contains required analyses, tips, theoretical solutions, policy for personal management and changes for easier suggestion of necessary safety documents. I made use of up-to-date information from the domain of security during the process, but special care has been made while writing the concepts, so that the document's contents wouldn't age so quickly.

Etude de l’interaction mécanique entre un dispositif médical implantable actif crânien et le crâne face à des sollicitations dynamiques / Analysis of the mechanical interaction between an active cranial implantable medical device and the skull subjected to impact loadings

Siegel, Alice

05 April 2019

Dans le cadre du développement accru d’implants crâniens actifs, l’étude de la résistance du complexe crâne-implant face à des chocs modérés est nécessaire afin d’assurer la sécurité du patient. Le but de cette thèse est de quantifier l’interaction mécanique entre le crâne et l’implant afin de développer un modèle éléments finis prédictif utilisable pour la conception des futurs dispositifs. Dans un premier temps, des essais matériaux sur titane et silicone ont permis d’extraire les paramètres élastiques, plastiques et de viscosité de leurs lois de comportement. Ces paramètres ont ensuite été implémentés dans un modèle éléments finis de l’implant sous sollicitations dynamiques, validé par des essais de choc de 2,5 J. L’implant dissipe une partie de l’énergie du choc et le modèle obtenu permet d’optimiser la conception de l’implant afin qu’il reste fonctionnel et étanche après l’impact. La troisième partie porte sur l’élaboration d’un modèle éléments finis du complexe crâne-implant sous sollicitations dynamiques. Des essais sur têtes cadavériques ovines ont permis d’optimiser les paramètres d’endommagement du crâne. Le modèle complet du complexe crâne-implant, corrélé à des essais de choc, apporte des éléments de réponses sur le comportement du crâne implanté face un choc mécanique, permettant ainsi d’optimiser la conception de l’implant afin de garantir l’intégrité du crâne.Ce modèle représente un premier outil pour l’analyse de l’interaction mécanique entre crâne et implant actif, et permet de dimensionner ce dernier de sorte à garantir son fonctionnement et son étanchéité, tout en assurant l’intégrité du crâne. / Active cranial implants are more and more developed to cure neurological diseases. In this context it is necessary to evaluate the mechanical resistance of the skull-implant complex under impact conditions as to ensure the patient’s security. The aim of this study is to quantify the mechanical interactions between the skull and the implant as to develop a finite element model for predictive purpose and for use in cranial implant design methodologies for future implants. First, material tests were necessary to identify the material law parameters of titanium and silicone. They were then used in a finite element model of the implant under dynamic loading, validated against 2.5 J-impact tests. The implant dissipates part of the impact energy and the model enables to optimize the design of implants for it to keep functional and hermetic after the impact. In the third part, a finite element model of the skull-implant complex is developed under dynamic loading. Impact tests on ovine cadaver heads are performed for model validation by enhancing the damage parameters of the three-layered skull and give insight into the behavior of the implanted skull under impact.This model is a primary tool for analyzing the mechanical interaction between the skull and an active implant and enables for an optimized design for functional and hermetic implants, while keeping the skull safe.

Dispositif médical implantable actif

Sécurité normative

Choc

Crâne

Modélisation éléments finis

Expérimentations

Active implatntable medical device

Security standards

Impact

Skull

Finite element modeling

Experiments

An investigation of information security in small and medium enterprises (SME's) in the Eastern Cape

Upfold, Christopher Tennant

January 2005

Small and Medium Enterprises (SME’s) embrace a wide range of information systems and technology that range from basic bookkeeping and general purpose office packages, through to advanced E-Business Web portals and Electronic Data Interchange (EDI). A survey, based on SABS ISO/IEC 17799 was administered to a select number of SME’s in the services sector, in the Eastern Cape. The results of the survey revealed that the level of information security awareness amongst SME leadership is as diverse as the state of practice of their information systems and technology. Although a minority of SME’s do embrace security frameworks such as SABS ISO/IEC 17799 or the International equivalent, BS7799, most SME leaders have not heard of security standards, and see information security as a technical intervention designed to address virus threats and data backups. Furthermore, there are several “stripped-down” standards and guidelines for SME’s, based mostly on SABS ISO/IEC 17799, but designed as streamlined, more easily implemented options. Again, these “lighter” frameworks are scarcely used and largely unknown by SME’s. Far from blaming SME leadership for not understanding the critical issues surrounding information security, the research concludes that SME leadership need to engage, understand and implement formal information security processes, failing which their organisations may be severely impacted by inadvertent threats / deliberate attacks on their information systems which could ultimately lead to business failure.

Computer security -- South Africa