Information security service management : a service management approach to information security management

Rastogi, Rahul

January 2011

In today’s world, information and the associated Information Technology are critical assets for many organizations. Any information security breach, or compromise of these assets, can lead to serious implications for organizations that are heavily dependent on these assets. For such organizations, information security becomes vital. Organizations deploy an information security infrastructure for protecting their information assets. This infrastructure consists of policies and controls. Organizations also create an information security management system for managing information security in the organization. While some of the policies and controls are of a purely technical nature, many depend upon the actions of end-users. However, end-users are known to exhibit both compliant and noncompliant behaviours in respect of these information security policies and controls in the organization. Non-compliant information security behaviours of end-users have the potential to lead to information security breaches. Non-compliance thus needs to be controlled. The discipline of information security and its management have evolved over the years. However, the discipline has retained the technology-driven nature of its origin. In this context, the discipline has failed to adequately appreciate the role played by the end-users and the complexities of their behaviour, as it relates to information security policies and controls. The pervasive information security management philosophy is that of treating end-users as the enemy. Compliance is sought to be achieved through awareness programs, rewards, punishments and evermore strict policies and controls. This has led to a bureaucratic information security management approach. The philosophy of treating end-users as the enemy has had an adverse impact on information security in the organization. It can be said that rather than curbing non-compliance by end-users, the present-day bureaucratic approach to information security management has contributed to non-compliance. This thesis calls this the end-user crisis. This research aims at resolving this crisis by identifying an improved approach to information security management in the organization. This research has applied the service management approach to information security management. The resultant Information Security Service Management (ISSM) views end-users as assets and resources, and not as enemies. The central idea of ISSM is that the end-user is to be treated as a customer, whose needs are to be satisfied. This research presents ISSM. This research also presents the various components of ISSM to aid in its implementation in an organization.

Preservation of privacy in sensitive data publishing. / 隱私保護數據發佈 / Yin si bao hu shu ju fa bu

January 2008

Li, Jiexing. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2008. / Includes bibliographical references (leaves [105]-110). / Abstracts in English and Chinese. / Abstract --- p.i / Acknowledgement --- p.iv / Chapter 1 --- Introduction --- p.1 / Chapter 1.1 --- Problem Statement --- p.1 / Chapter 1.2 --- Contributions --- p.3 / Chapter 1.3 --- Thesis Organization --- p.5 / Chapter 2 --- Background Study --- p.7 / Chapter 2.1 --- Generalization Algorithms --- p.7 / Chapter 2.2 --- Privacy Principles --- p.10 / Chapter 2.3 --- Other Related Research --- p.11 / Chapter 3 --- Anti-Corruption Privacy Preserving Publication --- p.13 / Chapter 3.1 --- Motivation --- p.13 / Chapter 3.2 --- Problem Settings --- p.14 / Chapter 3.3 --- Defects of Generalization --- p.18 / Chapter 3.4 --- Perturbed Generalization --- p.23 / Chapter 3.5 --- Modeling Privacy Attacks --- p.26 / Chapter 3.5.1 --- Corruption-Aided Linking Attacks --- p.26 / Chapter 3.5.2 --- Posterior Confidence Derivation --- p.28 / Chapter 3.6 --- Formal Results --- p.30 / Chapter 3.7 --- Experiments --- p.34 / Chapter 3.8 --- Summary --- p.37 / Chapter 4 --- Preservation of Proximity Privacy --- p.39 / Chapter 4.1 --- Motivation --- p.39 / Chapter 4.2 --- Formalization --- p.40 / Chapter 4.2.1 --- Privacy Attacks --- p.41 / Chapter 4.2.2 --- "(ε, m)-Anonymity" --- p.42 / Chapter 4.3 --- Inadequacy of the Existing Methods --- p.44 / Chapter 4.3.1 --- Inadequacy of Generalization Principles --- p.45 / Chapter 4.3.2 --- Inadequacy of Perturbation --- p.49 / Chapter 4.4 --- "Characteristics of (Epsilon, m) Anonymity" --- p.51 / Chapter 4.4.1 --- A Reduction --- p.51 / Chapter 4.4.2 --- Achievable Range of m Given e1and e2 --- p.53 / Chapter 4.4.3 --- Achievable e1 and e2 Given m --- p.57 / Chapter 4.4.4 --- Selecting the Parameters --- p.60 / Chapter 4.5 --- Generalization Algorithm --- p.61 / Chapter 4.5.1 --- Non-Monotonicity and Predictability --- p.61 / Chapter 4.5.2 --- The Algorithm --- p.63 / Chapter 4.6 --- Experiments --- p.65 / Chapter 4.7 --- Summary --- p.70 / Chapter 5 --- Privacy Preserving Publication for Multiple Users --- p.71 / Chapter 5.1 --- Motivation --- p.71 / Chapter 5.2 --- Problem Definition --- p.74 / Chapter 5.2.1 --- K-Anonymity --- p.75 / Chapter 5.2.2 --- An Observation --- p.76 / Chapter 5.3 --- The Butterfly Method --- p.78 / Chapter 5.3.1 --- The Butterfly Structure --- p.78 / Chapter 5.3.2 --- Anonymization Algorithm --- p.83 / Chapter 5.4 --- Extensions --- p.89 / Chapter 5.4.1 --- Handling More Than Two QIDs --- p.89 / Chapter 5.4.2 --- Handling Collusion --- p.91 / Chapter 5.5 --- Experiments --- p.93 / Chapter 5.6 --- Summary --- p.101 / Chapter 6 --- Conclusions and Future Work --- p.102 / Chapter A --- List of Publications --- p.104 / Bibliography --- p.105

Data protection

Computer security

Aplicação de metricas a analise de segurança em redes metropolitanas de acesso aberto / Metrics application in metropolitan broadband access network security analysis

Miani, Rodrigo Sanches,

03 May 2009

Orientador: Leonardo de Souza Mendes / Dissertação (mestrado) - Universidade Estdual de Campinas, Faculdade de Engenharia Eletrica e de Computação / Made available in DSpace on 2018-08-13T09:33:37Z (GMT). No. of bitstreams: 1 Miani_RodrigoSanches_M.pdf: 1458322 bytes, checksum: 8aae1af3ae9789f087bb70e07f08660a (MD5) Previous issue date: 2009 / Resumo: As questões relacionadas à garantia de segurança influenciam diretamente o sucesso da implantação de redes metropolitanas de acesso aberto. Dessa forma, são necessários métodos eficientes para analisar a segurança destas redes em todos os níveis (organizacional, físico e de sistemas), a fim de propor soluções e implementar melhorias. Nossa proposta consiste em criar métricas de segurança específicas para as redes metropolitanas de acesso aberto que visam medir a eficiência dos programas de segurança e apoiar o planejamento das ações contra os problemas detectados. Este trabalho apresenta um conjunto de doze métricas de segurança para tais redes e os parâmetros para a sua definição, tais como dois modelos para o cálculo do indicador de segurança de uma métrica. Também serão apresentados os resultados obtidos com a aplicação de tais métricas para o estabelecimento de políticas de segurança na rede metropolitana de acesso aberto de Pedreira, cidade localizada no interior do estado de São Paulo. Os resultados mostraram que a aplicação de métricas bem definidas pode ser eficiente na detecção de vulnerabilidades e correção de problemas de segurança. / Abstract: Information security has direct influence on any successful deployment of metropolitan broadband access networks. Efficient methods are required for security analysis of metropolitan networks in all levels: organization, structure and system. This work proposes the development and application of specific security metrics for metropolitan broadband access networks that aim to measure the efficiency of security programs and support action planning against detected problems. The approach presented in this work show metrics developed for these networks and parameters for metrics definition, such as a model for calculation of a security indicator of a metric. This paper also presents results achieved from application of the metrics reported here to establish security policies in the metropolitan broadband access network of Pedreira, a city located in the state of São Paulo, Brazil. These results show that well formed security metrics can be efficient in vulnerability detection and solutions of security issues. / Mestrado / Telecomunicações e Telemática / Mestre em Engenharia Elétrica

Uma arquitetura baseada em um modelo gerente-agente para análise integrada e automação da coleta dos dados de métricas de segurança / An architecture based on agent-manager model for integrated analysis and automated data collection of security metrics

Vieira, Liniquer Kavrokov, 1986-

23 August 2018

Orientador: Leonardo de Souza Mendes / Dissertação (mestrado) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação / Made available in DSpace on 2018-08-23T07:06:39Z (GMT). No. of bitstreams: 1 Vieira_LiniquerKavrokov_M.pdf: 2833674 bytes, checksum: cfa01ff7e4008f52022430c9b3fba925 (MD5) Previous issue date: 2013 / Resumo: A dependência cada vez maior das redes de computadores torna a segurança da informação um elemento chave para os avanços e a continuidade dos serviços em nossa sociedade. Métricas de segurança são desenvolvidas com o intuito de oferecer uma base quantitativa e objetiva para auxiliar o gerenciamento da segurança em uma organização. Porém, a utilização de métricas para medir o nível de segurança, quando realizada de uma forma manual, pode exigir uma grande quantidade de tempo e esforço para coleta dos dados. Este trabalho propõe uma arquitetura baseada em um modelo gerente-agente para permitir a automação da coleta dos dados de diversos componentes de uma rede de computadores, visando ampliar a aplicação das métricas e auxiliar no gerenciamento de segurança. Uma ferramenta para medição e coleta automatizada dos dados foi desenvolvida baseada na arquitetura proposta e aplicada em uma rede de computadores. A ferramenta, além de auxiliar o administrador de rede nas tomadas de decisões, também facilita o gerenciamento das métricas através de um modelo de visualização. Testes foram realizados e mostraram que a arquitetura proposta é capaz de integrar o controle das informações e auxiliar o processo de monitoramento da segurança / Abstract: The requirement of organizations on computer network makes information security a key element to the evolution and continuity of services in our society. Security metrics are developed in order to offer a quantitative and objective basis for security assurance. However, the use of metrics to measuring security level, when performed in manually, can require a higher time and effort for data collection. This study proposes architecture based on agent-manager management model to allow the automated data collection from several components in a computer network, aiming to expand the security metrics application and support the security management. A tool for measurement and automated data collection based on the proposed architecture were developed and applied in a real computer network. This tool helps the network administrator in decision making and also facilitates the metrics management through a visualization model. Tests were performed showing that the proposed architecture is able to integrate the control of information and support the security monitoring process / Mestrado / Telecomunicações e Telemática / Mestre em Engenharia Elétrica

An information security policy architecture with special reference to a tertiary institution.

Jordaan, Ansa

02 June 2008

This dissertation will be limited to the compilation of an Information Security Policy Architecture for a Tertiary Institution. An Information Security Policy Architecture for a Tertiary Institution is probably the most challenging architecture to develop in an environment where information accessibility is promoted. The Security Policy Architecture is a component of a complete Information Security Architecture, which will not be addressed in this dissertation. To mitigate and manage risks, it is essential to know what the information technology risks are and as a second step, to actively manage these risks to ensure that they stay within acceptable limits. The reporting and the monitoring of these risks open new fields of research and will not be discussed in this dissertation. / von Solms, S.H., Prof.

Information technology security measures

Computer security

Information security risk management: a holistic framework.

Bornman, Werner George

22 April 2008

Information security risk management is a business principle that is becoming more important for organisations due to external factors such as governmental regulations. Since due diligence regarding information security risk management (ISRM) is necessitated by law, organisations have to ensure that risk information is adequately communicated to the appropriate parties. Organisations can have numerous managerial levels, each of which has specific functions related to ISRM. The approaches of each level differ and this makes a cohesive ISRM approach throughout the organisation a daunting task. This task is compounded by strategic and tactical level management having specific requirements imposed on them regarding risk management. Tactical level management has to meet these requirements by instituting processes that can deliver on what is required. Processes in turn should be executed by operational level management. However, the available approaches of each managerial level make it impossible to communicate and consolidate information from the lower organisational levels to top level management due to the differing terminology, concepts and scope of each approach. This dissertation addresses the ISRM communication challenge through a systematic and structured solution. ISRM and related concepts are defined to provide a solid foundation for ISRM communication. The need for and institutions that impose risk management requirements are evaluated. These requirements are used to guide the solution for ISRM communication. At strategic level, governmental requirements from various countries are evaluated. These requirements are used as the goals of the communication processes. Different approaches at tactical and operational level are evaluated to determine if they can meet the strategic level requirements. It was found that the requirements are not met by most of the evaluated approaches. The Bornman Framework for ISRM Methodology Evaluation (BFME) is presented. It allows organisations to evaluate ISRM methodologies at operational level against the requirements of strategic management. This framework caters for the ability of ISRM methodologies to be adapted to organisational requirements. Developed scales allow for a qualitative comparison between different methodologies. The BFME forms the basis of the Bornman Framework for ISRM Information Communication (BFIC). This communication framework communicates the status of each ISRM component. This framework can be applied to any ISRM methodology after it has been evaluated by the BFME. The Bornman Risk Console (BRC) provides a practical implementation of the BFIC. The prototype utilises an existing ISRM methodology’s approach and provides decision-enabling risk information to top level management. By implementing the BRC and following the processes of the BFME and BFIC the differences in the approaches at each managerial level in different organisational structures are negated. These frameworks and prototype provide a holistic communication framework that can be implemented in any organisation. / Prof. L. Labuschagne

risk management

information technology security measures

computer security management

Epirismm: an enterprise information risk management model

Lategan, Neil

January 2006

Today, information is considered a commodity and no enterprise can operate without it. Indeed, the information and the supporting technology are pivotal in all enterprises. However, a major problem being experienced in the business environment is that enterprise risk cannot be managed effectively because business and information-related risk are not congruently aligned with risk management terminology and practices. The business environment and information technology are bound together by information. For this reason, it is imperative that risk management is synergised in the business, ICT (Information and Communication Technology) and information environments. A thorough, all inclusive, risk analysis exercise needs to be conducted in business and supporting environments in order to develop an effective internal control system. Such an internal control system should reduce the exposure of risk and aid the safeguarding of assets. Indeed, in today’s so-called information age, where business processes integrate the business and ICT environments, it is imperative that a unary internal control system be established, based on a holistic risk management exercise. To ensure that the enterprise, information and ICT environments operate free of the risks that threaten them, the risks should be properly governed. A model, EPiRISMM (Enterprise Information Risk Management Model) is proposed that offers to combine risk management practices from an ICT, information, governance, and enterprise perspective because there are so many overlapping aspects inherent in them. EPiRISMM combines various well-known standards and frameworks into one coherent model. By employing EPiRISMM, an enterprise will be able to eliminate the traditional segmented approach of the ICT department and thus eliminate any previous discontinuity in risk management practices.

Risk management

Small business

Fostering information security culture through intergrating theory and technology

Van Niekerk, Johannes Frederick

January 2010

Today information can be seen as a basic commodity that is crucial to the continuous well-being of modern organizations. Many modern organizations will be unable to do business without access to their information resources. It is therefor of vital importance for organizations to ensure that their infor- mation resources are adequately protected against both internal and external threats. This protection of information resources is known as information security and is, to a large extent, dependent on the behavior of humans in the organization. Humans, at various levels in the organization, play vital roles in the pro- cesses that secure organizational information resources. Many of the prob- lems experienced in information security can be directly contributed to the humans involved in the process. Employees, either intentionally or through negligence, often due to a lack of knowledge, can be seen as the greatest threat to information security. Addressing this human factor in information security is the primary focus of this thesis. The majority of current approaches to dealing with the human factors in information security acknowledge the need to foster an information security culture in the organization. However, very few current approaches attempt to adjust the "generic" model(s) used to define organizational culture to be specific to the needs of information security. This thesis firstly proposes, and argues, such an adapted conceptual model which aims to improve the understanding of what an information security culture is. The thesis secondly focuses on the underlying role that information security educational programs play in the fostering of an organizational information security culture. It is argued that many current information security edu- cational programs are not based on sound pedagogical theory. The use of learning taxonomies during the design of information security educational programs is proposed as a possible way to improve the pedagogical rigor of such programs. The thesis also argues in favor of the use of blended and/or e-learning approaches for the delivery of information security educational content. Finally, this thesis provides a detailed overview demonstrating how the various elements contributed by the thesis integrates into existing trans- formative change management processes for the fostering of an organizational information security culture.

Data protection

Corporate culture -- South Africa

Mejora al Proceso de Monitoreo Continuo de Vulnerabilidades / Improvement in the Continuous Vulnerability Monitoring Process

Leon Vidalon, Igmar, Medina Ampuero, Pablo Jorge

05 August 2020

El presente trabajo de investigación tiene como objetivo mejorar el proceso de Monitoreo Continuo de Vulnerabilidades de la gerencia de Operaciones de Seguridad Tecnológica lo cual contribuye en gran medida a estar prevenidos y mitigar en gran medida cualquier problema que pueda aprovechar una amenaza externa e interna de Mibanco. El presente trabajo de investigación contiene seis capítulos entre los principales la definición del Marco Teórico, se desarrollaron los principales conceptos, antecedentes y se definieron las palabras claves relacionadas al tema principal del presente trabajo de investigación; en el capítulo de Desarrollo del Proyecto se evidenciara el problema con más detalle donde se formula el problema principal y el objetivo de mejora el cual estaría enfocado en la reducción sustancial de tiempo con el apoyo de tecnologías de información. / This research work aims to improve the Continuous Vulnerability Monitoring process of Technology Security Operations management, which greatly contributes to being prevented and greatly mitigating any problem that may take advantage of an external and internal threat from Mibanco. This research work contains six chapters, the main ones being the definition of the Theoretical Framework, the main concepts, antecedents were developed and the key words related to the main topic of this research work were defined; In the Project Development chapter the problem will be shown in more detail where the main problem is formulated and the improvement objective which would be focused on the substantial reduction of time with the support of information technologies. / Tesis

Seguridad tecnológica

Vulnerabilidades

Monitoreo tecnológico

Technology security

Vulnerability

Technology monitoring

Dynamic capabilities and strategic management : explicating the multi-level nature of dynamic capabilities : insights from the information technology security consulting industry

Akpobi, Tega Cosmos

January 2017

The dynamic capabilities perspective has become one of the most vibrant approaches to strategic management. Despite its growing popularity, it has faced criticism because of ambiguity and contradictions in dynamic capabilities literature. There has been increasing calls to address the fragmentation in the literature and provide empirically collaborated insights if it is to fulfil its potential as a distinct approach to strategic management. The microfoundations research agenda remains an emerging theme in the dynamic capabilities literature and since the overarching emphasis of a microfoundational approach is in the explanatory primacy of the micro-level especially in its relation to macro-level entities, it covers a wide array of subjects at several levels. One of the main criticisms of the microfoundations approach is a lack of multi-level analysis and there has been calls for multi-level theory development to connect levels within particular contexts since dynamic capabilities are path dependent and context-specific. This thesis explores the multi-level nature of dynamic capabilities in the Information Technology Security context and empirically investigates the impact of microfoundations of dynamic capabilities on firm capability renewal and reconfiguration. It overcomes the challenge associated with fragmentation in dynamic capabilities by presenting a conceptual model for the multi-level nature of dynamic capabilities. By explicating where dynamic capabilities reside, we can more purposely impact on them to advance our scholarly understanding and proffer practical managerial interventions to directly enhance specific abilities of sensing, seizing and reconfiguring to achieve superior outcomes. The research employed the Gioia qualitative case study research methodology and research methods used were 35 semi-structured interviews and observations. The research findings suggest that firms renew and reconfigure their capabilities to align with the changing industry and industry standards, and client needs. Firms also renew and reconfigure capabilities and capability framework due to internal strategic organisational learning and to align with firm’s specific business strategies. Capability renewal and reconfiguration is vital to achieve technical and evolutionary fitness. In addition, findings inform that dynamic capabilities in the form of ability to sense, seize and reconfigure exhibit at macro, meso and micro levels. Actor’s external engagement with significant institutions enables superior sensing ability. Accumulated experience is exploited to gain credibility with clients to win business, and demystifying firm processes and clarity of language in firm artefacts achieve superior knowledge articulation and codification processes by actors. Structuring of simple routines and capabilities enable ease of internal knowledge transfer but susceptibility to intellectual property theft by outsiders whereas complex routines and capabilities create challenges for knowledge transfer but are harder for competitors to discern and copy. Drawing on the research findings, the thesis presents a conceptual model for the multi-level microfoundations of dynamic capabilities in knowledge-intensive domains with relevance for theory and practice.