1 | A framework for information security management in local government
De Lange, Joshua. January 2017.
Information has become so pervasive within enterprises and everyday life, that it is almost indispensable. This is clear as information has become core to the business operations of any enterprise. Information and communication technology (ICT) systems are heavily relied upon to store, process and transmit this valuable commodity. Due to its immense value, information and related ICT resources have to be adequately protected. This protection of information is commonly referred to as information security.

2 | A brain-compatible approach to the presentation of cyber security educational material
Reid, Rayne. January 2012.
Information is an extremely important asset in modern society. It is used in most daily activities and transactions, and, thus, the importance of information is acknowledged by both organisational and private home information users. Unfortunately, as with any asset, there are often threats to this asset and, therefore, an information security solution is required to protect information against potential threats. Human beings play a major role in the implementation and governing of an entire information security process and, therefore, they have responsibilities in this regard. Thus, the effectiveness of any information security solution in either an organisational or a private context is dependent on the human beings involved in the process. Accordingly, if these human beings are either unaware or not knowledgeable about their roles in the security solution, they become the weak link in the information security solution and, thus, it is essential that all these information users be educated in order to combat any threats to the information security. Many of the current information security education programmes and materials are not effective, possibly because the majority of these current approaches have been designed without using a sound pedagogical theory. In addition, many of these programmes also only target organisational users. This, in turn, is problematic as information security education is required by everybody, organisational and private information users alike. This dissertation addressed the lack of a pedagogical basis in the designing of information security educational courses suited to an extremely broad target audience. Accordingly, the dissertation set out to demonstrate how a pedagogy, which is broadly used and accepted for a diverse target audience of learners, could be applied to the design of the presentation of a web-based cyber security educational course.

3 | Integrating information security into corporate culture
Thomson, Kerry-Lynn. January 2003.
Introduction: There are many components that are required for an organisation to be successful in its chosen field. These components vary from corporate culture, to corporate leadership, to effective protection of important assets. These and many more contribute to the success of an organisation. One component that should be a definitive part in the strategy of any organisation is information security. Information security is one of the fastest growing sub-disciplines in the Information Technology industry, indicating the importance of this field (Zylt, 2001, online). Information security is concerned with the implementation and support of control measures to protect the confidentiality, integrity and availability of electronically stored information (BS 7799-1, 1999, p 1). Information security is achieved by applying control measures that will lessen the threat, reduce the vulnerability or diminish the impact of losing an information asset. However, as a result of the fact that an increasing number of employees have access to information, the protection of information is no longer only dependent on physical and technical controls, but also, to a large extent, on the actions of employees utilising information resources. All employees have a role to play in safeguarding information and they need guidance in fulfilling these roles (Barnard, 1998, p 12). This guidance should originate from senior management, using good corporate governance practices. The effective leadership resulting from good corporate governance practices is another component in an organisation that contributes to its success (King Report, 2001, p 11). Corporate governance is defined as the exercise of power over and responsibility for corporate entities (Blackwell Publishers, 2000, online). Senior management, as part of its corporate governance duties, should encourage employees to adhere to the behaviour specified by senior management to contribute towards a successful organisation. 
Senior management should not dictate this behaviour, but encourage it as naturally as possible, resulting in the correct behaviour becoming part of the corporate culture. If the inner workings of organisations are explored, it would be found that there are many hidden forces at work that determine how senior management and the employees relate to one another and to customers. These hidden forces are collectively called the culture of the organisation (Hagberg Consulting Group, 2002, online). Cultural assumptions in organisations grow around how people in the organisation relate to each other, but that is only a small part of what corporate culture actually covers (Schein, 1999, p 28). Corporate culture is the outcome of all the collective, taken-for-granted assumptions that a group has learned throughout history. Corporate culture is the residue of success. In other words, it is the set of procedures that senior management and employees of an organisation follow in order to be successful (Schein, 1999, p 29). Cultivating an effective corporate culture, managing an organisation using efficient corporate governance practices and protecting the valuable information assets of an organisation through an effective information security program are, individually, all important components in the success of an organisation. One of the biggest questions with regard to these three fields is the relationship that should exist between information security, corporate governance and corporate culture. In other words, what can the senior management of an organisation, using effective corporate governance practices, do to ensure that information security practices become a subconscious response in the corporate culture?

4 | Information security assurance model for an examination paper preparation process in a higher education institution
Mogale, Miemie. January 2016.
In today’s business world, information has become the driving force of organizations. With organizations transmitting large amounts of information to various geographical locations, it is imperative that organizations ensure the protection of their valuable commodity. Organizations should ensure that only authorized individuals receive, view and alter the information. This is also true for Higher Education Institutions (HEIs), which need to protect their examination papers, amongst other valuable information. With various threats waiting to take advantage of the examination papers, HEIs need to be prepared by equipping themselves with an information security management system (ISMS), in order to ensure that the process of setting examination papers is secure, and protects the examination papers within the process. An ISMS will ensure that all information security aspects are considered and addressed in order to provide appropriate and adequate protection for the examination papers. With the assistance of information security concepts and information security principles, the ISMS can be developed in order to secure the process of preparing examination papers and to protect the examination papers from potential risks. Risk assessment forms part of the ISMS, and is at the centre of any security effort; the reason being that to secure an information environment, knowing and understanding the risks is imperative. Risks pertaining to that particular environment need to be assessed in order to deal with them appropriately. In addition, very important to any security effort is ensuring that employees working with the valuable information are made aware of these risks, and are able to protect the information. Therefore, the role players (within the examination paper preparation process (EPPP)) who handle the examination papers on a daily basis have to be equipped with means of handling valuable information in a secure manner.
Some of the role players’ behaviour and practices while handling the information could be seen as vulnerabilities that could be exploited by threats, resulting in the compromise of the CIA of the information. Therefore, it is imperative that role players are made aware of their practices and behaviour that could result in a negative impact for the institution. This awareness forms part of, and is addressed in, the ISMS.

5 | A baseline for information security knowledge for end users
Boshoff, Ryno. January 2012.
Information plays a vast contributing role to all resources within an organisation. Organisations should recognise the importance of information and implement information security controls to protect their information, as this will ensure that the organisation's information retains its confidentiality, integrity and availability. Information security controls, which are the means of managing information risks, rely heavily on the user's knowledge regarding the use of these controls for their effectiveness, and as such, users should be educated in order to maximise the effectiveness of these controls. Current information security educational programmes are created without necessarily taking into account the target audience, which comprises all employees, stakeholders, suppliers, third parties, customers or other external parties that require access to the organisation's information. This results in programmes that are not linguistically appropriate, or that present knowledge at an inappropriate level for the target audience. This could leave users bored or confused, without successfully changing their behaviour or improving knowledge. This dissertation identifies a baseline for information security knowledge targeted at end users. This was done by means of a Delphi Study, where a profile of "generic" end users, comprised of information security topics and concepts, was rated by experts from the field of information security education. This resulted in the elimination of inappropriate topics and concepts and the retention of the relevant and appropriate aspects. This baseline for information security knowledge can be characterised as a minimum standard that everybody should be educated on as an introductory or refresher course. This can also serve as the foundation phase to educate end users with knowledge of the basic topics and concepts to enable them to fulfil their responsibilities in order to protect information.
If needed, topics and concepts could be added to the baseline for information security knowledge for specialised target audiences (e.g. specialised End Users, ICT Staff or Top Management).

6 | Managing an information security policy architecture: a technical documentation perspective
Maninjwa, Prosecutor Mvikeli. January 2012.
Information and the related assets form critical business assets for most organizations. Organizations depend on their information assets to survive and to remain competitive. However, the organization’s information assets are faced with a number of internal and external threats, aimed at compromising the confidentiality, integrity and/or availability (CIA) of information assets. These threats can be of a physical, technical or operational nature. For an organization to successfully conduct its business operations, information assets should always be protected from these threats. The process of protecting information and its related assets, ensuring the CIA thereof, is referred to as information security. To be effective, information security should be viewed as critical to the overall success of the organization, and therefore be included as one of the organization’s Corporate Governance sub-functions, referred to as Information Security Governance. Information Security Governance is the strategic system for directing and controlling the organization’s information security initiatives. Directing is the process whereby management issues directives, giving a strategic direction for information security within an organization. Controlling is the process of ensuring that management directives are being adhered to within an organization. To be effective, Information Security Governance directing and controlling depend on the organization’s Information Security Policy Architecture. An Information Security Policy Architecture is a hierarchical representation of the various information security policies and related documentation that an organization uses. When directing, management directives should be issued in the form of an Information Security Policy Architecture, and controlling should ensure adherence to the Information Security Policy Architecture.
However, this study noted that in both literature and organizational practices, Information Security Policy Architectures are not comprehensively addressed and adequately managed. Therefore, this study argues towards a more comprehensive Information Security Policy Architecture, and the proper management thereof.

7 | Using agreements as an abstraction for access control administration
Reyneke, André. January 2007.
The last couple of decades saw lots of changes in the business world. Not only did technology change at a rapid pace, but businesses' views with respect to the role that information plays also changed drastically. Information is now seen as a strategic resource. This change paved the way for the so-called knowledge worker that not only consumes information, but actively participates in creating new knowledge from information. Employees must therefore be empowered to fulfill their new role as knowledge workers. Empowerment happens through job redefinition and by ensuring that the appropriate information is at hand. Although information is more readily available to employees, appropriate access controls must still be implemented. However, there is conflict between the need to share information and the need to keep information confidential. These conflicting needs must be reflected in the administration of access control. In order to resolve these conflicts, a finer granularity of access controls must be implemented. However, to implement a finer granularity of access control, an increase in the number of access controls and, therefore, the administrative burden is inevitable. Access control administrators must cater for a potentially large number of systems. These systems can be heterogeneous not only as far as architecture and technology are concerned, but also with respect to access control paradigms. Vendors have realized that human involvement must be minimized, giving birth to so-called "provisioning systems". Provisioning systems, in principle, automate certain parts of access control administration. However, currently, implementations are done in an ad hoc manner, that is, without a systematic process of identifying the real access control needs. This study aims to address this problem by proposing the "agreement abstraction" as a possible vehicle for systematically analyzing the access control requirements in a business.
In essence, the agreement abstraction allows us to identify opportunities where access control can be automated. A specific methodological approach is suggested whereby the business is analysed in terms of business processes, as opposed to the more traditional resource perspective. Various business processes are used as examples to explain and motivate the proposed agreement abstraction further. This dissertation therefore contributes to the field of discourse by presenting a new abstraction that can be used systematically to analyse access control administration requirements.

8 | Toward Usable Access Control for End-users: A Case Study of Facebook Privacy Settings
Johnson, Maritza Lupe. January 2012.
Many protection mechanisms in computer security are designed to enforce a configurable policy. The security policy captures high-level goals and intentions, and is managed by a policy author tasked with translating these goals into an implementable policy. In our work, we focus on access control policies where errors in the specified policy can result in the mechanism incorrectly denying a request to access a resource, or incorrectly allowing access to a resource that the requester should not have access to. Due to the need for correct policies, it is critical that organizations and individuals have usable tools to manage security policies. Policy management encompasses several subtasks including specifying the initial security policy, modifying an existing policy, and comprehending the effective policy. The policy author must understand the configurable options well enough to accurately translate the desired policy into the implemented policy. Specifying correct security policies is known to be a difficult task; prior work has contributed policy authoring tools that are more usable than the prior art, and other work has also shown the importance of the policy author being able to quickly understand the effective policy. Specifying a correct policy is difficult enough for technical users, and now, increasingly, end-users are being asked to make access control decisions in regard to who can access their personal data. We focus on the need for an access control mechanism that is usable for end-users. We investigated end-users who are already managing an access control policy, namely social network site (SNS) users. We first looked at how they manage the access control policy that defines who can access their shared content. We accomplish this by empirically evaluating how Facebook users utilize the available privacy controls to implement an access control policy for their shared content, and found that many users have policies that are inconsistent with their sharing intentions.
Upon discovering that many participants claim they will not take corrective action in response to inconsistencies in their existing settings, we collected quantitative and qualitative data to measure whether SNS users are concerned with the accessibility of their shared content. After confirming that users do in fact care about who accesses their content, we hypothesize that we can increase the correctness of users' SNS privacy settings by introducing contextual information and specific guidance based on their preferences. We found that the combination of viewership feedback, a sequence of direct questions to audit the user's sharing preferences, and specific guidance motivates some users to modify their privacy settings to more closely approximate their desired settings. Our results demonstrate the weaknesses of ACL-based access control mechanisms, and also provide support that it is possible to improve the usability of such mechanisms. We conclude by outlining the implications of our results for the design of a usable access control mechanism for end-users.

9 | Infosure: an information security management system
Venter, Diederik Petrus. 04 June 2008.
Information constitutes one of an organisation’s most valuable assets. It provides the modern organisation with a competitive edge and in some cases, is a requirement merely to survive. An organisation has to protect its information but due to the distributed, networked environment of today, faces a difficult challenge; it has to implement a system of information security management. Software applications can provide significant assistance in managing information security. They can be used to provide for centralised feedback of information security related activities as well as for centralised configuration activities. Such an application can be used in enforcing compliance to the organisation’s information security policy document. Currently there are a number of software products that provide this function in varying measures. In this research the major players in this space were examined to identify the features commonly found in these systems, and where they were lacking in terms of affordability, flexibility and scalability. A framework for an information security management application was defined based on these features and requirements and incorporating the idea of being affordable, but still flexible and extendable. This shifted the focus from attempting to provide a comprehensive list of interfaces and measurements into general information security related activities, to focusing on providing a generic tool that could be customised to handle any information fed back to it. The measurements could then be custom-developed as per the needs of the organisation. This formed the basis on which the prototype information security management application (InfoSure) was developed. / Prof. S.H. Solms

10 | Information security risk management: a holistic framework
Bornman, Werner George. 22 April 2008.
Information security risk management is a business principle that is becoming more important for organisations due to external factors such as governmental regulations. Since due diligence regarding information security risk management (ISRM) is necessitated by law, organisations have to ensure that risk information is adequately communicated to the appropriate parties. Organisations can have numerous managerial levels, each of which has specific functions related to ISRM. The approaches of each level differ and this makes a cohesive ISRM approach throughout the organisation a daunting task. This task is compounded by strategic and tactical level management having specific requirements imposed on them regarding risk management. Tactical level management has to meet these requirements by instituting processes that can deliver on what is required. Processes in turn should be executed by operational level management. However, the available approaches of each managerial level make it impossible to communicate and consolidate information from the lower organisational levels to top level management due to the differing terminology, concepts and scope of each approach. This dissertation addresses the ISRM communication challenge through a systematic and structured solution. ISRM and related concepts are defined to provide a solid foundation for ISRM communication. The need for and institutions that impose risk management requirements are evaluated. These requirements are used to guide the solution for ISRM communication. At strategic level, governmental requirements from various countries are evaluated. These requirements are used as the goals of the communication processes. Different approaches at tactical and operational level are evaluated to determine if they can meet the strategic level requirements. It was found that the requirements are not met by most of the evaluated approaches. The Bornman Framework for ISRM Methodology Evaluation (BFME) is presented. 
It allows organisations to evaluate ISRM methodologies at operational level against the requirements of strategic management. This framework caters for the ability of ISRM methodologies to be adapted to organisational requirements. Developed scales allow for a qualitative comparison between different methodologies. The BFME forms the basis of the Bornman Framework for ISRM Information Communication (BFIC). This communication framework communicates the status of each ISRM component. This framework can be applied to any ISRM methodology after it has been evaluated by the BFME. The Bornman Risk Console (BRC) provides a practical implementation of the BFIC. The prototype utilises an existing ISRM methodology’s approach and provides decision-enabling risk information to top level management. By implementing the BRC and following the processes of the BFME and BFIC the differences in the approaches at each managerial level in different organisational structures are negated. These frameworks and prototype provide a holistic communication framework that can be implemented in any organisation. / Prof. L. Labuschagne