  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
251

The Challenges of Implementing Bring Your Own Device

DeShield, Leslie 01 January 2017 (has links)
Research conducted by Tech Pro (2014) indicated that the Bring Your Own Device (BYOD) concept is gaining momentum with 74% of organizations already having some BYOD program or planning to implement one. While BYOD offers several benefits, it also presents challenges that concern information technology leaders and information security managers. This correlational study used the systems theory framework to examine the relationship between information security managers' intentions, perceptions of security, and compliance regarding BYOD implementation. Participants of the study consisted of information security managers in the eastern United States who had obtained the Certified Information Systems Manager certification. Data was collected from 94 information security managers through a survey instrument. The survey instrument integrated three other instruments with proven reliability developed by other researchers. Data was analyzed using a multiple regression analysis to test for a relationship between the variables of the study (security, compliance, and intent to implement BYOD). The multiple regression conducted in this study was insignificant, indicating a relationship did not exist between the study's variables (F(2, 86) = 0.33, p = .718, R² = .00). A significant negative relationship was found between security and compliance indicating a weakly negative correlation (r = -.26, p = .016). Using the results from the study, information technology leaders may be able to develop strategies from which to implement BYOD successfully. Implications for social change include increased knowledge of securing personal devices for employees and consumers in general and reduction in costs associated with security and data breaches.
252

我國行政機關資訊安全管理之研究 / A Study of Information Security Management in Our Country's Administrative Agencies

黃慶堂, Huang, Chin-Tung Unknown Date (has links)
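Looking back over the history of office automation, from the early development of auxiliary equipment meant to reduce administrative costs and raise operating efficiency, to today's widespread use of computers and the far-reaching Internet, the flood of information technology is hitting organizations in wave after wave, and the administrative branch cannot stay out of it. With respect to the organization's internal environment, information technology is severely testing the traditional pyramid-shaped organizational structure; the ease with which information circulates over networks puts the position of middle managers in jeopardy and affects the decision-making model and management style of the whole organization. With respect to the organization's external environment, electronic government, through network connections, lets citizens enjoy more convenient, higher-quality services, obtain more information and use more open communication channels, and even affects the substance of democratic politics as a whole. The impact of information technology on the operating processes and outputs of administrative organizations grows by the day, and the positive and negative effects it brings are a serious issue we must face. Among the positive effects, the change in the quality and quantity of information access has lowered the communication barriers between citizens and administrative agencies; people can obtain agency information at any time to meet their needs, electronic government has become a goal of government policy, and "open administration" has become an inevitable future trend. As for protecting agencies' information property rights, because information technology has "digitized" entire archive databases and made official-document messages "electronic", traditional document workflows and archive preservation methods have changed fundamentally; the archive room is no longer a place that laboriously stores large volumes of files, and in future the information office (center) of each agency will be the center of information flow and data preservation. Therefore, facing the future demands of democratic administration and the trend toward "open administration", administrative agencies should manage agency data effectively, protect confidential information and citizens' personal privacy, prevent destruction, theft and tampering by wrongdoers, and seek an efficient and fair management approach between the use of public information and the protection of agency information property rights. Administrative agencies should recognize that: (1) The meaning of information security management changes with the times; with the rapid advance of information technology and under public demand for open administration, the interdependent, subjective, human and dynamic characteristics of information security management problems will gradually emerge and deeply affect the internal and external operation of organizations. (2) A complete information security management system must fully cover the sub-systems inside and outside the organization and be politically, legally, economically, administratively, technically and temporally feasible within the overall environment. (3) The purpose of an administrative agency's information security management system is to achieve confidentiality, integrity and availability in the agency's use of information, while its function is to find a balance between protecting agency property and privacy rights and the reasonable use of the public information the agency should provide. (4) Sound information security management, in addition to support from management and assistance from experts, depends on well-developed rules governing use within the organizational environment and on building an information security ethic among information users. (5) Information security management research will keep expanding and updating its content as information technology continues to develop; government should plan new laws and training with a more forward-looking view and build information security ethics to meet future needs. As early as twenty-six years ago (1973), the public administration scholar H. A. Simon studied the impact of information technology on organizations and considered how to structure organizations effectively so as to facilitate the processing and storage of information. Norman J. Ream (1968), in "The Impact of Computers on Government Organization", pointed out that in the foreseeable future government organizations would increasingly be structured according to information flows and the location of decision points. To respond to the information society, the Research, Development and Evaluation Commission of the Executive Yuan completed "A Study of Information Legislation" in the 73rd year of the Republic of China, establishing that the development of information technology must address "respect for intellectual property rights", "prevention of computer crime", "strengthening information security" and "establishing the legal status of documents"; more recently, information security legislation such as the "Computer-Processed Personal Data Protection Act" and the "Operating Guidelines for Computer Software Management in Government Agencies at All Levels" has been enacted in succession. However, the theoretical and practical research above still emphasizes the protection of agency property rights and confidential information; to avoid falling into the rut of a functionalist paradigm that puts "efficiency" first, due attention should be given to a new humanist paradigm of communication, fairness and respect. That is, in an environment of democratic administration, the fair and reasonable use of information should be regarded as a purpose of information security management rather than as having merely instrumental value; the public sector should abandon its past "closed-door" mentality and, with breadth of mind and a view that combines "efficiency" and "fairness", face the challenges of the information society.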
253

Die Rolle der Social Media im Information Security Management / The Role of Social Media in Information Security Management

Humpert-Vrielink, Frederik 30 May 2014 (has links) (PDF)
No description available.
254

POLÍTICA DE SEGURANÇA DA INFORMAÇÃO: UMA ESTRATÉGIA PARA GARANTIR A PROTEÇÃO E A INTEGRIDADE DAS INFORMAÇÕES ARQUIVÍSTICAS NO DEPARTAMENTO DE ARQUIVO GERAL DA UFSM / INFORMATION SECURITY POLICY: A STRATEGY TO ENSURE THE SECURITY AND INTEGRITY OF THE DEPARTMENT OF ARCHIVAL INFORMATION IN THE GENERAL ARCHIVING DEPARTMENT OF THE UFSM

Sfreddo, Josiane Ayres 06 December 2012 (has links)
Presents a study on information security in order to propose an Information Security Policy for the Department of General Archives (DAG) of the Federal University of Santa Maria (UFSM), as a way of enabling the protection, availability and secure access to archival (non-digital) information in the university context. It is characterized as exploratory research with a qualitative approach, taking the form of a case study, because it involves the study of a particular subject, allowing broad and detailed knowledge of it. First, a more detailed study was made of the standard ABNT NBR ISO/IEC 27002, which is a code of practice for information security that provides guidelines for the implementation of an Information Security Policy, based on regulations in accordance with institutional purposes. The study aimed, at first, to adapt the requirements and controls present in this standard to the archival context, focusing on the protection of non-digital information, which characterizes it as research in the Documentary Heritage line. Thus, the Adaptation of the Standard for archival science followed the structure of the original standard, seeking to provide archival institutions with a tool to support the development of an Information Security Policy, enabling non-digital information to be protected in a more secure and reliable way. To compose this policy, data were collected through a structured interview with questions about information security, based on the standard ABNT NBR ISO/IEC 27002, the previous study and the Adaptation of the Standard for the archival context. From the analysis of the data collected at the DAG, it can be verified that the problems that cause threats to the security of non-digital information in the department are directly related to deficient security perimeters and to the absence of physical access control, including entries and exits. Based on these security actions, it was possible, together with the Adaptation of the Standard, to propose controls to be applied in order to prevent further incidents.
In this way it was possible to structure the Information Security Policy Document, representing the materialization of the Security Policy according to the needs presented by the DAG. This document will serve as a fundamental support instrument to guide employees, users and third parties in carrying out institutional activities. However, it is up to the department to approve and implement it in order to prevent incidents, thereby providing secure, reliable and continuous access to the non-digital information in its custody.
255

Threats in Information Security : Beyond technical solutions. - Using Threat Tree Analysis / Hot mot Informationssäkerhet : Bortom tekniska lösningar. - Använda Hotträdsanalys

Olandersson, Sandra, Fredsson, Jeanette January 2001 (has links)
To be able to protect an organisation's resources, it is important to understand what there is to protect and what to protect it from. The first step is to analyse the security threats that exist against an organisation's resources in order to assess the risks. Threats have to be identified for the organisation to protect its resources and find the optimal placement of measures against threats. This thesis analyses whether it is possible to obtain a Threat Tree Analysis that is useful for developing an information security policy for the municipality of Ronneby, using the SS 62 77 99-1 standard. Co-operation between the technical solutions and the administrative security is necessary to achieve information security, together with ordinary common sense. True, each of these can help improve security, but none of them is a complete solution. Security is not a product - it is a process. Threat trees form the basis of understanding that process. In this thesis, we have used a qualitative method. The analysis method is a case study at the Social Department of the municipality of Ronneby. Through interviews we have found that the organisation has not established an information security policy, which should give the code of practice for how information security work is to be pursued within the organisation. Today the organisation uses neither a model for structuring threats nor a method for collecting threats against information. Through the structure of possible threats, the personnel gain an understanding of the organisation and take an active part in finding adequate threats within the Social Department. As users understand the importance of security, how to use it, and where to report suspected violations, they can do a great deal to reduce the risk of losing information.
It is important to remember that education is an ongoing process: new users need training and trained users need reminding, especially when new technologies or processes are introduced. Thus, Threat Tree Analysis is useful for continuing towards developing an information security policy according to the SS 62 77 99-1 standard.
256

Informačná bezpečnosť a riadenie rizík v konkrétnej spoločnosti / Information security and risk management in a particular company.

Slávková, Daniela January 2012 (has links)
The aim of the thesis is to apply the methodology of qualitative risk analysis according to ISO/IEC 27005:2011, to increase awareness of existing threats and impacts on information assets, and to propose security precautions that minimize the identified threats in a particular company. The thesis is divided into five chapters. The introductory chapter explains the basic concepts of information security and risk management in an organization that are necessary for understanding the principles and the importance of information security. The second chapter deals with the international standards aimed at information security and briefly describes ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005. The following two chapters form a smooth transition from the theoretical to the practical part. The third chapter characterizes the selected company and describes the current state of information security in the company. The fourth chapter forms the methodological apparatus of qualitative risk analysis, compiled in accordance with ISO/IEC 27005:2011. It also contains a list of relevant threats to which the company's assets are exposed. The last chapter is devoted to the qualitative risk analysis, together with a draft of the precautions to minimize the risks. The practical section shows that by implementing the proposed actions the company will reduce existing risks to acceptable levels and will significantly improve the protection of information assets.
257

Compound Effects of Clock and Voltage Based Power Side-Channel Countermeasures

Lagasse, Jacqueline 15 July 2020 (has links)
The power side-channel attack, which allows an attacker to derive secret information from power traces, continues to be a major vulnerability in many critical systems. Numerous countermeasures have been proposed since its discovery as a serious vulnerability, including both hardware and software implementations. Each countermeasure has its own drawback, with some of the highly effective countermeasures incurring large overhead in area and power. In addition, many countermeasures are quite invasive to the design process, requiring modification of the design and therefore additional validation and testing to ensure its accuracy. Less invasive countermeasures that do not require directly modifying the system do exist but often offer less protection. This thesis analyzes two non-invasive countermeasures and examines ways to maximize the protection offered by them while incurring the least amount of overhead. These two countermeasures are called clock phase noise (CPN) and voltage noise (VN), and are placed on the same FPGA as an AES encryption module that we are trying to protect. We test these designs against a highly effective algorithm called correlation power analysis (CPA) and a preprocessing technique called the sliding window attack (SW). We found that the combined effect of the two countermeasures was greater than the impact of either countermeasure when used independently, and published a paper in the 2019 IEEE 30th International Conference on Application-specific Systems, Architectures and Processors (ASAP) on our findings. We found that our best combined countermeasure protected about 76% of the maximum amount of traces that a well-known but invasive competitor, wave dynamic differential logic (WDDL), could with only about 41% of the area and 78% of the power. However, the sliding window attack significantly reduced the amount of protection our combined countermeasure could offer to only 11% of that offered by WDDL.
Since then, we updated our methodology and made some adjustments to VN and CPN. Our CPN countermeasure greatly improved, and therefore so did our combined countermeasure, which on average protected up to about 90% of the maximum amount of traces that WDDL could with only about 43% of the area and about 60% of the power. This is remarkable because these results are after the sliding window attack, meaning that our post-proposal countermeasures protect almost as well as WDDL while requiring only about half of the resources.
258

Návrh zavedení bezpečnostních opatření v souladu s ISMS pro obchodní společnost / Design of security countermeasures implementation in accordance with ISMS for business company

Dočekal, Petr January 2018 (has links)
The master’s thesis focuses on the area of security countermeasures in accordance with an information security management system. It presents the basic theoretical background of information and cyber security and describes the current state in the company. The thesis’s output is the design of a security countermeasures implementation which contributes to information security in the company.
259

Budování bezpečnostního povědomí na fakultě podnikatelské / Building security awareness at the Faculty of Business and Management

Volfová, Jana January 2021 (has links)
This diploma thesis is focused on Security Awareness Education at the Faculty of Business and Management. It consists of three main parts: theoretical, analytical and practical. The theoretical part is an introduction to the basic terms, processes and analyses needed to understand the thesis. The analytical part includes an introduction to the chosen organization and the implementation of the analyses that were presented in the theoretical part. The practical part contains, among other things, the actual proposals for Security Awareness Education at the faculty and its benefits.
260

Zavedení managementu informační bezpečnosti v malém podniku / The Implementation of Information Security Management System in Small Company

Čampula, Roman January 2013 (has links)
This master’s (diploma) thesis analyzes the security situation of a software company. It contains the theoretical information necessary for introducing an information security system and demonstrates the method of its application. On the basis of a security risk analysis, it suggests the measures currently necessary to achieve the required information security in the company. The whole thesis is based on the ČSN ISO/IEC 27001:2006 standard.
