行政院僑務委員會資訊安全管理現況分析 / A study of information security management -a case of OCAC

林劭怡

Unknown Date

本研究以資訊安全管理的觀點以個案研究的方式，從機關資訊安全管理的策略、技術、組織、人力以及環境等五個面向切入，訪談機關中資訊單位與業務單位人員，藉以深入探討僑務委員會的資安現況以及目前資訊安全管理所遭遇的困難，並且進一步的提出可能的解決方式以及本研究發現的研究命題。 本研究歸納出四點結論：(1)主管對於機關資訊安全的重視影響部屬對機關資訊安全管理措施的遵循與重視；(2)資訊人員跨部門溝通能力略微不足；(3)教育訓練實際效果與預期目標之間存在落差，易導致溝通問題而引起業務單位反彈；(4)機關的核心業務未納入資訊安全驗證範圍中，無法完備資安管理之落實。 針對研究發現，本研究提出之解決方法為：(1)加強資訊人員之跨部門溝通能力；(2)採取更有效的教育訓練方式；(3)將核心業務納入資訊安全驗證範圍中以確保資訊安全管理。 / Based on the theory of informationsSecurity management, The study conduct a case study of qualitative approach.Five propositions are delveloped according to the strategy of information security management, technologies, organizations, human resource and environments and the interviews of the staff of Overseas Compatriot Affairs Commission (OCAC), including IT staff and business staff. IT attempts to find out the status quo and difficulties of information security management in OCAC. Furthermore,the study also proposes plausible solutions to resolve those diffculties. The study concludes with four aspect of conclusion: (1) The manager ‘high priority and attention to information security, ead to the OCAC employees’, will affect employees’ compliance with information security rules. (2) IT staff are found to be comparatively lack of the inter-departmental communication skill to promote information security (3) There is a gap between expectation and the practical effect which then causes (4) Because the OCAC core business are not included in the scope of information security management verification, the implementation very unlikely to complete as required. According to the previous findings, the study proposes propose the plausible resolution to advance information security management in OCAC, including (1) strengthening of the inter-departmental communication skill of IT staff (2) adopting more effective way to train the core business staff, and make sure its effectiveness. (3) core businesses should be included in the scope of information security management verification to ensure that completeness and effectiveness of information security management.

資訊安全管理

ISMS

Návrh zavedení ITSM s využitím rámce ITIL se zaměřením na bezpečnost / Design for ITSM implementation with the use of the ITIL framework focusing on security

Antalík, Dominik

January 2018

The diploma thesis solves proposals for improving the quality of providing IT services and their optimization in the interest of the company and its business goals. For the needs of user-friendly IT services with optimized cost, the processes, functions, roles of employees and technology need to be a benefit for the business. By adopting and adapting the ITIL framework, it will be possible to increase the efficiency and effectiveness of providing IT services, to clearly define the IT service management and to define the main processes with the relevant objectives. The ITIL framework uses best practices that have been successfully used in other organizations. Practically proven processes, improved service quality and long-term optimization with continuous improvement offer cost-cutting potential. ISO/IEC 27013:2015 provides guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 200001 will be helpful in maintaining the integrity of the current information security management system with the design of IT services management.

Zavedení ISMS pro základní školu / Implementation of ISMS at Elementary School

Hensl, Marek

January 2017

This diploma’s thesis deals with information security management system on elementary school. This work is based on long time experience with chosen school and on communication with representatives of elementary school. In this thesis are teoretical basics, specific state, shortcomings and proposed or recommended solutions.

Návrh systém managementu ISMS / Information security management system project

Kameníček, Lukáš

January 2011

This diploma thesis analyses the current state of information security management in an organization. In the theoretical part of the thesis general concepts are described as well as the relations between risk management and information security, applicable laws and standards. Further, the theoretical part deals with the risk analysis and risk management, strategies, standard procedures and methods applied in this field. In the practical part a methodology is suggested for information risk analysis in a particular organization and appropriate measures are selected.

An Empirical Investigation of the Economic Value of Information Security Management System Standards

Shoraka, Babak

01 January 2011

Within the modern and globally connected business landscape, the information assets of organizations are constantly under attack. As a consequence, protection of these assets is a major challenge. The complexities and vulnerabilities of information systems (ISs) and the increasing risks of failure combined with a growing number of security incidents, prompts these entities to seek guidance from information security management standards. The International Organization of Standardization (ISO) Information Security Management System (ISMS) standard specifies the requirements for establishing, operating, monitoring, and improving an information security management system within the context of an organization's overall business risks. Importantly, this standard is designed to ensure the selection of adequate information security controls for the protection of an organization's information assets and is the only auditable international standard for information security management. The adoption of, and certification against the ISO ISMS standard is a complex process which impacts many different security aspects of organizations and requires significant investments in information security. Although many benefits are associated with the adoption of an information security management standard, organizations are increasingly employing economic measures to evaluate and justify their information security investments. With the growing emphasis on the importance of understanding the economic aspects of information security, this study investigated the economic value of the ISO ISMS standard adoption and certification. The principles of the efficient market hypothesis and the event study methodology were employed to establish whether organizations realized economic gains from obtaining certification against the ISO ISMS standard. The results of this research showed that capital markets did not react to the ISO ISMS certification announcements. Furthermore, the capital market reaction to information security breaches was not different between ISO ISMS certified and non-certified firms. It was concluded that the ISO ISMS certification did not create economic value for the certified firms

Event study

Information secuity

Information security incidents

ISMS

Standards

Computer Sciences

An Automated Tool For Information Security Management System

Erkan, Ahmet

01 September 2006

This thesis focuses on automation of processes of Information Security Management System. In accordance with two International Standards, ISO/IEC 27001:2005 and ISO/IEC 17799:2005, to automate the activities required for a documented ISMS as much as possible helps organizations. Some of the well known tools in this scope are analyzed and a comparative study on them including &ldquo / InfoSec Toolkit&rdquo / , which is developed for this purpose in the thesis scope, is given. &ldquo / InfoSec Toolkit&rdquo / is based on ISO/IEC 27001:2005 and ISO 17799:2005. Five basic integrated modules constituting the &ldquo / InfoSec Toolkit&rdquo / are &ldquo / Gap Analysis Module&rdquo / , &ldquo / Risk Module&rdquo / , &ldquo / Policy Management Module&rdquo / , &ldquo / Monitoring Module&rdquo / and &ldquo / Query and Reporting Module&rdquo / . In addition a research framework is proposed in order to assess the public and private organizations&rsquo / information security situation in Turkey.

Fact of Disaster Recover Plan within Information Security Management System ¡ÐExample as CTS Corporation

Lee, Chun-Lung

18 July 2003

Abstract The motive of thesis is trying to find out the role of information system security via the researching company ¡V CTS Corporation¡¦s disaster recovery plan and present a model to discuss with that. While through the researching procedure, we found out that most of information security systems obey the BS 7799-2 and ISO 17799 even the CNS 17799 in the world. Through the help of investigation of the questionnaire, all evidence just show out that how to construct and recognize the information security system is the issue and trend for enterprise to do after the ISO 9000 and QS 9000. Since 1978, the case study company, CTS Corporation has had fire and evacuation procedures, which were informally supported by various committees. An emergency plan, which was issued March 24, 1980, incorporated the functions of these committees and provided more formalized procedures for responding to emergencies. The emergency plan was later reissued as know of ¡§CTS Corporation Disaster Recovery Plan¡¨ as one of policy to be followed. In thesis, widely discuss the risk and evaluation of information security and show up some of major case of the information security for domestic and international by sequence of the date. Present some of overview from industry¡Bgovernment and academic how to face such of information security around the enterprises. Final conduct of 10 control sets, 36 control subjects and 127 control items with 8 abstracts of ISO 17799 introduction from BS 7799-1 and BS 779902 with comparison of ISO 17799 totally. Compare and distinguish the variance from CTS Corporation and those of international standard for the information security system, we deploy 4 steps of development the information security system as of: Information Security Policy; Documentation and Implementation; Risks Management and Information Security Management Security (ISMS). Provide evidence of questionnaires of the case study company. Summary three of dimensions for five(5) issues of ¡§Environment & Infrastructure¡¨, seven(7) issues of ¡§Disaster Recovering Planning¡¨ and six(6) issues of ¡§Business Contingency Planning¡¨ to conduce a Disaster Recovery Planning¡¦s Deployment Model for seven steps of four scenario as a conclusion.

Disaster Recovery Plan

ISMS

Contingency Plan

BS 7799

CNS 17799

Risk Management

ISO 17799

Management Systems & Software Vulnerabilty : A cross sectional study on IT managers in the energy sector

Rodriguez, Rene, Knapp, Dalton

January 2018

The researchers want the results to support the management systems theory and the growingneed to apply strong standards. Upper level energy managers in the U.S need to be concernedbecause there are constant infrastructure risk disasters that are produced when internal softwareis compromised. The researchers want our empirical results to display the importance of thisproblem and see if the management systems theory is being used.

Management systems

software

risk management

energy

IT

ISMS

Business Administration

Företagsekonomi

Systém řízení bezpečnosti informací společnosti BluePool s.r.o. / Information Security Management System in the company BluePool s.r.o.

Menčík, Jan

January 2017

This master thesis deals with the topics Information Security Management by the group of ISO/IEC 27000 norms and implementation of the Information Security Management System (ISMS) in one particular company. The theoretical part describes the group of norms ISO/IEC 27000 and the legislation and institutions related to these norms. Then the theoretical framework of a risk analysis is introduced. The benefits and possible obstacles when implementing the ISMS in an organization with emphasis on small businesses is described at the end of the theoretical part. The practical part includes a complex risk analysis and measures to be taken for the revealed risks. Furthermore, it involves the settings of the information security internal rules in the company Bluepool s.r.o. with regard to the risk management and information security policy. The conclusion of this part puts forward a proposal of the process and examples of implementation, time schedule and budget for implementation of adopted measures.

Integrace ISMS/ISO 27001/ISO 27002 do společnosti RWE / Integration of ISMS/ISO 27001/ISO 27002 to RWE company

Peroutka, Tomáš

January 2011

The main theme of this diploma thesis is Information Security Management System (ISMS) which is based on security standard ISO 27001 and ISO 27002. This thesis is one part of the project of integration ISMS to company RWE. First goal is analysis of actual documentation of RWE. Second goal is proposal of ideal structure of ISMS documentation. Third goal is assignment the parts of RWE documentation to ideal structure of ISMS documentation. Analysis of actual documentation used knowledge about RWE documentation to create overview table with all documents and their relations. Ideal structure of ISMS documentation was based on selected parts of ISO 27001 and multicriterial analysis. Third goal of this thesis was reached by assignment parts of RWE documentation to selected parts of ISO 27001 from the second goal. Contribution of this diploma thesis is the ideal structure of ISMS documentation and form of old RWE documentation assignment, because these goals are usual steps of PDCA cycle of ISMS but they are described briefly and sparsely in security standards and works related to ISMS.