41 |
Study on Architecture-Oriented Information Security Management Model / Tsai, Chiang-nan, 07 January 2009
Information security, sometimes referred to as enterprise security, plays an important and specialised role in enterprises, and information security management has consequently gained popularity among enterprises in recent years. Information assets such as technical documents, research and development plans and product quotations are core assets of a company, so effectively managing and implementing an information security system has become a key to a company's survival.
The international information security management standard ISO 27001:2005, which covers personnel, technical, physical and management security, has been promulgated. When introducing an information security management system (ISMS), a company usually adopts a process-oriented approach that treats the system's structure view and behavior view separately. Separating the structure view from the behavior view during the planning phase can cause many difficulties in the later realization and verification phases of the ISMS, such as uneven distribution of resources, poor security performance, bad risk management and poor system management.
To date there has been no enterprise architecture theory for information security management systems. This research uses an architecture-oriented modeling methodology in which the structure view and behavior view are coalesced: the ISMS is decomposed into structural elements, and behaviors are derived from the interactions among those elements. Adopting structure behavior coalescence (SBC), whose diagrams are the architecture hierarchy diagram, structure element diagram, structure element service diagram, structure element connection diagram, structure behavior coalescence diagram and interactive flow diagram, this research constructs a complete architecture-oriented information security management model (AOISMM). This is the first study to use an architecture-oriented approach to construct an information security management system, and AOISMM resolves many of the difficulties caused by the process-oriented approach when constructing such systems. These are the contributions of this research.
|
42 |
Building Secure Systems using Mobile Agents / Shibli, Muhammad Awais, January 2006
The field of computer networks and the Internet has grown tremendously in recent years, which raises important security issues. Several solutions have emerged that provide security at the host or network level. Traditional solutions such as antivirus, firewalls, anti-spyware and authentication mechanisms provide security to some extent, but they still face the challenge of inherent system flaws, OS bugs and social engineering attacks. More recently, interesting solutions such as intrusion detection and prevention systems have emerged, but these too have problems, such as detecting and responding in real time, because they mostly require input from a system administrator. Optimistically, we have succeeded in protecting hosts to some extent by applying a reactive approach (antivirus, firewalls, intrusion detection and response systems). A critical analysis of this approach, however, leads to the conclusion that it has inherent flaws, since the numbers of penetrations, Internet crime cases, identity and financial data thefts and so on have been rising exponentially in recent years. The main reason is that only a reactive approach is used, i.e. the protection system is activated only after a security breach occurs. Secondly, current techniques try to fix the huge overall problem of security with small remedies (firewalls, antivirus and intrusion detection and prevention systems), that is, "point solutions". There is therefore a need for a strategy using mobile agents that operates in both reactive and proactive modes and provides security on the principle of defense in depth, so that the ultimate goal of securing a system as a whole can be achieved. A system is assumed to be secure if unauthorized access (penetration) is not possible and the system is safe against damage.
This strategy includes three aspects: (a) autonomously detecting vulnerabilities on different hosts in a distributed network before an attacker can exploit them; (b) protecting hosts by detecting intrusion attempts and responding to them in real time; and (c) performing tasks related to security management.
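The three aspects above, as an added example in Python that is not the thesis's own code or agent framework: the logic a host-visiting agent would carry, namely a proactive configuration audit against an assumed hardening baseline, a reactive detector that blocks a source address after repeated failed logins inside a sliding window, and a sweep that dispatches the agent to every host and aggregates the results for security management. The host names, configuration values and authentication log lines are constructed for the example (the addresses are from the documentation ranges), and `BASELINE`, `HostSecurityAgent` and `sweep` are names chosen here.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input (not from the thesis): what the agent sees on arrival
# at each host, an sshd configuration snapshot and the tail of the auth log.
HOSTS = {
    "web-01": {
        "sshd_config": {"PermitRootLogin": "yes", "PasswordAuthentication": "yes"},
        "auth_log": """\
Mar 10 12:00:01 web-01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 12:00:04 web-01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 12:00:06 web-01 sshd[2215]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 12:00:09 web-01 sshd[2217]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 12:00:11 web-01 sshd[2219]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 12:07:40 web-01 sshd[2301]: Failed password for alice from 198.51.100.9 port 40110 ssh2
Mar 10 12:07:55 web-01 sshd[2305]: Accepted publickey for alice from 198.51.100.9 port 40112 ssh2
""",
    },
    "db-01": {
        "sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
        "auth_log": "Mar 10 12:01:00 db-01 sshd[910]: Accepted publickey for ops from 198.51.100.9 port 40120 ssh2\n",
    },
}

# Assumed hardening baseline: sshd setting -> value the agent expects to find.
BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+) port"
)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "weak-config" (proactive) or "brute-force" (reactive)
    detail: str
    action: str  # what the agent did, or would do, about it


class HostSecurityAgent:
    """The logic the agent executes on each host it visits."""

    def __init__(self, threshold=5, window_s=60):
        self.threshold = threshold  # failed logins from one source ...
        self.window_s = window_s    # ... within this many seconds triggers a block

    def audit(self, host, sshd_config):
        """Proactive: compare the host's configuration with the baseline
        before anyone gets to exploit the weak settings."""
        return [
            Finding(host, "weak-config",
                    f"{key}={sshd_config.get(key)!r}, expected {want!r}",
                    action=f"set {key} {want}")
            for key, want in BASELINE.items()
            if sshd_config.get(key) != want
        ]

    def watch(self, host, auth_log, blocked):
        """Reactive: count failed logins per source address inside a sliding
        window and block the source as soon as the threshold is reached."""
        findings, recent = [], defaultdict(deque)
        for line in auth_log.splitlines():
            m = FAILED_LOGIN.match(line)
            if not m or m["ip"] in blocked:
                continue
            ip = m["ip"]
            # Year-less syslog timestamp; only differences matter here.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > self.window_s:
                q.popleft()
            if len(q) >= self.threshold:
                blocked.add(ip)  # a deployed agent would push a firewall rule here
                findings.append(Finding(
                    host, "brute-force",
                    f"{len(q)} failed logins from {ip} within {self.window_s}s",
                    action=f"block {ip}"))
        return findings


def sweep(hosts=HOSTS):
    """Security management: send the agent to every host and aggregate.
    Returns (findings per host, set of addresses blocked network-wide)."""
    agent, blocked, report = HostSecurityAgent(), set(), {}
    for host, view in hosts.items():
        report[host] = (agent.audit(host, view["sshd_config"])
                        + agent.watch(host, view["auth_log"], blocked))
    return report, blocked


if __name__ == "__main__":
    report, blocked = sweep()
    for host, findings in report.items():
        for f in findings:
            print(f"{host}: [{f.kind}] {f.detail} -> {f.action}")
    print("blocked:", sorted(blocked))
```

Running the sweep over the constructed hosts flags the two weak sshd settings on web-01 before any attack, blocks 203.0.113.7 at its fifth failure inside the window, and leaves db-01 clean; the single failure from 198.51.100.9 stays below the threshold. The `blocked` set is shared across hosts so that a source blocked on one host is ignored on the next, which is the distributed, defense-in-depth part of the strategy.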
|
43 |
Probabilistic security management for power system operations with large amounts of wind power / Hamon, Camille, January 2015
Power systems are critical infrastructures for society. They are therefore planned and operated to provide reliable electricity delivery. The set of tools and methods for doing so is gathered under security management and is designed to ensure that all operating constraints are fulfilled at all times. During the past decade, rising awareness of issues such as climate change, depletion of fossil fuels and energy security has triggered large investments in wind power. The limited predictability of wind power, in the form of forecast errors, poses a number of challenges for integrating wind power into power systems. This limited predictability adds to the uncertainty already present in power systems in the form of random occurrences of contingencies and load forecast errors. It is widely acknowledged that this added uncertainty due to wind power and other variable renewable energy sources will require new tools for security management as the penetration levels of these energy sources become significant. In this thesis, a set of tools for security management under uncertainty is developed. The key novelty of the proposed tools is that they build upon probabilistic descriptions, in terms of distribution functions, of the uncertainty. By considering the distribution functions of the uncertainty, the proposed tools can consider all possible future operating conditions captured in the probabilistic forecasts, as well as the likelihood of these operating conditions. By contrast, today's tools are based on the deterministic N-1 criterion, which considers only one future operating condition and disregards its likelihood. Given a list of contingencies selected by the system operator and probabilistic forecasts for the load and wind power, an operating risk is defined in this thesis as the sum of the probabilities of the pre- and post-contingency violations of the operating constraints, weighted by the probability of occurrence of the contingencies.
For security assessment, this thesis proposes efficient Monte Carlo methods to estimate the operating risk. Importance sampling is used to substantially reduce the computational time. In addition, sample-free analytical approximations are developed to quickly estimate the operating risk. For security enhancement, the analytical approximations are further embedded in an optimization problem that aims at obtaining the cheapest generation re-dispatch that keeps the operating risk below a chosen threshold. The proposed tools build upon approximations, developed in this thesis, of the stable feasible domain where all operating constraints are fulfilled.
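The operating risk defined above, its crude and importance-sampled Monte Carlo estimators, a sample-free analytical evaluation and a one-dimensional version of the re-dispatch problem, as an added Python example that is not the thesis's own code or model. The system is a constructed toy: one wind farm whose export over a single corridor is forecast as a Gaussian, and three system states (intact network plus two contingencies) with assumed probabilities and export limits, the intact state carrying the residual probability. The "cheapest re-dispatch" is reduced here to the smallest reduction of the scheduled export that keeps the analytical risk under the threshold; the thesis's approximations of the stable feasible domain are not reproduced. All names and numbers are the example's own.

```python
import math
import random
from dataclasses import dataclass

# Constructed probabilistic forecast (assumption): export W ~ N(mean, std^2) in MW.
FORECAST_MEAN_MW = 50.0
FORECAST_STD_MW = 10.0


@dataclass(frozen=True)
class SystemState:
    name: str
    probability: float      # probability that this state holds in the period
    export_limit_mw: float  # operating constraint: W must not exceed this


# Intact network carries the residual probability; the rest is the operator's
# contingency list with assumed outage probabilities and reduced limits.
STATES = (
    SystemState("intact network (pre-contingency)", 0.975, 85.0),
    SystemState("single circuit outage", 0.020, 65.0),
    SystemState("transformer outage", 0.005, 55.0),
)


def _normal_cdf(x):
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def _normal_logpdf(x, mu, sigma):
    return -0.5 * ((x - mu) / sigma) ** 2 - math.log(sigma * math.sqrt(2.0 * math.pi))


def analytical_operating_risk(mu=FORECAST_MEAN_MW, sigma=FORECAST_STD_MW, states=STATES):
    """Sample-free evaluation: with a Gaussian forecast and a one-sided limit the
    violation probability in each state is a normal tail, and the operating risk
    is the sum of those tails weighted by the state probabilities."""
    return sum(s.probability * (1.0 - _normal_cdf((s.export_limit_mw - mu) / sigma))
               for s in states)


def monte_carlo_operating_risk(n=40_000, seed=7, importance_sampling=False,
                               mu=FORECAST_MEAN_MW, sigma=FORECAST_STD_MW, states=STATES):
    """Estimate the operating risk by sampling the forecast in every state.
    Returns (estimate, standard error of the estimate)."""
    rng = random.Random(seed)
    estimate, variance = 0.0, 0.0
    for s in states:
        # Importance sampling: when a violation is a tail event, draw from a
        # forecast shifted onto the limit (so roughly half the draws violate) and
        # correct each violating draw by the likelihood ratio. Shifting only
        # upward keeps every weight <= 1, so variance can only decrease.
        q_mu = max(mu, s.export_limit_mw) if importance_sampling else mu
        total = total_sq = 0.0
        for _ in range(n):
            w = rng.gauss(q_mu, sigma)
            if w <= s.export_limit_mw:
                continue  # constraint satisfied: this draw contributes 0
            weight = math.exp(_normal_logpdf(w, mu, sigma) - _normal_logpdf(w, q_mu, sigma))
            total += weight
            total_sq += weight * weight
        mean = total / n
        estimate += s.probability * mean
        variance += s.probability ** 2 * max(total_sq / n - mean * mean, 0.0) / n
    return estimate, math.sqrt(variance)


def minimum_redispatch_mw(risk_threshold, mu=FORECAST_MEAN_MW, sigma=FORECAST_STD_MW,
                          states=STATES, tol_mw=0.01):
    """Security enhancement in one dimension: the smallest reduction of the
    scheduled export (e.g. by re-dispatching generation behind the corridor)
    that brings the analytical operating risk down to the threshold. The risk
    falls monotonically as the scheduled export falls, so bisection suffices."""
    if analytical_operating_risk(mu, sigma, states) <= risk_threshold:
        return 0.0
    lo, hi = 0.0, mu  # lo: still too risky; hi: acceptable (zero scheduled export)
    while hi - lo > tol_mw:
        mid = (lo + hi) / 2.0
        if analytical_operating_risk(mu - mid, sigma, states) <= risk_threshold:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    exact = analytical_operating_risk()
    crude = monte_carlo_operating_risk()
    smart = monte_carlo_operating_risk(importance_sampling=True)
    print(f"analytical risk      {exact:.6f}")
    print(f"crude Monte Carlo    {crude[0]:.6f} +/- {crude[1]:.6f}")
    print(f"importance sampling  {smart[0]:.6f} +/- {smart[1]:.6f}")
    print(f"re-dispatch for risk <= 1e-3: {minimum_redispatch_mw(1e-3):.2f} MW")
```

With these numbers the pre-contingency violation is a 3.5-sigma event, which is exactly where crude sampling wastes almost all of its draws; the shifted proposal spends half of them in the violating region and reports a far smaller standard error for the same sample count, which is the computational saving the thesis obtains from importance sampling. The analytical form is what makes the re-dispatch search cheap enough to sit inside an optimisation loop.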
|
44 |
Gestão da segurança da informação em bibliotecas: elementos para elaboração de uma política de segurança da informação na Biblioteca Central da Universidade Federal da Paraíba (Information security management in libraries: elements for drafting an information security policy at the Central Library of the Federal University of Paraíba) / Souza, Fernando Antonio Ferreira de, 02 August 2017
Information protection has become an extremely critical factor for organisations and government entities. It involves not only the conventional environment but also the technological and information-network infrastructure. This study addresses information security in the context of a university library. Although libraries are environments familiar with information management processes, they suffer from problems related to the lack of information security management. To that end, this research studies the elements of information security management that allow a draft information security policy to be produced for the Central Library of the Federal University of Paraíba (UFPB). Methodologically, the study is qualitative and descriptive. As the instrument for data collection, tabulation and analysis it uses the Facilitated Risk Analysis and Assessment Process (FRAAP), supplemented with a questionnaire and content analysis according to Bardin. The results indicate a group of fifteen threats: nine physical threats, two logical threats and four threats related to management processes. Finally, the Central Library of UFPB was found to need an action plan directed at information security, to guarantee the confidentiality, integrity and safeguarding of the organisation's critical management information. With these results, the study expects to contribute to information security in the context of the Central Library of UFPB through the proposed draft information security policy, enabling further contributions to the development of the university library's management processes.
|
45 |
Information security risk management in the South African small, medium and micro enterprise environment / Van Niekerk, Liesel, 07 July 2008
The small, medium and micro enterprise (SMME) environment of South Africa contributes 42% of the national gross domestic product. This is a high figure for a largely under-regulated environment. The corporate governance and IT governance standards that apply to South African companies are not feasible for SMMEs, nor are they enforced, although 80% of SMME failures are attributable to a lack of enterprise management skill. The first objective of this dissertation is to examine the South African SMME and, in so doing, determine whether local regulatory standards can be used for this unique enterprise formation. The second objective is to determine whether international methodologies for information security risk management, as part of IT governance, may be used in the unique local SMME formation. Pursuing these two objectives reveals a gap: no typical information security risk management methodology suits the South African regulatory and economic environment for SMMEs. A model has been created as a possible answer to fill that gap. The dissertation presents the Peculium Model, which answers the regulatory and economic requirements that resulted from the second objective. The Model gives the small enterprise a simple but effective method for managing risks to its information assets, with the controls of corporate governance and IT governance included in its framework, and supplies the methods for identifying and assessing risk in a tradition-based but feasible new qualitative technique. / Labuschagne, L., Prof.
|
46 |
Multi-Layered Policy Generation and Management in Clouds / Fatemi Moghaddam, Faraz, 12 December 2017
No description available.
|
47 |
Integrated ESSQ management: as a part of excellent operational and business management — a framework, integration and maturity / Tervonen, P. (Pekka), 21 June 2010
Abstract
When examining management from the viewpoint of systems approach, the main elements are the overall management systems of a company and the related ESSQ matters and other critical success factors, depending on their theme. Excellent business management e.g. by taking advantage of quality award models is also becoming one of the cornerstones of the success of an organisation. Companies increasingly need more efficient and productive systems to maintain their competitiveness. These kinds of systems should continuously improve the company's operations and increase the satisfaction of customers and other interest groups.
A qualitative approach is mainly applied in this dissertation. This dissertation is composed of five research papers, in which qualitative approach is also used. The empirical data of this dissertation were obtained through interviews and a questionnaire among experienced industrial managers. All individual interview results and replies to the questionnaire were analysed and, when appropriate, compared to the literature. Finally, conclusions and synthesis were drawn based on the analysis.
As a general conclusion, it can be stated that combining issues that fall under different themes is reasonable because, on one hand, the causes of problems may be common to all areas and, on the other hand, solving one problem in isolation may easily create problems in other fields of business. Business orientation can be increased further by taking maturity models into consideration. Organisations that apply holistic management systems taking all essential success factors of the business into consideration come close to the natural functioning of an organisation. Integrating different operational areas into one system facilitates the management of operations, increases internal co-operation and saves resources, time and costs.
The starting point of holistic management is that needs can be fully addressed only when all relevant variables of the entire organisational system are taken into consideration. Systematically integrated management systems that cover different operating models in an extensive manner and that function well are not yet common, but there is a clear trend towards the integration of different systems. This dissertation indicates that the ultimate purpose and genuine contribution to business of Integrated ESSQ Management and maturity models is to provide a framework, which helps companies to better understand and incorporate these issues as a part of their overall Operational and Business Management. In principle, every company should develop its own management model that is tailored to meet the needs of the organisation in question.
|
48 |
Navigating between information security management documents: a modeling methodology / Domingues, Steve, January 2010
Organizations no longer draft their own standards; instead they take advantage of the available international standards. One standard may not cover all of an organization's needs, so organizations may have to implement more than one, and the same aspect of an organization may then be covered by two or more standards, creating an overlap. Awareness of such overlaps has led various institutions to create mapping documents that illustrate how a control from one standard relates to a control from another. End users consult these mapping documents to identify how a control in one standard relates to other standards, which lets them navigate between the standards documents. The mapping documents are valuable to a person who wishes to grasp how different standards deal with a specific control, but the navigation itself is a cumbersome task: to navigate between standards the end user must consult three or more documents, depending on how many standards are mapped to the control under investigation. The need for a tool that provides fast and efficient navigation between standards was therefore identified. The data tier of such a tool is the focus of this dissertation. This research proposes a modeling methodology for modeling the standards and the information about the mappings between them, thereby contributing to the creation of tools that aid navigation between standards. A comparison of the major data modeling paradigms identifies multi-dimensional modeling as the most appropriate technique for modeling standards. Adapting an existing modeling methodology to the modeling of standards yields a five-step standard modeling methodology. Once modeled, the standards can be physically implemented as a database.
The database schema that results from the standard modeling methodology adheres to a specific pattern and can thus be expressed according to a well-defined meta-model. This allows a tool with only limited knowledge of the standards to generate SQL statements that navigate quickly between standards. To determine the usefulness of the standard modeling methodology, the research presents a prototype that uses the well-defined meta-model to navigate between standards. It is shown that, as far as navigation is concerned, no code changes are necessary when adding a new standard or new mappings between standards. This research contributes to the creation of a tool that can easily navigate between standards by providing a way to model the data tier that is extensible yet remains independent of the application and presentation tiers.
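A minimal data tier of the kind the two paragraphs above describe, as an added example (not the dissertation's prototype, its five-step methodology or its meta-model): two dimension tables for standards and their controls, a bridge table for the control-to-control relations asserted by mapping documents, and one fixed navigation query that follows mappings in either direction. The standards, control numbers, titles and mapping-document names are invented for the example and correspond to no real standard, and `add_standard`, `add_mapping` and `related_controls` are names chosen here. The point the example makes is the dissertation's: a new standard or a new mapping is loaded as rows, and the query that navigates does not change.

```python
import sqlite3

# Schema: standard and control are dimension tables; mapping is the bridge that
# records "control X relates to control Y, according to mapping document D".
SCHEMA = """
CREATE TABLE standard (
    standard_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL UNIQUE
);
CREATE TABLE control (
    control_id  INTEGER PRIMARY KEY,
    standard_id INTEGER NOT NULL REFERENCES standard(standard_id),
    ref         TEXT NOT NULL,   -- clause or control number as printed in the standard
    title       TEXT NOT NULL,
    UNIQUE (standard_id, ref)
);
CREATE TABLE mapping (
    from_control INTEGER NOT NULL REFERENCES control(control_id),
    to_control   INTEGER NOT NULL REFERENCES control(control_id),
    source_doc   TEXT NOT NULL,  -- the mapping document that asserts the relation
    PRIMARY KEY (from_control, to_control, source_doc)
);
"""

# One generic query navigates from any control to every control mapped to it,
# in either direction, regardless of which or how many standards are loaded.
NAVIGATE_SQL = """
WITH me AS (
    SELECT c.control_id
    FROM control c JOIN standard s USING (standard_id)
    WHERE s.name = ? AND c.ref = ?
),
related AS (
    SELECT to_control AS control_id, source_doc FROM mapping
    WHERE from_control IN (SELECT control_id FROM me)
    UNION
    SELECT from_control AS control_id, source_doc FROM mapping
    WHERE to_control IN (SELECT control_id FROM me)
)
SELECT s.name, c.ref, c.title, r.source_doc
FROM related r
JOIN control c USING (control_id)
JOIN standard s USING (standard_id)
ORDER BY s.name, c.ref
"""

# Constructed, hypothetical standards and mapping documents.
SAMPLE_STANDARDS = {
    "STD-A": [("5.1", "Access control policy"), ("5.2", "User registration")],
    "STD-B": [("AC-1", "Access control policy and procedures"),
              ("AC-2", "Account management")],
    "STD-C": [("2.4", "Identity lifecycle")],
}
SAMPLE_MAPPINGS = [
    # (standard, ref) relates to (standard, ref), asserted by mapping document
    ("STD-A", "5.1", "STD-B", "AC-1", "map-A-B"),
    ("STD-A", "5.2", "STD-B", "AC-2", "map-A-B"),
    ("STD-B", "AC-2", "STD-C", "2.4", "map-B-C"),
]


def control_id(conn, standard, ref):
    row = conn.execute(
        "SELECT c.control_id FROM control c JOIN standard s USING (standard_id) "
        "WHERE s.name = ? AND c.ref = ?", (standard, ref)).fetchone()
    if row is None:
        raise KeyError(f"{standard} {ref} is not loaded")
    return row[0]


def add_standard(conn, name, controls):
    """Loading a standard is data only; nothing in the queries changes."""
    cur = conn.execute("INSERT INTO standard(name) VALUES (?)", (name,))
    conn.executemany(
        "INSERT INTO control(standard_id, ref, title) VALUES (?, ?, ?)",
        [(cur.lastrowid, ref, title) for ref, title in controls])


def add_mapping(conn, std_a, ref_a, std_b, ref_b, source_doc):
    """Loading one line of a mapping document is likewise data only."""
    conn.execute(
        "INSERT OR IGNORE INTO mapping(from_control, to_control, source_doc) "
        "VALUES (?, ?, ?)",
        (control_id(conn, std_a, ref_a), control_id(conn, std_b, ref_b), source_doc))


def build_database(standards=SAMPLE_STANDARDS, mappings=SAMPLE_MAPPINGS):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name, controls in standards.items():
        add_standard(conn, name, controls)
    for m in mappings:
        add_mapping(conn, *m)
    return conn


def related_controls(conn, standard, ref):
    """Navigate from one control to every mapped control:
    rows of (standard name, control ref, title, mapping document)."""
    return conn.execute(NAVIGATE_SQL, (standard, ref)).fetchall()
```

Starting from STD-B AC-2 the query returns the STD-A and STD-C controls it is mapped to, each with the document that asserts the relation, so the user no longer reads three documents to make that hop. Inserting a fourth standard and one more mapping row makes it appear in the same result with no change to `NAVIGATE_SQL`, which is the extensibility claim of the dissertation in its smallest form; a real prototype would also record the direction and strength of each mapping, which this bridge table does not.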
|
49 |
Gestão de riscos para segurança do paciente: o enfermeiro e a notificação dos eventos adversos (Risk management for patient safety: the nurse and the reporting of adverse events) / Milagres, Lidiane Miranda, 03 July 2015
This study deals with risk management as a strategy for patient safety. Its object of study is the process of reporting adverse events. The objectives were: to identify nurses' knowledge of adverse events, risk management and patient safety; to describe, from nurses' accounts, their actions when an adverse event occurs in their workplace; and to describe the facilitating factors and difficulties nurses face in reporting adverse events. The methodology was an exploratory study with a qualitative approach, set in a public general hospital located in a city of the Zona da Mata region of Minas Gerais. The theoretical framework drew on studies of patient safety, risk management and the reporting of incidents and adverse events. Data were collected through semi-structured interviews, from November to December 2014, with 20 nurses working in that service, and the answers were analysed using the content analysis technique, from which three thematic categories emerged: nurses' knowledge of adverse events, risk management and patient safety; nurses' actions in the face of an adverse event; and the facilitating factors and difficulties nurses encounter in reporting adverse events. The results showed that the nurses have a good command of the topics of adverse events, risk management and patient safety. As to the application of the steps of the adverse-event reporting process, it was evident that reporting these events is a daily practice of nurses; however, the statements of some professionals revealed gaps in reporting that favour the under-reporting of adverse events. The thematic analysis of the participants' discourse also showed that, during the reporting process, nurses encounter aspects that both facilitate and hinder it. It was concluded that there are professional attitudes favourable to reporting and also attitudes that interfere with the success of the adverse-event reporting process, and that these deserve attention in training, which can be used as a tool to help improve patient safety.
|
50 |
Exploring Data Security Management Strategies for Preventing Data Breaches / Ofori-Duodu, Michael Samuel, 01 January 2019
Insider threat continues to pose a risk to organizations and, in some cases, to the country at large. Data breach events continue to show that the insider threat risk has not subsided. This qualitative case study explored the data security management strategies used by database and system administrators to prevent data breaches by malicious insiders. The study population consisted of database administrators and system administrators from a government contracting agency in the northeastern region of the United States. General systems theory, developed by von Bertalanffy, was the conceptual framework for the study. Data collection involved interviewing database and system administrators (n = 8), reviewing organizational documents and processes (n = 6), and directly observing a training meeting (n = 3). Methodological triangulation and member checking of the interviews and direct observation were used to enhance the validity of the findings. Through thematic analysis, four major themes emerged: enforcement of organizational security policy through training, use of multifaceted identity and access management techniques, use of security frameworks, and use of strong technical control operations mechanisms. The findings may benefit database and system administrators by enhancing their data security management strategies for preventing data breaches by malicious insiders. Enhanced data security management strategies may contribute to social change by protecting organizational and customer data from malicious insiders, whose actions could otherwise lead to espionage, identity theft, trade secret exposure and cyber extortion.
|