A model for information security management and regulatory compliance in the South African health sector

Tuyikeze, Tite

January 2005

Information Security is becoming a part of the core business processes in every organization. Companies are faced with contradictory requirements to ensure open systems and accessible information while maintaining high protection standards. In addition, the contemporary management of Information Security requires a variety of approaches in different areas, ranging from technological to organizational issues and legislation. These approaches are often isolated while Security Management requires an integrated approach. Information Technology promises many benefits to healthcare organizations. It helps to make accurate information more readily available to healthcare providers and workers, researchers and patients and advanced computing and communication technology can improve the quality and lower the costs of healthcare. However, the prospect of storing health information in an electronic form raises concerns about patient privacy and security. Healthcare organizations are required to establish formal Information Security program, for example through the adoption of the ISO 17799 standard, to ensure an appropriate and consistent level of information security for computer-based patient records, both within individual healthcare organizations and throughout the entire healthcare delivery system. However, proper Information Security Management practices, alone, do not necessarily ensure regulatory compliance. South African healthcare organizations must comply with the South African National Health Act (SANHA) and the Electronic Communication Transaction Act (ECTA). It is necessary to consider compliance with the Health Insurance Portability and Accountability Act (HIPAA) to meet healthcare international industry standards. The main purpose of this project is to propose a compliance strategy, which ensures full compliance with regulatory requirements and at the same time assures customers that international industry standards are being used. This is preceded by a comparative analysis of the requirements posed by the ISO 17799 standard and the HIPAA, SANHA and ECTA regulations.

Computer networks -- Security measures

Public health -- South Africa

Governing information security using organisational information security profiles

Tyukala, Mkhululi

January 2007

The corporate scandals of the last few years have changed the face of information security and its governance. Information security has been elevated to the board of director level due to legislation and corporate governance regulations resulting from the scandals. Now boards of directors have corporate responsibility to ensure that the information assets of an organisation are secure. They are forced to embrace information security and make it part of business strategies. The new support from the board of directors gives information security weight and the voice from the top as well as the financial muscle that other business activities experience. However, as an area that is made up of specialist activities, information security may not easily be comprehended at board level like other business related activities. Yet the board of directors needs to provide oversight of information security. That is, put an information security programme in place to ensure that information is adequately protected. This raises a number of challenges. One of the challenges is how can information security be understood and well informed decisions about it be made at the board level? This dissertation provides a mechanism to present information at board level on how information security is implemented according to the vision of the board of directors. This mechanism is built upon well accepted and documented concepts of information security. The mechanism (termed An Organisational Information Security Profile or OISP) will assist organisations with the initialisation, monitoring, measuring, reporting and reviewing of information security programmes. Ultimately, the OISP will make it possible to know if the information security endeavours of the organisation are effective or not. If the information security programme is found to be ineffective, The OISP will facilitate the pointing out of areas that are ineffective and what caused the ineffectiveness. This dissertation also presents how the effectiveness or ineffctiveness of information security can be presented at board level using well known visualisation methods. Finally the contribution, limits and areas that need more investigation are provided.

Data protection

Computer security -- Management

Computer networks -- Security measures

A framework for the development of a personal information security agent

Stieger, Ewald Andreas

January 2011

Nowadays information is everywhere. Organisations process, store and create information in unprecedented quantities to support their business processes. Similarly, people use, share and synthesise information to accomplish their daily tasks. Indeed, information and information technology are the core of business activities, and a part of daily life. Information has become a crucial resource in today‘s information age and any corruption, destruction or leakage of information can have a serious negative impact on an organisation. Thus, information should be kept safe. This requires the successful implementation of information security, which ensures that information assets are only used, modified and accessed by authorised people. Information security faces many challenges; and organisations still have not successfully addressed them. One of the main challenges is the human element. Information security depends to a large extent on people and their ability to follow and apply sound security practices. Unfortunately, people are often not very security-conscious in their behaviour; and this is the cause of many security breaches. There are a variety of reasons for this such as a lack of knowledge and a negative attitude to security. Many organisations are aware of this; and they attempt to remedy the situation by means of information security awareness programs. These programs aim to educate, train and increase the security awareness of individuals. However, information security awareness programs are not always successful. They are not a once-off remedy that can quickly cure information security. The programs need to be implemented effectively, and they require an ongoing effort. Unfortunately, this is where many organisations fail. Furthermore, changing individuals‘ security behaviour is difficult due to the complexity of factors that influence everyday behaviour. In view of the above, this research project proposes an alternative approach in the form of a personal information security agent. The goal of this agent is to influence individuals to adopt more secure behaviour. There are a variety of factors that need to be considered, in order to achieve this goal, and to positively influence security behaviour. Consequently, this research establishes criteria and principles for such an agent, based on the theory and practice. From a theoretical point of view, a variety of factors that influence human behaviour such as self-efficacy and normative beliefs were investigated. Furthermore, the field of persuasive technology has provided for strategies that can be used by technology to influence individuals. On the practical side, a prototype of a personal information security agent was created and evaluated through a technical software review process. The evaluation of the prototype showed that the theoretical criteria have merit but their effectiveness is largely dependent on how they are implemented. The criteria were thus revised, based on the practical findings. The findings also suggest that a personal information security agent, based on the criteria, may be able to positively influence individuals to be more secure in their behaviour. The insights gained by the research are presented in the form of a framework that makes both theoretical and practical recommendations for developing a personal information security agent. One may, consequently, conclude that the purpose of this research is to provide a foundation for the development of a personal information security agent to positively influence computer users to be more security-conscious in their behavior.

Computer networks -- Security measures

Artificial intelligence

Combining multiple Iris matchers using advanced fusion techniques to enhance Iris matching performance

Nelufule, Nthatheni Norman

17 September 2014

M.Phil. (Electrical And Electronic Engineering) / The enormous increase in technology advancement and the need to secure information e ectively has led to the development and implementation of iris image acquisition technologies for automated iris recognition systems. The iris biometric is gaining popularity and is becoming a reliable and a robust modality for future biometric security. Its wide application can be extended to biometric security areas such as national ID cards, banking systems such as ATM, e-commerce, biometric passports but not applicable in forensic investigations. Iris recognition has gained valuable attention in biometric research due to the uniqueness of its textures and its high recognition rates when employed on high biometric security areas. Identity veri cation for individuals becomes a challenging task when it has to be automated with a high accuracy and robustness against spoo ng attacks and repudiation. Current recognition systems are highly a ected by noise as a result of segmentation failure, and this noise factors increase the biometric error rates such as; the FAR and the FRR. This dissertation reports an investigation of score level fusion methods which can be used to enhance iris matching performance. The fusion methods implemented in this project includes, simple sum rule, weighted sum rule fusion, minimum score and an adaptive weighted sum rule. The proposed approach uses an adaptive fusion which maps feature quality scores with the matcher. The fused scores were generated from four various iris matchers namely; the NHD matcher, the WED matcher, the WHD matcher and the POC matcher. To ensure homogeneity of matching scores before fusion, raw scores were normalized using the tanh-estimators method, because it is e cient and robust against outliers. The results were tested against two publicly available databases; namely, CASIA and UBIRIS using two statistical and biometric system measurements namely the AUC and the EER. The results of these two measures gives the AUC = 99:36% for CASIA left images, the AUC = 99:18% for CASIA right images, the AUC = 99:59% for UBIRIS database and the Equal Error Rate (EER) of 0.041 for CASIA left images, the EER = 0:087 for CASIA right images and with the EER = 0:038 for UBIRIS images.

Biometric identification

Electronic commerce - Security measures

Security systems

Secure proximity queries in mobile geo-social services

Li, Hong Ping

01 January 2013

No description available.

Computer networks

Mobile communication systems

Security measures

Wireless communication systems

Addressing Automated Adversaries of Network Applications

Kaiser, Edward Leo

01 January 2010

The Internet supports a perpetually evolving patchwork of network services and applications. Popular applications include the World Wide Web, online commerce, online banking, email, instant messaging, multimedia streaming, and online video games. Practically all networked applications have a common objective: to directly or indirectly process requests generated by humans. Some users employ automation to establish an unfair advantage over non-automated users. The perceived and substantive damages that automated, adversarial users inflict on an application degrade its enjoyment and usability by legitimate users, and result in reputation and revenue loss for the application's service provider. This dissertation examines three challenges critical to addressing the undesirable automation of networked applications. The first challenge explores individual methods that detect various automated behaviors. Detection methods range from observing unusual network-level request traffic to sensing anomalous client operation at the application-level. Since many detection methods are not individually conclusive, the second challenge investigates how to combine detection methods to accurately identify automated adversaries. The third challenge considers how to leverage the available knowledge to disincentivize adversary automation by nullifying their advantage over legitimate users. The thesis of this dissertation is that: there exist methods to detect automated behaviors with which an application's service provider can identify and then systematically disincentivize automated adversaries. This dissertation evaluates this thesis using research performed on two network applications that have different access to the client software: Web-based services and multiplayer online games.

Internet

Intelligent agents (Computer software)

Computer networks -- Security measures

Current and emerging air cargo security and facilitation issues

Buzdugan, Maria.

January 2005

No description available.

Analysis, detection, and modeling of attacks in computer communication networks

Allen, William H.

01 July 2003

No description available.

Electrical and Computer Engineering

Engineering

A real time, system independent, secure, Internet based auctioning system.

Brown, Cuan.

January 2000

This thesis outlines the creation of a secure, real time, system independent, Internet based auctioning application. The system has been developed to meet the needs of today's stringent reqUirements on secure Internet based applications. To attain this goal, the latest cryptographic algorithms and development platforms have been used. The result is a JAVA based server and client auctioning application. The client application is designed to run In any common web browser, and the server to execute on any JAVA enabled operating system with a web server and Internet connection. The real time system uses a relatively secure hybrid cryptosystem for communication. This involves the use of RSA for secure key exchange, and RC6 and MARS for secure communication. / Thesis (M.Sc.)-University of Natal,Durban, 2000.

Internet auctions.

Electronic commerce--Security measures.

Internet--Security measures.

Cryptography.

Java (Computer program language)

Theses--Computer science.

Socialinės apsaugos priemonės nedarbo rizikos atveju: Lietuvos ir užsienio valstybių patirtis / Social protection measures in case of unemployment risk: experience of lithuania and foreign countries

Timofejevaitė, Raminta

27 June 2014

Šiame darbe nagrinėjamas socialinės apsaugos priemonių nedarbo rizikos atveju taikymas. Atskleidžiama nedarbo, kaip socialinės rizikos, samprata ir neigiama įtaka valstybės ekonominei raidai ir gerovei. Apžvelgiamas valstybės garantuojamos socialinės apsaugos nedarbo atveju teisinis reguliavimas Lietuvos Respublikos ir tarptautiniuose teisės aktuose. Aptariami šio instituto teisinio reglamentavimo trūkumai. Darbe analizuojama ne tik Lietuvos, bet ir užsienio valstybių patirtis taikant socialinės apsaugos priemones nedarbo rizikos atveju. Remiantis Statistikos depatamento pateiktais 2010-2011 metų Lietuvos gyventojų emigracijos duomenimis, tyrimo objektu pasirinktos Didžiosios Britanijos, Airijos ir Norvegijos valstybių socialinės apsaugos sistemos, kadangi šių šalių teikiamos garantijos ypač aktualios ten gyvenantiems ir dirbantiems Lietuvos piliečiams. Išsamiai apžvelgiamos Lietuvos ir minėtų užsienio valstybių teikiamos aktyvios ir pasyvios socialinės apsaugos priemonės nedarbo rizikos atveju, analizuojamas jų turinys, apimtis, efektyvumas, trūkumai, apžvelgiami naujausi priimtų teisės aktų, reglamentuojančių socialinę apsaugą nedarbo atveju, pakeitimai, juos įtakojusios aplinkybės. Atsižvelgiant į šių ekonomiškai stiprių užsienio valstybių patirtį taikant socialinės apsaugos priemones, pateikiami pasiūlymai dėl Lietuvos socialinės apsaugos sistemos tobulinimo. / This paper analyses application of social protection measures in relation to risk of unemployment. Conception of unemployment as of a social risk is exposed together with its negative effect on economic development and welfare of the state. Legal regulation of the state guaranteed social protection in case of unemployment provided for in legislative acts of the Republic of Lithuania and international legislative acts is reviewed. Drawbacks of legal regulation of this institute are discussed. The paper analyses not only Lithuanian experience, but also experience of foreign countries in applying social protection measures in relation to risk of unemployment. Invoking the data provided by the Statistics Lithuania on emigration of Lithuanian residents over years 2010-2011, social security systems of Great Britain, Ireland and Norway were chosen for survey, because social guarantees provided by those countries are especially relevant to Lithuanian citizens who work or reside there. Thorough review of active and passive social security measures in relation to risk of unemployment provided by Lithuania and the aforementioned countries is made, analyzing its content, amount, effectiveness, drawbacks; new amendments of adopted legislative acts, regulating social security in case of unemployment are reviewed together with circumstances that conditioned the amendments. Considering the experience of these economically strong foreign counties in application of social protection measures... [to full text]

Social protection

Social risk

Unemployment

Active social security measures

Passive social security measures

Experience of Lithuania

Experience of foreign countries