The information security policy: an important information security management control. Hone, Karin, 22 April 2008.
This study originated from the realisation that the information security industry has identified the information security policy as one of the most important information security management controls. Within the industry there are, however, differing views as to what constitutes an information security policy, what it should contain, how it should be developed and how it should best be disseminated and managed. Numerous organisations claim to have an information security policy, but admit that it is not an effective control. The principal aim of this study is to make a contribution to the information security discipline by defining what an information security policy is, where it fits into the broader information security management framework, what elements an effective policy should contain, how it should be disseminated and how the document is best kept relevant, practical, up-to-date and efficient. The study develops and documents various processes and methodologies needed to ensure the effectiveness of the information security policy, such as the dissemination process and the information security policy management lifecycle. The study consists of five parts, of which Part I serves as an introduction to the research topic. It provides background information on the topic and lays the foundation for the rest of the dissertation. Chapter 1 specifically deals with the research topic, the motivation for it and the issues addressed by the dissertation. Chapter 2 looks at the concept of information security management and what it consists of, highlighting the role an information security policy has to play in the discipline. Chapter 3 introduces the various international information security standards and codes of practice that are referred to, examined and analysed in the dissertation. This chapter specifically highlights how and to what extent each of these addresses the topic of the information security policy.
Part II introduces the concept of the information security policy. Chapter 4 provides the background to what an information security policy is and where it fits into the broader structure of an organisation's governance framework. Chapter 5 specifies what an effective information security policy is and what components are needed to ensure its success as an information security control. Part III expands on the components of an effective information security policy introduced in Chapter 5. This part consists of Chapters 6 to 8, each addressing a single component. Chapter 6 further investigates the development of the information security policy. The dissemination of the document is discussed in Chapter 7, and Chapter 8 expands the concept of the information security policy management lifecycle. Part IV consists of Chapter 9, which deals with a case study applying the various processes and methodologies defined in the previous part. The case study deals with a fictitious organisation and provides detailed background information to indicate how the organisation should approach the development and dissemination of the information security policy. Some of the examples constructed from the case study include a sample information security policy and a presentation to be used as an introduction to the information security policy. The dissertation is concluded in Chapter 10, which provides a summarised overview of the research and the issues addressed in it. / Prof. J.H.P. Ehlers

Optimizing the Advanced Encryption Standard on Intel's SIMD architecture. Godbole, Pankaj, 15 January 2004.
The Advanced Encryption Standard (AES) is the new standard for cryptography and has gained wide support as a means to secure digital data. Hence, it is beneficial to develop an implementation of AES that has a high throughput. SIMD technology is very effective in increasing the performance of some cryptographic applications. This thesis describes an optimized implementation of AES in software based on Intel's SIMD architecture. Our results show that our technique yields a significant increase in the performance and thereby the throughput of AES. They also demonstrate that AES is a good candidate for optimization using our approach. / Graduation date: 2004

How Far Web Services Tools Support OASIS Message Security Standards? Sistla Shambhu, Maharaj Sastry, January 2005.
There is a great deal of interest burgeoning in the intellectual community regarding Web Services and their usage. Many writers have tried to bring awareness about some unforeseen threats lurking behind the enticing Web Services. Threats due to Web Services are at an all-time high, giving an alarming knock to the Web Services security community. This led the Organization for the Advancement of Structured Information Standards (OASIS) to make some constraints mandatory in order to standardize message security; these constraints and specifications are presented in a document called WS-Security 2004. This work is an attempt to check the support offered by the various Web Services tools currently available. It introduces the reader to Web Services and presents an overview of how far some of the tools have come in making the Web Services environment safe, secure and robust enough to meet present-day requirements. A quantitative approach was taken to investigate the support offered by servers such as BEA and Apache Axis. The conclusions drawn show that most of the tools meet the imposed standards, but a lot more is expected from the web community and these tools if the vision of safe and secure Web Services is to be realized at all.

Risk management of information security based on standard NBR ISO/IEC 27005 using security patterns. Konzen, Marcos Paulo, 26 February 2013.
In recent years, more vulnerabilities and threats have emerged, compromising information security in Information and Communication Technology (ICT) systems. In addition, many organizations are unprepared to deal with information security risks, which makes them more vulnerable to such threats, so the negative impact caused by security incidents tends to be more frequent. The implementation of information security risk management based on a set of best practices is critical, but still a challenge for most companies. This work proposes a methodology for managing risks based on NBR ISO/IEC 27005:2008. The standard presents a sequence of activities and a series of guidelines and goals that must be achieved to make risk management effective. As with most standards and reference models, it does not describe how the activities should be implemented, which makes it difficult to adopt for organizations less experienced in security procedures. The reuse of solutions that have already been tested and consolidated for recurring security problems can help ensure the use of best practices. Such solutions can be found in security patterns, which capture and document the knowledge of security experts, but their application to developing the activities of risk management standards is unknown. Thus, this work reviews the guidelines of NBR ISO/IEC 27005:2008 and pattern catalogs in order to identify security patterns with which to develop activities in accordance with the guidelines described by the standard. The main contribution of this work is therefore a methodology for risk management centered on the solutions, tasks and techniques described by 22 security patterns. A risk analysis and assessment using security patterns was applied to the data center (DC) of a private higher education institution; its result shows the final risk for each asset, meeting the guidelines of NBR ISO/IEC 27005:2008.

Design Better Content Development Process for SCAP Standards. Beňas, Petr, January 2013.
The aim of this thesis is to study and describe in simplified form the SCAP standards used for the standardized exchange of information about vulnerabilities and other data related to information security, with a focus on the XCCDF and OVAL formats. The text examines existing approaches and tools used to create content for these standards. Based on the findings, a new tool is designed with the aim of addressing the shortcomings of the existing approaches. The thesis also describes the implementation and testing of the proposed tool.

Cyber Security and Security Frameworks for Cloud and IoT Architectures. Haar, Christoph, 20 October 2023.
Cloud computing has rapidly changed the way we communicate in recent years. It enables the provision of various services over the Internet. By now, a variety of cloud computing applications have been developed for both enterprises and the private sector. Each application brings numerous advantages, but also poses new challenges for IT security. This dissertation examines particularly important cloud computing applications with regard to the current challenges for IT security.
1. Container virtualisation enables the separation of the actual application from the IT infrastructure. A preconfigured operating system image can thus be combined with an application in a container and evaluated in a test environment. This principle has fundamentally changed software development in enterprises in particular. Containers can be used to test software in an isolated environment without disrupting production operations. Furthermore, it is possible to manage several container instances across multiple hosts; this is referred to as orchestration. Since containers hold sensitive internal company data, companies must revise their IT security concept for the use of container virtualisation. This is a major challenge, as there is currently little experience with securing (orchestrated) container virtualisations.
2. Since containers provide services over the Internet, employees who need these services for their work are not tied to a fixed workplace. This in turn gives rise to concepts such as home o

Proposal of a Security Policy for the Czech Branch of a Multinational Company. Filip, Tomáš, January 2009.
A security policy deals with the security processes of a company in order to protect its assets, regardless of the size of the branch office. Nowadays a company is exposed to many threats and risks, which it has to face in order to prevent threats to its work. These risks and threats do not have to be caused by competitors; they can arise randomly or sporadically, and some cannot be avoided or are too expensive to protect against, whereas protection against other hazards can be easy or cheap. Analyses and appropriate security measures are made for their correct examination. This thesis sets out to create a complete proposal of a security policy for a small Czech branch of an international company. It contains the required analyses, tips, theoretical solutions, a policy for personnel management and changes to simplify the drafting of the necessary security documents. I made use of up-to-date information from the domain of security during the process, but special care was taken while writing the concepts so that the document's contents would not age too quickly.

Analysis of the mechanical interaction between an active cranial implantable medical device and the skull subjected to impact loadings. Siegel, Alice, 5 April 2019.
Active cranial implants are increasingly being developed to treat neurological diseases. In this context it is necessary to evaluate the mechanical resistance of the skull-implant complex under impact conditions so as to ensure the patient's safety. The aim of this study is to quantify the mechanical interactions between the skull and the implant so as to develop a predictive finite element model for use in design methodologies for future cranial implants. First, material tests were performed to identify the material law parameters of titanium and silicone. These were then used in a finite element model of the implant under dynamic loading, validated against 2.5 J impact tests. The implant dissipates part of the impact energy, and the model makes it possible to optimize the design of implants so that they remain functional and hermetic after the impact. In the third part, a finite element model of the skull-implant complex under dynamic loading is developed. Impact tests on ovine cadaver heads are performed for model validation by optimizing the damage parameters of the three-layered skull, and they give insight into the behavior of the implanted skull under impact. This model is a primary tool for analyzing the mechanical interaction between the skull and an active implant and enables an optimized design for functional and hermetic implants while keeping the skull intact.

An investigation of information security in small and medium enterprises (SMEs) in the Eastern Cape. Upfold, Christopher Tennant, January 2005.
Small and Medium Enterprises (SMEs) embrace a wide range of information systems and technology, ranging from basic bookkeeping and general-purpose office packages through to advanced e-business web portals and Electronic Data Interchange (EDI). A survey based on SABS ISO/IEC 17799 was administered to a selected number of SMEs in the services sector in the Eastern Cape. The results of the survey revealed that the level of information security awareness amongst SME leadership is as diverse as the state of practice of their information systems and technology. Although a minority of SMEs do embrace security frameworks such as SABS ISO/IEC 17799 or the international equivalent, BS7799, most SME leaders have not heard of security standards and see information security as a technical intervention designed to address virus threats and data backups. Furthermore, there are several “stripped-down” standards and guidelines for SMEs, based mostly on SABS ISO/IEC 17799 but designed as streamlined, more easily implemented options. Again, these “lighter” frameworks are scarcely used and largely unknown among SMEs. Far from blaming SME leadership for not understanding the critical issues surrounding information security, the research concludes that SME leadership needs to engage with, understand and implement formal information security processes, failing which their organisations may be severely impacted by inadvertent threats or deliberate attacks on their information systems, which could ultimately lead to business failure.