Dissertations / Theses on the topic 'Information security, information security management system, ISMS'

Consult the top 50 dissertations / theses for your research on the topic 'Information security, information security management system, ISMS.'

1

Erkan, Ahmet. "An Automated Tool For Information Security Management System." Master's thesis, METU, 2006. http://etd.lib.metu.edu.tr/upload/12607783/index.pdf.

Abstract:
This thesis focuses on the automation of the processes of an Information Security Management System. Automating as much as possible of the activities required for a documented ISMS, in accordance with two international standards, ISO/IEC 27001:2005 and ISO/IEC 17799:2005, helps organizations. Some of the well-known tools in this scope are analyzed and a comparative study on them, including “InfoSec Toolkit”, which is developed for this purpose within the scope of the thesis, is given. “InfoSec Toolkit” is based on ISO/IEC 27001:2005 and ISO 17799:2005. The five basic integrated modules constituting the “InfoSec Toolkit” are the “Gap Analysis Module”, “Risk Module”, “Policy Management Module”, “Monitoring Module” and “Query and Reporting Module”. In addition, a research framework is proposed in order to assess the information security situation of public and private organizations in Turkey.
2

Trunkát, Jan. "Návrh zavedení ISMS ve firmě." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2015. http://www.nusl.cz/ntk/nusl-225000.

Abstract:
The master's thesis is aimed at a proposal for the implementation of an information security management system in the company. It introduces the basic concepts of information security and provides general procedures for an information security management system. As part of the work, a risk analysis of the company was carried out and measures to reduce risk were proposed. The work is mainly drawn from the ISO/IEC 27000 series of standards.
3

Asp, Sandin Agnes. "A simplified ISMS : Investigating how an ISMS for a smaller organization can be implemented." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-20238.

Abstract:
Over the past year, cyber threats have been growing tremendously, which has led to an essential need to strengthen organizations' security. One way of strengthening security is to implement an information security management system (ISMS). Although an ISMS will help improve the information security work within the business, organizations struggle with its implementation, and significantly so for smaller organizations. That results in smaller organizations' information being potentially less protected. This thesis investigates how an ISMS based on MSB can be simplified to make it suitable for a small organization to implement. This thesis aims to open for further research about how it can be simplified and whether there is value in doing it. The study is based on a qualitative approach where semi-structured interviews with experts were conducted. This thesis concludes that it is possible to simplify an ISMS based on MSB for a small organization by removing external analysis, information classification, the information classification model, continuity management for information assets, and incident management. In addition, the study provides tips on what a small organization should think about before and during implementation.
4

Shoraka, Babak. "An Empirical Investigation of the Economic Value of Information Security Management System Standards." NSUWorks, 2011. http://nsuworks.nova.edu/gscis_etd/304.

Abstract:
Within the modern and globally connected business landscape, the information assets of organizations are constantly under attack. As a consequence, protection of these assets is a major challenge. The complexities and vulnerabilities of information systems (ISs) and the increasing risks of failure, combined with a growing number of security incidents, prompt these entities to seek guidance from information security management standards. The International Organization for Standardization (ISO) Information Security Management System (ISMS) standard specifies the requirements for establishing, operating, monitoring, and improving an information security management system within the context of an organization's overall business risks. Importantly, this standard is designed to ensure the selection of adequate information security controls for the protection of an organization's information assets and is the only auditable international standard for information security management. The adoption of, and certification against, the ISO ISMS standard is a complex process which impacts many different security aspects of organizations and requires significant investments in information security. Although many benefits are associated with the adoption of an information security management standard, organizations are increasingly employing economic measures to evaluate and justify their information security investments. With the growing emphasis on the importance of understanding the economic aspects of information security, this study investigated the economic value of ISO ISMS standard adoption and certification. The principles of the efficient market hypothesis and the event study methodology were employed to establish whether organizations realized economic gains from obtaining certification against the ISO ISMS standard. The results of this research showed that capital markets did not react to the ISO ISMS certification announcements. Furthermore, the capital market reaction to information security breaches was not different between ISO ISMS certified and non-certified firms. It was concluded that the ISO ISMS certification did not create economic value for the certified firms.
5

Havlík, Michal. "Návrh průmyslového řešení ISMS." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2017. http://www.nusl.cz/ntk/nusl-318610.

Abstract:
The thesis deals with industrial solutions for an ISMS, mainly the network infrastructure. It first introduces the theoretical background of the thesis, followed by an analysis of the current situation in the company and its evaluation. Consequently, a solution is designed to meet the ISO/IEC 27000 standards.
6

Tomko, Michal. "Návrh zavedení bezpečnostních opatření na základě ISMS pro malý podnik." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2019. http://www.nusl.cz/ntk/nusl-402087.

Abstract:
The master's thesis deals with the implementation of security countermeasures in accordance with an information security management system for a small company. The main concern of the master's thesis is the design of security countermeasures in the company. The design is based on an analysis of the current state of the company, including all important parts, and an evaluation carried out together with the responsible persons.
7

Dočekal, Petr. "Návrh zavedení bezpečnostních opatření v souladu s ISMS pro obchodní společnost." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2018. http://www.nusl.cz/ntk/nusl-378344.

Abstract:
The master's thesis focuses on the area of security countermeasures in accordance with an information security management system. It presents the basic theoretical background of information and cyber security and describes the current state of the company. The thesis's output is the design of a security countermeasures implementation which contributes to information security in the company.
8

Kuchařík, Lukáš. "Návrh ISMS v průmyslovém prostředí." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241472.

Abstract:
The master's thesis is aimed at the proposal of a network infrastructure and the introduction of a managerial system for the safety of information in the industrial environment. At the beginning, the work is focused on theoretical knowledge concerning the safety of information, wherein it describes the basic concepts and common procedures of the managerial system for the safety of information. Further, the work deals with risk analysis, in which measures for the reduction of hazards are suggested. The proposal for a new network infrastructure is finally carried out. The work draws its information from the CSN ISO/IEC 27000 series of standards.
9

Dokoupil, Ondřej. "Návrh metodiky pro zavedení ISMS." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-254270.

Abstract:
This master's thesis deals with the design of a methodology for the implementation of an ISMS (Information Security Management System). The theoretical part describes the basic principles and procedures of this domain, including normative and legal/legislative aspects. The next section is an analysis of the current state of the organization. On this basis the practical part is drafted, including an economic evaluation of the project and the possible benefits of implementation.
10

Kameníček, Lukáš. "Návrh systém managementu ISMS." Master's thesis, Vysoké učení technické v Brně. Fakulta strojního inženýrství, 2011. http://www.nusl.cz/ntk/nusl-229425.

Abstract:
This diploma thesis analyses the current state of information security management in an organization. In the theoretical part of the thesis general concepts are described as well as the relations between risk management and information security, applicable laws and standards. Further, the theoretical part deals with the risk analysis and risk management, strategies, standard procedures and methods applied in this field. In the practical part a methodology is suggested for information risk analysis in a particular organization and appropriate measures are selected.
11

Dejmek, Martin. "Zavedení ISMS v obchodní společnosti." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224221.

Abstract:
This master thesis deals with the implementation of an information security management system in the company. It summarizes the theoretical background in this field and uses it to analyze the current state of information security, as well as risk analysis and risk management, and not least the actual implementation of the ISMS in the particular company. This work also contains three groups of measures that reduce the impact of the identified risks and which also implement essential parts of the ISMS.
12

Šebrle, Petr. "Zavedení ISMS do podniku podporujícího kritickou infrastrukturu." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2017. http://www.nusl.cz/ntk/nusl-318630.

Abstract:
This diploma thesis deals with the methodology of information security management in a medium-sized company supporting critical infrastructure. The first part is focused on the theoretical aspects of the topic. The practical part consists of an analysis of the current state, a risk analysis and corrective measures according to Annex A of the standard ČSN ISO/IEC 27001:2014. The implementation of the ISMS is divided into four phases; this thesis, however, covers the first two phases only.
13

Kulhánek, Radek. "Návrh na zavedení průmyslového řešení ISMS ve výrobní společnosti." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241566.

Abstract:
This diploma thesis deals with an industrial ISMS implementation in a manufacturing company. The theoretical part of the thesis summarizes the theoretical knowledge in the field of information security and industrial security. In the following section the company AB Komponenty s.r.o. is analysed. Then an analysis of risks based on selected assets and potential threats is performed, followed by the design of countermeasures to minimize the potential threats.
14

Kosek, Jindřich. "Zavedení ISMS v malém podniku se zaměřením na ICT infrastrukturu." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2014. http://www.nusl.cz/ntk/nusl-224444.

Abstract:
The diploma thesis is focused on the design of the implementation of an information security management system in a small business, applying theoretical knowledge to real-life situations in a manufacturing company. First of all, an analysis of the current status and of the consequent threats which can affect the company's assets is performed. Thereafter, measures are proposed based on the identified risks and the requirements of the owner.
15

Bukovský, Luděk. "Návrh zavedení bezpečnostních opatření podle ISMS ve společnosti vyvíjející finanční aplikaci." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2019. http://www.nusl.cz/ntk/nusl-399318.

Abstract:
The goal of this master's thesis is a proposal for the implementation of security measures in a company developing a financial software application focused primarily on the Swiss market. These measures are based on the results of an assessment of the present state of security in the company. The proposal for the security measures is based on the results of the risk analysis, follows the recommendations of the ISO/IEC 27000 series of standards and should lead to the reduction of the risks affecting the company.
16

Pawlik, Jan. "Zavedení ISMS v podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2015. http://www.nusl.cz/ntk/nusl-224837.

Abstract:
This master thesis deals with the implementation of an information security management system according to the standard ISO/IEC 27001 in the environment of a small company. In the first part, it focuses on the theoretical background of information security. The second part deals with the analysis of the company and the concept of the company's measures to increase the security of information within the selected company.
17

Palarczyk, Vít. "Zavedení ISMS v malém podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2015. http://www.nusl.cz/ntk/nusl-224894.

Abstract:
This master's thesis is focused on the design of the implementation of an information security management system (ISMS) in a specific business. In the theoretical part, it provides the basic concepts and a detailed description of an ISMS. The analysis of the current information security state of the company is also described. In the practical part, it provides a risk analysis and a selection of measures to minimize the risks found. In the final part, a process and a schedule for the implementation of the selected measures are designed.
18

Jemelíková, Kristýna. "Kyberbezpečnost v průmyslu." Master's thesis, Vysoké učení technické v Brně. Fakulta strojního inženýrství, 2021. http://www.nusl.cz/ntk/nusl-449730.

Abstract:
The master's thesis deals with the management of cyber security in a manufacturing company. The theoretical part contains the concepts and knowledge of cyber security and discusses the current requirements of legislation and of the ISO/IEC 27000 series of standards. In the practical part, measures to increase cyber security and information security are proposed based on the theoretical background and an analysis of the current state in the selected company.
19

Kalabis, Petr. "Management informační bezpečnosti v podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241646.

Abstract:
This master thesis is focused on the design of the implementation of an information security management system in the company according to the ISO/IEC 27000 standards. First of all, the theory of information security management systems is described and the relevant terms and other requirements in the context of this issue are explained. This assignment involves an analysis of the current situation of the company and suggestions that lead to reducing the discovered risks and improving general information security.
20

Kryštof, Tomáš. "Návrh na zavedení nutných oblastí ISMS na základní škole." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241476.

Abstract:
This master thesis is concerned with information security at a specific primary school. The first and second parts of this thesis endeavor to provide the basic theoretical starting points on ISMS issues and to give an overview of the current state of information security at the primary school. This is followed by the practical part, which proposes suitable security steps and recommendations for the solution of the most important tasks from the perspective of ICT security management.
21

Hajný, Jiří. "Management informační bezpečnosti ve zdravotnickém zařízení." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2014. http://www.nusl.cz/ntk/nusl-224498.

Abstract:
The diploma thesis focuses on the implementation and deployment of an information security management system (ISMS) in healthcare organizations. It specifies what needs to be included in this process and what not to forget. It includes a risk analysis of a branch of the selected company, for which a safety guide is written. The safety guide provides advice and recommendations regarding security in terms of human resources, physical security, ICT security and other aspects that should be included in the ISMS deployment in healthcare organizations. The work also reflects the newly emerging law on cyber security. It is expected that the law will also address cyber security in healthcare.
22

Štukhejl, Kamil. "Návrh zavedení ISMS ve veřejné správě." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2019. http://www.nusl.cz/ntk/nusl-399673.

Abstract:
This diploma thesis focuses on the implementation of an information security management system in public administration based on the ISO/IEC 27000 series of standards. The thesis contains the theoretical background, an introduction of the organization, a risk analysis and a proposal of appropriate measures for the minimization of the identified risks. In the end, an implementation plan is proposed, including an economic evaluation.
23

Kadlec, Miroslav. "Návrh řízení informační bezpečnosti v průmyslovém prostředí." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2018. http://www.nusl.cz/ntk/nusl-378336.

Abstract:
The diploma thesis deals with the design of information security management in the industrial environment. In the first part of the thesis, the theoretical background from the area of information security is presented. An analysis of the default status follows, and a risk analysis is also performed. Further, the thesis deals with the design of the industrial network infrastructure and its management.
24

Kubík, Lukáš. "Informační bezpečnost jako jeden z ukazatelů hodnocení výkonnosti v energetické společnosti." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2017. http://www.nusl.cz/ntk/nusl-318305.

Abstract:
The master thesis is concerned with assessing the state of information security and its use as an indicator of corporate performance in an energy company. The chapter analysing the problem and the current situation presents findings on the state of information security and the implementation stage of the ISMS. The practical part is focused on risk analysis and an assessment of the maturity level of processes, which are submitted as the basis for the proposed security measures and recommendations. Metrics to measure the level of information security are also designed.
25

Lukeš, Pavel. "Implementace nových koncových uzlů do firmy a jejich management." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241594.

Abstract:
This thesis deals with an analysis of the problems of the company MBG, spol. s r.o., followed by the theoretical basis for these problems, and in the end it suggests solutions. These problems are insufficient monitoring, some of the used technology being old, and the absence of any information security management system. The first part is focused on the theoretical basis for the described problems; the second part completely analyzes all the mentioned problems of the company. The final part contains a solution for every problem of the company, based on theory and analysis, while also taking care of the company's demands.
26

Šumbera, Adam. "Zavedení managementu bezpečnosti informací v podniku dle ISO 27001." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224217.

Abstract:
This diploma thesis deals with the implementation of an information security management system in a company. The theoretical part of the thesis summarizes the theoretical knowledge in the field of information security and describes the ISO/IEC 27000 set of standards. In the following section the specific company is analysed, and the theoretical knowledge is then applied to this company during the implementation of the information security management system.
27

Février, Rémy. "Management de la sécurité des systèmes d'information : les collectivités territoriales face aux risques numériques." Thesis, Paris 2, 2012. http://www.theses.fr/2012PA020025.

Abstract:
This thesis aims to answer the following question: what is the level of consideration given to Information Systems Security (ISS) by French local authorities in the face of digital risks? As the latter are today confronted with new challenges that require an ever-greater use of new technologies (e-government, e-democracy, dematerialisation of calls for tenders…), the management of the security of territorial Information Systems (IS) is becoming a major issue, though still little studied, in terms of public service and the protection of personal data. Established through successive professional positions and within the framework of a naturalistic approach to decision-making, our theoretical model aims to measure the actual level of consideration given to digital risk, starting from hypotheses based on the respective influence of a set of characteristics specific to local authorities. It takes the form of a field survey conducted directly with territorial officials. While this issue requires local decision-makers to become aware of the need to protect the data entrusted to them, it turns out that they have, at best, only a very imperfect knowledge of the issues and risks inherent in securing an IS, as well as of all the direct or indirect threats likely to compromise its proper use. A potential solution could lie, alongside the introduction of procedures adapted to the level of each local authority, in the definition of a specific public policy.
This doctoral thesis aims at answering a key question: what is the level of consideration given to Information Systems Security (ISS) by the French local authorities (LAs)? The latter are now facing new challenges that require an ever-increasing use of new technologies (e-government, e-democracy, dematerialization of calls for tenders...). The under-researched territorial IT risk becomes a major issue in the sphere of public services and the protection of personal data. Theoretically based and constructed through successive professional positions, our theoretical model helps measure the actual level of inclusion of digital risk, taking into account the respective influence of a set of characteristics of local authorities. A field survey was conducted with the close collaboration of representatives of LAs. While numerical risk requires a high level of awareness by LA decision makers, it appears that they have a very imperfect knowledge of IT security related risks as well as of direct or indirect threats that may jeopardize their management systems. A potential solution lies with the definition of a specific public policy and with the implementation of appropriate procedures at the level of each community.
28

Hruška, David. "Návrh změn identity managementu v podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2018. http://www.nusl.cz/ntk/nusl-378329.

Abstract:
This diploma thesis focuses on the proposal to implement changes of identity management in a particular company. In the theoretical part, the basic concepts and a detailed description of identity management are given. An analysis of the current state of information security in the company, a risk analysis and a selection of measures to minimize the risks found are also described. At the end of this thesis, the changes, their procedure and a timetable for the implementation of the selected measures are proposed.
29

Pospíchal, Jindřich. "Zavedení ISMS v podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241309.

Abstract:
The master's thesis is aimed at proposing an implementation of an information security management system in a company. It covers the basic theoretical background and concepts of information system security and describes the ČSN ISO/IEC 27000 standards. A specific provisioning of the ISMS is then proposed based on the theoretical background and an analysis of the current state.
30

Mahmood, Ashrafullah Khalid. "Information Security Management of Healthcare System." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2010. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-4353.

Abstract:
Information security has a significant role in healthcare organizations. The Electronic Health Record (EHR) with a patient's information is considered very sensitive in a healthcare organization. Sensitive information of patients in healthcare has to be managed such that it is safe and secure from unauthorized access. High-quality care for patients is possible if the healthcare management system is able to provide the right information at the right time to the right place. Availability and accessibility are significant aspects of information security, where applicable information needs to be available and accessible for users within the healthcare organization as well as across organizational borders. At the same time, it is essential to protect patient security from unauthorized access and maintain the appropriate level of information security in health care. The aim of this thesis is to explore the current management of information security in terms of Electronic Health Records (EHR) and how these are protected from possible security threats and risks in healthcare, when the sensitive information has to be communicated among different actors in healthcare as well as across borders. The Blekinge healthcare system was investigated through a case study in which several interviews were conducted to discover possible issues concerning security threats to the management of healthcare. The theoretical work was the framework and support for possible solutions to the identified security risks and threats in Blekinge healthcare. At the end, after mapping the whole process, possible guidelines and suggestions were recommended for healthcare in order to protect the sensitive information from unauthorized access and maintain information security. The management of technical and administrative bodies was explored for security problems. It has the main role in healthcare and, in general, the whole business of managing the sensitive information of patients is the responsibility of this management. Consequently, Blekinge healthcare was investigated for possible issues, and some possible guidelines and suggestions were given in order to improve the current information security and prevent the relevant risks to sensitive healthcare information.
31

Sharma, Dhirendra S. M. Massachusetts Institute of Technology. "Enterprise Information Security Management Framework [EISMF]." Thesis, Massachusetts Institute of Technology, 2011. http://hdl.handle.net/1721.1/67568.

Abstract:
Thesis (S.M. in Engineering and Management)--Massachusetts Institute of Technology, Engineering Systems Division, System Design and Management Program, 2011.
There are several technological solutions available in the market to help organizations with information security breach detection and prevention, such as intrusion detection and prevention systems, antivirus software, firewalls, and spam filters. There is no doubt that significant progress has been made on the technological side of information security. However, when we study the causes of information security breaches, we find that a significant number are caused by non-technical reasons such as social engineering, theft of a computing device or portable hard drive, human behavior, and human error. This leads us to conclude that information security should not be viewed through a technology perspective only. Instead, a more holistic approach is required. This thesis provides a systems approach towards information security management and includes technological, management and social aspects. This thesis starts with an introduction, especially the background and motivation of the author, followed by literature research. Next, the Enterprise Information Security Management Framework is presented, leading to an estimation of an organization's information security management maturity level. Finally, the conclusion and potential future work are presented.
32

Nemec, Tomáš. "Návrh metodiky pro příručku ISMS a opatření aplikované na vybrané oblasti." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224225.

Abstract:
The content of this thesis is a methodology for creating an ISMS security manual. The proposed implementation is supported by the theoretical background given in the introductory part of the work. The design of the practical process methodology follows the structure of the international standard ISO/IEC 27001:2005.
33

Coles-Kemp, Elizabeth. "The anatomy of an information security management system." Thesis, King's College London (University of London), 2008. https://kclpure.kcl.ac.uk/portal/en/theses/the-anatomy-of-an-information-security-management-system(08ef0714-a5aa-4b6e-b322-8a174da6a2b9).html.

Abstract:
This thesis explores the different types of information security management decision making that take place within an organisation. It identifies how the construction of an information security management system (ISMS) alters in order to respond to different organisational variations, identifies the resource implications of making these alterations, and describes how the process of embedding an ISMS into the operational fabric of an organisation changes the way in which information security is managed. This thesis responds to the following "real world" problem: quantifying the type of resource needed to develop and maintain an ISMS is difficult because little is known about how ISMS are structured and how they respond to organisational variations. Documentation only considers ISMS in terms of its response to information security risk. As a result, not only is it difficult to quantify the resource required to manage information security, but it is also difficult to measure and compare the effectiveness of ISMS. This real world problem is paralleled by the following academic problem: ISMS theory is largely based on the views of practitioners and has not been augmented by systematic objective organisational research. In addition, existing information security management research shows that there are clear synergies with organisational sociology, organisation theory and cybernetics but these synergies have not been extensively reviewed. As a result, there is no specific academic platform from which to develop a theory of ISMS design. In response to these real-world and academic problems, this research contributes to the development of organisation theory relevant to information security management and is based on systematic organisational investigation. As a conclusion to this research, a theory of ISMS design is developed that has synergy with theories of organisational sociology, organisation theory and cybernetics but that also shows clear characteristics of its own.
34

He, Ying. "Generic security templates for information system security arguments : mapping security arguments within healthcare systems." Thesis, University of Glasgow, 2014. http://theses.gla.ac.uk/5773/.

Abstract:
Industry reports indicate that the number of security incidents occurring in healthcare organisations is increasing. Lessons learned (i.e. the causes of a security incident and the recommendations intended to avoid any recurrence) from those security incidents should ideally inform information security management systems (ISMS). The sharing of the lessons learned is an essential activity in the "follow-up" phase of the security incident response lifecycle, which has long been recognised but not given enough attention in academia and industry. This dissertation proposes a novel approach, the Generic Security Template (GST), aiming to feed back the lessons learned from real-world security incidents to the ISMS. It adapts the graphical Goal Structuring Notation (GSN) to present the lessons learned in a structured manner by mapping them to the security requirements of the ISMS. The suitability of the GST has been confirmed by demonstrating that instances of the GST can be produced from real-world security incidents in different countries, based on in-depth analysis of case studies. The usability of the GST has been evaluated using a series of empirical studies. The GST is empirically evaluated in terms of its effectiveness in assisting the communication of the lessons learned from security incidents as compared to the traditional text-based approach alone. The results show that the GST can help to improve accuracy and reduce the mental effort involved in identifying the lessons learned from security incidents, and the results are statistically significant. The GST is further evaluated to determine whether users can apply the GST to structure insights derived from a specific security incident. The results show that students with a computer science background can create an instance of the GST. The acceptability of the GST is assessed in a healthcare organisation.
Strengths and weaknesses are identified and the GST has been adjusted to fit into organisational needs. The GST is then further tested to examine its capability to feed back the security lessons to the ISMS. The results show that, by using the GST, lessons identified from security incidents from one healthcare organisation in a specific country can be transferred to another and can indeed inform the improvements of the ISMS. In summary, the GST provides a unified way to feed back the lessons learned to the ISMS. It fosters an environment where different stakeholders can speak the same language while exchanging the lessons learned from the security incidents around the world.
35

Monzelo, Pedro Miguel Centúrio Sol. "A função do Chief Information Security Officer nas organizações" [The role of the Chief Information Security Officer in organisations]. Master's thesis, Instituto Superior de Economia e Gestão, 2018. http://hdl.handle.net/10400.5/17568.

Abstract:
Master's in Information Systems Management
In an increasingly connected and digital world, information is seen as a business enabler and a source of sustained competitive advantage. Thus, information security is becoming critical in order to protect these information assets, which is why organizations' security strategy has been aligning with their strategic objectives. On the other hand, recent changes in regulation, such as the Network and Information Security (NIS) directive and the General Data Protection Regulation (GDPR), regulate and create rules for information security, and allow organizations to redesign or adjust their processes in order to ensure that information is, in fact, safe. In this context, the Chief Information Security Officer (CISO) comes to play an important role in coordinating the confidentiality, integrity and availability of information in the organization. This paper aims to study organizations' information security environment in general, analyse the CISO's role inside them, and understand where the CISO should be integrated in the corporate structure. To do so, interviews were conducted with experienced information security consultants and with information systems and information security directors, which allowed us to conclude that organizations in Portugal still need a great amount of maturing when it comes to information security, and that this may be due to the absence of an established security culture in the country. On the other hand, the CISO's role has been increasing in relevance, and it is the general opinion that the CISO's relationship with the organization's board should be close.
36

Altamirano, Peter. "Zavedenie systému riadenia informačnej bezpečnosti v malom podniku" [Introduction of an information security management system in a small enterprise]. Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-223974.

Abstract:
The diploma thesis deals with the design of the implementation of an information security management system in an IT company and with metrics for measuring the effectiveness of the system, according to the international ISO/IEC 2700x standards. The thesis also addresses the resources invested in establishing the system. It provides a summary of the theoretical knowledge of information security management systems, analyzes the current situation in the company and proposes measures to increase security in the company.
37

Farahmand, Fariborz. "Developing a Risk Management System for Information Systems Security Incidents." Diss., Georgia Institute of Technology, 2004. http://hdl.handle.net/1853/7600.

Abstract:
The Internet and information systems have enabled businesses to reduce costs, attain greater market reach, and develop closer business partnerships along with improved customer relationships. However, using the Internet has led to new risks and concerns. This research provides a management perspective on the issues confronting CIOs and IT managers. It outlines the current state of the art of information security, the important issues confronting managers, security enforcement measure/techniques, and potential threats and attacks. It develops a model for classification of threats and control measures. It also develops a scheme for probabilistic evaluation of the impact of security threats with some illustrative examples. It involves validation of information assets and probabilities of success of attacks on those assets in organizations and evaluates the expected damages of these attacks. The research outlines some suggested control measures and presents some cost models for quantifying damages from these attacks and compares the tangible and intangible costs of these attacks. This research also develops a risk management system for information systems security incidents in five stages: 1- Resource and application value analysis, 2- Vulnerability and risk analysis, 3- Computation of losses due to threats and benefits of control measures, 4- Selection of control measures, and 5- Implementation of alternatives. The outcome of this research should help decision makers to select the appropriate control measure(s) to minimize damage or loss due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations.
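The probabilistic evaluation of expected damages and the five-stage risk management system described in this abstract (asset valuation, vulnerability and risk analysis, computation of losses and control benefits, control selection) can be illustrated with an added example. This is a generic annualized-loss-expectancy model written for this page, not the thesis's own model: asset values, threat rates, success probabilities and control costs are constructed sample figures, and the assumption that stacked controls reduce a threat's success probability multiplicatively is this example's simplification.

```python
"""Added example: quantitative risk model and control selection (not the thesis's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    value: float        # tangible replacement value (constructed sample figure)
    intangible: float   # estimated reputational/legal cost of a breach (constructed)


@dataclass
class Threat:
    name: str
    annual_rate: float   # expected attempts per year (annual rate of occurrence)
    success_prob: float  # probability an attempt succeeds with current controls
    exposure: float      # fraction of asset value lost per successful attempt


@dataclass
class Control:
    name: str
    annual_cost: float
    mitigates: Dict[str, float]  # threat name -> factor applied to success_prob (assumption: multiplicative)


def expected_loss(asset: Asset, threat: Threat) -> float:
    """Annualized loss expectancy: rate * P(success) * loss per successful event."""
    loss_per_event = threat.exposure * (asset.value + asset.intangible)
    return threat.annual_rate * threat.success_prob * loss_per_event


def residual_loss(asset: Asset, threats: List[Threat], controls: List[Control]) -> float:
    """Total annual loss that remains after the given controls are applied."""
    total = 0.0
    for t in threats:
        p = t.success_prob
        for c in controls:
            p *= c.mitigates.get(t.name, 1.0)
        total += expected_loss(asset, Threat(t.name, t.annual_rate, p, t.exposure))
    return total


def select_controls(asset: Asset, threats: List[Threat], candidates: List[Control]) -> List[Control]:
    """Greedy selection: repeatedly add the control with the largest net benefit
    (loss avoided minus annual cost); stop when no remaining control pays for itself."""
    chosen: List[Control] = []
    remaining = list(candidates)
    while remaining:
        base = residual_loss(asset, threats, chosen)
        best, best_gain = None, 0.0
        for c in remaining:
            gain = base - residual_loss(asset, threats, chosen + [c]) - c.annual_cost
            if gain > best_gain:
                best, best_gain = c, gain
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


# Constructed sample data for one asset, two threats and four candidate controls.
CUSTOMER_DB = Asset("customer_database", value=200_000.0, intangible=300_000.0)
THREATS = [
    Threat("phishing", annual_rate=12.0, success_prob=0.05, exposure=0.2),
    Threat("ransomware", annual_rate=2.0, success_prob=0.10, exposure=0.5),
]
CONTROLS = [
    Control("awareness_training", 15_000.0, {"phishing": 0.4}),
    Control("mfa", 20_000.0, {"phishing": 0.3, "ransomware": 0.8}),
    Control("offline_backups", 30_000.0, {"ransomware": 0.2}),
    Control("expensive_appliance", 90_000.0, {"ransomware": 0.5}),
]


def demo() -> Tuple[float, List[str], float]:
    """Return (loss before controls, names of selected controls, residual loss)."""
    before = residual_loss(CUSTOMER_DB, THREATS, [])
    chosen = select_controls(CUSTOMER_DB, THREATS, CONTROLS)
    after = residual_loss(CUSTOMER_DB, THREATS, chosen)
    return before, [c.name for c in chosen], after


if __name__ == "__main__":
    before, names, after = demo()
    print(f"annual expected loss without controls: {before:,.0f}")
    print(f"selected controls: {names}; residual loss: {after:,.0f}")
```

With the sample figures the model starts from an expected loss of 110,000 per year, picks MFA first (largest net benefit because it touches both threats), then offline backups, and rejects awareness training once MFA has already cut the phishing success rate, because its remaining benefit no longer covers its cost. Intangible losses enter only through a single estimate here; the abstract's separate treatment of tangible and intangible costs would split that term.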
38

Gancarčik, Rastislav. "Informační bezpečnost jako ukazatel výkonnosti podniku" [Information security as an indicator of company performance]. Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2017. http://www.nusl.cz/ntk/nusl-318349.

Abstract:
The content of this thesis is a proposed methodology for evaluating a company's performance in the area of information security, where performance is judged by compliance with the standard ISO/IEC 27001:2013, Act no. 181/2014 Coll., Regulation 2016/679 of the European Parliament and Directive 2016/1148 of the European Parliament. The methodology is designed for a particular company operating in the Czech Republic.
39

Tyali, Sinovuyo. "An integrated management system for quality and information security in healthcare." Thesis, Nelson Mandela Metropolitan University, 2012. http://hdl.handle.net/10948/d1006670.

Abstract:
Health service organizations are increasingly required to deliver quality healthcare services without increasing costs. The adoption of health information technologies can assist these organizations to deliver a quality service; however, this again exposes the health information to threats. The protection of personal health information is critical to ensure the privacy of patients in the care of health service organizations. Therefore both quality and information security are of importance in healthcare. Organisations commonly use management system standards to assist them to improve a particular function (e.g. quality or security) through structured organizational processes to establish, maintain and optimise a management system for the particular function. In the healthcare sector, the ISO 9001, ISO 9004 and IWA 1 standards may be used for the purpose of improving quality management through the establishment of a quality management system. Similarly, the ISO 27001 and ISO 27799 standards may be used to improve information security management through the establishment of an information security management system. However, the concurrent implementation of multiple standards brings confusion and complexity within organisations. A possible solution to the confusion is to introduce an integrated management system that addresses the requirements of multiple management systems. In this research, various standards relevant to the establishment of management systems for quality and security are studied. Additionally, literature on integrated management systems is reviewed to determine a possible approach to establishing an IMS for quality and information security in healthcare. It will be shown that the quality management and information security management standards contain commonalities that an integration approach can be based on. 
A detailed investigation of these commonalities is done in order to present the final proposal of the IMSQS, the Integrated Management System for Quality and Information Security in healthcare.
40

Ansen, Jerry Bature. "Information Security Management in a Human Resource Information System of a Selected University of Technology." Thesis, Cape Peninsula University of Technology, 2014. http://hdl.handle.net/20.500.11838/1768.

Abstract:
Submitted to the Faculty of Business in partial fulfilment of the requirements for the degree of Master of Technology in Business Information Systems at the Cape Peninsula University of Technology, South Africa, 2014.
The study aimed to determine the information security management challenges in information systems (IS). The human resources department (HRD) of a selected university of technology (UoT) was used as a case study to investigate employee appointment process data and its security management challenges. The unit of study was the human resource information system (HRIS) as a form of IS. An interpretive case-study approach and questionnaires were employed to support data gathering. Information gathered and managed by the HRD during and after an employee's appointment is vital to the institution. The rationale for this study therefore emanated from ongoing concerns about ineffective information security in organisations, resulting in substantial losses. From the literature reviewed, a conceptual framework was developed and used to guide the data analysis and interpretation. The research findings were further used to validate the conceptual framework. This was done to create a general framework whereby the conclusions and recommendations from the data analysis and information security practices could enhance information security management in human resource systems at a university of technology.
41

Al-Hamar, Aisha. "Enhancing information security in organisations in Qatar." Thesis, Loughborough University, 2018. https://dspace.lboro.ac.uk/2134/33541.

Abstract:
Due to the universal use of technology and its pervasive connection to the world, organisations have become more exposed to frequent and varied threats. Therefore, organisations today are giving more attention to information security, as it has become a vital and challenging issue. Many researchers have noted that the significance of information security, particularly information security policies and awareness, is growing due to the increasing use of IT and computerisation. In the last 15 years, the State of Qatar has witnessed remarkable growth and development, having embraced information technology as a base for innovation and success. The country has undergone tremendous improvements in the health care, education and transport sectors. Information technology plays a strategic role in building the country's knowledge-based economy. Due to Qatar's increasing use of the internet and connection to the global environment, it needs to adequately address the global threats arising online. As a result, the scope of this research is to investigate information security in Qatar and in particular the National Information Assurance (NIA) policy. There are many solutions for information security, some technical and some non-technical, such as policies and making users aware of the dangers. This research focuses on enhancing information security through non-technical solutions. The aim of this research is to improve Qatari organisations' information security processes by developing a comprehensive Information Security Management framework that is applicable to implementation of the NIA policy, taking into account Qatar's culture and environment. To achieve the aim of this research, different research methodologies, strategies and data collection methods are used, such as a literature review, surveys, interviews and case studies.
The main findings of this research are that there is insufficient information security awareness in organisations in Qatar and a lack of a security culture, and that the current NIA policy has many barriers that need to be addressed. The barriers include a lack of information security awareness, a lack of dedicated information security staff, and a lack of a security culture. These barriers are addressed by the proposed information security management framework, which is based on four strategic goals: empowering Qataris in the field of information security, enhancing information security awareness and culture, activating the Qatar National Information Assurance policy in real life, and enabling Qatar to become a regional leader in information security. The research also provides an information security awareness programme for employees and university students. At the time of writing this thesis, there are already indications that the research will have a positive impact on information security in Qatar. A significant example is that the information security awareness programme for employees has been approved for implementation at the Ministry of Administrative Development Labour and Social Affairs (ADLSA) in Qatar. In addition, the recommendations proposed have been communicated to the responsible organisations in Qatar, and the author has been informed that each organisation has decided to act upon the recommendations made.
42

Hassebroek, Pamela Burns. "Institutionalized Environments and Information Security Management: Learning from Y2K." Diss., available online, Georgia Institute of Technology, 2007. http://etd.gatech.edu/theses/available/etd-06192007-111256/.

Abstract:
Thesis (Ph. D.)--Public Policy, Georgia Institute of Technology, 2008.
Rogers, Juan D., Committee Chair ; Klein, Hans K., Committee Member ; Bolter, Jay David, Committee Member ; Nelson-Palmer, Mike, Committee Member ; Kingsley, Gordon, Committee Member.
43

Dubuc, Clémence. "A Real-time Log Correlation System for Security Information and Event Management." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-300452.

Abstract:
The correlation of several events within a period of time is a necessity for a threat detection platform. In the case of multistep attacks (attacks characterized by a sequence of executed commands), it allows detecting the different steps one by one and correlating them to raise an alert. It also allows detecting abnormal behaviours on the IT system, for example multiple suspicious actions performed by the same account. The correlation of security events increases the security of the system and reduces the number of false positives. The correlation of the events is made using pre-existing correlation rules. The goal of this thesis is to evaluate the feasibility of using a correlation engine based on Apache Spark. There is a need to change the current correlation system because it is not scalable, it cannot handle all the incoming data and it cannot perform some types of correlation, such as aggregating the events by attributes or counting cardinality. The novelty is the improvement of the performance and the correlation capacities of the system. Two systems are proposed for correlating events in this project. The first one is based on Apache Spark Structured Streaming and analyzes the flow of security logs in real time. As the results are not satisfactory, a second system is implemented. It uses a more traditional approach by storing the logs in an Elasticsearch cluster and running correlation queries on it. In the end, the two systems are able to correlate the logs of the platform. Nevertheless, the system based on Apache Spark uses too many resources per correlation rule and it is too expensive to launch hundreds of correlation queries at the same time. For those reasons, the system based on Elasticsearch is preferred and is implemented in the workflow.
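The three correlation types the abstract names (aggregating events by an attribute over a time window, counting cardinality, and chaining the steps of a multistep attack) are shown below in an added example that is not part of the thesis and does not use its Spark or Elasticsearch implementation. It is a small in-memory correlator in plain Python: the log line format, the rule thresholds and the sample log lines are constructed for this illustration.

```python
"""Added example: windowed correlation rules over a stream of security events."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Constructed line format: "<epoch> <EVENT> user=<name> src=<ip> [cmd=<command>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)(?: cmd=(?P<cmd>.*))?$"
)


def parse(line: str) -> Optional[dict]:
    """Parse one line; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev


class Correlator:
    """Stateful rule engine. Each rule keeps only the state it needs, bounded by the window."""

    def __init__(self, window: int = 300, fail_threshold: int = 5, ip_threshold: int = 3):
        self.window = window                    # seconds of history a rule may look back
        self.fail_threshold = fail_threshold    # aggregation rule: failed logins per account
        self.ip_threshold = ip_threshold        # cardinality rule: distinct sources per account
        self.failures: Dict[str, Deque[Tuple[int, None]]] = defaultdict(deque)
        self.sources: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
        self.stage: Dict[str, Tuple[str, int]] = {}   # sequence rule: per-account progress
        self.alerts: List[Tuple[str, str, int]] = []

    def _trim(self, dq: Deque, now: int) -> None:
        """Drop entries that fell out of the window (deques are ordered oldest first)."""
        while dq and dq[0][0] < now - self.window:
            dq.popleft()

    def feed(self, ev: dict) -> None:
        user, now, kind = ev["user"], ev["ts"], ev["event"]

        if kind == "LOGIN_FAIL":
            # Rule 1: aggregate by attribute (account) and count within the window.
            dq = self.failures[user]
            dq.append((now, None))
            self._trim(dq, now)
            if len(dq) == self.fail_threshold:   # fire once, on crossing the threshold
                self.alerts.append(("brute_force", user, now))
            self.stage[user] = ("failed", now)   # first step of the multistep sequence

        if kind in ("LOGIN_FAIL", "LOGIN_OK"):
            # Rule 2: cardinality of a second attribute (source IP) per account.
            dq = self.sources[user]
            dq.append((now, ev["src"]))
            self._trim(dq, now)
            if len({src for _, src in dq}) == self.ip_threshold:
                self.alerts.append(("distributed_login", user, now))

        if kind == "LOGIN_OK":
            # Rule 3, step 2: success shortly after failure advances the sequence.
            st = self.stage.get(user)
            if st and st[0] == "failed" and now - st[1] <= self.window:
                self.stage[user] = ("login_after_fail", now)
            else:
                self.stage.pop(user, None)

        if kind == "EXEC":
            # Rule 3, step 3: privileged command inside the window completes the chain.
            st = self.stage.get(user)
            cmd = ev.get("cmd") or ""
            if st and st[0] == "login_after_fail" and now - st[1] <= self.window and cmd.startswith("sudo"):
                self.alerts.append(("multistep_compromise", user, now))
                self.stage.pop(user, None)


# Constructed sample log: alice is brute-forced, then runs sudo; bob is hit from
# three sources; carol's sudo comes too late after her login to be chained.
SAMPLE_LOG = [
    "100 LOGIN_FAIL user=alice src=10.0.0.5",
    "130 LOGIN_FAIL user=alice src=10.0.0.5",
    "160 LOGIN_FAIL user=alice src=10.0.0.5",
    "190 LOGIN_FAIL user=alice src=10.0.0.5",
    "220 LOGIN_FAIL user=alice src=10.0.0.5",
    "250 LOGIN_OK user=alice src=10.0.0.5",
    "300 EXEC user=alice src=10.0.0.5 cmd=sudo cat /etc/shadow",
    "310 LOGIN_FAIL user=bob src=203.0.113.1",
    "320 LOGIN_FAIL user=bob src=203.0.113.2",
    "this line is not in the expected format",
    "330 LOGIN_FAIL user=bob src=203.0.113.3",
    "5000 LOGIN_FAIL user=carol src=10.0.0.9",
    "5010 LOGIN_OK user=carol src=10.0.0.9",
    "6000 EXEC user=carol src=10.0.0.9 cmd=sudo ls",
]


def run(lines: List[str] = SAMPLE_LOG) -> List[Tuple[str, str, int]]:
    """Feed lines in order and return the alerts raised as (rule, user, timestamp)."""
    c = Correlator()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue   # unparseable input is skipped rather than stopping the pipeline
        c.feed(ev)
    return c.alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Every rule's state is bounded by the window, which is the property the abstract's resource complaint about the streaming version is really about: a correlation engine that must keep unbounded per-rule state, or one whole job per rule, scales with the rule count rather than with the event rate. A query-based design over an indexed store pays that cost only when a rule is evaluated.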
44

Barton, Kevin Andrew. "Information System Security Commitment: A Study of External Influences on Senior Management." NSUWorks, 2014. http://nsuworks.nova.edu/gscis_etd/19.

Abstract:
This dissertation investigated how senior management is motivated to commit to information system security (ISS). Research shows senior management participation is critical to successful ISS, but has not explained how senior managers are motivated to participate in ISS. Information systems research shows pressures external to the organization have greater influence on senior managers than internal pressures. However, research has not fully examined how external pressures motivate senior management participation in ISS. This study addressed that gap by examining how external pressures motivate senior management participation in ISS through the lens of neo-institutional theory. The research design was survey research. Data collection was through an online survey, and PLS was used for data analysis. Sample size was 167 from a study population of small- and medium-sized organizations in a mix of industries in the south-central United States. Results supported three of six hypotheses. Mimetic mechanisms were found to influence senior management belief in ISS, and senior management belief in ISS was found to increase senior management participation in ISS. Greater senior management participation in ISS led to greater ISS assimilation in organizations. Three hypotheses were not supported. Correlation was not found between normative influences and senior management belief, normative influences and senior management participation, and coercive influences and senior management participation. Limitations with the study included a high occurrence of weak effect sizes on relationships within the model and heterogeneity based on industry, organization size, and regulatory requirements in the sample. This study contributes to ISS research by providing a theoretical model to explain how external influences contribute to senior management belief and participation in ISS, and ultimately ISS assimilation in organizations. 
Empirical evidence supports the mediating role by senior management between external influences and ISS assimilation. The findings also suggest some limitations that may exist with survey research in this area. This study benefits practitioners in three ways. First, it reinforces the argument that senior management support is critical to ISS success. Second, it extends understanding of senior management's role with ISS by explaining how IS and ISS management might nurture senior management belief and participation in ISS through industry groups and business partnerships. Third, the results inform government regulators and industry groups how they can supplement regulatory pressures with educational and awareness campaigns targeted at senior management to improve senior management commitment to ISS.
45

Svensson, Gustav. "Auditing the Human Factor as a Part of Setting up an Information Security Management System." Thesis, KTH, Industriella informations- och styrsystem, 2013. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-119528.

Abstract:
The human factor is the weakest link in all information systems with regard to security, but users are not aware of the risks or of the importance of following policies and routines to prevent a security breach. The most common attack vector starts by exploiting human weakness to plant malware inside the organization. There is a need to find a good way to audit the human factor in order to address this issue. Different penetration tests are evaluated in this study: two phishing attacks and one in the form of a survey under a false pretext. The respondents are tricked into thinking that they are answering questions about customer service efficiency while the questions are actually about information security and social engineering. This thesis argues that it is very complicated to measure people's predisposition to fall for social engineering, but that the survey under a false pretext is an interesting method to use when auditing how vulnerable an organization is to social engineering. It is also good at increasing security awareness and can be used as a soft start for the information security management process. The author also argues that all humans can be deceived and that trust is crucial for society to work. It is therefore perhaps more meaningful to audit users' compliance with security policies rather than human behavior.
46

Kuo, Mei-Show, and 郭美秀. "Exploring Campus Information Security Management Using COBIT and ISMS-A Case Study on Campus Information Systems of Some Junior High School in Taichung City." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/92xf4m.

Abstract:
Master's thesis
Da-Yeh University (大葉大學)
College of Management, in-service master's program
Graduation year 102 (Republic of China calendar)
As the information technology advances, human life has been inextricably linked with the Internet. The institutions of government and enterprises require information systems to maintain the organizational operations through the Internet, and the campus information systems also do so. For instance, the scores and personal data of students must be uploaded to the campus systems, and the security of these data must be emphasized seriously. This shows the significance of campus information systems security. This research will combine the standard of COBIT process and the structure of ISMS procedure. Through the in-depth case interviews with the users of the campus information systems, we will derive the processes of the information security system for junior high schools in Taiwan, which can be used to enhance the campus information security according to the related countermeasures and suggestions.
47

Cho, Yi-Ting, and 卓奕廷. "Techniques and applications of ISMS (Information Security Management)-based Automatic Risk Assessment." Thesis, 2016. http://ndltd.ncl.edu.tw/handle/tz2z47.

Abstract:
Master's thesis
Yuan Ze University (元智大學)
Department of Computer Science and Engineering
Graduation year 104 (Republic of China calendar)
With the popularity and rapid development of information technology, information security has become an issue that cannot be ignored. In recent years, major domestic and international information security incidents have happened one after another, resulting in significant losses for many organizations. The impact of these incidents has even extended to the level of national security. Many countries have realized the importance of information security, in particular the security of critical information infrastructure. ISO adopted the Information Security Management System (ISMS) standard series in 2000. ISO aims to protect the confidentiality, integrity and availability of organizational information through the ISMS. By using risk analysis, evaluation and treatment steps, the organization can achieve security control, reduce the occurrence and impact of information security incidents, and thus improve the organization's information security. However, past research has not established any automatic mechanism for a more objective risk evaluation that indicates the actual risk. This study, based on the Information Security Management System framework, analyzes the feasibility and techniques of automatic risk evaluation. A case study of a recording center of an unnamed large company is used to show the use and effectiveness of the proposed method. The advantages of automation include the following: it is a systematic, repeatable approach that detects potentially hidden or non-obvious problems which cannot be detected by humans. Thus, the proposed automation can improve the quality of information security management.
48

Venter, Diederik Petrus. "Infosure: an information security management system." Thesis, 2008. http://hdl.handle.net/10210/520.

Abstract:
Information constitutes one of an organisation’s most valuable assets. It provides the modern organisation with a competitive edge and in some cases, is a requirement merely to survive. An organisation has to protect its information but due to the distributed, networked environment of today, faces a difficult challenge; it has to implement a system of information security management. Software applications can provide significant assistance in managing information security. They can be used to provide for centralised feedback of information security related activities as well as for centralised configuration activities. Such an application can be used in enforcing compliance to the organisation’s information security policy document. Currently there are a number of software products that provide this function in varying measures. In this research the major players in this space were examined to identify the features commonly found in these systems, and where they were lacking in terms of affordability, flexibility and scalability. A framework for an information security management application was defined based on these features and requirements and incorporating the idea of being affordable, but still flexible and extendable. This shifted the focus from attempting to provide a comprehensive list of interfaces and measurements into general information security related activities, to focusing on providing a generic tool that could be customised to handle any information fed back to it. The measurements could then be custom-developed as per the needs of the organisation. This formed the basis on which the prototype information security management application (InfoSure) was developed.
Prof. S.H. Solms
49

Lei, Cheng-Chiu, and 雷誠久. "Information Security Management System for the Hospital." Thesis, 2007. http://ndltd.ncl.edu.tw/handle/3fyzjb.

Abstract:
Master's, National Dong Hwa University, Department of Computer Science and Information Engineering, 95
Digitalization jeopardizes information security wherever it is applied, and hospitals are not an exception. The information they possess is very personal, while the trust between the patient and the hospital is one basic factor for quality care. Therefore, hospital information security and privacy are major issues that cannot be ignored. This research uses case study methods to observe and understand the information security management system of our research subject. We used a four-point scoring survey that was developed on the basis of "ISO/IEC 27001" to develop models that could verify their information security management systems. Our research subject was the first hospital under the jurisdiction of the Department of Health and the first in Taiwan to receive an ISO/IEC 27001:2005 certificate. Therefore, their information security management is very good and can be viewed as a standard for others to follow. We have come up with some extremely constructive suggestions via our extensive research. These suggestions and experience will be presented to our hospital, provided to future researchers, and serve as a reference for those that wish to use such a system.
50

Yen, Kung-Kai, and 顏工凱. "An Information Security Knowledge Management System for Information Technology Industry." Thesis, 2016. http://ndltd.ncl.edu.tw/handle/77067390564461984336.

Abstract:
Master's, Chung Hua University, Department of Information Management, 104
Knowledge in an enterprise is often omitted or lost due to changes of job position or business transformation. As a result, the enterprise not only loses a valuable asset but also damages its own interests. With the government paying more and more attention to protecting information security in recent years, each industry has derived processes and specifications applicable to itself. If an enterprise does not have a suitable process, it may damage its business interests when an event occurs and cannot be handled immediately. This research designs and implements an information security knowledge management system for information technology enterprises. The study followed ISO/IEC 27001, an international information security management standard, to inspect the business process and further define appropriate specifications. Besides, the research collected information security incidents that occurred in the enterprise. In order to let enterprise staff actively contribute knowledge of information security incidents, the research establishes an incentive mechanism based on learning motivation model theory. The research implements a knowledge management system for information security and adopts questionnaires to verify its feasibility. The proposed system not only stores, transfers and shares personnel experience and knowledge of information security incidents but also provides a systematic understanding of how to respond when events occur. The proposed system will bring more benefit to the enterprise.