To see the other types of publications on this topic, follow the link: Information security standards.
Dissertations / Theses on the topic 'Information security standards'
Create a spot-on reference in APA, MLA, Chicago, Harvard, and other styles
Consult the top 50 dissertations / theses for your research on the topic 'Information security standards.'
Next to every source in the list of references, there is an 'Add to bibliography' button. Press on it, and we will generate automatically the bibliographic reference to the chosen work in the citation style you need: APA, MLA, Harvard, Chicago, Vancouver, etc.
You can also download the full text of the academic publication as pdf and read online its abstract whenever available in the metadata.
Browse dissertations / theses on a wide variety of disciplines and organise your bibliography correctly.
1
Thomson, Steven Michael. "A standards-based security model for health information systems." Thesis, Nelson Mandela Metropolitan University, 2008. http://hdl.handle.net/10948/718.
Full textAbstract:
In the healthcare environment, various types of patient information are stored in electronic format. This prevents the re-entering of information that was captured previously. In the past this information was stored on paper and kept in large filing cabinets. However, with the technology advancements that have occurred over the years, the idea of storing patient information in electronic systems arose. This led to a number of electronic health information systems being created, which in turn led to an increase in possible security risks. Any organization that stores information of a sensitive nature must apply information security principles in order to ensure that the stored information is kept secure. At a basic level, this entails ensuring the confidentiality, integrity and availability of the information, which is not an easy feat in today’s distributed and networked environments. This paved the way for organized standardization activities in the areas of information security and information security management. Throughout history, there have been practices that were created to help “standardize” industries of all areas, to the extent that there are professional organizations whose main objective it is to create such standards to help connect industries all over the world. This applies equally to the healthcare environment, where standardization took off in the late eighties. Healthcare organizations must follow standardized security measures to ensure that patient information stored in health information systems is kept secure. However, the proliferation in standards makes it difficult to understand, adopt and deploy these standards in a coherent manner. This research, therefore, proposes a standards-based security model for health information systems to ensure that such standards are applied in a manner that contributes to securing the healthcare environment as a whole, rather than in a piecemeal fashion.
2
Johan, Boström. "Compliance & Standards - The Journey To Security." Thesis, Uppsala universitet, Institutionen för informationsteknologi, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-446601.
Full textAbstract:
We are in the age of Information Technology (IT) and amazinginnovations are developed. Management systems are now completelydigitalized and it has enabled people to continue working remotely inthe midst of a pandemic. With great innovations there are those thatseek to misuse or destroy systems for personal gain. Therefore IT &Information security is paramount both for organisation and products.To offer both an international approach for common security practicesand provide best results for IT & Information security there existsstandards and frameworks. In this thesis, the standard frameworksgeneral impact and value from both an organisational and a vendorsperspective is evaluated and assessed. To answer the research questionsof this thesis, standards and supporting theory were analysed andinterviewees with security professionals were held. Standards provideorganisational goals for developing a well-functioning and resilientsecurity. Standards also provide a common baseline between customerand vendors, minimising the need for tailoring in products’ securityrequirements. Furthermore, a certification for standards can increasethe confidence of the organisation or product, and generate a businessvalue. Whilst there are many benefits, the standards offer a structure onhow security can be built, but an organisation needs to understand anddevelop a security adapted to their organisation. In addition to setting upa security framework and implementing controls, organisation need tocreate security assurance processes to continuously review and evaluatemeasures to ascertain security posture.
3
Shoraka, Babak. "An Empirical Investigation of the Economic Value of Information Security Management System Standards." NSUWorks, 2011. http://nsuworks.nova.edu/gscis_etd/304.
Full textAbstract:
Within the modern and globally connected business landscape, the information assets of organizations are constantly under attack. As a consequence, protection of these assets is a major challenge. The complexities and vulnerabilities of information systems (ISs) and the increasing risks of failure combined with a growing number of security incidents, prompts these entities to seek guidance from information security management standards. The International Organization of Standardization (ISO) Information Security Management System (ISMS) standard specifies the requirements for establishing, operating, monitoring, and improving an information security management system within the context of an organization's overall business risks. Importantly, this standard is designed to ensure the selection of adequate information security controls for the protection of an organization's information assets and is the only auditable international standard for information security management.
The adoption of, and certification against the ISO ISMS standard is a complex process which impacts many different security aspects of organizations and requires significant investments in information security. Although many benefits are associated with the adoption of an information security management standard, organizations are increasingly employing economic measures to evaluate and justify their information security investments. With the growing emphasis on the importance of understanding the economic aspects of information security, this study investigated the economic value of the ISO ISMS standard adoption and certification.
The principles of the efficient market hypothesis and the event study methodology were employed to establish whether organizations realized economic gains from obtaining certification against the ISO ISMS standard. The results of this research showed that capital markets did not react to the ISO ISMS certification announcements. Furthermore, the capital market reaction to information security breaches was not different between ISO ISMS certified and non-certified firms. It was concluded that the ISO ISMS certification did not create economic value for the certified firms
4
Ngqondi, Tembisa Grace. "The ISO/IEC 27002 and ISO/IEC 27799 information security management standards : a comparative analysis from a healthcare perspective." Thesis, Nelson Mandela Metropolitan University, 2009. http://hdl.handle.net/10948/1066.
Full textAbstract:
Technological shift has become significant and an area of concern in the health sector with regard to securing health information assets. Health information systems hosting personal health information expose these information assets to ever-evolving threats. This information includes aspects of an extremely sensitive nature, for example, a particular patient may have a history of drug abuse, which would be reflected in the patient’s medical record. The private nature of patient information places a higher demand on the need to ensure privacy. Ensuring that the security and privacy of health information remain intact is therefore vital in the healthcare environment. In order to protect information appropriately and effectively, good information security management practices should be followed. To this end, the International Organization for Standardization (ISO) published a code of practice for information security management, namely the ISO 27002 (2005). This standard is widely used in industry but is a generic standard aimed at all industries. Therefore it does not consider the unique security needs of a particular environment. Because of the unique nature of personal health information and its security and privacy requirements, the need to introduce a healthcare sector-specific standard for information security management was identified. The ISO 27799 was therefore published as an industry-specific variant of the ISO 27002 which is geared towards addressing security requirements in health informatics. It serves as an implementation guide for the ISO 27002 when implemented in the health sector. The publication of the ISO 27799 is considered as a positive development in the quest to improve health information security. However, the question arises whether the ISO 27799 addresses the security needs of the healthcare domain sufficiently. The extensive use of the ISO 27002 implies that many proponents of this standard (in healthcare), now have to ensure that they meet the (assumed) increased requirements of the ISO 27799. The purpose of this research is therefore to conduct a comprehensive comparison of the ISO 27002 and ISO 27799 standards to determine whether the ISO 27799 serves the specific needs of the health sector from an information security management point of view.
5
Domingues, Steve. "Navigating between information security management documents : a modeling methodology." Thesis, Nelson Mandela Metropolitan University, 2010. http://hdl.handle.net/10948/1212.
Full textAbstract:
Organizations no longer draft their own standards. Instead, organizations take advantage of the available international standards. One standard may not cover all the organization's needs, requiring organizations to implement more than one standard. The same aspect in an organization may be covered by two or more standards, creating an overlap. An awareness of such overlaps led to various institutions creating mapping documents illustrating how a control from one standard relates to a control from a different standard. The mapping documents are consulted by the end user, to identify how a control in one standard may relate to other standards. This allows the end user to navigate between the standards documents. These mapping documents are valuable to a person who wishes to grasp how different standards deal with a specific control. However, the navigation between standards is a cumbersome task. In order to navigate between the standards the end user is required to consult three or more documents, depending on the number of standards that are mapped to the control being investigated. The need for a tool that will provide fast and efficient navigation between standards was identified. The data tier of the tool is the focus of this dissertation. As a result, this research proposes a modeling methodology that will allow for the modeling of the standards and the information about the mapping between standards, thereby contributing to the creation of tools to aid in the navigation between standards. A comparison between the major data modeling paradigms identifies multi-dimensional modeling as the most appropriate technique to model standards. Adapting an existing modeling methodology to cater for the modeling standards, yield a five step standard modeling methodology. Once modeled, the standards can be physically implemented as a database. The database schema that results from the standard modeling methodology adheres to a specific pattern and can thus be expressed according to well-defined meta-model. This allows for the generation of SQL statements by a tool with limited knowledge of the standards in a way that allows the quick navigation between standards. To determine the usefulness of the standards modeling methodology the research presents iv a prototype that utilizes the well-defined meta-model to navigate between standards. It is shown that, as far as navigation is concerned, no code changes are necessary when adding a new standard or new mappings between standards. This research contributes to the creation of a tool that can easily navigate between standards by providing the ability to model the data tier in such a way that it is extensible, yet remains independent of the application and presentation tiers.
6
Dresner, Daniel Gideon. "A study of standards and the mitigation of risk in information systems." Thesis, University of Manchester, 2011. https://www.research.manchester.ac.uk/portal/en/theses/a-study-of-standards-and-the-mitigation-of-risk-in-information-systems(d316550b-f305-4802-a037-688bb44bdc48).html.
Full textAbstract:
Organisations from the multinational Organisation for Economic Cooperation and Development through to national initiatives such as the UK's Cabinet Office, have recognised that risk - the realisation of undesirable outcomes - needs a firm framework of policy and action for mitigation. Many standards have been set that implicitly or explicitly expect to manage risk in information systems, so creating a framework of such standards would steer outcomes to desirable results.This study applies a mixed methodology of desk enquiries, surveys, and action research to investigate how the command and control of information systems may be regulated by the fusion and fission of tacit knowledge in standards comprising the experience and inductive reasoning of experts. Information system user organisations from the membership of The National Computing Centre provided the working environment in which the research was conducted in real time. The research shows how a taxonomy of risks can be selected, and how a validated catalogue of standards which describe the mitigation of those risks can be assembled taking the quality of fit and expertise required to apply the standards into account. The work bridges a gap in the field by deriving a measure of organisational risk appetite with respect to information systems and the risk attitude of individuals, and linking them to a course of action - through the application of standards - to regulate the performance of information systems within a defined tolerance. The construct of a methodology to learn about a framework of ideas has become an integral part of the methodology itself with the standards forming the framework and providing direction of its application.The projects that comprise the research components have not proven the causal link between standards and the removal of risk, leaving this ripe for a narrowly scoped, future investigation. The thesis discusses the awareness of risk and the propensity for its management, developing this into the definition of a framework of standards to mitigate known risks in information systems with a new classification scheme that cross-references the efficacy of a standard with the expertise expected from those who apply it. The thesis extends this to the idea that the framework can be scaled to the views of stakeholders, used to detect human vulnerabilities in information systems, and developed to absorb the lessons learnt from emergent risk. The research has clarified the investigation of the security culture in the thrall of an information system and brought the application of technical and management standards closer to overcoming the social and psychological barriers that practitioners and researchers must overcome.
7
ALEXANDRIA, JOAO C. S. de. "Gestao da seguranca da informacao - uma proposta para potencializar a efetividade da seguranca da informacao em ambiente de pesquisa cientifica." reponame:Repositório Institucional do IPEN, 2009. http://repositorio.ipen.br:8080/xmlui/handle/123456789/9474.
Full textAbstract:
Made available in DSpace on 2014-10-09T12:27:08Z (GMT). No. of bitstreams: 0Made available in DSpace on 2014-10-09T13:56:07Z (GMT). No. of bitstreams: 0
Tese (Doutoramento)
IPEN/T
Instituto de Pesquisas Energeticas e Nucleares - IPEN-CNEN/SP
8
Owen, Morné. "An enterprise information security model for a micro finance company: a case study." Thesis, Nelson Mandela Metropolitan University, 2009. http://hdl.handle.net/10948/1151.
Full textAbstract:
The world has entered the information age. How the information is used within an organization will determine success or failure of the organisation. This study aims to provide a model, that once implemented, will provide the required protection for the information assets. The model is based on ISO 27002, an international security standard. The primary objective is to build a model that will provide a holistic security system specifically for a South African Micro Finance Company (MFC). The secondary objectives focuses on successful implementation of such a model, the uniqueness of the MFC that should be taken into account, and the maintenance of the model once implemented to ensure ongoing relevance. A questionnaire conducted at the MFC provided insight into the perceived understanding of information security. The questionnaire results were used to ensure the model solution addressed current information security shortcomings within the MFC. This study found that the information security controls in ISO 27002 should be applicable to any industry. The uniqueness for the MFC is not in the security controls, but rather in the regulations and laws applicable to it.
9
Hedian, Daniel, and Neto Gil Silva. "The Risk Assessment based on international standards, a credibility evaluation: A case study on international standards of Risk Assessment and Management in the Information Security context." Thesis, Umeå universitet, Företagsekonomi, 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:umu:diva-99982.
Full textAbstract:
Summary Organizations face risks regardless of the type of industry or government. Historically risks have been undertaken in various processes and coped with differently by society. An appropriate application of risk management is widely acknowledged as one of the most critical aspects of undertaking business activities across all sectors in society, public and private. In order to carry out this activity as part of the crucial actions the organizations implement as part of their culture, many standards have been developed at the international level. These standards provide the groundwork for entities to start implementing these processes and reduce the risk they face with a standardized set of procedures across sectors. Risk assessment faces abundant arguments that lead to doubt the credibility of the standards implemented by different organizations, as not a single method or definition is agreed upon across cultural and sectorial barriers. Therefore, the credibility of the standardized assessment is doubted. This study aims to evaluate the credibility of standardized risk assessments with a focus on the Information Security Risk Assessment Standards, in particular ISO 27005 and NIST 800-30 in collaboration with the Swedish Armed Forces. The research adapts the frameworks available in literature to evaluate credibility of risk assessments to the international standardized assessment procedure. The standards credibility will be evaluated with different criteria divided in five categories considered applicable to the standardised risk assessment procedure. Also, input from experts in organizations currently employing the standards and academic experts in the field will also be utilized. This study utilizes a qualitative case study approach. The credibility evaluation performance of each international standard is similar; the only category that NIST 800-30 has a significant better performance is the category related to the final Risk Assessment Results (Report). The NIST provides a further step in the process as well as the guidelines and templates in order to develop different parts of the assessment process including the report, which is considered a best practice of a standardised risk assessment. The findings of the research contradict four criteria of the framework found in the literature, related to with what can be learned from past risk assessments, to the wide ranging of the required scope of a risk assessment, the relevance of the disclosure of information on the final risk assessment report related to the composition of the assessment group and finally the procedure for finding consensus among stakeholders. The research question “How credible are standardized risk assessments?” provide a holistic understanding of the credibility of the standards previously mentioned, determining that these provide a solid framework for companies to start assessing the risks in a regulated and standardized procedure. These oversee the problems embedded in the subjectivity of a risk assessment and the ever-changing (intrinsic and extrinsic) aspects of stakeholder behaviour with a lack of a systemic approach to solve these issues, which also include the lack of proper handling of risk uncertainty and the lack of transparency on the final risk assessment report. The study provides a groundwork which can be used in order to develop future research. This study also provides a grounded framework which can be used by entities utilizing the standards in order to reflect their procedures of their risk assessment activities. Keywords: Credibility, risk assessment, risk management, international standards, risk, information security, ISO 27005, NIST 800-30.
10
Mikkelinen, Nicklas. "Analysis of information classification best practices." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-11551.
Full textAbstract:
Information security, information management systems and more specifically information classification are important parts of an organisations information security. More and more information is being processed each day, and needs to be secured. Without proper information classification guidelines in place and lacking research within the subject, organisations could be vulnerable to attacks from third parties. This project displays a list of best practices found within information classification guidelines published online by different organisations. Out of 100 reviewed documents, 30 included information classification guidelines, and when analysed with a thematic analysis provides best practices within information classification.
11
Upfold, Christopher Tennant. "An investigation of information security in small and medium enterprises (SME's) in the Eastern Cape." Thesis, Rhodes University, 2005. http://hdl.handle.net/10962/d1003847.
Full textAbstract:
Small and Medium Enterprises (SME’s) embrace a wide range of information systems and technology that range from basic bookkeeping and general purpose office packages, through to advanced E-Business Web portals and Electronic Data Interchange (EDI). A survey, based on SABS ISO/IEC 17799 was administered to a select number of SME’s in the services sector, in the Eastern Cape. The results of the survey revealed that the level of information security awareness amongst SME leadership is as diverse as the state of practice of their information systems and technology. Although a minority of SME’s do embrace security frameworks such as SABS ISO/IEC 17799 or the International equivalent, BS7799, most SME leaders have not heard of security standards, and see information security as a technical intervention designed to address virus threats and data backups. Furthermore, there are several “stripped-down” standards and guidelines for SME’s, based mostly on SABS ISO/IEC 17799, but designed as streamlined, more easily implemented options. Again, these “lighter” frameworks are scarcely used and largely unknown by SME’s. Far from blaming SME leadership for not understanding the critical issues surrounding information security, the research concludes that SME leadership need to engage, understand and implement formal information security processes, failing which their organisations may be severely impacted by inadvertent threats / deliberate attacks on their information systems which could ultimately lead to business failure.
12
Radvanský, Martin. "Zavedení managementu informační bezpečnosti v malém podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2011. http://www.nusl.cz/ntk/nusl-222911.
Full textAbstract:
This diploma thesis deals with methods of management of information security in the small company. The thesis is divided into two main parts. The first part of this thesis is focused on theoretical aspects of information security and contains description of standards ČSN ISO/IEC 27000:2006. The practical part of this work is about the project of implementation of the information security management system in the small company. The implementation is divided into three separate parts with the first part of implementation being described in detail.
13
Ring, Eggers Gustav Emil, and Petter Olsson. "Informationssäkerhet vs. Affärsmål : Ett arbete om hur svenska startups hanterar sin informationssäkerhet." Thesis, Uppsala universitet, Institutionen för informatik och media, 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-341513.
Full textAbstract:
Att bedriva startups i ett informationsbaserat samhälle medför idag flera utmaningar. För att nå framgång måste företagets resurser användas på rätt sätt. I en tid där informationssäkerhet spelar en allt större roll ska det här till en avvägning mellan att uppnå en bra säkerhetsnivå, samtidigt som de affärsmässiga aspekterna måste prioriteras. I arbetet undersöks hur svenska startups hanterar sin informationssäkerhet. Arbetet syftar även till att undersöka hur utbredd medvetenheten är inom sex svenska startups gällande informationssäkerhet samt hur mycket det prioriteras. Arbetet resultat visar att medvetenheten kring informationssäkerheten är hög men att det fortfarande är brister när det gäller att omsätta denna medvetenhet till praktisk handling och att det är de affärsorienterade målen som prioriteras högst inom en svensk startup.To run a startup in an information based society can cause a lot of challenges. To reach success, the company’s resources must be used in a proper way. In a time where information security has a big role, there must be a balance between keeping a high level of security meanwhile the business orientated expectations must be prioritized. This thesis will examine how a startup manages its information security. It does also focus on the awareness of information security within six swedish startups considering information security and also it’s priority. The results of the study shows that awareness of information security is high, but there are still shortcomings in putting this awareness into practice. The study also shows that the business-orientated goals are the highest priority within a swedish startup.
14
Ribas, Carlos Eduardo. "Sistema de gestão de segurança da informação em organizações da área da saúde." Universidade de São Paulo, 2010. http://www.teses.usp.br/teses/disponiveis/5/5160/tde-27092010-145036/.
Full textAbstract:
INTRODUÇÃO: Este estudo descreve o processo de implantação de um sistema de gestão de segurança da informação em uma organização de saúde, visando assegurar a confidencialidade, a integridade e a disponibilidade das informações. MÉTODOS: Utilizou-se a norma ISO 27001 para o desenvolvimento do projeto e o seu anexo A, através de uma nova metodologia, para avaliar a organização. Um questionário foi elaborado para avaliar a percepção dos funcionários com a segurança da informação e também para checar itens relacionados ao escopo do projeto. Avaliamos a segurança da informação no início e ao término do estudo. A análise estatística foi realizada com o teste do qui-quadrado com correção de Yates. O resultado foi considerado significante para P < 0,05. RESULTADOS: Houve resultado significativo na pontuação obtida pela organização, no total de controles implementados e no total de controles não implementados. Não houve resultados significativos com o questionário. CONCLUSÃO: O uso do SGSI trouxe benefícios para a organização com melhoras significativas no nível de conformidade com a norma de referência, além da redução dos riscos aos ativos da organização por meio da implementação de controlesINTRODUCTION: This study describes the implementations process of an Information Security Management System in a healthcare organization in order to assure the confidentiality, integrity and availability of the information. METHODS: We used the ISO 27001 standard for development of the project and its \"Annex A\", through a new methodology, to assess the organization. A questionnaire was designed to estimate the perception of staff with information security and also to check items related to project scope. We evaluated the information security at the beginning and at the end of the study. Statistical analysis was performed with the chi-square test with Yates correction. The result was considered significant for P < 0,05. RESULTS: The organization obtained significant improves on the score, on the number of implemented controls and on the number of not implemented controls, but there were no significant results with the questionnaire. CONCLUSION: The use of ISMS brought benefits to the organization with expressive improvements in the level of compliance with the standard\'s reference, besides the reduction of risks in the organization\'s assets through the implementation of controls
15
Kroft, Karel. "Audit cloudových služeb pro malé a střední podniky." Master's thesis, Vysoká škola ekonomická v Praze, 2014. http://www.nusl.cz/ntk/nusl-203958.
Full textAbstract:
Cloud computing brings to the world of information systems many opportunities but also new risks. The main one is decreased customer ability to directly control the security of information and systems, because administration responsibility passes to providers. This thesis focuses on cloud services auditing from the small and medium enterprises perspective. In introduction, this work defines information system audit terminology, characterizes cloud services and analyzes international legislation. Standardization organizations, published standards and methodologies that are widely respected in IT field are introduced. For the trust mediation in the cloud are important independent third-party audits and organizations specializing in the examination and control of cloud providers. The assumptions list is assembled on this basis to support screening process and to check, whether enterprise, service providers and services are ready for creating efficient and safe cloud system. The assumptions are applied to selected cloud service providers.
16
Araujo, Sueny Gomes Leda. "A dimensão humana no processo de gestão da segurança da informação: um estudo aplicado à Pró-Reitoria de Gestão de Pessoas da Universidade Federal da Paraíba." Universidade Federal da Paraíba, 2016. http://tede.biblioteca.ufpb.br:8080/handle/tede/8947.
Full textAbstract:
Submitted by Viviane Lima da Cunha (viviane@biblioteca.ufpb.br) on 2017-04-26T12:11:40Z
No. of bitstreams: 1
arquivototal.pdf: 4891600 bytes, checksum: e47187dc1816954c4d1cf20a19490124 (MD5)Made available in DSpace on 2017-04-26T12:11:40Z (GMT). No. of bitstreams: 1 arquivototal.pdf: 4891600 bytes, checksum: e47187dc1816954c4d1cf20a19490124 (MD5) Previous issue date: 2016-03-21
The information is presented as an important asset for institutions and needs to be protected adequately against undue destruction, temporary unavailability, adulteration or unauthorized disclosure. Various forms of physical, virtual and human threats jeopardize the security of information. Although the technology is responsible for providing part of the solution to these problems, many of the vulnerabilities of information systems can be attributed to man's actions. In this sense, it is salutary to study the human dimension in these processes. Concerned about the security of information in Federal Public Institutions the government published a series of laws, decrees, rules and reports that guides the implementation of information security management actions in public institutions. Thus, this study aimed to analyze the human dimension in the information security management process in the Dean of Personnel Management (Progep) of the Federal University of Paraíba (UFPB) from the perspective of the rules of the federal government. This research is characterized as descriptive research with qualitative and quantitative approach and case study as the method of investigation. Therefore, the documentary research was used, participant observation and interview as data collection techniques. From the triangulation of the three collection methods for data analysis was applied to content analysis. The sample was made up of nine directors who compose the Dean of Personnel Management. The results allowed identifying the need of UFPB on elaborate a policy of information classification, since its absence turns impossible the management of information security. As for information security awareness, it was noted the absence of actions that could contribute in the awareness of the public employee process, such as information security mentioned at the time of entry / ownership of public employees and collaborators; preparation of the responsibility and confidentiality term; formal disciplinary proceedings for breach of information security; and actions as informative manuals, campaigns, lectures and meetings. In the use of information security controls, there were initiatives of implementation of certain controls, however, the procedures were eventually made in error, without compliance of the regulatory guidelines. Based on the above, the results of this research can help minimize the impact of threats to information security in Progep /UFPB and, as well, contribute to the creation of a safety culture in federal institutions.
A informação apresenta-se como um importante ativo para as instituições, necessitando ser protegida de forma adequada contra destruição indevida, indisponibilidade temporária, adulteração ou divulgação não autorizada. Várias formas de ameaças físicas, virtuais e humanas, comprometem a segurança das informações. Apesar de a tecnologia ser responsável por fornecer parte da solução para esses problemas, muitas das vulnerabilidades dos sistemas de informação podem ser atribuídas às ações do homem. Nesse sentido, torna-se salutar estudar a dimensão humana nesses processos. Preocupado com a segurança da informação nas Instituições Públicas Federais, o governo publicou uma série de leis, decretos, normas e relatórios que orientam a implementação de ações de gestão de segurança da informação nas instituições públicas. Assim, o presente estudo teve por objetivo analisar a dimensão humana no processo de gestão de segurança da informação na Pró-Reitoria de Gestão de Pessoas (Progep) da Universidade Federal da Paraíba (UFPB) sob a ótica das normas do governo federal. Esta pesquisa caracteriza-se como pesquisa descritiva, com abordagem quali-quantitativa e, quanto ao método de investigação, estudo de caso. Para tanto, foi utilizada a pesquisa documental, observação participante e entrevista, como instrumentos de coleta de dados. A partir da triangulação dos três instrumentos de coleta, para a análise dos dados, foi aplicada a análise de conteúdo. A amostra desta pesquisa foi constituída pelos nove diretores que compõem a Pró-Reitoria de Gestão de Pessoas. Os resultados possibilitaram identificar a necessidade da UFPB em elaborar uma política de classificação da informação, uma vez que sua inexistência impossibilita a gestão da segurança da informação. Quanto à conscientização em segurança da informação, observou-se a inexistência de ações que poderiam contribuir no processo de conscientização dos servidores, como: menção à segurança da informação no momento de ingresso/posse de colaboradores e servidores; elaboração do termo de responsabilidade e confidencialidade; processo disciplinar formal para a violação da segurança da informação; e ações como manuais informativos, campanhas, palestras e reuniões. Na utilização dos controles de segurança da informação, observaram-se iniciativas de implantação de determinados controles, entretanto, os procedimentos acabaram sendo realizados de forma equivocada, sem a observância das orientações normativas. Com base no exposto, os resultados desta pesquisa podem auxiliar a minimizar a incidência de ameaças à segurança da informação na Progep/UFPB, bem como contribuir com a criação de uma cultura de segurança em instituições federais.
17
Tehrani, Amir, and Clara Siwetz. "Riskhanteringens utmaning : En studie som identifierar svenska organisationers riskhantering avseende informationssäkerhet samt dess prioritering." Thesis, Södertörn University College, School of Business Studies, 2007. http://urn.kb.se/resolve?urn=urn:nbn:se:sh:diva-1182.
Full textAbstract:
Background: Risk Management plays an important part of the enterprises strategic business activity. Efficient Risk Management will secure the businesses survival, assets and creates market advantages. The interest of information security has consequently gained in Swedish corporations. Corporations have realized the importance of the information which is stored in the IT systems. IT is the tool for businesses future progress and growth and therefore a source of risks. For managing these risks standards and frameworks are needed. To what extent are information security standards and frameworks used in Swedish organizations? Are information security integrated with operational Risk Management?
Purpose: The purpose of this study is to identify the Risk Management regarding information security in the studied organizations and to recognize the priority of information security.
Method: The main part of this study is based on case studies including four Swedish organizations, with the purpose to identify the Risk Management regarding information security in these organizations. The study is also added with a complementary survey carried out on Large Cap corporations on the Nordic exchange. The later survey will create a more general apprehension.
Conclusions: Findings shows that the Swedish organizations have realized the importance of standards and frameworks and the accompanying benefits. The main elements for using standards and frameworks are - better control, identification of business opportunities and gained security. The findings also suggested that the organizations should invest more resources in integrating information security with Risk Management and on the executive management involvement.
18
Svoboda, Milan. "Zavedení ISMS v malém podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241114.
Full textAbstract:
The diploma thesis focuses on proposing an information security management system (ISMS) in a small company. This publication includes theoretical facts, which are needed to understand and design a ISMS. The design proposal of the ISMS itself is based on an analysis of the current status of the company's information security. The proposed security measures are based on the actual state of information security within the company, and on recommendations stemming from the ISO/IEC 27000 standard.
19
Jemelíková, Kristýna. "Kyberbezpečnost v průmyslu." Master's thesis, Vysoké učení technické v Brně. Fakulta strojního inženýrství, 2021. http://www.nusl.cz/ntk/nusl-449730.
Full textAbstract:
The master’s thesis deals with the management of cyber security in a manufacturing company. The theoretical part contains concepts and knowledge of cyber security and discusses the current requirements of legislation and standards of the ISO/IEC 27000 series. In practical part are proposed measures to increase cyber security and information security based on the theoretical background and analysis of current state in the selected company.
20
Šebrle, Petr. "Zavedení ISMS do podniku podporujícího kritickou infrastrukturu." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2017. http://www.nusl.cz/ntk/nusl-318630.
Full textAbstract:
This diploma thesis deals with the methodology of Management of Information Security in a medium size company supporting critical infrastructure. The first part is focused on the theoretical aspects of the topic. Practical part consists of analysis of the current state, risk analysis and correction arrangements according to the attachment A of standard ČSN ISO/IEC 27001:2014. Implementation of ISMS is divided into four phases. This thesis however covers the first two phases only
21
Kosek, Jindřich. "Zavedení ISMS v malém podniku se zaměřením na ICT infrastrukturu." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2014. http://www.nusl.cz/ntk/nusl-224444.
Full textAbstract:
The diploma thesis is focused on the design implementation of information security management system in a small business and is applying theoretical knowledge to real-life situations in a manufacturing company. First of all is performed analysis of current status and the consequent threats which can affect the company's assets. Thereafter are proposed measures based on identified risks and requirements of the owner.
22
Alkadi, Alaa. "Anomaly Detection in RFID Networks." UNF Digital Commons, 2017. https://digitalcommons.unf.edu/etd/768.
Full textAbstract:
Available security standards for RFID networks (e.g. ISO/IEC 29167) are designed to secure individual tag-reader sessions and do not protect against active attacks that could also compromise the system as a whole (e.g. tag cloning or replay attacks). Proper traffic characterization models of the communication within an RFID network can lead to better understanding of operation under “normal” system state conditions and can consequently help identify security breaches not addressed by current standards. This study of RFID traffic characterization considers two piecewise-constant data smoothing techniques, namely Bayesian blocks and Knuth’s algorithms, over time-tagged events and compares them in the context of rate-based anomaly detection.
This was accomplished using data from experimental RFID readings and comparing (1) the event counts versus time if using the smoothed curves versus empirical histograms of the raw data and (2) the threshold-dependent alert-rates based on inter-arrival times obtained if using the smoothed curves versus that of the raw data itself. Results indicate that both algorithms adequately model RFID traffic in which inter-event time statistics are stationary but that Bayesian blocks become superior for traffic in which such statistics experience abrupt changes.
23
Klepárník, Roman. "Návrh zavedení nutných oblastí ISMS ve veřejné správě." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2018. http://www.nusl.cz/ntk/nusl-378365.
Full textAbstract:
This diploma thesis focuses on the application of information security management system in the public administration. Thesis focuses on the most frequent threats on information security and describes the best practices which are compliant with the ISO/IEC 27000. It contains the proposal of security recommendation that will help the organisation with ensuring better information security and with the preparation for GDPR
24
Hsiao, Chih-Wen, David Turner, and Keith Ross. "A secure lightweight currency service provider." CSUSB ScholarWorks, 2004. https://scholarworks.lib.csusb.edu/etd-project/2594.
Full textAbstract:
The main purpose of this project is to build a bank system that offers a friendly and simple interface to let users easily manage their lightweight currencies. The Lightweight Currency Protocol (LCP) was originally proposed to solve the problem of fairness in resource cooperatives. However, there are other possible applications of the protocol, including the control of spam and as a general purpose medium of exchange for low value transactions. This project investigates the implementation issues of the LCP, and also investigates LCP bank services to provide human interface to currency operations.
25
Dejmek, Martin. "Zavedení ISMS v obchodní společnosti." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224221.
Full textAbstract:
This master thesis deals with the implementation of information security management system in the company. It summarizes the theoretical background in this field and uses it to analyze the current state of information security, as well as analysis and risk management and not least the actual implementation of ISMS in the particular company. This work also contains three groups of measures that reduce the impact of identified risks and which also implements an essential parts of ISMS.
26
Palarczyk, Vít. "Zavedení ISMS v malém podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2015. http://www.nusl.cz/ntk/nusl-224894.
Full textAbstract:
This master's thesis is focused on the design of the implementation of information security management system (ISMS) into a specific business. In the theoretical part, it provides basic concepts and detailed description of ISMS. There is also described the analysis of a current information security state of the company. In the practical part, it provides a risk analysis and selection of measures to minimize found risks. In the final part is designed a process and a schedule of an implementation of the selected measures.
27
Kutiš, Pavel. "Management bezpečnosti informačních systémů v obci." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224220.
Full textAbstract:
This Diploma Thesis is being focused on Information Security Management System implementation for a certain municipality. The work has been divided into two parts. The first part deals with theoretical basis which are based on the ISO/IEC 27000 standards. The second part contains the practical implementation following the theoretical background from the first part. The implementation itself has been divided into three stages and this thesis is mainly concentrated on the first stage.
28
Kalibjian, Jeff. "Securing Telemetry Post Processing Applications with Hardware Based Security." International Foundation for Telemetering, 2004. http://hdl.handle.net/10150/605052.
Full textAbstract:
International Telemetering Conference Proceedings / October 18-21, 2004 / Town & Country Resort, San Diego, CaliforniaThe use of hardware security for telemetry in satellites utilized for intelligence and defense applications is well known. Less common is the use of hardware security in ground-based computers hosting applications that post process telemetry data. Analysis reveals vulnerabilities in software only security solutions that can result in the compromise of telemetry data housed on ground-based computer systems. Such systems maybe made less susceptible to compromise with the use of hardware based security.
29
Doubková, Veronika. "Bezpečnostní rizika podle standardu ISO 27001." Master's thesis, Vysoké učení technické v Brně. Fakulta elektrotechniky a komunikačních technologií, 2020. http://www.nusl.cz/ntk/nusl-412984.
Full textAbstract:
This diploma thesis deals with the management of security information, according to ISO/IEC 27005 and it is implementation in the Verinice software environment. The risk information management process is applied to a critical infrastructure, that is connected to a optical fiber network. The work focuses on incidents aimed at threatening data from optical threats and active network elements in transmission systems. The result of the work is defined as a risk file in the .VNA format containing identified risks, for which appropriate measures are implemented in connection with the requirements of ISO/IEC 27001, for the protection of critical infrastructures and transmitted data in the transmission system.
30
Vicen, Šimon. "Zavedení standardu ISO 27701 do firmy využitím Gap analýzy." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2020. http://www.nusl.cz/ntk/nusl-417718.
Full textAbstract:
This thesis analyses current state of the system for implementation of standard ISO 27701: 2019 extention. This standard extends already established standard ISO 27001. The thesis evaluates set of controls to the requirements of standard ISO 27701: 2019. Theoretical part contains information regarding the information security, describes a set of ISO 27000 standards as well as European and Czech legal acts related to information security. Following analysis of the company is performed with the application of security measures while implementing the extension standard ISO 27701. Contribution of this thesis is evaluation of the analysis which results from implementation of recommended standard to address the increased number of security threats and the protection of security information.
31
Štukhejl, Kamil. "Návrh zavedení ISMS ve veřejné správě." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2019. http://www.nusl.cz/ntk/nusl-399673.
Full textAbstract:
This diploma thesis focuses on the implementation of information security management system in the public administration based on ISO/IEC 27000 series of standards. The thesis contains theoretical background, introduction of the organization, risk analysis and a proposal of appropriate measures for minimization of these identified risks. In the end, an implementation plan is proposed including an economic evaluation.
32
Coetzer, Christo. "An investigation of ISO/IEC 27001 adoption in South Africa." Thesis, Rhodes University, 2015. http://hdl.handle.net/10962/d1018669.
Full textAbstract:
The research objective of this study is to investigate the low adoption of the ISO/IEC 27001 standard in South African organisations. This study does not differentiate between the ISO/IEC 27001:2005 and ISO/IEC 27001:2013 versions, as the focus is on adoption of the ISO/IEC 27001 standard. A survey-based research design was selected as the data collection method. The research instruments used in this study include a web-based questionnaire and in-person interviews with the participants. Based on the findings of this research, the organisations that participated in this study have an understanding of the ISO/IEC 27001 standard; however, fewer than a quarter of these have fully adopted the ISO/IEC 27001 standard. Furthermore, the main business objectives for organisations that have adopted the ISO/IEC 27001 standard were to ensure legal and regulatory compliance, and to fulfil client requirements. An Information Security Management System management guide based on the ISO/IEC 27001 Plan-Do-Check-Act model is developed to help organisations interested in the standard move towards ISO/IEC 27001 compliance.
33
Saleh, Mohamed S. M. "Analysis of Information Security Risks and Protection Management Requirements for Enterprise Networks." Thesis, University of Bradford, 2011. http://hdl.handle.net/10454/5414.
Full textAbstract:
With widespread of harmful attacks against enterprises¿ electronic services, information security readiness of these enterprises is becoming of increasing importance for establishing the required safe environment for such services. Various approaches are proposed to manage enterprise information security risks and to assess its information security readiness. These approaches are, however, not adequate to manage information security risks, as all required information security components of its structural and procedural dimensions have not considered. In addition, current assessment approaches lack numerical indicators in assessing enterprise information security readiness. Furthermore, there is no standard approach for analysing cost versus benefit in selecting recommended protection measures.
This thesis aims at contributing to the knowledge by developing comprehensive Enterprise Information Security Risk Management (EISRM) framework that integrates typical approaches for information security risk management, and incorporates main components of key risk management methodologies. In addition, for supporting phases of the proposed EISRM framework, analytical models for enterprise information security readiness assessment and cost-benefit analysis are developed.
The practical evaluation, using the proposed enterprise information security readiness assessment model has been performed depending on a developed investigation form that used to investigate nine enterprises inside Saudi Arabia. The results demonstrate the effectiveness of the model in assessing and comparing enterprises information security readiness at all levels of the model, using numerical indicators and graphical representations. The EISRM framework and the analytical models presented in this research can be used by enterprises as single point of reference for assessing and cost effectively improving their information security readiness.
34
Hruška, David. "Návrh změn identity managementu v podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2018. http://www.nusl.cz/ntk/nusl-378329.
Full textAbstract:
This diploma thesis focuses on the proposal to implement changes of identity management into a particular company. In the theoretical part are the basic concepts and a detailed description of the identity management. There is also described an analysis of the current state of information security in the company, risk analysis and selection of measures to minimize the risks found. At the end of this thesis are proposed changes, their procedure and timetable for implementation of selected measures.
35
Saleh, Mohamed Saad Morsy. "Analysis of information security risks and protection management requirements for enterprise networks." Thesis, University of Bradford, 2011. http://hdl.handle.net/10454/5414.
Full textAbstract:
With widespread of harmful attacks against enterprises' electronic services, information security readiness of these enterprises is becoming of increasing importance for establishing the required safe environment for such services. Various approaches are proposed to manage enterprise information security risks and to assess its information security readiness. These approaches are, however, not adequate to manage information security risks, as all required information security components of its structural and procedural dimensions have not considered. In addition, current assessment approaches lack numerical indicators in assessing enterprise information security readiness. Furthermore, there is no standard approach for analysing cost versus benefit in selecting recommended protection measures. This thesis aims at contributing to the knowledge by developing comprehensive Enterprise Information Security Risk Management (EISRM) framework that integrates typical approaches for information security risk management, and incorporates main components of key risk management methodologies. In addition, for supporting phases of the proposed EISRM framework, analytical models for enterprise information security readiness assessment and cost-benefit analysis are developed. The practical evaluation, using the proposed enterprise information security readiness assessment model has been performed depending on a developed investigation form that used to investigate nine enterprises inside Saudi Arabia. The results demonstrate the effectiveness of the model in assessing and comparing enterprises information security readiness at all levels of the model, using numerical indicators and graphical representations. The EISRM framework and the analytical models presented in this research can be used by enterprises as single point of reference for assessing and cost effectively improving their information security readiness.
36
Jacobs, Pierre Conrad. "Towards a framework for building security operation centers." Thesis, Rhodes University, 2015. http://hdl.handle.net/10962/d1017932.
Full textAbstract:
In this thesis a framework for Security Operation Centers (SOCs) is proposed. It was developed by utilising Systems Engineering best practices, combined with industry-accepted standards and frameworks, such as the TM Forum’s eTOM framework, CoBIT, ITIL, and ISO/IEC 27002:2005. This framework encompasses the design considerations, the operational considerations and the means to measure the effectiveness and efficiency of SOCs. The intent is to provide guidance to consumers on how to compare and measure the capabilities of SOCs provided by disparate service providers, and to provide service providers (internal and external) a framework to use when building and improving their offerings. The importance of providing a consistent, measureable and guaranteed service to customers is becoming more important, as there is an increased focus on holistic management of security. This has in turn resulted in an increased number of both internal and managed service provider solutions. While some frameworks exist for designing, building and operating specific security technologies used within SOCs, we did not find any comprehensive framework for designing, building and managing SOCs. Consequently, consumers of SOCs do not enjoy a constant experience from vendors, and may experience inconsistent services from geographically dispersed offerings provided by the same vendor.
37
Shojaie, Bahareh [Verfasser], and Hannes [Akademischer Betreuer] Federrath. "Implementation of information security management systems based on the ISOIEC 27001 standard in different cultures / Bahareh Shojaie ; Betreuer: Hannes Federrath." Hamburg : Staats- und Universitätsbibliothek Hamburg, 2018. http://d-nb.info/1153546760/34.
Full text
38
Shojaie, Bahareh Verfasser], and Hannes [Akademischer Betreuer] [Federrath. "Implementation of information security management systems based on the ISOIEC 27001 standard in different cultures / Bahareh Shojaie ; Betreuer: Hannes Federrath." Hamburg : Staats- und Universitätsbibliothek Hamburg, 2018. http://nbn-resolving.de/urn:nbn:de:gbv:18-90059.
Full text
39
Nemec, Tomáš. "Návrh metodiky pro příručku ISMS a opatření aplikované na vybrané oblasti." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224225.
Full textAbstract:
Content of this thesis is a methodology for creating ISMS Security Manual. Implementation of the proposal is supported by theoretical knowledge in the introductory part of this work. Practical process design methodology is conditional on the structure of the international standard ISO/IEC 27001:2005.
40
Berg, Anthon, and Felicia Svantesson. "Is your electric vehicle plotting against you? : An investigation of the ISO 15118 standard and current security implementations." Thesis, Högskolan i Halmstad, Akademin för informationsteknologi, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-44918.
Full textAbstract:
Electric vehicles are revolutionizing the way we travel. Climate change and policies worldwide are pushing the vehicle market towards a more sustainable future through electric vehicles. However, can these solutions be considered safe and secure? Because of the entirely new attack vector that is charging, many new security concerns are present in this new type of vehicle that did not exist in combustion engine vehicles. Here, a literature study of the current situation surrounding electric vehicle charging and the ISO 15118 standard is presented. In addition to this, a risk analysis of currently implemented solutions for electric vehicle charging is also presented. The purpose is to unveil what weaknesses that are present in modern electric vehicle communication standards and how secure electric vehicles on the road today really are. The results indicate that there are vulnerabilities present in electric vehicles today that require radical improvements to the charging security to provide a safer way of traveling for the future. A list of proposed countermeasures to found vulnerabilities as well as verification methods are also presented as part of this paper. The comprehensive study presented here acts as an excellent foundation for future projects but also for organizations to address critical areas within charging security.
41
Raymond, Benoit. "Investigating the Relationship between IT and Organizations: A Research Trilogy." Digital Archive @ GSU, 2010. http://digitalarchive.gsu.edu/cis_diss/43.
Full textAbstract:
The overall objective of this dissertation is to contribute to knowledge and theory about the influence of information technology (IT) on organizations and their members. This dissertation is composed of three related studies, each examining different aspects of the relationship between IT and organizations. The objective of the first study is to provide an overview of the dominant theoretical perspectives that IS researchers have used in the last five decades to study the influence of technology on organizations and their members. Without being exhaustive, this study seeks more specifically to identify, for each decade, the dominant theoretical perspectives used in the IS field. These dominant theoretical perspectives are illustrated by the selection and description of exemplars published in the decade and their implications for researchers and practitioners are discussed. This review is useful not only for understanding past trends and the current state of research in this area but also to foresee its future directions and guide researchers in their future research on the influence of IT on organizations and their members. The objective of the second study is to theorize how IT artifacts influence the design and performance of organizational routines. This study adopts organizational routines theory as its theoretical lens. Organizational routines represent an important part of almost every organization and organizational routines theory is an influential theory that explains how the accomplishment of organizational routines can contribute to both organizational stability and change. However, the current form of this theory has several limitations such as its neglect of the material aspect of artifacts and the distinctive characteristics of IT artifacts, and its treatment of artifacts as outside of organizational routines. This study seeks to overcome these limitations by extending organizational routines theory. The objective of the third study is to develop a better understanding of information security standards by analyzing the structure, nature and content of their controls. This study investigates also the mechanisms used in the design of information security standards to make them both applicable to a wide range of organizations and adaptable to various specific organizational settings. The results of this study led to the proposition of a new theory for information systems called generative control theory.
42
Lopez, Samuel. "MODERN CRYPTOGRAPHY." CSUSB ScholarWorks, 2018. https://scholarworks.lib.csusb.edu/etd/729.
Full textAbstract:
We live in an age where we willingly provide our social security number, credit card information, home address and countless other sensitive information over the Internet. Whether you are buying a phone case from Amazon, sending in an on-line job application, or logging into your on-line bank account, you trust that the sensitive data you enter is secure. As our technology and computing power become more sophisticated, so do the tools used by potential hackers to our information. In this paper, the underlying mathematics within ciphers will be looked at to understand the security of modern ciphers.
An extremely important algorithm in today's practice is the Advanced Encryption Standard (AES), which is used by our very own National Security Agency (NSA) for data up to TOP SECRET. Another frequently used cipher is the RSA cryptosystem. Its security is based on the concept of prime factorization, and the fact that it is a hard problem to prime factorize huge numbers, numbers on the scale of 2^{2048} or larger. Cryptanalysis, the study of breaking ciphers, will also be studied in this paper. Understanding effective attacks leads to understanding the construction of these very secure ciphers.
43
Bystrianska, Lucia. "Vplyv regulácií ISO 27001 a SOX na riadenie bezpečnosti informácií podniku." Master's thesis, Vysoká škola ekonomická v Praze, 2015. http://www.nusl.cz/ntk/nusl-203998.
Full textAbstract:
The master thesis has analytical character and focuses on information security issues in enterprises. The mail goal of this thesis is to evaluate the impact of implemented standard ISO/IEC 27001 and regulation by American law SOX to overall information security. In order to preform the analysis, two medium-sized companies from the segment of services were selected: the first one with ISO/IEC 27001 certification and the second one regulated by SOX. The structure of the thesis contributes gradually with its steps to meet the goal. The first three chapters provide a theoretical basis for the analysis of information security. They contain a summary of key processes and tools essential for ensuring the information security and are based on the best practices included within the latest standards and methodologies and on practical experience. These chapters provide the basis for an evaluation guidance including criteria groups and defined variants of implemented security, which is described in the fourth chapter. The analysis of information security and the impact of regulations is part of the fifth chapter of this document. The sixth chapter contains final assessment and comparison of the impact, which the regulations have on information security of the selected companies. The final chapter summarizes and evaluates the results achieved with regards to the goal.
44
Kalibjian, Jeff, and Steven Wierenga. "Assuring Post Processed Telemetry Data Integrity With a Secure Data Auditing Appliance." International Foundation for Telemetering, 2005. http://hdl.handle.net/10150/604910.
Full textAbstract:
ITC/USA 2005 Conference Proceedings / The Forty-First Annual International Telemetering Conference and Technical Exhibition / October 24-27, 2005 / Riviera Hotel & Convention Center, Las Vegas, NevadaRecent federal legislation (e.g. Sarbanes Oxley, Graham Leach Bliley) has introduced requirements for compliance including records retention and records integrity. Many industry sectors (e.g. Energy, under the North American Energy Reliability Council) are also introducing their own voluntary compliance mandates to avert possible additional federal regulation. A trusted computer appliance device dedicated to data auditing may soon be required in all corporate IT infrastructures to accommodate various compliance directives. Such an auditing device also may have application in telemetry post processing environments, as it maybe used to guarantee the integrity of post-processed telemetry data.
45
Semenski, Vedran. "An ABAC framework for IoT applications based on the OASIS XACML standard." Master's thesis, Universidade de Aveiro, 2015. http://hdl.handle.net/10773/18493.
Full textAbstract:
Mestrado em Engenharia de Computadores e TelemáticaA IoT (Internet of Things) é uma área que apresenta grande potencial mas embora muitos dos seus problemas já terem soluções satisfatórias, a segurança permanece um pouco esquecida, mantendo-se um como questão ainda por resolver. Um dos aspectos da segurança que ainda não foi endereçado é o controlo de acessos. O controlo de acesso é uma forma de reforçar a segurança que envolve avaliar os pedidos de acesso a recursos e negar o acesso caso este não seja autorizado, garantindo assim a segurança no acesso a recursos críticos ou vulneráveis. O controlo de Acesso é um termo lato, existindo diversos modelos ou paradigmas possíveis, dos quais os mais significativos são: IBAC (Identity Based Access Control), RBAC (Role Based Access Control) and ABAC (Attribute Based Access Control). Neste trabalho será usado o ABAC, já que oferece uma maior flexibilidade comparativamente a IBAC e RBAC. Além disso, devido à sua natureza adaptativa o ABAC tem maior longevidade e menor necessidade de manutenção. A OASIS (Organization for the Advancement of Structured Information Standards) desenvolveu a norma XACML (eXtensible Access Control Markup Language) para escrita/definição de políticas de acesso e pedidos de acesso, e de avaliação de pedidos sobre conjuntos de políticas com o propósito de reforçar o controlo de acesso sobre recursos. O XACML foi definido com a intenção de que os pedidos e as políticas fossem de fácil leitura para os humanos, garantindo, porém, uma estrutura bem definida que permita uma avaliação precisa. A norma XACML usa ABAC. Este trabalho tem o objetivo de criar uma plataforma de segurança que utilize os padrões ABAC e XACML que possa ser usado por outros sistemas, reforçando o controlo de acesso sobre recursos que careçam de proteção, e garantindo acesso apenas a sujeitos autorizadas. Vai também possibilitar a definição fina ou granular de regras e pedidos permitindo uma avaliação com maior precisão e um maior grau de segurança. Os casos de uso principais são grandes aplicações IoT, como aplicações Smart City, que inclui monitorização inteligente de tráfego, consumo de energia e outros recursos públicos, monitorização pessoal de saúde, etc. Estas aplicações lidam com grandes quantidades de informação (Big Data) que é confidencial e/ou pessoal. Existe um número significativo de soluções NoSQL (Not Only SQL) para resolver o problema do volume de dados, mas a segurança é ainda uma questão por resolver. Este trabalho vai usar duas bases de dados NoSQL: uma base de dados key-value (Redis) para armazenamento de políticas e uma base de dados wide-column (Cassandra) para armazenamento de informação de sensores e informação de atributos adicionais durante os testes.
IoT (Internet of Things) is an area which offers great opportunities and although a lot of issues already have satisfactory solutions, security has remained somewhat unaddressed and remains to be a big issue. Among the security aspects, we emphasize access control. Access Control is a way of enforcing security that involves evaluating requests for accessing resources and denies access if it is unauthorised, therefore providing security for vulnerable resources. Access Control is a broad term that consists of several methodologies of which the most significant are: IBAC (Identity Based Access Control), RBAC (Role Based Access Control) and ABAC (Attribute Based Access Control). In this work ABAC will be used as it offers the most flexibility compared to IBAC and RBAC. Also, because of ABAC's adaptive nature, it offers longevity and lower maintenance requirements. OASIS (Organization for the Advancement of Structured Information Standards) developed the XACML (eXtensible Access Control Markup Language) standard for writing/defining requests and policies and the evaluation of the requests over sets of policies for the purpose of enforcing access control over resources. It is defined so the requests and policies are readable by humans but also have a well defined structure allowing for precise evaluation. The standard uses ABAC. This work aims to create a security framework that utilizes ABAC and the XACML standard so that it can be used by other systems and enforce access control over resources that need to be protected by allowing access only to authorised subjects. It will also allow for fine grained defining of rules and requests for more precise evaluation and therefore a greater level of security. The primary use-case scenarios are large IoT applications such as Smart City applications including: smart traffic monitoring, energy and utility consumption, personal healthcare monitoring, etc. These applications deal with large quantities (Big Data) of confidential and/or personal data. A number of NoSQL (Not Only SQL) solutions exist for solving the problem of volume but security is still an issue. This work will use two NoSQL databases. A key-value database (Redis) for the storing of policies and a wide-column database (Cassandra) for storing sensor data and additional attribute data during testing.
46
Weber, Lyle. "Addressing the incremental risks associated with adopting a Bring Your Own Device program by using the COBIT 5 framework to identify keycontrols." Thesis, Stellenbosch : Stellenbosch University, 2014. http://hdl.handle.net/10019.1/86694.
Full textAbstract:
Thesis (MComm)--Stellenbosch University, 2014.ENGLISH ABSTRACT: Bring Your Own Device (BYOD) is a technological trend which individuals of all ages are embracing. BYOD involves an employee of an organisation using their own mobile devices to access their organisations network. Several incremental risks will arise as a result of adoption of a BYOD program by an organisation. The research aims to assist organisations to identify what incremental risks they could potentially encounter if they adopt a BYOD program and how they can use a framework like COBIT 5 in order to reduce the incremental risks to an acceptable level. By means of an extensive literature review the study revealed 50 incremental risks which arise as a result of the adoption of a BYOD program. COBIT 5 was identified as the most appropriate framework which could be used to map the incremental risks against. Possible safeguards were identified from the mapping process which would reduce the incremental risks to an acceptable level. It was identified that 13 of the 37 COBIT 5 processes were applicable for the study.
47
Gerber, Petro. "Addressing the incremental risks associated with social media by using the cobit 5 control framework." Thesis, Stellenbosch : Stellenbosch University, 2015. http://hdl.handle.net/10019.1/96665.
Full textAbstract:
Thesis (MComm)--Stellenbosch University, 2015.ENGLISH ABSTRACT: Social media offers great opportunities for businesses and the use thereof will increase competitiveness. However, social media also introduce significant risks to those who adopt it. A business can use existing IT governance control framework to address the risks introduced by social media. However a business should combine existing control frameworks for adequate and complete IT governance. This study was undertaken to help businesses to identify incremental risks resulting from the adoption of social media and to develop an integrated IT governance control framework to address these risks both at strategic and operational level. With the help of the processes in COBIT 5, this study provides safeguards or controls which can be implemented to address the IT risks that social media introduce to a business. By implementing the safeguards and controls identified from COBIT 5, a business ensures that they successfully govern the IT related risks at strategic level. This study also briefly discuss the steps that a business can follow to ensure IT related risks at operational level is addressed through the implementation of configuration controls.
AFRIKAANSE OPSOMMING: Sosiale media bied groot geleenthede vir besighede en die gebruik daarvan sal mededingendheid verhoog. Sosiale media hou ook egter beduidende risiko's in vir diegene wat dit aanneem. 'n Besigheid kan bestaande Informasie Tegnologie (IT) kontrole raamwerke gebruik om die risiko's wat ontstaan as gevolg van die gebruik van sosiale media aan te spreek. Vir voldoende en volledige IT korporatiewe beheer moet 'n besigheid egter bestaande kontrole raamwerke kombineer. Hierdie studie is onderneem om besighede te help om die toenemende risiko's wat ontstaan as gevolg van die gebruik van die sosiale media, te identifiseer en om 'n geïntegreerde IT kontrole raamwerk te ontwikkel om hierdie risiko's op strategiese sowel as operasionele vlak aan te spreek. Met die hulp van die prosesse in COBIT 5 voorsien hierdie studie voorsorgmaatreëls of kontroles wat geïmplementeer kan word om die IT-risiko's waaraan die besigheid, deur middel van sosiale media blootgestel is, aan te spreek. Deur die implementering van die voorsorgmaatreëls en kontroles soos geïdentifiseer uit COBIT 5, verseker ʼn besigheid dat hulle die IT-verwante risiko's op strategiese vlak suksesvol beheer. Hierdie studie bespreek ook kortliks die stappe wat 'n besigheid kan volg om te verseker dat IT-verwante risiko's op operasionele vlak aangespreek word deur die implementering van konfigurasie kontroles.
48
Soliman, Galal. "Lösenordshantering : Är lösenordspolicyn i en verksamhet tillräcklig för att de anställda ska bedriva säker lösenordshantering enligt ISO-standarder?" Thesis, Mittuniversitetet, Avdelningen för informationssystem och -teknologi, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-34000.
Full textAbstract:
Lösenord är en viktig del av informationssäkerhet och fungerar som primär autentiseringsmetod för att skydda användarkonton. Syftet med denna studie är att ta reda på hur väl en verksamhets anställda följer verksamhetens lösenordspolicy och undersöka om lösenordshanteringen sker på ett accepterat och godkänt sätt utifrån ett säkerhetsperspektiv i enlighet med ISO-standarder. Metoden har bestått av en enkätundersökning och intervjuundersökning vars resultat jämförts med relevanta riktlinjer från ISO-standarder och verksamhetens lösenordspolicy, en riskanalys och utvecklandet av ett verktyg för att memorera lösenord. Resultat visade brister på säker lösenordshantering bland verksamhetens anställda. Genom analysen har en rad åtgärder framtagits för att upprätta, återställa och förbättra lösenordshanteringen samt förebyggande åtgärder för den lösenordshantering som redan är godkänd. De slutsatser som dragits utifrån denna studie är att det finns ett behov för förbättring av lösenordshanteringen och utifrån behovet har förslag på både åtgärder och förebyggande åtgärder tagits fram.Passwords are an important part of information security and works as a primary authentication method to protect user accounts. The purpose of this study is to investigate how an organisation’s employees follow the password policy and investigate if the password management is executed in an acceptable fashion from a security perspective and according to ISO standards. The method consisted of a survey, interviews of which the results has been compared to ISO standards guidelines and the organisation’s password policy, a risk analysis and a development of a tool to memorize passwords. The result showed insufficiency in the password management of the employees. Thru the analysis several actions have been found to constitute, restore and improve the password management and also preventing actions to keep the password management that is already sufficient. The conclusions are that there is a need for improvement of the password management and from these needs proposals for actions have been extracted.
49
Dokoupil, Ondřej. "Návrh metodiky pro zavedení ISMS." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-254270.
Full textAbstract:
This master’s thesis deals with the design of methodology for implementation of ISMS (Information Security Management System). The theoretical part describes the basic principles and procedures for processing of this domain, including normative and legal - legislative aspects. The next section is an analysis of the current state of the organization. On its basis the practical part is drafted, including an economic evaluation of the project and possible benefits of implementation.
50
Sherry, Zaida. "Governance of virtual private networks using COBIT as framework." Thesis, Stellenbosch : University of Stellenbosch, 2007. http://hdl.handle.net/10019.1/3389.
Full textAbstract:
Thesis (MAcc (Accountancy))--University of Stellenbosch, 2007.The purpose of this assignment is to ascertain whether the COBIT framework is an adequate framework to assist in the governance of virtual private networks. The assignment focuses on whether the framework can ensure the identification of virtual private network-related risks and address IT compliance with policies and statutory regulations. A brief summary of the risks and issues pertaining to the pre-implementation, implementation and post-implementation phases of virtual private networks is included in the assignment. These risks and issues are then individually mapped onto a relevant COBIT control objective. The scope of the assignment does not include the intricacies of how these networks operate, the different types of network topologies or the different technologies used in virtual private networks. It was found that the COBIT framework can be implemented to manage and/or mitigate virtual private network risks.