782 resultados para information security, management, culture
Resumo:
This paper describes the inception, planning and first delivery of a security course as part of a postgraduate ecommerce program. The course is reviewed in terms of existing literature on security courses, the common body of knowledge established for security professionals and the job market into which students will graduate. The course described in this paper is a core subject for the e-commerce program. This program was established in 1999 and the first batch of students graduated in 2001. The program is offered at both postgraduate and undergraduate level. The work described here relates to the postgraduate offering. Students on this program are graduates of diverse disciplines and do not have a common e-commerce or business background.
Resumo:
With the increasing significance of information technology, there is an urgent need for adequate measures of information security. Systematic information security management is one of most important initiatives for IT management. At least since reports about privacy and security breaches, fraudulent accounting practices, and attacks on IT systems appeared in public, organizations have recognized their responsibilities to safeguard physical and information assets. Security standards can be used as guideline or framework to develop and maintain an adequate information security management system (ISMS). The standards ISO/IEC 27000, 27001 and 27002 are international standards that are receiving growing recognition and adoption. They are referred to as “common language of organizations around the world” for information security. With ISO/IEC 27001 companies can have their ISMS certified by a third-party organization and thus show their customers evidence of their security measures.
Resumo:
Ensuring the security of corporate information, that is increasingly stored, processed and disseminated using information and communications technologies [ICTs], has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing, protecting corporate information, is through the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study, reported in this paper, is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualisation of information security embedded in the policies. There are two important conclusions to be drawn from this study: (1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and (2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.
Resumo:
EXECUTIVE SUMMARY : Evaluating Information Security Posture within an organization is becoming a very complex task. Currently, the evaluation and assessment of Information Security are commonly performed using frameworks, methodologies and standards which often consider the various aspects of security independently. Unfortunately this is ineffective because it does not take into consideration the necessity of having a global and systemic multidimensional approach to Information Security evaluation. At the same time the overall security level is globally considered to be only as strong as its weakest link. This thesis proposes a model aiming to holistically assess all dimensions of security in order to minimize the likelihood that a given threat will exploit the weakest link. A formalized structure taking into account all security elements is presented; this is based on a methodological evaluation framework in which Information Security is evaluated from a global perspective. This dissertation is divided into three parts. Part One: Information Security Evaluation issues consists of four chapters. Chapter 1 is an introduction to the purpose of this research purpose and the Model that will be proposed. In this chapter we raise some questions with respect to "traditional evaluation methods" as well as identifying the principal elements to be addressed in this direction. Then we introduce the baseline attributes of our model and set out the expected result of evaluations according to our model. Chapter 2 is focused on the definition of Information Security to be used as a reference point for our evaluation model. The inherent concepts of the contents of a holistic and baseline Information Security Program are defined. Based on this, the most common roots-of-trust in Information Security are identified. Chapter 3 focuses on an analysis of the difference and the relationship between the concepts of Information Risk and Security Management. Comparing these two concepts allows us to identify the most relevant elements to be included within our evaluation model, while clearing situating these two notions within a defined framework is of the utmost importance for the results that will be obtained from the evaluation process. Chapter 4 sets out our evaluation model and the way it addresses issues relating to the evaluation of Information Security. Within this Chapter the underlying concepts of assurance and trust are discussed. Based on these two concepts, the structure of the model is developed in order to provide an assurance related platform as well as three evaluation attributes: "assurance structure", "quality issues", and "requirements achievement". Issues relating to each of these evaluation attributes are analysed with reference to sources such as methodologies, standards and published research papers. Then the operation of the model is discussed. Assurance levels, quality levels and maturity levels are defined in order to perform the evaluation according to the model. Part Two: Implementation of the Information Security Assurance Assessment Model (ISAAM) according to the Information Security Domains consists of four chapters. This is the section where our evaluation model is put into a welldefined context with respect to the four pre-defined Information Security dimensions: the Organizational dimension, Functional dimension, Human dimension, and Legal dimension. Each Information Security dimension is discussed in a separate chapter. For each dimension, the following two-phase evaluation path is followed. The first phase concerns the identification of the elements which will constitute the basis of the evaluation: ? Identification of the key elements within the dimension; ? Identification of the Focus Areas for each dimension, consisting of the security issues identified for each dimension; ? Identification of the Specific Factors for each dimension, consisting of the security measures or control addressing the security issues identified for each dimension. The second phase concerns the evaluation of each Information Security dimension by: ? The implementation of the evaluation model, based on the elements identified for each dimension within the first phase, by identifying the security tasks, processes, procedures, and actions that should have been performed by the organization to reach the desired level of protection; ? The maturity model for each dimension as a basis for reliance on security. For each dimension we propose a generic maturity model that could be used by every organization in order to define its own security requirements. Part three of this dissertation contains the Final Remarks, Supporting Resources and Annexes. With reference to the objectives of our thesis, the Final Remarks briefly analyse whether these objectives were achieved and suggest directions for future related research. Supporting resources comprise the bibliographic resources that were used to elaborate and justify our approach. Annexes include all the relevant topics identified within the literature to illustrate certain aspects of our approach. Our Information Security evaluation model is based on and integrates different Information Security best practices, standards, methodologies and research expertise which can be combined in order to define an reliable categorization of Information Security. After the definition of terms and requirements, an evaluation process should be performed in order to obtain evidence that the Information Security within the organization in question is adequately managed. We have specifically integrated into our model the most useful elements of these sources of information in order to provide a generic model able to be implemented in all kinds of organizations. The value added by our evaluation model is that it is easy to implement and operate and answers concrete needs in terms of reliance upon an efficient and dynamic evaluation tool through a coherent evaluation system. On that basis, our model could be implemented internally within organizations, allowing them to govern better their Information Security. RÉSUMÉ : Contexte général de la thèse L'évaluation de la sécurité en général, et plus particulièrement, celle de la sécurité de l'information, est devenue pour les organisations non seulement une mission cruciale à réaliser, mais aussi de plus en plus complexe. A l'heure actuelle, cette évaluation se base principalement sur des méthodologies, des bonnes pratiques, des normes ou des standards qui appréhendent séparément les différents aspects qui composent la sécurité de l'information. Nous pensons que cette manière d'évaluer la sécurité est inefficiente, car elle ne tient pas compte de l'interaction des différentes dimensions et composantes de la sécurité entre elles, bien qu'il soit admis depuis longtemps que le niveau de sécurité globale d'une organisation est toujours celui du maillon le plus faible de la chaîne sécuritaire. Nous avons identifié le besoin d'une approche globale, intégrée, systémique et multidimensionnelle de l'évaluation de la sécurité de l'information. En effet, et c'est le point de départ de notre thèse, nous démontrons que seule une prise en compte globale de la sécurité permettra de répondre aux exigences de sécurité optimale ainsi qu'aux besoins de protection spécifiques d'une organisation. Ainsi, notre thèse propose un nouveau paradigme d'évaluation de la sécurité afin de satisfaire aux besoins d'efficacité et d'efficience d'une organisation donnée. Nous proposons alors un modèle qui vise à évaluer d'une manière holistique toutes les dimensions de la sécurité, afin de minimiser la probabilité qu'une menace potentielle puisse exploiter des vulnérabilités et engendrer des dommages directs ou indirects. Ce modèle se base sur une structure formalisée qui prend en compte tous les éléments d'un système ou programme de sécurité. Ainsi, nous proposons un cadre méthodologique d'évaluation qui considère la sécurité de l'information à partir d'une perspective globale. Structure de la thèse et thèmes abordés Notre document est structuré en trois parties. La première intitulée : « La problématique de l'évaluation de la sécurité de l'information » est composée de quatre chapitres. Le chapitre 1 introduit l'objet de la recherche ainsi que les concepts de base du modèle d'évaluation proposé. La maniéré traditionnelle de l'évaluation de la sécurité fait l'objet d'une analyse critique pour identifier les éléments principaux et invariants à prendre en compte dans notre approche holistique. Les éléments de base de notre modèle d'évaluation ainsi que son fonctionnement attendu sont ensuite présentés pour pouvoir tracer les résultats attendus de ce modèle. Le chapitre 2 se focalise sur la définition de la notion de Sécurité de l'Information. Il ne s'agit pas d'une redéfinition de la notion de la sécurité, mais d'une mise en perspectives des dimensions, critères, indicateurs à utiliser comme base de référence, afin de déterminer l'objet de l'évaluation qui sera utilisé tout au long de notre travail. Les concepts inhérents de ce qui constitue le caractère holistique de la sécurité ainsi que les éléments constitutifs d'un niveau de référence de sécurité sont définis en conséquence. Ceci permet d'identifier ceux que nous avons dénommés « les racines de confiance ». Le chapitre 3 présente et analyse la différence et les relations qui existent entre les processus de la Gestion des Risques et de la Gestion de la Sécurité, afin d'identifier les éléments constitutifs du cadre de protection à inclure dans notre modèle d'évaluation. Le chapitre 4 est consacré à la présentation de notre modèle d'évaluation Information Security Assurance Assessment Model (ISAAM) et la manière dont il répond aux exigences de l'évaluation telle que nous les avons préalablement présentées. Dans ce chapitre les concepts sous-jacents relatifs aux notions d'assurance et de confiance sont analysés. En se basant sur ces deux concepts, la structure du modèle d'évaluation est développée pour obtenir une plateforme qui offre un certain niveau de garantie en s'appuyant sur trois attributs d'évaluation, à savoir : « la structure de confiance », « la qualité du processus », et « la réalisation des exigences et des objectifs ». Les problématiques liées à chacun de ces attributs d'évaluation sont analysées en se basant sur l'état de l'art de la recherche et de la littérature, sur les différentes méthodes existantes ainsi que sur les normes et les standards les plus courants dans le domaine de la sécurité. Sur cette base, trois différents niveaux d'évaluation sont construits, à savoir : le niveau d'assurance, le niveau de qualité et le niveau de maturité qui constituent la base de l'évaluation de l'état global de la sécurité d'une organisation. La deuxième partie: « L'application du Modèle d'évaluation de l'assurance de la sécurité de l'information par domaine de sécurité » est elle aussi composée de quatre chapitres. Le modèle d'évaluation déjà construit et analysé est, dans cette partie, mis dans un contexte spécifique selon les quatre dimensions prédéfinies de sécurité qui sont: la dimension Organisationnelle, la dimension Fonctionnelle, la dimension Humaine, et la dimension Légale. Chacune de ces dimensions et son évaluation spécifique fait l'objet d'un chapitre distinct. Pour chacune des dimensions, une évaluation en deux phases est construite comme suit. La première phase concerne l'identification des éléments qui constituent la base de l'évaluation: ? Identification des éléments clés de l'évaluation ; ? Identification des « Focus Area » pour chaque dimension qui représentent les problématiques se trouvant dans la dimension ; ? Identification des « Specific Factors » pour chaque Focus Area qui représentent les mesures de sécurité et de contrôle qui contribuent à résoudre ou à diminuer les impacts des risques. La deuxième phase concerne l'évaluation de chaque dimension précédemment présentées. Elle est constituée d'une part, de l'implémentation du modèle général d'évaluation à la dimension concernée en : ? Se basant sur les éléments spécifiés lors de la première phase ; ? Identifiant les taches sécuritaires spécifiques, les processus, les procédures qui auraient dû être effectués pour atteindre le niveau de protection souhaité. D'autre part, l'évaluation de chaque dimension est complétée par la proposition d'un modèle de maturité spécifique à chaque dimension, qui est à considérer comme une base de référence pour le niveau global de sécurité. Pour chaque dimension nous proposons un modèle de maturité générique qui peut être utilisé par chaque organisation, afin de spécifier ses propres exigences en matière de sécurité. Cela constitue une innovation dans le domaine de l'évaluation, que nous justifions pour chaque dimension et dont nous mettons systématiquement en avant la plus value apportée. La troisième partie de notre document est relative à la validation globale de notre proposition et contient en guise de conclusion, une mise en perspective critique de notre travail et des remarques finales. Cette dernière partie est complétée par une bibliographie et des annexes. Notre modèle d'évaluation de la sécurité intègre et se base sur de nombreuses sources d'expertise, telles que les bonnes pratiques, les normes, les standards, les méthodes et l'expertise de la recherche scientifique du domaine. Notre proposition constructive répond à un véritable problème non encore résolu, auquel doivent faire face toutes les organisations, indépendamment de la taille et du profil. Cela permettrait à ces dernières de spécifier leurs exigences particulières en matière du niveau de sécurité à satisfaire, d'instancier un processus d'évaluation spécifique à leurs besoins afin qu'elles puissent s'assurer que leur sécurité de l'information soit gérée d'une manière appropriée, offrant ainsi un certain niveau de confiance dans le degré de protection fourni. Nous avons intégré dans notre modèle le meilleur du savoir faire, de l'expérience et de l'expertise disponible actuellement au niveau international, dans le but de fournir un modèle d'évaluation simple, générique et applicable à un grand nombre d'organisations publiques ou privées. La valeur ajoutée de notre modèle d'évaluation réside précisément dans le fait qu'il est suffisamment générique et facile à implémenter tout en apportant des réponses sur les besoins concrets des organisations. Ainsi notre proposition constitue un outil d'évaluation fiable, efficient et dynamique découlant d'une approche d'évaluation cohérente. De ce fait, notre système d'évaluation peut être implémenté à l'interne par l'entreprise elle-même, sans recourir à des ressources supplémentaires et lui donne également ainsi la possibilité de mieux gouverner sa sécurité de l'information.
Resumo:
The Finnish legislation requires for a safe and secure learning environment. However, the comprehensive, risk based safety and security management (SSM) and the management commitment in the implementation and development of the SSM are not mentioned in the legislation. Multiple institutions, operators and researchers have studied and developed safety and security in educational institutions over the past decade. Typically the approach has been fragmented and without bringing up the importance of the comprehensive SSM. The development needs of the safety and security operations in universities have been studied. However, in universities of applied sciences (UASs) and in elementary schools (ESs), the performance level, strengths and weaknesses of the comprehensive SSM have not been studied. The objective of this study was to develop the comprehensive, risk based SSM of educational institutions by developing the new Asteri consultative auditing process and study its effects on auditees. Furthermore, the performance level in the comprehensive SSM in UASs and ESs were studied using Asteri and the TUTOR model developed by the Keski-Uusimaa Department for Rescue Services. In addition, strengths, development needs and differences were identified. In total, 76 educational institutions were audited between the years 2011 and 2014. The study is based on logical empiricism, and an observational applied research design was used. Auditing, observation and an electronic survey were used for data collection. Statistical analysis was used to analyze the collected information. In addition, thematic analysis was used to analyze the development areas of the organizations mentioned by the respondents in the survey. As one of the main contributions, this research presents the new Asteri consultative auditing process. Organizations with low performance levels on the audited subject benefit the most from the Asteri consultative auditing process. Asteri may be usable in many different types of audits, not only in SSM audits. As a new result, this study provides new knowledge on attitudes related to auditing. According to the research findings, auditing may generate negative attitudes and the auditor should take them into account when planning and preparing for audits. Negative attitudes can be compensated by producing added value, objectivity and positivity for the audit and, thus, improve the positive effects of auditing on knowledge and skills. Moreover, as the results of this study shows, auditing safety and security issues do not increase feelings of insecurity, but rather increase feelings of safety and security when using the new Asteri consultative auditing process with the TUTOR model. The results showed that the SSM in the audited UASs was statistically significantly more advanced than that in the audited ESs. However, there is still room for improvement in the ESs and the UASs as the approach to the SSM was fragmented. It can be assumed that the majority of Finnish UASs and ESs do not likely meet the basic level of the comprehensive, risk based the SSM.
Resumo:
Security becomes more and more important and companies are aware that it has become a management problem. It’s critical to know what are the critical resources and processes of the company and their weaknesses. A security audit can be a handy solution. We have developed BEVA, a method to critically analyse the company and to uncover the weak spots in the security system. BEVA results in security scores for each security factor and also in a general security score. The goal is to increase the security score Ss to a postulated level by focusing on the critical security factors, those with a low security score.
Resumo:
A szerzők tanulmányukban az információbiztonság egy merőben új, minőségi változást hozó találmányával, a kvantumkulcscserével (QKD-vel – quantum key distribution) foglalkoznak. Céljuk az, hogy az újdonságra mint informatikai biztonsági termékre tekintsenek, és megvizsgálják a bevezetéséről szóló vállalati döntés során felmerülő érveket, ellenérveket. Munkájuk egyaránt műszaki és üzleti szemléletű. Előbb elkülönítik a kvantumkulcscsere hagyományos eljárásokkal szembeni használatának motiváló tényezőit, és megállapítják, milyen körülmények között szükséges a napi működésben alkalmazni. Ezt követően a forgalomban is kapható QKD-termékek tulajdonságait és gyártóit szemügyre véve megfogalmazzák a termék széles körű elterjedésének korlátait. Végül a kvantumkulcscsere-termék bevezetéséről szóló vállalati döntéshozás különböző aspektusait tekintik át. Információbiztonsági és üzleti szempontból összehasonlítják az új, valamint a hagyományosan használt kulcscsereeszközöket. Javaslatot tesznek a védendő információ értékének becslésére, amely a használatbavétel költség-haszon elemzését támaszthatja alá. Ebből levezetve megállapítják, hogy mely szervezetek alkotják a QKD lehetséges célcsoportját. Utolsó lépésként pedig arra keresik a választ, melyik időpont lehet ideális a termék bevezetésére. _____ This study aims to illuminate Quantum Key Distribution (QKD), a new invention that has the potential to bring sweeping changes to information security. The authors’ goal is to present QKD as a product in the field of IT security, and to examine several pro and con arguments regarding the installation of this product. Their work demonstrates both the technical and the business perspectives of applying QKD. First they identify motivational factors of using Quantum Key Distribution over traditional methods. Then the authors assess under which circumstances QKD could be necessary to be used in daily business. Furthermore, to evaluate the limitations of its broad spread, they introduce the vendors and explore the properties of their commercially available QKD products. Bearing all this in mind, they come out with numerous factors that can influence corporate decision making regarding the installation of QKD. The authors compare the traditional and the new tools of key distribution from an IT security and business perspective. They also take efforts to estimate the value of the pieces of information to be protected. This could be useful for a subsequent cost–benefit analysis. Their findings try to provide support for determining the target audience of QKD in the IT security market. Finally the authors attempt to find an ideal moment for an organization to invest in Quantum Key Distribution.
Resumo:
This paper researches the information security value in e-entrepreneurship by revising the literature that establishes the entrepreneurial domain and by relating it with the development of technological resources that create value for the customer in an online business. It details multiple paradigms regarding consumer’s values of information security, while relating them with common practices and previous researches in technological entrepreneurship. This research presents and discusses the benefits of information security standards in e-entrepreneurship. It details and discusses the ISO 27001 and PCI-DSS information security standards that can be used to differentiate security initiatives to achieve competitive advantage, while preserving information leadership as a critical resource for online business success. Based on the literature review, a theoretical research model is presented and research hypotheses are discussed. This model believes that information security affects information leadership and that information leadership, as a unique resource in e-business, contributes to e-entrepreneurship success. The adoption of information security standards affects customer’s trust in e-business, which also benefits e-entrepreneurial strategy.
Resumo:
The popularization of software to mitigate Information Security threats can produce an exaggerated notion about its full effectiveness in the elimination of any threat. This situation can result reckless users behavior, increasing vulnerability. Based on behavioral theories, a theoretical model and hypotheses were developed to understand the extent to which human perception of threat, stress, control and disgruntlement can induce responsible behavior. A self-administered questionnaire was created and validated. The data were collected in Brazil, and complementary results regarding similar studies conducted in USA were found. The results show that there is influence of information security orientations provided by organizations in the perception about severity of the threat. The relationship between threat, effort, control and disgruntlement, and the responsible behavior towards information security was verified through linear regression. The contributions also involve relatively new concepts in the field and a new research instrument.
Resumo:
Management systems standards (MSSs) have developed in an unprecedented manner in the last few years. These MSS cover a wide array of different disciplines, aims and activities of organisations. Also, organisations are populated with an enormous diversity of independent management systems (MSs). An integrated management system (IMS) tends to integrate some or all components of the business. Maximising their integration in one coherent and efficient MS is increasingly a strategic priority and constitutes an opportunity for businesses to be more competitive and consequently, promote its sustainable success. Those organisations that are quicker and more efficient in their integration and continuous improvement will have a competitive advantage in obtaining sustainable value in our global and competitive business world. Several scholars have proposed various theoretical approaches regarding the integration of management sub-systems, leading to the conclusion that there is no common practice for all organisations as they encompass different characteristics. One other author shows that several tangible and intangible gains for organisations, as well as to their internal and external stakeholders, are achieved with the integration of the individual standardised MSs. The purpose of this work was to conceive a model, Flexible, Integrator and Lean for IMSs, according to ISO 9001 for quality; ISO 14001 for environment and OHSAS 18001 for occupational health and safety (IMS–QES), that can be adapted and progressively assimilate other MSs, such as, SA 8000/ISO 26000 for social accountability, ISO 31000 for risk management and ISO/IEC 27001 for information security management, among others. The IMS–QES model was designed in the real environment of an industrial Portuguese small and medium enterprise, that over the years has been adopting, gradually, in whole or in part, individual MSSs. The developed model is based on a preliminary investigation conducted through a questionnaire. The strategy and research methods have taken into consideration the case study. Among the main findings of the survey we highlight: the creation of added value for the business through the elimination of several organisational wastes; the integrated management of the sustainability components; the elimination of conflicts between independent MS; dialogue with the main stakeholders and commitment to their ongoing satisfaction and increased contribution to the company’s competitiveness; and greater valorisation and motivation of employees as a result of the expansion of their skill base, actions and responsibilities, with their consequent empowerment. A set of key performance indicators (KPIs) constitute the support, in a perspective of business excellence, to the follow up of the organisation’s progress towards the vision and achievement of the defined objectives in the context of each component of the IMS model. The conceived model had many phases and the one presented in this work is the last required for the integration of quality, environment, safety and others individual standardised MSs. Globally, the investigation results, by themselves, justified and prioritised the conception of an IMS–QES model, to be implemented at the company where the investigation was conducted, but also a generic model of an IMS, which may be more flexible, integrator and lean as possible, potentiating the efficiency, added value both in the present and, fundamentally, for future.
Resumo:
Mestrado em Engenharia Informática - Área de Especialização em Arquitecturas, Sistemas e Redes
