An Open Reference Framework for Enterprise Information Security Risk Management Using the STOPE Scope and the Six-Sigma Process
With the widespread use of e-transactions in enterprises, information security risk management (ISRM) is becoming essential for establishing a safe environment for their activities. This paper introduces a new and comprehensive ISRM framework that enables the effective establishment of the target safe environment. The framework has two structural dimensions and two procedural dimensions. The structural dimensions are the ISRM scope and the ISRM assessment criteria; the procedural dimensions are the ISRM process and the ISRM assessment tools. The framework uses the comprehensive STOPE (Strategy, Technology, Organization, People, and Environment) view for the ISRM scope, while its assessment criteria are left open to various standards. For the procedural dimensions, the framework uses the widely known six-sigma DMAIC (Define, Measure, Analyze, Improve, and Control) cycle for the ISRM process, and it considers the use of various assessment tools. It is hoped that the framework provides useful tools for future applications.
A High-Level Scheme for an Ontology-Based Compliance Framework in Software Development
The software development market is currently witnessing an increasing demand for software applications to conform with the international regime of GRC (Governance, Risk and Compliance). In this paper, we propose a compliance requirement analysis method for the early stages of software development based on a semantically rich model, in which a mapping can be established from the legal and regulatory requirements relevant to a system's context to the software system's business goals and contexts. The proposed semantic model consists of a number of ontologies, each corresponding to a knowledge component within the developed framework of our approach. Each ontology is a thesaurus of concepts in the compliance and risk assessment domain related to system development, along with the relationships and rules between concepts that comprise the domain knowledge. The main contribution of the work presented in this paper is a case study that demonstrates how description-logic reasoning techniques can be used to simulate the legal reasoning employed by legal professionals against the description of each ontology.
Towards a Sustainable and Efficient Component-based Information Security Framework
Information security and information systems (IS) security both have top management priority in many companies and organizations. In various information security models, researchers recommend several important components to sustainably and efficiently enforce information security. There is little research aiming at approaches that combine theoretically and empirically substantiated principles. To fill this research gap, the aim of this paper is to discuss the adequacy of “academic” information security components, to analyze their practical relevance using an empirical study, and to consolidate the identified factors using a principal component analysis to enhance applicability. Findings suggest two main factors, identified as short-term and long-term, as well as 18 sub-components. The results can assist companies and organizations in sustainably and efficiently implementing information security.
Compliance Analysis in IT Management
This diploma thesis deals with one of the important parts of the functioning of large corporations, generally called Compliance, with a particular focus on IT management. The thesis thoroughly explores the given area. This exploration is simultaneously aimed at finding the problems that occur in everyday practice. Subsequently, possible solutions to the identified problematic phenomena are outlined.
The information security policy unpacked: A critical study of the content of university policies
Ensuring the security of corporate information, which is increasingly stored, processed and disseminated using information and communications technologies (ICTs), has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing protecting corporate information, is the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and about approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study reported in this paper is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualization of information security embedded in the policies. There are two important conclusions to be drawn from this study: 1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and 2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.
Analysis of Information Security Risks and Protection Management Requirements for Enterprise Networks.
With the widespread occurrence of harmful attacks against enterprises' electronic services, the information security readiness of these enterprises is becoming increasingly important for establishing the required safe environment for such services. Various approaches have been proposed to manage enterprise information security risks and to assess information security readiness. These approaches are, however, not adequate for managing information security risks, as not all of the required information security components of their structural and procedural dimensions have been considered. In addition, current assessment approaches lack numerical indicators for assessing enterprise information security readiness. Furthermore, there is no standard approach for analysing cost versus benefit when selecting recommended protection measures.
This thesis aims to contribute to the knowledge by developing a comprehensive Enterprise Information Security Risk Management (EISRM) framework that integrates typical approaches for information security risk management and incorporates the main components of key risk management methodologies. In addition, to support the phases of the proposed EISRM framework, analytical models for enterprise information security readiness assessment and cost-benefit analysis are developed.
The practical evaluation, using the proposed enterprise information security readiness assessment model, was performed with an investigation form developed to survey nine enterprises inside Saudi Arabia. The results demonstrate the effectiveness of the model in assessing and comparing enterprises' information security readiness at all levels of the model, using numerical indicators and graphical representations. The EISRM framework and the analytical models presented in this research can be used by enterprises as a single point of reference for assessing and cost-effectively improving their information security readiness.
A Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context
An examination of Information Security (IS) and Information Security Management (ISM) research in Saudi Arabia has shown the need for more rigorous studies focusing on the implementation and adoption processes involved with IS culture and practices. Overall, there is a lack of academic and professional literature about ISM, and more specifically about IS culture, in Saudi Arabia. Therefore, the overall aim of this paper is to identify the issues and factors that assist the implementation and adoption of IS culture and practices within the Saudi environment. The goal of this paper is to identify the important conditions for creating an information security culture in Saudi Arabian organizations. We plan to use this framework to investigate whether security culture has emerged into practice in Saudi Arabian organizations.
Equipment-as-Experience: A Heidegger-Based Position of Information Security
Information security (InfoSec) has ontologically been characterised as an order machine. The order machine connects with other machines through interrupting mechanisms. This way of portraying InfoSec focuses on the correct placement of machine entities to protect information assets. However, what is missing from this view is that, for the InfoSec we experience in everyday practice, we are not just observers of the InfoSec phenomena but also active agents in it. To contribute to this quest, we draw on Heidegger’s (1962) notion of equipment and propose the concept of equipment-as-experience to understand the ontological position of InfoSec in everyday practice. In this paper we show how equipment-as-experience provides a richer picture of InfoSec as a fundamentally sociotechnical phenomenon. Using an example case, we further contend that InfoSec equipment should not be understood merely by its properties (present-at-hand mode), but rather in ready-to-hand mode when put into practice.