67 research outputs found

    A Conceptual Model of an Information Security Domain Knowledge Base

    Information security breaches and threats continue to grow worldwide. Problems in securing information systems persist despite the development of several information security standards, and the low adoption rate of these standards is one of the main contributing factors to this growing problem. As emerging economies seek to be part of the digital economy, it is prudent that they make information security a priority. The lack of effective information security strategies in developing countries has resulted in these countries becoming targets for cyber criminals. In this research we present a conceptual model and a design of an Information Security Domain Knowledge Base (InfoSec DKB) that can assist in developing and managing information security strategies. This design is based on a combination of decision-making, security and auditing frameworks, namely concepts of the Value Focused Thinking (VFT) approach used in decision making, the Guidelines for Management of IT Security (ISO/IEC 27001), Control Objectives for Information and Related Technologies (COBIT)

    Diagnosing the Maturity Level of IT Processes at the Enterprise

    The article is aimed at substantiating theoretical provisions and developing practical recommendations to improve diagnostics of the maturity level of IT processes at the enterprise. It is determined that today, at any enterprise using information systems and technologies (in the spheres of management, administration and IT law), business goals cannot be achieved without achieving IT goals, and IT goals, in turn, cannot be achieved without an optimal maturity level of IT processes. It is determined that diagnostics of the maturity level of IT processes at the enterprise is the process of identifying, analysing and estimating the level of performance of IT processes in the field of IT management (taking account of the risk assessment inherent in IT), with the purpose of making reasonable managerial decisions directed at achieving the desired result of enterprise activity in the systems of «effect - result», «goal - means - result» and «data - information - knowledge».

    Information security assurance model for an examination paper preparation process in a higher education institution

    In today’s business world, information has become the driving force of organizations. With organizations transmitting large amounts of information to various geographical locations, it is imperative that organizations ensure the protection of this valuable commodity. Organizations should ensure that only authorized individuals receive, view and alter the information. This is also true of Higher Education Institutions (HEIs), which need to protect their examination papers, amongst other valuable information. With various threats waiting to take advantage of the examination papers, HEIs need to be prepared by equipping themselves with an information security management system (ISMS), in order to ensure that the process of setting examination papers is secure and protects the examination papers within the process. An ISMS will ensure that all information security aspects are considered and addressed in order to provide appropriate and adequate protection for the examination papers. With the assistance of information security concepts and information security principles, the ISMS can be developed in order to secure the process of preparing examination papers and to protect the examination papers from potential risks. Risk assessment forms part of the ISMS and is at the centre of any security effort; the reason being that to secure an information environment, knowing and understanding the risks is imperative. Risks pertaining to that particular environment need to be assessed in order to deal with them appropriately. In addition, very important to any security effort is ensuring that employees working with the valuable information are made aware of these risks and are able to protect the information. Therefore, the role players (within the examination paper preparation process (EPPP)) who handle the examination papers on a daily basis have to be equipped with means of handling valuable information in a secure manner. Some of the role players’ behaviour and practices while handling the information could be seen as vulnerabilities that could be exploited by threats, resulting in the compromise of the CIA of the information. Therefore, it is imperative that role players are made aware of their practices and behaviour that could result in a negative impact for the institution. This awareness forms part of and is addressed in the ISMS.

    System of Systems Lifecycle Management: A New Concept Based on Process Engineering Methodologies

    In order to tackle interoperability issues of large-scale automation systems, SOA (Service-Oriented Architecture) principles, where information exchange is manifested by systems providing and consuming services, have already been introduced. However, the deployment, operation, and maintenance of an extensive SoS (System of Systems) mean enormous challenges for system integrators as well as network and service operators. The existing lifecycle management approaches do not cover all aspects of SoS management; therefore, an integrated solution is required. The purpose of this paper is to introduce a new lifecycle approach, namely the SoSLM (System of Systems Lifecycle Management). This paper first provides an in-depth description and comparison of the most relevant process engineering methodologies and ITSM (Information Technology Service Management) frameworks, and how they affect various lifecycle management strategies. The paper’s novelty lies in introducing an Industry 4.0-compatible PLM (Product Lifecycle Management) model and extending it to cover SoS management-related issues on well-known process engineering methodologies. The presented methodologies are adapted to the PLM model, thus creating the recommended SoSLM model. This is supported by demonstrations of how IIoT (Industrial Internet of Things) applications and services can be developed and handled. Accordingly, complete implementation and integration are presented based on the proposed SoSLM model, using the Arrowhead framework that is available for IIoT SoS.

    Analysis and Strategic Planning of Information Systems and Technology Using the Balanced Scorecard at Institut Bisnis Dan Informatika Kwik Kian Gie

    The progress of an institution is largely determined by its vision, mission and goals, which must be wholeheartedly supported by all components of the institution, controlled through strong leadership, and implemented using the balanced scorecard approach. The alignment and management of information technology in providing the facilities and infrastructure needed to support the institution's goal of reaching world-class university status, with reference to criteria such as DIKTI, ARWU and Webometric, is carried out using the COBIT Framework. The investigation of the need for and development of quality human resources to support these activities is carried out using the Zachman Framework. Using the above approach, an Information Technology roadmap is obtained that will be built over a period of 15 years, divided into 3 categories, namely network & infrastructure, Information Systems, and Organizational Systems, with each category divided into 3 five-year stages.

    The Effects of Computer Crimes on the Management of Disaster Recovery

    The effects of a technology disaster on an organization can include a prolonged disruption, loss of reputation, monetary damages, and the inability to remain in business. Although much is known about disaster recovery and business continuance, not much research has been produced on how businesses can leverage other technology frameworks to assist information technology disaster recovery. The problem was the lack of organizational knowledge to recover from computer crime interruptions given the maturity level of existing disaster recovery programs. The purpose of this Delphi study was to understand how disaster recovery controls and processes can be modified to improve response to a business interruption caused by computer crime. The overarching research question in this study was to understand what factors emerge relative to the ability of disaster recovery programs to respond to disasters caused by computer crimes. The conceptual framework included a maturity model to look at how programs might be improved to respond to the computer crimes threat. Research data were collected from a 3-round Delphi study of 22 disaster recovery experts in the fields of disaster recovery and information security. Results from the Delphi encompass a consensus by the panel. Key findings included the need for planning for cyber security, aligning disaster recovery with cyber security, providing cyber security training for managers and staff, and applying lessons learned from experience. Implications for positive social change include the ability for organizations to return to an acceptable level of operation and continue their service, benefiting employees, customers, and other stakeholders.

    Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical Approach

    Cyber security risks are socio-technical in nature. They result not just from technical vulnerabilities but also, more fundamentally, from the degradation of working practices over time – which moves an organization across the boundary of secure practice to a place where attacks will not only succeed, but also have a significantly greater impact on the organization. Yet current risk analysis and management methodologies are not designed to detect these kinds of systemic risks. We present an approach, devised in the field, to deriving these risks – using a qualitative research methodology, akin to grounded theory, but based on preset coding descriptors. This allows organizational and individual behavior identified during interviews, observations or document research to be thematically analyzed, collated and mapped to potential risks linked to poor working practices. The resulting risk factors can be linked together to form “risk narratives”, showing how the degradation of working practices in one part of the organization can contribute to undermining its ability to respond to cyber security threats in another part of the organization.

    A framework to mitigate phishing threats

    We live today in the information age, with users able to access and share information freely using both personal computers and handheld devices. This, in turn, has been made possible by the Internet. However, this poses security risks, as attempts are made to use this same environment to compromise the confidentiality, integrity and availability of information. Accordingly, there is an urgent need for users and organisations to protect their information resources from agents posing a security threat. Organisations typically spend large amounts of money and dedicate resources to improving their technological defences against general security threats. However, the agents posing these threats are adopting social engineering techniques in order to bypass the technical measures which organisations are putting in place. These social engineering techniques are often effective because they target human behaviour, something which the majority of researchers believe is a far easier alternative than hacking information systems. As such, phishing effectively makes use of a combination of social engineering techniques which involve crafty technical emails and website designs that gain the trust of their victims. Within an organisational context, there are a number of areas which phishers exploit. These areas include human factors, organisational aspects and technological controls. Ironically, these same areas serve simultaneously as security measures against phishing attacks. However, each of these three areas is characterised by gaps which arise as a result of human involvement. As a result, the current approach to mitigating phishing threats comprises a single-layer defence model only. This study therefore proposes a holistic model which integrates each of these three areas by strengthening the human element in each of them by means of a security awareness, training and education programme.

    IT Risk Assessment: Developing and defining the IT Risk Assessment Process Framework in the case company

    The objective of this study was to define the Information Technology risk assessment process framework for an international Finnish firm belonging to a major IT corporation. The study was motivated by the fact that, in the case company, due to the lack of a common defined process for IT risk assessment, it was challenging to correctly evaluate and compare the relevance of each risk. As a consequence, potentially misleading and inconsistent information on the impact and related importance of IT risks may have led top management to make incorrect investment decisions. The current state analysis was based on both qualitative (two rounds of semi-structured interviews) and quantitative (maturity survey) data. Nineteen managers and directors of the case company participated in different phases of the data collection. These data were used to create the project proposal, which was shared, commented on and then approved by the top management of the case company. Additionally, the survey was used to evaluate the level of IT risk assessment process maturity in the case company before and after the project, as well as to compare it with industry benchmarks and the best in class. The final outcome of the present study was the definition of the IT risk assessment process framework for the case company, leading to the following outcomes: (1) a common IT risk evaluation approach was established across the organization, and it is now duly followed in order to achieve a correct IT risk evaluation; (2) the resources of the case company are used more efficiently, because top management may, on the basis of a reliable IT risk assessment, make informed decisions that concentrate the company's resources on the most relevant risks. In conclusion, based on the feedback and the comparison to defined targets, the research has fully achieved the established business objectives.

    Advanced Digital Auditing

    This open access book discusses the most modern approach to auditing complex digital systems and technologies. It combines proven auditing approaches, advanced programming techniques and complex application areas, and covers the latest findings on theory and practice in this rapidly developing field. Especially for those who want to learn more about novel approaches to testing complex information systems and related technologies, such as blockchain and self-learning systems, the book will be a valuable resource. It is aimed at students and practitioners who are interested in contemporary technology and its managerial implications.