523 research outputs found

    Development of an ISMS for professional associations in the Lambayeque Region. Case Study: College of Engineering

    Professional associations (CP) are autonomous, non-profit institutions with legal personality under internal public law, created by law, that bring together the professionals within their jurisdiction. The problem lies in the lack of information security (SI) in the organization: information is now a key asset for companies, yet it is not adequately safeguarded to meet the organization's strategic objectives. Information is a central part of processes, services and technologies in the public and private sectors, regardless of size, and it is vital to meet the characteristics of SI: confidentiality, integrity and availability (CID). Organizations generally tend to act reactively; developing an Information Security Management System (ISMS) makes it possible to act proactively in the face of events that affect SI. Approaches from standards for managing SI (ISO 27000, COBIT, ITIL, MAGERIT) were analyzed. The objectives of this research were to raise top management's awareness of SI, analyze gaps, identify risks, identify and evaluate controls, and finally propose SI projects. Finally, ISO 27001 was applied to the case of the Departmental Council of Lambayeque of the Colegio de Ingenieros del Perú (CIP), which involved risk management (GR), the identification of controls, standards and policies, and improvements in the business processes defined in the scope document.

    The structure of R&D collaboration networks in the European Framework Programmes

    Using a large and novel data source, we study the structure of R&D collaboration networks in the first five EU Framework Programmes (FPs). The networks display properties typical for complex networks, including scale-free degree distributions and the small-world property. Structural features are common across FPs, indicating similar network formation mechanisms despite changes in governance rules. Several findings point towards the existence of a stable core of interlinked actors since the early FPs with integration increasing over time. This core consists mainly of universities and research organisations. We observe assortative mixing by degree of projects, but not by degree of organisations. Unexpectedly, we find only weak association between central projects and project size, suggesting that different types of projects attract different groups of actors. In particular, large projects appear to have included few of the pivotal actors in the networks studied. Central projects only partially mirror funding priorities, indicating field-specific differences in network structures. The paper concludes with an agenda for future research. Keywords: R&D collaboration, EU Framework Programmes, Complex Networks, Small World Effect, Centrality Measures, European Research Area

    A model for the alignment of information security requirements within South African small, medium and micro enterprises

    Small, medium and micro enterprises (SMMEs) are reported to be the hope of the economy in many developing countries, such as South Africa (SA). The unique characteristics of SMMEs such as their ability to evolve rapidly, and to employ larger labour forces as they grow, make these enterprises valuable to the SA economy, in which poverty and unemployment rates are alarmingly high. Like most modern enterprises, SA SMMEs make use of information and communication technology (ICT) systems - as a vehicle to store, transmit and process information, which is an asset that is critical to their business operations. Thus, the vulnerabilities of these ICT systems need to be addressed, in order to protect the information assets of enterprises. However, SMMEs are known to only implement measures to protect their information assets on an ad hoc basis and frequently as reactive measures to information security incidents. This can be attributed to the fact that most of these enterprises lack the ability to establish their unique information security requirements. Information security requirements are a measure of the level of security needed to adequately protect the information assets of an enterprise. Furthermore, it is reported that information security best practices and standards, which provide guidance on information security, are too complex for SA SMMEs to implement and for SMMEs to use for establishing their unique information security requirements

    The Role of Design in the CE Transition of the Furniture Industry—The Case of the Italian Company Cassina

    Abstract: The literature on circular economy has highlighted the need for more studies focused on investigating the journey of individual companies in the transition toward sustainable processes. This paper addresses this need by focusing on the furniture design industry, showing how the transition requires the re-organization of knowledge regarding materials, processes, technologies, and product quality. This assumption is demonstrated through the design research activity conducted in 2019–2020 as the first part of broader research by Cassina LAB, a collaboration between Cassina Research and Development Centre and POLI.design of Politecnico di Milano. Based on the analysis of the Italian furniture industry between constraints and opportunities, the aim of the research is to identify critical issues and propose sustainable and circular solutions, tailor-made for Cassina. Through this example, the paper contributes to the literature in two ways. First, it adds to the understanding of how companies are adopting the circular economy paradigm. Secondly, it contributes to defining tools to implement new forms of knowledge of materials and re-design processes to deliver products that are compatible with a circular economy model

    Market Orientation, Strategy and Revenue Growth in the Turkish Hotel Industry

    This empirical analysis of hotel properties in south-western Turkey draws on the market orientation, strategy, and capabilities literature to highlight the benefits of a differentiation strategy and customer-value focus for competitors in this industry. Relationship management and organizational resource management are key drivers of sales growth in this industry, and hotel operators facing high competitive intensity are particularly encouraged to develop these capabilities and to adopt a differentiation strategy instead of resorting to price cutting and other pricing and promotional tactics to grow revenues. Notable opportunities for future research include examining relationships between market orientation, customer satisfaction, and employee satisfaction in the Turkish hotel industry

    A survey on the cyber security of Small-to-Medium businesses: Challenges, research focus and recommendations

    Small-to-medium sized businesses (SMBs) constitute a large fraction of many countries’ economies but according to the literature SMBs are not adequately implementing cyber security which leaves them susceptible to cyber-attacks. Furthermore, research in cyber security is rarely focused on SMBs, despite them representing a large proportion of businesses. In this paper we review recent research on the cyber security of SMBs, with a focus on the alignment of this research to the popular NIST Cyber Security Framework (CSF). From the literature we also summarise the key challenges SMBs face in implementing good cyber security and conclude with key recommendations on how to implement good cyber security. We find that research in SMB cyber security is mainly qualitative analysis and narrowly focused on the Identify and Protect functions of the NIST CSF with very little work on the other existing functions. SMBs should have the ability to detect, respond and recover from cyber-attacks, and if research lacks in those areas, then SMBs may have little guidance on how to act. Future research in SMB cyber security should be more balanced and researchers should adopt well-established powerful quantitative research approaches to refine and test research whilst governments and academia are urged to invest in incentivising researchers to expand their research focus

    9Solutions product quality system

    Abstract. Quality management (QM) is an important managerial tool in production and service environments. It covers the social and technical factors affecting quality of products and services within an organization. Global competition and increasing customer demands emphasize the importance of QM in different organizations. If applied correctly, QM can be a success factor for a company, by increasing customer satisfaction and profitability of the company. The thesis is constructive research in nature and was performed in a case company. The objective of the study is to examine the current state and the biggest challenges regarding QM in the case company and to suggest improvement proposals based on theory and empirical findings. The study addresses QM and its utilization in the case company in the form of a quality management system (QMS). The literature review covers the concept of quality, the QM principles, and their involvement in a company's functions, such as product development (PD). The empirical part of the research examines the current state of QM at the case company with the use of theme interviews. Also, three benchmarking interviews contribute to the empirical study, highlighting the best QM practices from technology companies of similar magnitude. The empirical part of the study demonstrates that in the case company quality is managed with several procedures, but a systematic and documented system, as well as clear, strategy-based quality policies and objectives, are missing. The lack of systematic QM complicates detecting problems in PD and other organizational functions, leading to both direct and indirect quality costs. Thus, the existing literature's perception of reactive QM applies to the case company for the most part. The study aims to solve QM related challenges in the company by utilizing the key points of existing literature and benchmarking observations. Existing literature emphasizes the concepts of quality planning and continuous improvement as the most important factors for an organization to move towards preventive QM, including planning for the quality management system. The QMSs of the benchmarking companies differ, but their unifying factors were observed to be process management, clear documentation of the system, clear objectives, and systematic QM in PD processes. Evaluating the theory and empirical findings demonstrates that QM at the case company can also be developed with the implementation of a process-based QMS. The proposed improvement model covers those basic QM methods that the case company should assimilate to develop a QMS. The development proposals include quality planning, measuring organizational performance and process management, which together create a body for the QMS. Also, recommendations for QMS documentation procedures and audits are presented. Together, the improvement proposals offer the case company a concrete model for initiating quality work and developing the quality of products and services.

    A study of standards and the mitigation of risk in information systems

    Organisations from the multinational Organisation for Economic Cooperation and Development through to national initiatives such as the UK's Cabinet Office, have recognised that risk - the realisation of undesirable outcomes - needs a firm framework of policy and action for mitigation. Many standards have been set that implicitly or explicitly expect to manage risk in information systems, so creating a framework of such standards would steer outcomes to desirable results. This study applies a mixed methodology of desk enquiries, surveys, and action research to investigate how the command and control of information systems may be regulated by the fusion and fission of tacit knowledge in standards comprising the experience and inductive reasoning of experts. Information system user organisations from the membership of The National Computing Centre provided the working environment in which the research was conducted in real time. The research shows how a taxonomy of risks can be selected, and how a validated catalogue of standards which describe the mitigation of those risks can be assembled taking the quality of fit and expertise required to apply the standards into account. The work bridges a gap in the field by deriving a measure of organisational risk appetite with respect to information systems and the risk attitude of individuals, and linking them to a course of action - through the application of standards - to regulate the performance of information systems within a defined tolerance. The construct of a methodology to learn about a framework of ideas has become an integral part of the methodology itself with the standards forming the framework and providing direction of its application. The projects that comprise the research components have not proven the causal link between standards and the removal of risk, leaving this ripe for a narrowly scoped, future investigation.
The thesis discusses the awareness of risk and the propensity for its management, developing this into the definition of a framework of standards to mitigate known risks in information systems with a new classification scheme that cross-references the efficacy of a standard with the expertise expected from those who apply it. The thesis extends this to the idea that the framework can be scaled to the views of stakeholders, used to detect human vulnerabilities in information systems, and developed to absorb the lessons learnt from emergent risk. The research has clarified the investigation of the security culture in the thrall of an information system and brought the application of technical and management standards closer to overcoming the social and psychological barriers that practitioners and researchers must overcome. EThOS - Electronic Theses Online Service, GB, United Kingdo