15 research outputs found

    The Graduate MIS Security Course: Objectives And Challenges

    Given the magnitude of real and potential losses, both private and public employers increasingly expect graduates of management information systems (MIS) programs to understand information security concepts. The infrastructure requirements for the course include setting up a secure laboratory environment to accommodate the development of viruses and worms. The labs and lectures are intended to instruct students in the inspection and protection of information assets, as well as detection of and reaction to threats to information assets

    A REVIEW OF COMPUTER NETWORK SECURITY ISSUES IN THE WORKPLACE

    This paper discusses several computer network security issues found in the workplace. The workplace here covers not only offices but also industry in general, involving the use of computers in every form, from desktops to VoIP telephones and supervisory control and data acquisition (SCADA) systems, together with the use of computer networks on those devices. The final part of the paper also discusses strategic steps for addressing the computer network security problems discussed. Keywords: computer network security, workplace, analysi

    Migrating to Post-Quantum Cryptography: a Framework Using Security Dependency Analysis

    Quantum computing is emerging as an unprecedented threat to the current state of widely used cryptographic systems. Cryptographic methods that have been considered secure for decades will likely be broken, with enormous impact on the security of sensitive data and communications in enterprises worldwide. A plan to migrate to quantum-resistant cryptographic systems is required. However, migrating an enterprise system to ensure a quantum-safe state is a complex process. Enterprises will require systematic guidance to perform this migration to remain resilient in a post-quantum era, as many organisations do not have staff with the expertise to manage this process unaided. This paper presents a comprehensive framework designed to aid enterprises in their migration. The framework articulates key steps and technical considerations in the cryptographic migration process. It makes use of existing organisational inventories and provides a roadmap for prioritising the replacement of cryptosystems in a post-quantum context. The framework enables the efficient identification of cryptographic objects, and can be integrated with other frameworks in enterprise settings to minimise operational disruption during migration. Practical case studies are included to demonstrate the utility and efficacy of the proposed framework, using graph theoretic techniques to determine and evaluate cryptographic dependencies. Comment: 21 Page

    ENTERPRISE ARCHITECTURE USING TOGAF 9.1: A STRATEGY FOR IMPROVING THE INFORMATION SECURITY MANAGEMENT SYSTEM IN THE SERVICE INDUSTRY (CASE STUDY OF PT SUMBER SAWIT SEJAHTERA)

    The service industry consists of companies licensed to operate in particular fields such as telecommunications, information, transportation, health, research and development, mining and construction. Today many companies use technology as a tool to support the business processes that take place within the company, supporting both operational and non-operational activities. However, this does not guarantee the security of company data or information. Therefore, to minimise data loss, companies need to apply an information security standard, because as technology develops, good information security and good management of both physical and non-physical assets are needed as well. Many companies still regard physical and non-physical asset management as merely an instrument for maintaining an asset register. To prevent this problem, companies need Enterprise Security. The approach used is TOGAF ADM, which covers all the core domains found in a company: business, data, applications and technology. This research produces an Enterprise Security design in the form of a blueprint describing the current state of Enterprise Security in the company and the proposed target for security improvement. With this improvement in information security, the company can feel more secure about its data and create healthy business processes. Keywords: Enterprise Security, Information Security, Asset Management, TOGAF AD

    A METHOD OF FUNCTIONAL ANALYSIS OF INFORMATION SECURITY MANAGEMENT SYSTEMS

    The process of functional analysis of information security management systems is considered. The relevance of representing such systems as a set of interrelated functions with internal and external interfaces is shown. With this in mind, existing methods of functional analysis of information security management systems are examined, and among them the graphic notation IDEF0 is highlighted. This choice is based on its ability to display both the interfaces of functions and the conditions and resources of their execution. The use of IDEF0 is found to be oriented mainly towards representing the international standards of the ISO/IEC 27k series, displaying the main stages of the information security management system life cycle, and developing individual elements of information security management systems, in particular risk management. These limitations are overcome by the proposed method of functional analysis of information security management systems, preceded by a definition of its theoretical foundations. The method makes it possible to identify functions both at the level of the system and at the levels of its structural elements (subsystems, complexes, components). To do this, the purpose and viewpoint are defined, and information security management is established as the main activity. It is represented by a set of hierarchically related functions arranged in a family tree. For each function of this tree the inputs, outputs, controls and mechanisms are defined. This makes it possible to establish their correspondence with the organisational and technical structure at the "activity-system", "process-subsystem", "operation-module (complex)" and "action-block (component)" levels.
    In future studies, it is planned to define a hierarchy of functions and develop a logical structure of information security management systems based on the proposed method of functional analysis.

    The Security Blanket, September 2001

    The ISO is responsible for State of Iowa enterprise security including security policies and procedures, security operations, security planning, information assurance, and security awareness. The Security Operations Team performs network vulnerability assessments, operates an Intrusion Detection System and a test network, serves as an incident response team, and consults on various network security issues. The purpose of the ISO is to help provide Information Assurance and enhance the quality of service that state agencies give to the citizens of Iowa through improved security awareness and practice. We're here to help you and your agency protect your information assets in an increasingly computer-dependent environment. The purpose of this newsletter is to distribute information and resources that can aid state employees and agencies in protecting their information and their information systems

    Service catalogue for non-medical support services in Hospitals (LekaS) : SN EN 15221-4 adapted, expanded and commented branch-specifically

    In the present Service Catalogue for Non-medical Support Services in Hospitals (LekaS), the norm «SN EN 15221-4 (2011) Facility Management: Taxonomy, Classification and Structures in Facility Management» is adapted, expanded and commented upon in a branch-specific way. The catalogue is a first step towards more clarity and transparency in the non-medical support service area in hospitals

    Service catalogue for non-medical services in hospitals (LekaS) : Version 2.0: translation of the German original


    Cyber Security Audit and Attack Detection Toolkit

    The goal of this project was to develop cyber security audit and attack detection tools for industrial control systems (ICS). Digital Bond developed and released a tool named Bandolier that audits ICS components commonly used in the energy sector against an optimal security configuration. The Portaledge Project developed a capability for the PI Historian, the most widely used historian in the energy sector, to aggregate security events and detect cyber attacks

    A study of employees' attitudes towards organisational information security policies in the UK and Oman

    There is a need to understand what makes information security successful in an organization. What are the threats that the organization must deal with, and what are the criteria of a beneficial information security policy? Policies are in place, but why are employees not complying? This study is a first step in trying to highlight effective approaches and strategies that might help organizations to achieve good information security by looking at success factors for the implementation. This dissertation focuses on human factors by looking at what concerns employees about information security. It explores the importance of information security policy in organizations, and employees' attitudes to compliance with organizations' policies. The research has been divided into four stages, each developed in light of the results from the previous stage. The first two stages were conducted in the Sultanate of Oman in order to use a population just starting out in the information security area. Stage one started with qualitative semi-structured interviews to explore and identify factors contributing towards successful implementation of information security in an organization. The results suggested a number of factors organizations need to consider to implement information security successfully. The second stage was based on the first stage's results: after analysing the outcomes of the semi-structured interviews, a quantitative questionnaire was developed to explore information security policy. The findings suggested that the more issues an organization covers in its security policy, the more effective that policy is likely to be. The more an organization reports adopting such criteria in its security policy, the more it reports a highly effective security policy. The more the organization implements the 'success factors', the more effective it feels its security policy will be.
    The third stage was conducted in the UK at Glasgow University, where employees are somewhat familiar with the idea of information security. It was based on the findings derived from the analysis of the quantitative questionnaire at stage two. The findings revealed different reasons for employees' non-compliance with organizational security policy, as well as the impact of non-compliance. The fourth stage consolidates the findings of the three studies and brings them together to give recommendations on how to formulate a security policy that encourages compliance and therefore reduces security threats