
    ADOPTION OF THE INFORMATION SECURITY MANAGEMENT SYSTEM STANDARD ISO/IEC 27001: A STUDY AMONG GERMAN ORGANIZATIONS

    Against the backdrop of numerous security breaches and cyber-attacks, organizations need to take measures to secure their data and information. However, the well-known management system standard ISO/IEC 27001 for information security has shown a lower adoption rate - in terms of annual ISO survey data - than was previously expected by scholars and practitioners. Through the lens of Rogers' diffusion of innovation theory, we consider the adoption of ISO/IEC 27001 as a 'preventive innovation' and aim to identify factors that help gain a better understanding of its adoption. Therefore, we conducted a survey among German organizations on the use and impact of management system standards, explicitly distinguishing between organizations that implement ISO/IEC 27001 and those that are additionally certified against this standard. This study provides insights and contributes to an advanced understanding of motives, impacts, barriers, and useful measures to increase adoption of ISO/IEC 27001. Our findings may be useful to organizations considering the adoption of this management system standard, to certification bodies providing certification services, and to policymakers seeking means to improve information security in organizations.

    INFORMATION SECURITY AND QUALITY MANAGEMENT SYSTEMS INTEGRATION: CHALLENGES AND CRITICAL FACTORS

    Implementing a new management system in organizations that already have a certified management system can be challenging. This research discussed enabler factors that influence the integration of an information security management system certified following ISO 27001 with a quality management system certified following ISO 9001. Five factors were identified as the basis of this research: Implementation Model, Human Resources, Resources Availability, Standard Issues, and Standards Integration. Four factors were validated through the qualitative study with consultants specialized in implementing and integrating these standards. Then, by prioritizing these factors through the Analytic Hierarchy Process method, it was found that the most relevant aspect is Standards Integration for the managers of the institution under study. For specialist consultants, the most pertinent factor is Human Resources.

    Design of a Security Toolbox: A Framework To Mitigate The Risks of Cyberspace

    Dissertation presented as the partial requirement for obtaining a Master's degree in Information Management, specialization in Information Systems and Technologies Management.

    This research aims to create a framework that helps SMEs mitigate the various risks of cyberspace. In this digital era, the dangers of cyberspace are increasing, which leads to the need for organizations to adopt adequate security measures capable of preventing cyberattacks. However, a large number of employees in SMEs do not know how to act to mitigate the risks already mentioned. Thus, the development of a security toolbox could be a solution to help SMEs be less exposed to the dangers of cyberspace. For this research, a theoretical overview associated with cybersecurity to understand the current state of security solutions and the different control options in the organizational environment was essential. Last but not least, a clear understanding of SMEs' needs in the area of security was also crucial in the development and construction of the proposed artifact. To evaluate and validate the security toolbox, focus group meetings will be scheduled. The implementation of a security toolbox that helps SMEs to identify, protect, respond and recover from potential cyberattacks may be relevant and can provide great results for different organizational environments to mitigate the risks of cyberspace. The suggested framework would play an important role for the users of the security toolbox in gaining more know-how to protect the business environment. It may also be seen as an advantage to science, since it will help to develop research related to improving the techniques and tools available to mitigate the high risks of cyberspace.

    A Conceptual Research on the Contribution of Integrated Management Systems to the Circular Economy

    Companies worldwide strive to become more sustainable, and, in this context, the circular economy (CE) gains importance as an alternative system to the linear economy. Since executive managers around the world work with management systems (MSs) to guide and improve organizational operations, this work aims to explore how integrated MSs (IMS) as business tools can contribute to the adoption of CE principles at the corporate level. To achieve this objective, a systematic literature review is performed, which results in a synthesis sample of 18 academic papers. The findings reveal how MSs contribute to CE adoption and, therefore, demonstrate that managers can use IMS to foster CE implementation. In addition, the findings highlight the importance of institutional intervention in the transition from a linear towards a circularly designed economy. The paper contributes to academia by linking the concepts of IMS and CE, synthesizing the current academic knowledge at hand, and proposing a comprehensive research agenda that sets the path for future academic investigations. From a practical perspective, the paper also contributes to managers since it emphasizes how IMS can be used to incorporate circular business thinking into operations management.

    Information risk analysis according to the ISO 27001:2013 standard: prior to an implementation

    This article explores the organizational structure of the district municipality of Asillo in order to improve the flow of information and knowledge about the security of its infrastructure. To that end, descriptive studies were carried out to identify the municipality's problems. The results made it possible to identify the municipality's weaknesses, which will subsequently be used in future studies to define a risk treatment plan, the acquisition of skills for better risk management, and good management practices in keeping with the challenges of the times we live in. Information was collected on the results regarding the elements of the municipality's security policy, asset management, organization of human resources security, physical security, communications and operations management, access control, systems maintenance, incident management, and communications and operations management, for which the implementation of sound systems based on the ISO 27001:2013 standard is recommended, making use of modern technologies that adapt better to the community and protect its most important information assets.

    Human resources analytics module at Quidgest: One more step for human resources to become a true strategic partner

    Analytics has been a source of competitive advantage due to improved decision-making processes in several business areas. Organizations have reported gains in efficiency and effectiveness based on the implementation of data-driven strategies. However, Human Resources (HR) professionals have been struggling to implement Analytics processes and are missing out on the opportunity of using data to improve organizational performance and truly become a Business Strategic Partner. This Enterprise Project aims to contribute to shortening that gap. It sets out to gather and elicit business, user, functional, and nonfunctional requirements for a new Human Resources Analytics Module (HRAM) at Quidgest, a Portuguese Technological Consultancy company that develops Human Resources Information Systems. The gathering and elicitation of requirements were done through Interviews, a Questionnaire, and 2 Joint Application Development (JAD) Sessions. A Value Proposition Canvas was developed to convey a fit between the system's main functionalities and HR Professionals' needs based on those requirements. The relevance of this project is twofold: First, when developed, the new Analytics Module can become a new revenue stream for Quidgest and a way to maintain and improve its competitiveness in the market; Second, HR Professionals may find a new tool that meets their needs towards implementing Analytics processes and take a step forward in becoming a Strategic Partner. The conclusion of this project also sets out to suggest the next steps for the Module Development and implementation.

    The use of Analytics has been a source of competitive advantage due to improved decision-making processes. Organizations report gains in efficiency and effectiveness based on the implementation of data-driven strategies. However, Human Resources (HR) professionals have struggled to implement analytics processes and are missing the opportunity to use their data to improve organizational performance and truly become Strategic Business Partners. This enterprise project aims to fill that gap. It sets out to gather and clarify business, user, functional and non-functional requirements for a new Human Resources (HR) Analytics Module at Quidgest, a Portuguese technology consultancy that develops HR information systems. The gathering and clarification of requirements was done through interviews, a questionnaire, and 2 Joint Application Development sessions. Next, a Value Proposition Canvas was developed, showing the fit between the system's main functionalities and the needs of HR professionals in this area. The relevance of this project lies in two aspects: first, the new Analytics Module can become a new source of revenue for Quidgest and a way to maintain and improve its competitiveness; second, HR professionals may find a new tool that meets their needs for implementing analytics processes and take a step forward in becoming a Business Partner. The conclusion of this project suggests the next steps for the development of the Analytics Module.

    Exploring the influence of organisational, environmental, and technological factors on information security policies and compliance at South African higher education institutions: Implications for biomedical research.

    Magister Scientiae - MSc

    Headline reports on data breaches worldwide have resulted in heightened concerns about information security vulnerability. In Africa, South Africa is ranked among the top 'at-risk' countries with information security vulnerabilities and is the most cybercrime-targeted country. Globally, such cyber vulnerability incidents greatly affect the education sector, due, in part, to the fact that it holds more Personal Identifiable Information (PII) than other sectors. PII refers to (but is not limited to) ID numbers, financial account numbers, and biomedical research data. In response to rising threats, South Africa has implemented a regulation called the Protection of Personal Information Act (POPIA), similar to the European Union General Data Protection Regulation (GDPR), which seeks to mitigate cybercrime and information security vulnerabilities. The extent to which African institutions, especially in South Africa, have embraced and responded to these two information security regulations remains vague, making it a crucial matter for biomedical researchers. This study aimed to assess whether the participating universities have proper and reliable information security practices, measures and management in place and whether they fall in line with both national (POPIA) and international (GDPR) regulations. In order to achieve this aim, the study undertook a qualitative exploratory analysis of information security management across three universities in South Africa. A Technology, Organizational, and Environmental (TOE) model was employed to investigate factors that may influence effective information security measures. A purposeful sampling method was employed to interview participants from each university. From the technological standpoint, the Bring Your Own Device (BYOD) policy, whereby on average a student owns and connects between three and four internet-enabled devices to the network, has created difficulties for IT teams, particularly in the areas of authentication, explosive growth in bandwidth, and access control to security university servers. In order to develop robust solutions to mitigate these concerns, and which are not perceived by users as overly prohibitive, executive management should acknowledge that security and privacy issues are a universal problem and not solely an IT problem, and equip the IT teams with the necessary tools and mechanisms to allow them to overcome commonplace challenges. At an organisational level, information security awareness training of all users within the university setting was identified as a key factor in protecting the integrity, confidentiality, and availability of information in highly networked environments. Furthermore, the University's information security mission must not simply be a link on a website; it should be constantly reinforced by informing users during, and after, the awareness training. In terms of environmental factors, specifically the GDPR and POPIA legislation, one of the most practical and cost-effective ways universities can achieve data compliance requirements is to help staff (both teaching and non-teaching), students, and other employees understand the business value of all information. Users who are more aware of the sensitivity of data, risks to the data, and their responsibilities when handling, storing, processing, and distributing data during their day-to-day activities will behave in a manner that makes compliance easier at the institutional level. Results obtained in this study helped to elucidate the current status, issues, and challenges which universities are facing in the area of information security management and compliance, particularly in the South African context. Findings from this study point to organizational factors being the most critical when compared to the technological and environmental contexts examined. Furthermore, several proposed information security policies were developed with a view to assist biomedical practitioners within the institutional setting in protecting sensitive biomedical data.

    Cyber Situational Awareness Dashboard for Information Security

    In an era in which organizations and people live interconnected in a cyber world, and in which, with the new emerging technologies, the production of digital data and communications between different systems and entities is expected to increase considerably, it becomes ever more pressing to provide and implement systems capable not only of ensuring digital security, but of measuring and quantifying it against the intrinsic needs of each entity. The objective of this study is the creation of a situational awareness dashboard based on the identification of the state of the art regarding information security metrics and architectures that support the implementation of a situational awareness system. The study methodology used was descriptive with a quantitative focus. The product conceptualized, designed and implemented in this dissertation was based on the use of commercial software that is widely adopted in the business context. The definition of metrics was tailored to the academic case study, being expandable and allowing, from the start of its implementation, the situational awareness of potential users to be addressed and ensured in line with the needs of an organization. The use of the product developed in this dissertation allows future integrations with predictive analytics systems that can improve the efficiency of information security systems.