23 research outputs found

    Development of an ISMS for professional associations in the Lambayeque Region. Case Study: College of Engineering

    Professional associations (CP) are autonomous, non-profit institutions with legal personality under domestic public law, created by statute, that bring together the professionals within their jurisdiction. The problem lies in the lack of information security (IS) in the organization: today information is a key asset for any enterprise, yet it is not safeguarded adequately enough to meet the organization's strategic objectives. Information is the principal component of processes, services and technologies in the public and private sectors, regardless of size, so it is vital to satisfy the properties of IS: confidentiality, integrity and availability (CIA). Organizations generally act reactively; developing an Information Security Management System (ISMS) makes it possible to act proactively against events that affect IS. Approaches from the standards for managing IS (ISO 27000, COBIT, ITIL, MAGERIT) were analysed. The objectives of this research were to raise senior management's awareness of IS, analyse the gaps, identify the risks, identify and evaluate the controls, and finally propose IS projects; lastly, ISO 27001 is applied to the case study, the Lambayeque Departmental Council of the Colegio de Ingenieros del Perú (CIP), which involved risk management (RM), the identification of controls, standards and policies, and improvements to the business processes defined in the scoping document.

    Role-based access control mechanisms: distributed, statically implemented and driven by CRUD expressions

    Most of the security threats in relational database applications have their source in client-side systems when they issue requests formalized by Create, Read, Update and Delete (CRUD) expressions. If tools such as ODBC and JDBC are used to develop business logic, then there is another source of threats: in some situations the content of data sets retrieved by Select expressions can be modified and then committed into the host databases. These tools are agnostic not only regarding database schemas but also regarding the established access control policies. This situation can hardly be mastered by programmers of business logic in database applications with many and complex access control policies. To overcome this gap, we extend the basic Role-Based Access policy to support and supervise the two sources of security threats. This extension is then used to design the corresponding RBAC model. Finally, we present a software architectural model from which static RBAC mechanisms are automatically built, this way relieving programmers from mastering any schema. We demonstrate empirical evidence of the effectiveness of our proposal from a use case based on Java and JDBC.

    An annotated bibliography of multidisciplinary information security resources, for the purpose of maintaining privacy and confidentiality in New Zealand government records management

    Research Problem: Maintaining privacy and confidentiality of data in an age of e-government and electronic recordkeeping is one of the key challenges for records management staff today. In New Zealand this issue has attracted negative attention through several recent public sector privacy and security breaches, raising questions about systemic issues, accountability, and a disconnect between strategy and implementation. How government responds will depend in large measure on the advice received regarding solutions to information security. A bibliographic gap on the relationship between records management and information security has been identified in the academic literature.
    Methodology: Using targeted search strategies, this annotated bibliography draws together articles from a range of journals with the aim of developing a consolidated resource for practitioners to become acquainted with the multifaceted and multidisciplinary nature of information security. The outcome is a resource directly relevant to the New Zealand context, which identifies key perspectives, relationships, technical issues, and shortcomings in research.
    Results: Key findings relate to publishing trends, divided disciplines, and shortcomings in research pertaining to records management relationships with IT groups and engagement in e-government.
    Implications: These include the development of more comprehensive e-government information and security strategies, the re-examination and utilisation of existing relationships, and the strengthening of records management's position as a contributor to research and leadership in the array of possible responses to information security.

    VISUALIZING SOCIAL ROLES - DESIGN AND EVALUATION OF A BIRD'S-EYE VIEW OF SOCIAL NETWORK PRIVACY SETTINGS

    The rising usage of Social Network Sites for interacting with contacts from multiple social spheres poses new privacy challenges and increasingly prompts users to manage their online identities. To convey a consistent image of the self when interacting with a group of contacts, awareness of previously used social roles is needed first. However, existing tools on Social Network Sites to increase such awareness are often spread over different interfaces, and the user is left to figure out which contacts have access to which shared items. To address these problems, we introduce the Access Policy Grid, a new visualization offering a bird's-eye view on defined privacy settings that allows identifying social roles and inconsistencies therein. To evaluate our visualization, we present the results of a laboratory experiment involving 32 participants in which we compare the Access Policy Grid to the native Facebook interface. For five out of six research questions, our results show that the APG outperforms the Facebook interface significantly in terms of at least one of the three investigated aspects (accuracy, confidence, and time-to-task completion).

    DEVELOPMENT OF THE DIGITAL COMPETENCIES OF FUTURE INFORMATION SECURITY SPECIALISTS AT UNIVERSITY

    The digital transformation of modern society requires higher education to develop both the universal and the professional digital competencies of students. This is critical for future specialists in the field of information security, as their training has pronounced specific features, which determine the relevance of this article. The goal of the research is to justify the possibilities for developing the digital competencies of information security students at university in the context of the Education 4.0 paradigm and Russia's national program for the development of the digital economy. Analytical and synthetic methods were used in the research. The theoretical significance of the study lies in clarifying the concept of digital competencies in the era of Education 4.0, and the trends and possible consequences of their development in Russian and foreign practice. The scientific novelty lies in identifying the features and problems of developing the digital competencies of information security specialists, as well as in substantiating the prospective possibilities of overcoming these problems in the professional training of future information security specialists at university. The effectiveness of new approaches to organizing the digital skills training of students in the course on information security risk management is shown, which underlines the practical significance of the study.

    When Cyber Systems Crash: Attitudes Towards Cyber Utilization And Security

    This research focused on examining attitudinal differences in Internet utilization and security, with the objective of understanding the relationships that cyber usability has with cybercrime and then determining the best practices needed to promote secure use of the Internet. The research was designed as a quantitative study that used judgment sampling to survey 433 cases to explain the relationship that exists between cyber utilization and security. To achieve this objective, research questions and hypotheses were designed to guide the analysis. Cross-tabulation analysis was used to compare the dependent and independent variables, while Chi-square, Lambda and Gamma statistical tests were used to verify the relationship and identify the statistical significance of the relationship. The findings revealed that while variables such as being IT savvy, amount of financial loss, education, age, gender and residence location showed no evidence of a relationship with security, research participants had concern for secure cyber use and thought that cybersecurity awareness training and the type of transaction conducted on the Internet were associated with security, even though the strength of each relationship was weak. The study highlighted the damaging effects of cybercrime and recommended that cyber users embrace best-practice principles as they browse the Internet and utilize cybersecurity awareness training as an important function of secure IT utilization.

    The significance of the role concept in the development of cross-enterprise EHR standards

    Master's thesis in health and social informatics, University of Agder, 2016. The current offer of health care services shows that patients receive services from multiple health care providers within diagnostic procedures, treatment and follow-up care. Consequently, health care personnel across the board require access to updated information on the patient in order to provide health care. Today each health care establishment keeps separate electronic health records (EHR) to which only its own employees have access. In addition, most establishments have individually adapted their records in relation to structure, access control and roles. Moving forward, the goal is to provide mutual access between health care actors to patient records, as well as to standardize the content of the records. In the EHR, health personnel are categorized based on their role, for instance nurse or doctor, and this role is currently the basis for granting access to the part of the EHR relevant to them. This master's thesis has examined the term "role" and its significance when the goal is standardized EHR and cooperation across different establishments. A pre-analysis was conducted, reaching out to several individuals with extensive knowledge of the subject, in order to map possible challenges. Thesis statement: What is the impact of roles when developing standards in EHR, with the focus being on cooperation and access across different health care establishments? A qualitative method has been applied in order to answer this statement, along with eight semi-structured interviews with a strategic selection of informants. Results indicate that there is unevenness in the progress of standardization when looking at county health care and specialized health care. It cannot be concluded that standardized roles are decisive for cooperation and access across establishments. 
    Most informants expressed that this would be an advantage; however, to what degree will depend on, amongst other things, what the basis of access to the EHR is. Possibly, it could be more significant to define roles in relation to the patient than roles as a user of the EHR. In addition, this thesis has made visible the challenges related to broad, cooperative access, especially from the county health care providers. Several of these concerns are theoretically supported. Taking these challenges into account and conducting a thorough analysis could be crucial for the implementation of access across establishments. Keywords: Electronic health records, role, access control, standardization