16 research outputs found

    DEVELOPMENT OF AN INFORMATION ASSURANCE AWARENESS ASSESSMENT INSTRUMENT FOR INFORMATION TECHNOLOGY STAFF

    The government continually expresses concern that critical infrastructures are vulnerable to a host of electronic attacks and that people are the front line of defense. No previous academic research quantitatively measures security awareness in an organization. To accomplish this task an instrument must be developed. This study describes the development and administration of such an instrument that other studies can use to measure the level of security awareness in Information Systems staff and thereby determine their level of preparedness.

    Analyzing Information Security Model for Small-Medium Sized Businesses

    As large organizations invest heavily in security frameworks, cyber criminals and malicious insiders are turning their attention to smaller businesses to steal or damage sensitive information. Unlike large enterprises, small businesses often pay little attention to hackers, cyber criminals, and malicious insiders. Furthermore, small-medium sized organizations are challenged to implement proper information security strategies due to insufficient resources. Very few methods and publications focus on information security for small and medium sized organizations.

    This paper reviews the National Institute of Standards and Technology (NIST) framework for security in small and medium-sized businesses. After discussing several concerns with NIST’s approach, our proposed methodology is introduced and examined to provide an information security framework suited for small and medium sized businesses.

    A Comprehensive Information Technology Risk Assessment Audit Framework for Small- and Medium-Sized Financial Institutions

    Information technology audits are vital information management programs for banks and financial institutions. A plethora of laws and regulations exists, requiring financial institutions to develop an information technology audit program to support their information technology infrastructure and keep non-public customer information secure. Furthermore, banks are required to complete a risk-based audit on an annual basis to comply with regulators. This research combines two previously identified frameworks, the Comprehensive Risk-Based Auditing Framework (CRBA) and the Small to Medium Entity Risk Assessment Model (SMERAM), to further develop the audit process to include the critical risk assessment process and to ensure that the audit is risk-based. Having a sound risk-based audit program will improve the overall information security posture of banks and financial institutions. Furthermore, this research uses an example to demonstrate the process.

    Accuracy of Self Disclosed Cybersecurity Risks of Large U.S. Banks

    Publicly traded corporations are required by the Securities and Exchange Commission (SEC) to self-disclose information security risks. However, because of several undefined factors, the risk information may not accurately reflect the threats within the Internet domain. Investors are then left ill-informed regarding this substantial risk to corporate value. This project quantifies the disparity between reported information security risks and information security threats.

    A Model for teaching hands-on IT Audit skills to IS students


    Experiences and lessons learned in the design and implementation of an Information Assurance curriculum

    In 2004, Dakota State University proposed a model for information assurance and computer security program development. That model provided a framework for developing undergraduate and graduate programs at DSU. This paper provides insight into experiences and lessons learned in further implementing that model. The paper details modifications to both the undergraduate and graduate information assurance programs as a result of specific issues and challenges. Further, the paper highlights the introduction of a new terminal degree that includes an information assurance specialization. As a national center of excellence in information assurance education, we are confident that this paper will be helpful to universities around the world in either developing new or improving existing IA programs.

    An Inventory of International Privacy Principles: A 14 Country Analysis

    Companies are operating within a global marketplace where they must navigate differing laws related to data privacy, so it is important to understand and respect the privacy concerns of various countries. To that end, this paper provides an inventory of the data privacy principles set out by fourteen countries around the world. By looking at the similarities and differences between nations, it is possible to work toward a common understanding and agreement on which principles should be approved and thereafter enforced. With technology evolving so rapidly, laws cannot afford to be merely reactionary; rather, the development of privacy principles can be used to guide future implementation of regulation.

    Towards a Triad for Data Privacy

    Data privacy is a topic of interest for researchers, data collection managers, and data system specialists. In an attempt to assuage growing concerns regarding the collection and use of personal data, many organizations have begun developing systems and drafting policies meant to safeguard that data from potential privacy harms. This paper provides a surface-level comparison of data privacy triads from NIST in the United States and ULD in Germany that may form the basis for a future universal definition of data privacy. The analysis shows two different approaches to defining data privacy: one which focuses on the practical implementation of data privacy safeguards (NIST) and one that focuses on defining the highest possible standards to which data processors must be held (ULD).

    Panel - IT in Banking and Finance
