A strategic approach for handling information security incidents in higher education
- Authors: Khamali, Rethabile
- Date: 2024-04
- Subjects: Computer security -- Management , Computer security , Information resources management , Corporate governance -- South Africa
- Language: English
- Type: Master's theses , text
- Identifier: http://hdl.handle.net/10948/64588 , vital:73769
- Description: Information Security Management System (ISMS) is a set of processes to protect institution information assets and information and to preserve confidentiality, integrity, and availability of institutional information. In the world of computers, it is known that there is no silver bullet when it comes to protecting an IT infrastructure. At some point, an organisation will face a security breach, and how it deals with the information security incident depends on the robustness of its processes and the strategy for handling incidents. In today’s world, information communication and technology (ICT) is integral in automating manual tasks that can take hours and even days to execute. The more institutions depend on technology, the more they become vulnerable to cyber threats. This could result in an institution losing its competitive edge, facing legal issues, loss of reputation, customer confidence and productivity, and lastly, financial loss. Various information security standards, frameworks, and methodologies can be applied to protect information assets. Many of these best practices define the ‘what’ and not the ‘how’ making it even more complex for institutions such as Higher Education to implement ISMS. The study aims to develop a strategy for handling information security incidents that Higher Education Institutions can follow to improve how incidents, cyber threats and breaches are handled. The primary research objective is addressed through several secondary research objectives, namely, to investigate current strategies that Higher Education Institutions can utilise for the handling of information security incidents, to understand various challenges that Higher Education Institutions encounter when handling information security incidents, to assess the current capacity of relevant personnel in handling information security incidents through semi-structured interviews.
A detailed literature review was undertaken to delve into existing various information security standards, frameworks, and methodologies. In addition, an investigation was conducted on ISMS adoption and implementation by institutions and Higher Education Institutions in general and how modern best practices such as ISO2700x, COBIT, ITIL, NIST, etc, relate to ISMS. Furthermore, semi-structured interviews were conducted to determine information security incidents at South African Higher Education Institutions. Expert interviews are utilised to evaluate the proposed strategy and provide input. The literature review findings, together with results obtained from semi-structured and expert interviews, are used to develop a strategy evaluated for its robustness, effectiveness, and suitability for the purpose. The developed strategy can be considered a beneficial tool for Higher Education Institutions in South Africa for handling information security incidents. This study’s findings significantly contribute to ISMS research in Higher Education Institutions in South Africa. In conclusion, findings of the study can be summarized as follows. The first chapter, which is also an introduction, sets out the scene for the entire research study undertaken by first highlighting information technology as an integral part of any business nowadays. Higher education institutions collect, process and store sensitive information of current and prospective students and employees, which might be of value to hackers. An information security management system (ISMS) can minimise damage by ensuring information assets are protected from a wide range of threats and business resilience in case of a breach or an incident. Chapter 2 reviews the existing literature for these frameworks, standards, and methods. In addition, various ISMS challenges and limitations within Higher Education Institutions were explored. 
The third chapter outlines the research design process and emphasises that it must be based on real-world or tangible challenges. The fourth chapter presented and discussed results that were obtained from semi-structured interviews. The study’s analysis and findings vividly show that there is a need to implement a strategy to handle information security incidents for South African higher education institutions. The strategic management approach used to formulate a strategy to address the identified real problem is discussed in detail in chapter 5. The strategy is developed based on the information gathered from the literature review and semi-structured interviews. The results of the assessment of the proposed strategy carried out by the experts are presented in Chapter 6. The chapter also includes recommendations made by the experts to improve the proposed strategy. , Thesis (MPhil) -- Faculty of Engineering, the Built Environment and Technology, School of Information Technology, 2024
- Full Text:
- Date Issued: 2024-04
Cyber security compliance in South Africa’s maritime sector
- Authors: Steenberg, Wynand
- Date: 2024-04
- Subjects: Computer security -- Management , Computer networks -- Security measures , Cyberspace -- Security measures , Shipping -- Security measures
- Language: English
- Type: Master's theses , text
- Identifier: http://hdl.handle.net/10948/65445 , vital:74152
- Description: Globally, cyber attacks on the maritime industry have escalated exponentially, indicating that cyber security should be an international priority. The majority of maritime digital systems are connected to the cloud through information technologies, creating vulnerability to cyber attacks. Cyber security is critical to protect and ensure resiliency in the maritime industry’s operations. In July 2021, a cyber attack targeted the Transnet National Ports Authority (TNPA) and caused significant disruption to operations at multiple South African ports. Port operations were reduced to manual processes, which resulted in severe congestion. Transnet declared a force majeure during the two weeks it took to reinstate minimal operations. The TNPA cyber attack emphasised the need for effective strategies and procedures to prevent and recover from cyber attacks in the South African maritime industry. As maritime transport contributes significantly to South Africa’s gross domestic product (GDP), the incident had a detrimental effect on the country’s economy. It is, therefore, important to ensure that the South African maritime industry remains aware of the latest strategies and guidelines for cyber risk management. This study set out to establish if South Africa’s maritime industry complies with international standards for cyber risk management by analysing the International Maritime Organization’s (IMO) guidelines for cyber risk management. South Africa’s cyber risk management strategies were evaluated, and recommendations were made to improve the cyber risk management strategies and procedures currently employed in the South African maritime industry. , Thesis (MPhil) -- Faculty of Business and Economic Sciences, School of Economics, Development and Tourism, 2024
- Full Text:
- Date Issued: 2024-04
An exploratory investigation into an Integrated Vulnerability and Patch Management Framework
- Authors: Carstens, Duane
- Date: 2021-04
- Subjects: Computer security , Computer security -- Management , Computer networks -- Security measures , Patch Management , Integrated Vulnerability
- Language: English
- Type: thesis , text , Masters , MSc
- Identifier: http://hdl.handle.net/10962/177940 , vital:42892
- Description: In the rapidly changing world of cybersecurity, the constant increase of vulnerabilities continues to be a prevalent issue for many organisations. Malicious actors are aware that most organisations cannot timeously patch known vulnerabilities and are ill-prepared to protect against newly created vulnerabilities where a signature or an available patch has not yet been created. Consequently, information security personnel face ongoing challenges to mitigate these risks. In this research, the problem of remediation in a world of increasing vulnerabilities is considered. The current paradigm of vulnerability and patch management is reviewed using a pragmatic approach to all associated variables of these services / practices and, as a result, what is working and what is not working in terms of remediation is understood. In addition to the analysis, a taxonomy is created to provide a graphical representation of all associated variables to vulnerability and patch management based on existing literature. Frameworks currently being utilised in the industry to create an effective engagement model between vulnerability and patch management services are considered. The link between quantifying a threat, vulnerability and consequence; what Microsoft has available for patching; and the action plan for resulting vulnerabilities is explored. Furthermore, the processes and means of communication between each of these services are investigated to ensure there is effective remediation of vulnerabilities, ultimately improving the security risk posture of an organisation. In order to effectively measure the security risk posture, progress is measured between each of these services through a single averaged measurement metric. The outcome of the research highlights influencing factors that impact successful vulnerability management, in line with identified themes from the research taxonomy. 
These influencing factors are however significantly undermined due to resources within the same organisations not having a clear and consistent understanding of their role, organisational capabilities and objectives for effective vulnerability and patch management within their organisations. , Thesis (MSc) -- Faculty of Science, Computer Science, 2021
- Full Text:
- Date Issued: 2021-04
Passphrase and keystroke dynamics authentication: security and usability
- Authors: Bhana, Bhaveer
- Date: 2020
- Subjects: Computer security -- Management , Computers -- Access control -- Codewords , Computers -- Access control -- Keystroke timing authentication , Entropy (Information theory)
- Language: English
- Type: text , Thesis , Doctoral , PhD
- Identifier: http://hdl.handle.net/10962/146663 , vital:38546
- Description: It was found that employees spend a total of 2.25 days within a 60 day period on password related activities. Another study found that over 85 days an average user will create 25 accounts with an average of 6.5 unique passwords. These numbers are expected to increase over time as more systems become available. In addition, the use of 6.5 unique passwords highlights that passwords are being reused which creates security concerns as multiple systems will be accessible by an unauthorised party if one of these passwords is leaked. Current user authentication solutions either increase security or usability. When security increases, usability decreases, or vice versa. To add to this, stringent security protocols encourage unsecure behaviours by the user such as writing the password down on a piece of paper to remember it. It was found that passphrases require less cognitive effort than passwords and because passphrases are stronger than passwords, they don’t need to be changed as frequently as passwords. This study aimed to assess a two-tier user authentication solution that increases security and usability. The proposed solution uses passphrases in conjunction with keystroke dynamics to address this research problem. The design science research approach was used to guide this study. The study’s theoretical foundation includes three theories. The Shannon entropy formula was used to calculate the strength of passwords, passphrases and keystroke dynamics. The chunking theory assisted in assessing password and passphrase memorisation issues and the keystroke-level model was used to assess password and passphrase typing issues. Two primary data collection methods were used to evaluate the findings and to ensure that gaps in the research were filled. A login assessment experiment collected data on user authentication and user-system interaction for passwords and passphrases.
Plus, an expert review was conducted to verify findings and assess the research artefact in the form of a model. The model can be used to assist with the implementation of a two-tier user authentication solution which involves passphrases and keystroke dynamics. There are a number of components that need to be considered to realise the benefits of this solution and ensure successful implementation.
- Full Text:
- Date Issued: 2020
A model for the alignment of information security requirements within South African small, medium and micro enterprises
- Authors: Speckman, Timothy Harambee
- Date: 2019
- Subjects: Computer security -- Management , Data protection -- Management , Small business -- South Africa , Knowledge management
- Language: English
- Type: Thesis , Masters , MIT
- Identifier: http://hdl.handle.net/10948/44012 , vital:37092
- Description: Small, medium and micro enterprises (SMMEs) are reported to be the hope of the economy in many developing countries, such as South Africa (SA). The unique characteristics of SMMEs such as their ability to evolve rapidly, and to employ larger labour forces as they grow, make these enterprises valuable to the SA economy, in which poverty and unemployment rates are alarmingly high. Like most modern enterprises, SA SMMEs make use of information and communication technology (ICT) systems - as a vehicle to store, transmit and process information, which is an asset that is critical to their business operations. Thus, the vulnerabilities of these ICT systems need to be addressed, in order to protect the information assets of enterprises. However, SMMEs are known to only implement measures to protect their information assets on an ad hoc basis and frequently as reactive measures to information security incidents. This can be attributed to the fact that most of these enterprises lack the ability to establish their unique information security requirements. Information security requirements are a measure of the level of security needed to adequately protect the information assets of an enterprise. Furthermore, it is reported that information security best practices and standards, which provide guidance on information security, are too complex for SA SMMEs to implement and for SMMEs to use for establishing their unique information security requirements.
- Full Text:
- Date Issued: 2019
A strategy to promote awareness and adherence to information security policy at Capricorn District Municipality
- Authors: Mamabolo, Mokgadi Hellen
- Date: 2019
- Subjects: Computer security -- Management , Data protection -- Management , Computer security , Computer networks -- Security measures
- Language: English
- Type: Thesis , Masters , MPhil
- Identifier: http://hdl.handle.net/10948/40867 , vital:36245
- Description: The purpose of this research was to investigate the reasons for non-adherence to the ISP and to measure the current level of adherence to the ISP. The research revealed that non adherence to the ISP is caused by lack of training or awareness, and through non-communication of the ISP to employees. The study was conducted at Capricorn District Municipality, Polokwane Local Municipality, Molemole Local Municipality and Blouberg Local Municipality. A web-based questionnaire (QuestionPro) was developed and it was directed to every official who uses or interacts with municipal information, to quantify the level of adherence to ISP by employees. An email with the questionnaire link administered by www.questionpro.com was then sent to the population of 152 employees. Presently ISP adherence is one of the key concerns that are faced by organisations. Employees are perceived as one of the reasons that there are security breaches within organisations; hence, it is of paramount importance that these security breaches are noticed, as well as technical matters. Most researchers have reasoned that non-adherence to ISP is one of the major challenges faced by organisations. The non-adherence to ISP will lead to potential information security threats and unauthorised access to information that might compromise municipal business operations. The Information Security Officer together with the help of management must educate employees regarding the value of IS and why it is crucial to adhere to these policies. The proposed strategy summarises the various concepts required in the promotion of awareness and adherence to an effective ISP. Ultimately, this research study concludes that if management continually trains employees, raising awareness about ISP and monitoring their adherence to ISP, this should increase the adherence level.
- Full Text:
- Date Issued: 2019
Targeted attack detection by means of free and open source solutions
- Authors: Bernardo, Louis F
- Date: 2019
- Subjects: Computer networks -- Security measures , Information technology -- Security measures , Computer security -- Management , Data protection
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/92269 , vital:30703
- Description: Compliance requirements are part of everyday business requirements for various areas, such as retail and medical services. As part of compliance it may be required to have infrastructure in place to monitor the activities in the environment to ensure that the relevant data and environment is sufficiently protected. At the core of such monitoring solutions one would find some type of data repository, or database, to store and ultimately correlate the captured events. Such solutions are commonly called Security Information and Event Management, or SIEM for short. Larger companies have been known to use commercial solutions such as IBM's QRadar, LogRhythm, or Splunk. However, these come at significant cost and aren't suitable for smaller businesses with limited budgets. These solutions require manual configuration of event correlation for detection of activities that place the environment in danger. This usually requires vendor implementation assistance that also would come at a cost. Alternatively, there are open source solutions that provide the required functionality. This research will demonstrate building an open source solution, with minimal to no cost for hardware or software, while still maintaining the capability of detecting targeted attacks. The solution presented in this research includes Wazuh, which is a combination of OSSEC and the ELK stack, integrated with a Network Intrusion Detection System (NIDS). The success of the integration is determined by measuring positive attack detection based on each of the different configuration options. To perform the testing, a deliberately vulnerable platform named Metasploitable will be used as a victim host. The victim host vulnerabilities were created specifically to serve as a target for Metasploit. The attacks were generated by utilising Metasploit Framework on a prebuilt Kali Linux host.
- Full Text:
- Date Issued: 2019
A framework for information security management in local government
- Authors: De Lange, Joshua
- Date: 2017
- Subjects: Computer security -- Management , Data protection
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: http://hdl.handle.net/10948/7588 , vital:21932
- Description: Information has become so pervasive within enterprises and everyday life, that it is almost indispensable. This is clear as information has become core to the business operations of any enterprise. Information and communication technology (ICT) systems are heavily relied upon to store, process and transmit this valuable commodity. Due to its immense value, information and related ICT resources have to be adequately protected. This protection of information is commonly referred to as information security.
- Full Text:
- Date Issued: 2017
Governing information security within the context of "bring your own device" in small, medium and micro enterprises
- Authors: Fani, Noluvuyo
- Date: 2017
- Subjects: Data protection , Computer security -- Management , Computer networks -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: http://hdl.handle.net/10948/7626 , vital:22114
- Description: Throughout history, information has been core to the communication, processing and storage of most tasks in the organisation, in this case in Small-Medium and Micro Enterprises (SMMEs). The implementation of these tasks relies on Information and Communication Technology (ICT). ICT is constantly evolving, and with each developed ICT, it becomes important that organisations adapt to the changing environment. Organisations need to adapt to the changing environment by incorporating innovative ICT that allows employees to perform their tasks with ease anywhere and anytime, whilst reducing the costs affiliated with the ICT. In this modern, performing tasks with ease anywhere and anytime requires that the employee is mobile whilst using the ICT. As a result, a relatively new phenomenon called “Bring Your Own Device” (BYOD) is currently infiltrating most organisations, where personally-owned mobile devices are used to access organisational information that will be used to conduct the various tasks of the organisation. The use of BYOD in organisations breeds the previously mentioned benefits such as performing organisational tasks anywhere and anytime. However, with the benefits highlighted for BYOD, organisations should be aware that there are risks to the implementation of BYOD. Therefore, the implementation of BYOD deems that organisations should implement BYOD with proper management thereof.
- Full Text:
- Date Issued: 2017
A baseline for information security knowledge for end users
- Authors: Boshoff, Ryno
- Date: 2012
- Subjects: Data protection -- Management , Computer security -- Management
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9808 , http://hdl.handle.net/10948/d1013260
- Description: Information plays a vast contributing role to all resources within an organisation. Organisations should recognise the importance of information and implement information security controls to protect their information as this will ensure that the organisation’s information retains its confidentiality, integrity and availability. Information security controls, which are the means of managing information risks, rely heavily on the user’s knowledge regarding the use of these controls for their effectiveness, and as such, users should be educated in order to maximise effectiveness of these controls. Current information security educational programmes are created without necessarily taking into account the target audience, who comprises of all employees, stakeholders, suppliers, third parties, customers or other external parties or third party that requires access to the organisation’s information. This results in programmes that are not linguistically appropriate; or that present knowledge at an inappropriate level for the target audience. This could leave users bored or confused, without successfully changing their behaviour or improving knowledge. This dissertation identifies a baseline for information security knowledge targeted at end users. This was done by means of a Delphi Study, where a profile of “generic” end users comprised of information security topics and concepts were rated by experts from the field of information security education. This resulted in the elimination of inappropriate topics and concepts and retaining the relevant and appropriate aspects. This baseline for information security knowledge can be characterised as a minimum standard that everybody should be educated on as an introductory or refresher course. This can also serve as the foundation phase to educate end users with knowledge of the basic topics and concepts to enable them to fulfil their responsibilities in order to protect information.
If needed, topics and concepts could be added to the baseline for information security knowledge for specialised target audiences (e.g. specialised End Users, ICT Staff or Top Management).
- Full Text:
- Date Issued: 2012
A brain-compatible approach to the presentation of cyber security educational material
- Authors: Reid, Rayne
- Date: 2012
- Subjects: Data protection -- Management , Computer security -- Management
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9819 , http://hdl.handle.net/10948/d1019895
- Description: Information is an extremely important asset in modern society. It is used in most daily activities and transactions, and, thus, the importance of information is acknowledged by both organisational and private home information users. Unfortunately, as with any asset, there are often threats to this asset and, therefore, an information security solution is required to protect information against potential threats. Human beings play a major role in the implementation and governing of an entire information security process and, therefore, they have responsibilities in this regard. Thus, the effectiveness of any information security solutions in either an organisational or a private context is dependent on the human beings involved in the process. Accordingly, if these human beings are either unaware or not knowledgeable about their roles in the security solution they become the weak link in the information security solutions and, thus, it is essential that all these information users be educated in order to combat any threats to the information security. Many of the current information security education programmes and materials are not effective, possibly because the majority of these current approaches have been designed without using a sound pedagogical theory. In addition, many of these programmes also only target organisational users. This, in turn, is problematic as information security education is required by everybody, organisational and private information users alike. This dissertation addressed the lack of a pedagogical basis in the designing of information security educational courses suited to an extremely broad target audience. Accordingly, the dissertation set out to demonstrate how a pedagogy, which is broadly used and accepted for a diverse target audience of learners, could be applied to the design of the presentation of web-based cyber security educational courses.
- Full Text:
- Date Issued: 2012
Managing an information security policy architecture : a technical documentation perspective
- Authors: Maninjwa, Prosecutor Mvikeli
- Date: 2012
- Subjects: Computer security -- Management , Computer architecture , Data protection
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9825 , http://hdl.handle.net/10948/d1020757
- Description: Information and the related assets form critical business assets for most organizations. Organizations depend on their information assets to survive and to remain competitive. However, the organization’s information assets are faced with a number of internal and external threats, aimed at compromising the confidentiality, integrity and/or availability (CIA) of information assets. These threats can be of physical, technical, or operational nature. For an organization to successfully conduct its business operations, information assets should always be protected from these threats. The process of protecting information and its related assets, ensuring the CIA thereof, is referred to as information security. To be effective, information security should be viewed as critical to the overall success of the organization, and therefore be included as one of the organization’s Corporate Governance sub-functions, referred to as Information Security Governance. Information Security Governance is the strategic system for directing and controlling the organization’s information security initiatives. Directing is the process whereby management issues directives, giving a strategic direction for information security within an organization. Controlling is the process of ensuring that management directives are being adhered to within an organization. To be effective, Information Security Governance directing and controlling depend on the organization’s Information Security Policy Architecture. An Information Security Policy Architecture is a hierarchical representation of the various information security policies and related documentation that an organization has used. When directing, management directives should be issued in the form of an Information Security Policy Architecture, and controlling should ensure adherence to the Information Security Policy Architecture. 
However, this study noted that in both literature and organizational practices, Information Security Policy Architectures are not comprehensively addressed and adequately managed. Therefore, this study argues towards a more comprehensive Information Security Policy Architecture, and the proper management thereof.
- Full Text:
- Date Issued: 2012
Navigating between information security management documents : a modeling methodology
- Authors: Domingues, Steve
- Date: 2010
- Subjects: Computer security -- Management , Business -- Data processing -- Security measures , Information resources management -- Security measures , Business -- Standards
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9761 , http://hdl.handle.net/10948/1212
- Description: Organizations no longer draft their own standards. Instead, organizations take advantage of the available international standards. One standard may not cover all the organization's needs, requiring organizations to implement more than one standard. The same aspect in an organization may be covered by two or more standards, creating an overlap. An awareness of such overlaps led to various institutions creating mapping documents illustrating how a control from one standard relates to a control from a different standard. The mapping documents are consulted by the end user, to identify how a control in one standard may relate to other standards. This allows the end user to navigate between the standards documents. These mapping documents are valuable to a person who wishes to grasp how different standards deal with a specific control. However, the navigation between standards is a cumbersome task. In order to navigate between the standards the end user is required to consult three or more documents, depending on the number of standards that are mapped to the control being investigated. The need for a tool that will provide fast and efficient navigation between standards was identified. The data tier of the tool is the focus of this dissertation. As a result, this research proposes a modeling methodology that will allow for the modeling of the standards and the information about the mapping between standards, thereby contributing to the creation of tools to aid in the navigation between standards. A comparison between the major data modeling paradigms identifies multi-dimensional modeling as the most appropriate technique to model standards. Adapting an existing modeling methodology to cater for the modeling standards yields a five-step standard modeling methodology. Once modeled, the standards can be physically implemented as a database.
The database schema that results from the standard modeling methodology adheres to a specific pattern and can thus be expressed according to a well-defined meta-model. This allows for the generation of SQL statements by a tool with limited knowledge of the standards in a way that allows the quick navigation between standards. To determine the usefulness of the standards modeling methodology the research presents a prototype that utilizes the well-defined meta-model to navigate between standards. It is shown that, as far as navigation is concerned, no code changes are necessary when adding a new standard or new mappings between standards. This research contributes to the creation of a tool that can easily navigate between standards by providing the ability to model the data tier in such a way that it is extensible, yet remains independent of the application and presentation tiers.
- Full Text:
- Date Issued: 2010
Governing information security using organisational information security profiles
- Authors: Tyukala, Mkhululi
- Date: 2007
- Subjects: Data protection , Computer security -- Management , Computer networks -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9788 , http://hdl.handle.net/10948/626
- Description: The corporate scandals of the last few years have changed the face of information security and its governance. Information security has been elevated to the board of director level due to legislation and corporate governance regulations resulting from the scandals. Now boards of directors have corporate responsibility to ensure that the information assets of an organisation are secure. They are forced to embrace information security and make it part of business strategies. The new support from the board of directors gives information security weight and the voice from the top as well as the financial muscle that other business activities experience. However, as an area that is made up of specialist activities, information security may not easily be comprehended at board level like other business related activities. Yet the board of directors needs to provide oversight of information security. That is, put an information security programme in place to ensure that information is adequately protected. This raises a number of challenges. One of the challenges is how can information security be understood and well informed decisions about it be made at the board level? This dissertation provides a mechanism to present information at board level on how information security is implemented according to the vision of the board of directors. This mechanism is built upon well accepted and documented concepts of information security. The mechanism (termed An Organisational Information Security Profile or OISP) will assist organisations with the initialisation, monitoring, measuring, reporting and reviewing of information security programmes. Ultimately, the OISP will make it possible to know if the information security endeavours of the organisation are effective or not. If the information security programme is found to be ineffective, the OISP will facilitate the pointing out of areas that are ineffective and what caused the ineffectiveness.
This dissertation also presents how the effectiveness or ineffectiveness of information security can be presented at board level using well known visualisation methods. Finally, the contribution, limits and areas that need more investigation are provided.
- Full Text:
- Date Issued: 2007
MISSTEV : model for information security shared tacit espoused values
- Authors: Thomson, Kerry-Lynn
- Date: 2007
- Subjects: Computer security -- Management , Management information systems -- Security measures , Data protection
- Language: English
- Type: Thesis , Doctoral , DTech
- Identifier: vital:9787 , http://hdl.handle.net/10948/717 , Computer security -- Management , Management information systems -- Security measures , Data protection
- Description: One of the most critical assets in most organisations is information. It is often described as the lifeblood of an organisation. For this reason, it is vital that this asset is protected through sound information security practices. However, the incorrect and indifferent behaviour of employees often leads to information assets becoming vulnerable. Incorrect employee behaviour could have an extremely negative impact on the protection of information. An information security solution should be a fundamental component in most organisations. It is, however, possible for an organisation to have the most comprehensive physical and technical information security controls in place, but the operational controls, and associated employee behaviour, have not received much consideration. Therefore, the issue of employee behaviour must be addressed in an organisation to assist in ensuring the protection of information assets. The corporate culture of an organisation is largely responsible for the actions and behaviour of employees. Therefore, to address operational information security controls, the corporate culture of an organisation should be considered. To ensure the integration of information security into the corporate culture of an organisation, the protection of information should become part of the way the employees conduct their everyday tasks – from senior management, right throughout the entire organisation. Therefore, information security should become an integral component of the corporate culture of the organisation. To address the integration of information security into the corporate culture of an organisation, a model was developed which depicted the learning stages and modes of knowledge creation necessary to transform the corporate culture into one that is information security aware.
- Full Text:
- Date Issued: 2007
Using agreements as an abstraction for access control administration
- Authors: Reyneke, André
- Date: 2007
- Subjects: Information -- control and access , Computer security -- Management
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9791 , http://hdl.handle.net/10948/598 , http://hdl.handle.net/10948/d1011701 , Information -- control and access , Computer security -- Management
- Description: The last couple of decades saw lots of changes in the business world. Not only did technology change at a rapid pace, but businesses' views with respect to the role that information plays also changed drastically. Information is now seen as a strategic resource. This change paved the way for the so-called knowledge worker that not only consumes information, but actively participates in creating new knowledge from information. Employees must therefore be empowered to fulfill their new role as knowledge workers. Empowerment happens through job redefinition and by ensuring that the appropriate information is at hand. Although information is more readily available to employees, appropriate access controls must still be implemented. However, there is conflict between the need to share information and the need to keep information confidential. These conflicting needs must be reflected in the administration of access control. In order to resolve these conflicts, a finer granularity of access controls must be implemented. However, to implement a finer granularity of access control, an increase in the number of access controls and, therefore, the administrative burden is inevitable. Access control administrators must cater for a potentially large number of systems. These systems can not only be heterogeneous as far as architecture and technology are concerned, but also with respect to access control paradigms. Vendors have realized that human involvement must be minimized, giving birth to so-called "provisioning systems". Provisioning systems, in principle, automate certain parts of access control administration. However, currently implementations are done in an ad hoc manner, that is, without a systematic process of identifying the real access control needs. This study aims to address this problem by proposing the "agreement abstraction" as a possible vehicle for systematically analyzing the access control requirements in a business.
In essence, the agreement abstraction allows us to identify opportunities where access control can be automated. A specific methodological approach is suggested whereby the business is analysed in terms of business processes, as opposed to the more traditional resource perspective. Various business processes are used as examples to explain and motivate the proposed agreement abstraction further. This dissertation therefore contributes to the field of discourse by presenting a new abstraction that can be used systematically to analyse access control administration requirements.
- Full Text:
- Date Issued: 2007
Integrating information security into corporate culture
- Authors: Thomson, Kerry-Lynn
- Date: 2003
- Subjects: Computer security -- Management , Corporate governance , Corporate culture
- Language: English
- Type: Thesis , Masters , MTech (Information Technology)
- Identifier: vital:10801 , http://hdl.handle.net/10948/132 , Computer security -- Management , Corporate governance , Corporate culture
- Description: Introduction: There are many components that are required for an organisation to be successful in its chosen field. These components vary from corporate culture, to corporate leadership, to effective protection of important assets. These and many more contribute to the success of an organisation. One component that should be a definitive part in the strategy of any organisation is information security. Information security is one of the fastest growing sub-disciplines in the Information Technology industry, indicating the importance of this field (Zylt, 2001, online). Information security is concerned with the implementation and support of control measures to protect the confidentiality, integrity and availability of electronically stored information (BS 7799-1, 1999, p 1). Information security is achieved by applying control measures that will lessen the threat, reduce the vulnerability or diminish the impact of losing an information asset. However, as a result of the fact that an increasing number of employees have access to information, the protection of information is no longer only dependent on physical and technical controls, but also, to a large extent, on the actions of employees utilising information resources. All employees have a role to play in safeguarding information and they need guidance in fulfilling these roles (Barnard, 1998, p 12). This guidance should originate from senior management, using good corporate governance practices. The effective leadership resulting from good corporate governance practices is another component in an organisation that contributes to its success (King Report, 2001, p 11). Corporate governance is defined as the exercise of power over and responsibility for corporate entities (Blackwell Publishers, 2000, online). 
Senior management, as part of its corporate governance duties, should encourage employees to adhere to the behaviour specified by senior management to contribute towards a successful organisation. Senior management should not dictate this behaviour, but encourage it as naturally as possible, resulting in the correct behaviour becoming part of the corporate culture. If the inner workings of organisations are explored it would be found that there are many hidden forces at work that determine how senior management and the employees relate to one another and to customers. These hidden forces are collectively called the culture of the organisation (Hagberg Consulting Group, 2002, online). Cultural assumptions in organisations grow around how people in the organisation relate to each other, but that is only a small part of what corporate culture actually covers (Schein, 1999, p 28). Corporate culture is the outcome of all the collective, taken-for-granted assumptions that a group has learned throughout history. Corporate culture is the residue of success. In other words, it is the set of procedures that senior management and employees of an organisation follow in order to be successful (Schein, 1999, p 29). Cultivating an effective corporate culture, managing an organisation using efficient corporate governance practices and protecting the valuable information assets of an organisation through an effective information security program are, individually, all important components in the success of an organisation. One of the biggest questions with regard to these three fields is the relationship that should exist between information security, corporate governance and corporate culture. In other words, what can the senior management of an organisation, using effective corporate governance practices, do to ensure that information security practices become a subconscious response in the corporate culture?
- Full Text:
- Date Issued: 2003
The development of a technique to establish the security requirements of an organization
- Authors: Gerber, Mariana
- Date: 2001
- Subjects: Computer security -- Management , Electronic data processing departments -- Security measures , Businesses -- Data processing -- Security measures , Computers -- Access control
- Language: English
- Type: Thesis , Masters , MTech (Information Technology)
- Identifier: vital:10789 , http://hdl.handle.net/10948/89 , Computer security -- Management , Electronic data processing departments -- Security measures , Businesses -- Data processing -- Security measures , Computers -- Access control
- Description: To perform their business activities effectively, organizations rely heavily on the use of information (ISO/IEC TR 13335-2, 1996, p 1). Owens (1998) reiterates this by claiming that all organizations depend on information for their everyday operation and without it business will fail to operate (Owens, 1998, p 1-2). For an organization it means that if the right information is not available at the right time, it can make the difference between profit and loss or success and failure (Royds, 2000, p 2). Information is an asset and just like other important business assets within the organization, it has extreme value to an organization (BS 7799-1, 1999, p 1; Humphreys, Moses & Plate, 1998, p 8). For this reason it has become very important that business information is sufficiently protected. There are many different ways in which information can exist. Information can be printed or written on paper, stored electronically, transmitted electronically or by post, even spoken in conversation or any other way in which knowledge and ideas can be conveyed (URN 99/703, 1999, p. 2; Humphreys, Moses & Plate, 1998, p 8; URN 96/702, 1996, p 3). It is, therefore, critical to protect information, and to ensure that the security of IT (Information Technology) systems within organizations is properly managed. This requirement to protect information is even more important today, since many organizations are internally and externally connected by networks of IT systems (ISO/IEC TR 13335-2, 1996, p 1). Information security is therefore required to assist in the process of controlling and securing of information from accidental or malicious changes, deletions or unauthorized disclosure (Royds, 2000, p 2; URN 96/702, 1996, p 3). By preventing and minimizing the impact of security incidents, information security can ensure business continuity and reduce business damage (Owens, 1998, p 7).
Information security in an organization can be regarded as a management opportunity and should become an integral part of the whole management activity of the organization. Obtaining commitment from management is therefore extremely important for effective information security. One way in which management can show their commitment to ensuring information security, is to adopt and enforce a security policy. A security policy ensures that people understand exactly what important role they play in securing information assets.
- Full Text:
- Date Issued: 2001