
Dissertations / Theses on the topic 'ISO/IEC 27004'


1

Garay, Daniel Felipe Carnero, Antonio Carbajal Ramos Marcos, Jimmy Armas-Aguirre, and Juan Manuel Madrid Molina. "Information security risk management model for mitigating the impact on SMEs in Peru." IEEE Computer Society, 2020. http://hdl.handle.net/10757/656577.

Abstract:
The full text of this work is not available in the UPC Academic Repository because of restrictions imposed by the publisher where it was published.
This paper proposes an information security risk management model that allows mitigating the threats to which SMEs in Peru are exposed. According to studies by Ernst & Young, 90% of companies in Peru are not prepared to detect security breaches, and 51% have already been attacked. In addition, according to Deloitte, only 10% of companies maintain risk management indicators. The model consists of 3 phases: 1. Inventory the information assets of the company, to conduct the risk analysis of each one; 2. Evaluate the treatment that should be given to each risk; 3. Once the controls are implemented, design indicators to help monitor the implemented safeguards. The article focuses on the creation of a model that integrates a standard of risk management across the company with a standard of IS indicators to validate compliance, adding as a contribution the results of implementation in a specific environment. The proposed model was validated in a pharmaceutical SME in Lima, Peru. The results showed a 71% decrease in risk after applying 15 monitoring and training controls, lowering the status from a critical level to an acceptable level between 1.5 and 2.3, according to the given assessment.
Peer reviewed
2

Palička, Jan. "Systémové řešení bezpečnosti informací v organizaci." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2017. http://www.nusl.cz/ntk/nusl-316954.

Abstract:
This diploma thesis deals with ISMS implementation in Netcope Technologies, a. s., which is involved in the production of network cards for high-speed acceleration. The thesis is divided into two logical parts. In the first part the theoretical basis is presented, including selected methods for implementing information security. In the second part, the analysis of the company and the proposed measures are presented.
3

Santos, Valdeci Otacilio dos. "Um modelo de sistema de gestão da segurança da informação baseado nas normas ABNT NBR ISO/IEC 27001:2006, 27002:2005 e 27005:2008." [s.n.], 2012. http://repositorio.unicamp.br/jspui/handle/REPOSIP/259797.

Abstract:
Advisor: Renato Baldini Filho
Dissertation (master's) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação
The steady growth of threats and vulnerabilities in information systems intensifies administrators' concern about the security of these systems. In the search for an appropriate level of information security, laws and standards that deal with this important issue are being created and improved, not only in Brazil but worldwide. This work aims to propose a model of an information security management system, with process modelling and description of activities, covering the main guidelines recommended in the standards ABNT NBR ISO/IEC 27001:2006, 27002:2005 and 27005:2008. The proposed model aims to guide the implementation of a new information security management system in an organization or to verify the conformity of an existing one. The work includes a practical application of the proposed model, in which a survey was carried out of the level of adherence of the activities performed in the various processes that make up an organization's information security management system to what is envisaged in the model and, consequently, in the standards used as reference. In assessing the results of the verification carried out, it was possible to obtain an overview of the state of the organization's information security management, as well as to verify the points that are in accordance with the standards and those that need improvement.
Master's
Telecommunications and Telematics
Master in Electrical Engineering
4

Kryštof, Tomáš. "Návrh na zavedení nutných oblastí ISMS na základní škole." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241476.

Abstract:
This master's thesis is concerned with information security at a specific primary school. The first and second parts of the thesis endeavour to provide basic theoretical starting points on ISMS issues and to give an overview of the current state of information security at the primary school. This is followed by the practical part, which proposes suitable security steps and recommendations for solving the most important tasks from the ICT security management perspective.
5

Vyhňák, Petr. "Návrh zavedení bezpečnostních opatření v souladu s ISMS pro společnost." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2019. http://www.nusl.cz/ntk/nusl-402086.

Abstract:
The master's thesis deals with a proposal for introducing security countermeasures in accordance with the information security management system for a company. The theoretical part is set out in the first part of the thesis. The next part introduces the company, describes the current state of security and analyses security countermeasures with the help of supporting material. The last part includes the proposal to introduce new security countermeasures. The thesis includes a risk analysis and the design of selected security countermeasures, including the implementation procedure with a time schedule and economic evaluation.
6

Soukop, Tomáš. "Systém pro podporu auditu managementu informační bezpečnosti." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2012. http://www.nusl.cz/ntk/nusl-236503.

Abstract:
This master's thesis describes the creation of a system for supporting the audit of information security management. In the following chapters I explain what information security is, what an information security management system and an audit system are, and what standards exist for them. Last but not least, it is described how to create a system for audit support. The whole design is created using standards for quality management and information security management. The system is oriented towards a web environment.
7

Al-Botani, Nidaa. "Informationssäkerhet i organisationer - Utvärdering av Folktandvårdens informationssäkerhet inom Region Jönköpings län." Thesis, Tekniska Högskolan, Högskolan i Jönköping, JTH, Data- och elektroteknik, 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:hj:diva-28245.

Abstract:
Information today is a valuable resource for organizations, which are becoming more and more dependent on their information systems. Information is subject to various threats and needs to be protected so that organizations can effectively run their business. Systematic information security work helps organizations to achieve and maintain a sufficient level of information security. The study aims to investigate how information security is currently managed within organizations in general. A case study has been performed at Folktandvården (the Public Dental Service), Region Jönköping County, to investigate how the organization's employees handle information security. In addition, the study aims to evaluate awareness of information security among employees of Folktandvården and to present proposals on how the handling of personal data can be improved in organizations. Mixed techniques have been used to gather information. Literature studies in the field of information security have been carried out. The empirical data was collected through a questionnaire, interviews and written questions sent by e-mail to selected managers working specifically with information security issues within Folktandvården. This study uses the Swedish standards SS-ISO/IEC 27001:2014 and SS-ISO/IEC 27002:2014 to evaluate information security at Folktandvården, Region Jönköping County, and to get a picture of how information security is managed within organizations. Organizations can maintain security in their information handling by implementing an information security management system (ISMS) that preserves the confidentiality, integrity and availability of information. Information security work and the introduction of an ISMS differ between organizations, since they are affected by the organization's needs and goals, size and structure. The case study results show that Folktandvården, Region Jönköping County, actively manages information security.
Folktandvården meets most of the requirements set in the standards. However, the study proposes that more training programs be organized to raise awareness of information security. These programs should be updated regularly so that they continue to be in line with organizational policies and procedures. It is also recommended that the organization carry out information classification fully in accordance with the model Folktandvården has. Additionally, it is recommended to develop continuity planning for information security. The results from the questionnaire show that the employees are aware of how to handle information security incidents and perceive that the systems are available to authorized users. Several of the proposals presented by this study have been heeded and will lead to further work within Folktandvården. Organizations' personal data should be protected by applying rules in accordance with applicable regulations. A responsible person in the organization should provide guidance to employees about their responsibility for the handling of personal data.
8

Alila, Patrick. "Complementing network security to the ISO/IEC 27000 standard." Thesis, Linköpings universitet, Institutionen för teknik och naturvetenskap, 2007. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-96298.

Abstract:
In order to open up new business opportunities for the information security company Secure State AB, this work was carried out to complement the company's current standard for information security work with additional network security. The requirements for the end result were that the document or standard should be able to complement ISO 27000 and be cost-effective. After an examination of the aforementioned standard, it was concluded that ISO 27000 on its own is not an adequate tool for network security work, because of its non-technical orientation and target audience. Complementing ISO 27000 with requirements drawn up by the author was not preferable either, since the purpose of a standardised way of working would then be lost. It is better and more attractive for the customer to use specific technical standards and recommendations. The search for a complementary standard was therefore started according to these criteria: compatibility with ISO 27000, technical orientation, cost-effectiveness, and attractiveness to work with. ISO 18028 fulfils these requirements very well on all points and is therefore the best suited to work with of the three standards/recommendations that were examined against the list of requirements. Secure State should therefore choose to carry out its network security work anchored in ISO 18028, with the following expected result. Fig. 10, Expected result of complementing ISO 27000. At the top we see the general information security policies that all employees follow. At level two is ISO 27000, which is management's system for how information security work is to be handled overall. At the bottom we see the technical protective equipment, administered by technicians who follow the appropriate documents. This report has identified ISO 18028 for security in networks; others remain to be identified as needed for other technical equipment.
9

Ljunggren, Viktor, and Emil Freid. "Effekterna av en ISO/IEC 27001-certifiering : Upplevda förändringar bland små svenska organisationer." Thesis, Tekniska Högskolan, Jönköping University, JTH, Datateknik och informatik, 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:hj:diva-49716.

Abstract:
Society today is more connected and handles larger amounts of information than before. The information is handled to a greater extent by IT systems, where the requirements for secure handling of information are steadily increasing. To manage information security, organisations can implement an information security management system (ISMS). Designing and implementing an ISMS takes both time and resources. For this investment to be profitable, it should also provide added value for organisations. To standardise and specify the structure of an ISMS, ISO/IEC 27001 (the standard for ISMS) has been developed and implemented by organisations all over the world. The purpose of this study is to identify the changes that an ISO/IEC 27001 certification leads to for small organisations in Sweden. An interview study has been conducted, with semi-structured interviews as the data collection method. Based on the collected empirical data, six categories have been identified and described thematically for each informant. The study shows that organisations gain a better process and control over information security and a strengthened information security culture. In addition, information security is reported to have improved among the organisations through various security measures. Communication with customers has also been simplified whenever information security is discussed. The study examines the impact of ISO/IEC 27001 certification on four organisations, in order to obtain diversity in the empirical data collected. This was done with one informant per organisation, each with an overview of both the organisation and the certification. The study examines organisations that are already certified, since the organisation must have implemented the ISO/IEC 27001 standard. Neither the certification process, the security measures, nor the implementation or application of the management system has been investigated in this study.
10

Coetzer, Christo. "An investigation of ISO/IEC 27001 adoption in South Africa." Thesis, Rhodes University, 2015. http://hdl.handle.net/10962/d1018669.

Abstract:
The research objective of this study is to investigate the low adoption of the ISO/IEC 27001 standard in South African organisations. This study does not differentiate between the ISO/IEC 27001:2005 and ISO/IEC 27001:2013 versions, as the focus is on adoption of the ISO/IEC 27001 standard. A survey-based research design was selected as the data collection method. The research instruments used in this study include a web-based questionnaire and in-person interviews with the participants. Based on the findings of this research, the organisations that participated in this study have an understanding of the ISO/IEC 27001 standard; however, fewer than a quarter of these have fully adopted the ISO/IEC 27001 standard. Furthermore, the main business objectives for organisations that have adopted the ISO/IEC 27001 standard were to ensure legal and regulatory compliance, and to fulfil client requirements. An Information Security Management System management guide based on the ISO/IEC 27001 Plan-Do-Check-Act model is developed to help organisations interested in the standard move towards ISO/IEC 27001 compliance.
11

Kohoutek, Josef. "Zavádění bezpečnostních opatření dle ISMS do malé společnosti." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241610.

Abstract:
In my master's thesis I focus on the design of an information security management system for the company INNC s.r.o., which specializes in the design and implementation of computer networks. The thesis is divided into two parts. The first part provides theoretical knowledge of the issue. The second part is the analysis and proposal of security measures.
12

Ngqondi, Tembisa Grace. "The ISO/IEC 27002 and ISO/IEC 27799 information security management standards : a comparative analysis from a healthcare perspective." Thesis, Nelson Mandela Metropolitan University, 2009. http://hdl.handle.net/10948/1066.

Abstract:
Technological shift has become significant and an area of concern in the health sector with regard to securing health information assets. Health information systems hosting personal health information expose these information assets to ever-evolving threats. This information includes aspects of an extremely sensitive nature, for example, a particular patient may have a history of drug abuse, which would be reflected in the patient’s medical record. The private nature of patient information places a higher demand on the need to ensure privacy. Ensuring that the security and privacy of health information remain intact is therefore vital in the healthcare environment. In order to protect information appropriately and effectively, good information security management practices should be followed. To this end, the International Organization for Standardization (ISO) published a code of practice for information security management, namely the ISO 27002 (2005). This standard is widely used in industry but is a generic standard aimed at all industries. Therefore it does not consider the unique security needs of a particular environment. Because of the unique nature of personal health information and its security and privacy requirements, the need to introduce a healthcare sector-specific standard for information security management was identified. The ISO 27799 was therefore published as an industry-specific variant of the ISO 27002 which is geared towards addressing security requirements in health informatics. It serves as an implementation guide for the ISO 27002 when implemented in the health sector. The publication of the ISO 27799 is considered as a positive development in the quest to improve health information security. However, the question arises whether the ISO 27799 addresses the security needs of the healthcare domain sufficiently. 
The extensive use of the ISO 27002 implies that many proponents of this standard (in healthcare), now have to ensure that they meet the (assumed) increased requirements of the ISO 27799. The purpose of this research is therefore to conduct a comprehensive comparison of the ISO 27002 and ISO 27799 standards to determine whether the ISO 27799 serves the specific needs of the health sector from an information security management point of view.
13

Procingerová, Lucie. "Zavádění řízení informační bezpečnosti ve zdravotnickém zařízení." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2017. http://www.nusl.cz/ntk/nusl-318603.

Abstract:
This master's thesis is based on knowledge of information security and its management. The thesis is divided into two parts. The first part provides the theoretical background, definitions and terminology of information security management, based on concepts from the ISO 27000 series of standards. The second part analyses a selected company. Following this analysis, a proposal for the implementation of an information security management system and a security guide is drawn up. This guide contains recommendations for ICT security management and advice in the field of personnel and physical security in the company.
14

Bartoš, Lukáš. "Návrh metodiky bezpečnosti informací v podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224223.

Abstract:
This thesis proposes the design of an information security methodology for the company. After the theoretical basis of the thesis, the company for which this work is intended is introduced. Then a risk analysis is performed based on selected assets and potential threats, followed by the design of measures to minimize the possible risks in the company.
15

Nemec, Tomáš. "Návrh metodiky pro příručku ISMS a opatření aplikované na vybrané oblasti." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224225.

Abstract:
The content of this thesis is a methodology for creating an ISMS Security Manual. The implementation of the proposal is supported by the theoretical knowledge in the introductory part of this work. The practical design of the methodology is conditioned on the structure of the international standard ISO/IEC 27001:2005.
16

Pospíchal, Jindřich. "Zavedení ISMS v podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241309.

Abstract:
The master's thesis is aimed at proposing the implementation of an information security management system in a company. It covers the basic theoretical background and concepts of information system security and describes the standards of the ČSN ISO/IEC 27000 series. Specific provisioning of the ISMS is then proposed based on the theoretical background and an analysis of the current state.
17

Pina, João Nuno Esteves. "Framework de auto-avaliação interna para gestão da segurança da informação : estudo de caso." Master's thesis, Instituto Superior de Economia e Gestão, 2012. http://hdl.handle.net/10400.5/10756.

Abstract:
Master in Information Systems Management
The importance of protecting information, together with the failure factors in the implementation of Information Security Management Systems (ISMS), creates the need for organizations to adopt ever more effective security planning models. An ISMS seeks to ensure the use of good information security management practices, as well as the use of mechanisms that maximize the effectiveness of the organization's information systems. In this light, and given the failure factors found in the literature and the models studied in the literature review, the main goal of this study was to analyze the contribution of a prior internal self-assessment mechanism to the implementation of an ISMS in an organization. The case study of the Secretary-General of the Ministry of Public Works, Transport and Communications (MOPTC-SG) presents an internal self-assessment procedure based on the controls of ISO/IEC 27002:2005 (2005), measuring the organization's degree of compliance, performance levels, levels of exposure and vulnerability, and awareness and accountability procedures. The results seem to indicate that the use of these processes, besides complementing the existing models, allows a broader, more conscious, more effective and earlier understanding of risk, ensuring a more efficient implementation and use of the organization's ISMS.
18

Piña, Remigio Gabriela. "IMPLEMENTACIÓN DE SEGURIDAD EN LA INFRAESTRUCTURA DE RED PARA LA DIFUSIÓN DEL PROGRAMA DE RESULTADOS ELECTORALES PRELIMINARES 2017 EN EL ESTADO DE MÉXICO BAJO LA NORMA ISO/IEC 27001:2013." Tesis de Licenciatura, Universidad Autónoma del Estado de México, 2018. http://hdl.handle.net/20.500.11799/99629.

Full text
Abstract:
This thesis gives a general description of the process used to publish the electoral results of the Preliminary Electoral Results Program (PREP) of the Electoral Institute of the State of Mexico (IEEM) for the election of Governor of the State of Mexico held on 4 June 2017. Specifically, it describes how security was implemented in the infrastructure used to publish the electoral results. It also details the infrastructure that operated for PREP dissemination, which consisted of hosting the web service in a data center certified Tier IV and International Computer Room Expert Association (ICREA) level 5. The hosting service also had web security through a Web Application Firewall (WAF), which was used mainly to block Distributed Denial of Service (DDoS) attacks. The PREP infrastructure had 6 Gbps of Internet bandwidth. The PREP at the IEEM is certified under ISO 27001:2013, so this infrastructure was implemented to meet the information security objectives and as a continual improvement measure (ISO, 2016). The tests performed on the infrastructure were stress tests and a Denial of Service (DoS) attack. These tests served to identify some vulnerabilities in the infrastructure, so that on election day the security objectives proposed by the IEEM could be guaranteed. In particular, the stress tests were run to quantify the capacity and availability offered by the infrastructure and to validate the performance requirements and scalability of the "PREP dissemination" platform. They verified that the page stayed online for the committed times, but showed that page reload times increased progressively.
Likewise, the tests included a Denial of Service (DoS) attack to monitor bandwidth consumption and overload of the available resources; this increased the web page's response time, although the page always stayed online. The same phenomenon occurred on election day.
19

Bystrianska, Lucia. "Vplyv regulácií ISO 27001 a SOX na riadenie bezpečnosti informácií podniku." Master's thesis, Vysoká škola ekonomická v Praze, 2015. http://www.nusl.cz/ntk/nusl-203998.

Full text
Abstract:
The master thesis has an analytical character and focuses on information security issues in enterprises. The main goal of this thesis is to evaluate the impact of an implemented ISO/IEC 27001 standard and of regulation by the American SOX law on overall information security. In order to perform the analysis, two medium-sized companies from the services segment were selected: the first with ISO/IEC 27001 certification and the second regulated by SOX. The structure of the thesis leads step by step toward this goal. The first three chapters provide a theoretical basis for the analysis of information security. They contain a summary of the key processes and tools essential for ensuring information security and are based on the best practices included in the latest standards and methodologies and on practical experience. These chapters provide the basis for an evaluation guide, including groups of criteria and defined variants of implemented security, which is described in the fourth chapter. The analysis of information security and of the impact of the regulations is part of the fifth chapter. The sixth chapter contains the final assessment and comparison of the impact that the regulations have on information security in the selected companies. The final chapter summarizes and evaluates the results achieved with regard to the goal.
20

Šumbera, Adam. "Zavedení managementu bezpečnosti informací v podniku dle ISO 27001." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224217.

Full text
Abstract:
This diploma thesis deals with the implementation of an information security management system in a company. The theoretical part summarizes the theoretical knowledge in the field of information security and describes the ISO/IEC 27000 family of standards. In the following section a specific company is analysed, and the theoretical knowledge is then applied to this company during the implementation of the information security management system.
21

Asp, Sandin Agnes. "A simplified ISMS : Investigating how an ISMS for a smaller organization can be implemented." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-20238.

Full text
Abstract:
Over the past year, cyber threats have grown tremendously, which has created an essential need to strengthen organizations' security. One way of strengthening security is to implement an information security management system (ISMS). Although an ISMS helps improve information security work within a business, organizations struggle with its implementation, and smaller organizations struggle significantly more. As a result, smaller organizations' information is potentially less protected. This thesis investigates how an ISMS based on MSB (the Swedish Civil Contingencies Agency) can be simplified to make it suitable for a small organization to implement. It aims to open the way for further research into how an ISMS can be simplified and whether doing so has value. The study is based on a qualitative approach in which semi-structured interviews with experts were conducted. It concludes that it is possible to simplify an MSB-based ISMS for a small organization by removing external analysis, information classification, the information classification model, continuity management for information assets, and incident management. In addition, the study provides tips on what a small organization should consider before and during implementation.
22

Štěpánek, Daniel. "Návrh zavedení bezpečnostních opatření ve společnosti vyvíjející software." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2017. http://www.nusl.cz/ntk/nusl-318285.

Full text
Abstract:
This master's thesis focuses on a proposal for the implementation of security measures in a software development company. The theoretical section defines selected information security terms. The analytical section deals with the analysis and assessment of the current security situation in the company. The proposed solution contains a risk analysis, a proposal of security measures for risk treatment, and an economic evaluation.
23

Alexandria, João Carlos Soares de. "Gestão de segurança da informação - uma proposta para potencializar a efetividade da segurança da informação em ambiente de pesquisa científica." Universidade de São Paulo, 2009. http://www.teses.usp.br/teses/disponiveis/85/85131/tde-22092011-095831/.

Full text
Abstract:
The increase in connectivity in the business environment, combined with organizations' growing dependence on information systems, has made information security management an important corporate governance tool. Information security aims to safeguard the effectiveness of business transactions and, consequently, business continuity itself. Threats to information range from hacker attacks, electronic fraud, espionage and vandalism to fire, power outages and human error. Information security is achieved by implementing a set of controls, including among others policies, processes, procedures, organizational structures, software and hardware, which requires continuous management and a well-established administrative structure to face its challenges. This work investigated the reasons behind the difficulties many organizations face in structuring information security. Many of them limit themselves to adopting isolated measures that are inconsistent with their reality. The market has a legal and normative framework for implementing information security: NBR ISO/IEC 27002, the American Sarbanes-Oxley Act, the Basel capital accord, and the regulations of regulatory agencies (in Brazil, ANATEL, ANVISA and CVM). Market surveys show that information security implementation is concentrated in large institutions and in specific sectors of the economy, such as banking and finance and telecommunications. However, information security is necessary in any organization that uses information systems in its work processes, regardless of size or economic sector. The state of information security in the Brazilian government sector, and within it in scientific research institutions, is considered worrying by the Brazilian Court of Accounts (TCU).
This work presents a method for diagnosing and assessing information security, applied as a data survey, intended to serve as a starting point for an internal discussion aimed at structuring information security in the organization. The method is aimed in particular at organizations that do not fit the profile of companies covered by existing laws and regulations, but that equally need to protect their information assets in order to fulfil their business goals and objectives.
24

Hensl, Marek. "Zavedení ISMS pro základní školu." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2017. http://www.nusl.cz/ntk/nusl-318615.

Full text
Abstract:
This diploma thesis deals with an information security management system at an elementary school. The work is based on long-term experience with the chosen school and on communication with its representatives. The thesis contains the theoretical basics, the current state, its shortcomings, and proposed or recommended solutions.
25

Valášková, Martina. "Návrh bezpečnostních opatření v souladu s ISMS pro zdravotnické zařízení." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2020. http://www.nusl.cz/ntk/nusl-417805.

Full text
Abstract:
This master's thesis deals with the design of security measures in accordance with an information security management system, as well as with the standards applicable to a critical infrastructure element, since the organization is a healthcare institution. It consists of theoretical background and an analysis of the current state of the network and of certain areas of the hospital. The practical part is devoted to the risk analysis and to the design of concrete measures that result in an increase in the level of information security. This part also includes an economic evaluation of implementing the design.
26

Krídla, Matúš. "Návrh zavedení bezpečnostních opatření pro danou společnost." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2021. http://www.nusl.cz/ntk/nusl-444607.

Full text
Abstract:
This diploma thesis deals with the design and implementation of security measures within a selected company. The aim of the work is to create a proposal for measures against possible security threats. The first chapter gives a general introduction to the issue and describes and defines the concepts from a theoretical point of view. The second part describes the current state and analyses selected areas of the company. The final part focuses on raising awareness of security threats and proposes measures that contribute to increasing the security of information.
27

Tomko, Michal. "Návrh zavedení bezpečnostních opatření na základě ISMS pro malý podnik." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2019. http://www.nusl.cz/ntk/nusl-402087.

Full text
Abstract:
The master's thesis deals with the implementation of security countermeasures in accordance with an information security management system for a small company. The main concern of the thesis is the design of security countermeasures in the company. The design follows from an analysis of the current state of the company, including all important parts, and from an assessment carried out together with the responsible persons.
28

Konzen, Marcos Paulo. "GESTÃO DE RISCOS DE SEGURANÇA DA INFORMAÇÃO BASEADA NA NORMA NBR ISO/IEC 27005 USANDO PADRÕES DE SEGURANÇA." Universidade Federal de Santa Maria, 2013. http://repositorio.ufsm.br/handle/1/8276.

Full text
Abstract:
In recent years more and more new threats and vulnerabilities have emerged that compromise the security of information in Information and Communication Technology (ICT) systems, and many organizations are unprepared to deal with information security risks, making them more vulnerable to these threats; the negative impact caused by security incidents therefore tends to be more frequent. Implementing information security risk management based on a set of best practices is fundamental, but still a challenge for most companies. This work proposes a risk management methodology based on NBR ISO/IEC 27005:2008, which presents a sequence of activities and a series of guidelines and objectives that must be met for risk management to be effective. As with most standards and reference models, the standard does not describe how the activities should be implemented, which makes it hard to adopt for organizations less experienced in security processes. Reusing solutions already tested and consolidated for recurring security problems can help ensure that best practices are used. Such solutions can be found in security patterns, which capture and document the knowledge of security experts, but their application to carrying out the activities of risk management standards is unknown. This work therefore reviews the guidelines of NBR ISO/IEC 27005:2008 and pattern catalogs in order to identify security patterns with which to perform the activities in accordance with the guidelines described by the standard. The main contribution of this work is thus a risk management methodology centered on the solutions, tasks and techniques described by 22 security patterns. A risk analysis and assessment using security patterns was applied to the data center (DC) of a private university; the result shows the final risk for each asset, meeting the guidelines of NBR ISO/IEC 27005:2008.
29

Pino, Malpica Isabel Corina. "Análisis de los factores de éxito y limitantes para la implementación de la norma técnica peruana Iso NTP/IEC 27001;2014 2A. Edición en la Municipalidad provincial de Huancayo–I trimestre 2018." Bachelor's thesis, Universidad Continental, 2019. http://repositorio.continental.edu.pe/handle/continental/5527.

Full text
Abstract:
The Presidency of the Council of Ministers (PCM) issued a set of regulations, some of them related to information security, which made the use of NTP ISO/IEC 27001:2008 mandatory (approved by RM Nº 129-2012-PCM of 4 June 2012), followed by the Peruvian Technical Standard NTP-ISO/IEC 27001:2014 2nd edition (approved by RM N° 004-2016-PCM of 8 January 2016). However, six years have passed since then and few entities have achieved full implementation of the standard; this research therefore aims to identify the success factors and limiting factors for implementing the standard. The research was carried out at the Provincial Municipality of Huancayo. A checklist was prepared based on the requirements of the standard, and their existence in the Municipality was verified during the first quarter of 2018; whatever the result, information was requested on the factors that explained the level reached. At the end of the research it was found that the entity had implemented 32% of what the standard requires; some of the success factors were the knowledge, experience and interest of the responsible public official, and among the limiting factors were the lack of processes, organizational culture, budget and training.
30

Lind, Fredrik. "Informationssäkerhet inom kommuners administrativa verksamhet." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-11102.

Full text
Abstract:
Information security is about protecting important information, regardless of format, to guarantee its confidentiality, integrity and availability. The purpose of the study is to investigate how information security is handled by municipalities, with a focus on administrative operations. The method used is a qualitative study based on interviews conducted in a selection of municipalities in Skaraborg. The results show that the municipalities have adequate protection in several areas, but also that there are areas with shortcomings, mainly related to routines, compliance and training, where the municipalities would benefit from working according to available standards. As part of the work, a number of improvement proposals are also presented, among other things related to training of users and those responsible, which the municipalities can use. Possible future work in the area is mainly related to investigating information security further, but there are also opportunities to develop and adapt existing tools for municipal operations.
31

Krčmář, Josef. "Návrh managementu bezpečnosti informací v malém účetním podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241313.

Full text
Abstract:
This diploma thesis proposes the implementation of an information security management system in an accounting firm. The first part describes the theoretical background. On that basis, the company is analysed and a draft of measures is created that will increase the security of information in the selected company.
32

Palarczyk, Vít. "Zavedení ISMS v malém podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2015. http://www.nusl.cz/ntk/nusl-224894.

Full text
Abstract:
This master's thesis focuses on the design of the implementation of an information security management system (ISMS) in a specific business. The theoretical part provides basic concepts and a detailed description of an ISMS. The analysis of the company's current information security state is also described. The practical part provides a risk analysis and a selection of measures to minimize the risks found. In the final part a process and a schedule for implementing the selected measures are designed.
33

Svoboda, Milan. "Zavedení ISMS v malém podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241114.

Full text
Abstract:
The diploma thesis focuses on proposing an information security management system (ISMS) in a small company. This publication includes the theoretical facts needed to understand and design an ISMS. The design proposal of the ISMS itself is based on an analysis of the current state of the company's information security. The proposed security measures are based on the actual state of information security within the company and on the recommendations of the ISO/IEC 27000 standards.
34

Šebrle, Petr. "Zavedení ISMS do podniku podporujícího kritickou infrastrukturu." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2017. http://www.nusl.cz/ntk/nusl-318630.

Full text
Abstract:
This diploma thesis deals with the methodology of information security management in a medium-sized company supporting critical infrastructure. The first part is focused on the theoretical aspects of the topic. The practical part consists of an analysis of the current state, a risk analysis, and corrective measures according to Annex A of the ČSN ISO/IEC 27001:2014 standard. The implementation of the ISMS is divided into four phases; this thesis, however, covers only the first two.
35

Kutiš, Pavel. "Management bezpečnosti informačních systémů v obci." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224220.

Full text
Abstract:
This diploma thesis focuses on the implementation of an Information Security Management System for a particular municipality. The work is divided into two parts. The first part deals with the theoretical basis, which is founded on the ISO/IEC 27000 standards. The second part contains the practical implementation, following the theoretical background from the first part. The implementation itself is divided into three stages, and this thesis concentrates mainly on the first stage.
36

Kornelly, Aleš. "Budování bezpečnostního povědomí na střední a vyšší odborné škole." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241448.

Full text
Abstract:
This thesis describes the design and implementation of an ISMS at a particular high school. The aim is to provide our own recommendations and suggestions for improving the current situation. The introductory section explains the basic concepts related to ICT security; the next section describes the school's facilities and current state. In the practical part the proposed security measures are discussed individually.
37

Fernández, Fernández Dámaris. "Modelo de gestión de riesgos de TI de acuerdo con las exigencias de las SBS, basados en las ISO/IEC 27001, ISO/IEC 17799, Magerit para la Caja de Ahorro y Créditos Sipán SA." Bachelor's thesis, Chiclayo, 2015. http://tesis.usat.edu.pe/jspui/handle/123456789/483.

Full text
Abstract:
IT risk management, together with business process continuity management, constitutes a strategic "tool" for ensuring the effectiveness and efficiency of an organization's information security management systems, as well as an essential mechanism for obtaining the information needed to make decisions about timely and appropriate investment in the implementation of IT controls. The justification for this thesis is the lack of a methodology and of suitable software to support IT risk management in the financial institutions of our region, not only through "good practices" but also in line with the requirements of the Superintendencia de Banca y Seguros in its regulations Resolución S.B.S. N° 2116-2009 (Reglamento para la Gestión del Riesgo Operacional) and Circular Nº G-105-2002 (Riesgos de tecnología de información). This research showed that with a risk management model implemented with reference to the ISO/IEC 27001 and ISO 17799 standards and the MAGERIT methodology, greater effectiveness can be achieved in calculating the risk levels of the different IT assets in the risk assessment stage, as well as in their treatment, through the implementation and monitoring of controls, always in accordance with and in compliance with the minimum requirements of the SBS for these purposes. The CRAC Sipán SAC was taken as the experimental case.
38

Fernández, Fernández Dámaris. "Modelo de gestión de riesgos de TI de acuerdo con las exigencias de las SBS, basados en las ISO/IEC 27001, ISO/IEC 17799, Magerit para la Caja de Ahorro y Créditos Sipán SA." Bachelor's thesis, Universidad Católica Santo Toribio de Mogrovejo, 2015. http://tesis.usat.edu.pe/handle/usat/540.

Full text
Abstract:
The abstract is identical to that of entry 37 above (the same thesis deposited in a second repository).
39

Arriaga, Rosado Estefanía. "Gestión de claves y control de acceso a un sistema web educativo basada en la norma ISO/IEC 27001:2005." Tesis de Licenciatura, Universidad Autónoma del Estado de México, 2016. http://hdl.handle.net/20.500.11799/58260.

Full text
Abstract:
This document reports the work carried out within an educational software development project covering basic, upper secondary, higher and corporate education, in which the Faculty of Engineering of the Universidad Autónoma del Estado de México collaborated with a private-sector organization under CONACYT registration PEI4-220949. The educational web system is multidisciplinary: its development involved professionals such as graphic designers, pedagogy specialists and computer systems engineers. The educational web system was developed in two stages; in the first stage the profiles for basic education were designed and implemented, and in the second stage the profiles for upper secondary, higher and corporate education were implemented. In recent years technology has evolved considerably, and we as users want our devices and our information to be linked together and available at any time to be consulted or used through the various means of communication via the Internet. However, neither users nor the developers and designers of technology treat the implementation of information security as an important item. Much of the information considered important is in plain view of attackers, who wait for the slightest opportunity to obtain the information of users and companies and use it improperly and criminally.
With the advance of technology, standards and methodologies for information security have been developed, such as ISO/IEC 27001:2005, which allows developers and companies to analyze and implement an Information Security Management System (ISMS) in order to protect the assets or information considered to be of great value, in terms of the cost that their damage or loss could represent. Information is considered the most valuable resource of a company and of the user, hence the need to protect it from any attacker to prevent its misuse. This report on the application of knowledge describes the basic and minimum concepts required to maintain information security. It presents the information security standards and methodologies used to implement security mechanisms and controls in a web system, taking as a case study an educational web system for basic, upper secondary, higher and corporate education. It also details the activities carried out during the project to implement security controls for an educational web system previously designed and developed by programmers belonging to the same project, under the premise of not affecting the functionality of the web system and using the fewest possible resources, thus fulfilling the role I played within the project, which focused on implementing security in the educational web system. The project began in April 2015 and ended in March 2016.
40

Huamán, Monzón Fernando Miguel. "Diseño de procedimientos de auditoría de cumplimiento de la norma NTP-ISO/IEC 17799:2007 como parte del proceso de implantación de la norma técnica NTP-ISO/IEC 27001:2008 en instituciones del estado peruano." Bachelor's thesis, Pontificia Universidad Católica del Perú, 2014. http://tesis.pucp.edu.pe/repositorio/handle/123456789/5582.

Abstract:
This final-year project responds to the need created by the regulations issued by the Oficina Nacional de Gobierno Electrónico e Informática (ONGEI), which make the Peruvian Technical Standards NTP-ISO/IEC 27001:2008 and NTP-ISO/IEC 17799:2007 (published in May 2012 and July 2011 respectively) mandatory for a list of Peruvian state entities that belong to or are involved in the Public Administration, with the aim of establishing a comprehensive model for developing their information security plans. Because of the mandatory nature of these standards, this need is recognized as addressing the lack of procedures for conducting audits that verify compliance with NTP-ISO/IEC 17799 as part of the process of full compliance with NTP-ISO/IEC 27001 in Peruvian state entities. These procedures are based on COBIT 5.0, published in May 2012, the new internationally recognized de facto standard for Information Technology. The procedures are accompanied by a statement of applicability for NTP-ISO/IEC 17799, to define the controls that will be established and implemented by the institution; an inventory of information assets commonly related to the controls in NTP-ISO/IEC 17799; and a mapping of the COBIT 5.0 framework against NTP 17799 that identifies the correspondence between COBIT domains and the NTP controls.
Thesis
41

Justino, Salinas Zully Isabel. "Diseño de un sistema de gestión de seguridad de información para una empresa inmobiliaria alineado a la norma ISO/IEC 27001:2013." Bachelor's thesis, Pontificia Universidad Católica del Perú, 2015. http://tesis.pucp.edu.pe/repositorio/handle/123456789/6045.

Abstract:
Information, both digital and physical, plays a very important role in an organization, since it acts as a principal asset and generates real economic value for it. For this reason, all information must be protected so that it is accessible at the appropriate time and in the appropriate form or, from the information security point of view, so that it preserves its properties of confidentiality, integrity and availability.
Thesis
42

Menčík, Jan. "Systém řízení bezpečnosti informací společnosti BluePool s.r.o." Master's thesis, Vysoká škola ekonomická v Praze, 2017. http://www.nusl.cz/ntk/nusl-359161.

Abstract:
This master's thesis deals with Information Security Management according to the ISO/IEC 27000 group of standards and the implementation of an Information Security Management System (ISMS) in one particular company. The theoretical part describes the ISO/IEC 27000 group of standards and the legislation and institutions related to them. Then the theoretical framework of a risk analysis is introduced. The benefits and possible obstacles of implementing an ISMS in an organization, with emphasis on small businesses, are described at the end of the theoretical part. The practical part includes a complex risk analysis and measures to be taken for the revealed risks. Furthermore, it involves setting the internal information security rules in the company Bluepool s.r.o. with regard to risk management and the information security policy. The conclusion of this part puts forward a proposal of the process and examples of implementation, a time schedule and a budget for the implementation of the adopted measures.
43

Kosek, Jindřich. "Zavedení ISMS v malém podniku se zaměřením na ICT infrastrukturu." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2014. http://www.nusl.cz/ntk/nusl-224444.

Abstract:
The diploma thesis is focused on the design and implementation of an information security management system in a small business and applies theoretical knowledge to real-life situations in a manufacturing company. First, an analysis of the current status and of the threats that can affect the company's assets is performed. Thereafter, measures are proposed based on the identified risks and the requirements of the owner.
44

Vásquez, Ojeda Agustín Wilmer. "Diseño de un Sistema de Gestión de Seguridad de Información para la empresa Neointel SAC basado en la norma ISO/IEC 27001:2013." Bachelor's thesis, Universidad Peruana de Ciencias Aplicadas (UPC), 2020. http://hdl.handle.net/10757/652123.

Abstract:
This thesis aims to design an Information Security Management System (ISMS) to improve the quality of service of the Call Center of the company Neointel SAC. The model details the most effective way for the Call Center to treat its information security risks, based on Annex A of ISO/IEC 27001:2013, in order to reduce and mitigate the risks to information assets. Likewise, the technological vulnerabilities to which the Call Center is exposed can be reduced. The design also makes it possible to classify the main information assets, to determine the main information risks to which they are exposed, and to define how information security risks will be treated in alignment with business objectives. Finally, the roles and responsibilities within the organizational structure of an ISMS are defined and a risk treatment plan for the information assets is proposed, which has allowed the company to establish its own security procedures, reflected in the policies that make up the ISMS.
Thesis
45

Haller, Martin. "Návrh procesů pro společnost poskytující IT služby s ohledem na ISMS a ITSM." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2012. http://www.nusl.cz/ntk/nusl-223705.

Abstract:
The goal of this diploma thesis is to design processes for an existing ICT company that mainly provides services. This work contains models of the designed processes and proposes a suitable information system. All the designed processes are evaluated against the ISO/IEC 27000 and ISO/IEC 20000 standards.
46

Klepárník, Roman. "Návrh zavedení nutných oblastí ISMS ve veřejné správě." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2018. http://www.nusl.cz/ntk/nusl-378365.

Abstract:
This diploma thesis focuses on the application of an information security management system in the public administration. The thesis focuses on the most frequent threats to information security and describes the best practices that are compliant with ISO/IEC 27000. It contains a proposal of security recommendations that will help the organisation ensure better information security and prepare for the GDPR.
47

Sörensen, Robin. "Utvärdering av gapanalys för informationssäkerhet." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-11103.

Abstract:
Information security means protecting information assets with respect to availability, confidentiality, integrity and traceability. To manage information security within an organization, an ISMS (in Swedish: LIS, ledningssystem för informationssäkerhet) can be introduced. MSB (Myndigheten för samhällsskydd och beredskap, the Swedish Civil Contingencies Agency) maintains a methodological support for introducing an ISMS, and this support includes a gap analysis focused on information security. The gap analysis aims to map the current state of information security within organizations in order to compare it against the existing standard ISO/IEC 27002. The problem with this gap analysis is that it is generically designed to fit most organizations, so a study is carried out to examine how the gap analysis can be adapted and improved for municipal operations. An adaptation means that parts can be removed from the gap analysis, which would make information security work in municipal operations more efficient. In the improvement aspect, it is examined how well the gap analysis is understood by those who are to take part in the information security work. The evaluation was carried out using the access control chapter of the gap analysis, which concerns how access to important assets, such as databases containing sensitive information, is managed. This report shows whether the gap analysis maintained by MSB can be adapted to municipal operations and points out possible areas of improvement. Interviews were used as the method for answering the research question.
48

Johnson, Luciano. "Proposta de uma estrutura de análise de maturidade dos processos de segurança da informação com base na norma ABNT NBR ISO/IEC 27002: 2005." reponame:Repositório Institucional da UFPR, 2013. http://hdl.handle.net/1884/32224.

Abstract:
Information security concepts and practices have evolved in recent years, and companies have sought to adapt to this evolution. This adaptation effort most often reflects the information technology perspective. In this context it is possible to identify the need for a model to assess how information security is handled in organizations. Information security does not have a process structure or even a maturity model that supports organizations in identifying improvements. This work aims to propose a structure for analyzing the maturity of information security processes based on the ABNT NBR ISO/IEC 27002:2005 standard, seeking to close the gap identified above. To achieve this goal, processes were modeled based on the information security standard ABNT NBR ISO/IEC 27002:2005 (ABNT, 2005). The processes were derived from the control objectives established in the technical standard, and the process activities were derived from the controls of each normative control objective. From that point, the generic maturity model proposed by CMMI and widely used in international good practice was used to develop the maturity models for the information security processes. To assess maturity through the proposed models, a maturity analysis questionnaire and a software tool to support its application were developed. The questionnaire was applied in ten organizations in the Curitiba-PR region with more than one thousand internal information technology users. The results indicate that the topic is still the focus of the information technology (IT) area, since only the processes directly related to IT proved to be more developed. On the other hand, the processes related to management and planning proved to be the least developed.
From the analyses it was possible to conclude that information security is treated as an IT responsibility rather than a corporate one. Another important conclusion is that the topic is still new in organizations, given the low process maturity identified in the survey. This suggests that there are indeed improvements to be made, mainly in the management of information security.
49

Berríos, Mesía César Augusto, and Cam Martín Augusto Rocha. "Propuesta de un modelo de sistema de gestión de la seguridad de la información en una pyme basado en la norma ISO/IEC 27001." Bachelor's thesis, Universidad Peruana de Ciencias Aplicadas (UPC), 2015. http://hdl.handle.net/10757/581891.

Abstract:
This project, "Implementation Proposal of an Information Security Management System (ISMS) in an SME, based on the ISO 27001 standard", proposes a model of an Information Security Management System (ISMS) for implementation in a small or medium-sized enterprise (SME), with the aim of obtaining ISO 27001 certification in a simple way, at low cost and with reduced implementation times. For the development of this project, the team carried out an exhaustive analysis of the ISO/IEC 27000 family of standards in order to identify the minimum requirements needed to implement an ISMS in an SME. Based on this analysis, an ISMS model was designed that allows its subsequent implementation in an SME. The implementation procedure for the model was also developed, which allows an SME to implement the model on its own. Finally, the proposed model was applied, following the established methodology, in a Peruvian SME to verify its viability and to provide an implementation example for future stakeholders in the project. The long-term goal of this project is to make it easier for an SME to implement an ISMS on its own, in order to safeguard its information and distinguish itself from the competition.
50

Štukhejl, Kamil. "Návrh zavedení ISMS ve veřejné správě." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2019. http://www.nusl.cz/ntk/nusl-399673.

Abstract:
This diploma thesis focuses on the implementation of an information security management system in the public administration based on the ISO/IEC 27000 series of standards. The thesis contains the theoretical background, an introduction of the organization, a risk analysis and a proposal of appropriate measures for minimizing the identified risks. Finally, an implementation plan is proposed, including an economic evaluation.
