Abstract
PhD. (Informatics)
Organizations become daily more dependent on information. Information is
captured, processed, stored and distributed by the information resources and
services within the organization. These information resources and services
should be secured to ensure a high level of availability, integrity and privacy
of this information at all times. This process is referred to as Information
Security Management. The main objective of this thesis is to identify all the
processes that constitute Information Security Management and to define a
metric through which the information security status of the organization can be
measured and presented.
It is necessary to identify an individual or a department which will be
responsible for introducing and managing the information security controls to
maintain a high level of security within the organization. The position and
influence of this individual, called the Information Security Officer, and/or
department within the organization, is described in chapter 2. The various
processes and subprocesses constituting Information Security Management are
identified and grouped in chapter 3.
One of these processes, Measuring and Reporting, is currently very ill-defined,
and few guidelines and/or tools exist to help the Information Security
Officer perform this task. For this reason the rest of the thesis is devoted to
providing an effective means to enable the Information Security officer to
measure and report the information security status in an effective way...