Abstract
M.Phil. (Computer Science)
Despite the efforts at international and national level, security
continues to pose challenging problems. Firstly, attacks on information
systems are increasingly motivated by profit rather than by the desire
to create disruption for its own sake. Data are illegally mined,
increasingly without the user’s knowledge, while the number of
variants (and the rate of evolution) of malicious software (malware) is
increasing rapidly. Spam is a good example of this evolution. It is
becoming a vehicle both for malware (viruses, spyware and the like)
and for fraudulent and criminal activity such as phishing. Its
widespread distribution increasingly relies on botnets, i.e.
compromised servers and PCs used as relays without the knowledge of
their owners. The increasing deployment of mobile devices (including
3G mobile phones, portable videogame consoles, etc.) and mobile-based
network services will pose new challenges as IP-based services develop
rapidly. These could eventually become a more common route for attacks
than personal computers, since the latter already deploy a significant
level of security. Indeed, every new communication platform or
information system inevitably opens new windows of opportunity for
malicious attacks.
In order to successfully tackle the problems described above, a
strategic approach to information security is required, rather than the
implementation of ad hoc solutions and controls.
The strategic approach requires the development of an Information
Security Architecture. To be effective, the Information Security
Architecture must be aligned with the organisation’s Enterprise
Architecture and must be able to incorporate security into each
domain of that Enterprise Architecture.
This mini dissertation evaluates two current Information Security
Architecture models and frameworks to find an Information Security
Architecture that aligns with Eskom’s Enterprise Architecture.