Abstract
D.Phil.
Any organisation is dependent on its information technology resources. The
challenges posed by new developments such as the World Wide Web and e-business
require new approaches to the management and protection of IT resources.
Various documents exist containing recommendations on the best practice to follow
for information security management. BS7799 is one such code of practice for
information security management.
The central problem addressed in this thesis is the need for new approaches and
perspectives on information security (IS) management in an organisation that take
cognisance of changing requirements in the realm of information technology. In this
thesis various models and tools are developed that can assist management in
understanding, adapting and using internationally accepted codes of practice for
information security management to the best benefit of their organisations.
The thesis consists of three parts. Chapter 1 and Chapter 2 constitute Part 1: Introduction
and Background. In Chapter 1 the problem statement, objectives and
deliverables are given. The chapter also contains definitions of important
terminology used in the thesis as well as an overview of the research.
Chapter 2 defines various terms associated with information security management in
an attempt to eliminate existing confusion. The terms are mapped onto a hierarchical
framework in order to illustrate the relationship between the different terms.
In Part 2: IS Management Perspectives and Models, consisting of Chapters 3, 4, 5
and 6, new approaches to information security management are discussed. In
Chapter 3 different perspectives on using a code of practice such as BS7799 for IS
management are presented. The different perspectives are based on the unique
characteristics of the organisation, such as its size and functional purpose. These
perspectives also enable organisations to focus on the controls for specific
resources or for specific security services such as integrity or confidentiality. In Chapter 4 these
different perspectives of business type/size, security services and resources are
integrated into a multi-dimensional model and mapped onto BS7799. Using the
multi-dimensional model enables management to answer questions such as:
"Which BS7799 controls must a small retail organisation interested in preserving the
confidentiality of its networks implement?"
In Chapter 5 the SecComp model is proposed to assist in determining how well an
organisation has implemented the BS7799 controls recommended for its needs.
In Chapter 6 the underlying implemented IT infrastructure, i.e. the software,
hardware and network products, is also incorporated into determining whether the
information assets of an organisation are sufficiently protected. This chapter combines
technology aspects with management aspects to provide a consolidated approach
towards the evaluation of IS.
The thesis culminates in Part 3: Conclusion, which comprises one chapter only. In
this last chapter, Chapter 7, the research undertaken is summarised and the
pros and cons of the proposed modelling approach are weighed up. The thesis is
concluded with a reflection on possible areas for further research.