A model for the secure management of supply chains.
- Authors: Watt, Gareth
- Date: 2008-06-04T11:27:13Z
- Subjects: computer security , counterfeits and counterfeiting , business logistics
- Type: Thesis
- Identifier: uj:8852 , http://hdl.handle.net/10210/528
- Description: We live in a very demanding and increasingly computerised world. In almost any area, consumers have a wide variety of choices, yet they demand shorter lead-times, higher quality and lower costs and if a business is unable to provide for the consumer’s requirements, the consumer will look elsewhere. With little to distinguish in manufacturing quality, the efficient use and management of supply chains becomes paramount. For a long time, the counterfeiting trade has been a thorn in the side of legitimate business. Seeking only to generate maximum profit with minimum effort, they use the reputation of a legitimate business to maximize sales. The counterfeiter’s task is made easier by the lack of control mechanisms along the supply chain. This leads to a situation where materials and finished products are being misappropriated in volume and counterfeit goods are able to enter the chain, often with help from within the targeted organisation. There is no mechanism for forcing individuals and organisations to accept responsibility, allowing for the passing blame. This dissertation will examine the nature of a system aimed at defeating attempts at theft, validating an item’s authenticity and positively identifying the origin and rightful owner of an item. This dissertation will not be explicitly developing the above system and will concentrate more on the underlying factors and providing a generic model on which to base an actual system. First we examine the impact of supply chains on our day-to-day lives, the concept and the related management paradigms. Next comes the counterfeiting trade and what motivates the counterfeiter. The examination is extended to cover the workings of the so-called “Grey Market” and some steps to combat the trade. In order to facilitate an implementation, various technologies are examined for their suitability. This covers diverse technologies from biometric authentication through the Internet and cryptographic technologies to the use of Radio Frequency Identifiers. Some specific devices are discussed and user attitudes towards these technologies are gauged. Based on these technologies a model is proposed allow a supply chain to be secured. A variety of concepts, such as packaging, unpacking and sealing, are introduced and explained. These concepts are combined with the various technologies for tracking items within the chain and for enforcing nonrepudiation. Based on the model, the actors within the system are identified along with the types of information each might expect, allowing generic datasets to be developed. With the model and technologies in place a tiered theoretical implementation is formed showing how each hardware device interacts with the model to form a solution. , Prof. M.S. Olivier
- Full Text:
A model for vulnerability forecasting.
- Authors: Venter, Hein S.
- Date: 2008-06-04T11:26:48Z
- Subjects: forecasting , computer security
- Type: Thesis
- Identifier: uj:8847 , http://hdl.handle.net/10210/525
- Description: Internet and network security forms an interesting and topical, yet challenging and developing research domain. In this domain, a taxonomy of information security technologies is identified. This taxonomy is divided into two mainline entities, namely proactive and reactive information security technologies. This thesis is specifically concerned with proactive information security technologies, the focus being on a specific proactive information security technology – vulnerability scanning. Vulnerability scanning is implemented by vulnerability scanner (VS) products. VS products are used proactively to conduct vulnerability scans to identify vulnerabilities so that they can be rectified before they can be exploited by hackers. However, there are currently many problems with state-of-the-art VS products. For example, a vulnerability scan is time-consuming and a vast number of system resources are occupied, leading to the degradation of network and system performance. Furthermore, VS products lack the intelligence that is required to deal with new vulnerabilities that appear like clockwork. Current VS products also differ extensively in the way that they can detect vulnerabilities, as well as in the number of vulnerabilities that they can detect. These problems motivated the researcher to create a model for vulnerability forecasting (VF). The uniqueness of the VF model lies in its holistic approach to addressing these problems while maintaining its end goal – that of being able to do a vulnerability forecast of how vulnerabilities will occur in the near future. Such a vulnerability forecast would, therefore, enable an organisation to use it proactively as part of a risk management scheme. Furthermore, in order to demonstrate the feasibility of implementing the proposed model, a report on the development of a prototype for vulnerability forecasting is included. Rather than reinventing the wheel, the prototype incorporates the use of current state-of-the-art VS products in its VF process. This is advantageous in the sense that the prototype is independent of a specific VS product. It is because of the latter that a standardisation technique had to be used to refer to vulnerabilities in the same way since different VS products do not refer to and detect similar vulnerabilities in the same way. This standardisation technique introduced in this thesis is known as harmonising vulnerability categories. This thesis contributes to the understanding of vulnerability scanning techniques and how vulnerability scanning can be utilised more effectively by doing vulnerability forecasting. The thesis also paves the way for numerous potential future research projects in the domain of Internet and network security. , Prof. J.H.P. Eloff
- Full Text:
Institutionalizing information security.
- Authors: Von Solms, Elmarie
- Date: 2008-06-04T11:26:29Z
- Subjects: microcomputer access control , computer security , data protection
- Type: Thesis
- Identifier: uj:8826 , http://hdl.handle.net/10210/523
- Description: Information security has become a much discussed subject all over the world in the last few years. This is because information security is no longer a luxury, but a necessity in all organisations. The securing of information is not an easy task because information security is flexible and always seems to be in a state of development. This means that information security has undergone different development changes due to new technologies in the past few years. Information security became prominent around 50 years ago and had a very strict technical approach. In this approach, industries mainly worked with mainframes, with little or no concept of management aspects such as security policies or awareness programmes. The technical approach thus included little or no management effort in terms of information security. The need to manage information security began when new technologies such as the Internet and the World Wide Web were introduced to the information security environment. This caused information security to shift from the technical to the more managerial approach. The move of information security from the technical to the managerial approach may be identified through different development trends. These development trends have occurred mainly to improve information security management in any organisation. The primary purpose of this dissertation is therefore to identify and investigate different development trends that have an influence on information security, especially from a managerial point of view. , Prof. J.H.P. Eloff
- Full Text:
A model for the dynamic delegation of authorization rights in a secure workflow management system.
- Authors: Venter, Karin
- Date: 2008-06-04T09:27:37Z
- Subjects: delegation of authority , workflow , computer security , computer access control
- Type: Thesis
- Identifier: uj:8807 , http://hdl.handle.net/10210/521
- Description: Businesses are continually striving to become more efficient. In an effort to achieve optimal efficiency, many companies have been forced to re-evaluate the efficiency of their business processes. Consequently, the term “business process re-engineering” (BPR) has been given to the activity of restructuring organizational policies and methods for conducting business. The refinement of business processes is the primary motivation behind the development of automated work- flow systems that ensure the secure and efficient flow of information between activities and participants that constitute the business process. A workflow is an automated business process that comprises a number of related tasks. When these tasks are executed in a systematic way, they contribute to the fulfilment of some goal. The order in which workflow tasks execute is of great significance because these tasks are typically dependent on each other. A workflow management system (WFMS) is responsible for scheduling the systematic execution of workflow tasks whilst considering the dependencies that exist between them. Businesses are realizing the necessity of information management in the functioning and general management of a company. They are recognizing the important role that information security has to play in ensuring that accurate information that is relevant is gathered, applied and maintained to enhance the company’s service to its customers. In a workflow context, information security primarily involves the implementation of access control security mechanisms. These mechanisms help ensure that task dependencies are coordinated and that tasks are performed by authorized subjects only. In doing so, they also assist in the maintenance of object integrity. TheWorkflow Authorization Model (WAM) was developed by Atluri and Huang [AH96b, HA99] with the specific intention of addressing the security requirements of workflow environments. It primarily addresses the granting and revoking of authorizations in a WFMS. TheWAM satisfies most criteria that are required of an optimal access control model. These criteria are the enforcement of separation of duties, the handling of temporal constraints, a role-based application and the synchronization of workflow with authorization flow. Some of these conditions cannot be met through pure role-based access control (RBAC) mechanisms. This dissertation addresses the delegation of task authorizations within a work- flow process by subject roles in the organizational structure. In doing this, a role may have the authority to delegate responsibility for task execution to another individual in a role set. This individual may potentially belong to a role other than the role explicitly authorized to perform the task in question. The proposed model will work within the constraints that are enforced by the WAM. Therefore, the WAM will play a part in determining whether delegation may be approved. This implies that the delegation model may not override any dynamically defined security constraints. The Delegation Authorization Model (DAM) proposed assists in distributing workloads amongst subject roles within an organization, by allowing subjects to delegate task responsibilities to other subjects according to restrictions imposed by security policies. As yet, this area of research has not received much attention. , Prof. M.S. Olivier
- Full Text:
The use of a virtual machine as an access control mechanism in a relational database management system.
- Authors: Van Staden, Wynand Johannes
- Date: 2008-06-04T09:27:04Z
- Subjects: database management , relational databases , computer security , virtual computer systems , computer access control
- Type: Thesis
- Identifier: uj:8802 , http://hdl.handle.net/10210/518
- Description: This dissertation considers the use of a virtual machine as an access control mechanism in a relational database management system. Such a mechanism may prove to be more flexible than the normal access control mechanism that forms part of a relational database management system. The background information provided in this text (required to clearly comprehend the issues that are related to the virtual machine and its language) introduces databases, security and security mechanisms in relational database management systems. Finally, an existing implementation of a virtual machine that is used as a pseudo access control mechanism is provided. This mechanism is used to examine data that travels across a electronic communications network. Subsequently, the language of the virtual machine is chiefly considered, since it is this language which will determine the power and flexibility that the virtual machine offers. The capabilities of the language is illustrated by showing how it can be used to implement selected access control policies. Furthermore it is shown that the language can be used to access data stored in relations in a safe manner, and that the addition of the programs to the DAC model does not cause a significant increase in the management of a decentralised access control model. Following the proposed language it is obvious that the architecture of the ìnewî access control subsystem is also important since this architecture determines where the virtual machine fits in to the access control mechanism as a whole. Other extensions to the access control subsystem which are important for the functioning of the new access control subsystem are also reected upon. Finally, before concluding, the dissertation aims to provide general considerations that have to be taken into account for any potential implementation of the virtual machine. Aspects such as the runtime support system, data types and capabilities for extensions are taken into consideration. By examining all of the previous aspects, the access control language and programs, the virtual machine and the extensions to the access control subsystem, it is shown that the virtual machine and the language offered in this text provides the capability of implementing all the basic access control policies that can normally be provided. Additionally it can equip the database administrator with a tool to implement even more complex policies which can not be handled in a simple manner by the normal access control system. Additionally it is shown that using the virtual machine does not mean that certain complex policies have to be implemented on an application level. It is also shown that the new and extended access control subsystem does not significantly alter the way in which access control is managed in a relational database management system. , Prof. M.S. Olivier
- Full Text:
Computer vulnerability risk analysis.
- Authors: Van Loggerenberg, Morne
- Date: 2008-06-04T09:26:54Z
- Subjects: computer security , computer systems' risk assessment
- Type: Thesis
- Identifier: uj:8801 , http://hdl.handle.net/10210/517
- Description: The discussions presented in this dissertation have been undertaken in answer to the need for securing the intellectual assets stored on computer systems. Computer vulnerabilities and their influence on computer systems and the intellectual assets they possess are the main focus of this research. In an effort to portray the influence of vulnerabilities on a computer system, a method for assigning a measure of risk to individual vulnerabilities is proposed. This measure of risk, in turn, gives rise to the development of the vulnerability risk status of a computer system. In short, vulnerability risk status is the total measure of risk a computer system is exposed to according to its vulnerabilities, at a certain point in time. A prototype was developed to create the vulnerability risk status of a computer system, which summarizes the purpose of the research in this dissertation. The discussions start with background information concerning the influence of the inherent vulnerabilities on computer systems. A conceptual model is proposed for achieving the creation of the vulnerability risk status of a computer system. Later chapters are concerned with categorizing all known vulnerabilities so that the main areas of vulnerability within a computer system can be identified. Different security technologies and tools are also evaluated to determine those that could aid the creation of vulnerability risk status. A security tool is selected and the generic, architectural elements are manipulated to allow the added functionality of vulnerability risk status. In conclusion, discussions are evaluated to determine whether the problem statements have been addressed and thoroughly resolved. , Eloff, J.H.P., Prof.
- Full Text:
Integrating visual feedback and a vision agent into the telemanufacturing environment.
- Authors: Scarcella, Vincenzo
- Date: 2008-06-04T09:26:10Z
- Subjects: computer vision , virtual reality , computer security , internet , data processing , engineering prototypes , industrial design
- Type: Thesis
- Identifier: uj:8786 , http://hdl.handle.net/10210/514
- Description: The automated fabrication of a prototype three-dimensional part from a three-dimensional drawing can be regarded as rapid prototyping. There are two basic types of rapid prototyping: subtractive fabrication and additive fabrication. Subtractive fabrication begins with a block of material that is larger than the object to be created and “sculpts” the block into the required prototype three-dimensional part. Additive fabrication continuously adds particles to an object until the desired object is created. Often this process builds a prototype three-dimensional part layer by layer. The prototype three-dimensional parts are created by particular rapid prototyping hardware. Telemanufacturing allows for the remote submission of three-dimensional drawings via a communication medium to the site where the rapid prototyping machine resides. The communication medium for the purposes of this dissertation is the Internet. After the three-dimensional drawing is submitted to the remote site, the rapid prototyping machine proceeds to create the prototype three-dimensional part. The aim of this research is to integrate a visual feedback system into the telemanufacturing environment. The visual feedback system allows a user at a remote location to view the progress of the manufacture of the prototype three-dimensional part in real time. This research also aims to integrate a software agent into the telemanufacturing environment. An agent is loosely defined as “one that acts for another”. The software agent discussed in this dissertation will analyze visual data obtained from the rapid prototyping environment, determine if the prototype three-dimensional part being created contains errors, and take the necessary action. The ultimate goal of this dissertation is to allow the visual analysis of a part as a rapid prototyping machine is creating it. This research allows for two approaches to this “visual analysis”: human analysis, and analysis by a software agent. The “visual analysis” will detect any errors that have occurred during the manufacturing process and ultimately result in the reduction of time and resources to create prototype three dimensional parts using telemanufacturing. , Prof. E.M. Ehlers
- Full Text:
Information security in web-based teleradiology.
- Authors: Psaros, Vasiliki Chrisovalantou
- Date: 2008-06-04T09:25:56Z
- Subjects: computer security , data protection , internet security , telecommunication in medicine , picture archiving and communication systems , radiology
- Type: Thesis
- Identifier: uj:8781 , http://hdl.handle.net/10210/513
- Description: Health care organisations operate in a eld that is driven by patient, business and legislative demands. Now, Information Technology (IT) is starting to exert its powers on this eld. A revolution is taking place in the health care eld, and IT is playing an increasingly important role. This study originated from realising that medical staff were using technology to help them receive patient studies and do a diagnosis. Health care professionals are very dependent on the availability of the computer systems and on the accuracy of the data that is stored. While health care records may contain information that is of utmost sensitivity, this information is only useful if it is shared with the health care providers and the system under which the patient receives his/her care. The latter trend marks an ever-growing need to protect the confidentiality and integrity of health care information, while at the same time ensuring its availability to authorised health care providers. It has to be acknowledged that a complete protection of data is, in practice, infeasible and impossible. Many systems are not secure, making them vulnerable to attacks. Health care facilities have a challenge of keeping up-to-date with the legal requirements that apply to patient records in order to protect the condentiality, integrity and availability of patient data. This study is aimed at examining the information security of the data in a teleradiology system that is used by a health care facility, and to provide recommendations on how the security can be improved. , Prof. S.H. von Solms
- Full Text:
Secure multimedia databases.
- Authors: Pedroncelli, Antony
- Date: 2008-06-02T13:08:07Z
- Subjects: Multimedia systems , access control , computer security , data protection , databases
- Type: Thesis
- Identifier: uj:8748 , http://hdl.handle.net/10210/509
- Description: A message can be communicated to other people using a combination of pictures, sounds, and actions. Ensuring that the message is understood as intended often depends on the presentation of these forms of multimedia. In today’s digital world, traditional multimedia artefacts such as paintings, photographs, audiotapes and videocassettes, although still used, are gradually being replaced with a digital equivalent. It is normally easy to duplicate these digital multimedia files, and they are often available within public repositories. Although this has its advantages, security may be a concern, especially for sensitive multimedia data. Information security services such as identification and authentication, authorisation, and confidentiality can be implemented to secure the data at the file level, ensuring that only authorised entities gain access to the entire multimedia file. It may not always be the case however that a message must be conveyed in the same way for every entity (user or program) that makes a request for the multimedia data. Although access control measures can be ensured for the multimedia at the file level, very little work has been done to ensure access control for multimedia at the content level. A number of models will be presented in this dissertation that should ensure logical access control at the content level for the three main types of multimedia, namely images, audio, and video. In all of these models, the multimedia data is securely stored in a repository, while the associated security information is stored in a database. The objects that contain the authorisation information are created through an interface that securely communicates with the database. Requests are made through another secure interface, where only the authorised multimedia data will be assembled according to the requesting entity’s security classification. Certain important side issues concerning the secure multimedia models will also be discussed. This includes security issues surrounding the model components and suspicion i.e. reducing the probability that a requesting entity would come to the conclusion that changes were made to the original multimedia data. , Prof. M.S. Olivier
- Full Text:
Enforcing Privacy on the Internet.
- Authors: Lategan, Frans Adriaan
- Date: 2008-06-02T10:16:50Z
- Subjects: internet , internet security , computer security , data protection , right of privacy
- Type: Thesis
- Identifier: uj:2507 , http://hdl.handle.net/10210/495
- Full Text:
A framework for secure human computer interaction.
- Authors: Johnston, James
- Date: 2008-06-02T10:16:37Z
- Subjects: electronic commerce security measures , web sites security measures , internet banking security measures , firewalls (computer security) , Microsoft Windows (computer file) , computer security , human- computer interaction
- Type: Thesis
- Identifier: uj:2485 , http://hdl.handle.net/10210/493
- Description: This research is concerned with the development of a framework for the analysis and design of interfaces found in a security environment. An example of such an interface is a firewall. The purpose of this research is to use the framework as a method to improve the usability of an interface, thus aiding the user to implement the correct security features. The purpose is also to use the framework to assist in the development of trust between a user and a computer system. In this research the framework comprises six criteria which are used to analyse interfaces found in the traditional software environment, Internet banking environment and e-commerce environment. In order to develop the framework an overview of the fields of information security and human computer interfaces (HCI) is given. The overview provides background information and also establishes the existing research which has been done in these fields. Due to its popularity, the Windows Internet Connection Firewall is analysed in this research. Based on the criteria a level of trust fostered between the user and interface is calculated for the firewall. It is then shown how this level of trust can be improved by modifying the interface. A proposed interface for the firewall is presented according to the criteria. Interfaces found in the online Internet environment are discussed. This is important in order to identify the similarities and differences between traditional software interfaces and web interfaces. Due to these differences the criteria are modified to be relevant in the analysis and design of security interfaces found on the Internet. Three South African online banking websites are analysed according to the modified framework. Each interface is broken down into a number of components which are then analysed individually. The results of the analysis are compared between the three banking sites to identify the elements which make up a successful interface in an online banking environment. Lastly, three interfaces of e-commerce websites are analysed. Recommendations are made on how the interfaces can be improved, thus leading to a higher level of trust. , Labuschagne, L., Prof.
- Full Text:
A model for bridging the information security gap between IT governance and IT service management.
- Authors: Da Cruz, Eduardo Miguel
- Date: 2008-05-29T08:32:33Z
- Subjects: computer security , corporate governance , information technology management
- Type: Thesis
- Identifier: uj:2463 , http://hdl.handle.net/10210/491
- Description: Today, organisations rely on IT systems which are constantly expected to improve return on investment without an increase in costs. These expectations have resulted in greater importance of the use and management of IT resources. In light of this increased importance of IT management, organisations turned towards frameworks, such as COBIT and ITIL, to better manage their IT resources. Although both frameworks have gained remarkable popularity, there is a lack of detailed information regarding their interrelation within an organisation. This creates a problem where an organisation that has implemented ITIL is unable to determine the level of COBIT compliance. Without being able to determine the level of compliance, it is not possible to ensure that the business requirements for information are being met therefore preventing an organisation from ensuring that their business objectives are achieved. The goal of this dissertation is to establish, from a security perspective, a Model that links COBIT and ITIL together on a detailed level to show their interrelation within an organisation and to provide a means of determining COBIT compliance through the use of the ITIL framework. This will effectively bridge the gap between IT Governance and IT Service Management. Before being able to develop such a Model, it was necessary to first link the COBIT and ITIL frameworks to show that such a Model can be developed. It was possible to establish such a link between COBIT and ITIL as both frameworks are based on a similar process. This is followed by determining the overlap between the security components of COBIT and ITIL. The results indicate that ITIL is insufficient to address all the security aspects of COBIT and additional control measures were required. These control measures werefound in an external framework and integrated into ITIL to complete the overlap. The completed overlap allowed for full COBIT compliance through the use of the ITIL with the additional control measures. The complete overlap between COBIT and ITIL allowed for the development of a framework that showed the interrelation between the security aspects of COBIT and ITIL within an organisation. This framework was then used as a foundation to develop a process of determining COBIT compliance using ITIL. This process of determining COBIT compliance was validated through the development of a software prototype. The framework and the process of determining COBIT compliance constitute the required Model which can be used to solve the identified problem. This dissertation also provides a strong platform for further research involving the areas of IT Governance and IT Service Management. It provides research topics into linking other parts of COBIT and ITIL that are not security related. The process of determining COBIT compliance can also be extended to function with other operational frameworks. This dissertation has also discovered an interesting relationship that exists within the COBIT frameworks. , Prof. Labuschagne
- Full Text:
A model to assess the Information Security status of an organization with special reference to the Policy Dimension.
- Authors: Grobler, Cornelia Petronella
- Date: 2008-05-29T08:31:57Z
- Subjects: computer security , data protection , ISO 17799
- Type: Thesis
- Identifier: uj:2430 , http://hdl.handle.net/10210/488
- Description: Information Security is becoming a high-priority issue in most organizations. Management is responsible for the implementation of security in the organization. Information Security is a multi-dimensional discipline. A well-defined Information Security Management strategy will enable managers to manage security effectively and efficiently in the organization. Management must be able to assess the current security status of the organization. Currently, no comprehensive, integrated assessment tool or model exists to assess the total security posture of an organization. The study will address the problem by proposing a high-level integrated assessment model for Information Security. The study is divided into 4 parts. Part one: Introduction to Information Security Management consists of three chapters. Chapter 1 provides the user with an introduction and background to the study. In chapter 2, the study discusses Information Security as a multi-dimensional discipline. The dimensions identified are the Corporate Governance (Strategic and Operational), Policy, People, Risk Management, Legal, Compliance and Technology dimensions. Information Security is no longer a technical issue, it must be managed. The need for an Information Security Management strategy is discussed in chapter 3 of the study. A successful management strategy should be based on a well-defined Information Security Architecture. Part 2: Information Security Architectures, of the study consists of one chapter. Chapter 4 of the study discusses and compares different Information Security Architectures. The study uses the information gathered from the comparative study and best practices: CobiT and ISO17799, to propose a new Information Security Architecture: RISA. The study uses this architecture as a framework for the assessment model. Part 3: Assessing security consists of five chapters. Chapter 5 discusses the characteristics of assessment and proposes an assessment framework. The study recognizes that assessment on the different levels of an organization will be different, as the assessment requirements on management level will differ from the requirements on a technical level. It is important to use best practices in the assessment model as it enables organizations to prove their security readiness and status to business partners. Best practices and standards enable organizations to implement security in a structured way. Chapter 6 discusses the ISO17799 and CobiT as best practices and their role in the assessment process. Chapter 7 of the study discusses various factors that will influence security assessment in an organization. These factors are the size of the organization, the type of organization and the resources that need to be secured. The chapter briefly discusses the various dimensions of Information Security and identifies deliverables to assess for every dimension. The chapter proposes a high-level, integrated assessment plan for Information Security, using the deliverables identified for each dimension. The study refines the assessment plan for the Policy Dimension in chapter 8. The chapter proposes various checklists to determine the completeness of the policy set, correct format of every documented policy and if supporting documentation exist for every documented policy. A policy status result will be allocated to each policy that the organization needs. The status results of all the individual policies will be combined to determine the security status of the Policy dimension. The study proposes an integrated high-level assessment model in chapter 9 of the study. This model uses the RISA and assessment plan as proposed in chapter 7. It includes all the specified dimensions of Information Security. The assessment model will enable management to obtain a comprehensive high-level picture of the total security posture of an organization. Chapter 10 will summarize the research done and propose further research to be done. , Prof. S.H. von Solms
- Full Text:
CoSAWoE - a model for context-sensitive access control in workflow environments.
- Authors: Botha, Reinhardt A
- Date: 2008-05-29T08:31:19Z
- Subjects: workflow , data protection , computer security , computers access control
- Type: Thesis
- Identifier: uj:2407 , http://hdl.handle.net/10210/485
- Description: Due to the correspondence between the role abstraction in Role-based Access Control (RBAC) and the notion of organizational positions, it seems easy to construct role hierarchies. This is, however, a misconception. This paper argues that, in order to reﬂect the functional requirements, a role hierarchy becomes very complex. In a bid to simplify the design of role hierarchies suitable for the expression of access control requirements in workﬂow systems, the paper proposes a “typed” role hierarchy. In a “typed” role hierarchy a role is of a speci ﬁc type. The associations between diﬀerent types of roles are limited by rules that govern the construction of a role hierarchy. This paper proposes a methodology to systematically construct a “typed” role hierarchy. Since the “typed” nature of the role hierarchy is only relevant during the construction of the role hierarchy, it can seamlessly be integrated into existing RBAC schemes that support the concept of role hierarchies. , Eloff, J.H.P., Prof.
- Full Text:
A framework for ethical information security.
- Authors: Trompeter, Colette
- Date: 2008-05-06T10:10:35Z
- Subjects: computer security , data protection , information technology , business ethics
- Type: Thesis
- Identifier: uj:6742 , http://hdl.handle.net/10210/314
- Description: Organisations are under constant pressure to comply with information security requirements. However, this seldom happens. Information security is like a patchwork quilt - the protection it provides is only as good as its weakest stitch. The electronic business revolution has compounded this situation, as millions of dollars are being tossed about, and rules and regulations have yet to be written. Another problem is that information has to be protected over a geographically dispersed network. It stands to reason then that instances of unethical, even criminal, behaviour are growing exponentially. The principal aim of this research was to consider information security from an ethical perspective. Information security has been a well researched topic for several years. Therefore an investigation was carried out as to whether information security conforms to what individuals and organisations deem as being morally and behaviourally correct. An investigation was carried out into the age-old philosophy of ethically correct behaviour. This was then applied to information security and three ethical information security controls were identified that could provide protection in this e-business environment. A framework was developed to illustrate how a “pillar of strength” can be established in organisations to create an awareness of ethically correct behaviour in securing information. This framework was applied to recently accepted information security standards to test their applicability to the creation of ethical awareness. The research concludes by determining the ability of organisations to adhere to ethically correct behavioural patterns in information security. , Prof. J.H.P. Eloff
- Full Text:
Information security culture.
- Authors: Martins, Adele
- Date: 2008-04-24T12:34:55Z
- Subjects: computer security , data protection
- Type: Thesis
- Identifier: uj:8610 , http://hdl.handle.net/10210/292
- Description: The current study originated from the realisation that information security is no longer solely dependent on technology. Information security breaches are often caused by users, most of the time internal to the organisation, who compromise the technology-driven solutions. This interaction between people and the information systems is seemingly the weakest link in information security. A people-oriented approach is needed to address this problem. Incorporating the human element into information security could be done by creating an information security culture. This culture can then focus on the behaviour of users in the information technology environment. The study is therefore principally aimed at making a contribution to information security by addressing information security culture and, for this reason, culminates in the development of an information security culture model and assessment approach. While developing the model, special care was taken to incorporate the behaviour of people in the working environment and hence organisational behaviour coupled with issues concerning information security culture that need to be addressed. An information security culture assessment approach is developed consisting of a questionnaire to assess whether an organisation has an adequate level of information security culture. The assessment approach is illustrated through a case study. Below is an overview of the framework within which the research was conducted: The dissertation consists of four parts. Chapters 1 and 2 constitute Part 1: Introduction and background. Chapter 1 serves as an introduction to the research study by providing the primary motivation for the study and defining the problems and issues to be addressed. In addition, the chapter is devoted to defining a set of standard terms and concepts used throughout the study. The chapter concludes with an overview of the remaining chapters. Chapter 2 gives some background to information security culture and discusses its evolution to date. There is a new trend in information security to incorporate the human element through an information security culture. Information security is divided into two different levels. Level 1 focuses on the human aspects of information security, such as the information security culture, and level 2 incorporates the technical aspects of information security. Part 2: Information security culture model is covered in chapters 3, 4 and 5. In chapter 3, the concept of information security culture is researched. Different perspectives are examined to identify issues that need to be considered when addressing information security culture. A definition of information security culture is constructed based on organisational culture. Chapter 4 is devoted to developing a model that can be used to promote an information security culture. This model incorporates the concept of organisational behaviour as well as the issues identified in chapter 3. Chapter 5 builds upon the information security culture model and aims to identify practical tasks to address in order to implement the model. In Part 3: Assessing information security culture, chapters 6 to 10, attention is given to the assessment of an information security culture, giving management an indication of how adequately the culture is promoted through the model. Chapter 6 considers the use of available approaches such as ISO17799 to aid in promoting and assessing an information security culture. This approach is evaluated against the definition of information security culture and the information security culture model in order to determine whether it could assess information security culture in an acceptable manner. The next four chapters, namely chapters 7 to 10, are devoted to the development of an information security culture assessment approach consisting of four phases. Chapter 7 discusses phase 1. In this phase a questionnaire is developed based on the information security culture model. Chapter 8 uses the information security culture questionnaire as part of a survey in a case study. This case study illustrates phase 2 as well as what information can be obtained through the questionnaire. In chapter 9 the data obtained through the survey is analysed statistically and presented (phase 3). The level of information security culture is then discussed in chapter 10, with interpretations and recommendations to improve the culture (phase 4). Chapter 11 in Part 4: Conclusion serves as a concluding chapter in which the usefulness and limitations of the proposed model and assessment approach are highlighted. The research study culminates in a discussion of those aspects of information security culture that could bear further research. , Prof. J.H.P. Eloff
- Full Text:
The information security policy: an important information security management control.
- Authors: Hone, Karin
- Date: 2008-04-22T06:36:17Z
- Subjects: computer security , computer security management , computer security standards , data protection
- Type: Thesis
- Identifier: uj:8549 , http://hdl.handle.net/10210/274
- Description: This study originated from the realisation that the information security industry has identified the information security policy as one of the most important information security management controls. Within the industry there are, however, differing views as to what constitutes an information security policy, what it should contain, how it should be developed and how it should best be disseminated and managed. Numerous organisations claim to have an information security policy, but admit that it is not an effective control. The principal aim of this study is to make a contribution to the information security discipline by defining what an information security policy is, where it fits into the broader information security management framework, what elements an effective policy should contain, how it should be disseminated and how the document is best kept relevant, practical, up-to-date and efficient. The study develops and documents various processes and methodologies needed to ensure the effectiveness of the information security policy, such as the dissemination process and the information security policy management lifecycle. The study consists of five parts, of which Part I serves as introduction to the research topic. It provides background information to the topic and lays the foundation for the rest of the dissertation. Chapter 1 specifically deals with the research topic, the motivation for it and the issues addressed by the dissertation. Chapter 2 looks at the concept of information security management and what it consists of, highlighting the role an information security policy has to play in the discipline. Chapter 3 introduces the various international information security standards and codes of practice that are referred to, examined and analysed in the dissertation. This chapter specifically highlights how and to what extent each of these address the topic of the information security policy. Part II introduces the concept of the information security policy. Chapter 4 provides the background to what an information security policy is and where it fits into the broader structure of an organisation’s governance framework. Chapter 5 specifies what an effective information security policy is and what components are needed to ensure its success as an information security control. Part III expands the components of an effective information security policy as introduced in Chapter 5. This part consists of Chapters 6 to 8, with each of these addressing a single component. Chapter 6 further investigated the development of the information security policy. The dissemination of the document is discussed in Chapter 7 and Chapter 8 expands the concept of the information security policy management lifecycle. Part IV consists of Chapter 9, which deals with a case study applying the various processes and methodologies defined in the previous part. The case study deals with a fictitious organisation and provides detailed background information to indicate how the organisation should approach the development and dissemination of the information security policy. Some of the examples constructed from the case study include a sample information security policy and a presentation to be used as introduction to the information security policy. The dissertation is concluded in Chapter 10. This chapter provides a summarised overview of the research and the issues addressed in it. , Prof. J.H.P. Ehlers
- Full Text: