A strategy for managing examination security at tertiary institutions in South Africa
- Authors: van Zyl, Marthinus Petrus
- Date: 2012-09-11
- Subjects: Examinations , Management information systems , Higher education management , Computer security , Data protection
- Type: Mini-Dissertation
- Identifier: uj:9958 , http://hdl.handle.net/10210/7354
- Description: M.B.A. , More and more policy makers in South Africa’s educational environment are focusing on the impact of digital developments on lifelong learning, electronic publishing, computer-mediated communication and the growth of virtual universities. Johnson and Scholes (1999:475) state that increased availability and quality of information can enhance an organisation’s competency both by reducing the cost of processes and by improving their quality. Managers need to be clear about how these improvements in information technology should influence the way in which they manage their business processes and the benefits associated with the costs of these electronic services. President Thabo Mbeki has stated that universities have a key role to play in improving the quality of life of all South African citizens since education is the key to unlocking each person's potential and improving the quality of life in general (Le Roux, 2005). Mbeki also emphasized that South African universities should emerge from the current process of change, ready to compete with the best institutions in the world. Mbeki asserted that change must guarantee that South Africa catches up with the best in the world in terms of the generation and use of knowledge capital to create the winning society that South Africa yearns for. It must guarantee that South Africa produces the intelligentsia who must be at the cutting edge of our process of renaissance.
- Full Text:
- Authors: van Zyl, Marthinus Petrus
- Date: 2012-09-11
- Subjects: Examinations , Management information systems , Higher education management , Computer security , Data protection
- Type: Mini-Dissertation
- Identifier: uj:9958 , http://hdl.handle.net/10210/7354
- Description: M.B.A. , More and more policy makers in South Africa’s educational environment are focusing on the impact of digital developments on lifelong learning, electronic publishing, computer-mediated communication and the growth of virtual universities. Johnson and Scholes (1999:475) state that increased availability and quality of information can enhance an organisation’s competency both by reducing the cost of processes and by improving their quality. Managers need to be clear about how these improvements in information technology should influence the way in which they manage their business processes and the benefits associated with the costs of these electronic services. President Thabo Mbeki has stated that universities have a key role to play in improving the quality of life of all South African citizens since education is the key to unlocking each person's potential and improving the quality of life in general (Le Roux, 2005). Mbeki also emphasized that South African universities should emerge from the current process of change, ready to compete with the best institutions in the world. Mbeki asserted that change must guarantee that South Africa catches up with the best in the world in terms of the generation and use of knowledge capital to create the winning society that South Africa yearns for. It must guarantee that South Africa produces the intelligentsia who must be at the cutting edge of our process of renaissance.
- Full Text:
A data protection methodology to preserve critical information from the possible threat of information loss
- Authors: Schwartzel, Taryn
- Date: 2011-10-03T07:34:13Z
- Subjects: Data protection , Business communication - Security measures , Business - Computer network resources - Security measures , Computer security management , Electronic commerce - Security measures
- Type: Thesis
- Identifier: uj:7224 , http://hdl.handle.net/10210/3861
- Description: M.Tech. , Information is a company’s greatest asset that is continually under threat from human error, technological failure, natural disasters and other external factors. These threats need to be identified and quantified and their relevant protection techniques need to be deployed. This research will allow businesses to ascertain which of these data protection strategies to embrace and deploy, thereby highlighting the balance between cost and value for their business needs. Every commercial enterprise should understand the business value of their data and realise that protecting this data is of utmost importance. However, company data often resides on different mediums, in different locations and implementing a data protection strategy is not always cost effective in terms of the cost of storage mediums and protection methods. The challenges that businesses face is trying to distinguish between mission-critical data from other business data, excluding any non-business or invaluable data that resides on their systems. Thus a cost-effective data protection strategy can be implemented according to the different values of business data. This research provides a model to enable an organisation to: · Utilise the model as a framework or guideline in determining a strategy for protection, storage, retrieval and preservation of business critical data. · Define the data protection strategy to meet the organisation’s business requirements. · Define a cost effective data protection solution that encompasses protection, storage, retrieval and preservation of business critical data. · Make strategic decisions based on an array of best practices to ensure mission-critical data is protected accordingly. iii · Draw a conclusion between the costs of implementing these solutions against the real business value of the data that it protects.
- Full Text:
- Authors: Schwartzel, Taryn
- Date: 2011-10-03T07:34:13Z
- Subjects: Data protection , Business communication - Security measures , Business - Computer network resources - Security measures , Computer security management , Electronic commerce - Security measures
- Type: Thesis
- Identifier: uj:7224 , http://hdl.handle.net/10210/3861
- Description: M.Tech. , Information is a company’s greatest asset that is continually under threat from human error, technological failure, natural disasters and other external factors. These threats need to be identified and quantified and their relevant protection techniques need to be deployed. This research will allow businesses to ascertain which of these data protection strategies to embrace and deploy, thereby highlighting the balance between cost and value for their business needs. Every commercial enterprise should understand the business value of their data and realise that protecting this data is of utmost importance. However, company data often resides on different mediums, in different locations and implementing a data protection strategy is not always cost effective in terms of the cost of storage mediums and protection methods. The challenges that businesses face is trying to distinguish between mission-critical data from other business data, excluding any non-business or invaluable data that resides on their systems. Thus a cost-effective data protection strategy can be implemented according to the different values of business data. This research provides a model to enable an organisation to: · Utilise the model as a framework or guideline in determining a strategy for protection, storage, retrieval and preservation of business critical data. · Define the data protection strategy to meet the organisation’s business requirements. · Define a cost effective data protection solution that encompasses protection, storage, retrieval and preservation of business critical data. · Make strategic decisions based on an array of best practices to ensure mission-critical data is protected accordingly. iii · Draw a conclusion between the costs of implementing these solutions against the real business value of the data that it protects.
- Full Text:
Modeling personally identifiable information leakage that occurs through the use of online social networks
- Authors: Louw, Candice
- Date: 2015-06-30
- Subjects: Online social networks - Access control , Online social networks - Security measures , Data protection
- Type: Thesis
- Identifier: uj:13662 , http://hdl.handle.net/10210/13846
- Description: M.Sc. (Computer Science) , With the phenomenal growth of the Online Social Network (OSN) industry in the past few years, users have resorted to storing vast amounts of personal information on these sites. The information stored on these sites is often readily accessible from anywhere in the world and not always protected by adequate security settings. As a result, user information can make its way, unintentionally, into the hands of not only other online users, but also online abusers. Online abusers, better known as cyber criminals, exploit user information to commit acts of identity theft, Advanced Persistent Threats (APTs) and password recovery, to mention only a few. As OSN users are incapable of visualising the process of access to their OSN information, they may choose to never adjust their security settings. This can become synonymous with ultimately setting themselves up to becoming a victim of cyber crime. In this dissertation we aim to address this problem by proposing a prototype system, the Information Deduction Model (IDM) that can visualise and simulate the process of accessing information on an OSN profile. By visually explaining concepts such as information access, deduction and leakage, we aim to provide users with a tool that will enable them to make more informed choices about the security settings on their OSN profiles thereby setting themselves up for a pleasant online experience.
- Full Text:
- Authors: Louw, Candice
- Date: 2015-06-30
- Subjects: Online social networks - Access control , Online social networks - Security measures , Data protection
- Type: Thesis
- Identifier: uj:13662 , http://hdl.handle.net/10210/13846
- Description: M.Sc. (Computer Science) , With the phenomenal growth of the Online Social Network (OSN) industry in the past few years, users have resorted to storing vast amounts of personal information on these sites. The information stored on these sites is often readily accessible from anywhere in the world and not always protected by adequate security settings. As a result, user information can make its way, unintentionally, into the hands of not only other online users, but also online abusers. Online abusers, better known as cyber criminals, exploit user information to commit acts of identity theft, Advanced Persistent Threats (APTs) and password recovery, to mention only a few. As OSN users are incapable of visualising the process of access to their OSN information, they may choose to never adjust their security settings. This can become synonymous with ultimately setting themselves up to becoming a victim of cyber crime. In this dissertation we aim to address this problem by proposing a prototype system, the Information Deduction Model (IDM) that can visualise and simulate the process of accessing information on an OSN profile. By visually explaining concepts such as information access, deduction and leakage, we aim to provide users with a tool that will enable them to make more informed choices about the security settings on their OSN profiles thereby setting themselves up for a pleasant online experience.
- Full Text:
Application of the access path model with specific reference to the SAP R/3 environment
- Authors: Pretorius, Maria Rebecca
- Date: 2014-10-07
- Subjects: Computer security , Data protection , Computers - Access control
- Type: Thesis
- Identifier: uj:12534 , http://hdl.handle.net/10210/12328
- Description: M.Com. (Computer Auditing) , The management and control of modern day computer systems are becoming more and more trying due to the complexity of systems. This renders the traditional approach to evaluating controls in complex computer systems, inadequate and heightens the need for an alternative audit approach. The complex SAP R/3 environment will be evaluated in terms of security and validity of users and processes. This will be achieved through the use of an alternative audit approach namely, the application of the Access Path and Path Context Models (Boshoff 1985, 1990). The research methodology used during this research may indicate universal application implications for similar complex environments, although this has not yet been proved. The research showed that there are many control features available in the different software c.omponents of the SAP R/3 environment, that can be applied to control access and validity of users and processes. The duplication of control features provided by the software components, requires a global approach to security inthe defined environment. Only when evaluating the environment as a whole, will it be able to make the most effective security decisions. The use of the control matrices developed during this research will ease the global evaluation of the SAP R/3 environment. Although further research is required, the above has proven the usefulness of both the research methodology and the resultant model and matrices.
- Full Text:
- Authors: Pretorius, Maria Rebecca
- Date: 2014-10-07
- Subjects: Computer security , Data protection , Computers - Access control
- Type: Thesis
- Identifier: uj:12534 , http://hdl.handle.net/10210/12328
- Description: M.Com. (Computer Auditing) , The management and control of modern day computer systems are becoming more and more trying due to the complexity of systems. This renders the traditional approach to evaluating controls in complex computer systems, inadequate and heightens the need for an alternative audit approach. The complex SAP R/3 environment will be evaluated in terms of security and validity of users and processes. This will be achieved through the use of an alternative audit approach namely, the application of the Access Path and Path Context Models (Boshoff 1985, 1990). The research methodology used during this research may indicate universal application implications for similar complex environments, although this has not yet been proved. The research showed that there are many control features available in the different software c.omponents of the SAP R/3 environment, that can be applied to control access and validity of users and processes. The duplication of control features provided by the software components, requires a global approach to security inthe defined environment. Only when evaluating the environment as a whole, will it be able to make the most effective security decisions. The use of the control matrices developed during this research will ease the global evaluation of the SAP R/3 environment. Although further research is required, the above has proven the usefulness of both the research methodology and the resultant model and matrices.
- Full Text:
A secure, anonymous, real-time cyber-security information sharing system with respect to critical information infrastructure protection
- Authors: Mohideen, Feroze
- Date: 2015
- Subjects: Computer security , Data protection , Computers - Access control , Cyber intelligence (Computer security) , Supervisory control systems
- Language: English
- Type: Masters (Thesis)
- Identifier: http://hdl.handle.net/10210/84671 , uj:19250
- Description: Abstract: Please refer to full text to view abstract , M.Sc.
- Full Text:
- Authors: Mohideen, Feroze
- Date: 2015
- Subjects: Computer security , Data protection , Computers - Access control , Cyber intelligence (Computer security) , Supervisory control systems
- Language: English
- Type: Masters (Thesis)
- Identifier: http://hdl.handle.net/10210/84671 , uj:19250
- Description: Abstract: Please refer to full text to view abstract , M.Sc.
- Full Text:
A model for a secure fully wireless telemedicine system
- Authors: Ngoss, Ngue Baha Djob
- Date: 2008-07-07T09:27:45Z
- Subjects: Wireless telecommunication systems , Telecommunication in medicine , Computer security , Data protection
- Type: Thesis
- Identifier: uj:10227 , http://hdl.handle.net/10210/759
- Description: New wireless communication technology standards are being released every year. Wireless technologies merely differ from one another by their range and speed and can each be selected according to the type of application in use. Mobility and ubiquity are the main benefits that can be extracted by using those technologies. On the other hand, telemedicine is the use of communication technologies to provide medical care and thus avoid the usual face-to-face, physician-to-patient scenario. With telemedicine, a physician can treat a patient located at a remote site. Early telemedicine systems used technologies that were available at the time, such as the telephone. Integrating wireless technologies into telemedicine systems would surely provide a huge boost to the improvement of the delivery of healthcare. However, telemedicine and wireless technologies are both emerging scientific concepts. Scientific concepts always have to face challenges prior to popularisation. The more important barriers to the adoption of wireless telemedicine are security and privacy. Medical practitioners are doing their best to preserve the privacy of their patients. Disclosure of patients’ health information may lead to severe legal sanctions. Security flaws in a wireless telemedicine system would lead to privacy breaches. Patient privacy, which physicians have tried so hard to protect, would consequently be out of their control. This dissertation will achieve two goals. The first goal is to show how different wireless technologies could be integrated into telemedicine to provide different applications. The second goal is to design a fully wireless telemedicine system where the information of patients will flow securely. The model described in this dissertation shows a possible wireless telemedicine scenario using different types of wireless technologies. The model also proposes a solution to allow the secure flow of medical information in order to protect the privacy of patients. , Dr. E. Marais
- Full Text:
- Authors: Ngoss, Ngue Baha Djob
- Date: 2008-07-07T09:27:45Z
- Subjects: Wireless telecommunication systems , Telecommunication in medicine , Computer security , Data protection
- Type: Thesis
- Identifier: uj:10227 , http://hdl.handle.net/10210/759
- Description: New wireless communication technology standards are being released every year. Wireless technologies merely differ from one another by their range and speed and can each be selected according to the type of application in use. Mobility and ubiquity are the main benefits that can be extracted by using those technologies. On the other hand, telemedicine is the use of communication technologies to provide medical care and thus avoid the usual face-to-face, physician-to-patient scenario. With telemedicine, a physician can treat a patient located at a remote site. Early telemedicine systems used technologies that were available at the time, such as the telephone. Integrating wireless technologies into telemedicine systems would surely provide a huge boost to the improvement of the delivery of healthcare. However, telemedicine and wireless technologies are both emerging scientific concepts. Scientific concepts always have to face challenges prior to popularisation. The more important barriers to the adoption of wireless telemedicine are security and privacy. Medical practitioners are doing their best to preserve the privacy of their patients. Disclosure of patients’ health information may lead to severe legal sanctions. Security flaws in a wireless telemedicine system would lead to privacy breaches. Patient privacy, which physicians have tried so hard to protect, would consequently be out of their control. This dissertation will achieve two goals. The first goal is to show how different wireless technologies could be integrated into telemedicine to provide different applications. The second goal is to design a fully wireless telemedicine system where the information of patients will flow securely. The model described in this dissertation shows a possible wireless telemedicine scenario using different types of wireless technologies. The model also proposes a solution to allow the secure flow of medical information in order to protect the privacy of patients. , Dr. E. Marais
- Full Text:
Smart card byte code identification using power electromagnetic radiations analysis and machine learning
- Authors: Djonon Tsague, Hippolyte
- Date: 2018
- Subjects: Embedded computer systems - Security measures , Smart cards - Security measures , Computer security , Data protection , Data encryption (Computer science)
- Language: English
- Type: Doctoral (Thesis)
- Identifier: http://hdl.handle.net/10210/286050 , uj:30945
- Description: D.Ing. (Electrical Engineering) , Abstract: Power Analysis or Side-Channel Attack aimed at embedded systems such as smart cards has gained momentum to become a very important and well-studied area in computer security. Side-channels are unwanted and exploitable by-products information leaked from cryptographic devices that an attacker or a hacker can utilize to reveal secret information stored or processed by those devices. In most instances it is easier to acquire the secret keys hidden in cryptographic hardware from such techniques than to attempt to break the cryptographic algorithm. One such side-channel attack is the electromagnetic side-channel attack, giving rise to electromagnetic analysis (EMA). In this thesis, we take a different approach towards side-channels. Instead of exploiting side-channel to derive cryptographic keys, we present techniques, algorithms and use-cases to identify instruction-dependent information from smart card code by analyzing their electromagnetic emanation and power consumption. This has resulted in the so-called side-channel disassembler offering new applications or uses that were not previously explored in the embedded design. Although the idea of recognizing executed micro-controller instructions using side-channel analysis is not new, previous implementations reported in available literature did not yield good enough accuracy to be relevant for practical applications. Our first use-case presents the practical results of a real-life smart card malware detection. We present an implementation consisting of reconstructing a malware program executed on a smart card device using the emanated electromagnetic radiation only. This is useful in the sense that it allows network engineers to immediately detect the presence of the Sykipot malware in a smart card environment almost instantaneously. It has been demonstrated that it takes approximately 229 days for network engineers to detect a malware attack. So this implementation goes a long way towards improving such statistics. Our solution makes use of machine learning techniques applied to data involving a substantial number of correlated variables. To effectively reduce the number of variable under consideration, we use dimension reduction algorithms such as PCA and LDA. K-Nearest neighbor (k-NN) search is applied as a learning and classification technique to recognize and detect malware presence in the device. Genetic Algorithms are further applied to improve some of the k-NN limitations and shortcomings. Our implementation shows very promising results in the sense that our malware detection tool produced a recognition rate of up to 90%. The second use-case analyzes the recorded power consumption of a micro-controller to extract Hamming weights of executed instructions including operands. These Hamming weights are transformed into strings that can be used to overcome the popular dummy instruction countermeasure. Although the presented technique is only applied to the dummy and random instruction countermeasure, a similar approach can be applied to other variants of side-channel countermeasures. Such findings highlight the fact that most available countermeasures can easily be overcome. As a contribution toward building more effective countermeasures to side-channel analysis, we proposed three techniques with their simulated results. The first technique relies on mathematical equations for modeling the performance trade-offs of logic circuits. Using such equations, effective models for leakage reduction in CMOS are easily deduced. Among other, it is argued and demonstrated that the use of high dielectric constant can be a very effective technique for reducing CMOS leakages. In the second proposition, we highlight the use of strained-Si in CMOS device fabrication. In our proposition, the emphasis is on mobility enhancement as a result of strain. The study is carried out...
- Full Text:
- Authors: Djonon Tsague, Hippolyte
- Date: 2018
- Subjects: Embedded computer systems - Security measures , Smart cards - Security measures , Computer security , Data protection , Data encryption (Computer science)
- Language: English
- Type: Doctoral (Thesis)
- Identifier: http://hdl.handle.net/10210/286050 , uj:30945
- Description: D.Ing. (Electrical Engineering) , Abstract: Power Analysis or Side-Channel Attack aimed at embedded systems such as smart cards has gained momentum to become a very important and well-studied area in computer security. Side-channels are unwanted and exploitable by-products information leaked from cryptographic devices that an attacker or a hacker can utilize to reveal secret information stored or processed by those devices. In most instances it is easier to acquire the secret keys hidden in cryptographic hardware from such techniques than to attempt to break the cryptographic algorithm. One such side-channel attack is the electromagnetic side-channel attack, giving rise to electromagnetic analysis (EMA). In this thesis, we take a different approach towards side-channels. Instead of exploiting side-channel to derive cryptographic keys, we present techniques, algorithms and use-cases to identify instruction-dependent information from smart card code by analyzing their electromagnetic emanation and power consumption. This has resulted in the so-called side-channel disassembler offering new applications or uses that were not previously explored in the embedded design. Although the idea of recognizing executed micro-controller instructions using side-channel analysis is not new, previous implementations reported in available literature did not yield good enough accuracy to be relevant for practical applications. Our first use-case presents the practical results of a real-life smart card malware detection. We present an implementation consisting of reconstructing a malware program executed on a smart card device using the emanated electromagnetic radiation only. This is useful in the sense that it allows network engineers to immediately detect the presence of the Sykipot malware in a smart card environment almost instantaneously. It has been demonstrated that it takes approximately 229 days for network engineers to detect a malware attack. So this implementation goes a long way towards improving such statistics. Our solution makes use of machine learning techniques applied to data involving a substantial number of correlated variables. To effectively reduce the number of variable under consideration, we use dimension reduction algorithms such as PCA and LDA. K-Nearest neighbor (k-NN) search is applied as a learning and classification technique to recognize and detect malware presence in the device. Genetic Algorithms are further applied to improve some of the k-NN limitations and shortcomings. Our implementation shows very promising results in the sense that our malware detection tool produced a recognition rate of up to 90%. The second use-case analyzes the recorded power consumption of a micro-controller to extract Hamming weights of executed instructions including operands. These Hamming weights are transformed into strings that can be used to overcome the popular dummy instruction countermeasure. Although the presented technique is only applied to the dummy and random instruction countermeasure, a similar approach can be applied to other variants of side-channel countermeasures. Such findings highlight the fact that most available countermeasures can easily be overcome. As a contribution toward building more effective countermeasures to side-channel analysis, we proposed three techniques with their simulated results. The first technique relies on mathematical equations for modeling the performance trade-offs of logic circuits. Using such equations, effective models for leakage reduction in CMOS are easily deduced. Among other, it is argued and demonstrated that the use of high dielectric constant can be a very effective technique for reducing CMOS leakages. In the second proposition, we highlight the use of strained-Si in CMOS device fabrication. In our proposition, the emphasis is on mobility enhancement as a result of strain. The study is carried out...
- Full Text:
An analysis of information security governance models
- Authors: Sibanda, Mbusi
- Date: 2012-06-06
- Subjects: Information security governance , Computer networks security , Data protection
- Type: Thesis
- Identifier: uj:2493 , http://hdl.handle.net/10210/4947
- Description: M.Comm. , This study will point out the need for information security governance. Since the risk that a specific information security incident will occur is not always obvious, it is difficult for an organisation to invest time and money in information security governance. An information security governance model should therefore be extensive enough to include all possible security scenarios. This should enable any implementing organisation to prevent or indirectly intervene in the occurrence of security-related incidents within its perimeters. An analysis of the existing models will be conducted and will combine drivers from the corporate governance, information technology governance and information security governance disciplines. It can be expected that the information security governance model will inherit a number of the respective best practice and related documents’ benefits and advantages. These inherited benefits add enormous value to both the best practice model and the information security governance discipline.
- Full Text:
- Authors: Sibanda, Mbusi
- Date: 2012-06-06
- Subjects: Information security governance , Computer networks security , Data protection
- Type: Thesis
- Identifier: uj:2493 , http://hdl.handle.net/10210/4947
- Description: M.Comm. , This study will point out the need for information security governance. Since the risk that a specific information security incident will occur is not always obvious, it is difficult for an organisation to invest time and money in information security governance. An information security governance model should therefore be extensive enough to include all possible security scenarios. This should enable any implementing organisation to prevent or indirectly intervene in the occurrence of security-related incidents within its perimeters. An analysis of the existing models will be conducted and will combine drivers from the corporate governance, information technology governance and information security governance disciplines. It can be expected that the information security governance model will inherit a number of the respective best practice and related documents’ benefits and advantages. These inherited benefits add enormous value to both the best practice model and the information security governance discipline.
- Full Text:
Implementing an effective information security awareness program
- Authors: Wolmarans, Amanda
- Date: 2008-07-18T13:41:53Z
- Subjects: Computer security , Data protection
- Type: Mini-Dissertation
- Identifier: uj:7363 , http://hdl.handle.net/10210/811
- Description: The aim of this project and dissertation is to develop an effective information security awareness program that can be implemented within an organization. The project starts with a literature study that focuses on the requirements for an information security awareness program, research that has already been done in this area and behavioural issues that need to be considered during the implementation of such a program. A secondary deliverable of this project is to develop a web-based security awareness program that can be used to make employees more security aware and that should compliment a total security awareness program within an organization. Chapter 1 provides an overview of the problem statement, the objectives and structure of the project and dissertation, and the approach that was followed to solve the problem. In chapter 2 the concept of security awareness and the different components it consists of, are defined. The difference between awareness, training, and education, and the importance of implementing a security awareness environment within an organization, will be explained. Chapter 3 discusses the ISO 17799 security standard and what it says about security awareness and the importance of employee training. The security awareness prototype that was developed as part of this study plays a role in achieving the training objective. The Attitude problem is the focus of chapter 4. In order for a security awareness program to be effective, people’s attitude towards change must be changed. It is also important to measure the behavioural change to make sure that the attitude towards change did change. The security awareness prototype is introduced in this chapter and mentioned that this can be used to assist an organization to achieve their security awareness goals. Chapter 5 introduces the security awareness prototype in more detail. This prototype is an example of a web environment that can be used to train users to a higher degree of security awareness. Chapter 6 goes into more detail about the structure of the security awareness web environment. Access control and how it is achieved is explained. The objectives of the 10 modules and the test at the end of each module are also mentioned. Links and reports can also form part of this prototype to make it a more comprehensive solution. Chapter 7 provides an overview of a case study that I researched. It focuses on research done by Hi-Performance Learning about the human factor that is involved in any training program. I explain how they succeeded in addressing this and people’s sensitivity towards change. Chapter 8 explains the importance of choosing the right course content, learning media and course structure and how this led me to develop a web-based security awareness prototype. Other mechanisms like posters and brochures that can be used as part of a comprehensive security awareness program are discussed in chapter 9. Chapter 10 concludes the dissertation by providing an overview of how the security awareness program can be implemented and managed within an organization. A summary of how the objectives of this project and dissertation were met, are given at the end of this chapter. , Von Solms, S.H., Prof.
- Full Text:
- Authors: Wolmarans, Amanda
- Date: 2008-07-18T13:41:53Z
- Subjects: Computer security , Data protection
- Type: Mini-Dissertation
- Identifier: uj:7363 , http://hdl.handle.net/10210/811
- Description: The aim of this project and dissertation is to develop an effective information security awareness program that can be implemented within an organization. The project starts with a literature study that focuses on the requirements for an information security awareness program, research that has already been done in this area and behavioural issues that need to be considered during the implementation of such a program. A secondary deliverable of this project is to develop a web-based security awareness program that can be used to make employees more security aware and that should compliment a total security awareness program within an organization. Chapter 1 provides an overview of the problem statement, the objectives and structure of the project and dissertation, and the approach that was followed to solve the problem. In chapter 2 the concept of security awareness and the different components it consists of, are defined. The difference between awareness, training, and education, and the importance of implementing a security awareness environment within an organization, will be explained. Chapter 3 discusses the ISO 17799 security standard and what it says about security awareness and the importance of employee training. The security awareness prototype that was developed as part of this study plays a role in achieving the training objective. The Attitude problem is the focus of chapter 4. In order for a security awareness program to be effective, people’s attitude towards change must be changed. It is also important to measure the behavioural change to make sure that the attitude towards change did change. The security awareness prototype is introduced in this chapter and mentioned that this can be used to assist an organization to achieve their security awareness goals. Chapter 5 introduces the security awareness prototype in more detail. This prototype is an example of a web environment that can be used to train users to a higher degree of security awareness. Chapter 6 goes into more detail about the structure of the security awareness web environment. Access control and how it is achieved is explained. The objectives of the 10 modules and the test at the end of each module are also mentioned. Links and reports can also form part of this prototype to make it a more comprehensive solution. Chapter 7 provides an overview of a case study that I researched. It focuses on research done by Hi-Performance Learning about the human factor that is involved in any training program. I explain how they succeeded in addressing this and people’s sensitivity towards change. Chapter 8 explains the importance of choosing the right course content, learning media and course structure and how this led me to develop a web-based security awareness prototype. Other mechanisms like posters and brochures that can be used as part of a comprehensive security awareness program are discussed in chapter 9. Chapter 10 concludes the dissertation by providing an overview of how the security awareness program can be implemented and managed within an organization. A summary of how the objectives of this project and dissertation were met, are given at the end of this chapter. , Von Solms, S.H., Prof.
- Full Text:
Objek-georiënteerde en rolgebaseerde verspreide inligtingsekerheid in 'n oop transaksieverwerking omgewing
- Authors: Van der Merwe, Jacobus
- Date: 2014-10-07
- Subjects: Computers - Access control , Data protection , Computer security , Object-oriented databases - Security measures
- Type: Thesis
- Identifier: uj:12539 , http://hdl.handle.net/10210/12332
- Description: M.Sc. (Computer Science) , Information is a valuable resource in any organisation and more and more organisations are realising this and want efficient means to protect it against disclosure, modification or destruction. Although relatively efficient security methods have been available almost as long as information databases, they all provide additional cost. This cost does not only involve money but also cost in terms of system performance and management of information security. Any new information security model must also provide better management of information security. In this dissertation we present a model that provides information security and aims to lower the technical skills required to manage information security using this approach. In any business organisation we can describe each employee's duties. Put in other words, we can say that each employee has a specific business role in the organisation. In organisations with many employees there are typically many employees that have more or less the same duties in the organisation. This means that employees can be grouped according to their business roles. We use an employee's role as a description of his/her duties in a business organisation. ' Each role needs resources to perform its duties in the organisation. In terms of computer systems, each role needs computer resources such as printers. Most roles need access to data files in the organisation's database but it is not desirable to give all roles access to all data files. It is obvious that roles have specific privileges and restrictions in terms of information resources. Information security can be achieved by identifying the business roles in an organisation and giving these roles only the privileges needed to fulfill their business function and then assigning these roles to people (users of the organisation's computer system). This is called role-based security. People's business functions are related, for example clerks and clerk-managers are related in the sense that a clerk-manager is a manager of clerks. Business roles are related in the same way. For an information security manager to assign roles to users it is important to see this relationship between roles. In this dissertation we present this relationship using a lattice graph which we call a role lattice. The main advantage of this is that it is eases information security management...
- Full Text:
- Authors: Van der Merwe, Jacobus
- Date: 2014-10-07
- Subjects: Computers - Access control , Data protection , Computer security , Object-oriented databases - Security measures
- Type: Thesis
- Identifier: uj:12539 , http://hdl.handle.net/10210/12332
- Description: M.Sc. (Computer Science) , Information is a valuable resource in any organisation and more and more organisations are realising this and want efficient means to protect it against disclosure, modification or destruction. Although relatively efficient security methods have been available almost as long as information databases, they all provide additional cost. This cost does not only involve money but also cost in terms of system performance and management of information security. Any new information security model must also provide better management of information security. In this dissertation we present a model that provides information security and aims to lower the technical skills required to manage information security using this approach. In any business organisation we can describe each employee's duties. Put in other words, we can say that each employee has a specific business role in the organisation. In organisations with many employees there are typically many employees that have more or less the same duties in the organisation. This means that employees can be grouped according to their business roles. We use an employee's role as a description of his/her duties in a business organisation. ' Each role needs resources to perform its duties in the organisation. In terms of computer systems, each role needs computer resources such as printers. Most roles need access to data files in the organisation's database but it is not desirable to give all roles access to all data files. It is obvious that roles have specific privileges and restrictions in terms of information resources. Information security can be achieved by identifying the business roles in an organisation and giving these roles only the privileges needed to fulfill their business function and then assigning these roles to people (users of the organisation's computer system). This is called role-based security. People's business functions are related, for example clerks and clerk-managers are related in the sense that a clerk-manager is a manager of clerks. Business roles are related in the same way. For an information security manager to assign roles to users it is important to see this relationship between roles. In this dissertation we present this relationship using a lattice graph which we call a role lattice. The main advantage of this is that it is eases information security management...
- Full Text:
'n Bestuurshulpmiddel vir die evaluering van 'n maatskappy se rekenaarsekerheidsgraad
- Authors: Von Solms, Rossouw
- Date: 2014-05-13
- Subjects: Electronic data processing departments - Security measures , Data protection , Computer security
- Type: Thesis
- Identifier: uj:11026 , http://hdl.handle.net/10210/10599
- Description: M.Sc. (Informatics) , Information is power. Any organization must secure and protect its entire information assets. Management is responsible for the well-being of the organization and consequently for computer security. Management must become and stay involved with the computer security situation of the organization, because the existence of any organization depends on an effective information system. One way in which management can stay continually involved and committed with the computer security situation of the organization, is by -, the periodic evaluation of computer security. The results from this evaluation process can initiate appropriate actions to increase computer security in areas needed. For effective management involvement, a tool is needed to aid management in monitoring the status of implementing computer security on a regular basis. The main objective of this dissertation is to develop such a management tool. Basically the thesis consists of three parts, namely framework for effective computer security evaluation, the definition of the criteria to be included in the tool and lastly, the tool itself. The framework (chapters 1 to 6) defines the basis on which the tool (chapters 7 to 9) is built, e.g. that computer security controls need to be cost-effective and should aid the organization in accomplishing its objectives. The framework is based on a two dimensional graph: firstly, tho various risk areas in which computer security should be applied and secondly, the severity of controls in each of these areas. The tool identifies numerous risk areas critical to the security of the computer and its environment. Each of these risk areas need to be evaluated to find out how well it is secured. From these results an overall computer security situation is pictured. The tool is presented as a spreadsheet, containing a number of questions. The built -in formulae in the spreadsheet perform calculations resulting in an appreciation of the computer security situation. The results of the security evaluation can be used by management to take appropriate actions regarding the computer security situation.
- Full Text:
- Authors: Von Solms, Rossouw
- Date: 2014-05-13
- Subjects: Electronic data processing departments - Security measures , Data protection , Computer security
- Type: Thesis
- Identifier: uj:11026 , http://hdl.handle.net/10210/10599
- Description: M.Sc. (Informatics) , Information is power. Any organization must secure and protect its entire information assets. Management is responsible for the well-being of the organization and consequently for computer security. Management must become and stay involved with the computer security situation of the organization, because the existence of any organization depends on an effective information system. One way in which management can stay continually involved and committed with the computer security situation of the organization, is by -, the periodic evaluation of computer security. The results from this evaluation process can initiate appropriate actions to increase computer security in areas needed. For effective management involvement, a tool is needed to aid management in monitoring the status of implementing computer security on a regular basis. The main objective of this dissertation is to develop such a management tool. Basically the thesis consists of three parts, namely framework for effective computer security evaluation, the definition of the criteria to be included in the tool and lastly, the tool itself. The framework (chapters 1 to 6) defines the basis on which the tool (chapters 7 to 9) is built, e.g. that computer security controls need to be cost-effective and should aid the organization in accomplishing its objectives. The framework is based on a two dimensional graph: firstly, tho various risk areas in which computer security should be applied and secondly, the severity of controls in each of these areas. The tool identifies numerous risk areas critical to the security of the computer and its environment. Each of these risk areas need to be evaluated to find out how well it is secured. From these results an overall computer security situation is pictured. The tool is presented as a spreadsheet, containing a number of questions. The built -in formulae in the spreadsheet perform calculations resulting in an appreciation of the computer security situation. The results of the security evaluation can be used by management to take appropriate actions regarding the computer security situation.
- Full Text:
Die ontwikkeling en implementering van 'n formele model vir logiese toegangsbeheer in rekenaarstelsels
- Authors: Edwards, Norman Godfrey
- Date: 2014-03-25
- Subjects: Computers - Access control , Data protection
- Type: Thesis
- Identifier: http://ujcontent.uj.ac.za8080/10210/383727 , uj:4470 , http://hdl.handle.net/10210/9810
- Description: M.Com. (Computer Science) , The area covered in this study is that of logical security models. A logical security model refers to the formal representation of a security policy which allows the subsequent movement of rights between subjects and objects in a system. The best way to illustrate the goal of this study, is with the following abstract from the submitted article, which originated from this study. 'The original protection graph rewriting grammar used to simulate the different operations of the Take/Grant model is reviewed. The productions of the PGR-grammar is then expanded, by adding a new context which is based on the different security classes found in the Bell Grid LaPadula model [14].' The first goal of this study was to take the Take/Grant security -model and expand it. This expansion included the concept of assigning a different security class to each subject and object in the model. This concept was derived from the Bell and LaPadula model as discussed in chapter 2 of this study. The next goal that was defined, was to expand the PGR-grammar of [28], so that it would also be able to simulate .the operations of this expanded Take/Grant model. The .PGR-grammar consisted of different permitting and forbidding node and edge contexts. This PGR-grammar was expanded by adding an additional context to the formal representation. This expansion is explained in detail in chapter 5 of this study. The third goal was to take the expansions, mentioned above, and implement them in a computer system. This computer system had to make use of an expert. system in order to reach certain conclusions. Each of the operations of the Take/Grant model must be evaluated, to determine whether that rule can be applied or not. The use of the expert system is explained in chapters 6 and 7 of this study. This study consists out of eight chapters in the following order. Chapter 2 starts of with an introduction of some of the most important logical security models. This chapter gives the reader background knowledge of the different models available, which is essential for the rest of the study. This chapter, however, does not discuss the Take/Grant model in detail. This is done in chapter 3 of the study. In this chapter the Take Grant model is discussed as a major input to this study. The Send Receive model is also discussed as a variation of the Take/Grant model. In the last section of the chapter a comparison is drawn between these two models. Chapter 4 formalizes the Take/Grant model. The protection graph rewriting grammar (PGR-grammar), which is used to simulate the different operations of the Take/Grant model, is introduced...
- Full Text:
- Authors: Edwards, Norman Godfrey
- Date: 2014-03-25
- Subjects: Computers - Access control , Data protection
- Type: Thesis
- Identifier: http://ujcontent.uj.ac.za8080/10210/383727 , uj:4470 , http://hdl.handle.net/10210/9810
- Description: M.Com. (Computer Science) , The area covered in this study is that of logical security models. A logical security model refers to the formal representation of a security policy which allows the subsequent movement of rights between subjects and objects in a system. The best way to illustrate the goal of this study, is with the following abstract from the submitted article, which originated from this study. 'The original protection graph rewriting grammar used to simulate the different operations of the Take/Grant model is reviewed. The productions of the PGR-grammar is then expanded, by adding a new context which is based on the different security classes found in the Bell Grid LaPadula model [14].' The first goal of this study was to take the Take/Grant security -model and expand it. This expansion included the concept of assigning a different security class to each subject and object in the model. This concept was derived from the Bell and LaPadula model as discussed in chapter 2 of this study. The next goal that was defined, was to expand the PGR-grammar of [28], so that it would also be able to simulate .the operations of this expanded Take/Grant model. The .PGR-grammar consisted of different permitting and forbidding node and edge contexts. This PGR-grammar was expanded by adding an additional context to the formal representation. This expansion is explained in detail in chapter 5 of this study. The third goal was to take the expansions, mentioned above, and implement them in a computer system. This computer system had to make use of an expert. system in order to reach certain conclusions. Each of the operations of the Take/Grant model must be evaluated, to determine whether that rule can be applied or not. The use of the expert system is explained in chapters 6 and 7 of this study. This study consists out of eight chapters in the following order. Chapter 2 starts of with an introduction of some of the most important logical security models. This chapter gives the reader background knowledge of the different models available, which is essential for the rest of the study. This chapter, however, does not discuss the Take/Grant model in detail. This is done in chapter 3 of the study. In this chapter the Take Grant model is discussed as a major input to this study. The Send Receive model is also discussed as a variation of the Take/Grant model. In the last section of the chapter a comparison is drawn between these two models. Chapter 4 formalizes the Take/Grant model. The protection graph rewriting grammar (PGR-grammar), which is used to simulate the different operations of the Take/Grant model, is introduced...
- Full Text:
Information security management : processes and metrics
- Authors: Von Solms, Rossouw
- Date: 2014-09-11
- Subjects: Data protection , Computer security
- Type: Thesis
- Identifier: uj:12275 , http://hdl.handle.net/10210/12038
- Description: PhD. (Informatics) , Organizations become daily more dependent on information. Information is captured, processed, stored and distributed by the information resources and services within the organization. These information resources and services should be secured to ensure a high level of availability, integrity and privacy of this information at all times. This process is referred to as Information Security Management. The main objective of this, thesis is to identify all the processes that constitute Information Security Management and to define a metric through which the information security status of the organization can be measured and presented. It is necessary to identify an individual or a department which will be responsible for introducing and managing the information security controls to maintain a high level of security within the organization. The position .and influence of this individual, called the Information Security officer, and/or department within the organization, is described in chapter 2. The various processes and subprocesses constituting Information Security Management are identified and grouped in chapter 3. One of these processes, Measuring and Reporting, is currently very ill-defined and few guidelines and/or tools exist currently to help the Information Security officer to perform this task. For this reason the rest of the thesis is devoted to providing an effective means to enable the Information Security officer to measure and report the information security status in an effective way...
- Full Text:
- Authors: Von Solms, Rossouw
- Date: 2014-09-11
- Subjects: Data protection , Computer security
- Type: Thesis
- Identifier: uj:12275 , http://hdl.handle.net/10210/12038
- Description: PhD. (Informatics) , Organizations become daily more dependent on information. Information is captured, processed, stored and distributed by the information resources and services within the organization. These information resources and services should be secured to ensure a high level of availability, integrity and privacy of this information at all times. This process is referred to as Information Security Management. The main objective of this, thesis is to identify all the processes that constitute Information Security Management and to define a metric through which the information security status of the organization can be measured and presented. It is necessary to identify an individual or a department which will be responsible for introducing and managing the information security controls to maintain a high level of security within the organization. The position .and influence of this individual, called the Information Security officer, and/or department within the organization, is described in chapter 2. The various processes and subprocesses constituting Information Security Management are identified and grouped in chapter 3. One of these processes, Measuring and Reporting, is currently very ill-defined and few guidelines and/or tools exist currently to help the Information Security officer to perform this task. For this reason the rest of the thesis is devoted to providing an effective means to enable the Information Security officer to measure and report the information security status in an effective way...
- Full Text:
Information security in the client/server environment
- Authors: Botha, Reinhardt A
- Date: 2012-08-23
- Subjects: Client/server computing , Data protection , Computers - Access control
- Type: Thesis
- Identifier: uj:3117 , http://hdl.handle.net/10210/6538
- Description: M.Sc. (Computer Science) , Client/Server computing is currently one of the buzzwords in the computer industry. The client/server environment can be defined as an open systems environment. This openness of the client/server environment makes it a very popular environment to operate in. As information are exceedingly accessed in a client/server manner certain security issues arise. In order to address this definite need for a secure client/server environment it is necessary to firstly define the client/server environment. This is accomplished through defining three possible ways to partition programs within the client/server environment. Security, or secure systems, have a different meaning for different people. This dissertation defines six attributes of information that should be maintained in order to have secure information. For certain environments some of these attributes may be unnecessary or of lesser importance. Different security techniques and measures are discussed and classified in terms of the client/server partitions and the security attributes that are maintained by them. This is presented in the form of a matrix and provides an easy reference to decide on security measures in the client/server environment in order to protect a specific aspect of the information. The importance of a security policy and more specifically the influence of the client/server environment on such a policy are discussed and it is demonstrated that the framework can assist in drawing up a security policy for a client/server environment. This dissertation furthermore defines an electronic document .management system as a case study. It is shown that the client/server environment is a suitable environment for such a system. The security needs and problems are identified and classified in terms of the security attributes. Solutions to the problems are discussed in order to provide a reasonably secure electronic document management system environment.
- Full Text:
- Authors: Botha, Reinhardt A
- Date: 2012-08-23
- Subjects: Client/server computing , Data protection , Computers - Access control
- Type: Thesis
- Identifier: uj:3117 , http://hdl.handle.net/10210/6538
- Description: M.Sc. (Computer Science) , Client/Server computing is currently one of the buzzwords in the computer industry. The client/server environment can be defined as an open systems environment. This openness of the client/server environment makes it a very popular environment to operate in. As information are exceedingly accessed in a client/server manner certain security issues arise. In order to address this definite need for a secure client/server environment it is necessary to firstly define the client/server environment. This is accomplished through defining three possible ways to partition programs within the client/server environment. Security, or secure systems, have a different meaning for different people. This dissertation defines six attributes of information that should be maintained in order to have secure information. For certain environments some of these attributes may be unnecessary or of lesser importance. Different security techniques and measures are discussed and classified in terms of the client/server partitions and the security attributes that are maintained by them. This is presented in the form of a matrix and provides an easy reference to decide on security measures in the client/server environment in order to protect a specific aspect of the information. The importance of a security policy and more specifically the influence of the client/server environment on such a policy are discussed and it is demonstrated that the framework can assist in drawing up a security policy for a client/server environment. This dissertation furthermore defines an electronic document .management system as a case study. It is shown that the client/server environment is a suitable environment for such a system. The security needs and problems are identified and classified in terms of the security attributes. Solutions to the problems are discussed in order to provide a reasonably secure electronic document management system environment.
- Full Text:
Automated secure systems development methodology
- Booysen, Hester Aletta Susanna
- Authors: Booysen, Hester Aletta Susanna
- Date: 2014-11-20
- Subjects: Computers - Access control , Computer security , Data protection
- Type: Thesis
- Identifier: uj:13093 , http://hdl.handle.net/10210/12971
- Description: D.Com. (Informatics) , The complexity of modern computer-based information systems is such that, for all but the simplest of examples, they cannot be produced without a considerable amount of prior planning and preparation. The actual difficulties of trying to design, develop and implement complex computer-based systems have been recognised as early as the seventies. In a bid to deal with what was then referred to as the "software crisis", a number of so- called "methodologies" were advocated. Those methodologies were, in turn, based on a collection of guidelines or methods thanks to which their designers could eventually make the claim that computer systems, and in particular information systems, could be designed and developed with a greater degree of success. By using a clear set of rules, or at least reasonably detailed principles, they could ensure that the various design and development tasks be performed in a methodical, organ ised fashion. Irrespective of the methodologies or guidelines that were adopted or laid down, the developers principal aim was to ensure that all relevant detail about the proposed information systems would be taken into account during the long and often drawn-out design and development process. Unfortunately, many of those methodologies and guidelines date from the early 1970s and, as a result, no longer meet the security requirements and guidelines of today's information systems. It was never attempted under any of those methodolog ies, however, to unriddle the difficulties they had come up against in information security in the domain of system development . Security concerns should however, form an integral part of the planning, development and maintenance of a computer application. Each application system should for example, take the necessary security measures in any given situation.
- Full Text:
- Authors: Booysen, Hester Aletta Susanna
- Date: 2014-11-20
- Subjects: Computers - Access control , Computer security , Data protection
- Type: Thesis
- Identifier: uj:13093 , http://hdl.handle.net/10210/12971
- Description: D.Com. (Informatics) , The complexity of modern computer-based information systems is such that, for all but the simplest of examples, they cannot be produced without a considerable amount of prior planning and preparation. The actual difficulties of trying to design, develop and implement complex computer-based systems have been recognised as early as the seventies. In a bid to deal with what was then referred to as the "software crisis", a number of so- called "methodologies" were advocated. Those methodologies were, in turn, based on a collection of guidelines or methods thanks to which their designers could eventually make the claim that computer systems, and in particular information systems, could be designed and developed with a greater degree of success. By using a clear set of rules, or at least reasonably detailed principles, they could ensure that the various design and development tasks be performed in a methodical, organ ised fashion. Irrespective of the methodologies or guidelines that were adopted or laid down, the developers principal aim was to ensure that all relevant detail about the proposed information systems would be taken into account during the long and often drawn-out design and development process. Unfortunately, many of those methodologies and guidelines date from the early 1970s and, as a result, no longer meet the security requirements and guidelines of today's information systems. It was never attempted under any of those methodolog ies, however, to unriddle the difficulties they had come up against in information security in the domain of system development . Security concerns should however, form an integral part of the planning, development and maintenance of a computer application. Each application system should for example, take the necessary security measures in any given situation.
- Full Text:
The Community-oriented Computer Security, Advisory and Warning Team
- Von Solms, Sebastiaan, Ellefsen, Ian
- Authors: Von Solms, Sebastiaan , Ellefsen, Ian
- Date: 2010
- Subjects: Critical information infrastructure protection , Cyber attacks , Information technology security , Community-oriented Advisory, Security and Warning Teams , C-SAW Teams , CSIRT structures , Data protection , Internet safety measures , Computer Security Incident Response Team structures , WARP
- Type: Article
- Identifier: uj:6203 , ISBN 978-1-905824-15-1 , http://hdl.handle.net/10210/5285
- Description: Critical information infrastructure protection is vital for any nation. Many of a country’s critical systems are interconnected via an information infrastructure, such as the Internet. Should the information infrastructure be targeted by remote attacks, it would have a devastating effect on functioning of a country. Developing nations are no exception. As broadband penetration rates increase, and as Internet access speeds increase, developing nations have to implement safeguards to ensure that their information infrastructure is not target or abused by cyber attackers. Many nations implement CSIRT structures to aid in the protection of their information infrastructure. However these structures are expensive to set up and maintain. In this paper we introduce a Community-oriented Advisory, Security and Warning (C-SAW) Team, which aims to be a cost effective alternative to a CSIRT. C-SAW Teams aims to combine cost-effectiveness with the ability to mutate into a full-scale CSIRT structure over time.
- Full Text:
- Authors: Von Solms, Sebastiaan , Ellefsen, Ian
- Date: 2010
- Subjects: Critical information infrastructure protection , Cyber attacks , Information technology security , Community-oriented Advisory, Security and Warning Teams , C-SAW Teams , CSIRT structures , Data protection , Internet safety measures , Computer Security Incident Response Team structures , WARP
- Type: Article
- Identifier: uj:6203 , ISBN 978-1-905824-15-1 , http://hdl.handle.net/10210/5285
- Description: Critical information infrastructure protection is vital for any nation. Many of a country’s critical systems are interconnected via an information infrastructure, such as the Internet. Should the information infrastructure be targeted by remote attacks, it would have a devastating effect on functioning of a country. Developing nations are no exception. As broadband penetration rates increase, and as Internet access speeds increase, developing nations have to implement safeguards to ensure that their information infrastructure is not target or abused by cyber attackers. Many nations implement CSIRT structures to aid in the protection of their information infrastructure. However these structures are expensive to set up and maintain. In this paper we introduce a Community-oriented Advisory, Security and Warning (C-SAW) Team, which aims to be a cost effective alternative to a CSIRT. C-SAW Teams aims to combine cost-effectiveness with the ability to mutate into a full-scale CSIRT structure over time.
- Full Text:
Die toepassing van ekspertstelseltegnologie binne inligtingsekerheid
- Authors: De Ru, Willem Gerhardus
- Date: 2014-09-18
- Subjects: Expert systems (Computer science) , Data protection , Data security
- Type: Thesis
- Identifier: http://ujcontent.uj.ac.za8080/10210/372918 , uj:12339 , http://hdl.handle.net/10210/12125
- Description: M.Sc. (Computer Science) , Please refer to full text to view abstract
- Full Text:
- Authors: De Ru, Willem Gerhardus
- Date: 2014-09-18
- Subjects: Expert systems (Computer science) , Data protection , Data security
- Type: Thesis
- Identifier: http://ujcontent.uj.ac.za8080/10210/372918 , uj:12339 , http://hdl.handle.net/10210/12125
- Description: M.Sc. (Computer Science) , Please refer to full text to view abstract
- Full Text:
A multi-dimensional model for information security management
- Authors: Eloff, Maria Margaretha
- Date: 2011-12-06
- Subjects: Information resources management , Data protection , Computer security , Database management security measures
- Type: Thesis
- Identifier: uj:1794 , http://hdl.handle.net/10210/4158
- Description: D.Phil. , Any organisation is dependent on its information technology resources. The challenges posed by new developments such as the World Wide Web and e-business, require new approaches to address the management and protection of IT resources. Various documents exist containing recommendations for the best practice to follow for information security management. BS7799 is such a code of practice for information security management. The most important problem to be addressed in this thesis is the need for new approaches and perspectives on information security (IS) management in an organisation to take cognisance of changing requirements in the realm of information technology. In this thesis various models and tools are developed that can assist management in understanding, adapting and using internationally accepted codes of practice for information security management to the best benefit of their organisations. The thesis consists of three parts. Chapter 1 and Chapter 2 constitute Part 1: Introduction and Background. In Chapter 1 the problem statement, objectives and deliverables are given. Further the chapter contains definitions of important terminology used in the thesis as well as an overview of the research. Chapter 2 defines various terms associated with information security management in an attempt to eliminate existing confusion. The terms are mapped onto a hierarchical framework in order to illustrate the relationship between the different terms. In Part 2: IS Management Perspectives and Models, consisting of chapters 3, 4, 5 and 6, new approaches to information security management is discussed. In Chapter 3 different perspectives on using a code of practice, such as BS7799 for IS management, is presented. The different perspectives are based on the unique characteristics of the organisation such as its size and functional purpose. These different perspectives also enable organisations to focus on the controls for specific resources or security services such as integrity or confidentiality. In Chapter 4 these different perspectives ofbusiness type/size, the security services and the resources are integrated into a multi-dimensional model and mapped onto BS7799. Using the multi-dimensional model will enable management to answer questions such as: "Which BS7799 controls must a small retail organisation interested in preserving the confidentiality of their networks implement?" In Chapter 5 the SecComp model is proposed to assist in determining how well an organisation has implemented the BS7799 controls recommended for their needs. In Chapter 6 the underlying implemented IT infrastructure, i.e. the software, hardware and network products are also incorporated into determining if the information assets of organisations are sufficiently protected. This chapter combines technology aspects with management aspects to provide a consolidated approach towards the evaluation of IS. The thesis culminates in Part 3: Conclusion, which comprises one chapter only. In this last chapter, Chapter 7, the research undertaken thus far is summarised and the pros and cons of the proposed modelling approach is weighed up. The thesis is concluded with a reflection on possible areas for further research.
- Full Text:
- Authors: Eloff, Maria Margaretha
- Date: 2011-12-06
- Subjects: Information resources management , Data protection , Computer security , Database management security measures
- Type: Thesis
- Identifier: uj:1794 , http://hdl.handle.net/10210/4158
- Description: D.Phil. , Any organisation is dependent on its information technology resources. The challenges posed by new developments such as the World Wide Web and e-business, require new approaches to address the management and protection of IT resources. Various documents exist containing recommendations for the best practice to follow for information security management. BS7799 is such a code of practice for information security management. The most important problem to be addressed in this thesis is the need for new approaches and perspectives on information security (IS) management in an organisation to take cognisance of changing requirements in the realm of information technology. In this thesis various models and tools are developed that can assist management in understanding, adapting and using internationally accepted codes of practice for information security management to the best benefit of their organisations. The thesis consists of three parts. Chapter 1 and Chapter 2 constitute Part 1: Introduction and Background. In Chapter 1 the problem statement, objectives and deliverables are given. Further the chapter contains definitions of important terminology used in the thesis as well as an overview of the research. Chapter 2 defines various terms associated with information security management in an attempt to eliminate existing confusion. The terms are mapped onto a hierarchical framework in order to illustrate the relationship between the different terms. In Part 2: IS Management Perspectives and Models, consisting of chapters 3, 4, 5 and 6, new approaches to information security management is discussed. In Chapter 3 different perspectives on using a code of practice, such as BS7799 for IS management, is presented. The different perspectives are based on the unique characteristics of the organisation such as its size and functional purpose. These different perspectives also enable organisations to focus on the controls for specific resources or security services such as integrity or confidentiality. In Chapter 4 these different perspectives ofbusiness type/size, the security services and the resources are integrated into a multi-dimensional model and mapped onto BS7799. Using the multi-dimensional model will enable management to answer questions such as: "Which BS7799 controls must a small retail organisation interested in preserving the confidentiality of their networks implement?" In Chapter 5 the SecComp model is proposed to assist in determining how well an organisation has implemented the BS7799 controls recommended for their needs. In Chapter 6 the underlying implemented IT infrastructure, i.e. the software, hardware and network products are also incorporated into determining if the information assets of organisations are sufficiently protected. This chapter combines technology aspects with management aspects to provide a consolidated approach towards the evaluation of IS. The thesis culminates in Part 3: Conclusion, which comprises one chapter only. In this last chapter, Chapter 7, the research undertaken thus far is summarised and the pros and cons of the proposed modelling approach is weighed up. The thesis is concluded with a reflection on possible areas for further research.
- Full Text:
'n Logiese sekuriteitsmodel gebaseer op NCL-grammatikas
- Authors: De Villiers, Daniel Pierre
- Date: 2014-03-18
- Subjects: Data protection , Electronic data processing departments - Security measures
- Type: Thesis
- Identifier: uj:4377 , http://hdl.handle.net/10210/9726
- Description: M.Sc. (Computer Science) , Please refer to full text to view abstract
- Full Text:
- Authors: De Villiers, Daniel Pierre
- Date: 2014-03-18
- Subjects: Data protection , Electronic data processing departments - Security measures
- Type: Thesis
- Identifier: uj:4377 , http://hdl.handle.net/10210/9726
- Description: M.Sc. (Computer Science) , Please refer to full text to view abstract
- Full Text:
Compliance at velocity within a DevOps environment
- Authors: Abrahams, Muhammad Zaid
- Date: 2017
- Subjects: Information technology - Security measures , Computer software - Development , Data protection , Computer security
- Language: English
- Type: Masters (Thesis)
- Identifier: http://hdl.handle.net/10210/279418 , uj:30006
- Description: M.Sc. (Informatics) , Abstract: Please refer to full text to view abstract.
- Full Text:
- Authors: Abrahams, Muhammad Zaid
- Date: 2017
- Subjects: Information technology - Security measures , Computer software - Development , Data protection , Computer security
- Language: English
- Type: Masters (Thesis)
- Identifier: http://hdl.handle.net/10210/279418 , uj:30006
- Description: M.Sc. (Informatics) , Abstract: Please refer to full text to view abstract.
- Full Text: