Implementing an effective information security awareness program
- Authors: Wolmarans, Amanda
- Date: 2008-07-18T13:41:53Z
- Subjects: Computer security , Data protection
- Type: Mini-Dissertation
- Identifier: uj:7363 , http://hdl.handle.net/10210/811
- Description: The aim of this project and dissertation is to develop an effective information security awareness program that can be implemented within an organization. The project starts with a literature study that focuses on the requirements for an information security awareness program, research that has already been done in this area and behavioural issues that need to be considered during the implementation of such a program. A secondary deliverable of this project is to develop a web-based security awareness program that can be used to make employees more security aware and that should complement a total security awareness program within an organization. Chapter 1 provides an overview of the problem statement, the objectives and structure of the project and dissertation, and the approach that was followed to solve the problem. In chapter 2 the concept of security awareness and the different components it consists of are defined. The difference between awareness, training and education, and the importance of implementing a security awareness environment within an organization, will be explained. Chapter 3 discusses the ISO 17799 security standard and what it says about security awareness and the importance of employee training. The security awareness prototype that was developed as part of this study plays a role in achieving the training objective. The attitude problem is the focus of chapter 4. In order for a security awareness program to be effective, people’s attitude towards change must be changed. It is also important to measure the behavioural change to make sure that the attitude towards change did change. The security awareness prototype is introduced in this chapter, and it is mentioned that it can be used to assist an organization to achieve its security awareness goals. Chapter 5 introduces the security awareness prototype in more detail. This prototype is an example of a web environment that can be used to train users to a higher degree of security awareness. Chapter 6 goes into more detail about the structure of the security awareness web environment. Access control and how it is achieved is explained. The objectives of the 10 modules and the test at the end of each module are also mentioned. Links and reports can also form part of this prototype to make it a more comprehensive solution. Chapter 7 provides an overview of a case study that I researched. It focuses on research done by Hi-Performance Learning about the human factor that is involved in any training program. I explain how they succeeded in addressing this and people’s sensitivity towards change. Chapter 8 explains the importance of choosing the right course content, learning media and course structure and how this led me to develop a web-based security awareness prototype. Other mechanisms like posters and brochures that can be used as part of a comprehensive security awareness program are discussed in chapter 9. Chapter 10 concludes the dissertation by providing an overview of how the security awareness program can be implemented and managed within an organization. A summary of how the objectives of this project and dissertation were met is given at the end of this chapter. , Von Solms, S.H., Prof.
- Full Text:
The Community-oriented Computer Security, Advisory and Warning Team
- Authors: Von Solms, Sebastiaan , Ellefsen, Ian
- Date: 2010
- Subjects: Critical information infrastructure protection , Cyber attacks , Information technology security , Community-oriented Advisory, Security and Warning Teams , C-SAW Teams , CSIRT structures , Data protection , Internet safety measures , Computer Security Incident Response Team structures , WARP
- Type: Article
- Identifier: uj:6203 , ISBN 978-1-905824-15-1 , http://hdl.handle.net/10210/5285
- Description: Critical information infrastructure protection is vital for any nation. Many of a country’s critical systems are interconnected via an information infrastructure, such as the Internet. Should the information infrastructure be targeted by remote attacks, it would have a devastating effect on the functioning of a country. Developing nations are no exception. As broadband penetration rates increase, and as Internet access speeds increase, developing nations have to implement safeguards to ensure that their information infrastructure is not targeted or abused by cyber attackers. Many nations implement CSIRT structures to aid in the protection of their information infrastructure. However, these structures are expensive to set up and maintain. In this paper we introduce a Community-oriented Advisory, Security and Warning (C-SAW) Team, which aims to be a cost-effective alternative to a CSIRT. C-SAW Teams aim to combine cost-effectiveness with the ability to mutate into a full-scale CSIRT structure over time.
- Full Text:
A management tool for evaluating a company's level of computer security (original Afrikaans title: 'n Bestuurshulpmiddel vir die evaluering van 'n maatskappy se rekenaarsekerheidsgraad)
- Authors: Von Solms, Rossouw
- Date: 2014-05-13
- Subjects: Electronic data processing departments - Security measures , Data protection , Computer security
- Type: Thesis
- Identifier: uj:11026 , http://hdl.handle.net/10210/10599
- Description: M.Sc. (Informatics) , Information is power. Any organization must secure and protect its entire information assets. Management is responsible for the well-being of the organization and consequently for computer security. Management must become and stay involved with the computer security situation of the organization, because the existence of any organization depends on an effective information system. One way in which management can stay continually involved and committed with the computer security situation of the organization is by the periodic evaluation of computer security. The results from this evaluation process can initiate appropriate actions to increase computer security in areas needed. For effective management involvement, a tool is needed to aid management in monitoring the status of implementing computer security on a regular basis. The main objective of this dissertation is to develop such a management tool. Basically the thesis consists of three parts, namely a framework for effective computer security evaluation, the definition of the criteria to be included in the tool and lastly, the tool itself. The framework (chapters 1 to 6) defines the basis on which the tool (chapters 7 to 9) is built, e.g. that computer security controls need to be cost-effective and should aid the organization in accomplishing its objectives. The framework is based on a two-dimensional graph: firstly, the various risk areas in which computer security should be applied and secondly, the severity of controls in each of these areas. The tool identifies numerous risk areas critical to the security of the computer and its environment. Each of these risk areas needs to be evaluated to find out how well it is secured. From these results an overall computer security situation is pictured. The tool is presented as a spreadsheet, containing a number of questions. The built-in formulae in the spreadsheet perform calculations resulting in an appreciation of the computer security situation. The results of the security evaluation can be used by management to take appropriate actions regarding the computer security situation.
- Full Text:
Information security management : processes and metrics
- Authors: Von Solms, Rossouw
- Date: 2014-09-11
- Subjects: Data protection , Computer security
- Type: Thesis
- Identifier: uj:12275 , http://hdl.handle.net/10210/12038
- Description: PhD. (Informatics) , Organizations become daily more dependent on information. Information is captured, processed, stored and distributed by the information resources and services within the organization. These information resources and services should be secured to ensure a high level of availability, integrity and privacy of this information at all times. This process is referred to as Information Security Management. The main objective of this thesis is to identify all the processes that constitute Information Security Management and to define a metric through which the information security status of the organization can be measured and presented. It is necessary to identify an individual or a department which will be responsible for introducing and managing the information security controls to maintain a high level of security within the organization. The position and influence of this individual, called the Information Security officer, and/or department within the organization, is described in chapter 2. The various processes and subprocesses constituting Information Security Management are identified and grouped in chapter 3. One of these processes, Measuring and Reporting, is currently very ill-defined and few guidelines and/or tools exist currently to help the Information Security officer to perform this task. For this reason the rest of the thesis is devoted to providing an effective means to enable the Information Security officer to measure and report the information security status in an effective way...
- Full Text:
A strategy for managing examination security at tertiary institutions in South Africa
- Authors: van Zyl, Marthinus Petrus
- Date: 2012-09-11
- Subjects: Examinations , Management information systems , Higher education management , Computer security , Data protection
- Type: Mini-Dissertation
- Identifier: uj:9958 , http://hdl.handle.net/10210/7354
- Description: M.B.A. , More and more policy makers in South Africa’s educational environment are focusing on the impact of digital developments on lifelong learning, electronic publishing, computer-mediated communication and the growth of virtual universities. Johnson and Scholes (1999:475) state that increased availability and quality of information can enhance an organisation’s competency both by reducing the cost of processes and by improving their quality. Managers need to be clear about how these improvements in information technology should influence the way in which they manage their business processes and the benefits associated with the costs of these electronic services. President Thabo Mbeki has stated that universities have a key role to play in improving the quality of life of all South African citizens since education is the key to unlocking each person's potential and improving the quality of life in general (Le Roux, 2005). Mbeki also emphasized that South African universities should emerge from the current process of change, ready to compete with the best institutions in the world. Mbeki asserted that change must guarantee that South Africa catches up with the best in the world in terms of the generation and use of knowledge capital to create the winning society that South Africa yearns for. It must guarantee that South Africa produces the intelligentsia who must be at the cutting edge of our process of renaissance.
- Full Text:
CESIMAS : a continual evaluative self-aware immune-inspired multi agent critical information infrastructure protection system
- Authors: Van Niekerk, Jan Hendrik
- Date: 2018
- Subjects: Multiagent systems , Artificial immune systems , Ambient intelligence , Computer security , Data protection
- Language: English
- Type: Doctoral (Thesis)
- Identifier: http://hdl.handle.net/10210/292808 , uj:31826
- Description: Abstract: Organisations have become more reliant on electronic assets in recent years, as a shift in focus has driven organisations to make extensive use of Critical Information Infrastructure (CII) to drive various business activities. While there has been a significant paradigm shift during this transition, most organisations have failed to ensure that sufficient security mechanisms are put in place to protect the organisation and their CII from exploitation. Typically, these organisations employ conventional security mechanisms such as a firewall, proxy or anti-virus software, but these approaches are fallible. An organisation can simply not afford to have its CII exploited, as this results in reputational and financial losses. Every single organisation should define their appetite for risk by performing a Risk Value Assessment (RVA). Unfortunately, it is impossible for an organisation to protect its CII against every possible threat, as threats are polymorphic and dynamic in nature. The research proposes a hybrid approach towards improving the Critical Information Infrastructure Protection (CIIP) capabilities within an organisation. The Continual Evaluative Self-aware Immune-inspired Multi Agent Critical Information Infrastructure Protection System (CESIMAS) utilises various concepts and ideal analogies from the research fields of Multi Agent Systems, Artificial Immune Systems, Self-awareness, and Ambient Intelligence to propose a hybrid virtualised metaphysical model. The CESIMAS model utilises various sub-systems and agent types to establish an automated, self-sufficient and self-regulatory ecosystem whereby the agents in the model effectively and efficiently attempt to provide an improved CIIP capability within an organisation’s Critical Information Infrastructure. The CESIMAS model contributes a virtualised metaphysical model, which illustrates how an Ambient Intelligence-based approach can be implemented and modelled to potentially improve the level of CIIP within an organisation. The CESIMAS model proposes and contributes a more efficient and effective agent generation process, parts of which are utilised to improve immune-inspired detection techniques within the model. The model establishes a hybrid approach to self-set maintenance and immune-inspired detection techniques, whilst reducing the computational penalties and constraints. , Ph.D. (Computer Science)
- Full Text:
Object-oriented and role-based distributed information security in an open transaction-processing environment (original Afrikaans title: Objek-georiënteerde en rolgebaseerde verspreide inligtingsekerheid in 'n oop transaksieverwerking omgewing)
- Authors: Van der Merwe, Jacobus
- Date: 2014-10-07
- Subjects: Computers - Access control , Data protection , Computer security , Object-oriented databases - Security measures
- Type: Thesis
- Identifier: uj:12539 , http://hdl.handle.net/10210/12332
- Description: M.Sc. (Computer Science) , Information is a valuable resource in any organisation and more and more organisations are realising this and want efficient means to protect it against disclosure, modification or destruction. Although relatively efficient security methods have been available almost as long as information databases, they all provide additional cost. This cost does not only involve money but also cost in terms of system performance and management of information security. Any new information security model must also provide better management of information security. In this dissertation we present a model that provides information security and aims to lower the technical skills required to manage information security using this approach. In any business organisation we can describe each employee's duties. Put in other words, we can say that each employee has a specific business role in the organisation. In organisations with many employees there are typically many employees that have more or less the same duties in the organisation. This means that employees can be grouped according to their business roles. We use an employee's role as a description of his/her duties in a business organisation. Each role needs resources to perform its duties in the organisation. In terms of computer systems, each role needs computer resources such as printers. Most roles need access to data files in the organisation's database but it is not desirable to give all roles access to all data files. It is obvious that roles have specific privileges and restrictions in terms of information resources. Information security can be achieved by identifying the business roles in an organisation and giving these roles only the privileges needed to fulfill their business function and then assigning these roles to people (users of the organisation's computer system). This is called role-based security. People's business functions are related, for example clerks and clerk-managers are related in the sense that a clerk-manager is a manager of clerks. Business roles are related in the same way. For an information security manager to assign roles to users it is important to see this relationship between roles. In this dissertation we present this relationship using a lattice graph which we call a role lattice. The main advantage of this is that it eases information security management...
- Full Text:
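The role lattice described in the abstract above, worked through as an added example (this is not the dissertation's own model or code): roles form a partial order, a senior role such as a clerk-manager inherits every privilege of the roles below it, each role is granted directly only what its own business function adds, and the join of two roles is the least role that covers both, which is what an administrator reads off the lattice when one user needs two roles' privileges. The role names, permissions and user-to-role assignments are constructed sample data.

```python
"""Role-based security over a role lattice.

Added example, not code from the dissertation. Roles form a partial
order ("is senior to"); a senior role inherits every permission granted
to the roles below it, so each role is granted directly only the
privileges its own business function adds. Role names, permissions and
user-to-role assignments are constructed sample data.
"""
from typing import Dict, FrozenSet, List, Optional, Set

# Immediate junior roles of each role (constructed). A clerk-manager is a
# manager of clerks, so ClerkManager sits directly above Clerk.
SENIORITY: Dict[str, Set[str]] = {
    "Employee": set(),
    "Clerk": {"Employee"},
    "Auditor": {"Employee"},
    "ClerkManager": {"Clerk"},
    "Director": {"ClerkManager", "Auditor"},
}

# Privileges granted directly to a role, i.e. only what that role adds
# beyond its juniors (constructed).
DIRECT_PERMS: Dict[str, Set[str]] = {
    "Employee": {"read:handbook"},
    "Clerk": {"read:ledger", "write:ledger"},
    "Auditor": {"read:ledger", "read:audit-log"},
    "ClerkManager": {"approve:ledger"},
    "Director": {"read:financials"},
}

# Which roles each user holds (constructed).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"Clerk"},
    "bob": {"ClerkManager"},
    "carol": {"Auditor"},
}


def juniors(role: str) -> FrozenSet[str]:
    """Every role at or below `role`: the reflexive, transitive closure of
    SENIORITY. The visited set keeps this terminating even if the graph
    is miswired with a cycle."""
    seen: Set[str] = set()
    stack: List[str] = [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(SENIORITY.get(r, set()))
    return frozenset(seen)


def dominates(senior: str, junior: str) -> bool:
    """True if `senior` is at or above `junior` in the lattice."""
    return junior in juniors(senior)


def effective_permissions(role: str) -> FrozenSet[str]:
    """A role's own privileges plus everything inherited from its juniors."""
    perms: Set[str] = set()
    for r in juniors(role):
        perms |= DIRECT_PERMS.get(r, set())
    return frozenset(perms)


def user_permissions(user: str) -> FrozenSet[str]:
    """Union of the effective permissions of all roles assigned to a user."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= effective_permissions(role)
    return frozenset(perms)


def is_allowed(user: str, permission: str) -> bool:
    """The access-control decision: deny unless some held role grants it."""
    return permission in user_permissions(user)


def least_upper_bound(a: str, b: str) -> Optional[str]:
    """The join of two roles: the least role that dominates both. Returns
    None when no single least role exists (the hierarchy is then not a
    lattice at that point and the user must be assigned both roles)."""
    upper = [r for r in SENIORITY if dominates(r, a) and dominates(r, b)]
    minimal = [r for r in upper
               if not any(c != r and dominates(r, c) for c in upper)]
    return minimal[0] if len(minimal) == 1 else None


if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        print(user, sorted(user_permissions(user)))
    print("join(Clerk, Auditor) =", least_upper_bound("Clerk", "Auditor"))
```

Because DIRECT_PERMS lists only what each role adds, revoking a privilege at the role where it was granted removes it from every senior role at once, and the auditor keeps read access to the ledger without ever acquiring write access; those two properties are what make the lattice easier to administer than per-user grants.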
An analysis of information security governance models
- Authors: Sibanda, Mbusi
- Date: 2012-06-06
- Subjects: Information security governance , Computer networks security , Data protection
- Type: Thesis
- Identifier: uj:2493 , http://hdl.handle.net/10210/4947
- Description: M.Comm. , This study will point out the need for information security governance. Since the risk that a specific information security incident will occur is not always obvious, it is difficult for an organisation to invest time and money in information security governance. An information security governance model should therefore be extensive enough to include all possible security scenarios. This should enable any implementing organisation to prevent or indirectly intervene in the occurrence of security-related incidents within its perimeters. An analysis of the existing models will be conducted and will combine drivers from the corporate governance, information technology governance and information security governance disciplines. It can be expected that the information security governance model will inherit a number of the respective best practice and related documents’ benefits and advantages. These inherited benefits add enormous value to both the best practice model and the information security governance discipline.
- Full Text:
A data protection methodology to preserve critical information from the possible threat of information loss
- Authors: Schwartzel, Taryn
- Date: 2011-10-03T07:34:13Z
- Subjects: Data protection , Business communication - Security measures , Business - Computer network resources - Security measures , Computer security management , Electronic commerce - Security measures
- Type: Thesis
- Identifier: uj:7224 , http://hdl.handle.net/10210/3861
- Description: M.Tech. , Information is a company’s greatest asset that is continually under threat from human error, technological failure, natural disasters and other external factors. These threats need to be identified and quantified and their relevant protection techniques need to be deployed. This research will allow businesses to ascertain which of these data protection strategies to embrace and deploy, thereby highlighting the balance between cost and value for their business needs. Every commercial enterprise should understand the business value of their data and realise that protecting this data is of utmost importance. However, company data often resides on different mediums and in different locations, and implementing a data protection strategy is not always cost effective in terms of the cost of storage mediums and protection methods. The challenge that businesses face is distinguishing mission-critical data from other business data, excluding any non-business or invaluable data that resides on their systems. Thus a cost-effective data protection strategy can be implemented according to the different values of business data. This research provides a model to enable an organisation to: · Utilise the model as a framework or guideline in determining a strategy for protection, storage, retrieval and preservation of business critical data. · Define the data protection strategy to meet the organisation’s business requirements. · Define a cost effective data protection solution that encompasses protection, storage, retrieval and preservation of business critical data. · Make strategic decisions based on an array of best practices to ensure mission-critical data is protected accordingly. · Draw a conclusion between the costs of implementing these solutions against the real business value of the data that it protects.
- Full Text:
Perception and determinism theories for communicating information systems security policies
- Authors: Rantao, Tsholofelo
- Date: 2020
- Subjects: Computer security , Information storage and retrieval systems|xSecurity measures , Data protection
- Language: English
- Type: Masters (Thesis)
- Identifier: http://hdl.handle.net/10210/422244 , uj:36025
- Description: Abstract: Information security breaches are one of the fastest growing challenges faced by businesses in the world. The pace and progression of cybercrime exceeds most corporates’ security capability. That is why companies cannot rely on security technology only; employees also need to be involved. The goal of the study is to predict the relationship between communication factors and information security compliance. Media synchronicity theory is used due to its perceived effectiveness in promoting shared behaviour among people that work in the same environment. Communication theory and media richness theory were also included to support the model. These theories are combined into a framework called Miscellany of Perception and Determinism. Ten factors are extracted from this framework to test the relationship between communication and information security compliance in organisations. The study adopts a positivist deductive stance and generates hypotheses derived from a miscellany of communication theories. The positivist paradigm informs the data collection method and the development of the questionnaire. The Miscellany of Perception and Determinism Framework shows that there is a significant relationship between the dependent variable, information security compliance, and the independent variables, the communication factors: Media Appropriateness; Reason for Communication; Non-conflicting Interpretations; Feedback Immediacy; and Personal Focus. The findings show that personal focus, non-conflicting interpretations, feedback immediacy, media appropriateness, and the reason for communication explain 61.3% of information security compliance. The study is at the forefront of linking important aspects within information security compliance and communication alike. This is ground-breaking research that was able to predict how policies can effectively be communicated. 
The results emphasise the necessity of adopting a comprehensive approach to using factors to communicate IS (information security) policy compliance. The implications of these findings are that communication mediums used by organisations are isolated in that they do not consider user experience for promoting understanding, and this leads to low security compliance behaviour. Once communication of policy is articulated effectively using the correct mediums, organisations will be able to be mindful of employee perception towards security strategies, which contributes to improving security compliance... , M.Com. (Information Technology Management)
- Full Text:
Application of the access path model with specific reference to the SAP R/3 environment
- Authors: Pretorius, Maria Rebecca
- Date: 2014-10-07
- Subjects: Computer security , Data protection , Computers - Access control
- Type: Thesis
- Identifier: uj:12534 , http://hdl.handle.net/10210/12328
- Description: M.Com. (Computer Auditing) , The management and control of modern day computer systems are becoming more and more trying due to the complexity of systems. This renders the traditional approach to evaluating controls in complex computer systems inadequate and heightens the need for an alternative audit approach. The complex SAP R/3 environment will be evaluated in terms of security and validity of users and processes. This will be achieved through the use of an alternative audit approach, namely the application of the Access Path and Path Context Models (Boshoff 1985, 1990). The research methodology used during this research may indicate universal application implications for similar complex environments, although this has not yet been proved. The research showed that there are many control features available in the different software components of the SAP R/3 environment that can be applied to control access and validity of users and processes. The duplication of control features provided by the software components requires a global approach to security in the defined environment. Only when the environment is evaluated as a whole will it be possible to make the most effective security decisions. The use of the control matrices developed during this research will ease the global evaluation of the SAP R/3 environment. Although further research is required, the above has proven the usefulness of both the research methodology and the resultant model and matrices.
- Full Text:
The automatic generation of information security profiles
- Authors: Pottas, Dalenca
- Date: 2014-10-07
- Subjects: Computers - Access control , Data protection , Computer security
- Type: Thesis
- Identifier: uj:12540 , http://hdl.handle.net/10210/12333
- Description: D.Phil. (Computer Science) , Security needs have changed considerably in the past decade as the economics of computer usage necessitates increased business reliance on computers. As more individuals need computers to perform their jobs, more detailed security controls are needed to offset the risk inherent in granting more people access to computer systems. Traditionally, computer security administrators have been tasked with configuring security systems by setting controls on the actions of users. This basically entails the compilation of access rules (contained in security profiles), which state who can access what resources in what way. The task of building these rules is of considerable magnitude and is in general not well understood. Ad hoc approaches, characterized by exhaustive interviewing and endless printouts of organizational data repositories, are usually followed. In the end, too much is left to the discretion of the security administrators...
- Full Text:
A model for a secure fully wireless telemedicine system
- Authors: Ngoss, Ngue Baha Djob
- Date: 2008-07-07T09:27:45Z
- Subjects: Wireless telecommunication systems , Telecommunication in medicine , Computer security , Data protection
- Type: Thesis
- Identifier: uj:10227 , http://hdl.handle.net/10210/759
- Description: New wireless communication technology standards are being released every year. Wireless technologies merely differ from one another by their range and speed and can each be selected according to the type of application in use. Mobility and ubiquity are the main benefits that can be extracted by using those technologies. On the other hand, telemedicine is the use of communication technologies to provide medical care and thus avoid the usual face-to-face, physician-to-patient scenario. With telemedicine, a physician can treat a patient located at a remote site. Early telemedicine systems used technologies that were available at the time, such as the telephone. Integrating wireless technologies into telemedicine systems would surely provide a huge boost to the improvement of the delivery of healthcare. However, telemedicine and wireless technologies are both emerging scientific concepts. Scientific concepts always have to face challenges prior to popularisation. The more important barriers to the adoption of wireless telemedicine are security and privacy. Medical practitioners are doing their best to preserve the privacy of their patients. Disclosure of patients’ health information may lead to severe legal sanctions. Security flaws in a wireless telemedicine system would lead to privacy breaches. Patient privacy, which physicians have tried so hard to protect, would consequently be out of their control. This dissertation will achieve two goals. The first goal is to show how different wireless technologies could be integrated into telemedicine to provide different applications. The second goal is to design a fully wireless telemedicine system where the information of patients will flow securely. The model described in this dissertation shows a possible wireless telemedicine scenario using different types of wireless technologies. 
The model also proposes a solution to allow the secure flow of medical information in order to protect the privacy of patients. , Dr. E. Marais
- Full Text:
A framework for identifying master data from business processes
- Authors: Ndlozi, Joshua Gugu
- Date: 2016
- Subjects: Database security , Data protection , Knowledge management
- Language: English
- Type: Masters (Thesis)
- Identifier: http://hdl.handle.net/10210/237766 , uj:24367
- Description: M.Com. (Information Technology Management) , Abstract: The recent advancement in information technology has prompted many organisations to review their business strategies. One of the prominent areas concerning business executives is data management. The introduction of new technology such as the ‘internet of things’ continues to present serious challenges within the data management discipline. Systems that used to be siloed are now expected to share data and integrate with other systems. The integration and sharing of data across systems presents serious data management challenges. Business executives are responding to this challenge by turning to master data management. The lack of research studies and research papers in this field show the immaturity of the master data management discipline. This makes business executives have less interest in master data management and therefore reduces any investment into research on the subject. New data governance legislation and regulations such as those set out in the Protection of Personal Information Act are now forcing business executives to be accountable for the data they own. This presents a serious challenge for business executives as the master data management discipline has not been well-researched. The implementation of a master data management program is very challenging and the current best practices are too generic to be applicable in every company. Within the South African boundaries, there are no known master data management frameworks that can be used to facilitate the implementation of master data management programs. This dissertation uses an exploratory, phenomenographic research approach to learn about master data management. The aim of the exploratory approach was to develop the required knowledge, establish priorities and develop the concepts of master data management more clearly. 
One of the challenges of implementing master data management is the identification of master data objects from the business processes. Keywords: Enterprise information management, data management, master data management, information technology, process management, data architecture, information quality, IT portfolio management, information security.
- Full Text:
A secure, anonymous, real-time cyber-security information sharing system with respect to critical information infrastructure protection
- Authors: Mohideen, Feroze
- Date: 2015
- Subjects: Computer security , Data protection , Computers - Access control , Cyber intelligence (Computer security) , Supervisory control systems
- Language: English
- Type: Masters (Thesis)
- Identifier: http://hdl.handle.net/10210/84671 , uj:19250
- Description: Abstract: Please refer to full text to view abstract , M.Sc.
- Full Text:
Modeling personally identifiable information leakage that occurs through the use of online social networks
- Authors: Louw, Candice
- Date: 2015-06-30
- Subjects: Online social networks - Access control , Online social networks - Security measures , Data protection
- Type: Thesis
- Identifier: uj:13662 , http://hdl.handle.net/10210/13846
- Description: M.Sc. (Computer Science) , With the phenomenal growth of the Online Social Network (OSN) industry in the past few years, users have resorted to storing vast amounts of personal information on these sites. The information stored on these sites is often readily accessible from anywhere in the world and not always protected by adequate security settings. As a result, user information can make its way, unintentionally, into the hands of not only other online users, but also online abusers. Online abusers, better known as cyber criminals, exploit user information to commit acts of identity theft, Advanced Persistent Threats (APTs) and password recovery, to mention only a few. As OSN users are incapable of visualising the process of access to their OSN information, they may choose to never adjust their security settings. This can become synonymous with ultimately setting themselves up to becoming a victim of cyber crime. In this dissertation we aim to address this problem by proposing a prototype system, the Information Deduction Model (IDM) that can visualise and simulate the process of accessing information on an OSN profile. By visually explaining concepts such as information access, deduction and leakage, we aim to provide users with a tool that will enable them to make more informed choices about the security settings on their OSN profiles thereby setting themselves up for a pleasant online experience.
- Full Text:
A model for protecting personal information using Blockchain
- Authors: Jappie, Thauriq
- Date: 2020
- Subjects: Blockchains (Databases) , Data protection
- Language: English
- Type: Master (Thesis)
- Identifier: http://hdl.handle.net/10210/458453 , uj:40721
- Description: Abstract: Users have lost control and ownership of their personal information in Cyberspace. Personal information is scattered across many company databases in Cyberspace, which introduces many security risks as well as a central point of attack that affects any user's accounts containing personal information. Based on the information gathered on data breaches, the purpose of the research presented within this dissertation is to explore alternative methods that can be applied in Cyberspace. This will allow for the secured ownership and control of personal information. These methods will explore the mitigation of risks to personal information and improve the security of personal information in Cyberspace. In investigating the best methods to own and control personal information, some factors needed to be considered. Personal information would need to be transferable between users or parties in an environment which provides security, integrity, transparency, control, and interaction. In this dissertation, we develop a model that addresses the abovementioned points. The model is called the "SUUS CHAIN" model. "SUUS" means to be independent [1]. The chain is taken from the Blockchain term to indicate and support the use of Blockchain technologies in this model. To support the development of the SUUS CHAIN model, we have chosen Blockchain technology which utilizes Smart Contracts. The Blockchain technology provides the needed environment to securely send personal information between two parties while holding the integrity of the message, providing a fully auditable trail, and allowing for the development of Smart Contracts. Smart Contracts allow us to program any rules and conditions set out between two or more parties concerning their personal information. We would also be able to program an authorization mechanism for interacting with user personal information.
The contribution of our SUUS CHAIN model is to allow users to own their personal information, as well as to control how personal information is handled in Cyberspace. In doing so, we also contribute to the improvement of securely transacting and sending personal information across Cyberspace. From the information and results accumulated throughout this dissertation, we have provided a working prototype demonstration of the SUUS CHAIN model. We have shown that the problem statement can be solved and that the objectives are met. Our SUUS CHAIN prototype demonstration, as well as the literature results provided, shows that the security, control, and ownership of personal information can be accomplished. , M.Sc. (Computer Science)
- Full Text:
Encryption technology to address validity in transactions using the GII
- Authors: Gerber, Anton Hendrik
- Date: 2012-09-05
- Subjects: Data encryption (Computer science) , Internet -- Security measures , Electronic commerce , Electronic data interchange , Data protection , Computer security
- Type: Mini-Dissertation
- Identifier: uj:3604 , http://hdl.handle.net/10210/6984
- Description: M.Comm. , The development of electronic commerce resulted in the development of EDI and the use of the Internet to transact these data. This led to the question of whether a security technology existed that could ensure the validity and integrity of transactions. The development of the GII, which will be used not only for EDI and other financial transactions but also in the medical and educational fields, has emphasised this concern of business. Encryption is one of the technologies available which can ensure the validity of transactions during transmission and even during storage. Cryptology entails the encoding and decoding of transaction data before and after transmission through the use of secret and public keys. The following questions should be addressed: The most cost-effective solution to business' security concerns; The legal and regulatory issues concerning privacy; Transmission of keys through digital and electronic media, resulting in the possible breach of security in the keys themselves; Standards and infrastructures which must be agreed upon and implemented to secure the development of the GII; and Existing internal and external audit methodologies, which can cater for the audit of the completeness, accuracy, validity and continuity of transactions, but whose methods and tests to substantiate these objectives will have to change. All of the above points are addressed in the research, except those on the legal and regulatory issues. Each of these points can, however, still be the topic for detailed future research. The objective of this dissertation is to research encryption technology in order to provide a questionnaire to the auditor for ensuring the validity of transactions on the GII. A questionnaire or checklist is presented that could serve as a guideline for auditors when addressing risks in a GII environment.
- Full Text:
Legal implications of information security governance
- Authors: Etsebeth, Verine
- Date: 2009-01-08T13:04:36Z
- Subjects: Computer security , Data protection , Liability (Law) , Information technology management , Computer network security , Business enterprises
- Type: Thesis
- Identifier: uj:14757 , http://hdl.handle.net/10210/1837
- Description: LL.M. , Organisations are being placed under increased pressure by means of new laws, regulations and standards to ensure that adequate information security exists within the organisation. The King II report introduced corporate South Africa to the concept of information security in 2002. In the same year the Electronic Communications and Transactions Act 25 of 2002 addressed certain technical information security issues such as digital signatures, authentication, and cryptography. Therefore, South Africa is increasingly focussing its attention on information security. This trend is in line with the approach taken by the rest of the international community, who are giving serious consideration to information security and the governance thereof. As organisations are waking up to the benefits offered by the digital world, information security governance is emerging as a pivotal business issue within the e-commerce environment. Most organisations make use of electronic communications systems such as e-mail, faxes, and the World Wide Web when performing their day-to-day business activities. However, all electronic transactions and communications inevitably involve information being used in one form or another. It may therefore be observed that information permeates every aspect of the business world. Consequently, the need exists to have information security governance in place to ensure that information security prevails. However, questions relating to which organisation must deploy information security governance, why the organisation should concern itself with this discipline, how the organisation should go about implementing information security governance, and what consequences will ensue if the organisation fails to comply with this discipline, are in dispute. Uncertainty surrounding the answers to these questions contributes to the reluctance and skepticism with which this discipline is approached.
This dissertation revolves around the legal implications of information security governance by establishing who is responsible for ensuring compliance with this discipline, illustrating the value to be derived from information security governance, the methodology of applying information security governance, and liability for non-compliance with this discipline, ultimately providing the reader with certainty and clarity regarding the above-mentioned questions, while simultaneously enabling the reader to gain a better understanding and appreciation of the discipline of information security governance. The discussion hereafter provides those who should be concerned with information security governance with practical, pragmatic advice and recommendations on: (i) The legal obligation to apply information security; (ii) Liability for failed information security; (iii) Guidelines on how to implement information security; and (iv) A due diligence assessment model against which those responsible for the governance and management of the organisation may benchmark their information security efforts.
- Full Text:
A multi-dimensional model for information security management
- Authors: Eloff, Maria Margaretha
- Date: 2011-12-06
- Subjects: Information resources management , Data protection , Computer security , Database management security measures
- Type: Thesis
- Identifier: uj:1794 , http://hdl.handle.net/10210/4158
- Description: D.Phil. , Any organisation is dependent on its information technology resources. The challenges posed by new developments such as the World Wide Web and e-business require new approaches to address the management and protection of IT resources. Various documents exist containing recommendations for the best practice to follow for information security management. BS7799 is such a code of practice for information security management. The most important problem to be addressed in this thesis is the need for new approaches and perspectives on information security (IS) management in an organisation, to take cognisance of changing requirements in the realm of information technology. In this thesis various models and tools are developed that can assist management in understanding, adapting and using internationally accepted codes of practice for information security management to the best benefit of their organisations. The thesis consists of three parts. Chapter 1 and Chapter 2 constitute Part 1: Introduction and Background. In Chapter 1 the problem statement, objectives and deliverables are given. Further, the chapter contains definitions of important terminology used in the thesis as well as an overview of the research. Chapter 2 defines various terms associated with information security management in an attempt to eliminate existing confusion. The terms are mapped onto a hierarchical framework in order to illustrate the relationship between the different terms. In Part 2: IS Management Perspectives and Models, consisting of chapters 3, 4, 5 and 6, new approaches to information security management are discussed. In Chapter 3 different perspectives on using a code of practice, such as BS7799, for IS management are presented. The different perspectives are based on the unique characteristics of the organisation, such as its size and functional purpose.
These different perspectives also enable organisations to focus on the controls for specific resources or security services such as integrity or confidentiality. In Chapter 4 these different perspectives of business type/size, the security services and the resources are integrated into a multi-dimensional model and mapped onto BS7799. Using the multi-dimensional model will enable management to answer questions such as: "Which BS7799 controls must a small retail organisation interested in preserving the confidentiality of their networks implement?" In Chapter 5 the SecComp model is proposed to assist in determining how well an organisation has implemented the BS7799 controls recommended for their needs. In Chapter 6 the underlying implemented IT infrastructure, i.e. the software, hardware and network products, is also incorporated into determining whether the information assets of organisations are sufficiently protected. This chapter combines technology aspects with management aspects to provide a consolidated approach towards the evaluation of IS. The thesis culminates in Part 3: Conclusion, which comprises one chapter only. In this last chapter, Chapter 7, the research undertaken thus far is summarised and the pros and cons of the proposed modelling approach are weighed up. The thesis is concluded with a reflection on possible areas for further research.
- Full Text: