'n Bestuurshulpmiddel vir die evaluering van 'n maatskappy se rekenaarsekerheidsgraad (A management tool for evaluating a company's level of computer security)
- Authors: Von Solms, Rossouw
- Date: 2014-05-13
- Subjects: Electronic data processing departments - Security measures , Data protection , Computer security
- Type: Thesis
- Identifier: uj:11026 , http://hdl.handle.net/10210/10599
- Description: M.Sc. (Informatics) , Information is power. Any organization must secure and protect its entire information assets. Management is responsible for the well-being of the organization and consequently for computer security. Management must become and stay involved with the computer security situation of the organization, because the existence of any organization depends on an effective information system. One way in which management can stay continually involved and committed with the computer security situation of the organization, is by the periodic evaluation of computer security. The results from this evaluation process can initiate appropriate actions to increase computer security in areas needed. For effective management involvement, a tool is needed to aid management in monitoring the status of implementing computer security on a regular basis. The main objective of this dissertation is to develop such a management tool. Basically the thesis consists of three parts, namely a framework for effective computer security evaluation, the definition of the criteria to be included in the tool and lastly, the tool itself. The framework (chapters 1 to 6) defines the basis on which the tool (chapters 7 to 9) is built, e.g. that computer security controls need to be cost-effective and should aid the organization in accomplishing its objectives. The framework is based on a two-dimensional graph: firstly, the various risk areas in which computer security should be applied and secondly, the severity of controls in each of these areas. The tool identifies numerous risk areas critical to the security of the computer and its environment. Each of these risk areas needs to be evaluated to find out how well it is secured. From these results an overall computer security situation is pictured. The tool is presented as a spreadsheet, containing a number of questions.
The built-in formulae in the spreadsheet perform calculations resulting in an appreciation of the computer security situation. The results of the security evaluation can be used by management to take appropriate actions regarding the computer security situation.
- Full Text:
'n Logiese sekuriteitsmodel gebaseer op NCL-grammatikas (A logical security model based on NCL grammars)
- Authors: De Villiers, Daniel Pierre
- Date: 2014-03-18
- Subjects: Data protection , Electronic data processing departments - Security measures
- Type: Thesis
- Identifier: uj:4377 , http://hdl.handle.net/10210/9726
- Description: M.Sc. (Computer Science) , Please refer to full text to view abstract
- Full Text:
A data protection methodology to preserve critical information from the possible threat of information loss
- Authors: Schwartzel, Taryn
- Date: 2011-10-03T07:34:13Z
- Subjects: Data protection , Business communication - Security measures , Business - Computer network resources - Security measures , Computer security management , Electronic commerce - Security measures
- Type: Thesis
- Identifier: uj:7224 , http://hdl.handle.net/10210/3861
- Description: M.Tech. , Information is a company’s greatest asset that is continually under threat from human error, technological failure, natural disasters and other external factors. These threats need to be identified and quantified and their relevant protection techniques need to be deployed. This research will allow businesses to ascertain which of these data protection strategies to embrace and deploy, thereby highlighting the balance between cost and value for their business needs. Every commercial enterprise should understand the business value of their data and realise that protecting this data is of utmost importance. However, company data often resides on different mediums, in different locations and implementing a data protection strategy is not always cost effective in terms of the cost of storage mediums and protection methods. The challenge that businesses face is trying to distinguish mission-critical data from other business data, excluding any non-business or invaluable data that resides on their systems. Thus a cost-effective data protection strategy can be implemented according to the different values of business data. This research provides a model to enable an organisation to:
  - Utilise the model as a framework or guideline in determining a strategy for protection, storage, retrieval and preservation of business critical data.
  - Define the data protection strategy to meet the organisation’s business requirements.
  - Define a cost effective data protection solution that encompasses protection, storage, retrieval and preservation of business critical data.
  - Make strategic decisions based on an array of best practices to ensure mission-critical data is protected accordingly.
  - Draw a conclusion between the costs of implementing these solutions against the real business value of the data that it protects.
- Full Text:
A framework for identifying master data from business processes
- Authors: Ndlozi, Joshua Gugu
- Date: 2016
- Subjects: Database security , Data protection , Knowledge management
- Language: English
- Type: Masters (Thesis)
- Identifier: http://hdl.handle.net/10210/237766 , uj:24367
- Description: M.Com. (Information Technology Management) , Abstract: The recent advancement in information technology has prompted many organisations to review their business strategies. One of the prominent areas concerning business executives is data management. The introduction of new technology such as the ‘internet of things’ continues to present serious challenges within the data management discipline. Systems that used to be siloed are now expected to share data and integrate with other systems. The integration and sharing of data across systems presents serious data management challenges. Business executives are responding to this challenge by turning to master data management. The lack of research studies and research papers in this field shows the immaturity of the master data management discipline. This makes business executives have less interest in master data management and therefore reduces any investment into research on the subject. New data governance legislation and regulations such as those set out in the Protection of Personal Information Act are now forcing business executives to be accountable for the data they own. This presents a serious challenge for business executives as the master data management discipline has not been well-researched. The implementation of a master data management program is very challenging and the current best practices are too generic to be applicable in every company. Within the South African boundaries, there are no known master data management frameworks that can be used to facilitate the implementation of master data management programs. This dissertation uses an exploratory, phenomenographic research approach to learn about master data management. The aim of the exploratory approach was to develop the required knowledge, establish priorities and develop the concepts of master data management more clearly.
One of the challenges of implementing master data management is the identification of master data objects from the business processes. Keywords: Enterprise information management, data management, master data management, information technology, process management, data architecture, information quality, IT portfolio management, information security.
- Full Text:
A model for a secure fully wireless telemedicine system
- Authors: Ngoss, Ngue Baha Djob
- Date: 2008-07-07T09:27:45Z
- Subjects: Wireless telecommunication systems , Telecommunication in medicine , Computer security , Data protection
- Type: Thesis
- Identifier: uj:10227 , http://hdl.handle.net/10210/759
- Description: New wireless communication technology standards are being released every year. Wireless technologies merely differ from one another by their range and speed and can each be selected according to the type of application in use. Mobility and ubiquity are the main benefits that can be extracted by using those technologies. On the other hand, telemedicine is the use of communication technologies to provide medical care and thus avoid the usual face-to-face, physician-to-patient scenario. With telemedicine, a physician can treat a patient located at a remote site. Early telemedicine systems used technologies that were available at the time, such as the telephone. Integrating wireless technologies into telemedicine systems would surely provide a huge boost to the improvement of the delivery of healthcare. However, telemedicine and wireless technologies are both emerging scientific concepts. Scientific concepts always have to face challenges prior to popularisation. The more important barriers to the adoption of wireless telemedicine are security and privacy. Medical practitioners are doing their best to preserve the privacy of their patients. Disclosure of patients’ health information may lead to severe legal sanctions. Security flaws in a wireless telemedicine system would lead to privacy breaches. Patient privacy, which physicians have tried so hard to protect, would consequently be out of their control. This dissertation will achieve two goals. The first goal is to show how different wireless technologies could be integrated into telemedicine to provide different applications. The second goal is to design a fully wireless telemedicine system where the information of patients will flow securely. The model described in this dissertation shows a possible wireless telemedicine scenario using different types of wireless technologies. 
The model also proposes a solution to allow the secure flow of medical information in order to protect the privacy of patients. , Dr. E. Marais
- Full Text:
A model for protecting personal information using Blockchain
- Authors: Jappie, Thauriq
- Date: 2020
- Subjects: Blockchains (Databases) , Data protection
- Language: English
- Type: Master (Thesis)
- Identifier: http://hdl.handle.net/10210/458453 , uj:40721
- Description: Abstract: Users have lost control and ownership of their personal information in Cyberspace. Personal information is scattered across many company databases in Cyberspace and introduces many security risks, as well as a central point of attack that affects any user’s accounts containing personal information. Based on the information gathered on data breaches, the purpose of the research presented within this dissertation is to explore alternative methods that can be applied in Cyberspace. This will allow for the secured ownership and control of personal information. These methods will explore the mitigation of risks to personal information and improve the security of personal information in Cyberspace. By investigating the best methods to own and control personal information, some factors needed to be considered. Personal information would need to be transferable with users or parties in an environment which provides security, integrity, transparency, control, and interaction. In this dissertation, we will develop a model that will address the abovementioned points. The model is called the “SUUS CHAIN” model. “SUUS” means to be independent [1]. The chain is taken from the Blockchain term to indicate and support the use of the Blockchain technologies in this model. To support the development of the SUUS CHAIN model, we have chosen Blockchain technology which utilizes Smart Contracts. The Blockchain technology will provide the needed environment to securely send personal information between two parties while holding the integrity of the message, providing a fully auditable trail, and allow for the development of Smart Contracts. Smart Contracts will allow us to program any rules and conditions set out between two or more parties, concerning their personal information. We would also be allowed to program an authorization mechanism for interacting with user personal information. 
The contribution of our SUUS CHAIN model would be to allow users to own their personal information, as well as control how personal information is handled in Cyberspace. In doing so, we will also contribute to the improvement of securely transacting and sending personal information across Cyberspace. From the information and results accumulated throughout this dissertation, we have provided a working prototype demonstration of the SUUS CHAIN model. We have proven that the problem statement can be solved, and the objectives are met. Our SUUS CHAIN prototype demonstration, as well as the literature results provided, proves the security, control, and ownership of personal information can be accomplished. , M.Sc. (Computer Science)
- Full Text:
A multi-dimensional model for information security management
- Authors: Eloff, Maria Margaretha
- Date: 2011-12-06
- Subjects: Information resources management , Data protection , Computer security , Database management security measures
- Type: Thesis
- Identifier: uj:1794 , http://hdl.handle.net/10210/4158
- Description: D.Phil. , Any organisation is dependent on its information technology resources. The challenges posed by new developments such as the World Wide Web and e-business, require new approaches to address the management and protection of IT resources. Various documents exist containing recommendations for the best practice to follow for information security management. BS7799 is such a code of practice for information security management. The most important problem to be addressed in this thesis is the need for new approaches and perspectives on information security (IS) management in an organisation to take cognisance of changing requirements in the realm of information technology. In this thesis various models and tools are developed that can assist management in understanding, adapting and using internationally accepted codes of practice for information security management to the best benefit of their organisations. The thesis consists of three parts. Chapter 1 and Chapter 2 constitute Part 1: Introduction and Background. In Chapter 1 the problem statement, objectives and deliverables are given. Further the chapter contains definitions of important terminology used in the thesis as well as an overview of the research. Chapter 2 defines various terms associated with information security management in an attempt to eliminate existing confusion. The terms are mapped onto a hierarchical framework in order to illustrate the relationship between the different terms. In Part 2: IS Management Perspectives and Models, consisting of chapters 3, 4, 5 and 6, new approaches to information security management are discussed. In Chapter 3 different perspectives on using a code of practice, such as BS7799 for IS management, are presented. The different perspectives are based on the unique characteristics of the organisation such as its size and functional purpose.
These different perspectives also enable organisations to focus on the controls for specific resources or security services such as integrity or confidentiality. In Chapter 4 these different perspectives of business type/size, the security services and the resources are integrated into a multi-dimensional model and mapped onto BS7799. Using the multi-dimensional model will enable management to answer questions such as: "Which BS7799 controls must a small retail organisation interested in preserving the confidentiality of their networks implement?" In Chapter 5 the SecComp model is proposed to assist in determining how well an organisation has implemented the BS7799 controls recommended for their needs. In Chapter 6 the underlying implemented IT infrastructure, i.e. the software, hardware and network products are also incorporated into determining if the information assets of organisations are sufficiently protected. This chapter combines technology aspects with management aspects to provide a consolidated approach towards the evaluation of IS. The thesis culminates in Part 3: Conclusion, which comprises one chapter only. In this last chapter, Chapter 7, the research undertaken thus far is summarised and the pros and cons of the proposed modelling approach are weighed up. The thesis is concluded with a reflection on possible areas for further research.
- Full Text:
A prototype design for RBAC in a workflow environment
- Authors: Cholewka, Damian Grzegorz
- Date: 2012-02-13
- Subjects: Data protection , Workflow , Computer security , Computer access control
- Type: Thesis
- Identifier: uj:2044 , http://hdl.handle.net/10210/4394
- Description: M.Sc. , Role-based access control (RBAC) associates roles with privileges and users with roles. These associations are, however, static in that changes are infrequent and explicit. In certain instances this does not reflect business requirements. Access to an object should be based not only on the identity of the object and the user, but also on the actual task that must be performed. Context-sensitive access control meets the requirements in that it also considers the actual task, i.e. the context of the work to be done, when deciding whether an access should be granted or not. Workflow technology provides an appropriate environment for establishing the context of work. This dissertation discusses the implementation of a context-sensitive access control mechanism within a workflow environment. Although the prototype represents scaled-down workflow functionality, it illustrates the concept of context-sensitive access control. Access control was traditionally aimed at physically controlling access to a computer terminal. Large doors were put in place and time was divided between users who needed to work on a terminal. Today, however, physical means of restraining access have to a large extent given way to logical controls. Current access control mechanisms frequently burden the end-users with unnecessary security-related tasks. A user may, for example, be expected to assume a specific role at the beginning of a session, resulting in unnecessary multi-logons. Alternatively, users can automatically play the most senior role that they can hold and consequently receive the permissions associated with that role. The user is therefore trusted to implement the security policy and not misuse granted privileges. It is also possible for an end-user to bypass security functionality inadvertently - end-users do not always remember to do the correct thing.
End-users are furthermore not necessarily adequately educated in security principles and may thus regard security-related tasks as hampering the tasks that they regard as being more important.
- Full Text:
A secure, anonymous, real-time cyber-security information sharing system with respect to critical information infrastructure protection
- Authors: Mohideen, Feroze
- Date: 2015
- Subjects: Computer security , Data protection , Computers - Access control , Cyber intelligence (Computer security) , Supervisory control systems
- Language: English
- Type: Masters (Thesis)
- Identifier: http://hdl.handle.net/10210/84671 , uj:19250
- Description: Abstract: Please refer to full text to view abstract , M.Sc.
- Full Text:
A strategy for managing examination security at tertiary institutions in South Africa
- Authors: van Zyl, Marthinus Petrus
- Date: 2012-09-11
- Subjects: Examinations , Management information systems , Higher education management , Computer security , Data protection
- Type: Mini-Dissertation
- Identifier: uj:9958 , http://hdl.handle.net/10210/7354
- Description: M.B.A. , More and more policy makers in South Africa’s educational environment are focusing on the impact of digital developments on lifelong learning, electronic publishing, computer-mediated communication and the growth of virtual universities. Johnson and Scholes (1999:475) state that increased availability and quality of information can enhance an organisation’s competency both by reducing the cost of processes and by improving their quality. Managers need to be clear about how these improvements in information technology should influence the way in which they manage their business processes and the benefits associated with the costs of these electronic services. President Thabo Mbeki has stated that universities have a key role to play in improving the quality of life of all South African citizens since education is the key to unlocking each person's potential and improving the quality of life in general (Le Roux, 2005). Mbeki also emphasized that South African universities should emerge from the current process of change, ready to compete with the best institutions in the world. Mbeki asserted that change must guarantee that South Africa catches up with the best in the world in terms of the generation and use of knowledge capital to create the winning society that South Africa yearns for. It must guarantee that South Africa produces the intelligentsia who must be at the cutting edge of our process of renaissance.
- Full Text:
An analysis of information security governance models
- Authors: Sibanda, Mbusi
- Date: 2012-06-06
- Subjects: Information security governance , Computer networks security , Data protection
- Type: Thesis
- Identifier: uj:2493 , http://hdl.handle.net/10210/4947
- Description: M.Comm. , This study will point out the need for information security governance. Since the risk that a specific information security incident will occur is not always obvious, it is difficult for an organisation to invest time and money in information security governance. An information security governance model should therefore be extensive enough to include all possible security scenarios. This should enable any implementing organisation to prevent or indirectly intervene in the occurrence of security-related incidents within its perimeters. An analysis of the existing models will be conducted and will combine drivers from the corporate governance, information technology governance and information security governance disciplines. It can be expected that the information security governance model will inherit a number of the respective best practice and related documents’ benefits and advantages. These inherited benefits add enormous value to both the best practice model and the information security governance discipline.
- Full Text:
Application of the access path model with specific reference to the SAP R/3 environment
- Authors: Pretorius, Maria Rebecca
- Date: 2014-10-07
- Subjects: Computer security , Data protection , Computers - Access control
- Type: Thesis
- Identifier: uj:12534 , http://hdl.handle.net/10210/12328
- Description: M.Com. (Computer Auditing) , The management and control of modern day computer systems are becoming more and more trying due to the complexity of systems. This renders the traditional approach to evaluating controls in complex computer systems, inadequate and heightens the need for an alternative audit approach. The complex SAP R/3 environment will be evaluated in terms of security and validity of users and processes. This will be achieved through the use of an alternative audit approach namely, the application of the Access Path and Path Context Models (Boshoff 1985, 1990). The research methodology used during this research may indicate universal application implications for similar complex environments, although this has not yet been proved. The research showed that there are many control features available in the different software components of the SAP R/3 environment, that can be applied to control access and validity of users and processes. The duplication of control features provided by the software components, requires a global approach to security in the defined environment. Only when evaluating the environment as a whole, will it be able to make the most effective security decisions. The use of the control matrices developed during this research will ease the global evaluation of the SAP R/3 environment. Although further research is required, the above has proven the usefulness of both the research methodology and the resultant model and matrices.
- Full Text:
Automated secure systems development methodology
- Authors: Booysen, Hester Aletta Susanna
- Date: 2014-11-20
- Subjects: Computers - Access control , Computer security , Data protection
- Type: Thesis
- Identifier: uj:13093 , http://hdl.handle.net/10210/12971
- Description: D.Com. (Informatics) , The complexity of modern computer-based information systems is such that, for all but the simplest of examples, they cannot be produced without a considerable amount of prior planning and preparation. The actual difficulties of trying to design, develop and implement complex computer-based systems have been recognised as early as the seventies. In a bid to deal with what was then referred to as the "software crisis", a number of so-called "methodologies" were advocated. Those methodologies were, in turn, based on a collection of guidelines or methods thanks to which their designers could eventually make the claim that computer systems, and in particular information systems, could be designed and developed with a greater degree of success. By using a clear set of rules, or at least reasonably detailed principles, they could ensure that the various design and development tasks be performed in a methodical, organised fashion. Irrespective of the methodologies or guidelines that were adopted or laid down, the developers' principal aim was to ensure that all relevant detail about the proposed information systems would be taken into account during the long and often drawn-out design and development process. Unfortunately, many of those methodologies and guidelines date from the early 1970s and, as a result, no longer meet the security requirements and guidelines of today's information systems. It was never attempted under any of those methodologies, however, to unriddle the difficulties they had come up against in information security in the domain of system development. Security concerns should, however, form an integral part of the planning, development and maintenance of a computer application. Each application system should, for example, take the necessary security measures in any given situation.
- Full Text:
CESIMAS : a continual evaluative self-aware immune-inspired multi agent critical information infrastructure protection system
- Authors: Van Niekerk, Jan Hendrik
- Date: 2018
- Subjects: Multiagent systems , Artificial immune systems , Ambient intelligence , Computer security , Data protection
- Language: English
- Type: Doctoral (Thesis)
- Identifier: http://hdl.handle.net/10210/292808 , uj:31826
- Description: Abstract: Organisations have become more reliant on electronic assets in recent years, as a shift in focus has driven organisations to make extensive use of Critical Information Infrastructure (CII) to drive various business activities. While there has been a significant paradigm shift during this transition, most organisations have failed to ensure that sufficient security mechanisms are put in place to protect the organisation and their CII from exploitation. Typically, these organisations employ conventional security mechanisms such as a firewall, proxy or anti-virus software, but these approaches are fallible. An organisation can simply not afford to have its CII exploited, as this results in reputational and financial losses. Every single organisation should define their appetite for risk by performing a Risk Value Assessment (RVA). Unfortunately, it is impossible for an organisation to protect its CII against every possible threat, as threats are polymorphic and dynamic in nature. The research proposes a hybrid approach towards improving the Critical Information Infrastructure Protection (CIIP) capabilities within an organisation. The Continual Evaluative Self-aware Immune-inspired Multi Agent Critical Information Infrastructure Protection System (CESIMAS) utilises various concepts and ideal analogies from the research fields of Multi Agent Systems, Artificial Immune Systems, Self-awareness, and Ambient Intelligence to propose a hybrid virtualised metaphysical model. The CESIMAS model utilises various sub-systems and agent types to establish an automated, self-sufficient and self-regulatory eco-system whereby the agents in the model effectively and efficiently attempt to provide an improved CIIP capability within an organisation’s Critical Information Infrastructure.
The CESIMAS model contributes a virtualised meta-physical model, which illustrates how an Ambient Intelligence-based approach can be implemented and modelled to potentially improve the level of CIIP within an organisation. The CESIMAS model proposes and contributes a more efficient and effective agent generation process, parts of which are utilised to improve immune-inspired detection techniques within the model. The model establishes a hybrid approach to self-set maintenance and immune-inspired detection techniques, whilst reducing the computational penalties and constraints. , Ph.D. (Computer Science)
- Full Text:
Compliance at velocity within a DevOps environment
- Authors: Abrahams, Muhammad Zaid
- Date: 2017
- Subjects: Information technology - Security measures , Computer software - Development , Data protection , Computer security
- Language: English
- Type: Masters (Thesis)
- Identifier: http://hdl.handle.net/10210/279418 , uj:30006
- Description: M.Sc. (Informatics) , Abstract: Please refer to full text to view abstract.
- Full Text:
Die ontwikkeling en implementering van 'n formele model vir logiese toegangsbeheer in rekenaarstelsels
- Authors: Edwards, Norman Godfrey
- Date: 2014-03-25
- Subjects: Computers - Access control , Data protection
- Type: Thesis
- Identifier: http://ujcontent.uj.ac.za8080/10210/383727 , uj:4470 , http://hdl.handle.net/10210/9810
- Description: M.Com. (Computer Science) , The area covered in this study is that of logical security models. A logical security model refers to the formal representation of a security policy which allows the subsequent movement of rights between subjects and objects in a system. The best way to illustrate the goal of this study, is with the following abstract from the submitted article, which originated from this study. 'The original protection graph rewriting grammar used to simulate the different operations of the Take/Grant model is reviewed. The productions of the PGR-grammar are then expanded, by adding a new context which is based on the different security classes found in the Bell and LaPadula model [14].' The first goal of this study was to take the Take/Grant security model and expand it. This expansion included the concept of assigning a different security class to each subject and object in the model. This concept was derived from the Bell and LaPadula model as discussed in chapter 2 of this study. The next goal that was defined, was to expand the PGR-grammar of [28], so that it would also be able to simulate the operations of this expanded Take/Grant model. The PGR-grammar consisted of different permitting and forbidding node and edge contexts. This PGR-grammar was expanded by adding an additional context to the formal representation. This expansion is explained in detail in chapter 5 of this study. The third goal was to take the expansions, mentioned above, and implement them in a computer system. This computer system had to make use of an expert system in order to reach certain conclusions. Each of the operations of the Take/Grant model must be evaluated, to determine whether that rule can be applied or not. The use of the expert system is explained in chapters 6 and 7 of this study. This study consists of eight chapters in the following order. Chapter 2 starts off with an introduction of some of the most important logical security models.
This chapter gives the reader background knowledge of the different models available, which is essential for the rest of the study. This chapter, however, does not discuss the Take/Grant model in detail. This is done in chapter 3 of the study. In this chapter the Take/Grant model is discussed as a major input to this study. The Send Receive model is also discussed as a variation of the Take/Grant model. In the last section of the chapter a comparison is drawn between these two models. Chapter 4 formalizes the Take/Grant model. The protection graph rewriting grammar (PGR-grammar), which is used to simulate the different operations of the Take/Grant model, is introduced...
- Full Text:
Die toepassing van ekspertstelseltegnologie binne inligtingsekerheid
- Authors: De Ru, Willem Gerhardus
- Date: 2014-09-18
- Subjects: Expert systems (Computer science) , Data protection , Data security
- Type: Thesis
- Identifier: http://ujcontent.uj.ac.za8080/10210/372918 , uj:12339 , http://hdl.handle.net/10210/12125
- Description: M.Sc. (Computer Science) , Please refer to full text to view abstract
- Full Text:
Encryption technology to address validity in transactions using the GII
- Authors: Gerber, Anton Hendrik
- Date: 2012-09-05
- Subjects: Data encryption (Computer science) , Internet -- Security measures , Electronic commerce , Electronic data interchange , Data protection , Computer security
- Type: Mini-Dissertation
- Identifier: uj:3604 , http://hdl.handle.net/10210/6984
- Description: M.Comm. , The development of electronic commerce resulted in the development of EDI and the use of the Internet to transact these data. This led to the question of whether a security technology existed that could ensure the validity and integrity of transactions. The development of the GII which will not only be used for EDI and other financial transactions, but also in the medical and educational fields, has emphasised this concern of business. Encryption is one of the technologies available which can ensure the validity of transactions during transmission and even during storage. Cryptology entails the encoding and decoding of transaction data before and after transmission through the use of secret and public keys. The following questions should be addressed: The most cost effective solution to business' security concerns; The legal and regulatory issues concerning privacy; Transmission of keys through digital and electronic media resulting in the possible breach of security in the keys themselves; Standards and infrastructures which must be agreed upon and implemented to secure the development of the GII; and Existing internal and external audit methodologies can cater for the audit of the completeness, accuracy, validity and continuity of transactions but the methods and tests to substantiate these objectives will have to change. All of the above points are addressed in the research, except those on the legal and regulatory issues. Each of these points can, however, still be the topic for detailed future research. The objective of this dissertation is to research encryption technology to provide a questionnaire to the auditor ensuring the validity of transactions on the GII. A questionnaire or checklist is presented that could serve as a guideline for auditors when addressing risks in a GII environment.
- Full Text:
Implementing an effective information security awareness program
- Authors: Wolmarans, Amanda
- Date: 2008-07-18T13:41:53Z
- Subjects: Computer security , Data protection
- Type: Mini-Dissertation
- Identifier: uj:7363 , http://hdl.handle.net/10210/811
- Description: The aim of this project and dissertation is to develop an effective information security awareness program that can be implemented within an organization. The project starts with a literature study that focuses on the requirements for an information security awareness program, research that has already been done in this area and behavioural issues that need to be considered during the implementation of such a program. A secondary deliverable of this project is to develop a web-based security awareness program that can be used to make employees more security aware and that should complement a total security awareness program within an organization. Chapter 1 provides an overview of the problem statement, the objectives and structure of the project and dissertation, and the approach that was followed to solve the problem. In chapter 2 the concept of security awareness and the different components it consists of, are defined. The difference between awareness, training, and education, and the importance of implementing a security awareness environment within an organization, will be explained. Chapter 3 discusses the ISO 17799 security standard and what it says about security awareness and the importance of employee training. The security awareness prototype that was developed as part of this study plays a role in achieving the training objective. The Attitude problem is the focus of chapter 4. In order for a security awareness program to be effective, people’s attitude towards change must be changed. It is also important to measure the behavioural change to make sure that the attitude towards change did change. The security awareness prototype is introduced in this chapter and it is mentioned that this can be used to assist an organization to achieve their security awareness goals. Chapter 5 introduces the security awareness prototype in more detail. 
This prototype is an example of a web environment that can be used to train users to a higher degree of security awareness. Chapter 6 goes into more detail about the structure of the security awareness web environment. Access control and how it is achieved is explained. The objectives of the 10 modules and the test at the end of each module are also mentioned. Links and reports can also form part of this prototype to make it a more comprehensive solution. Chapter 7 provides an overview of a case study that I researched. It focuses on research done by Hi-Performance Learning about the human factor that is involved in any training program. I explain how they succeeded in addressing this and people’s sensitivity towards change. Chapter 8 explains the importance of choosing the right course content, learning media and course structure and how this led me to develop a web-based security awareness prototype. Other mechanisms like posters and brochures that can be used as part of a comprehensive security awareness program are discussed in chapter 9. Chapter 10 concludes the dissertation by providing an overview of how the security awareness program can be implemented and managed within an organization. A summary of how the objectives of this project and dissertation were met is given at the end of this chapter. , Von Solms, S.H., Prof.
- Full Text:
Information security in the client/server environment
- Authors: Botha, Reinhardt A
- Date: 2012-08-23
- Subjects: Client/server computing , Data protection , Computers - Access control
- Type: Thesis
- Identifier: uj:3117 , http://hdl.handle.net/10210/6538
- Description: M.Sc. (Computer Science) , Client/Server computing is currently one of the buzzwords in the computer industry. The client/server environment can be defined as an open systems environment. This openness of the client/server environment makes it a very popular environment to operate in. As information is exceedingly accessed in a client/server manner certain security issues arise. In order to address this definite need for a secure client/server environment it is necessary to firstly define the client/server environment. This is accomplished through defining three possible ways to partition programs within the client/server environment. Security, or secure systems, have a different meaning for different people. This dissertation defines six attributes of information that should be maintained in order to have secure information. For certain environments some of these attributes may be unnecessary or of lesser importance. Different security techniques and measures are discussed and classified in terms of the client/server partitions and the security attributes that are maintained by them. This is presented in the form of a matrix and provides an easy reference to decide on security measures in the client/server environment in order to protect a specific aspect of the information. The importance of a security policy and more specifically the influence of the client/server environment on such a policy are discussed and it is demonstrated that the framework can assist in drawing up a security policy for a client/server environment. This dissertation furthermore defines an electronic document management system as a case study. It is shown that the client/server environment is a suitable environment for such a system. The security needs and problems are identified and classified in terms of the security attributes. Solutions to the problems are discussed in order to provide a reasonably secure electronic document management system environment.
- Full Text: