The information security policy: an important information security management control.
- Authors: Hone, Karin
- Date: 2008-04-22T06:36:17Z
- Subjects: computer security , computer security management , computer security standards , data protection
- Type: Thesis
- Identifier: uj:8549 , http://hdl.handle.net/10210/274
- Description: This study originated from the realisation that the information security industry has identified the information security policy as one of the most important information security management controls. Within the industry there are, however, differing views as to what constitutes an information security policy, what it should contain, how it should be developed and how it should best be disseminated and managed. Numerous organisations claim to have an information security policy, but admit that it is not an effective control. The principal aim of this study is to make a contribution to the information security discipline by defining what an information security policy is, where it fits into the broader information security management framework, what elements an effective policy should contain, how it should be disseminated and how the document is best kept relevant, practical, up-to-date and efficient. The study develops and documents various processes and methodologies needed to ensure the effectiveness of the information security policy, such as the dissemination process and the information security policy management lifecycle. The study consists of five parts, of which Part I serves as introduction to the research topic. It provides background information to the topic and lays the foundation for the rest of the dissertation. Chapter 1 specifically deals with the research topic, the motivation for it and the issues addressed by the dissertation. Chapter 2 looks at the concept of information security management and what it consists of, highlighting the role an information security policy has to play in the discipline. Chapter 3 introduces the various international information security standards and codes of practice that are referred to, examined and analysed in the dissertation. This chapter specifically highlights how and to what extent each of these address the topic of the information security policy. 
Part II introduces the concept of the information security policy. Chapter 4 provides the background to what an information security policy is and where it fits into the broader structure of an organisation’s governance framework. Chapter 5 specifies what an effective information security policy is and what components are needed to ensure its success as an information security control. Part III expands the components of an effective information security policy as introduced in Chapter 5. This part consists of Chapters 6 to 8, with each of these addressing a single component. Chapter 6 further investigates the development of the information security policy. The dissemination of the document is discussed in Chapter 7 and Chapter 8 expands the concept of the information security policy management lifecycle. Part IV consists of Chapter 9, which deals with a case study applying the various processes and methodologies defined in the previous part. The case study deals with a fictitious organisation and provides detailed background information to indicate how the organisation should approach the development and dissemination of the information security policy. Some of the examples constructed from the case study include a sample information security policy and a presentation to be used as introduction to the information security policy. The dissertation is concluded in Chapter 10. This chapter provides a summarised overview of the research and the issues addressed in it. , Prof. J.H.P. Ehlers
- Full Text:
Secure multimedia databases.
- Authors: Pedroncelli, Antony
- Date: 2008-06-02T13:08:07Z
- Subjects: Multimedia systems , access control , computer security , data protection , databases
- Type: Thesis
- Identifier: uj:8748 , http://hdl.handle.net/10210/509
- Description: A message can be communicated to other people using a combination of pictures, sounds, and actions. Ensuring that the message is understood as intended often depends on the presentation of these forms of multimedia. In today’s digital world, traditional multimedia artefacts such as paintings, photographs, audiotapes and videocassettes, although still used, are gradually being replaced with a digital equivalent. It is normally easy to duplicate these digital multimedia files, and they are often available within public repositories. Although this has its advantages, security may be a concern, especially for sensitive multimedia data. Information security services such as identification and authentication, authorisation, and confidentiality can be implemented to secure the data at the file level, ensuring that only authorised entities gain access to the entire multimedia file. It may not always be the case however that a message must be conveyed in the same way for every entity (user or program) that makes a request for the multimedia data. Although access control measures can be ensured for the multimedia at the file level, very little work has been done to ensure access control for multimedia at the content level. A number of models will be presented in this dissertation that should ensure logical access control at the content level for the three main types of multimedia, namely images, audio, and video. In all of these models, the multimedia data is securely stored in a repository, while the associated security information is stored in a database. The objects that contain the authorisation information are created through an interface that securely communicates with the database. Requests are made through another secure interface, where only the authorised multimedia data will be assembled according to the requesting entity’s security classification. Certain important side issues concerning the secure multimedia models will also be discussed. 
This includes security issues surrounding the model components and suspicion, i.e. reducing the probability that a requesting entity would come to the conclusion that changes were made to the original multimedia data. , Prof. M.S. Olivier
- Full Text:
Infosure: an information security management system.
- Authors: Venter, Diederik Petrus
- Date: 2008-06-04T09:27:26Z
- Subjects: data protection , computer network security , computer security management
- Type: Thesis
- Identifier: uj:8804 , http://hdl.handle.net/10210/520
- Description: Information constitutes one of an organisation’s most valuable assets. It provides the modern organisation with a competitive edge and in some cases, is a requirement merely to survive. An organisation has to protect its information but due to the distributed, networked environment of today, faces a difficult challenge; it has to implement a system of information security management. Software applications can provide significant assistance in managing information security. They can be used to provide for centralised feedback of information security related activities as well as for centralised configuration activities. Such an application can be used in enforcing compliance to the organisation’s information security policy document. Currently there are a number of software products that provide this function in varying measures. In this research the major players in this space were examined to identify the features commonly found in these systems, and where they were lacking in terms of affordability, flexibility and scalability. A framework for an information security management application was defined based on these features and requirements and incorporating the idea of being affordable, but still flexible and extendable. This shifted the focus from attempting to provide a comprehensive list of interfaces and measurements into general information security related activities, to focusing on providing a generic tool that could be customised to handle any information fed back to it. The measurements could then be custom-developed as per the needs of the organisation. This formed the basis on which the prototype information security management application (InfoSure) was developed. , Prof. S.H. Solms
- Full Text:
Information security culture.
- Authors: Martins, Adele
- Date: 2008-04-24T12:34:55Z
- Subjects: computer security , data protection
- Type: Thesis
- Identifier: uj:8610 , http://hdl.handle.net/10210/292
- Description: The current study originated from the realisation that information security is no longer solely dependent on technology. Information security breaches are often caused by users, most of the time internal to the organisation, who compromise the technology-driven solutions. This interaction between people and the information systems is seemingly the weakest link in information security. A people-oriented approach is needed to address this problem. Incorporating the human element into information security could be done by creating an information security culture. This culture can then focus on the behaviour of users in the information technology environment. The study is therefore principally aimed at making a contribution to information security by addressing information security culture and, for this reason, culminates in the development of an information security culture model and assessment approach. While developing the model, special care was taken to incorporate the behaviour of people in the working environment and hence organisational behaviour coupled with issues concerning information security culture that need to be addressed. An information security culture assessment approach is developed consisting of a questionnaire to assess whether an organisation has an adequate level of information security culture. The assessment approach is illustrated through a case study. Below is an overview of the framework within which the research was conducted: The dissertation consists of four parts. Chapters 1 and 2 constitute Part 1: Introduction and background. Chapter 1 serves as an introduction to the research study by providing the primary motivation for the study and defining the problems and issues to be addressed. In addition, the chapter is devoted to defining a set of standard terms and concepts used throughout the study. The chapter concludes with an overview of the remaining chapters. 
Chapter 2 gives some background to information security culture and discusses its evolution to date. There is a new trend in information security to incorporate the human element through an information security culture. Information security is divided into two different levels. Level 1 focuses on the human aspects of information security, such as the information security culture, and level 2 incorporates the technical aspects of information security. Part 2: Information security culture model is covered in chapters 3, 4 and 5. In chapter 3, the concept of information security culture is researched. Different perspectives are examined to identify issues that need to be considered when addressing information security culture. A definition of information security culture is constructed based on organisational culture. Chapter 4 is devoted to developing a model that can be used to promote an information security culture. This model incorporates the concept of organisational behaviour as well as the issues identified in chapter 3. Chapter 5 builds upon the information security culture model and aims to identify practical tasks to address in order to implement the model. In Part 3: Assessing information security culture, chapters 6 to 10, attention is given to the assessment of an information security culture, giving management an indication of how adequately the culture is promoted through the model. Chapter 6 considers the use of available approaches such as ISO17799 to aid in promoting and assessing an information security culture. This approach is evaluated against the definition of information security culture and the information security culture model in order to determine whether it could assess information security culture in an acceptable manner. The next four chapters, namely chapters 7 to 10, are devoted to the development of an information security culture assessment approach consisting of four phases. Chapter 7 discusses phase 1. 
In this phase a questionnaire is developed based on the information security culture model. Chapter 8 uses the information security culture questionnaire as part of a survey in a case study. This case study illustrates phase 2 as well as what information can be obtained through the questionnaire. In chapter 9 the data obtained through the survey is analysed statistically and presented (phase 3). The level of information security culture is then discussed in chapter 10, with interpretations and recommendations to improve the culture (phase 4). Chapter 11 in Part 4: Conclusion serves as a concluding chapter in which the usefulness and limitations of the proposed model and assessment approach are highlighted. The research study culminates in a discussion of those aspects of information security culture that could bear further research. , Prof. J.H.P. Eloff
- Full Text:
Information security in web-based teleradiology.
- Authors: Psaros, Vasiliki Chrisovalantou
- Date: 2008-06-04T09:25:56Z
- Subjects: computer security , data protection , internet security , telecommunication in medicine , picture archiving and communication systems , radiology
- Type: Thesis
- Identifier: uj:8781 , http://hdl.handle.net/10210/513
- Description: Health care organisations operate in a field that is driven by patient, business and legislative demands. Now, Information Technology (IT) is starting to exert its powers on this field. A revolution is taking place in the health care field, and IT is playing an increasingly important role. This study originated from realising that medical staff were using technology to help them receive patient studies and do a diagnosis. Health care professionals are very dependent on the availability of the computer systems and on the accuracy of the data that is stored. While health care records may contain information that is of utmost sensitivity, this information is only useful if it is shared with the health care providers and the system under which the patient receives his/her care. The latter trend marks an ever-growing need to protect the confidentiality and integrity of health care information, while at the same time ensuring its availability to authorised health care providers. It has to be acknowledged that a complete protection of data is, in practice, infeasible and impossible. Many systems are not secure, making them vulnerable to attacks. Health care facilities have a challenge of keeping up-to-date with the legal requirements that apply to patient records in order to protect the confidentiality, integrity and availability of patient data. This study is aimed at examining the information security of the data in a teleradiology system that is used by a health care facility, and to provide recommendations on how the security can be improved. , Prof. S.H. von Solms
- Full Text:
Enforcing Privacy on the Internet.
- Authors: Lategan, Frans Adriaan
- Date: 2008-06-02T10:16:50Z
- Subjects: internet , internet security , computer security , data protection , right of privacy
- Type: Thesis
- Identifier: uj:2507 , http://hdl.handle.net/10210/495
- Description: Privacy of information is becoming more and more important as we start trusting unknown computers, servers and organisations with more and more of our personal information. We distribute our private information on an ever-increasing number of computers daily, and we effectively give target organisations carte blanche to do what they want with our private information once they have collected it. We have only their privacy policy as a possible safeguard against misuse of our private information. Thus far, no reliable and practical method to enforce privacy has been discovered. In this thesis we look at ways to enforce the privacy of information. In order to do this, we first present a classification of private information based on the purpose it is acquired for. This will then enable us to tailor protection methods in such a way that the purpose the information is acquired for can still be fulfilled. We propose three distinct methods to protect such information. The first method, that of nondisclosure, is where private information is required not for the contents, but as input to verify calculations. We shall present an encryption method to protect private information where the private information consists of a set of numeric values S on which some function G has to be applied and the result G(S) has to be supplied to a target organisation. The calculation of the result must be verifiable by the target organisation, without disclosing S. The second method, that of retaining control, is a method by which we can grant limited access to our private information, and thus enforce the terms of privacy policies. The final method we present is a conceptual method to extend P3P in order to add more flexibility to the decision on whether or not a given item of private information will be supplied to a target organisation by using the Chinese Wall security policy. This will enable a user not only to define rules as to which items of private information he would disclose, but also to define what collection of private information any given organisation would be able to build about him. , Olivier, M.S., Prof.
- Full Text:
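The third method in the record above applies the Chinese Wall security policy (Brewer and Nash) to disclosure decisions. The following is an added example, not code from the thesis: it implements the classic Chinese Wall read rule over a user's private data items. The mapping is an assumption made here for illustration: each item belongs to a "dataset" (items the user is willing to release together), datasets are grouped into conflict-of-interest classes (datasets that, combined by one organisation, would build a profile the user wants to prevent), and an organisation may receive an item only if it already holds an item from the same dataset, or holds nothing from any other dataset in that class. The policy tables and the request sequence are constructed sample data.

```python
"""Chinese Wall (Brewer-Nash) evaluation of privacy-disclosure requests.

Added example, not the thesis's own code. Only the Chinese Wall read (disclosure)
rule is modelled; the write rule, which limits information flow between
organisations, is outside what a single user can enforce and is not shown.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample policy (assumption, not taken from the thesis).
# dataset -> conflict-of-interest class (None: no conflict, always releasable)
DATASETS: dict[str, str | None] = {
    "location": "re-identification",
    "demographics": "re-identification",
    "contact": "marketing",
    "purchases": "marketing",
    "public": None,
}

# private data item -> dataset it belongs to
ITEMS: dict[str, str] = {
    "postcode": "location", "city": "location",
    "birth_date": "demographics", "gender": "demographics",
    "email": "contact", "phone": "contact",
    "last_order": "purchases",
    "display_name": "public",
}


@dataclass
class DisclosureState:
    """Per-organisation history of what has already been disclosed (the 'wall')."""

    held: dict[str, set[str]] = field(default_factory=dict)  # org -> items

    def datasets_held(self, org: str) -> set[str]:
        return {ITEMS[item] for item in self.held.get(org, set())}

    def may_disclose(self, org: str, item: str) -> bool:
        """Chinese Wall read rule applied to a disclosure request."""
        if item not in ITEMS:
            raise KeyError(f"unknown private data item {item!r}")
        dataset = ITEMS[item]
        coi_class = DATASETS[dataset]
        # Items outside any conflict class, or from a dataset already partly
        # held by this organisation, may always be released.
        if coi_class is None or dataset in self.datasets_held(org):
            return True
        # Otherwise deny if the organisation already holds anything from a
        # different dataset in the same conflict-of-interest class.
        return all(DATASETS[d] != coi_class for d in self.datasets_held(org))

    def disclose(self, org: str, item: str) -> bool:
        """Release the item if the policy allows it; record the release."""
        if not self.may_disclose(org, item):
            return False
        self.held.setdefault(org, set()).add(item)
        return True


def simulate(requests: list[tuple[str, str]]) -> list[tuple[str, str, bool]]:
    """Run a sequence of (organisation, item) requests against a fresh wall."""
    state = DisclosureState()
    return [(org, item, state.disclose(org, item)) for org, item in requests]


if __name__ == "__main__":
    # Constructed request sequence: once "shop" holds a location item it is
    # refused demographics, because together they would re-identify the user.
    for org, item, ok in simulate([
        ("shop", "postcode"), ("shop", "city"), ("shop", "birth_date"),
        ("shop", "email"), ("shop", "last_order"),
        ("bank", "birth_date"), ("bank", "postcode"), ("shop", "display_name"),
    ]):
        print(f"{org:5} {item:13} {'released' if ok else 'refused'}")
```

The decision depends on the organisation's history, not only on the item requested, which is what lets the user bound the collection any one organisation can assemble. A real deployment would have to persist the `held` history across sessions, since a fresh state re-opens the wall.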
A privacy protection model to support personal privacy in relational databases.
- Authors: Oberholzer, Hendrik Johannes
- Date: 2008-06-02T13:07:53Z
- Subjects: data protection , confidential communications , records access control , relational databases security
- Type: Thesis
- Identifier: uj:8729 , http://hdl.handle.net/10210/507
- Description: The individual of today incessantly insists on more protection of his/her personal privacy than a few years ago. During the last few years, rapid technological advances, especially in the field of information technology, directed most attention and energy to the privacy protection of the Internet user. Research was done and is still being done covering a vast area to protect the privacy of transactions performed on the Internet. However, it was established that almost no research has been done on the protection of the privacy of personal data that are stored in tables of a relational database. Until now the individual had no say in the way his/her personal data might have been used, indicating who may access the data or who may not. The individual also had no way to indicate the level of sensitivity with regard to the use of his/her personal data or exactly what he/she consented to. Therefore, the primary aim of this study was to develop a model to protect the personal privacy of the individual in relational databases in such a way that the individual will be able to specify how sensitive he/she regards the privacy of his/her data. This aim culminated in the development of the Hierarchical Privacy-Sensitive Filtering (HPSF) model. A secondary aim was to test the model by implementing the model into query languages and as such to determine the potential of query languages to support the implementation of the HPSF model. Oracle SQL served as an example for text or command-based query languages, while Oracle SQL*Forms served as an example of a graphical user interface. Eventually, the study showed that SQL could support implementation of the model only partially, but that SQL*Forms was able to support implementation of the model completely. An overview of the research approach employed to realise the objectives of the study: At first, the concepts of privacy were studied to narrow down the field of study to personal privacy and the definition thereof. 
Problems that relate to the violation or abuse of the individual’s personal privacy were researched. Secondly, the right to privacy was researched on a national and international level. Based on the guidelines set by organisations like the Organisation for Economic Co-operation and Development (OECD) and the Council of Europe (COE), requirements were determined to protect the personal privacy of the individual. Thirdly, existing privacy protection mechanisms like privacy administration, self-regulation, and automated regulation were studied to see what mechanisms are currently available and how they function in the protection of privacy. Probably the most sensitive data about an individual is his/her medical data. Therefore, to conclude the literature study, the privacy of electronic medical records and the mechanisms proposed to protect the personal privacy of patients were investigated. The protection of the personal privacy of patients seemed to serve as the best example to use in the development of a privacy model. Eventually, the Hierarchical Privacy-Sensitive Filtering model was developed and introduced, and the potential of Oracle SQL and Oracle SQL*Forms to implement the model was investigated. The conclusion at the end of the dissertation summarises the study and suggests further research topics. , Prof. M.S. Olivier
- Full Text:
A framework for ethical information security.
- Authors: Trompeter, Colette
- Date: 2008-05-06T10:10:35Z
- Subjects: computer security , data protection , information technology , business ethics
- Type: Thesis
- Identifier: uj:6742 , http://hdl.handle.net/10210/314
- Description: Organisations are under constant pressure to comply with information security requirements. However, this seldom happens. Information security is like a patchwork quilt - the protection it provides is only as good as its weakest stitch. The electronic business revolution has compounded this situation, as millions of dollars are being tossed about, and rules and regulations have yet to be written. Another problem is that information has to be protected over a geographically dispersed network. It stands to reason then that instances of unethical, even criminal, behaviour are growing exponentially. The principal aim of this research was to consider information security from an ethical perspective. Information security has been a well researched topic for several years. Therefore an investigation was carried out as to whether information security conforms to what individuals and organisations deem as being morally and behaviourally correct. An investigation was carried out into the age-old philosophy of ethically correct behaviour. This was then applied to information security and three ethical information security controls were identified that could provide protection in this e-business environment. A framework was developed to illustrate how a “pillar of strength” can be established in organisations to create an awareness of ethically correct behaviour in securing information. This framework was applied to recently accepted information security standards to test their applicability to the creation of ethical awareness. The research concludes by determining the ability of organisations to adhere to ethically correct behavioural patterns in information security. , Prof. J.H.P. Eloff
- Full Text:
A model to assess the Information Security status of an organization with special reference to the Policy Dimension.
- Authors: Grobler, Cornelia Petronella
- Date: 2008-05-29T08:31:57Z
- Subjects: computer security , data protection , ISO 17799
- Type: Thesis
- Identifier: uj:2430 , http://hdl.handle.net/10210/488
- Description: Information Security is becoming a high-priority issue in most organizations. Management is responsible for the implementation of security in the organization. Information Security is a multi-dimensional discipline. A well-defined Information Security Management strategy will enable managers to manage security effectively and efficiently in the organization. Management must be able to assess the current security status of the organization. Currently, no comprehensive, integrated assessment tool or model exists to assess the total security posture of an organization. The study will address the problem by proposing a high-level integrated assessment model for Information Security. The study is divided into 4 parts. Part one, Introduction to Information Security Management, consists of three chapters. Chapter 1 provides the user with an introduction and background to the study. In chapter 2, the study discusses Information Security as a multi-dimensional discipline. The dimensions identified are the Corporate Governance (Strategic and Operational), Policy, People, Risk Management, Legal, Compliance and Technology dimensions. Information Security is no longer a technical issue; it must be managed. The need for an Information Security Management strategy is discussed in chapter 3 of the study. A successful management strategy should be based on a well-defined Information Security Architecture. Part 2 of the study, Information Security Architectures, consists of one chapter. Chapter 4 of the study discusses and compares different Information Security Architectures. The study uses the information gathered from the comparative study and best practices, CobiT and ISO17799, to propose a new Information Security Architecture: RISA. The study uses this architecture as a framework for the assessment model. Part 3, Assessing security, consists of five chapters. Chapter 5 discusses the characteristics of assessment and proposes an assessment framework. The study recognizes that assessment on the different levels of an organization will be different, as the assessment requirements on management level will differ from the requirements on a technical level. It is important to use best practices in the assessment model as it enables organizations to prove their security readiness and status to business partners. Best practices and standards enable organizations to implement security in a structured way. Chapter 6 discusses the ISO17799 and CobiT as best practices and their role in the assessment process. Chapter 7 of the study discusses various factors that will influence security assessment in an organization. These factors are the size of the organization, the type of organization and the resources that need to be secured. The chapter briefly discusses the various dimensions of Information Security and identifies deliverables to assess for every dimension. The chapter proposes a high-level, integrated assessment plan for Information Security, using the deliverables identified for each dimension. The study refines the assessment plan for the Policy Dimension in chapter 8. The chapter proposes various checklists to determine the completeness of the policy set, the correct format of every documented policy and whether supporting documentation exists for every documented policy. A policy status result will be allocated to each policy that the organization needs. The status results of all the individual policies will be combined to determine the security status of the Policy dimension. The study proposes an integrated high-level assessment model in chapter 9 of the study. This model uses the RISA and assessment plan as proposed in chapter 7. It includes all the specified dimensions of Information Security. The assessment model will enable management to obtain a comprehensive high-level picture of the total security posture of an organization. Chapter 10 will summarize the research done and propose further research to be done. , Prof. S.H. von Solms
- Full Text:
CoSAWoE - a model for context-sensitive access control in workflow environments.
- Authors: Botha, Reinhardt A
- Date: 2008-05-29T08:31:19Z
- Subjects: workflow , data protection , computer security , computers access control
- Type: Thesis
- Identifier: uj:2407 , http://hdl.handle.net/10210/485
- Description: Due to the correspondence between the role abstraction in Role-based Access Control (RBAC) and the notion of organizational positions, it seems easy to construct role hierarchies. This is, however, a misconception. This paper argues that, in order to reflect the functional requirements, a role hierarchy becomes very complex. In a bid to simplify the design of role hierarchies suitable for the expression of access control requirements in workflow systems, the paper proposes a “typed” role hierarchy. In a “typed” role hierarchy a role is of a specific type. The associations between different types of roles are limited by rules that govern the construction of a role hierarchy. This paper proposes a methodology to systematically construct a “typed” role hierarchy. Since the “typed” nature of the role hierarchy is only relevant during the construction of the role hierarchy, it can seamlessly be integrated into existing RBAC schemes that support the concept of role hierarchies. , Eloff, J.H.P., Prof.
- Full Text:
Institutionalizing information security.
- Authors: Von Solms, Elmarie
- Date: 2008-06-04T11:26:29Z
- Subjects: microcomputer access control , computer security , data protection
- Type: Thesis
- Identifier: uj:8826 , http://hdl.handle.net/10210/523
- Description: Information security has become a much discussed subject all over the world in the last few years. This is because information security is no longer a luxury, but a necessity in all organisations. The securing of information is not an easy task because information security is flexible and always seems to be in a state of development. This means that information security has undergone different development changes due to new technologies in the past few years. Information security became prominent around 50 years ago and had a very strict technical approach. In this approach, industries mainly worked with mainframes, with little or no concept of management aspects such as security policies or awareness programmes. The technical approach thus included little or no management effort in terms of information security. The need to manage information security began when new technologies such as the Internet and the World Wide Web were introduced to the information security environment. This caused information security to shift from the technical to the more managerial approach. The move of information security from the technical to the managerial approach may be identified through different development trends. These development trends have occurred mainly to improve information security management in any organisation. The primary purpose of this dissertation is therefore to identify and investigate different development trends that have an influence on information security, especially from a managerial point of view. , Prof. J.H.P. Eloff
- Full Text: