izpis_h1_title_alt

Načrtovanje informacijsko - organizacijske varnosti v rastočem podjetju v fazah od zagonskega podjetja do zrele organizacije
ID ŠKODA, MATJAŽ (Author), ID Trček, Denis (Mentor) More about this mentor... This link opens in a new window

.pdfPDF - Presentation file, Download (1,29 MB)
MD5: F4DDB13C9A9FD859085D05376B2F9D41
PID: 20.500.12556/rul/a1e632f9-7ccf-4cda-85f6-ab83fa475a02

Abstract
Zadnja leta je veliko govora o varnosti in varnostnih politikah v organizacijah in tudi o varnosti na nivoju celotnih držav. Standardi in zakoni le stežka sledijo hitremu napredku na področju informacijsko-komunikacijske tehnologije (IKT). Od organizacij in držav se pričakuje, da bodo zagotavljale varnost svojih sistemov IKT in podatkov ter informacij, ki jih ti sistemi hranijo. V magistrski nalogi v prvem delu predstavim terminologijo in stanje ključnih standardov na področju varnosti IKT. Opišem družino standardov ISO/IEC 27000 za vzpostavitev sistema za upravljanje informacijske varnosti (SUIV), ki ga je v skladu s smernicami moč vpeljati tako v zagonska podjetja kot tudi v velike organizacije. Za mnoge organizacije je neprekinjeno poslovanje ključ do rasti in obstoja na trgu, zato predstavim standarde na področju obvladovanja neprekinjenega poslovanja vključno z načrtom za obnovo IKT po morebitnem škodnem dogodku. Obvladovanje sprememb je v današnjem hitrem tempu pomemben proces, ki se ga organizacije premalo zavedajo. V nadaljevanju zapišem ključne korake za uspešno vpeljavo obvladovanja sprememb v organizacijah. Ključ za dolgoročno uspešno obvladovanje informacijske varnosti leži tudi v transformaciji organizacijske kulture v varnostno organizacijsko kulturo. V šestih točkah zapišem priporočilo za uspešno vpeljavo varnostno-organizacijske kulture. V osrednjem delu naredim analize statističnih podatkov SURS za področje varnosti IKT v slovenskih podjetjih. Pregled obsega posledice varnostnih incidentov, formalne strategije za varno uporabo IKT, seznanitev uslužbencev z njihovimi obveznostmi glede varne uporabe IKT, uporabo varnostnih pripomočkov ali postopkov, obseg uporabe (odprtokodne) programske opreme (PO) ter obseg uporabe prenosnih naprav v podjetjih. V okviru analize izdelam tudi orodje (CVE-analyzer) za pomoč pri analizi ranljivosti PO v povezavi z bazo NVD CVE. S pomočjo dobljenih podatkov in statistične analize preverim štiri hipoteze, vezane na posledice varnostnih incidentov IKT in uporabo odprtokodne PO. V nadaljevanju opišem najpogostejše napake, ki nastanejo pri razvoju PO, in predstavim predloge, kako v procesu razvoja in vzdrževanja povečati varnost PO. V zadnjem delu navedem znane statistične podatke s področja varnostnih incidentov po svetu in na osnovi tega zapišem dodatna priporočila za slovensko gospodarstvo.

Language:Slovenian
Keywords:informacijska varnost, neprekinjeno poslovanje, kultura orga-nizacijske varnosti, posledice varnostnih incidentov, obvladovanje sprememb, NVD CVE, zagonska podjetja, statistični pregled varnosti, slovenska podjetja
Work type:Master's thesis
Organization:FRI - Faculty of Computer and Information Science
Year:2016
PID:20.500.12556/RUL-85520 This link opens in a new window
Publication date in RUL:15.09.2016
Views:2297
Downloads:398
Metadata:XML DC-XML DC-RDF
:
Copy citation
Share:Bookmark and Share

Secondary language

Language:English
Title:Implementation of information security in fast growing enterprises – from startup to large enterprise
Abstract:
IT security and security policies in organizations as well as information security (IS) on the state level have been widely discussed in the last years. Standards and laws hardly keep up with the rapid progress in the field of information and communication technology (ICT). Organisations and states are expected to ensure the security and privacy of their ICT systems. In the first part of this master's thesis, I present basic terminology and standards from the field of ICT security. I describe the ISO/IEC 27000 family of standards for introduction and management of information security management systems (ISMS), which can be in line with the guidelines implemented in start-up companies as well as in large organizations. For many organizations a business continuity is a key to growth and existence on the market. Bearing that in mind, I present the standards in the field of business continuity management, including ICT disaster recovery plan strategy for cases of disruptions. At todays rapid pace, change management is important process of which organizations are not sufficiently aware of. Further, I present key steps for successful implementation of change management into the organizations. The key to successful long-term management of IS is also in the transformation of the organizational culture into the security organizational culture. On the basis of simple six-step plan I make a recommendation for successful implementation of the security organizational culture. In the central part of the thesis, I analyse statistical data collected by the Statistical Office of the Republic of Slovenia (SURS) related to ICT security in Slovenian enterprises. The review covers ramifications of ICT related security incidents, formally defined ICT security policies and reviews, informing of the staff of their obligations in ICT related issues, usage of internal security facilities or procedures, usage of (open source) software in enterprises and provision of portable devices with mobile Internet access by type and purpose in enterprises. In order to help me with the analysis, I also created a tool (CVE-analyzer) to help me with the analysis of software vulnerabilities according to data from NVD CVE database. On the basis of obtained data and statistical analysis I check four hypotheses related to ramifications of ICT related security incidents and the use of open source software in Slovenian enterprises. Further on, I present the most common mistakes in software development process and introduce the proposals for increasing of software security in development and maintenance process. In the last part, I introduce world-wide statistical data from the field of data security incidents and on their basis I propose additional recommendations for the Slovenian economy.

Keywords:information security, business continuity, organizational security culture, security incidents, change management, NVD CVE, startup companies, statistical review of security, Slovenian enterprises

Similar documents

Similar works from RUL:
Similar works from other Slovenian collections:

Back