Mariana Gerber
Nelson Mandela Metropolitan University
Publication
Featured research published by Mariana Gerber.
Computers & Security | 2001
Mariana Gerber; Rossouw von Solms
Risk analysis used to play a major role in identifying security controls to protect computer and related infrastructures. Today, the emphasis has moved to the protection of information and it seems as if the traditional way of identifying security controls needs to be modernized. This paper studies the evolution of the computer and related technologies and the protection thereof. It further analyses whether an alternative approach to risk analysis should be used to effectively identify the most suitable security controls to protect information as a resource.
Computers & Security | 2008
Mariana Gerber; Rossouw von Solms
With information security being the focal point of business in the media and in legislatures around the world, organisations face complex requirements to comply with security and privacy standards and regulations. The escalating magnitude of national and international laws and regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley and Basel II, caused organisations to become increasingly aware of the importance of legal compliance and the obligations that arise from it. The challenge of meeting these obligations has become a complex web of requirements that grows exponentially as organisations cross international boundaries. This paper attempts to provide an interpretation of the legal aspects, as a starting point for clarifying compliance issues, as referred to by ISO/IEC 27002 (ISO/IEC 27002, 2005; previously known as ISO/IEC 17799, 2005). ISO/IEC 27002 further mentions three sources from which information security requirements can be derived, of which one will be focused on within this paper, namely the legal requirements. The interpretation of the legal aspects thus forms the foundation for motivating a proposed model for determining legal requirements, which in turn, indicates relevant information security controls from the list provided in ISO/IEC 27002, to satisfy the identified legal requirements.
Information Management & Computer Security | 2001
Mariana Gerber; Rossouw von Solms; Paul L. Overbeek
Risk analysis, concentrating on assets, threats and vulnerabilities, used to play a major role in helping to identify the most effective set of security controls to protect information technology resources. To successfully protect information, the security controls must not only protect the infrastructure, but also instill and enforce certain security properties in the information resources. To accomplish this, a more modern top‐down approach is called for today, where security requirements driven by business needs dictate the level of protection required.
ist-africa week conference | 2016
Petrus M.J. Delport; Rossouw von Solms; Mariana Gerber
One of the main objectives of local government is the effective delivery of services. Information and Communication Technology (ICT) plays a major role in this regard. Various best practices and standards indicate the importance of corporate governance of ICT across all types of sectors. According to the Auditor General, in the South African context, there exists a definite lack in implementing corporate governance of ICT. Due to the complexity of the current corporate governance of ICT structure, local government is challenged with implementing sound corporate governance of ICT. Through the extensive use of a literature survey and semi-structured interviews, an architecture is proposed to address this issue of complexity. This architecture can aid local government in the corporate governance of ICT. This not only applies to South Africa, but also possibly to the rest of Africa.
ist-africa week conference | 2016
Noluvuyo Fani; Rossouw von Solms; Mariana Gerber
Information is a critically important asset; and it will always influence the way an organization conducts its business processes. Like any important business asset in an organization, there must be the assurance that the business information and related technologies are both protected and secure. Like any era in the advancement of technology, there is a new phenomenon that has grown in status: “Bring Your Own Device (BYOD)”. BYOD combines the official organizational devices required to function at work, together with the personal mobile device. There are many benefits to implementing BYOD; but because many risks are associated; and since BYOD is a new phenomenon, it can be difficult for organizations to manage in a secure manner. Therefore, this paper will provide a basic guideline to Executive Management on how they can govern and manage the BYOD phenomenon in SMMEs in a responsible way.
ist-africa week conference | 2016
Joshua De Lange; Rossouw von Solms; Mariana Gerber
Information and Communication Technology (ICT) has become so pervasive in most organizations, that business functions are almost completely dependent on it. ICT is the platform that enables most of the organization's information processing and storage. Within the context of local government, this is also the case as ICT plays a crucial role in achieving their goal of service delivery to their communities. Due to its high importance, the information and related ICT systems should be adequately protected by the process of information security management. However, the problem remains that the efforts of local government in addressing information security are unsatisfactory. In order to address this, the objective of this paper is to propose an architecture, combined with a process model, which aims to assist local government to improve their information security management. This architecture and process model was refined by engaging with practitioners within local government and is not only applicable to South Africa, but also the rest of Africa.
IFIP World Conference on Information Security Education | 2009
Marius Potgieter; Craig Marais; Mariana Gerber
A call for adopting information security awareness amongst end-users has been suggested over the years. Adoption can occur through various methods. These methods each hold their own characteristics, whether being of a positive or negative nature. The challenge to find an appropriate method on which to establish and engage in a security dialog with a user has been written on extensively over the past few years. A number of common key points have been raised in research that addresses information security awareness and how it is conveyed to users. Additional to these common key points, this paper suggests using browser integration as a medium to promote security values and provide security suggestions based on a specific user’s behavioural pattern.
ist-africa week conference | 2017
Petrus M.J. Delport; Rossouw von Solms; Mariana Gerber
Information and Communication Technology (ICT) has become critical and pervasive in any well-run modern enterprise across all sectors, which include local government. As a result, ICT demands to be managed and governed in a sustainable manner. Therefore, local government should accept the responsibility of implementing good Corporate Governance of ICT (CGICT). Without sound CGICT, ICT is unable to support local government in the achievement of their strategic objectives. Even though various frameworks exist in guiding local government with implementing good CGICT, the Auditor-General of South Africa reports that local government's attempts are unsatisfactory in this regard. In order to aid local government, a framework for good CGICT was developed. The aim of this framework is to guide local government with ‘how’ to implement good CGICT. With this in mind, this paper will report on the validation process of the entire framework for good CGICT in local government.
ist-africa week conference | 2016
Ruan Koen; Rossouw von Solms; Mariana Gerber
Information and Communication Technology is a critical enabler for service delivery in local government. The importance of adequate business and ICT continuity should therefore not be understated. Effective ICT Readiness, as part of the wider Business Continuity system, enables ICT to be more resilient and able to recover should an incident or disaster occur. However, within South African local government, ICT continuity controls are found to be ineffective. This is an ongoing problem reported by the Auditor-General of South Africa. The objective of this paper is therefore to propose a model, based on literature and a design-oriented research approach, for the implementation and operation of ICT readiness in local government - applicable throughout the continent of Africa.
ist-africa week conference | 2016
Unathi Mcube; Mariana Gerber; Rossouw von Solms
Information Technology (IT) has become an integral part of conducting business within organizations including local government. Local government depends heavily on the use of IT to achieve its goals and objectives. The use of IT poses a number of risks within local government. Thus it is important for IT to be governed adequately. Core to the governance of IT is the process of risk management. To conduct effective risk management, an adequate risk assessment must be conducted within its given context. The Auditor General identified a lack of adequate risk assessments within local government in South Africa. The objective of this paper is to propose an automated scenario-based IT risk assessment process model for local government to improve risk assessment. The research study followed a design-oriented IS research approach to devise and revise the process model.