Information Security Management Systems In Marshal Offices In Poland

INFORMATION SYSTEMS IN MANAGEMENT
Systemy informatyczne w zarządzaniu
Vol. 3 2014 No. 2
Quarterly
Information Systems in Management
Primary version of the journal is an electronic version.
Editor
Department of Informatics, Warsaw University of Life Sciences SGGW
Editorial Committee
Dr hab. inż. Arkadiusz Orłowski – Editor-in-Chief
Dr Piotr Łukasiewicz – Scientific Secretary / Executive Editor
Prof. nadzw. Kris Gaj – Linguistic Editor
Dr hab. Wiesław Szczesny – Statistical Editor
Dr Piotr Łukasiewicz – Technical Editor
Editorial Council
Dr hab. inż. Arkadiusz Orłowski – Szkoła Główna Gospodarstwa Wiejskiego w Warszawie – Chairman
Prof. dr hab. inż. Ryszard Budziński – Uniwersytet Szczeciński
Prof. dr hab. Witold Chmielarz – Uniwersytet Warszawski
Dr hab. inż. Leszek Chmielewski – Szkoła Główna Gospodarstwa Wiejskiego w Warszawie
Dr hab. Maciej Janowicz – Szkoła Główna Gospodarstwa Wiejskiego w Warszawie
Dr inż. Waldemar Karwowski – Szkoła Główna Gospodarstwa Wiejskiego w Warszawie
Prof. Yuiry Kondratenko – Black Sea State University, Ukraine
Prof. dr hab. Marian Niedźwiedziński – Uniwersytet Łódzki
Dr inż. Jerzy Pejaś – Zachodniopomorski Uniwersytet Technologiczny w Szczecinie
Dr hab. Marian Rusek – Szkoła Główna Gospodarstwa Wiejskiego w Warszawie
Dr hab. inż. Ludwik Wicki – Szkoła Główna Gospodarstwa Wiejskiego w Warszawie
Prof. dr hab. inż. Antoni Wiliński – Zachodniopomorski Uniwersytet Technologiczny w Szczecinie
Address of the Editor
Faculty of Applied Informatics and Mathematics, WULS SGGW
ul. Nowoursynowska 166, 02-787 Warszawa, Poland
e-mail: isim@sggw.pl, www.isim.wzim.sggw.pl
ISSN: 2084-5537
Wydawnictwo SGGW
ul. Nowoursynowska 166, 02-787 Warszawa, Poland
e-mail: wydawnictwo@sggw.pl, www.wydawnictwosggw.pl
Print: Agencja Reklamowo-Wydawnicza A. Grzegorczyk, www.grzeg.com.pl
Table of contents
Beata Butryn, Piotr Machura – CONVERGENCE OF MOBILE TECHNOLOGIES IN CONTEMPORARY ORGANIZATIONS, p. 91
Anna Davy – SOURCING OF IT SERVICES INDUSTRY TRENDS, p. 102
Dorota Dejniak – POWER LAW AND SELF-SIMILARITY IN THE DISTRIBUTION OF NATIONAL INCOME, p. 113
Piotr Jałowiecki, Tomasz Woźniakowski, Tomasz Ząbkowski – SOME REMARKS ON LOGISTICS INVESTMENTS AMONG POLISH FOOD PROCESSING AND AGRIBUSINESS COMPANIES, p. 122
Dominika Lisiak-Felicka, Maciej Szmit – INFORMATION SECURITY MANAGEMENT SYSTEMS IN MARSHAL OFFICES IN POLAND, p. 134
Tomasz Sitek, Artur Ziółkowski – PROJECT-FACTOR-DECISION DECISIVE FACTORS IN IT PROJECTS AND THEIR IMPACT ON ITS SUCCESS, p. 145
Information Systems in Management (2014) Vol. 3 (2) 134-144
INFORMATION SECURITY MANAGEMENT SYSTEMS IN MARSHAL OFFICES IN POLAND
Dominika Lisiak-Felicka a), Maciej Szmit b)
a) Department of Computer Science in Economics, Faculty of Economics and Sociology, University of Łódź
b) Corporate IT Security Agency, Orange Labs Poland
The article presents the results of a survey concerning Information Security Management Systems (ISMS), which was conducted in Marshal Offices between December 2012 and April 2013. Survey questionnaires were sent to all sixteen Marshal Offices in Poland. The aim of the research was to identify in which government offices information security management systems are implemented and according to which standards they are developed and certified, and to gather information about the factors that facilitate the implementation of the ISMS, the problems encountered in the implementation of this system and the documentation concerning information security.
Keywords: information security, information security management systems, information security policy
1. Introduction
Managing information safety and security [2], [4], [7], [9], [10], [11], [16] in all kinds of organizations is a big challenge for contemporary organizations and institutions.
An Information Security Management System (ISMS) is defined in the ISO/IEC 27000 standard as that part of the overall management system, based on a business risk approach, which serves to establish, implement, operate, monitor, review, maintain and improve information security (see 2.23 in [5]). According to the scope of the standard, the 27k family is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations). This research concerns the marshal offices [18].
From the point of view of research, public administration offices are a particularly interesting group of organizations that decide to implement an ISMS, for three reasons. First, unlike with individual commercial organizations, everyone is forced into various contacts with the administration, so information security in offices corresponds directly to the security of citizens. Second, government offices have a strictly defined scope of tasks and competencies, so it is easy to conduct a comparative analysis of information security management in different offices; the role of the "specifics" that matter so much in commercial organizations is minimal in offices [1], [8], [15]. Third, and last but not least, in accordance with the principles of access to public information, offices are particularly convenient research material; although practice shows that a tendency to hide information is present among office workers, the responsiveness of public administration organizational units to research is definitely higher than that of commercial organizations.
2. Aim of the research
The research had a primarily cognitive objective: apart from identifying in which government offices information security management systems are implemented and according to which standards they are developed and certified, it was to answer the following questions: why respondents decided (or not) to implement and certify an ISMS; how long it took to implement the ISMS; what problems were encountered in the implementation of this system; whether they could count on the support of state administration bodies; which factors facilitate the implementation of the ISMS; which operations relating to the functioning of the ISMS cause the most problems; what documentation concerning information security has been implemented in these units, together with a brief overview of its application; whether an information security administrator has been appointed; and how often security reviews are conducted.
The survey is part of our investigations concerning selected aspects of cybersecurity in government organizations in Poland [12].
3. Method of the research
The research was conducted using a survey questionnaire. A letter asking for help with a scientific study by completing a questionnaire was sent to all marshal offices. The letter contained a link to the questionnaire in electronic form, hosted on a google.com server; a Microsoft Word file with the questionnaire was also attached to the letter. In the course of the research, numerous telephone and e-mail contacts with officials were made.
Thirteen positive responses were obtained. The Office of the Marshal of Podlaskie Voivodeship sent written notice that it was not interested in participating in the survey, and two offices (The Office of the Marshal of Lower Silesia Voivodeship and the Office of the Marshal of Kuyavian-Pomeranian Voivodeship), despite numerous telephone and e-mail communications from the investigator, did not submit any response.
4. Results of the research
Among the 13 marshal offices, nine have an information security management system implemented. In four offices (The Office of the Marshal of Lublin Voivodeship, The Office of the Marshal of Łódź Voivodeship, The Office of the Marshal of Silesian Voivodeship, The Office of the Marshal of Świętokrzyskie Voivodeship) no such system operates, and there have been no attempts to implement one in the past (see Figure 1).
Figure 1. Information security management systems in Marshal Offices
The reasons why the officials did not take such action include lack of funds, lack of time and lack of sufficient knowledge. The reason the Marshal Office of the Silesian Voivodeship did not implement an ISMS is that partial solutions in the field of security management have been implemented, which in the opinion of the officials are currently sufficient given the nature of the Office.
Seven of the nine implemented Information Security Management Systems were developed following the recommendations of the standards: five offices used PN-ISO/IEC 17799 and two offices ISO/IEC 27002. Detailed answers to the survey questions in this area are presented in Table 1.
Table 1. Development and certification of information security management systems

| Voivodeship in which the Marshal Office is located | System developed following the recommendations of the standards | Standard applied | System certified as compliant with the standard |
|---|---|---|---|
| Lubusz Voivodeship | Yes | ISO/IEC 27002 | PN-ISO/IEC 27001 |
| Lesser Poland Voivodeship | Yes | ISO/IEC 27002 | PN-ISO/IEC 27001 |
| Masovian Voivodeship | Yes | PN-ISO/IEC 17799 | PN-ISO/IEC 27001 |
| Opole Voivodeship | Yes | PN-ISO/IEC 17799 | - |
| Subcarpathian Voivodeship | No | - | - |
| Pomeranian Voivodeship | Yes | PN-ISO/IEC 17799 | - |
| Warmian-Masurian Voivodeship | Yes | PN-ISO/IEC 17799 | - |
| Greater Poland Voivodeship | No | - | - |
| West Pomeranian Voivodeship | Yes | PN-ISO/IEC 17799 | - |
Only three offices decided to certify the information security management system according to PN-ISO/IEC 27001.
Offices that decided not to certify the ISMS indicated the following reasons for not taking such action:
– certification does not affect the quality of information security management (3 answers),
– it is a time-consuming project (2 answers),
– it is an expensive proposition (2 answers).
Respondents from all offices that certified the ISMS said they had decided to do so because certification has an impact on the quality of information security management. The ISMS implementation time was also examined: three offices identified it as being in the range of 6-12 months, one as 12-18 months and four as more than two years.
With regard to the success factors and problems in the implementation of the ISMS [1], respondents indicated the following sources of problems: lack of use of formal methods of system implementation (4 answers), lack of substantive preparation of workers (3 answers), too extensive documentation (3 answers), insufficient financial resources (3 answers) and lack of experience of the certification body (1 answer).
Only three of the nine offices implementing an Information Security Management System [3] were able to count on the support of state administration bodies. The stages at which the aid was granted were: establishment of the information security management system (2 answers), implementation and operation of the information security management system (1 answer), monitoring and review of the information security management system (2 answers), maintaining and improving the information security management system (1 answer), no aid (6 answers).
Only one of the officials described what this aid consisted of:
‘– The Internal Security Agency and the Inspector General for the Protection of Personal Data support employees of public administration in the establishment of information security management systems,
– training of own officers and employees, participation in training sessions and conferences organized by other entities,
– advice and current aid,
– portals of programs supporting workers on security, guides, explanations and, above all, the database of current legislation and guidelines,
– visits, audits, inspections, accreditation, certification, etc.’
In another question, the officials indicated which factors facilitate the implementation of an Information Security Management System. The evaluation of the factors is shown in Figure 2.
Figure 2. Evaluation of factors that facilitate the implementation of the ISMS
The high rating of two factors, employees' awareness of the need to ensure the security of information and the involvement of top management, was highlighted by the comment of an official: ‘The commitment and staff awareness of information security requirements is crucial for the proper functioning of the system. This is achieved by, among others, properly implementing the planned course of internal and external training, internal controls, etc.’
According to officials, the implementation of an Information Security Management System has a positive effect on the unit: in particular, it can increase the level of information security and raise employees' awareness of information security management, and it is necessary and beneficial. Three officials also indicated that it is an expensive venture (Figure 3).
Figure 3. Opinion on the ISMS implementation
Respondents also indicated the steps in the operation of the Information Security Management System with which they have the most problems. The results are shown in Figure 4.
One official also indicated a problem with ‘too frequent regulatory changes and organizational and staffing changes (though this is inevitable and should be taken into account continuously)’. This comment, however, should be included under the question concerning problems with the implementation of the system.
Figure 4. Actions in the operation of the ISMS with which officials have the most problems
Further survey questions focused on documentation. Among the 13 surveyed offices, 12 have developed and implemented an information security policy that contains a personal data protection policy in accordance with the requirements of the Law on the Protection of Personal Data [18], [13], [17], and one of the offices (The Marshal Office of Subcarpathian Voivodeship) has only a personal data protection policy in accordance with the requirements of the Law on the Protection of Personal Data [19]. Table 2 presents the characteristics of each document.
Security reviews are also conducted in each of the 13 units. The frequency of these reviews is shown in Figure 5.
In all 13 offices information security administrators were appointed, and training for employees on the implemented information security policy / personal data protection policy was conducted.
Table 2. Characteristics of information security documentation in Marshal Offices

| Voivodeship in which the Marshal Office is located | Structure | Approximate number of pages | Last updated | Disclosure of document |
|---|---|---|---|---|
| Lublin Voivodeship | the main document with attachments | 102 | 2012-07-03 | Only some parts of the document |
| Lubusz Voivodeship | the main document with attachments | 67 | 2011-08-16 | Yes |
| Łódź Voivodeship | the main document with attachments | 81 | 2012-06-14 | Yes |
| Lesser Poland Voivodeship | the main document with attachments | 50 | 2012-10-30 | Only some parts of the document |
| Masovian Voivodeship | the main document with attachments | 200 | 2011-12-28, currently being updated | Only some parts of the document |
| Opole Voivodeship | the main document with attachments | 62 | 2011-06-30 | Yes |
| Subcarpathian Voivodeship | the main document with attachments | 43 | 2012-04-30 | Yes |
| Pomeranian Voivodeship | the main document with attachments | 140 | 2012-04-10 | Yes |
| Silesian Voivodeship | the main document with attachments | 110 | 2012-10 | Only some parts of the document |
| Świętokrzyskie Voivodeship | the main document with attachments | 126 | currently being updated | Yes |
| Warmian-Masurian Voivodeship | the main document with attachments | 68 | 2011-11-21 | Only some parts of the document |
| Greater Poland Voivodeship | the main document with attachments | 105 | 2009-08-05, currently being updated | Yes |
| West Pomeranian Voivodeship | separate procedures and instructions | about 120 | 2013-02-22 | Yes |
Figure 5. Frequency of the security reviews
5. Conclusion
On the basis of the results of the research it can be concluded that the issues related to information security are known to officers, especially in the field of personal data protection. All examined offices have the relevant documentation, in each unit an information security administrator was appointed, and all units have adequate physical security of access to information and appropriate security systems. Therefore officials are performing their tasks in the field of personal data protection [14], [19].
In 9 of the 13 offices participating in the research, information security management systems were implemented. The main reasons why the other entities involved in the study did not implement such a system are: lack of funds, lack of sufficient knowledge and lack of time. The first two are understandable: typically, actions aimed at improving a process at an office are not taken because of a limited budget or a lack of proper training. The last reason is due to poor organization of work and a lack of willingness on the part of officials to take on new tasks.
Based on the responses obtained from the offices in which an information security management system is implemented, key success factors for implementing an ISMS have been identified. These include: employees' awareness of the need to ensure the security of information, involvement of top management, definition of specific requirements for the system, and substantive preparation of workers.
Therefore, in order to achieve the successful implementation of an ISMS it is necessary to continue raising the awareness of employees at all levels of the organization and their respective substantive preparation. This can be achieved through the participation of officials in various training courses in the field of information security. In addition, the subject should be addressed at conferences involving representatives of the public administration.
The actions in the operation of the ISMS with which officers have the most problems are: taking actions related to the improvement of the system and conducting the procedures for monitoring and maintenance of information security. Only a few offices can count on the support of government units in undertaking activities related to the implementation of the ISMS. It is worth noting the answers to the question on the frequency of ISMS review, which acted as a control question in the survey. A review is an activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter (in this case the ISMS) to achieve established objectives (see 3.8.2.2 in [6]); it can be carried out every few months or when needed, but it is impossible to review an ISMS with dozens of pages of documentation every week or even every day.
Officials also indicated problems they encountered during the implementation of the ISMS. In addition to those listed in the questionnaire (lack of use of formal methods of system implementation, insufficient financial resources, too extensive documentation, lack of substantive preparation of workers), they also drew attention to problems of a legal and organizational nature. The first is a result of frequent changes in the rules on information security and inconsistencies in these provisions during the period of change. The second is the frequent organizational changes in the personnel of offices.
REFERENCES
[1] Calder A.: Nine Steps to Success: an ISO 27001 Implementation Overview, IT Governance Publishing, UK, 2005, pp. 107-112.
[2] Gillies A.: Improving the quality of information security management systems with ISO27000, TQM Journal, Volume 23, Issue 4, 2011, pp. 367-376.
[3] Humphreys E.: Implementing the ISO/IEC 27001 Information Security Management System Standard, Artech House, Norwood 2007, pp. 11-44.
[4] Ilvonen I.: Information security culture or information safety culture - What do words convey?, 10th European Conference on Information Warfare and Security 2011, ECIW 2011, Tallinn 2011, pp. 148-154.
[5] International Standard ISO/IEC 27000:2009 Information technology – Security techniques – Information security management systems – Overview and vocabulary. First edition, ISO 2009.
[6] ISO Guide 73 Risk management – Vocabulary. First edition, ISO 2009.
[7] Jašek R.: The information security of enterprises and citizens' security context, Komunikacie, Volume 7, Issue 3, University of Zilina, Žilina 2005, pp. 45-48.
[8] Kister Ł.: Significance of information security in a company, [in:] Riešenie krízových situácií v špecifickom prostredí, University of Zilina, Žilina 2009, pp. 329-334.
[9] Korzeniowski L. F.: Securitology - The concept of safety, Komunikacie, Volume 7, Issue 3, University of Zilina, Žilina 2005, pp. 20-23.
[10] Korzeniowski L. F.: Informačná bezpečnosť podnikania, Žilina: Multiprint, 2010.
[11] Korzeniowski L. F.: Podstawy nauk o bezpieczeństwie, Warszawa: Difin, 2012.
[12] Lisiak-Felicka D., Szmit M.: “Tango Down” Some Comments to the Security of Cyberspace of Republic of Poland, [in:] Biały W., Kaźmierczak J. (ed.), Systems supporting production engineering, pp. 133-145, PKJS, Gliwice 2012, ISBN: 978-83-62652-34-1.
[13] Monarcha-Matlak A.: Obowiązki administracji w komunikacji elektronicznej, Wolters Kluwer Polska, 2008, pp. 239-268.
[14] Regulation of April 29, 2004, by the Minister of Internal Affairs and Administration as regards personal data processing documentation and technical and organizational conditions which should be fulfilled by devices and computer systems used for personal data processing (Journal of Laws of 2004 No. 100 item 1024).
[15] Robinson N.: IT excellence starts with governance, Journal of Investment Compliance, Volume 6, Issue 3, 2005, pp. 45-49.
[16] Stoll M., Breu R.: Information security measurement roles and responsibilities, 6th International Joint Conference on Computer, Information and Systems Sciences and Engineering, Lecture Notes in Electrical Engineering, Volume 151, 2013, pp. 11-23.
[17] Suchorzewska A.: Ochrona prawna systemów informatycznych wobec zagrożenia cyberterroryzmem, Wolters Kluwer Polska, 2010, pp. 279-285.
[18] Ustawa z dnia 5 czerwca 1998 r. o samorządzie województwa (Dz. U. z 2001 r., Nr 142, poz. 1590 z późn. zm.).
[19] Ustawa z dnia 29 sierpnia 1997 r. o ochronie danych osobowych (Dz. U. z 1997 r., Nr 133, poz. 883, z późn. zm.).
... Ɣ whether information security incidents have occurred; Ɣ whether information security incidents are registered; Ɣ how many incidents have occurred and are registered; Ɣ the methods of information security incidents management. The survey is a part of our investigations concerning selected aspects of cyber security in government organizations in Poland [11], [9], [10]. ...
... Spośród 13 badanych urzędów, 12 ma opracowaną i wdrożoną politykę bezpieczeństwa informacji zawierającą politykę ochrony danych osobowych zgodną z wymaganiami ustawy o ochronie danych osobowych (Ustawa z dnia 5 czerwca 1998 r., Monarcha-Matlak , 2008, s. 239-268, Suchorzewska, 2010, s. 279-285), a jeden z urzędów (Urząd Marszałkowski Województwa Podkarpackiego) posiada tylko politykę ochrony danych osobowych zgodną z wymaganiami ustawy o ochronie danych osobowych (Ustawa z dnia 29 sierpnia 1997 r.). Szczegółowe wyniki części badania dotyczącej wdrożenia i funkcjonowania SZBI opublikowano i omówiono w artykule (Lisiak-Felicka, Szmit, 2013 ). Poniżej prezentujemy wyniki dotyczące praktyki zarządzania incydentami bezpieczeństwa. ...
Article
Full-text available
The article discusses the issue of energy infrastructure capacity auctions as a tool of improving the energy security of Poland. It argues that the experiences from foreign markets clearly indicate that this method of capacity allocation may be an effective way of providing the energy supply precisely where it is needed or generating extra funds for further infrastructure development.
Book
Full-text available
Monografia dotycząca bezpieczeństwa informacji w urzędach administracji terenowej podsumowująca wyniki badań z lat 2012-2016
Article
Full-text available
This article examines the case for viewing the conflicts that took place in Yugoslavia between 1991 and 1999 through Huntington’s civilisational paradigm, whereby conflict is the inevitable result of the existence of “cleft states” such as Yugoslavia, which lay on the fault line of Western, Orthodox and Islamic civilisations and was therefore predisposed to civilisational conflict. This article argues instead that divisions in Yugoslavia were national, rather than civilisational and fomented by a wider, more nuanced range of factors which are not taken into account by Huntington.
Article
Full-text available
The article presents results of a survey concerning Information Security Management Systems (ISMS), which was conducted in Voivodenship Offices in 2014. Survey ques- tionnaires were sent to all Voivodenship Offices in Poland. The aim of the research was identifying in which of the offices ISMS are implemented, according to which standards ISMS are developed and certified and gathering information about factors facilitate the implementation of the ISMS, problems which occurred during the implementation of these systems and documentation concerning information security. The article is a con- tinuation of research on information security management systems in the state and local government agencies.
Article
Full-text available
The aim of the article to show the analogical procedures encountered while dealing with the security of a company or personal security. Security of Information Systems relates closely to modern-day life and the solution of crisis situations is but one part. It does not matter whether the reason of the crisis is the human factor (purposely or unpremeditated) or even a technical failure. All systems must be able to switch to reserves within real time in order to ensure process continuity. While this article is about systems in the economic (financial) field, the same rules apply in government crisis management at any level. Consequently, the rule of Crisis Management in contemporary society is essential.
Article
Full-text available
In the article the author presents his own definition of the category of safety, emphasizing both: objective and subjective aspects of this Idea. The author, on the basis of available publications, carries out the presentation of securitology as the scientific discipline as well as categories studied within that science, like: security, needs value and sense of safety, risk, danger, personality of a manager, etc. In the article are Included proposals of a security model covering objective dangers and the sense of safety.
Chapter
Full-text available
http://www.dydaktyka.polsl.pl/roz5/konfer/wyd/2012/1/R_13.pdf
Article
An adequate information security management system (ISMS) to minimize business risks and maximize return on investments and business opportunities is recognized always more as key differentiator. Thus legal compliance, commercial image and competitive edge are sustainable maintained. Due to increasingly faster changing information security (IS) requirements (from market, customer, technology, law or regulations) the effectiveness and performance of the ISMS must be continually evaluated and improved. Data must be recorded, analyzed and if necessary appropriate corrective or preventive actions should be taken. For these measurement and improvement tasks we have to assign roles and responsibilities. Firstly we define different roles and their tasks for information security (IS) measurement and improvement. Starting from the approved organizational structure we assign the responsibilities for these roles to top and executive management. After we elaborate and document all relevant business processes with their supporting IT services and go on through all technical layers describing the relevant items with their dependencies and relationships. To entire processes, services and items are assigned responsibilities for the defined roles systematically, consistently and traceably. This innovative, systemic, strategic aligned approach has been implemented successfully by different medium sized organizations for several years. Based on our experiences IS awareness, IT alignment with business goals, service orientation, process and systems thinking, as well as the comprehension for the requirements of other organizational units were increased.
Article
In the contemporary world of constantly changing information threats, information security culture is a concept that many organizations should emphasize on. Many threats cannot be countered only with sophisticated technical equipment. Instead, the attitudes and actions of employees gain significance each day, be the threat an urge to leak company confidential documents to Wikileaks or to competitors, or willingness to help a "colleague" with an unconventional request. Information security culture is a concept widely accepted in the field of information security research. It refers to the dominant understanding of how information security principles are manifested in the daily operations of a company. The culture implies what kind of behaviour of the employees is acceptable and encouraged. Literature about information security almost non-exceptionally uses the word security. However, in the field of organizational safety culture, the word security has little use. What is different? Is preventing human or material casualties really fundamentally different from preventing information casualties? This paper is triggered by the curiosity of how different literature streams discuss culture, be it called safety culture or security culture. Also the differences in approaches to security and safety are analysed. The term safety includes both the perspective of an object being protected from threats and the perspective of that object not causing threats. The term security includes only the perspective of an object being protected from threats. It is interesting to note, that both the words safety and security appear in the definitions for the term security. In information security the focus is for many organizations on the threats that come from outside the organization. This seems to justify the use of the word security. However, in many cases the biggest threats to the information of an organization come from inside the organization. 
Also, many organizations state that the information of customers is the most valuable to them and compromising customer information would not only harm the organization itself, but also its stakeholders. This would justify the use of the word safety in connection with information. This paper presents a literature review. The outcome of this paper is an understanding of the differences and similarities of the concepts under stydy. Discussion on the meaning of information security culture and implications to companies are presented.
Article
The recently published ISO/ IEC 27001:2005, Information technology – Security tech-niques – Information security management systems – Require-ments, provides a foundation for designing and deploying a management system for infor-mation security to prevent a variety of business-threatening risks such as the following : • financial losses and damages ; • loss of the organization's intellectual capital and intellectual property rights ; • loss of market share ; • poor productivity and performance ratings ; • ineffective operations ; • inability to comply with laws and regulations ; and even • loss of image and reputa-tion./IEC 27001:2005 spec-ifies the requirements and processes for enabling a busi-ness to establish, implement, review and monitor, manage and maintain effective infor-mation security. Like ISO 9001:2000, it is built on the Plan-Do-Check-Act (PDCA) process cycle model (see Fig-ure 1 for the ISMS version of Here is advice on implement-ing ISO/IEC 27001 gleaned from a question-and-answer session with John Snare (Fujit-su, Australia) one of the co-editors of the standard.
Article
Purpose – To explain how information technology (IT) governance enables an organization to achieve three vital objectives: regulatory and legal compliance, operational excellence, and optimal risk management. Design/methodology/approach – Describes the role in IT governance of functions such as value creation (distilling the company's mission and strategic direction into business needs for IT applications), value delivery (formal project management methodology and system development life cycle), value preservation (integrated control and risk management program), resource management, performance management (capability maturity model, balanced scorecard, Six Sigma), and oversight. Describes governance frameworks such as COBIT, ITIL, and ISO/IEC 17799:2000. Offers advice on getting started. Findings – When governance is effective, IT becomes a valued asset, inseparable from the business and regarded as an asset, not a cost. Originality/value – Helps a compliance officer think about the connection between effective IT and compliance systems.
Article
Purpose – The ISO27001 standard provides a model for "establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS)". This paper seeks to consider the global adoption of the ISO27000 series of standards, and to compare it with the adoption rates for ISO9000 and ISO14000. The paper aims to compare the barriers to adoption for the different standards. Design/methodology/approach – Previous studies suggest that ISO27001 adoption is slower than for the other standards. The uptake of ISO27001 has been slower than that of the related management system standards ISO9001 and ISO14001, with approximately half the certifications compared with ISO14001. In response to the issues raised in this analysis, the paper considers how an approach based on a maturity model can be used to help overcome these barriers, especially in smaller companies. Findings – The 2008 survey of ISO27001-certificated companies found that 50 per cent of the certificated organisations which responded had fewer than 200 employees, and were therefore in the SME category. Perhaps more surprisingly, around half of these had fewer than 50 employees. The framework has used the ISO27002 code of practice to define the elements which should be considered within the ISMS. Each element is then developed through a maturity model lifecycle to develop processes to the point where an ISO27001-compliant ISMS can be implemented. Originality/value – The principal contribution of the paper is a step-by-step framework designed to simplify the process for organisations working towards ISO27001 and to offer significant benefits at milestones before systems are mature enough to achieve certification.
Calder A.: Nine Steps to Success: an ISO 27001 Implementation Overview, IT Governance Publishing, UK, 2005, pp. 107-112.
International Standard ISO/IEC 27000:2009 Information technology — Security techniques — Information security management systems — Overview and vocabulary. First edition, ISO 2009.