Implementation of information security in fast growing enterprises – from startup to large enterprise

Matjaž Škoda (2016) Implementation of information security in fast growing enterprises – from startup to large enterprise. MSc thesis.

Preview

PDF Download (2720Kb)

Abstract

IT security and security policies in organizations as well as information security (IS) on the state level have been widely discussed in the last years. Standards and laws hardly keep up with the rapid progress in the field of information and communication technology (ICT). Organisations and states are expected to ensure the security and privacy of their ICT systems. In the first part of this master's thesis, I present basic terminology and standards from the field of ICT security. I describe the ISO/IEC 27000 family of standards for introduction and management of information security management systems (ISMS), which can be in line with the guidelines implemented in start-up companies as well as in large organizations. For many organizations a business continuity is a key to growth and existence on the market. Bearing that in mind, I present the standards in the field of business continuity management, including ICT disaster recovery plan strategy for cases of disruptions. At todays rapid pace, change management is important process of which organizations are not sufficiently aware of. Further, I present key steps for successful implementation of change management into the organizations. The key to successful long-term management of IS is also in the transformation of the organizational culture into the security organizational culture. On the basis of simple six-step plan I make a recommendation for successful implementation of the security organizational culture. In the central part of the thesis, I analyse statistical data collected by the Statistical Office of the Republic of Slovenia (SURS) related to ICT security in Slovenian enterprises. The review covers ramifications of ICT related security incidents, formally defined ICT security policies and reviews, informing of the staff of their obligations in ICT related issues, usage of internal security facilities or procedures, usage of (open source) software in enterprises and provision of portable devices with mobile Internet access by type and purpose in enterprises. In order to help me with the analysis, I also created a tool (CVE-analyzer) to help me with the analysis of software vulnerabilities according to data from NVD CVE database. On the basis of obtained data and statistical analysis I check four hypotheses related to ramifications of ICT related security incidents and the use of open source software in Slovenian enterprises. Further on, I present the most common mistakes in software development process and introduce the proposals for increasing of software security in development and maintenance process. In the last part, I introduce world-wide statistical data from the field of data security incidents and on their basis I propose additional recommendations for the Slovenian economy.

Actions (login required)