Managing information security in organizations: a case study
While participating in a security project at an enterprise in Norway, I was able to gain
knowledge of the field of information security. The project leader told me that the method he
was using had not been documented. The ideas behind this way of handling information security had
been used with another company in Norway, in an earlier project of which he had also been project
leader. The main theme of the method was organizing the IT department into processes and
roles, with tasks and responsibilities.
In my literature research I have found several ways of handling information security. There is no
grounded theory in the field of information security, but there are several guidelines, frameworks
and standards, and there is a lot of research about these. Most of these frameworks and standards
are based on commercial use and are not free of charge. I have also done research about the human
factor, to verify that the topic is valid.
I have done a case study of the enterprise to get detailed information about how they handled
information security. I found that the method that has been used has parallels to frameworks
and standards I found in the literature research.
From my findings in the literature research and the case study, I have been able to develop a
simple framework for handling information security in organizations. The framework is suited
especially to medium-sized organizations, with less ability to implement several frameworks and
standards. Large companies can use frameworks like COBIT, ITIL and ISO standards.
The key element of the framework is a three-dimensional cube containing the elements of
business requirements, IT resources and information security requirements. I have not found any
framework in the literature that has linked this combination together.
Master's thesis in information systems, 2007 - Høgskolen i Agder (Agder University College), Kristiansand