Implementation of information security in fast growing enterprises – from startup to large enterprise

Abstract

IT security and security policies in organizations, as well as information security (IS) at the state level, have been widely discussed in recent years. Standards and laws hardly keep up with the rapid progress in the field of information and communication technology (ICT). Organisations and states are expected to ensure the security and privacy of their ICT systems.

In the first part of this master's thesis, I present basic terminology and standards from the field of ICT security. I describe the ISO/IEC 27000 family of standards for the introduction and management of information security management systems (ISMS), which, in line with the guidelines, can be implemented in start-up companies as well as in large organizations. For many organizations, business continuity is key to growth and existence on the market. Bearing that in mind, I present the standards in the field of business continuity management, including an ICT disaster recovery plan strategy for cases of disruption. At today's rapid pace, change management is an important process of which organizations are not sufficiently aware. Further, I present key steps for the successful implementation of change management in organizations. The key to successful long-term management of IS is also the transformation of the organizational culture into a security organizational culture. On the basis of a simple six-step plan, I make a recommendation for the successful implementation of the security organizational culture.

In the central part of the thesis, I analyse statistical data collected by the Statistical Office of the Republic of Slovenia (SURS) related to ICT security in Slovenian enterprises. The review covers ramifications of ICT-related security incidents, formally defined ICT security policies and reviews, informing staff of their obligations in ICT-related issues, usage of internal security facilities or procedures, usage of (open source) software in enterprises, and provision of portable devices with mobile Internet access by type and purpose in enterprises. To support the analysis, I also created a tool (CVE-analyzer) for analysing software vulnerabilities according to data from the NVD CVE database. On the basis of the obtained data and statistical analysis, I check four hypotheses related to ramifications of ICT-related security incidents and the use of open source software in Slovenian enterprises.

Further on, I present the most common mistakes in the software development process and introduce proposals for increasing software security in the development and maintenance process.

In the last part, I introduce world-wide statistical data from the field of data security incidents, and on their basis I propose additional recommendations for the Slovenian economy.

Bibliographic record

  • Author: Škoda Matjaž
  • Year: 2016
  • Original format: PDF
