dc.contributor.advisor: Knapskog, Svein Johann (nb_NO)
dc.contributor.advisor: Vidhammer, Gjermund (nb_NO)
dc.contributor.author: Skaaland, Siri (nb_NO)
dc.date.accessioned: 2014-12-19T14:11:54Z
dc.date.available: 2014-12-19T14:11:54Z
dc.date.created: 2010-09-02 (nb_NO)
dc.date.issued: 2008 (nb_NO)
dc.identifier: 347027 (nb_NO)
dc.identifier: ntnudaim:4192 (nb_NO)
dc.identifier.uri: http://hdl.handle.net/11250/261608
dc.description.abstract: With the increasing need for information security in IT, measurement is needed to show how an organization's information security improves and develops over time. No best practice has been accepted in this area. ISO/IEC 27001 (Information technology - Security techniques - Information security management systems - Requirements) requires measuring the effectiveness of both the management system and the implemented controls. A new standard, ISO/IEC 27004 (Information technology - Security techniques - Information security management - Measurements), is under development to address this requirement, but is not scheduled for publication until 2009. This report has aimed to evaluate the draft ISO/IEC 3rd CD 27004, both in relation to the requirements of ISO/IEC 27001 and in relation to measuring the effectiveness of information security controls in general. The research consisted of an investigation of measuring solutions within different organizations certified against ISO/IEC 27001, interviews with individuals familiar with measuring in these environments, and a review of published material on the subject. The conclusions of this study show that the requirement to measure the effectiveness of the management system, and not only the controls, has been overlooked by many. Further, the solutions found have been much simpler than the proposed solutions depicted in ISO/IEC 3rd CD 27004, which indicates two things: if the draft becomes a standard and the standard then becomes normative, upgrading existing solutions to adhere to it may be difficult; and the draft is too extensive and unnecessarily complex for smaller organizations. The fact that several organizations have been certified against ISO/IEC 27001 without having implemented measuring in a good way is concerning.
The main driver behind measuring the effectiveness of information security controls seems to be a required need for measuring, such as compliance with standards, rather than the benefits of measuring. The benefits of a good measuring implementation could however be many, but realizing them requires better visualization of the drivers. (nb_NO)
dc.language: eng (nb_NO)
dc.publisher: Institutt for telematikk (nb_NO)
dc.subject: ntnudaim (no_NO)
dc.subject: SIE7 kommunikasjonsteknologi (no_NO)
dc.subject: Telematikk (no_NO)
dc.title: Measuring the effectiveness of information security controls (nb_NO)
dc.type: Master thesis (nb_NO)
dc.source.pagenumber: 125 (nb_NO)
dc.contributor.department: Norges teknisk-naturvitenskapelige universitet, Fakultet for informasjonsteknologi, matematikk og elektroteknikk, Institutt for telematikk (nb_NO)