6533b856fe1ef96bd12b2017

RESEARCH PRODUCT

Managing information security in organizations : a case study

subject

description

Masteroppgave i informasjonssystemer 2007 - Høgskolen i Agder, Kristiansand During a participation in a security project in an enterprise in Norway, I have been able to get knowledge about the field of information security. The project leader told me that the method he was using has not been documented. The ideas of the way of handling information security has been used with another company in Norway, in a earlier project that he had also been project leader of. The main theme of the method was organizing the IT department into processes and roles, with tasks and responsibilities. In my literature research I have found several ways of handling information security. There is no grounded theory in the field of information security, but there are several guidelines, frameworks and standards, and there is a lot of research about these. Most of these frameworks and standards are based on commercial use and not free of charge. I have also done research about the human factor, to verify that the topic is valid. I have done a CASE study of the enterprise; to get detailed information of how they handled information security. I found that the method that has been used and has parallels to frameworks and standards I found in the literature research. By my findings in the literature research and the CASE study, I have been able to develop a simple framework for handling information security in organizations. The framework is suited especially to medium organizations, with less ability to implement several frameworks and standards. Large companies can use frameworks like Cobit, ITIL and ISO standards. The key elements of the framework is a three dimensional cube containing the elements of business requirements, IT resources and information security requirements. I have not found any framework in literature that has linked this combination together.