Title: Information security in risk management systems: Slovenian perspective
Authors: Bernik, Igor; Prislan, Kaja
Files: https://www.fvv.um.si/rv/arhiv/2011-2/07_Bernik-Prislan.pdf (PDF)
https://www.fvv.um.si/rv/arhiv/2011-2/07_Bernik-Prislan-E.html (HTML)
Language: English
Work type: Scientific work (r2)
Typology: 1.01 - Original Scientific Article
Organization: FVV - Faculty of Criminal Justice and Security
Abstract: Purpose: Modern organizations are no longer able to operate and achieve their goals without information technology. The only constant in the modern world is change; users adjust to it, and so do the threats to information technology. Therefore, the only way to control threats to information security is to run a risk management process, which enables organizations to manage those threats. This paper introduces various ways of managing information security threats and investigates the existence of risk management systems in Slovenia. Design/Methods/Approach: The study focused on how information security risk management is perceived among Slovenian organizations. For this purpose, research was conducted in different organizations. The results revealed that threats to information security are largely not fully comprehended. Moreover, the structure of a risk management system depends entirely on the individual organization. The problem is therefore that there are as many systems as there are organizations. In theory, any information system must be examined thoroughly before a risk management system is established. It is important to know the weaknesses of the system, the possible threats to it and ways of attack, and what consequences follow. Findings: Risks can be managed in different ways. Organizations choose mostly among the following approaches: (1) an informal or unsystematic approach; (2) a general approach, which provides the same protection mechanism for every organizational level; (3) an exact approach, which refers to an analysis of the entire information system; (4) a combination of the general and the exact approach. Once organizations have chosen their approach, they establish the control mechanisms. With these mechanisms it is possible to simply avoid risks, mitigate their consequences, accept a particular risk, or introduce adequate security mechanisms.
Because of continual change, such systems must be constantly evaluated and improved, which means they must be constantly adjusted to new types of threats. When establishing a secure information system, organizations can draw on different trends, recommendations and effective practices, for instance the ISO 27000 series of standards. In the process of managing information security, it is of great significance to establish a risk management system, to be able to recognize the most exposed areas, and to protect them accordingly. Research limitations: The research results cannot be generalized due to the relatively small number of companies interviewed. Practical implications: This paper is a useful source of information for companies establishing information security risk management systems, and it provides a basis for further research. Originality/Value: The paper presents guidelines for establishing a secure information system and draws conclusions on how these guidelines are considered in practice. The study has original value because it is based on research into the current state of risk management procedures in different organizations. Organizations can consider different guidelines, recommendations and good practices for establishing their own effective information security. The findings show that defining management responsibility, identifying key vulnerabilities and securing them are the three most significant elements in effective risk management and the maintenance of information security.
Keywords: information systems, information security, threats, risk, management, Slovenia
Year of publishing: 2011
Pages: 208-221
Numbering: No. 2, Vol. 13
UDC: 004.056(497.4)
ISSN on article: 1580-0253
COBISS_ID: 2170858
NUK URN: URN:SI:UM:DK:DDXE9XBK

Record is part of a journal

Title: Varstvoslovje
Shortened title: Varstvoslovje
Publisher: Ministrstvo za notranje zadeve Republike Slovenije, Visoka policijsko-varnostna šola; Univerza v Mariboru, Fakulteta za policijsko-varnostne vede; Univerza v Mariboru, Fakulteta za varnostne vede
ISSN: 1580-0253
COBISS.SI-ID: 99492352

Licences

License: CC BY 4.0, Creative Commons Attribution 4.0 International
Link: http://creativecommons.org/licenses/by/4.0/
Description: This is the standard Creative Commons license that gives others maximum freedom to do what they want with the work as long as they credit the author.
Licensing start date: 05.05.2020

Secondary language

Language: Slovenian (translated here into English)
Title: Risk management in information security: Slovenian perspectives
Abstract: Purpose: Today, organizations cannot function optimally or achieve their set goals without information technology. The only constant is change, to which not only users but also the threats in the information environment adapt. It follows that running a risk management process is the only way to control and manage these threats. We present the methods and nature of information security management and show the current state of these processes in Slovenia. Methods: The paper focuses on the understanding of information security and the associated risk management system among Slovenian organizations. For this purpose, a study using structured interviews was carried out in various Slovenian companies. The results show that in most organizations threats to information security are not adequately understood, and that the risk management process depends too heavily on the individual organization. The problem is that there are as many risk management systems as there are organizations. In theory, every information system should undergo a detailed analysis before a risk management system is established and introduced into the organizational structure. Knowledge of organizational vulnerabilities, potential threats and the consequences that would arise if they materialized is crucial here. Findings: Risks can be managed in different ways; broadly, organizations can choose among four approaches: (1) an informal or unsystematic approach; (2) a general approach, which establishes the same protection at different organizational levels; (3) a detailed analysis of all information assets; (4) a combination of the general and the detailed approach. Once an organization has chosen one of these approaches, it must establish appropriate control or protection mechanisms, with which it can simply avoid risks, transfer their consequences to other environments, accept the threats, or introduce an appropriate level of protection.
Because of constant change, particularly in the information environment, the control mechanisms introduced must be continuously evaluated and updated, which means the system must be continuously adapted to new types of threats. When establishing a suitable and secure information system, organizations can draw on various recommendations and good practices, among which the ISO 27000 series of standards certainly belongs. In the risk management process, it is essential to establish a system capable of identifying the areas most exposed to threats and protecting them appropriately. Research limitations: The results cannot be generalized, since the number of organizations included in the study is relatively small. Practical implications: The paper is a useful source of information for companies establishing information security management systems and provides a basis for further research. Originality/Value: The paper presents guidelines for establishing an information security system and findings on how these guidelines are applied in practice. It has original value because it is based on a study of the current state of risk management processes in various organizations. When introducing effective information security, these organizations can consider various guidelines, recommendations and successful practices. The results show that understanding management responsibility, identifying key vulnerabilities and protecting them are the three most important elements of effective risk management and the maintenance of information security.
Keywords: information system, management, security threats, risks, risk management, changes, Slovenia


Collection

This document is part of the following collections:
  1. Varstvoslovje
