SwePub
Search the SwePub database

  Advanced search

Hit list for the search ""information security" ;pers:(Cegrell Torsten)"


  • Results 1-4 of 4
   
1.
  • Johansson, Erik, 1967- (author)
  • Assessment of Enterprise Information Security : How to make it Credible and Efficient
  • 2005
  • Doctoral thesis (other academic/artistic)
    • Information is an important business asset in today's enterprises. Hence enterprise information security is an important system quality that must be carefully managed. Although enterprise information security is acknowledged as one of the most central areas for enterprise IT management, the topic still lacks adequate support for decision making at top-management level. This composite thesis consists of four articles which present the Enterprise Information Security Assessment Method (EISAM), a comprehensive method for assessing the current state of enterprise information security. The method is useful in helping guide top management's decision-making for the following reasons: 1) it is easy to understand, 2) it is prescriptive, 3) it is credible, and 4) it is efficient. The assessment result is easy to understand because it presents a quantitative estimate. The result can be presented as an aggregated single value, abstracting the details of the assessment. The result is easy to grasp and enables comparisons both within the organization and against industry in general. The method is prescriptive since it delivers concrete and traceable measurements. This helps guide top-level management in their decisions regarding enterprise-wide information security by highlighting the areas where improvement efforts are essential. It is credible for two reasons. Firstly, the method presents an explicit and transparent definition of enterprise information security. Secondly, the method itself includes an indication of assessment uncertainty, expressed in terms of confidence levels. The method is efficient because it focuses on important enterprise information security aspects, and because it takes into account how difficult it is to find security-related evidence. Being resource-sparse, it enables assessments to take place regularly, which gives valuable knowledge for long-term decision-making.
The usefulness of the presented method, along with its development, has been verified through empirical studies at a leading electric power company in Europe and through statistical surveys carried out among information security experts in Sweden. The success of this research should encourage further researchers to use these analysis techniques to guide decisions on other enterprise architecture attributes.
2.
  • Johansson, Erik, et al. (author)
  • Assessment of Enterprise Information Security in Electric Utilities : The Importance of Prioritization
  • 2006
  • In: Proceedings CIGRE Session 2006.
  • Conference paper (peer reviewed)
    • In today's large electric utilities, the enterprise system is highly complex. Technically, they possess several hundreds of extensively interconnected and heterogeneous IT systems performing tasks that vary from Enterprise Resource Planning (ERP) to real-time control and monitoring of the processes, such as Distributed Control Systems (DCS) and Supervisory Control and Data Acquisition (SCADA) systems. Organizationally, the enterprise system embraces business processes and business units using, as well as maintaining and acquiring, the IT systems. Information and systems are to a large extent becoming integrated in industry operations since communication and sharing of information are becoming more efficient and faster than before. However, the networking and interconnection of systems can increase the enterprise's exposure to information security risks. The significance of information security has been continuously increasing in the management of organizations and in ensuring their operating ability as well as in maintaining disturbance-free and efficient operations. Thus, enterprise information security has become an increasingly important system quality. Assessing a sufficient level of information security is a necessary prerequisite for the continuance and credibility of operations. But assessing the level of information security in an enterprise is a serious challenge for many organizations, since the area still lacks sufficient support for decision-making at top-management level. One problem with such assessments is that there are various views on what, exactly, should be measured. There are different opinions on what the constituent parts of enterprise information security are and what these parts' relative importance is. Addressing that problem, this paper presents an operational definition and prioritization of the field of enterprise information security.
First, the paper proposes a framework for capturing the semantic essence of enterprise information security. Then, the relative weights of the framework's subdomains are quantified. Two methods for prioritization are used to obtain the weights. The results demonstrate to what extent different standards committees, guideline authors and expert groups differ in their opinions on what the important issues are in enterprise information security. As prioritization sources, the ISO/IEC 17799 and NIST SP 800-26 standards committees, the ISF, the CMU/SEI OCTAVE framework authors and an expert panel at the Swedish Information Processing Society (DFS) are considered. To demonstrate the practical consequences, the effects of varying prioritizations on the enterprise information security assessment results in a European energy company are presented.
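The two abstracts above describe the same computational core: subdomain scores rolled up into a single weighted value, a confidence interval that reflects how much evidence each score rests on, and a ranking of where improvement effort matters most, all of which shift when a different prioritization source supplies the weights. The block below is an added illustration of that idea, not code from the EISAM thesis or the CIGRE paper. The subdomain names, scores, evidence counts and the two weight vectors are constructed for the example, and the uncertainty model (spread shrinking with the square root of the evidence count) is an assumption of the example, not the method's own.

```python
"""Weighted roll-up of an enterprise information security assessment.

Added illustration; not code from the EISAM thesis or the CIGRE paper.
Every input below is constructed, and the uncertainty model is an
assumption of this example rather than the published method.
"""
import math
from typing import Dict, List, Tuple

# Constructed assessment input: per-subdomain score in [0, 1] and the
# number of independent evidence items (interviews, documents, configs)
# that each score rests on.
SCORES: Dict[str, float] = {
    "access_control": 0.8,
    "incident_management": 0.5,
    "business_continuity": 0.6,
    "physical_security": 0.9,
}
EVIDENCE: Dict[str, int] = {
    "access_control": 16,
    "incident_management": 4,
    "business_continuity": 9,
    "physical_security": 25,
}

# Two constructed prioritisation sources (hypothetical names). Weights
# need not sum to one; they are normalised before use.
WEIGHTS: Dict[str, Dict[str, float]] = {
    "equal_weight_standard": {k: 1.0 for k in SCORES},
    "expert_panel": {
        "access_control": 0.4,
        "incident_management": 0.3,
        "business_continuity": 0.2,
        "physical_security": 0.1,
    },
}


def normalise(weights: Dict[str, float]) -> Dict[str, float]:
    """Scale a weight vector so that it sums to one."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must have a positive sum")
    return {k: v / total for k, v in weights.items()}


def aggregate(scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Single aggregated value: the weighted mean of the subdomain scores."""
    w = normalise(weights)
    if set(w) != set(scores):
        raise ValueError("weight vector and assessment cover different subdomains")
    return sum(w[k] * scores[k] for k in scores)


def score_spread(evidence_count: int) -> float:
    """Assumed standard deviation of one subdomain score (example model):
    a score backed by one piece of evidence has spread 0.5; the spread
    falls with the square root of the evidence count."""
    if evidence_count < 1:
        raise ValueError("each subdomain needs at least one evidence item")
    return 0.5 / math.sqrt(evidence_count)


def confidence_interval(scores: Dict[str, float], evidence: Dict[str, int],
                        weights: Dict[str, float], z: float = 1.96) -> Tuple[float, float]:
    """Interval around the aggregate, treating subdomain errors as independent
    so the variances of the weighted terms add. z=1.96 gives roughly 95 %."""
    w = normalise(weights)
    variance = sum((w[k] * score_spread(evidence[k])) ** 2 for k in scores)
    mean = aggregate(scores, weights)
    half_width = z * math.sqrt(variance)
    return max(0.0, mean - half_width), min(1.0, mean + half_width)


def improvement_priorities(scores: Dict[str, float],
                           weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rank subdomains by weighted gap to a full score: the prescriptive part,
    pointing at where effort moves the aggregate the most."""
    w = normalise(weights)
    gaps = [(k, w[k] * (1.0 - scores[k])) for k in scores]
    return sorted(gaps, key=lambda kv: kv[1], reverse=True)


def compare_sources(scores: Dict[str, float], evidence: Dict[str, int],
                    sources: Dict[str, Dict[str, float]]) -> Dict[str, dict]:
    """Show how the aggregate, its interval and the top priority shift
    when a different prioritisation source supplies the weights."""
    return {
        name: {
            "aggregate": aggregate(scores, w),
            "interval": confidence_interval(scores, evidence, w),
            "top_priority": improvement_priorities(scores, w)[0][0],
        }
        for name, w in sources.items()
    }


if __name__ == "__main__":
    for name, result in compare_sources(SCORES, EVIDENCE, WEIGHTS).items():
        lo, hi = result["interval"]
        print(f"{name:22s} aggregate={result['aggregate']:.2f} "
              f"95% interval=[{lo:.2f}, {hi:.2f}] "
              f"first priority={result['top_priority']}")
```

With these constructed inputs the two weight vectors give aggregates of 0.70 and 0.68, but the expert-panel weights widen the interval because they lean on the subdomain with the least evidence; the poorly evidenced, low-scoring subdomain comes out as the first priority under both weightings, which is the kind of stability a practitioner would check before acting on a single number.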
3.
  • Lindström, Åsa, et al. (author)
  • The top IT concerns for Chief Information Officers in European Electric Power Industries
  • 2006
  • In: 41st International Conference on Large High Voltage Electric Systems 2006, CIGRE 2006.
  • Conference paper (peer reviewed)
    • The electric power industry depends heavily on IT. Earlier, the business operations of most large companies were supported by a number of isolated software systems performing diverse specific tasks, from real-time process control to administrative functions. Today many companies possess a highly complex enterprise-wide IT system; in large organizations several hundreds of interconnected systems may be employed. The industry is challenged by two major changes: the integration of administrative systems with operation support systems, and the deregulation of the electricity market. Deregulation affects the deployment of IT in many ways; new IT support is needed for many business processes, e.g. billing. The ever-changing business environment challenges contemporary organizations to constantly get the most value from their IT. The Chief Information Officer, CIO, is responsible for IT management, which is a significant challenge today. This paper uses the Architecture Theory Diagram (ATD) for modeling the CIO's responsibilities. The ATD spans the concerns of the CIO and is based on consolidated knowledge from existing architecture theories and frameworks. This paper presents the results from a survey in which the concerns stated in the ATD were prioritized by CIOs at European electric power companies. The results can be used by CIOs for benchmarking. A prioritized set of concerns can be used to communicate to the rest of the organization what is important, and as a basis for IT investment decisions and for determining strategy. This paper is based on a survey answered by CIOs in the European electric power industry in January and February 2005. The survey was answered by twelve top IT executives at electric power companies in Europe. All the respondents come from different countries and ten of the respondents are members of Cigré. The respondents consist of 75 % CIOs, and 59 % of all the respondents report directly to their CEO.
Results from the survey indicate that "Developing strategies", "IT and business alignment", and "Information security" are the three most important concerns for European CIOs in general. There is then a large gap down to the fourth most important concern, which is "Project management". The paper concludes with recommendations on how companies can use this survey to focus and communicate their prioritizations. The survey was conducted in cooperation with the CIO group at Vattenfall, Cigré and the Department of Industrial Information and Control Systems (ICS) at the Royal Institute of Technology (KTH), Sweden.
4.
  • Lindström, Åsa, 1976- (author)
  • Using Architectural Principles to make the IT-Strategy come true : focusing on the electric power industry
  • 2006
  • Doctoral thesis (other academic/artistic)
    • Most large enterprises are facing numerous challenges concerning their information systems, IS, and information and communication technology, ICT. Today, many enterprises employ a considerable number of applications that often have redundant functionality. There is also a large diversification in the ICT products and technologies employed. Further, integration costs are a major issue in almost all acquisition projects, and many enterprises experience a lack of data quality and information security. The list of IS/ICT management challenges can be made much longer. At most enterprises, IS/ICT decisions are made by autonomous business units. In order to change the situation described above and build a more cost-effective IS/ICT environment, all business units need to make consistent IS/ICT decisions. Distributed and consistent decisions can only be made if the decision maker knows which decisions to make and why he/she needs to make them. The latter can be described by the target architecture for the whole enterprise IS/ICT, the information needed to conduct the business and its relationship to the business processes and business organization, together with the benefits that the target architecture provides to the business. Which decisions to make are formulated as architectural principles, i.e. rules that express how your enterprise needs to design and deploy IS/ICT. The present thesis is a composite thesis including eight papers. The first four papers describe the reference model for IS/ICT management responsibilities that is one of the outcomes of the present research. Two different surveys have been performed in order to find out what the major IS/ICT management challenges are. The first survey was answered by 62 Swedish Chief Information Officers, CIOs, from large private enterprises as well as municipalities. The second survey was answered by twelve CIOs from the European electric power industry.
In the fifth paper, one of the IS/ICT management responsibilities, i.e. data quality, is used to illustrate how the IS/ICT manager's responsibilities can be decomposed into measurable units. Over 70 respondents took part in an enterprise-wide measurement of the data quality at a Swedish insurance company. The last three papers are devoted to architectural principles. Architectural principles are introduced, and guidelines on how to define and manage them are proposed, in the sixth paper. The guidelines have been used in a review of Vattenfall's architectural principles. In the last two papers, architectural principles and the reference model are combined in a methodology for assessing the enterprise architecture. The methodology has been used in two different case studies, one at Vattenfall and one at Scania. In both case studies multiple information systems were assessed from many different viewpoints, which meant that many respondents were interviewed.