| 1. |
- Magnusson, Lars, 1952-, et al.
(författare)
-
Post-Mortem of Mega Hacks : Signifying the Need for a Systemic Enterprise View on Information Security
- 2023
-
Ingår i: 2023 7th International Conference on Cryptography, Security and Privacy (CSP). - : IEEE. - 9798350323368 - 9798350323375 ; , s. 41-46
-
Konferensbidrag (refereegranskat)abstract
- Once, system thinking was about singular systems. Today we exist in a far more complex world, with systems interacting with systems, directly or indirectly. Information security, therefore, must involve all systems in the chain. New legal European regulations such as Guidelines for Data Protection Regulation demand that the ICT/IT world must include systems outside the organizational border to be involved and accounted for under enterprise information security umbrella. Recent mega hacks analyzed in this article point to the fact that a systems thinking perspective is needed to create modern governance, risk, and compliance security model framework. This research work puts forth a conceptual model based on Viable System Model appropriate for a major global information security restructuring. A motive for VSM is grounded in that it works fine with securing modern laws like GDPR and CCPA in supporting a needed enterprise perspective.
|
|
| 2. |
- Magnusson, Lars, 1952-, et al.
(författare)
-
On System Thinking and Information Security
- 2019
-
Ingår i: The OR Society Annual Conference OR61, 3-5 September 2019, Sibson Building, Kent University. - : The Operational Research Society. ; , s. 161-162
-
Konferensbidrag (refereegranskat)abstract
- Security problems we have to deal with today regarding Internet are created by ourselves. Internet, initially created to handle US Government data traffic, evolved to become communication between different research institutes. The protocols that were used had no security at all. Today we still use this network to almost everything and the complexity has grown tremendously. Compared to when the network initially was created, we now try to protect assets rather than just communicate, divide users according to permission and accessibility, and deal with privacy issues. Basically, everything is depending on the network that initially was created with no security.Privacy has been a critical security aspect for the EU, but with the event of the GDPR privacy is both a legal aspect and an auditable ICT concept. GDPR includes topics like: owning your own data, independent of who collected it and where it is stored, and; the right to be forgotten. Each data collector also needs to have a complete data-flow map, describing any privacy data sets in a flow, to make these traceable and ready for audit inspection. Any organization handling EU residents’ data, needs to adhere to proactive Information Security processes. GDPR is based on the principles of Governance, Risk, and Compliance. It is not a purely legal construct; it is a management and strategy issue, not an IT issue. Further examples relate to cloud services with distributed resources, which illustrate the complex problem situation.There is a need for a new perspective, moving from systems management to data flow management. We propose a systemic model which illustrate processes and flows within a fractal structure; we build on Beer’s Viable System Model. Such a model enables mapping of complexity and data flows and provide a tool for auditing and, thus, enable meeting the requirements of GDPR.
|
|
| 3. |
- Magnusson, Lars, 1952-
(författare)
-
A New Authentication Paradigm?
- 2012
-
Ingår i: ISC2 InfoSecurity Professional Magazine. - Faringham, US : ISC2. ; 3:17, s. 24-24
-
Tidskriftsartikel (refereegranskat)abstract
- A discussion piece regarding early 2010 woes and concerns about authentication of cloud service users and the information security aspects of that. Includes a perspective of authentication in the view of AT&T Plan 9 Factorum security service.
|
|
| 4. |
- Magnusson, Lars, 1952-
(författare)
-
A Call for Best-Practice Framework
- 2011
-
Ingår i: ISC2 InfoSecurity Professional Magazine. - Faringham, Ma 01701, US : (ISC)2. ; 2:14, s. 32-32
-
Tidskriftsartikel (populärvet., debatt m.m.)abstract
- A discussion piece within (ISC)2 community regarding variation in auditor security configuration standards. Discussing how to conform to a wider standard, so what was approved by one auditor group is not conforming to another auditing group.
|
|
| 5. |
- Magnusson, Lars, Doktorand, 1952-
(författare)
-
HR Access : a key to better InfoSecurity
- 2013
-
Ingår i: ISC2 InfoSecurity Professional Magazine. - Faringham, US : ISC2. ; 4:22, s. 23-23
-
Tidskriftsartikel (populärvet., debatt m.m.)abstract
- As seen in virtually all IT audits, the auditors find active accounts connected to people retired, that left the organization or simply change jobs. Accounts that should be closed. THise article is a discussion about forcing the HR department to give IT better signals of personnel changes, so IT does not need to rely on personal knowledge. The issue is a key US SOX finding and will be an EU GDPR key finding in GDPR audits.
|
|
| 6. |
- Magnusson, Lars, 1952-, et al.
(författare)
-
Implications of EU-GDPR in Low-Grade Social, Activist and NGO Settings
- 2017
-
Ingår i: Proceedings 6<sup>th </sup>UBT annual international conference, 27-29 ocktober, Durrës, Albania. - : UBT. - 9789951437608 ; , s. 91-97
-
Konferensbidrag (refereegranskat)abstract
- Social support services are becoming popular among the citizens of every country and every age. Though, social support services easily accessible on mobile phones are used in different contexts, ranging from extending your presence and connectivity to friends, family and colleagues to using social media services for being a social activist seeking to help individuals confined in miserable situations such as homeless community, drug addicts or even revolutionists fighting against dictatorships etc. However, a very recent development in the European Parliament’s law (2016/679) on the processing and free movement of personal data in terms of EU-GDPR (General data protection rules) considers the low funded social service development efforts unsafe. This article analyses a case study conducted at a shelter for homeless mothers in the United States to conceptualize the future similar development efforts from low end public activist groups within European union. This article aims to raise awareness on this issue and also puts forth a conceptual model to envision the possibilities of mitigating the risks attached to such development efforts under the light of EU-GDPR which will be implemented in may 2018.
|
|
| 7. |
- Magnusson, Lars, 1952-, et al.
(författare)
-
Implications of EU-GDPR in Low-Grade Social, Activist and NGO Settings
- 2018
-
Ingår i: International Journal of Business and Technology. - : UBT. - 2223-8387. - 9789951437608 ; 6:3, s. 1-7
-
Tidskriftsartikel (refereegranskat)abstract
- Social support services are becoming popular among the citizens of every country and every age. Though, social support services easily accessible on mobile phones are used in different contexts, ranging from extending your presence and connectivity to friends, family and colleagues to using social media services for being a social activist seeking to help individuals confined in miserable situations such as homeless community, drug addicts or even revolutionists fighting against dictatorships etc. However, a very recent development in the European Parliament’s law (2016/679) on the processing and free movement of personal data in terms of EU-GDPR (General data protection rules) considers the low funded social service development efforts unsafe. This article analyses a case study conducted at a shelter for homeless mothers in the United States to conceptualize the future similar development efforts from low end public activist groups within European union. This article aims to raise awareness on this issue and also puts forth a conceptual model to envision the possibilities of mitigating the risks attached to such development efforts under the light of EU-GDPR which will be implemented in may 2018.
|
|
| 8. |
- Magnusson, Lars, 1952-
(författare)
-
Solarwinds breach, a signal for a systemic enterprise view on Information Security
- 2021
-
Ingår i: The OR Society's 63rd Annual Conference. - : Operational Research Society, UK.
-
Konferensbidrag (refereegranskat)abstract
- Once, system thinking was about singular systems. Today we exist in a far more complex world, with systems interacting with systems, directly or indirectly. Today's info security involves all systems in the chain; to use an old maxim, "No chain is stronger than its weakest link". The ICT world has become so interconnected that holistic system thinking is needed, with systems outside the organizational border to be involved and accounted for. ICT criminals are using increasingly sophisticated attack methods, often based on the victim's system architecture. In the Dec 2020 security breach at the network management firm Solarwinds in the US, an external party had added a trojan horse package to the Solarwinds management system. The hack gave the hackers stealth control of both Solarwinds as its 18.000 customers' internal system environments. Including high-security targets like the FBI, Homeland Security, and Microsoft. The attack was sophisticated, using the Solarwinds system knowledge, standards, and code layouts. Anyone not doing a deep survey would see Solarwinds code. The trojan was well-known but rewritten to the standards of the target. Solarwinds shows that we now entered a "new brave world", demanding a much more structural system discussion, how to protect our ICT. Based on this attack's sophistication, this was probably a 7- or 8-time successful attempt. We need solid enterprise-wide, system-coordinated security perspectives. But, how can we use system thinking to help plan a better and more cost-efficient security approach on an enterprise-level? For 14 years, this researcher worked with info security in a global automotive company, having the Viable System Model as its internal system model. When not "sabotage" by managers, yes, it happened; VSM worked fine. VSM also works fine with securing modern laws like GDPR when having an enterprise perspective. Info Security desperately needs enterprise system thinking.
|
|
| 9. |
- Magnusson, Lars, 1952-
(författare)
-
12.3 Informationssäkerhet på 2010-talet
- 2013. - 10
-
Ingår i: Bonniers IT-managementhandbok. - Stockholm : Bonnier. - 9197429120
-
Bokkapitel (populärvet., debatt m.m.)abstract
- Artikeln går igenom de informationsäkerhetsutmaningar vi står inför under 2010-talet, både tekniskt som processmässigt. Bland annat beskrivs vikten av revisioner och regelverk, samt hur bygga upp en säkerhetspolicy.
|
|
| 10. |
- Iqbal, Sarfraz, 1979-, et al.
(författare)
-
Searching for A Governance Model to Secure the Data Flow in Organizations : an Indispensable Discussion
- 2019
-
Ingår i: <em>UBT International Conference</em>. - : UBT Knowledge center. - 9789951550192
-
Konferensbidrag (refereegranskat)abstract
- Since the end of the 1980s, there have been several initiatives to control and manage IT environments. ITIL is one of the more successful models, COBIT another. However, thanks to the IP protocol and Internet, since mid-2000 the world has seen a veritable data explosion, affecting IT governance. Some predictions expect current data volumes to grow more than 10 times till 2020, having serious implications both from governance and security perspectives. Additionally, we see some new EU regulations, i.e., Network and Information Security Directive (NIS) and General Data Protection Regulation (GDPR), implemented in May 2018. The latter two will directly affect the scope of IT governance within the European Union and for non-European entities handling EU Citizen’s personal data, with substantial fines if not complying. Both regulations forces anyone handling such data to consider information strategies that include big data management, governance, and information security as a convoluted context. Particularly, GDPR make them to related questions, a governance package. This creates a need for a paradigm shift to remediate/mitigate identified limitations in today’s traditional governance models. This article discusses governance from a holistic perspective, based on the data flow, as per the requirements of GDPR. These are the issues which were not envisioned when today’s governance models were designed in the late 1980s or early 1990s.
|
|
