| 1. |
- Moses, Frank, et al.
(författare)
-
Empirical Study on the State of Practice of Information Security Management in Local Government
- 2022
-
Ingår i: Human Centred Intelligent Systems. - Singapore : Springer. - 9789811934544 - 9789811934551 ; , s. 13-25
-
Konferensbidrag (refereegranskat)abstract
- Modern administrative action is no longer conceivable without electronic communication and IT. The complexity of IT, the increasing degree of networking and the dependence of the administration on IT-supported procedures has led to the fact that security of IT and associated processes must be given high priority and a corresponding cybersecurity strategy must be substantiated. Existing approaches either fall short or cannot be applied to the context of local government without adaptation. This article aims at contrasting the published state-of-the-art in information security management and the state-of-practice in governmental organizations. Empirical basis for our work are (1) audit reports of certification audits in the municipal sector, (2) expert interviews on the status quo of information security in German local government and (3) a review of scientific literature. Results of the paper include current challenges in increasing the resilience of the municipal administration and open issues for future research.
|
|
| 2. |
- Moses, Frank, et al.
(författare)
-
Information Security Management in Small Public Sector Organizations : Requirements and Design of a Procedural Approach
- 2023
-
Ingår i: Complex Systems Informatics and Modeling Quarterly. - : Riga Technical University. - 2255-9922. ; 2023:37, s. 54-68
-
Tidskriftsartikel (refereegranskat)abstract
- The increasing digitalization of enterprises and public authorities has resulted in the growing importance of information technology in everyday operations. In this context, an information security management system (ISMS) has become an essential aspect for most organizations. The dependency on technology for almost every single process in an organization has put ISMS at the top of the corporate agenda of public sector organizations. For public organizations in particular, the NIS 2 Directive describes abstract requirements for the development of an ISMS. On the other hand, only a few public administrations operate an ISMS. In this context, this article analyses the requirements of the NIS-2 Directive and complements them with the obstacles and reasons for success in the introduction of ISMS in small public sector organizations (SPSO). At the same time, minimum requirements should be defined that help municipal administration set up an ISMS quickly and easily. This article summarizes the different requirements and generates a foundation for a rough procedural model, for implementing the upcoming requirements of the NIS 2 Directive in local governments. The article also presents the conceptual design of the procedural model.
|
|
| 3. |
- Moses, Frank, et al.
(författare)
-
ISMS in small public sector organisations : requirements and design of a procedural approach
- 2023
-
Ingår i: CEUR Workshop Proceedings. - : CEUR-WS. ; , s. 1-10
-
Konferensbidrag (refereegranskat)abstract
- At a time when information technology is growing faster than ever before, information security management system (ISMS) assessment has become one of the most important aspects of most public sector organisations. The dependency on technology for almost every single process in an organisation has put ISMS at the top of the corporate agenda of public sector organisations. For public organisations in particular, the NIS 2 Directive describes abstract requirements for the development of an ISMS. On the other hand, only a few public administrations operate an ISMS. In this context, this paper analyses the requirements of the NIS-2 Directive and complements them with the obstacles and reasons for success in the introduction of ISMS in small public sector organisations (SPSO). At the same time, minimum requirements should be defined that help municipal administration set up an information security management system quickly and easily. This paper summarizes the different requirements and generates a foundation for a rough procedural model, for implementing the upcoming requirements of the NIS 2 Directive quickly and easily in local governments.
|
|
| 4. |
- Moses, Frank, et al.
(författare)
-
Information security management in German local government
- 2022
-
Ingår i: Communication Papers of the 17th Conference on Computer Science and Intelligence Systems, FedCSIS 2022, September 4-7, 2022, Sofia, Bulgaria. - Warszawa : Polskie Towarzystwo Informatyczne. - 9788396589743 - 9788396589750 ; , s. 183-189
-
Konferensbidrag (refereegranskat)abstract
- The growing importance of information security in organizations is undisputed. This is particularly true of local governments, because modern administrative action is no longer conceivable today without electronic communication media and IT procedures. The complexity of information technology, the increasing degree of networking (also with citizens) and the dependence of the administration on IT-supported procedures has led to the fact that the security of information technology and associated processes must be given a higher priority and a corresponding cybersecurity strategy must be substantiated. Existing approaches either fall short or cannot be applied to the context of local government without revision and adaptation. In this article, case studies of implementations of IT security projects in local government are examined. Specific focus is on the differences between information security management system (ISMS) implementations of different hierarchical levels of governmental organizations. The results show current challenges in increasing the resilience of the local government.
|
|
| 5. |
- Rehbohm, Thomas, et al.
(författare)
-
On challenges of cyber and information security management in federal structures - The example of German public administration
- 2019
-
Ingår i: CEUR Workshop Proceedings. - : CEUR-WS. ; , s. 1-13
-
Konferensbidrag (refereegranskat)abstract
- Security management in organizations is a complex task requiring defined organizational structures and processes. Established standards and recommendations provide methodological guidance for establishing and managing security. However, it has been observed that governmental or public bodies show different challenges in security management than industrial organizations due to their often densely regulated settings. In this context, in particular federal multi-layered structures have been pointed out as hard to manage. The main contributions of this paper are the results of an interview study among the chief information and security officers (CISOs) of the federal states of Germany. The results shed light on current challenges in cybersecurity management. The results are meant to establish the relevance of research work in this area and to be the starting point of developing artefacts or instruments supporting cybersecurity management at the interface of federal states and municipalities in particular.
|
|
| 6. |
- Kirikova, Marite, et al.
(författare)
-
The Enterprise Model Frame for Supporting Security Requirement Elicitation from Business Processes
- 2016
-
Ingår i: 12th International Baltic Conference, DB&IS 2016, July 4-6, 2016.. - Cham : Springer. - 9783319401799 - 9783319401805 ; , s. 229-241
-
Konferensbidrag (refereegranskat)abstract
- It is generally accepted that security requirements have to be elicited as early as possible to avoid later rework in the systems development process. One of the reasons for difficulties of early detection of security requirements is the complexity of security requirements identification. In this paper we propose an extension of the method for security requirements elicitation from business processes (SREBP). The extension includes the application of the enterprise model frame to capture enterprise views and relationships of the analysed system assets. Although the proposal was used in some practical settings, the main goal of this work is conceptual discussion of the proposal. Our study shows that (i) the enterprise model frame covers practically all concepts of the information security related definitions, and that (ii) the use of the frame with the SREBP method complies with the common enterprise modeling and enterprise architecture approaches.
|
|
| 7. |
- Kirikova, Marite, et al.
(författare)
-
Application of the Enterprise Model Frame for Security Requirements and Control Identification
- 2016
-
Ingår i: Databases and information systems IX. - Amsterdam : IOS Press. - 9781614997146 - 9781614997139 ; , s. 129-142
-
Konferensbidrag (refereegranskat)abstract
- It is generally accepted that security requirements have to be identified as early as possible to avoid later rework in the systems development process. However, in practice quite often security aspects are considered either at the later stages of development cycles (increments in agile projects) or addressed only when problems arise. One of the reasons for difficulties of early detection of security requirements is the complexity of security requirements identification. In this paper we discuss an extension of the method for security requirements elicitation from business processes (SREBP). The extension includes the application of the enterprise model frame to provide an enterprise architecture context for analyzed business process models. The enterprise model frame covers practically all concepts of the information security related definitions; the use of the frame with the SREBP method complies with the common enterprise modeling and enterprise architecture approaches; and it use helps to consider security requirements and control at the business, application, and technology levels simultaneously.
|
|
| 8. |
- Wichmann, Johannes, et al.
(författare)
-
Enterprise architecture frameworks as support for implementation of regulations : Approach and experiences from GDPR
- 2020
-
Ingår i: Complex Systems Informatics and Modeling Quarterly. - : Riga Technical University. - 2255-9922. ; :24, s. 31-48
-
Tidskriftsartikel (refereegranskat)abstract
- Enterprise Architecture (EA) management has been discussed as being supportive for implementation of regulations in enterprises and organizations, but the role of EA frameworks in this context has not been addressed intensely. The EU General Data Protection Regulation (GDPR) is one of the most frequently discussed regulation in industry and research, and expected to cause a shift in viewpoint of enterprises from a technological perspective dominated by information security issues to an organizational perspective governed by GDPR-compliant organizational structures and processes. A well-documented Enterprise Architecture (EA) and a working Enterprise Architecture Management (EAM) organization are expected to significantly ease the roadmap planning for GDPR implementation. Therefore, this article focuses on the practice of EA use for GDPR implementation. The main contributions of this article are (a) an analysis and comparison of existing architecture frameworks and how they address security-related issues, and (b) a case study from financial industries illustrating the use of EA for implementing GDPR compliance.
|
|
