Information Security Measuring: Evaluation of concepts for measuring information security in an organisation, and an outline of a practical approach for this implementation
MetadataVis full innførsel
Information security is essential in many situations in organisations to manage information. The threat of revealing crucial information is relevant in many businesses. Several suggestions to how an organisation could manage information security are worked out by standardisation bodies and other interested parties. These documentations constitute the foundation of building information security management systems. For an organisation to control the quality of their management system, measuring methods should exist. Preparation of standards for this purpose is under development. Based on these approaches to measuring information security, best practice from each document is examined to form a suggestion to measuring. Through this thesis, it has become evident that standard measurements are difficult to create. Organisations have different needs and requirements which influence the measuring procedures. The standardisation of measurements has the problem of suiting organisations of all sizes. The thesis meets this challenge by presenting a list of control objectives from the ISO/IEC 27001 standard. The list contains costs according to implementing and operating the measurements. It also presents the effect and importance of each control objectives. Small and medium enterprises could pick the most relevant measurements. A definite proposal for measurement is described based on business continuity management. Information security should be implemented in the procedures of business continuity. To measure this security domain surveys are sent to administration, selected employees and third parties involved in the process. Based on these surveys, a metric value is calculated as an indicator to the status of business continuity. The measurements need reviewing to be improved. The measurement suggestion should be updated regularly as applies to all processes in the information security measurement area. The work with information security measurements needs better documentation and maturation, and the process is ongoing.