Internal Information Security Management : Creating a Practical Security Process for a BPO
Ynion, Hidden (2016)
Ynion, Hidden
Metropolia Ammattikorkeakoulu
2016
All rights reserved
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2016052610117
Abstract
Information security is vital in any organization and for every individual. Most companies, particularly those that provide outsourcing services, as the case company does, have access to proprietary and confidential information. If this information is not properly managed, the result could be detrimental to the individual and the business. Thus, the objective of this Thesis is to propose a practical internal information security management process that could help the case company protect the confidentiality and integrity of this information.
Existing literature on information security management, mostly inspired by ISO27001, provided valuable information for drafting the conceptual framework of the Thesis. The framework was used as a baseline during the interviews with the case company’s stakeholders to understand the current state of the business. The data from the interviews, along with the best practices gathered from stakeholders of other companies and from the literature, were merged to draft the process proposal that was provided to the case company.
The information security management process that is the outcome of this Thesis fits the needs of the case company. The process consists of different elements, from setting security policy, managing assets and operations, establishing access controls, and reporting incidents, up to conducting the security audit. To commence the process, action items were identified for each of these elements, and owners were assigned. Implementing the process can help provide structure to ensure proper security management of clients’ and customers’ information, which can be beneficial for the case company and its daily operations.