Information Security Governance: An action plan for a non-profit organization based in the Nordics
Olundegun, Luqman (2018)
Laurea-ammattikorkeakoulu
2018
All rights reserved
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:amk-201805188912
Abstract
This thesis examined the gaps in the information security governance process of a non-profit organization based in the Nordics and identified the actions required to close them. The maturity level of seven (7) perspectives from ISO 27002 relevant to the organization was assessed using the COBIT maturity model to determine the gap between the current and desired levels of the organization’s governance process. Five (5) country representatives and three (3) managers from five countries (Finland, Sweden, Denmark, Norway, and Iceland) were interviewed using a structured questionnaire developed from ISO 27002 and the COBIT maturity model.
The thesis adopted a combination of qualitative and quantitative research methods. The data collected from the interviews served as the primary data source, and the results were presented on a radar chart showing the current level, the desired level specified by the non-profit organization, and the desired level specified by the respondents during the interviews.
The results show that the non-profit organization’s supplier service delivery management, incident management, and information security risk management procedures were not in place, while other perspectives such as information security policy, asset classification, continuity planning, and personnel security were not standardized according to the COBIT maturity model. In addition, the thesis measures the gap between the current maturity levels and the organization’s desired levels. The widest gap was in the organization’s supplier service delivery management procedures, and the narrowest gap was in its personnel security management procedures.
This thesis provides a prioritized list of the actions needed to close the identified gaps in the organization’s information security governance process and reach its desired maturity level. The conclusion drawn is that the non-profit organization is vulnerable to potential breaches because the non-technical governance perspectives needed to secure its information systems were undefined and not based on any standard practice.
Finally, this thesis recommends further research into the capability of the organization’s information security governance process, supported by a field study of all the units in the Nordics, to determine an appropriate desired maturity level for each ISO 27002 perspective relevant to the organization.