Wednesday, 12 May 2010 11:24

Dr. Margareth Stoll

In the COSEMA project (www.cosema.org), the Quality Engineering (QE) group at the Institute for Computer Sciences is developing a framework and concept for managing information security in companies.

On May 4th 2010 the COSEMA IT-Cluster took place at the Tiroler Zukunftsstiftung (Tyrolean Future Foundation). Dr. Margareth Stoll gave a presentation on "Information Security as a Cooperative Task". During her talk, Dr. Stoll presented some impressive facts: about 67 % of all information security faults stem from human error, and about 25 % of all companies have no emergency/contingency plan at all. This can, of course, lead to far-reaching damage and failure of services. Creating staff awareness, providing extensive documentation and carrying out continuous security analyses are important components of risk management processes in companies.
Read more:
www.cosema.org
Tiroler Zukunftsstiftung

Abstract:

Due to globalisation, technologization and increased customer demands, competition becomes fiercer and innovation cycles become shorter. Therefore, innovation, knowledge and data management become crucial contributors to sustainable success. Data, information and knowledge are, however, subject to increasing internal and external threats as well as human and technical faults. Consequently, the integrity and credibility of data as well as the accessibility of services must be guaranteed.

Currently about 6,400 organisations world-wide are using an ISO 27001 certified information management system. Information security principles are established, including the requirements of the respective organisation with regard to confidentiality, availability and integrity, taking into account its field of activity, type of organisation and business strategy, customer requirements and legal obligations, contractual agreements, and the technology and assets used. Security goals and strategies are derived from these principles. A risk analysis is also carried out to identify potential risks and their consequences. Taking into account the security measures already implemented, additional measures are developed in order to reduce the risk for the respective organisation to an acceptable level. For the remaining risk, a contingency plan is developed in order to ensure that the agreed security level is re-established. All necessary security measures are documented, staff are instructed, and the entire process is monitored using goals and indicators. Periodically, the agreed-upon rules, processes and orders are evaluated for efficiency and timeliness and are adjusted to take into account changed circumstances, disturbances, weaknesses, emergencies and external information.
With the introduction of an information system according to ISO 27001, the organisation's values are protected according to the respective needs and legal requirements, and customer confidence and reputation are improved.

 