Size | Format
---|---
3.36 MB | Adobe PDF
Abstract(s)
Information Security is today a fundamental aspect of the security of the resources and assets of companies, organizations and institutions, since the whole world is fully interconnected through the internet. It is achieved by implementing an adequate set of controls, including policies, processes, procedures, organizational structure and software and hardware functions. These controls need to be established, implemented, monitored, critically reviewed and improved to ensure that the objectives of the company/organization, as well as its security in general, are met. Compliance with standards is not enough; it is necessary to prove that they are being complied with through regular audits that produce reports with security best practices.
UMa is a complex university in that it has a telecommunications network of medium-high complexity, because the university's systems span three buildings, network equipment and information systems with which thousands of users (students, lecturers, staff, guests, etc.) are in daily contact. Consequently, the university's security level, also complex, presents some problems/defects. The core of this work was to identify the security problems that the university currently faces, such as the absence of formal standards, processes and/or procedures for good security management, among others.
Following this, a survey and study of various concepts, standards, methodologies and processes was carried out in order to see which would be the best approach to these problems at UMa. Although numerous ways of addressing the problems were identified, it was decided to address specifically the 27000 family of standards, because it is dedicated to the area of information security management systems.
A characterization of UMa was then carried out, by gathering various information about the current situation and state of the UMa network, where a set of problems was identified. An analysis methodology was defined in order to analyze and evaluate this set of problems and obtain the level of security risk that UMa faces, and finally the definition of a set of policies to mitigate them was proposed.
As results of the work, six security policies were defined, complemented by eleven controls, associated with the domains (Information Security Policy; Organization of Information Security; Access Control; Physical and Environmental Security) of the standards addressed (ISO/IEC 27001 and ISO/IEC 27002).
Information Security is today a fundamental aspect of the security of resources and assets of companies, organizations and institutions, since the whole world is totally interconnected through the internet. It is achieved by implementing an adequate set of controls, including policies, processes, procedures, organizational structure, and software and hardware functions. These controls need to be established, implemented, monitored, critically reviewed and improved to ensure that the objectives of the company/organization, as well as its overall security, are met. Compliance with standards is not enough; it is necessary to prove that they are being met with regular audits that produce reports with security best practices.
The University of Madeira is a complex university in that it has a medium-high complexity telecommunications network, because the university's systems involve three buildings, network equipment and information systems, with which thousands of users (students, teachers, employees, guests, etc.) are in daily contact. In this way, the university's security is also complex and presents some problems/faults. The core of this work was to identify the security problems that the university currently faces, such as the lack of formal norms, processes and/or procedures for good security management, among others.
In this sequence, a survey and a study of several concepts, standards, methodologies and processes was carried out in order to see what would be the best approach to these UMa problems. Although many ways of addressing the problems were identified, it was decided to specifically address the 27000 family of standards because it is geared to the area of information security management systems. In this way, UMa was characterized, using a survey of various information about the current situation and state of the UMa network, where a set of problems was identified.
An analysis methodology was defined in order to analyze and evaluate this set of problems to obtain the level of security risk faced by UMa, and finally the definition of a set of policies to mitigate them was proposed. As a result of the work, six security policies, supplemented by eleven controls, were defined, associated with the domains (Information Security Policy, Information Security Organization, Access Control, Physical and Environmental Security) of the standards addressed (ISO/IEC 27001 and ISO/IEC 27002).
Keywords
Information security; Security management; Security analysis; Security policies; Standard ISO/IEC 27001; Standard ISO/IEC 27002; Electrical Engineering - Telecommunications (Engenharia Eletrotécnica - Telecomunicações); Faculdade de Ciências Exatas e da Engenharia