Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4269
Title: Information Security Management System Framework for the University of Colombo
Authors: Suduwella, N.D.
Issue Date: 28-Jul-2021
Abstract: Information Security is an important and serious factor for any organization. Previously, the focus has been on Information Technology security, and the implementation of such security mechanisms was assumed to be the responsibility of the IT department and technical experts. However, this trend is changing due to new aspects of business processes and business aspirations in a digital world. The integration of business activities has made information itself more vulnerable, not just the Information Technology used to process the information. IT security controls by themselves are not enough to mitigate vulnerabilities to an organization. To address such situations, a worldwide international standard was required. The ISO 27000 family of security standards was developed to help organizations protect their important assets. Furthermore, many developed countries have developed their own versions of security standards. In Sri Lanka we currently do not have any local standardization to assist in protecting local businesses and organizations, which are regularly subject to security incidents and vulnerable to information security risks. The main idea was to have an Information Security Management System for the University of Colombo, and thereby develop a localized security standard aligned to the laws and regulations of the government of Sri Lanka. Helping small organizations to use a local standardization, based on local laws and regulations, provides the opportunity for such organizations to secure themselves without having to spend vast amounts trying to obtain international standardization. Due to the limited time offered to complete the project, this Information Security Management System framework is intended to provide a suitable risk assessment and a risk treatment plan to address identified hazards.
It will reduce the risks arising from critically identified vulnerabilities that the University system has and go towards eliminating any unacceptable security practices within some administrative departments. In this thesis, the main concentration and effort was given to the creation of an Information Security Incident Management system for the University of Colombo staff instead of creating systems to manage all risks observed when doing the risk assessment. The ISMS project will help the University of Colombo achieve a level close to the international standard regarding information security and assist in growing the quality of work. The ISMS would provide the ongoing opportunity for the University to keep the system under constant review and apply modern technologies and new techniques with the recommendation of the Information Security Steering Committee.
URI: http://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4269
Appears in Collections: 2019

Files in This Item:
File: 2015MIS021.pdf
Size: 682.26 kB
Format: Adobe PDF


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.