Towards ISO 27001 information Security certification

Dissertant

al-Fahli, Ouarda

Thesis advisor

Rashidi, Taj al-Din

University

Al Akhawayn University

Faculty

School of Science and Engineering

Department

Computer Networks

University Country

Morocco

Degree

Master

Degree Date

2006

English Abstract

Over its decade of existence (1995-2006), Al Akhawayn University in Ifrane's (AUI) [illegible] and operations business have relied extensively on information technologies and systems.

The University acquired complex applications to manage its operational activities along with a collaborative environment and file sharing systems for its core mission that is Education.

Consequently, as information systems, technologies and services carry out all or most of the operations inside the University, they constitute an important point of failure that needs to be secured and protected.

In this perspective, and along with the enhancement of AUI network and IT facilities, the University, and mainly the Department of the Information Technologies and Services (ITS), felt the need of adopting a structured information security plan following international standards.

This project aims at proposing a global framework for the Information Technology Security at AUI.

This framework is based on international standards for information security.

Applying this framework will, indeed, be very beneficial to the University business and image on many aspects.

On the financial aspect, it will participate actively in the reduction of costs due to failures.

On the organisational and procedural aspects, this framework is providing a global view of all existing systems, their interfaces and interdependencies which will give place to Enterprise Governance.

On the technical aspect, this framework will help systems administrators The adoption of these standards does indeed constitute the beginning of a certification process for the University information system security.

This certification is an accreditation for excellence that recognises an Organisation as one that adheres to the best practices in managing security of its IT environment.

In order to select the more appropriate standard, a comparative study of a set of international standards has been conducted as a first step.

The standard (ISO 27001) is then chosen to define the global information security management system, followed by a second standard (ISO 13335) which provides general guidelines for the implementation.

The second step was to conduct a preliminary audit in order to assess the existent and measure the gaps between the existent and best practices provided by ISO 27001 based on guidelines proposed by ISO 13335.

This audit showed the absence of a global management system for information security including a documentation system.

In order to set up this management system, a baseline risk analysis was conducted, the results of which revealed problems of two different aspects: The first problem concerns the lack of a structured operation environment for IT related systems.

The second problem, which is more technical, concerns some flaws that were identified on the network.

To address these two problems, I proposed the adoption of a comprehensive documentary system composed of the Information Security Manual along with templates for policies, procedures and reporting documents.

I also developed a network monitoring tool to address some technical flaws that were detected.

Main Subjects

Educational Sciences
Information Technology and Computer Science

No. of Pages

84

Table of Contents

Table of contents.

Abstract.

Abstract in Arabic.

Chapter One : Introduction.

Chapter Two : Benchmarking of information security international standards.

Chapter Three : Applying the selected framework to the ITS department.

Chapter Four : Network monitoring tool.

Chapter Five : Conclusion and next steps.

References.

American Psychological Association (APA)

al-Fahli, Ouarda. (2006). Towards ISO 27001 information Security certification. (Master's theses Theses and Dissertations Master). Al Akhawayn University, Morocco
https://search.emarefa.net/detail/BIM-644949

Modern Language Association (MLA)

al-Fahli, Ouarda. Towards ISO 27001 information Security certification. (Master's theses Theses and Dissertations Master). Al Akhawayn University. (2006).
https://search.emarefa.net/detail/BIM-644949

American Medical Association (AMA)

al-Fahli, Ouarda. (2006). Towards ISO 27001 information Security certification. (Master's theses Theses and Dissertations Master). Al Akhawayn University, Morocco
https://search.emarefa.net/detail/BIM-644949

Language

English

Data Type

Arab Theses

Record ID

BIM-644949