Analysis and Evaluation of the Information Security Management System in the Enterprise – A Case Study

Abstract:

The aim of the article is to analyze the information security management system as well as to identify and assess the risks of information security loss in a selected manufacturing company. In view of the aim of the work defined in this way, the research problem was formulated in the form of the following questions: What elements does the information security management system functioning in the enterprise consist of, and what is their impact on the general level of information security? What is the level of the risk of losing information security, and what security measures does the company apply to counteract threats? What other measures should be implemented to ensure an adequate level of information security? Achieving the above-mentioned goal of the work and answering the research problems posed required the use of the following research methods: analysis of the available literature in the field of information security management, supported by a diagnostic survey, the observation and experience of the authors, and a synthesis of the knowledge possessed. The main part of the article is the analysis of the risk of information security loss, carried out with the use of a commonly used methodology. The article presents a synthetic analysis of selected elements of the information security management system in a selected production company. The analyzed system includes the following elements: (1) objectives, (2) scope, (3) responsibility, (4) information classification, (5) information access control, (6) physical security, (7) ICT security, (8) human resource security, (9) breaches of information security, and (10) monitoring, maintenance and improvement of the information security system. Then, on the basis of the collected research material, an information security risk assessment was carried out.
Based on the research results obtained, it can be concluded that information security threats that may occur in the examined enterprise are at an acceptable level of risk. In practice, this means that the company is not obliged to implement new or modify existing security measures. However, it is recommended to conduct a systematic analysis of threats and monitoring of implemented security measures, as any signs of their neglect or errors in their functioning may lead to an escalation of threats and an increase in risk, even to an unacceptable level.