Högskolan i Skövde

his.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Förenklade informationsklassificeringsscheman hos svenska statliga myndigheter
University of Skövde, School of Informatics.
2016 (Swedish)Independent thesis Basic level (degree of Bachelor), 10 credits / 15 HE creditsStudent thesisAlternative title
Simplified classification schemes at Swedish state agencies (English)
Abstract [en]

Information is a vital part for most organizations, not least for state agencies as they handle personal data for every citizen, such as medical records, social security numbers and other sensitive information. It is therefore critical to protect the information assets at a sufficient level according to its value. Information security aims to do this by preserving the properties of confidentiality, integrity and availability of the information. This means that accurate and complete information shall be accessible and usable by an authorized entity upon demand. Swedish state agencies are obliged to manage their information security by the implementation of an information security management system (ISMS). The ISMS has to be set up and operated in compliance with the international standards ISO/IEC 27001 and ISO/IEC 27002, but these standards are somewhat vague in describing how to perform certain procedures. One part of the ISMS consists of the process of classifying the information, a process that according to the result from a survey by the Swedish Civil Contingencies Agency (MSB) is troublesome (MSB, 2014), especially for smaller-sized agencies. In this classification process, a classification scheme is used to determine the consequences to the organisation if the confidentiality, integrity or availability of the information is jeopardized. The result of this process determines the level of protection that each piece of information asset will receive at a later stage. It is vital to classify the assets at a suitable level to avoid over or under classification, as the former can lead to unnecessary costs and difficulties in using the assets, and the latter can put the asset at risk of unauthorized access. The interest from the academic world have however been low regarding research focused on the 27000 series of standards, compared to the more mature ISO/IEC 9000 and ISO/IEC 14000 series. This thesis project aims to investigate how the classification scheme has been simplified and to identify enabling factors from the development and use of simplified classification schemes. The research questions for this thesis project are:

In which ways have a number of Swedish state agencies simplified their information classification schemes?

Which factors have influenced the development and use of a simplified classification scheme?

A mixed method, an embedded case study, was used, including both a review of existing information security policies for the state agencies to gather information about current information classification models and schemes, as well as interviews with the chiefs of information security for the state agencies regarding the development and usage of a simplified information classification scheme. In total, 120 documents from 81 agencies were reviewed and 7 interviews were completed. The results from the study shows that the state agencies that have simplified their classification scheme do so by focusing on one aspect: confidentiality. The agencies motivate this by a number of reasons:

  • The aspects integrity and availability are regarded complex and difficult for the end user to relate to and classify. In order to simplify for the end user these aspects are handled by the IT department and the IT environment
  • The integrity and availability aspects are more or less built into the IT environment and thus handled automatically as long as the end user correctly classifies the information asset according to the confidentiality aspect and handles the information according to the handling guidelines

The study also shows the need for a national, common set of handling guidelines and consequence levels for the classification scheme as this would simplify and improve the security in communication between the state agencies

Place, publisher, year, edition, pages
2016. , p. 26
Keywords [en]
information security, information classification, classification scheme, Swedish state agencies
Keywords [sv]
informationssäkerhet, informationsklassificering, klassificeringsschema, svenska statliga myndigheter
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:his:diva-12446OAI: oai:DiVA.org:his-12446DiVA, id: diva2:937022
Subject / course
Informationsteknologi
Educational program
Network and Systems Administration
Supervisors
Examiners
Available from: 2016-06-16 Created: 2016-06-14 Last updated: 2018-01-10Bibliographically approved

Open Access in DiVA

fulltext(1349 kB)1016 downloads
File information
File name FULLTEXT02.pdfFile size 1349 kBChecksum SHA-512
90e7e1f3589f67e3a4732e687552f63345146887a83160ed12937616a5192bccc60a871fd689a0227c235dea489f20d775b06d12bea4fbe820a59c6015680165
Type fulltextMimetype application/pdf

Search in DiVA

By author/editor
Gustavsson, Fredrik
By organisation
School of Informatics
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 1020 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

urn-nbn

Altmetric score

urn-nbn
Total: 629 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf