Author: Maria Pibilota Murumaa
Supervisors: Mari Seeba, Tarmo Oja
Abstract: The development of the Estonian Information Security Standard (E-ITS) has created a need to evaluate an organisation’s information security state. However, collecting data about security measures must itself be handled securely. This thesis aims to design a security-sensitive Self-Assessment Framework (SAF) for collecting answers to F4SLE (Framework for Security Level Evaluation). To propose the SAF design, a comparison of similar tools, a requirement analysis, and three design iterations were performed. The final design includes a web-based user interface for collecting aggregated results and server-based administrative functionality for benchmark calculations and visualisation. In addition, a limited version of the SAF was implemented to conduct a pilot in Estonia and the Czech Republic. The SAF validation consists of two parts. First, a threat analysis is conducted to evaluate the framework’s security posture and to identify additional requirements. Second, the pilot participants are asked to assess the framework in order to validate the design decisions. The proposed security-sensitive SAF design can be generalised to other four-level self-assessment tools. The framework is suitable for conducting threat audits or for validating newly developed risk assessment frameworks.