This report is a bachelor thesis created for the Technology Center as a part of the Software Engineering and Management programme.

The report deals with the problem of security issues in organizations with wast amounts of data. The question at issue asked what could be done to increase information security for the Technology Center.

While solving the problem the report presents the Technology Center and what their ITresources is and why they should be secured. The author describes the method used to gather data that was used in a risk assessment and analysis.

The next part in the authors struggle to increase information security was to create an information security policy. The policy is a document that all members and users of the Technology Center should read and follow as it has rules and guidelines that can help the organization minimize the risks found in the analysis.


One thing that is often overlooked in companies and organization is clear rules and guidelines for how their information resources and data should be secured. If data is lost due to user error or neglect that could most certainly have been avoided if the user would have had education or a set of rules to follow while processing data. Even a simple thing as leaving a cable on the floor could mean system downtime or loss of network access if someone trips and unintentionally unplugs the cable. If data then gets corrupt and no recent backup exist the company or organization could be in big trouble. These threat examples and more can be reduced or eliminated by risk analysis and the implementation of countermeasures.


The organization that the author is going to help design an information security policy for is the Technology Center, hereafter shortened to the TechCenter. The TechCenter will host several virtual environments and databases for students to aid them in school related activities, for instance learning and managing an Oracle SQL database.

The Problem

As the TechCenter is a fairly new institution it lacks guidelines and policies including an information security policy. The lack of policies compromises data security and integrity together with plans to handle crises such as theft or fire. Also the users lacks a document that informs them about how to handle their accounts and passwords.