Ensuring User Reliability in the Information Systems of Järvamaa Vocational Training Centre

Date

2022-05-03

Publisher

Tallinna Tehnikakõrgkool

Summary

In the author's assessment, the aim of the thesis was achieved: to analyse the factors and solutions affecting the assurance of user reliability in the information systems of Järvamaa Vocational Training Centre, in order to find ways to reduce their weaknesses and risks and, based on the results of the study, to make corresponding improvement proposals to the management. All the research tasks set to achieve the aim were fulfilled. The first chapter consisted of the theoretical part, which gave an overview of the theoretical starting points and technical solutions for ensuring user reliability in general. The second chapter analysed the factors and technical solutions affecting user reliability assurance at Järvamaa Vocational Training Centre, mapped the institution's cyber security measures to the CIS framework (Appendix 4) and created a sample document of the computer network usage policy (Appendix 3). The third chapter analysed the research results, identified ways to reduce the risks and weaknesses of the factors and technical solutions affecting user reliability, and made corresponding improvement proposals to the management and the IT department.

The author highlights the most important results:
• the institution under study had no information security documents, except for a privacy policy;
• the study revealed that there is no cyber security training or awareness raising for users;
• the institution has previously introduced various security elements, but they are no longer applied;
• despite the absence of officially established documents, the institution has managed to prevent more catastrophic cyber incidents thanks to the good work of the IT department.

Based on the theoretical analysis and the research results, the author of the thesis made five proposals for improving user reliability assurance at Järvamaa Vocational Training Centre, in addition to the above-mentioned mapping of CIS measures and creation of the sample computer network policy document. Implementing them strengthens the institution's overall level of cyber security both organisationally and in terms of information technology, raises users' awareness and skills, and gives guidance on how to continue raising the institution's level of cyber security. The proposals are presented in detail in subsection 3.4. Digital data no longer exists only as files on computers, but resides in the databases of various information systems. To use information systems, users have to go through the whole user reliability assurance process. It is highly relevant for organisations to define the rights to access, manage and handle data in their information systems. This is the basis of secure user reliability assurance.


The thesis is entitled "Ensuring User Reliability in the Information Systems of Järvamaa Vocational Training Centre" and is written in Estonian. The thesis consists of 75 pages, 3 chapters, 3 tables, 5 figures, 4 appendices, 83 sources and a summary in English.

Various studies have shown that in recent years, along with the development of the digital society, there has been an upward trend in cyber-attacks. Digital data is no longer just on computers in the form of documents, but also on various information systems, smart devices, cloud services, etc. The trend in cyber-security has increased in recent years. To access all these services, users have different user accounts that they need to use. Controlling access is the basis of all security, as it is essential for both individuals and organisations to determine who has access to which data and how to manage it.

The aim of the thesis was to analyse the factors affecting the reliability of the users in the information systems of Järvamaa Vocational Training Centre and the technical solutions, in order to find ways to reduce these weaknesses and risks. It also aimed at mapping the security measures of Järvamaa Vocational Training Centre based on the CIS framework and, if necessary, at creating sample information security documents. The objective of the thesis was to describe the requirements of legislation, standards and norms to ensure the reliability of users.
The supporting objectives of the thesis were:
● to describe the requirements of legislation, standards and norms to ensure the reliability of users;
● to describe the information security triad through user trust management and how different measures are ensured;
● to analyse and compare state-of-the-art technical solutions for ensuring user reliability;
● to select an appropriate methodology and data collection instruments to identify the user reliability requirements, measures and security assurance methods in use at Järvamaa Vocational Training Centre;
● based on the selected methodologies, to map the user assurance requirements, standards and technical solutions used in the information systems of Järvamaa Vocational Training Centre;
● to identify the problematic areas in ensuring user reliability in the information systems of Järvamaa Vocational Training Centre, to draw up proposals for improving user reliability in the information systems of Järvamaa Vocational Training Centre and, if necessary, to create model documents.

The thesis was based on theoretical analysis and empirical research. The first part dealt with the theoretical starting points of ensuring user reliability and legal acts. The second part describes the research methodology. The final part presents the analysis, conclusions and results of the study. The empirical study was based on a qualitative method involving interviews, document review and participatory observation. The interview sample consisted of the IT manager and the director of the institution. During the document review, the privacy policy was analysed. During the participant observation, the author was involved in the day-to-day management of various information systems in the institution.
Based on the theoretical part and the results of the study, the author drafted a sample document of the computer network policy of the institution, mapped the institution's cybersecurity measures based on the CIS framework, and made 5 suggestions, the three most important of which are:
● Immediately establish in-house procedures for using the computer network, an information security policy and procedures for better handling of security incidents, to better define the rules and roles for ensuring user reliability.
● Establish a mandatory web-based e-learning course on cyber security for staff to ensure a common user behaviour pattern on data security.
● Organise internal cyber security training at least twice a year, including a knowledge audit, to instil a common cyber awareness and behaviour.

Keywords

TTK Subject Categories::Information Systems