Risk management planning and implementation in ICT-sector organizations (Riskienhallinnan suunnittelu ja toteutus ICT-alan organisaatioissa)


Bibliographic Details
Main Author: Arponen, Leo-Pekka
Advisor: Siponen, Mikko
Other Authors: Faculty of Information Technology (Informaatioteknologian tiedekunta), Information Technology (Informaatioteknologia), University of Jyväskylä (Jyväskylän yliopisto)
Format: Master's thesis (Pro gradu -tutkielma), 70 pages
Language: Finnish (abstract also in English)
Published: 2023
Subjects: risk management framework, risk management guidelines, ICT organizations; discipline: cyber security (Kyberturvallisuus); YSO terms: risk management, organizations, risks, standards, management, security
Rights: In Copyright (https://rightsstatements.org/page/InC/1.0/), open access
Online Access: https://jyx.jyu.fi/handle/123456789/86875
Persistent identifier: URN:NBN:fi:jyu-202305112954 (http://www.urn.fi/URN:NBN:fi:jyu-202305112954)
Full text (PDF): https://jyx.jyu.fi/bitstreams/4538e2d7-9e7f-4bbc-809c-d9b9bee07b6c/download
Abstract

Risk management is an essential part of a functioning organization's activities and serves to increase the likelihood of its success. Most organizations' risk management is guided by the ISO 31000:2018 risk management guidelines. The purpose of risk management guidelines, standards, and other best practices is to create the conditions for implementing risk management. The various guidelines and standards approach risk management through different perspectives and methodologies, but the goal is still the same: effective risk management.

The aim of this thesis was to gather information and to find out how ICT organizations should implement risk management, and whether it would be worthwhile to use the NIST SP 800-37r2 risk management framework in addition to the generally applied ISO 31000:2018 risk management guidelines. In the theoretical framework of the study, the main concepts of risk management, its theoretical foundations, and the risk management models discussed in the thesis and their comparison were examined. The empirical part of the study was carried out using qualitative methods. The data was collected through semi-structured interviews with the security managers of a Finnish ICT organization and was analyzed using data-driven content analysis. The study concluded that combining the risk management guidelines with the framework is possible, but effective risk management was found to depend on people rather than on guidelines.