Kommunal informationssäkerhet : En undersökning av informationssäkerhet inom kommunal IT-styrning

Sammanfattning: This study examined how municipalities work with information security focusing on the use of security standards. Data was collected from three different municipalities differentiating in population, for the purpose of determining whether financial resources was a factor to successful information security within the organization. The study was based on a theoretical framework that consisted of ISO 27000, The General Data Protection Regulation, as well as the NIS directive. To examine the municipalities information security and whether security standards were used data was collected via interviews. In these interviews the informants were asked questions created in a semi-structured way to provide them with context while still being able to answer freely. This data was later to be analysed and categorised into themes where it could be interpreted. These themes within information security, consisted of continuity, risk assessment, policies, regulations, security standards, budget, and resources. Through analysis, the answers were compared as well as put into the context of what had been discovered in prior research within the field. It later points towards certain improvements in some respects as well as no further improvements in other areas. The study could affirm prior results from earlier research, and that municipalities still had essential deficiencies in their information security such as not working systematically with information security at an acceptable level. However, there were some improvements compared to prior research among municipalities and there were clear indications that there had been put a larger focus on information security. The informants also affirmed that regulations such as the General Data Protection Regulation had affected the municipalities executives’ approach towards information security within the organization.