Developing a model and a tool to manage the information security in Small and
Medium Enterprises
Luís Enrique Sánchez, Daniel Villafranca
SICAMAN NT. Departamento de I+D, Juan José Rodrigo, 4. Tomelloso, Ciudad Real, Spain
{lesanchez, dvillafranca} @sicaman-nt.com
Eduardo Fernández-Medina, Mario Piattini
ALARCOS Research Group. TSI Department. University of Castilla-La Mancha, Paseo de la Universidad, 4 – 13071
Ciudad Real, Spain
{Eduardo.FdezMedina, Mario.Piattini}@uclm.es
Abstract: Maturity and security management systems are essential in order to guarantee the continuity and
stability of companies in the current market situation. However, this requires that enterprises know at
all times their security maturity level and to what extent their information security system must
evolve. In small and medium-sized enterprises, the application of security standards has an additional
problem, which is the fact that they do not have enough resources to carry out appropriate management.
For it to be feasible in small and medium-sized enterprises (from here on referred to as SMEs), this
security management system must have highly reduced implementation and maintenance costs. In this paper, we
put forward our proposal of a maturity model for security management in SMEs and briefly analyse other
models that exist in the market. This approach is being directly applied to real cases, thus obtaining
constant improvement in its application.
1 INTRODUCTION
Information, and the processes, systems and networks that support it, are the most important assets of any
organization (Dhillon and Backhouse 2000) and constitute the main differentiating factor in the
evolution of an enterprise. These assets are exposed to a great variety of risks that may critically affect
enterprises. There are many sources that provide figures showing the importance of the problems caused
by a lack of adequate security measures (Wood 2000; CSI 2002; Hyder et al. 2004; Biever 2005;
Telang and Wattal 2005; Goldfarb 2006).
At present, tackling the implementation of a security management system is extremely complex for a
small or medium-sized enterprise (Pertier 2003; Kim and Choi 2005). The tendency in the field of
enterprise security is that of gradually migrating the corporate culture towards the creation of an
information security management system (ISMS), although this progression is very slow. Thus, studies
such as that of René Sant-Germain (Sant-Germain 2005) estimate that with the current models, by 2009
only 35% of the enterprises in the world which employ more than 2000 people will have implemented an
ISMS, and that the figures for SMEs will be much worse.
At present, the market demands that enterprises are able to guarantee that the technologies supporting
their computer assets and information are secure, fast and easy to interact with (Corti et al. 2005).
However, in order to fulfil these requirements, system administrators have run into two problems with
no satisfactory solution: a lack of tools that allow them to manage information system security in a
centralized, simple way, and a lack of information security standards suited to the size of the
enterprise (Pertier 2003; Kim and Choi 2005).
The first problem is still unsolved, but we believe that by solving the second problem we shall be able
to solve the first. With regard to the second problem, both national and international organizations
have gone to great lengths to elaborate sets of rules and specifications related to the security of
information and communication technologies. These rules are above all focused on the definition of
security controls through codes of good practice, rules defining security management systems and rules
with criteria for certifying security. Nevertheless, the situation is complex, and for a small or
medium-sized enterprise with limited resources it is an extremely difficult task to implement a security
management system that may have several levels of requirement. In addition, the process almost always
ends with the enterprise being forced to accept the risk of not having a security management system at
all, because it is not able to implement one.
In this paper, we describe a new proposal for a maturity model and security management model
orientated towards SMEs, aimed at solving the problems detected in classical models, which are proving
to be inefficient when implemented in SMEs due both to their complexity and to a series of other
factors that will be analysed in detail in the following sections of the paper.
The remainder of this paper is organized as follows: Section 2 very briefly describes existing
maturity models, their current tendencies and some of the new proposals that are appearing. Section 3
introduces our proposal for a maturity model orientated towards SMEs. Finally, in Section 4, we
conclude by discussing our future work on this subject.
2 RELATED WORK
Security Maturity Models (COBIT 2000; Eloff and Eloff 2003; Lee et al. 2003; Aceituno 2005; Areiza
et al. 2005; Barrientos and Areiza 2005) are designed with the intention of establishing a standardized
valuation which can be used not only to determine the state of information security in an
organization but also to plan the means by which to attain the desired security goals. These maturity
levels are progressive, meaning that the information security implemented increases as the maturity
level rises.
Almost all the defined maturity models have common domains, and mapping matrixes have been
developed (Institute; Eloff and Eloff 2003; Jimmy Heschl 2006) which make it possible to relate
maturity models to each other, so that they can be compared and interconnected.
Among the information security models (Areiza et al. 2005) that are most frequently applied to
enterprises nowadays, we can highlight SSE-CMM (Systems Security Engineering Capability Maturity
Model), COBIT (COBIT 2000) and ISM3 (Walton 2002). Moreover, although research to develop new models
has been carried out, none of it has been able to solve the current problems that occur when those
models are applied to SMEs. Among these new proposals we can highlight CC_SSE-CMM developed by
Jongsook Lee (Lee et al. 2003), which is based on the Common Criteria (CC), and the SSE-CMM model
developed by Eloff and Eloff (Eloff and Eloff 2003), which defines four different classes of
protection allowing a progressive increase in security levels.
Other proposals see risk analysis as the central concept of the ISMS. Among these, we can highlight
the proposal by Areiza and Barrientos (Barrientos and Areiza 2005) and the EU CORAS project
(IST-2000-25031) (Lund et al. 2003).
The majority of the current risk-based models use the Magerit v2 risk analysis methodology
(MageritV2 2005). The problem with Magerit is that, although it is the most complete and efficient
risk analysis methodology that exists in the market, it is precisely for that reason not useful for
SMEs, since it implies enormous complexity when collecting data and requires the direct involvement
of users.
As opposed to those models which see risk analysis as the nucleus of the ISMS, in our case, although
we consider it to be very important, it is only one more piece in the system. Siegel (Siegel et al.
2002) points out that computer security models that are exclusively centred upon risk elimination are
not enough. On the other hand, Garigue (Garigue and Stefaniu 2003) highlights that nowadays managers
wish to know not only what has been done to mitigate risks but also that this task has been carried
out effectively and whether its performance has allowed the company to save money.
We must take into account that risk analysis is an expensive process which cannot be repeated every
time a modification is performed. Hence, it is important to develop specific methodologies which allow
the results of a risk analysis to be maintained. The EU CORAS project (Lund et al. 2003) makes this
maintenance of the risk analysis the main point of its model.
The way in which these maturity levels are approached differs according to the authors taken as
reference. Thus, some authors insist on using the ISO/IEC 17799 international standard in security
management models, but always in an incremental manner which takes the particular security needs into
consideration (Von Solms and Von Solms 2001; Walton 2002; Eloff and Eloff 2003; Barrientos and Areiza
2005).
The proposal presented in this paper is also based on the ISO/IEC 17799 international standard, but
has been orientated towards its application in SMEs and towards avoiding the problems detected in
current models.
3 SMM-SME: SPIRAL MATURITY MODEL FOR ISMS
The Information Security Maturity Model that we propose allows any organization to evaluate the state
of its security, but is mainly orientated towards SMEs, since it produces simple, cheap, rapid,
automated, progressive and maintainable security management models, which are the main requirements
of these enterprises when implementing such models. Furthermore, small and medium-sized companies
represent more than 95% of Spanish companies and, for this reason, the Spanish set of enterprises
cannot be considered mature from a technological viewpoint until an adequate security level is
achieved in small and medium-sized enterprises. The most outstanding characteristics of our model are
the following: i) it has three security levels (1 to 3) instead of the 5-6 levels proposed by the
classical models, ii) we propose that each level is certifiable, instead of the all-or-nothing
certification that exists at present, and finally, iii) the maturity level is associated with the
characteristics of the enterprise.
In this way, and by using the information obtained from customers who use SICAMAN, we have developed
a spirally structured maturity model (see Figure 1). This model has the aim of facilitating fast and
economic cycles which allow us to create a security culture within the organization in a constant and
progressive way. The purpose of our model is, initially, to carry out an estimation of the
enterprise's maturity level at a low cost and in a short period of time, so as to determine a project
plan which can be presented to the company's board of directors. Another characteristic of our model
is that the proposed plans are carried out in the short term, unlike the plans derived from the
current models, whose long duration makes them totally inadequate for the current changing structure
of small and medium-sized enterprises.
Another of the main contributions of the model that we have developed is a set of matrixes which
allow us to relate the various components of the ISMS (controls, assets, threats, vulnerabilities,
risk, procedures, registers, templates, technical instructions, regulations and metrics) and which the
system uses to automatically generate a large amount of the necessary information, noticeably reducing
the time needed for ISMS development and implementation. This set of interrelations between all of the
ISMS components means that any change in one of those objects alters the measurement value of the rest
of the objects in the system, so that we always have an updated valuation of how the security system
of the company evolves.
Figure 1: Simplified Diagram of the spiral model phases.
By using this model, we are always able to estimate, in a minimum period of time, the maturity level
of the enterprise's ISMS and to identify the set of rules that best fit it. We are thus able to
propose realistic short-term goals for the company's expected evolution in each spiral cycle. Once we
have identified the current maturity level of the enterprise, an improvement plan is created and
presented to the board of directors. The main objective of this plan is to build on the current
maturity level in order to reach the next one.
Figure 2: Simplified Diagram of the spiral model phases.
The security management model is formed of three phases, and the results of each phase are necessary
for the following one (see Figure 2). At the same time, there is information feedback from Phase III
to Phases I and II which allows the system to modify its parameters if necessary and to adapt itself
to new circumstances.
In the following sections, we give a summarized analysis of the functioning of each phase of the model
by reviewing and analysing the algorithms that the system uses to generate adequate information for
the enterprise with minimum effort. At the end of the section, we briefly present the tool used to
automate the model.
3.1 Phase I: Establishment of the
Current and Desired Maturity Level
The main objective of this phase is to establish the security level desirable for the enterprise; the
current security level is then obtained through the audit. Moreover, vital information for Phases II
and III is obtained.
Figure 3: Diagram of the Spiral Model Phase I. [Figure contents: the documents Do.I.1 (Initial Security Audit) and Do.I.2 (Establishment of the enterprise profile) feed the process, which produces the Recommended Security Level, the Current Security Level, the Risk level and the deliverable De.I.1 (Report: Present security state) through the equations Σ NRM and Σ NSE; ISMS data are fed back by means of metrics from the periodic audits of Phases II and III. Legend: ∏ = Matrixes, Σ = Equations, Ω = Algorithms, ∫ = Levels, Do = Documents, De = Deliverables.]
This phase is composed of two sub-phases (see Figure 3):
Establishment of the enterprise profile: The model that we propose uses a set of characteristics
intrinsic to the enterprise in order to define the maximum maturity level to which the enterprise
should evolve, taking its current situation into account. Each of these parameters is translated into
a value, and the normalized sum of these values determines the maximum maturity level that the system
considers appropriate for the enterprise.
The equation (1) used to calculate the maturity level associated with the company is:

$$\mathrm{ML} = \frac{\sum_{i} \mathrm{WeightFactor}_{s,i} \cdot \left(\mathrm{ValFactor}_{i} / \mathrm{MaxValFactor}_{i}\right)}{\sum_{i} \mathrm{WeightFactor}_{s,i}} \qquad (1)$$

where i ranges over the factors, s is the sector of the enterprise, ValFactor_i is the value of factor i for the enterprise, MaxValFactor_i is its maximum value and WeightFactor_{s,i} is the weight of factor i for sector s.
According to that expression and our practical
experience with our customers, we have considered
three maturity levels (see Figure 4):
1: If the result is between 0-0.25.
2: If the result is between 0.25–0.75.
3: If the result is between 0.75–1.
Figure 4: Phase I – Maturity Levels.
The different elements of this expression are the following:
o Factors: Factors represent a set of parameters that we have selected and that have an effect upon
determining the security dimensioning which is adequate for the enterprise. In the current version,
the following parameters have been considered: i) number of employees, ii) annual turnover, iii)
dependency on the R&D department, iv) number of employees using the information system, v) number of
people directly associated with the systems department, vi) level of enterprise dependency on I.S.
outsourcing. Each factor has an associated range of values, which is determined by the characteristics
of the enterprise.
o WeightFactor: This is a corrective parameter extracted from a matrix which assigns a value to each
factor-sector pair. This parameter of the equation allows us to control the deviations that the
special characteristics of enterprises belonging to certain sectors may produce.
Initial Security Audit: This sub-phase, included in Phase I, consists of performing a detailed
check-list that helps us position the current state of the company with regard to its maturity level.
The 735 sub-controls can belong to different maturity levels, although in the initial configuration
that we recommend all sub-controls belong to the same level.
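The profile calculation described above, as an added example that is not the paper's tool: a Python implementation of equation (1) and of the mapping of its result onto the three maturity levels. The six factors are the paper's; the maximum value of each factor, the factor-sector weight matrix, the clamping of each value into its range and the assignment of the interval boundaries to the upper level are assumptions made for this illustration.

```python
"""Phase I: maturity-level estimation from the enterprise profile.

Added example; not the SICAMAN tool. The factor names come from the paper,
but the maximum values, the factor-sector weights and the clamping of each
factor into its range are assumptions made for this illustration.
"""

# The six profile factors listed in the paper.
FACTORS = (
    "employees",      # i) number of employees
    "turnover",       # ii) annual turnover (assumed unit: millions of euros)
    "rd_dependency",  # iii) dependency on the R&D department (assumed 0-5 scale)
    "is_users",       # iv) employees using the information system
    "systems_staff",  # v) people directly associated with the systems department
    "outsourcing",    # vi) dependency on I.S. outsourcing (assumed 0-5 scale)
)

# MaxValFactor: assumed upper end of each factor's value range. A factor value
# is clamped into [0, MaxValFactor] so that ValFactor/MaxValFactor lies in [0, 1].
MAX_VAL_FACTOR = {
    "employees": 250, "turnover": 50.0, "rd_dependency": 5,
    "is_users": 250, "systems_staff": 10, "outsourcing": 5,
}

# WeightFactor: assumed factor-sector weight matrix (one row per sector).
WEIGHT_FACTOR = {
    "manufacturing": {"employees": 2, "turnover": 2, "rd_dependency": 1,
                      "is_users": 3, "systems_staff": 2, "outsourcing": 1},
    "software":      {"employees": 1, "turnover": 1, "rd_dependency": 3,
                      "is_users": 3, "systems_staff": 3, "outsourcing": 2},
}


def normalized_score(sector, values):
    """Equation (1): weighted, normalized sum of the factor values, in [0, 1]."""
    weights = WEIGHT_FACTOR[sector]
    numerator = 0.0
    denominator = 0.0
    for factor in FACTORS:
        max_val = MAX_VAL_FACTOR[factor]
        val = min(max(values[factor], 0), max_val)  # clamp into the factor's range
        numerator += weights[factor] * (val / max_val)
        denominator += weights[factor]
    if denominator == 0:
        raise ValueError(f"sector {sector!r} has no non-zero weights")
    return numerator / denominator


def maturity_level(score):
    """Map the score onto the paper's three levels: [0, 0.25) -> 1,
    [0.25, 0.75) -> 2, [0.75, 1] -> 3. The paper does not say which level
    the boundaries belong to; assigning them to the upper level is an assumption."""
    if not 0.0 <= score <= 1.0:
        raise ValueError("score must lie in [0, 1]")
    if score < 0.25:
        return 1
    if score < 0.75:
        return 2
    return 3


def recommended_level(sector, values):
    """Maximum maturity level the model would recommend for this enterprise."""
    return maturity_level(normalized_score(sector, values))


if __name__ == "__main__":
    # Constructed profile of a small software company.
    profile = {"employees": 40, "turnover": 5.0, "rd_dependency": 4,
               "is_users": 40, "systems_staff": 2, "outsourcing": 1}
    print(normalized_score("software", profile), recommended_level("software", profile))
```

Because every factor is normalized by its own maximum before weighting, an out-of-range input (a large enterprise fed to an SME profile) saturates at level 3 instead of producing a score above 1, which is the check a consultant would otherwise have to make by hand.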
3.2 Phase II: Risk Analysis
Once we have carried out the first phase to position the enterprise at a maturity level and to decide
to what extent the ISMS implementation must be developed, we must perform a risk analysis of the
enterprise assets (see Figure 5).
This phase is extremely delicate due to the high cost that it may entail and the importance of its
results for the success of the ISMS.
The risk analysis model that we have developed is based on the models proposed by Stephenson
(Stephenson 2004), which are centred upon the synergy between technical testing and risk analysis,
taking ISO17799 and the Magerit v2 risk analysis methodology (MageritV2 2005) as a reference. These
models have not proved to be adequate for SMEs for the following reasons: firstly, they are enormously
complex; secondly, they require an enormous effort of involvement from the members of the enterprise;
and finally, the costs associated with them are not acceptable to this type of enterprise.
Figure 5: Diagram of the Spiral Model Phase II. [Figure contents: the documents from Phase I (Do.I.1 and Do.I.2) and Do.II.1 (List of assets) feed the process; the matrixes Threats-Vulnerabilities, Assets-Vulnerabilities, Threats-Controls and Assets-Threats-Risk Criteria are used to compute the Risk Level, producing the deliverable De.II.1 (Risk Matrix) and, through Improvement Plan Generation, De.II.2 (Improvement Plan), which feeds Phase III. Legend: ∏ = Matrixes, Σ = Equations, Ω = Algorithms, ∫ = Levels, Do = Documents, De = Deliverables.]
For this reason, in our model we have tried at all
times to simplify the previous models in order to
make them adequate for use in SMEs. The main
bases on which our methodology is defined are:
Flexibility, Simplicity and Cost Efficiency (both
human and temporal). It is, therefore, a methodology
aimed at identifying enterprise assets and their
associated risks at the lowest possible cost, by using
the results generated in Phase I and some simple
algorithms.
This risk analysis will be formed of different
objects (Assets, Threats, Vulnerabilities, Impacts
and Risks) which interact with each other.
One of the most important aspects of the risk analysis that we have developed is that of the
Association Matrixes, which allow us to minimize the cost of the risk analysis and to produce the
maximum result and information for the enterprise with the minimum effort. A series of matrixes has
been built which allow us to associate the different components of the risk analysis
(assets-threats-vulnerabilities) and, at the same time, to associate these components with the results
produced in Phase I (controls). These matrixes are of great importance because they help us both to
simplify the risk analysis and to obtain a valuation of the level of coverage of an asset with regard
to the ISO/IEC 17799 controls. The matrixes are static, although the consultant may decide to modify
them in order to make them more adequate for the company's needs:
Assets vs Vulnerabilities Matrix: This allows us to associate assets with the vulnerabilities that
may affect them.
Threats vs Vulnerabilities Matrix: This allows us to associate vulnerabilities with each type of
threat.
ISO17799 Threats vs Controls Matrix: This makes it possible to associate threats with the ISO17799
controls which address them and, thanks to the previous matrixes, it also allows us to assign a
security level to an asset from the controls associated with it.
Assets-Threats vs Risk Criteria Matrix: This matrix makes it possible to associate the assets and
threats of a company with the risk criteria we have defined (Confidentiality, Integrity, Availability
and Legality). Although in the current version the risk generation algorithm does not use this matrix
for the improvement plan, it is used for report generation.
Another of the aspects provided by our risk model is the Level of Fulfilment of a control subject to
an unacceptable risk. The level of fulfilment of a control is of vital importance when prioritizing
the system improvement plan, because it allows us to determine the current level of coverage of a
particular asset. In the case of an asset whose risk is high because of the impact that a security
failure might have upon the organization and which, at the same time, has low control coverage, we
must prioritize the increase of that coverage in order to raise its level of protection.
Finally, the risk analysis is based on two algorithms:
Risk Level Algorithm: The risk level (RN) is given by the combination of the probability (P) of
occurrence (derived from the vulnerabilities) with the threat level (TL).
Improvement Plan Generation Algorithm: For the current phase of the project, the improvement plan
generation algorithm that has been developed is very basic. The plan is generated by taking as
reference the assets that have obtained a high risk and ordering them according to their control
coverage, so that the least covered assets are addressed first (see above). From these results, the
system identifies the relevant controls and issues a report indicating the controls that must be
improved and the factors that will improve as a consequence.
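The matrixes and the two algorithms described above, as an added example that is not the paper's tool: the asset-vulnerability, threat-vulnerability and threat-control matrixes are joined to compute RN = P × TL for each asset and threat, the control coverage of each asset is derived from the Phase I fulfilment values, and a basic improvement plan lists the high-risk assets least-covered first with the controls each one needs. All matrix contents, probabilities, threat levels, fulfilment values, the high-risk threshold and the choice of the highest shared-vulnerability probability as P are constructed assumptions; the control labels loosely follow ISO/IEC 17799:2005 section numbering.

```python
"""Phase II: risk analysis over association matrixes and improvement plan.

Added example; not the paper's tool. The matrixes, probabilities, threat
levels and control fulfilment values below are constructed for illustration.
Control labels loosely follow ISO/IEC 17799:2005 section numbering.
"""

# Assets vs Vulnerabilities matrix (one row per asset).
ASSET_VULNS = {
    "web_server":  {"unpatched_software", "weak_authentication"},
    "customer_db": {"weak_authentication", "no_backup"},
    "laptop":      {"unpatched_software", "physical_theft"},
}
# Threats vs Vulnerabilities matrix: which vulnerabilities each threat exploits.
THREAT_VULNS = {
    "malware":             {"unpatched_software"},
    "unauthorized_access": {"weak_authentication"},
    "hardware_failure":    {"no_backup"},
    "theft":               {"physical_theft"},
}
# Threats vs Controls matrix: which ISO17799 controls address each threat.
THREAT_CONTROLS = {
    "malware":             {"10.4 malicious code"},
    "unauthorized_access": {"11.2 user access management"},
    "hardware_failure":    {"10.5 back-up"},
    "theft":               {"9.2 equipment security"},
}
# P: probability of occurrence attached to each vulnerability (assumed, 0..1).
VULN_PROBABILITY = {"unpatched_software": 0.6, "weak_authentication": 0.7,
                    "no_backup": 0.5, "physical_theft": 0.3}
# TL: threat level (assumed 1..5 scale).
THREAT_LEVEL = {"malware": 3, "unauthorized_access": 5,
                "hardware_failure": 4, "theft": 2}
# Level of fulfilment of each control, as produced by the Phase I audit (0..1).
CONTROL_FULFILMENT = {"10.4 malicious code": 0.8, "11.2 user access management": 0.2,
                      "10.5 back-up": 0.0, "9.2 equipment security": 0.5}
HIGH_RISK = 3.0  # assumed threshold on RN above which an asset enters the plan


def risk_level(asset, threat):
    """RN = P x TL for the (asset, threat) pair; P is taken as the highest
    probability among the vulnerabilities shared by the asset and the threat."""
    shared = ASSET_VULNS[asset] & THREAT_VULNS[threat]
    if not shared:
        return 0.0
    return max(VULN_PROBABILITY[v] for v in shared) * THREAT_LEVEL[threat]


def asset_risk(asset):
    """Risk of an asset: the worst RN over all threats that can reach it."""
    return max(risk_level(asset, t) for t in THREAT_VULNS)


def applicable_controls(asset):
    """Controls addressing any threat that reaches the asset (via the matrixes)."""
    return set().union(*(THREAT_CONTROLS[t] for t in THREAT_VULNS
                         if risk_level(asset, t) > 0))


def control_coverage(asset):
    """Mean fulfilment of the asset's applicable controls (1.0 if none apply)."""
    controls = applicable_controls(asset)
    if not controls:
        return 1.0
    return sum(CONTROL_FULFILMENT[c] for c in controls) / len(controls)


def improvement_plan():
    """High-risk assets, least-covered first, each with its controls to improve."""
    high = [a for a in ASSET_VULNS if asset_risk(a) >= HIGH_RISK]
    high.sort(key=lambda a: (control_coverage(a), -asset_risk(a)))
    plan = []
    for asset in high:
        weak = sorted((c for c in applicable_controls(asset)
                       if CONTROL_FULFILMENT[c] < 1.0),
                      key=lambda c: CONTROL_FULFILMENT[c])
        plan.append({"asset": asset, "risk": asset_risk(asset),
                     "coverage": control_coverage(asset),
                     "controls_to_improve": weak})
    return plan


if __name__ == "__main__":
    for entry in improvement_plan():
        print(entry)
```

With the constructed data both the web server and the customer database reach RN = 3.5 through weak authentication, but the database comes first in the plan because its back-up and access controls are barely fulfilled (coverage 0.1 against 0.5); the laptop never enters the plan because no threat reaching it exceeds the threshold. Replacing the static dictionaries with the consultant's adjusted matrixes is the only change needed for a real engagement.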
3.3 Phase III: ISMS Generation
In this phase, we have tried to make the ISMS manageable, orientated towards the domains of the
regulations most relevant to the organization, and to reduce the number of metrics, thus obtaining
rapid results and feeding back into the process in each cycle with the purpose of achieving the
initially indicated maturity level.
Figure 6: Diagram of the Spiral Model Phase III. [Figure contents: the documents from Phase I (Do.I.1 and Do.I.2) and the deliverable De.II.2 from Phase II feed the ISMS Generation process, which uses the matrixes Regulations-Documents, Regulations-Controls, Documents-Controls and Procedures-Documents to produce the ISMS. Legend: ∏ = Matrixes, Σ = Equations, Ω = Algorithms, ∫ = Levels, Do = Documents, De = Deliverables.]
In the previous phases, we have obtained the enterprise profile, its current maturity level, its
maximum advisable maturity level, the state of its controls, its assets, the risks associated with
them and the improvement plan. With all this information, the system is now ready to automatically
prepare an information security management plan for the enterprise, using a series of matrixes
associated with the previous results to do so (see Figure 6).
This set of matrixes which, together with those shown in Phases I and II, are the main contributions
of our model, is used internally by the system to determine which procedures, technical instructions,
registers, etc. must be activated for the enterprise.
The object library of which the ISMS application is composed will steadily grow, so for this reason
we have preferred to generate the first version of the model with a single library composed of the
following set of objects: 4 technical instructions, 25 regulations, 65 templates, 50 procedures and
35 registers.
In this phase of ISMS generation, one of the most important aspects is that of the Association
Matrixes, which allow us to associate all the objects in these libraries. These matrixes are used
internally by the system to recommend an initial ISMS plan for the SME according to the information
obtained in previous phases. There are four types of matrixes:
Relationship between regulations and documents: A regulation defines the rules that must be
fulfilled on a concrete ISMS subject. The violation of a rule of a regulation is normally associated
with the non-fulfilment of other objects (procedures, templates, registers and so on).
Relationship between regulations and ISO17799: This matrix allows us to associate the rules of the
regulations with ISO17799 controls, in such a way that we can measure the non-fulfilment of ISO17799
controls.
Relationship between documents and ISO17799 controls: This is the most important matrix, since it
allows us to associate the documents that make up our model with ISO17799 controls.
Relationship between procedures and their associated documents: This matrix is at present used as a
reference to determine which documents are both input and output of a procedure and which are only
input or only output.
The matrixes associated with ISO17799 are vitally important in the design of our system, since they
are used by the algorithm for the selection of those documents and procedures which are considered
vitally important not only for the ISMS design but also for its subsequent follow-up.
To finish this phase, an ISMS generation algorithm is used. Given the enormous scope of the research,
the ISMS generation algorithm has been developed following the principle of simplicity. It is
composed of the following steps: selection of ISMS objects and application of colour codes. The final
result of this phase is a set of regulations and procedures that must be fulfilled if the security
level of the enterprise is to improve. They carry a colour code which visually and rapidly indicates
to users where a greater effort must be made. The ISMS is dynamic, adapting itself to changes in
control coverage levels and in security levels as the system evolves. The evolution of the system is
measured through a set of metrics defined upon the ISMS set of objects.
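The ISMS generation algorithm described in this section, as an added example that is not the paper's tool: the controls are filtered by the target maturity level, documents and regulations are selected through the documents-controls and regulations-controls matrixes, each procedure is tagged with the input/output role of the documents it touches, and every selected object receives a colour code derived from the lowest fulfilment among its controls. The library contents, the maturity level assigned to each control, the fulfilment values and the colour thresholds are constructed assumptions; the control labels loosely follow ISO/IEC 17799:2005 section numbering.

```python
"""Phase III: ISMS object selection and colour coding.

Added example; not the paper's tool. The object library, its matrixes, the
maturity level of each control and the colour thresholds are assumptions
made for this illustration. Control labels loosely follow ISO/IEC 17799:2005.
"""

# Maturity level at which each control becomes part of the ISMS (assumed).
CONTROL_LEVEL = {
    "10.4 malicious code": 1, "10.5 back-up": 1,
    "11.2 user access management": 2, "9.2 equipment security": 2,
    "12.6 technical vulnerability management": 3,
}
# Level of fulfilment of each control from the Phase I audit (constructed).
CONTROL_FULFILMENT = {
    "10.4 malicious code": 0.8, "10.5 back-up": 0.0,
    "11.2 user access management": 0.2, "9.2 equipment security": 0.5,
    "12.6 technical vulnerability management": 0.0,
}
# Documents vs ISO17799 controls matrix.
DOCUMENT_CONTROLS = {
    "backup_register":                 {"10.5 back-up"},
    "access_request_template":         {"11.2 user access management"},
    "access_register":                 {"11.2 user access management"},
    "antivirus_technical_instruction": {"10.4 malicious code"},
    "equipment_inventory":             {"9.2 equipment security"},
    "patch_report":                    {"12.6 technical vulnerability management"},
}
# Regulations vs ISO17799 controls matrix.
REGULATION_CONTROLS = {
    "backup_regulation":         {"10.5 back-up"},
    "access_control_regulation": {"11.2 user access management", "9.2 equipment security"},
    "malware_regulation":        {"10.4 malicious code", "12.6 technical vulnerability management"},
}
# Procedures vs documents matrix: which documents each procedure reads and writes.
PROCEDURE_DOCUMENTS = {
    "daily_backup":     {"input": {"backup_register"}, "output": {"backup_register"}},
    "grant_access":     {"input": {"access_request_template"}, "output": {"access_register"}},
    "patch_management": {"input": {"equipment_inventory"}, "output": {"patch_report"}},
}


def colour_code(fulfilment):
    """Colour thresholds are assumed: red needs most effort, green is on track."""
    if fulfilment < 0.33:
        return "red"
    if fulfilment < 0.66:
        return "amber"
    return "green"


def active_controls(target_level):
    """Controls that belong to the target maturity level or a lower one."""
    return {c for c, level in CONTROL_LEVEL.items() if level <= target_level}


def select_objects(matrix, controls):
    """Keep each object with at least one active control; colour it by its
    worst (lowest) control fulfilment, which is where effort is needed."""
    selected = {}
    for obj, obj_controls in matrix.items():
        relevant = obj_controls & controls
        if relevant:
            selected[obj] = colour_code(min(CONTROL_FULFILMENT[c] for c in relevant))
    return selected


def procedure_roles(active_documents):
    """For each procedure touching an active document, that document's role."""
    roles = {}
    for proc, docs in PROCEDURE_DOCUMENTS.items():
        entry = {}
        for doc in (docs["input"] | docs["output"]) & active_documents:
            is_in, is_out = doc in docs["input"], doc in docs["output"]
            entry[doc] = "input/output" if is_in and is_out else ("input" if is_in else "output")
        if entry:
            roles[proc] = entry
    return roles


def generate_isms(target_level):
    """ISMS generation algorithm: object selection, then colour codes."""
    controls = active_controls(target_level)
    documents = select_objects(DOCUMENT_CONTROLS, controls)
    return {
        "controls": controls,
        "documents": documents,
        "regulations": select_objects(REGULATION_CONTROLS, controls),
        "procedures": procedure_roles(set(documents)),
    }


if __name__ == "__main__":
    for kind, objects in generate_isms(2).items():
        print(kind, objects)
```

Raising the target level from 2 to 3 pulls the patch report into the ISMS and turns the malware regulation from green to red, which is the dynamic behaviour the text describes: the same library yields a different, larger set of obligations as the enterprise's maturity goal moves.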
4 CONCLUSIONS AND FUTURE
WORK
Despite the enormous efforts that are being made to create adequate maturity models to manage
security in SMEs, these models do not yet fit properly with the environment in which they must be
implemented. The most probable reason for this is the lack of maturity of the enterprises, as well as
the fact that the models that have been tried are too general and ambitious.
In this paper, we have presented a proposal for a new maturity and security management model
orientated towards SMEs, which allows us to reconfigure and adapt existing models in order to
guarantee the security and stability of their management system according to the size of each
enterprise. To do so, we have defined a methodology and a tool able to support the results that have
been generated during the research (the tool has not been described in this paper due to space
restrictions). We have clearly defined how this new maturity model must be used and the improvements
that it offers with regard to the classical models.
Some of the main and most valuable conclusions
obtained from the feedback of the participant
enterprises in which several models have been
analysed are shown below:
The majority of the SMEs have very similar
security structures. This characteristic
makes it possible to develop automated
security systems by means of the definition
of static matrixes, which can later be
reconfigured.
If we over-dimension the security level of
an enterprise with regard to its size, a
degradation of the controls that we have
over-dimensioned will be produced until
they reach their natural balance.
Enterprises are shown to be more receptive to very short-term implementation plans than to long-term
ones.
The maturity model presented reduces the system's implementation costs and also improves the
percentage of success of its implementation in SMEs. For these reasons, as the majority of our
customers are SMEs, our proposal is being well received and its application is proving very positive,
because it gives this type of enterprise access to security maturity models which, until now, have
only been within reach of large enterprises.
As this proposal is under constant development,
our short and long term objective is that of studying
maturity models to a greater depth so as to refine
both our model and the tool that is being developed
at the same time as the model.
Among the model improvements that we intend
to work on in the future, it is worth highlighting that
we wish:
To improve the algorithms of which the
system is composed in order to increase their
effectiveness in decision making.
To include a planner of the time and the
resources that the company wants to spend
on the project, so that the system will be
able to estimate time-milestones in the
improvement plan.
In Phase III, to include a library with the
subprojects that should be worked on to
improve the security management system
globally.
With the help of the “action research” research
method and the feedback directly obtained from our
customers, we hope to achieve a continuous
improvement in these implementations.
ACKNOWLEDGEMENTS
This research is part of the following projects: DIMENSIONS (PBC-05-012-1) and MISTICO
(PBC-06-0082), both supported by the FEDER and the "Consejería de Ciencia y Tecnología de la Junta de
Comunidades de Castilla-La Mancha", RETISTRUST (TIN2006-26885-E) granted by the "Ministerio de
Educación y Ciencia" (Spain), and the project SCMM-PYME (FIT-360000-2006-73) supported by the PROFIT
programme granted by the "Ministerio de Industria, Turismo y Comercio".
REFERENCES
Aceituno, V. (2005). "ISM3 1.0: Information security management maturity model."
Areiza, K. A., A. M. Barrientos, et al. (2005). Hacia un
modelo de madurez para la seguridad de la
información. IV Congreso Internacional de
Auditoría y Seguridad de la Información.
Areiza, K. A., A. M. Barrientos, et al. (2005). Hacia un
modelo de madurez para la seguridad de la
información. 3er Congreso Iberoamericano de
seguridad Informática.
Barrientos, A. M. and K. A. Areiza (2005). Integración de un sistema de gestión de seguridad de la
información con un sistema de gestión de calidad. Master's thesis, Universidad EAFIT.
Biever, C. (2005). "Revealed: the true cost of computer
crime." Computer Crime Research Center.
COBIT (2000). Cobit Guidelines, Information Security
Audit and Control Association.
Corti, M. E., G. Betarte, et al. (2005). Hacia una
implementación Exitosa de un SGSI. IV
Congreso Internacional de Auditoría y
Seguridad de la Información.
CSI (2002). Computer Security Institute, Computer Crime
and Security Survey.
Dhillon, G. and J. Backhouse (2000). "Information System
Security Management in the New Millennium."
Communications of the ACM 43(7): 125-128.
Eloff, J. and M. Eloff (2003). Information Security
Management - A New Paradigm. Annual
research conference of the South African
institute of computer scientists and information
technologists on Enablement through technology
SAICSIT´03.
Garigue, R. and M. Stefaniu (2003). "Information Security
Governance Reporting." Information Systems
Security sept/oct: 36-40.
Goldfarb, A. (2006). "The medium-term effects of
unavailability " Journal Quantitative Marketing
and Economics 4(2): 143-171
Hyder, E. B., K. M. Heston, et al. (2004). The eSCM-SP v2: The eSourcing Capability Model For Service
Providers (eSCM-SP) v2. Pittsburgh, Pennsylvania, USA. 19 May.
Institute, I. G. "COBIT Mapping: Mapping of ISO/IEC
17799:2000 with COBIT." IT Governance
Institute, from http://www.itgi.org.
Jimmy Heschl, C., CISM. (2006). "COBIT Mapping:
Mapping of ISO/IEC 17799:2005 with COBIT."
IT Governance Institute, from
http://www.itgi.org.
Kim, S. and I. Choi (2005). Cost-Benefit Analysis of Security Investments: Methodology and Case Study.
ICCSA 2005, LNCS 3482.
Lee, J., J. Lee, et al. (2003). A CC-based Security
Engineering Process Evaluation Model.
Proceedings of the 27th Annual International
Computer Software and Applications
Conference (COMPSAC).
Lund, M. S., F. d. Braber, et al. (2003). "Proceedings of
the Seventh European Conference On Software
Maintenance And Reengineering (CSMR’03)."
IEEE.
MageritV2 (2005). Metodología de Análisis y Gestión de
Riesgos para las Tecnologías de la Información,
V2.
Pertier, T. R. (2003). "Preparing for ISO 17799." Security
Management Practices jan/feb: 21-28.
Sant-Germain, R. (2005). "Information Security
Management Best Practice Based on ISO/IEC
17799." Setting Standars, The information
Management JournaL 39(4): 60-62, 64-66.
Siegel, C. A., T. R. Sagalow, et al. (2002). "Cyber-Risk
Management: Technical and Insurance Controls
for Enterprise-Level Security." Security
Management Practices sept/oct: 33-49.
Stephenson, P. (2004). "Forensic Análisis of Risks in
Enterprise Systems." Law, Investigation and
Ethics sep/oct: 20-21.
Telang, R. and S. Wattal (2005). Impact of Vulnerability
Disclosure on Market Value of Software
Vendors: An Empirical Analysis. 4h Workshop
on Economics and Information Security, Boston.
Von Solms, B. and R. Von Solms (2001). "Incremental
Information Security Certification." Computers
& Security 20: 308-310.
Walton, J. P. (2002). Developing an Enterprise
Information Security Policy. 30th annual ACM
SIGUCCS conference on User services.
Wood, C. C. (2000). Researchers Must Disclose All
Sponsors And Potential Conflicts. Computer
Security Alert, San Francisco, CA, Computer
Security Institute.