Information security risk management model for mitigating the impact on SMEs in Peru

Garay, Daniel Felipe Carnero, Marcos Antonio, Carbajal Ramos, Armas-Aguirre, Jimmy, Molina, Juan Manuel Madrid

01 June 2020

El texto completo de este trabajo no está disponible en el Repositorio Académico UPC por restricciones de la casa editorial donde ha sido publicado. / This paper proposes an information security risk management model that allows mitigating the threats to which SMEs in Peru are exposed. According to studies by Ernst Young, 90% of companies in Peru are not prepared to detect security breaches, and 51% have already been attacked. In addition, according to Deloitte, only 10% of companies maintain risk management indicators. The model consists of 3 phases: 1. Inventory the information assets of the company, to conduct the risk analysis of each one; 2. Evaluate treatment that should be given to each risk, 3. Once the controls are implemented, design indicators to help monitor the implemented safeguards. The article focuses on the creation of a model that integrates a standard of risk management across the company with a standard of IS indicators to validate compliance, adding as a contribution the results of implementation in a specific environment. The proposed model was validated in a pharmaceutical SME in Lima, Peru. The results showed a 71% decrease in risk, after applying 15 monitoring and training controls, lowering the status from a critical level to an acceptable level between 1.5 and 2.3, according to the given assessment. / Revisión por pares

information security

ISO/IEC 27004

ISO/IEC 31000

IT Risk

Magerit

Vyhodnocování spektra slunečního záření / Analyzing of measured solar spectrum

Štěpánek, Jakub

January 2015

This diploma thesis deals with the definition of solar lights for solar purposes and solar simulators. These concepts are presented and described in detail. The theoretical part is described below chapter explaining the possibilities of using solar energy phototherapy. The next section follows the issue of standards and their podnorem AM, describes in detail the direct and diffuse light component. In connection continues with IEC 60904, IEC 60904-3 and IEC 60904-9, differences in purpose and use. The thesis describes the problems of the methods of analysis of the solar spectrum as defined in IEC 60904-9. In the penultimate chapter we discuss all light sources, their properties and uses. They navyzují selected light sources used in this work, as well as descriptions and color filters designed for measurement and subsequent evaluation in the practical part. The last chapter analyzes used measuring instruments, their advantages and disadvantages. In the practical part, we describe a method for measuring real-world light spectra, determining compliance with these spectra spectra AM 1.5 and the necessity to generate data from IEC 60904-3. Another part allows measured data to see in an understandable form and must include an assessment and assignment of the data set into classes according to AM 1.5.

Systémové řešení bezpečnosti informací v organizaci / Systematic Solution for Information Security in Organisation

Palička, Jan

January 2017

This diploma thesis deals with ISMS implementation in Netcope Technologies, a. s., which is involved in the production of network cards for high speed acceleration. This thesis is divided into two logical parts. In the first part the theoretical basis information is presented, including selected methods for implementing information security. In the second part, the analysis of the company and the proposed measures are presented.

Návrh metodiky bezpečnosti informací v podniku / Design of Information Security Methodology in the Company

Bartoš, Lukáš

January 2013

This thesis proposes a design of information security methodology in the company. After the theoretical bases of this thesis is introduced company for which is intended this work. Then is performed analysis of risks based on selected assets and potential threats. Followed by design of the measures to minimize the creation of possible risks in the company.

Zavádění řízení informační bezpečnosti ve zdravotnickém zařízení / The Implementation of Information Security in Healthcare Organization

Procingerová, Lucie

January 2017

This Master‘s thesis is based on knowledge of information security and its management. The thesis is divided into two parts. The first part provides the theoretical background, definitions and terminology according to the information security management and it is based on concepts from standard ISO 27000 series. The second part aims to analysis of a selected company. Following to this analysis proposal of implementation of information security management system and security guide is drawn up. This guide contains recommendations for ICT security management and advices in field of personal and physical security in company.

Identifikace dostupnosti zařízení v technologických sítích / Identification of Device Availability in Technological Networks

Vodehnal, Stanislav

January 2018

This diploma thesis deals with the monitoring of network elements of technological networks and distribution systems. There are described reasons why and what kind of values we want to monitor. Three monitoring systems are then selected, described their properties and functions. Based on their merits, one system for deploying the test environment is selected. The practical part is the configuration of the selected system and its subsequent deployment to the network.

The Implementation of ISO/IEC 29110 Software Engineering Standards and Guides in Very Small Entities

Laporte, Claude Y., O’Connor, Rory V., García Paucar, Luis Hernán

03 1900

This paper outlines the details of seven case studies involving the pilot usage of the new standard ISO/IEC 29110standard ‘Lifecycle Profiles for Very Small Entities’, which was specifically designed by Working Group 24 of ISO/IEC JTC1/SC7 to address the standardization needs of Very Small Entities (VSEs). The purpose of this paper is to add substantially to the body of knowledge and the literature on the rollout and implementation of this new and evolving standard and to act as guidance for other researchers in the design and implementation of ISO/IEC 29110 case studies. Furthermore it is hoped that that the lessons learnt from these case studies will help promote the adoption of this new standard in an industrial setting.

Very Small Entities

ISO Standards

ISO/IEC 29110

VSE

Análisis de los factores de éxito y limitantes para la implementación de la norma técnica peruana Iso NTP/IEC 27001;2014 2A. Edición en la Municipalidad provincial de Huancayo–I trimestre 2018

Pino Malpica, Isabel Corina

10 April 2019

La Presidencia de Consejo de Ministros (PCM) emitió un conjunto de normas entre ellas algunas relacionadas a la seguridad de la información, con la cual se dispuso la obligatoriedad de uso de la NTP ISO/IEC 27001:2008 (aprobada con RM Nº 129-2012- PCM del 4 de junio de 2012), posteriormente la Norma Técnica Peruana NTP-ISO /IEC 27001:2014 2da Edición (aprobada con RM N° 004-2016-PCM del 8 de enero de 2016). Sin embargo, han pasado 6 años desde entonces, y pocas entidades han logrado la implementación total de la norma, es por ello que este trabajo de investigación tiene como objetivo identificar estos factores de éxito o limitantes para la implementación de la norma. La investigación se desarrolló en la Municipalidad Provincial de Huancayo, para lo cual elabore un check list en base a lo que solicita la norma y verifique la existencia en la Municipalidad durante I trimestre del año 2018, cualquiera fuese el resultado se solicitó información de los factores que permitieron el nivel alcanzado. Al finalizar la investigación se identificó que la entidad implemento 32% de lo solicitado por la norma, que algunos de los factores de éxito fue el conocimiento, experiencia e interés por parte del funcionario público responsable, y entre los limitantes la falta de procesos, cultura organizacional, presupuesto y capacitaciones.

Factores de éxito

ISO NTP/IEC 27001:2014 2a. edición

Certificação de candidato a material de referência para fertilizante mineral através da análise estatística de resultados obtidos em ensaio interlaboratorial / Certification of candidate for reference material for mineral fertilizer through the statistical analysis of results obtained in an interlaboratorial study

Toledo, Guilherme Teruaki Kuwahara de

10 January 2019

O Brasil é atualmente um dos maiores contribuintes de produtos agrícolas do cenário mundial, em 2010 um quarto dos produtos agropecuários em circulação no mundo eram de exportação brasileira. Com o grande desenvolvimento agropecuário, a demanda por materiais de reposição nutricional de solo, como fertilizantes, cresceu na mesma proporção que a necessidade pelo controle da qualidade desses materiais. Este controle tem sido feito em laboratórios que operam de acordo com sistemas de gestão da qualidade, os quais fornecem ferramentas e procedimentos que permitem ao laboratório gerenciar e controlar todos os fatores que possam afetar a qualidade de suas analise, sendo os materiais de referência certificados primordiais para estes sistemas de gestão. Os MR ou MRCs (material de referência certificado) são materiais conhecidos por serem suficientemente homogêneos e estáveis e que trazem em seus certificados os valores de suas propriedades e suas incertezas associadas garantindo sua rastreabilidade metrológica. Neste projeto foi desenvolvido um material de referência para fertilizantes, em parceria com o Laboratório de fiscalização do ministério da Agricultura Pecuária e Abastecimento, MAPA (LANAGRO). Foram fornecidos 6 Kg de fertilizante mineral de utilização via solo, o qual foi processado de modo a se tornar um material de referência (verificação de tamanho de partícula através de peneiras, homogeneização do material e sua posterior divisão e envase) esse material foi distribuído aos laboratórios participantes do interlaboratorial organizado pelo LANAGRO. O material foi avaliado para homogeneidade onde foi determinado que o material se encontra homogêneo. Foi realizado um estudo de estabilidade para os elementos: Calcio, cobre, ferro, manganês e zinco. Onde observou-se que todos os elementos se encontraram com estabilidade aceitável. A caracterização foi realizada através de um estudo interlaboratorial organizado pelo LANAGRO - SP contando com a participação de 13 laboratórios, que analisaram 2 amostras do material em triplicata. Os resultados fornecidos pelos laboratórios foram analisados estatisticamente de forma a fornecer os resultados de concentração esperada para os elementos: Calcio, cádmio, cobalto, cobre, cromo, chumbo, ferro, magnésio, manganês, molibdênio, níquel e zinco. A incerteza associada a cada elemento de interesse foi determinada e ao final foi produzido um material de referência com os elementos cálcio, cobre, ferro, manganês e zinco certificados e contendo os restantes dos analitos como elementos de referência. Foi realizada a publicação de um artigo de revisão na revista Trends in Analytical Chemistry intitulado \"Trends in development of certified reference materials for chemical analysis - Focus on food, water, soil and sediment matrices\" / Brazil is one of the largest contributors of agricultural products in the world, in 2010 a quarter of the world\'s agricultural products were of the Brazilian export market. With the great agricultural development, the demand for soil nutritional replacement materials, as fertilizers, grew in the same proportion as the need to control the quality of these materials. This control its been done in laboratories that work according to quality management systems, which offer tools and procedures that allow the laboratory to manage and control all factors that may affect the quality of its analysis. Reference materials or certified reference materials are essential for these management systems. MR or MRC\'s (certified reference material) are materials known to be sufficiently homogeneous and stable that carry in their certificates the values of their properties and their associated uncertainties, ensuring their metrological traceability. In this project, a reference material for fertilizers was developed in partnership with the Ministry of Agriculture, Livestock and Supply, MAPA (LANAGRO). 6 kg of mineral fertilizer was provided, which was processed to become a reference material (particle size verification through sieves, homogenization of the material and its subsequent division and packaging). these materials were distributed to the laboratories participating in the interlaboratorial organized by LANAGRO. The material was evaluated for homogeneity where it was determined that the material is homogeneous. A stability study was carried out for the elements: calcium, copper, iron, manganese and zinc. It was observed that all the elements met an acceptable stability. The characterization was performed through an interlaboratorial study organized by LANAGRO - SP with the participation of 13 laboratories, which analyzed 2 samples of the material in triplicate. The results provided by the laboratories were statistically analyzed to provide the expected concentration results for the elements: Calcium, cadmium, cobalt, copper, chromium, lead, iron, magnesium, manganese, molybdenum, nickel and zinc. The uncertainty associated with each element of interest was determined and at the end a reference material with certified calcium, copper, iron, manganese and zinc elements was produced and the remainder of the analytes contained as reference elements. A review article was published in the journal Trends in Analytical Chemistry titled \"Trends in development of certified reference materials for chemical analysis - Focus on food, water, soil and sediment matrices\"

fertilizante mineral

gestão de qualidade

ISO GUIA 35

ISO Guide 35

ISO/IEC 17025

ISO/IEC 17025

ISO/IEC 17034

material de referência

mineral fertilizer

quality management

reference material

SO/IEC 17034

Sistema embarcado inteligente para detecção de intrusão em subestações de energia elétrica utilizando o Protocolo OpenFlow / Embedded intelligent system for intrusion detection in electric power substations using the OpenFlow protocol

Silva, Lázaro Eduardo da

05 October 2016

O protocolo International Electrotechnical Commission (IEC)-61850 tornou possível integrar os equipamentos das subestações de energia elétrica, através de uma rede de comunicação de dados Ethernet de alta velocidade. A utilização deste protocolo tem como objetivo principal a interligação dos Intelligent Electronic Devices (IEDs) para a automatização dos processos no sistema elétrico. As contribuições deste protocolo para a integração do controle e supervisão do sistema elétrico são diversas, porém, o fato de utilizar uma rede de comunicação de dados Ethernet integrada expõe o sistema elétrico à ataques cibernéticos. A norma IEC-62351 estabelece uma série de recomendações para prover segurança à rede de comunicação do sistema elétrico, dentre elas, o gerenciamento da rede de comunicação, a análise dos campos da mensagem Generic Object Oriented Substation Event (GOOSE) e a utilização de sistemas de detecção de intrusão. O presente trabalho descreve o desenvolvimento de um Intrusion Detection System (IDS) que atende os requisitos de segurança propostos pelo protocolo IEC-62351, para a identificação de ataques à comunicação realizada por mensagens GOOSE do protocolo IEC-61850, e entre equipamentos do sistema elétrico. Para o desenvolvimento desta aplicação, foram identificados os campos que compõem as mensagens GOOSE, de forma a reconhecer os valores esperados em diferentes situações de operação do sistema elétrico. Determinaram-se padrões de comportamento a serem utilizados para discernir mensagens falsas na rede de comunicação. Instalou-se e configurou-se um sistema operacional de tempo real embarcado na plataforma de desenvolvimento Zynq Board (ZYBO), juntamente com o controlador Open-Mul, para gerenciar a rede de comunicação da subestação, através do protocolo OpenFlow, realizando otimizações para o tráfego multicast. Foi desenvolvido um sistema de detecção e bloqueio de mensagens GOOSE falsas que utiliza o protocolo OpenFlow para controle da rede de comunicação do Sistema Elétrico. Desenvolveu-se ainda um sistema inteligente, utilizando-se uma Rede Neural Artificial (RNA) Nonlinear Autoregressive Model with Exogenous Input (NARX), para predição do tráfego realizado por mensagens GOOSE e detecção de ataques Distributed Deny of Service (DDOS). Os resultados obtidos demonstraram que o protocolo OpenFlow pode ser uma ferramenta interessante para controle da rede, porém, os fabricantes necessitam amadurecer sua implementação nos switches, para que sejam utilizados em produção nas redes de comunicação das subestações. O sistema de predição do tráfego gerado por mensagens GOOSE apresentou benefícios interessantes para a segurança da rede de comunicação, demonstrando potencial para compor um sistema de detecção de ataques DDOS realizado por mensagens GOOSE, na rede de comunicação das subestações de energia elétrica. / The IEC-61850 made it possible to integrate equipments of electric power system substations to a high-speed Ethernet data communication network. Its main goal is the interconnection of IEDs for the automation of processes in an electrical system. The contributions of this protocol for the integration of the control and supervision of the electrical system are diverse, although an Ethernet network exposes the electrical system for cyber attacks. The IEC-62351 states a series of recommendations to provide security to the communication network of the electrical system, such as the communication network management, the analysis of GOOSE messages and the use of intrusion detection systems. This study describes the development of an IDS that meets the security requirements proposed by the IEC-62351 standard to identify attacks on communication between GOOSE messages exchanged by electrical equipment using IEC-61850. For the development of this application, fields of the GOOSE messages were identified, in order to recognize the expected values in different power system operating conditions. Behaviour patterns were determined to detect false messages on the communication network. A real-time embedded operating system on ZYBO was installed and configured, as well as the OpenMul controller to manage the communication network of the substation through the OpenFlow protocol, performing optimizations for multicast traffic. A detection system and block tamper GOOSE messages, using the OpenFlow protocol for control of the electrical system communication network, were developed. In addition, an intelligent system using an Artificial Neural Network (ANN) Nonlinear Autoregressive Model with Exogenous Input (NARX) for predicting of the GOOSE messages traffic and the detection of Distributed Deny of Service attack (DDOS) were also developed. The results obtained show that the OpenFlow protocol may be a valuable tool for network control, however, manufacturers should maturely carry on with its implementation in the switches, so that it be used in substation communication networks. The traffic prediction system of the GOOSE messages presented interesting benefits for the security of the communication network, demonstrating potential to built a DDOS attack detection system performed by GOOSE messages on the communication network of electric power substations.

Cyber security

Data communication network

Embedded system

IEC-61850

IEC-61850

IEC-62351

IEC-62351

Intelligent system

Intrusion detection system

Power system

Redes de comunicação de dados

Segurança cibernética

Sistema de detecção de intrusão

Sistema elétrico

Sistema embarcado

Sistema inteligente