Information security risk management model for mitigating the impact on SMEs in Peru

Garay, Daniel Felipe Carnero, Marcos Antonio, Carbajal Ramos, Armas-Aguirre, Jimmy, Molina, Juan Manuel Madrid

01 June 2020

El texto completo de este trabajo no está disponible en el Repositorio Académico UPC por restricciones de la casa editorial donde ha sido publicado. / This paper proposes an information security risk management model that allows mitigating the threats to which SMEs in Peru are exposed. According to studies by Ernst Young, 90% of companies in Peru are not prepared to detect security breaches, and 51% have already been attacked. In addition, according to Deloitte, only 10% of companies maintain risk management indicators. The model consists of 3 phases: 1. Inventory the information assets of the company, to conduct the risk analysis of each one; 2. Evaluate treatment that should be given to each risk, 3. Once the controls are implemented, design indicators to help monitor the implemented safeguards. The article focuses on the creation of a model that integrates a standard of risk management across the company with a standard of IS indicators to validate compliance, adding as a contribution the results of implementation in a specific environment. The proposed model was validated in a pharmaceutical SME in Lima, Peru. The results showed a 71% decrease in risk, after applying 15 monitoring and training controls, lowering the status from a critical level to an acceptable level between 1.5 and 2.3, according to the given assessment. / Revisión por pares

information security

ISO/IEC 27004

ISO/IEC 31000

IT Risk

Magerit

Modelo de gestión de riesgos de seguridad de TI para pymes del sector comercial que dependen de proveedores críticos

Flores Huamani, Vladimir, Chavez Rios, Manuel Junior

02 July 2020

La seguridad de la información se ha convertido en un área importante, ya que las organizaciones diariamente administran activos de TI valiosos que dependen de proveedores críticos; tales como: bases de datos, servicios, aplicaciones, hardware, etc. Estos activos están sometidos a riesgos de una gran variedad, como: desastres naturales, ciberataques, fraudes, etc. que pueden afectar de forma crítica a la organización. Estudios realizados sobre organizaciones en Europa y EE. UU revelan que las Pymes se caracterizan por la falta de la dedicación necesaria a la seguridad de TI. Esto debido principalmente a que la seguridad de la información no forma parte de sus necesidades internas. En el Perú, las empresas no se encuentran preparadas para afrontar situaciones de riesgo, debido a que la mayoría de las organizaciones carecen de políticas de seguridad y sistemas de evaluación de riesgos. El presente proyecto plantea el desarrollo de un modelo de gestión de riesgos de seguridad de TI que tiene como objetivo incrementar el nivel de madurez y disminuir el nivel de riesgo en los procesos y activos de TI de las Pymes que dependen de proveedores críticos. Esto mediante una serie de controles y planes de seguridad basados en la metodología Magerit y estándares de seguridad como la ISO/IEC 27001:2013. Con esto, buscamos cubrir la principal necesidad identificada en las Pymes, la cual es reducir el nivel de impacto ocasionado por los riesgos que afectan los activos y procesos de TI soportados por terceros, y que además puedan contar con un adecuado plan de continuidad. / Information security has become an important area as organizations daily manage valuable IT assets that depend on critical providers; such as: databases, services, applications, hardware, etc. These assets are subject to risks of a wide variety, such as: natural disasters, cyberattacks, fraud, etc. that can critically affect the organization. Studies carried out on organizations in Europe and USA reveal that SMEs are characterized by the lack of dedication necessary to IT security. This is mainly because information security is not part of their internal needs. In Peru, companies are not prepared to face risk situations, since most organizations lack security policies and risk assessment systems. This project proposes the development of an IT security risk management model that aims to increase the level of maturity and decrease the level of risk in the IT processes and assets of SMEs that depend on critical providers. This through a series of controls and security plans based on the Magerit methodology and security standards such as ISO / IEC 27001: 2013. With this, we seek to cover the main need identified in SMEs, which is to reduce the level of impact caused by the risks that affect IT assets and processes supported by third parties, and that may also have an adequate continuity plan. / Tesis

Gestión del riesgo

Estándares de gestión del riesgo

Magerit

Pymes

Risk management

Risk management standards