The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

A study of standards and the mitigation of risk in information systems

Dresner, Daniel Gideon January 2011
Organisations from the multinational Organisation for Economic Cooperation and Development through to national initiatives such as the UK's Cabinet Office, have recognised that risk - the realisation of undesirable outcomes - needs a firm framework of policy and action for mitigation. Many standards have been set that implicitly or explicitly expect to manage risk in information systems, so creating a framework of such standards would steer outcomes to desirable results. This study applies a mixed methodology of desk enquiries, surveys, and action research to investigate how the command and control of information systems may be regulated by the fusion and fission of tacit knowledge in standards comprising the experience and inductive reasoning of experts. Information system user organisations from the membership of The National Computing Centre provided the working environment in which the research was conducted in real time. The research shows how a taxonomy of risks can be selected, and how a validated catalogue of standards which describe the mitigation of those risks can be assembled taking the quality of fit and expertise required to apply the standards into account. The work bridges a gap in the field by deriving a measure of organisational risk appetite with respect to information systems and the risk attitude of individuals, and linking them to a course of action - through the application of standards - to regulate the performance of information systems within a defined tolerance. The construct of a methodology to learn about a framework of ideas has become an integral part of the methodology itself with the standards forming the framework and providing direction of its application. The projects that comprise the research components have not proven the causal link between standards and the removal of risk, leaving this ripe for a narrowly scoped, future investigation.
The thesis discusses the awareness of risk and the propensity for its management, developing this into the definition of a framework of standards to mitigate known risks in information systems with a new classification scheme that cross-references the efficacy of a standard with the expertise expected from those who apply it. The thesis extends this to the idea that the framework can be scaled to the views of stakeholders, used to detect human vulnerabilities in information systems, and developed to absorb the lessons learnt from emergent risk. The research has clarified the investigation of the security culture in the thrall of an information system and brought the application of technical and management standards closer to overcoming the social and psychological barriers that practitioners and researchers must overcome.
2

IT security risk management model for commercial-sector SMEs that depend on critical providers

Flores Huamani, Vladimir, Chavez Rios, Manuel Junior 02 July 2020
Information security has become an important area, as organizations daily manage valuable IT assets that depend on critical providers, such as databases, services, applications, hardware, etc. These assets are subject to a wide variety of risks, such as natural disasters, cyberattacks, fraud, etc., that can critically affect the organization. Studies carried out on organizations in Europe and the USA reveal that SMEs are characterized by a lack of the necessary dedication to IT security. This is mainly because information security is not part of their internal needs. In Peru, companies are not prepared to face risk situations, since most organizations lack security policies and risk assessment systems. This project proposes the development of an IT security risk management model that aims to increase the level of maturity and decrease the level of risk in the IT processes and assets of SMEs that depend on critical providers. It does so through a series of controls and security plans based on the Magerit methodology and security standards such as ISO/IEC 27001:2013. With this, we seek to cover the main need identified in SMEs, which is to reduce the level of impact caused by the risks that affect IT assets and processes supported by third parties, and to enable them to have an adequate continuity plan. / Thesis
