PRACTICAL APPLICATION OF A SECURITY MANAGEMENT MATURITY MODEL FOR SMES BASED ON PREDEFINED SCHEMAS

Luís Enrique Sánchez, Daniel Villafranca, Eduardo Fernández-Medina, Mario Piattini

2008

Abstract

For enterprises to make use of information and communication technologies with adequate guarantees, they need a suitable security management system and the tools with which to manage it. In small and medium-sized enterprises (hereafter SMEs), applying security standards faces an additional problem: such enterprises do not have enough resources to carry out proper security management. For a security management system to be feasible in SMEs, its implementation and maintenance costs must be very low. In this paper we show the practical application of our proposed maturity model for managing security in SMEs, centring on the phase that determines the current state of the enterprise and on some of the mechanisms that allow the security level to be kept up to date without the need for continuous audits. The approach is continuously refined through its application to real cases, and the results of those applications are presented in this paper.



Paper Citation


in Harvard Style

Sánchez L. E., Villafranca D., Fernández-Medina E. and Piattini M. (2008). PRACTICAL APPLICATION OF A SECURITY MANAGEMENT MATURITY MODEL FOR SMES BASED ON PREDEFINED SCHEMAS. In Proceedings of the International Conference on Security and Cryptography, Volume 1: SECRYPT (ICETE 2008), ISBN 978-989-8111-59-3, pages 391-398. DOI: 10.5220/0001923803910398

