Developing a Maturity Model for Information System Security Management within Small and Medium Size Enterprises

Luis Enrique Sánchez, Daniel Villafranca, Eduardo Fernández-Medina, Mario Piattini

Abstract

For enterprises to be able to use information and communication technologies with assurance, adequate security management must be in place. This requires that enterprises always know their current maturity level and to what extent their security must evolve. Current maturity models have proven inefficient in small and medium-sized enterprises, which face a series of additional problems when implementing security management systems. In this paper we analyse the security-oriented maturity models available on the market, examining their main disadvantages for small and medium-sized enterprises and using ISO 17799 as the reference framework. This approach is being applied directly to real cases, yielding continuous improvement in its application.

Paper Citation


in Harvard Style

Enrique Sánchez L., Villafranca D., Fernández-Medina E. and Piattini M. (2006). Developing a Maturity Model for Information System Security Management within Small and Medium Size Enterprises. In Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006) ISBN 978-972-8865-52-8, pages 256-266. DOI: 10.5220/0002502602560266


in Bibtex Style

@conference{wosis06,
author={Luis Enrique Sánchez and Daniel Villafranca and Eduardo Fernández-Medina and Mario Piattini},
title={Developing a Maturity Model for Information System Security Management within Small and Medium Size Enterprises},
booktitle={Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006)},
year={2006},
pages={256-266},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002502602560266},
isbn={978-972-8865-52-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006)
TI - Developing a Maturity Model for Information System Security Management within Small and Medium Size Enterprises
SN - 978-972-8865-52-8
AU - Enrique Sánchez L.
AU - Villafranca D.
AU - Fernández-Medina E.
AU - Piattini M.
PY - 2006
SP - 256
EP - 266
DO - 10.5220/0002502602560266