MMISS-SME Practical Development: Maturity Model for Information Systems Security Management in SMEs

Luis Enrique Sánchez, Daniel Villafranca, Mario Piattini

2007

Abstract

For enterprises to be able to use information and communication technologies with guarantees, an adequate security management system is necessary. However, this requires that enterprises know at all times their security maturity level and to what extent their information security system must evolve. Moreover, for this security management system to be feasible in small and medium-sized enterprises (hereafter SMEs), its implementation and maintenance costs must be very low. In this paper, we put forward our proposal of a maturity model for security management in SMEs and briefly analyze other models that exist in the market. This approach is being directly applied to real cases, thus obtaining an improvement in its application.

References

  1. Dhillon, G. and J. Backhouse, Information System Security Management in the New Millennium. Communications of the ACM, 2000. 43(7): p. 125-128.
  2. CSI, Computer Security Institute. 2002: Computer Crime and Security Survey.
  3. Wood, C.C. Researchers Must Disclose All Sponsors And Potential Conflicts. in Computer Security Alert. 2000. San Francisco, CA: Computer Security Institute.
  4. Biever, C., Revealed: the true cost of computer crime. Computer Crime Research Center, 2005.
  5. Goldfarb, A., The medium-term effects of unavailability. Quantitative Marketing and Economics, 2006. 4(2): p. 143-171.
  6. Telang, R. and S. Wattal. Impact of Vulnerability Disclosure on Market Value of Software Vendors: An Empirical Analysis. in 4th Workshop on Economics and Information Security. 2005. Boston.
  7. Saint-Germain, R., Information Security Management Best Practice Based on ISO/IEC 17799. Setting Standards, The Information Management Journal, 2005. 39(4): p. 60-62, 64-66.
  8. Areiza, K.A., A.M. Barrientos, R. Rincón, and J.G. Lalinde-Pulido. Hacia un modelo de madurez para la seguridad de la información. in IV Congreso Internacional de Auditoría y Seguridad de la Información. 2005.
  9. COBIT, COBIT Guidelines, Information Systems Audit and Control Association. 2000.
  10. Aceituno, V., ISM3 1.0: Information Security Management Maturity Model. 2005.
  11. Barrientos, A.M. and K.A. Areiza, Integración de un sistema de gestión de seguridad de la información con un sistema de gestión de calidad. Master's thesis. 2005, Universidad EAFIT.
  12. Eloff, J. and M. Eloff. Information Security Management - A New Paradigm. in Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on Enablement through Technology (SAICSIT 2003). 2003.
  13. Lee, J., J. Lee, S. Lee, and B. Choi. A CC-based Security Engineering Process Evaluation Model. in Proceedings of the 27th Annual International Computer Software and Applications Conference (COMPSAC). 2003.
  14. Areiza, K.A., A.M. Barrientos, R. Rincón, and J.G. Lalinde-Pulido. Hacia un modelo de madurez para la seguridad de la información. in 3er Congreso Iberoamericano de Seguridad Informática. 2005.
  15. Walton, J.P. Developing an Enterprise Information Security Policy. in 30th Annual ACM SIGUCCS Conference on User Services. 2002.
  16. Lund, M.S., F. den Braber, and K. Stølen, Proceedings of the Seventh European Conference On Software Maintenance And Reengineering (CSMR'03). IEEE, 2003.
  17. MAGERIT v2, Metodología de Análisis y Gestión de Riesgos para las Tecnologías de la Información, V2. 2005.
  18. Siegel, C.A., T.R. Sagalow, and P. Serritella, Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security. Security Management Practices, 2002. sept/oct: p. 33-49.
  19. Garigue, R. and M. Stefaniu, Information Security Governance Reporting. Information Systems Security, 2003. sept/oct: p. 36-40.
  20. Von Solms, B. and R. Von Solms, Incremental Information Security Certification. Computers & Security, 2001. 20: p. 308-310.
  21. Stephenson, P., Forensic Analysis of Risks in Enterprise Systems. Law, Investigation and Ethics, 2004. sep/oct: p. 20-21.
Paper Citation


in Harvard Style

Enrique Sánchez L., Villafranca D. and Piattini M. (2007). MMISS-SME Practical Development: Maturity Model for Information Systems Security Management in SMEs . In Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007) ISBN 978-972-8865-96-2, pages 233-244. DOI: 10.5220/0002430402330244


in Bibtex Style

@conference{wosis07,
author={Luis Enrique Sánchez and Daniel Villafranca and Mario Piattini},
title={MMISS-SME Practical Development: Maturity Model for Information Systems Security Management in SMEs},
booktitle={Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007)},
year={2007},
pages={233-244},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002430402330244},
isbn={978-972-8865-96-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007)
TI - MMISS-SME Practical Development: Maturity Model for Information Systems Security Management in SMEs
SN - 978-972-8865-96-2
AU - Enrique Sánchez L.
AU - Villafranca D.
AU - Piattini M.
PY - 2007
SP - 233
EP - 244
DO - 10.5220/0002430402330244