Desirable Characteristics for an ISMS Oriented to SMEs

Antonio Santos-Olmo

, Luis Enrique Sánchez

, Eduardo Fernández-Medina

and

Mario Piattini

SICAMAN Nuevas Tecnologías. Departament R+D

Ave Maria, 5. Tomelloso, Ciudad Real, Spain

GSyA Research Group. Universidad de Castilla-La Mancha

Paseo de la Universidad, 4 – 13071, Ciudad Real, Spain

ALARCOS Research Group. Universidad de Castilla-La Mancha

Paseo de la Universidad, 4 – 13071, Ciudad Real, Spain

Abstract. Information Society depends more and more on Information Security

Management Systems (ISMSs) and the availability of these systems has become

vital for SMEs’ evolution. However, this kind of companies need that ISMSs

are adapted to their special characteristics as well as optimized from the view-

point of the necessary resources to implement and maintain them. In this paper,

we present an analysis of the different proposals that are arising oriented to im-

plement ISMSs into SMEs with the purpose of determining the characteristics

that a security management methodology oriented to SMEs should have.

1 Introduction

It is very important for enterprises to implement security controls that let them know

and control the risks they can be submitted to[1, 2], given that the implementation of

these controls carries out important improvements for these companies [3].But the

implementation of these controls is not enough and enterprises need to use systems

that manage security throughout the time, allowing them to react agilely to new risks,

vulnerabilities, threats, etc. [4, 5]. However, it is common that enterprises do not

have security management systems and if they have them, they are made without

adequate guides, without documentation or with insufficient resources [6].

As we will show later in this paper, some proposals for information security man-

agement already exist (ISO/IEC27001, ISO/IEC21827, ISM3, Areiza’s proposal,

Eloff’s proposal, ASD, IS2ME, Carey-Smith’s proposal, Tawileh’s proposal, etc);

almost all of them made by international organizations for standardization. Neverthe-

less, although these proposals are very complete and interesting; they are mainly

oriented to big enterprises. In fact, there are numerous research sources ([4, 7]) that

confirm that these proposals are not adequate for SMEs at all because they offer

processes excessively bureaucratic and expensive for them.

Therefore, considering that SMEs represent the great majority of enterprises at

both the domestic and the international level and are very important for the business

sector of any country, we believe that going further in the research to improve securi-

Santos-Olmo A., Enrique Sánchez L., Fernández-Medina E. and Piattini M..

Desirable Characteristics for an ISMS Oriented to SMEs.

DOI: 10.5220/0003593801510158

In Proceedings of the 8th International Workshop on Security in Information Systems (WOSIS-2011), pages 151-158

ISBN: 978-989-8425-61-4

 2011 SCITEPRESS (Science and Technology Publications, Lda.)

ty management for this kind of enterprises can generate important contributions. This

can help improve not only SMEs’ security but also their level of competitiveness. For

this reason, in the last years, we have created a methodology (MMSM-SME) for secu-

rity management and the establishment of the maturity level of SMEs’ information

systems [8-10]. In addition, we have built a tool to fully automatize the methodology

[11], and we have applied it to actual cases [12]. This has allowed us to validate the

methodology as well as the tool.

The paper continues in Section 2, describing the existing methodologies and mod-

els for security management and their current tendency in the case of SMEs. In Sec-

tion 3, we analyze the characteristics that the new methodology should have to be

adapted to SMEs. These characteristics have been obtained through the application of

the “action-research” method to actual cases. In section 4, the activities composing

the new methodology and their main characteristics are introduced. At last, in Section

5, we conclude by indicating the work we will develop in the future.

2 Developed Work

With the purpose of reducing the lacks shown in the previous section as well as the

losses caused by them, a great number of processes, frameworks and information

security methods, whose need of implementation is being more and more acknowl-

edged and considered by organizations, have appeared. However, as shown before,

they are inefficient in the case of SMEs.

Regarding the most outstanding standards, we have been able to prove that the

majority of security management models have been based on ISO/IEC17799 and

ISO/IEC27002 international standards and that the most successful security manage-

ment models in big enterprises are ISO/IEC27001, COBIT and ISM3 but they are

very difficult to implement and demand a too high investment that the majority of

SMEs cannot make [13]. Although new very interesting proposals oriented to this

kind of companies are arising, they face problems in a very incomplete way.

Among the main security management standards we can find:

• ISO/IEC27001 [14]: This standard was tailored to provide a model for the

establishment, implementation, operation, monitoring, review, maintenance

and improvement of ISMS. ISO/IEC27001 gives total freedom to decide the

criteria to establish the security global process and choose the method to ana-

lyze, evaluate and manage risks.

• ISO/IEC20000 [15] and ITIL [16]: They consist of a wide set of manage-

ment procedures created to make it easier for organizations to achieve quali-

ty and efficiency in IT operations.

• COBIT [17]: COBIT is a methodology for the adequate control of technolo-

gy projects, information flows and the risks that the lack of adequate controls

implies.

• ISM3 [18]: This management model of security and its maturity is oriented

to implement an ISMS and define different security levels where each one of

them can be the final objective of an organization.

When studying the existing literature we have found several attempts (see

Figure 1) to solve the problem of applying the traditional ISMS systems to SMEs

152

centered in some aspects of ISMSs. In the following subsections, we will show some

of the security management maturity models oriented to SMEs that are being devel-

oped. Although these models do not solve the existing problems, we consider that

they make interesting contributions that must be analyzed. Among them, we can high-

light the ones listed below: Eloff’s proposal [19], Areiza’s proposal [20], Dojkovski’s

proposal [21] and Sneza’s proposal[22], IS2ME [23], Wiander and Holapa’s proposal

[24], Carey-Smith’s proposal [25] and Tawileh’s proposal [26].

In numerous bibliographic sources, the difficulty of using methodologies and ma-

turity models for traditional security management that have been created for big en-

terprises in SMEs is detected and highlighted[27-30]. The fact that the application of

this kind of methodologies and maturity models in SMEs is difficult and expensive is

justified on repeated occasions. Moreover, organizations, even the big ones, tend

more to adopt groups of processes related as a set than to deal with processes inde-

pendently [31].

Therefore and to conclude this section, we can state that it is pertinent and appro-

priate to focus the problem of developing a new methodology for the management of

security and its maturity for SMEs information systems with a model that validates its

functioning together with a tool that supports this model, taking as a basis the problem

that this kind of companies face and that has lead to continuous failures in the imple-

mentation attempts into this kind of enterprises.

3 Characteristics of an ISMS Oriented to SMEs

The methodology for the management of security and its maturity in SMEs that has

been developed allows any organization to manage, evaluate and measure the security

of its information systems but it is mainly oriented to SMEs because they are the

enterprises with a higher rate of failure in the implementation of the existing security

management methodologies.

In this section, we analyze the characteristics that an ISMS should have for its im-

plementation and correct functioning within the SMEs environment. These characte-

ristics have been obtained through a detailed analysis of the ISO27001 standard and

the action research method. Eleven main characteristics that we have determined that

an ISMS implementation methodology oriented to SMEs should have: Life cycle of

the ISMS, Framework, Oriented culture of security, good practice guides, risk analy-

sis and management, metrics, maturity level, oriented SMEs, reuse of knowledge,

software tools available, and case studies. These eleven characteristics have been

obtained through the application of the “action research method” to actual cases.

One of the objectives pursued by the MMSM-SME methodology is to be easy to

apply and that the model developed with it, allows us to obtain the highest possible

level of automation and reusability with minimum information, collected in a very

short period of time. In the methodology, we have prioritized speed and cost saving

and to do so we have sacrificed the precision offered by other methodologies. That is

to say, the developed methodology has the purpose of developing one of the best

security configurations but not the optimum one, prioritizing time and cost saving

against precision although guaranteeing that the obtained results have enough quality.

153

Table 1. Comparison of security management methodologies and desirable characteristics for

ISMSs in SMEs.

ISMS Cycle

Framework

Maturity level

Security culture

Guide of good practices

Risk analysis and management

Metrics

Oriented to SMEs

Reusing knowledge

Availability of a software tool

Practical cases

ISO/IEC27000

Yes Yes Yes Parc Yes Yes Parc No No Parc Yes

ISO/IEC15408/CC

No No Yes No No No Parc No No Parc Yes

ISO/IEC21827/SSE–

CMM

Yes Yes Yes No No Parc No No No Parc Yes

ISO/IEC20000

Yes Yes

Yes No No

No No

Parc Yes

ITIL

Yes Yes

No No No

No No

Parc Yes

COBIT

Yes Yes No Parc Yes Yes Yes No No Yes Yes

ISM3

Yes Yes Yes No Yes Parc Yes Parc No Parc Yes

Eloff´s proposal

No No Yes No Yes No Yes Yes No No No

Areiza´s proposal

No No Yes No Yes No No Yes No No No

Dojkovski´s proposal

No Yes

No Yes No No No Parc

No Parc

IS2ME

Yes No

No No Yes No No Yes

Parc Yes

ASD

Parc Parc

Yes No Yes Parc No Yes

No Parc

Carey-Smith proposal

Parc No

No No Yes No No Yes Parc No No

Tawileh´s proposal

Yes No

No No No No No Yes No No Yes

Sneza´s proposal

No Yes

No Yes No No No Parc No No Yes

MMSM-SME

Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

In Table 1, we can see a comparison of the different models, methodologies and

guides to manage security analyzed in the previous section including the methodology

we have developed with the desirable characteristics for SMEs. We consider that the

considered aspects can be fully fulfilled, partially fulfilled or not taken into account

by the model. Now, we will describe each one of the analyzed aspects:

• ISMS Cycle: The model describes clearly the development, implementation

and maintenance phases of the ISMS. Commonly, models use the PDCA

cycle.

• Framework: The model describes clearly all of the elements composing the

ISMS once implemented.

• Maturity Levels: The model is oriented to the implementation of a progres-

sive security based on levels.

• Security Culture: The model has taken into account the orientation to

154

securety culture and not only the technical and management orientation like

the classical models.

• Guide of Good Practices: The model includes or considers the integration of

a guide of good practices or security controls within the ISMS.

• Risk Analysis and Management: The model includes mechanisms for esti-

mation and management of the risks to which the information system assets

are exposed.

• Metrics: The model includes mechanisms for measuring the fulfillment of

the security controls.

• Oriented to SMEs: The model has been developed thinking of the special

case of SMEs.

• Reusing Knowledge: The model obtains knowledge from implementations

in a way that this knowledge can be reused to facilitate further implementa-

tions.

• Availability of a Software Tool: The model is supported by a tool.

• Practical Cases: The model has been developed and refined from practical

cases.

4 MMSM-SME Methodology

In this section, we offer a global vision of the set of subprocesses and activities com-

posing the MMSM-SME methodology [32] and the standards and proposals used for

creating it.

The MMSM-SME methodology includes all aspects considered desirable for

SMEs including the automatization of security management models to reduce the

system generation costs and a development completely oriented to SMEs; avoiding

the generalization of other models.

Other advantage of MMSM-SME as compared to the rest of analyzed models is

that it uses the knowledge obtained during different implementations to reduce the

ISMS generation costs in similar companies. To do so, it uses the concept of “sche-

mas”. This is especially relevant because it allows the understanding of the relation-

ships between the elements forming the enterprise information with the objective of

managing its security[33].

This methodology is formed by three subprocesses:

• Subprocess P1 (GEGS – Generation of schemas). The main purpose of this

subprocess is to allow the generation of a schema (structure formed by the

main elements taking part in an ISMS and their relationships for a specific

type of companies that share common characteristics -same sector and size-

that can be used later to reduce time and cost of ISMS generation for a com-

pany.

• Subprocess P2 (GSGS – ISMS Generation): The main objective of this sub-

process is to allow the generation of the elements that will form the security

management system (ISMS) for a company, from a schema (structured gen-

erated through the GEGS subprocess) valid for a set of companies; perform-

ing this process at a reduced cost.

155

• Subprocess P3 (MSGS – ISMS Maintenance): The main objective of this

subprocess is to allow and support the company to manage the information

system security.

5 Conclusions and Future Works

In this paper, we have carried out a review of the different guides and methodologies

for the management of security and its maturity in information systems as well as of

the processes associated with the implementation of the classical security manage-

ment systems.

Regarding the most outstanding standards, we have been able to prove that the

majority of security management models have been based on the ISO/IEC17799

international standard and that the most successful security management models in

big enterprises are ISO/IEC27001, COBIT and ISM3 but they are very difficult to

implement and demand a too high investment that the majority of SMEs cannot make

[13]. Although, new very interesting proposals oriented to this kind of companies are

arising; they face problems in a very incomplete way.

In numerous bibliographic sources, the difficulty of using methodologies and ma-

turity models for traditional security management that have been created for big en-

terprises in SMEs is detected and highlighted[29, 30]. The fact that the application of

this kind of methodologies and maturity models in SMEs is difficult and expensive is

justified on repeated occasions. Moreover, organizations, even the big ones, tend

more to adopt groups of processes related as a set than to deal with processes inde-

pendently [31].

The main problem of all management models of security and its maturity presented

is that they are not being successful when being implemented into SMEs. This is

mainly due to the following reasons:

• Some models were developed thinking of big organizations (ISO/IEC27001,

ISO/IEC21827, Common Criteria, ISO/IEC20000, ITIL, COBIT) and of the

organizational structures associated with them.

• Others (ISM3, Areiza’s proposal, Eloff’s proposal, ASD, IS2ME, Carey-

Smith’s proposal, Tawileh’s proposal) have attempted to focus SMEs prob-

lems but they are incomplete models that only face part of the problem. Fur-

thermore, most of them are theoretical models and are still being developed.

All these standards and proposals for security management are very important and

their contributions have been taken into account for the development of the stated

methodology.

As a result of this research, we have been able to obtain the set of characteristics

that an ISMS oriented to SMEs should have and how we can face each one of these

characteristics using different components of the most relevant standards and re-

searches existing today.

156

Acknowledgements

This research is part of the following projects: MEDUSAS (IDI-20090557), financed

by the Centre for Industrial Technological Development (CDTI), ORIGIN (IDI-

2010043(1-5)) financed by the CDTI and the FEDER, BUSINESS (PET2008-0136)

awarded by the Spanish Ministry for Science and Technology and MARISMA

(HITO-2010-28), SISTEMAS (PII2I09-0150-3135) and SERENIDAD (PII11-0327-

7035) financed by the Council of Education and Science of the Castilla-La Mancha

Regional Government.

References

1. Kluge, D. Formal Information Security Standards in German Medium Enterprises. in

CONISAR: The Conference on Information Systems Applied Research. 2008.

2. Dhillon, G. and J. Backhouse, Information System Security Management in the New Mil-

lennium. Communications of the ACM, 2000. 43(7): p. 125-128.

3. Park, C.-S., S.-S. Jang, and Y.-T. Park, A Study of Effect of Information Security Manage-

ment System [ISMS] Certification on Organization Performance. IJCSNS International

Journal of Computer Science and Network Security., 2010. 10(3): p. 10-21.

4. Barlette, Y. and V. Vladislav. Exploring the Suitability of IS Security Management Stan-

dards for SMEs. in Hawaii International Conference on System Sciences, Proceedings of

the 41st Annual. 2008. Waikoloa, HI, USA.

5. Fal, A.M., Standardization in information security management Cybernetics and Systems

Analysis 2010. 46(3): p. 181-184.

6. Wiander, T. and J. Holappa, Theoretical Framework of ISO 17799 Compliant. Information

Security Management System Using Novel ASD Method., in Technical Report, V.T.R.C.o.

Finland, Editor. 2006.

7. Coles-Kemp, E. and R.E. Overill. The Design of Information Security Management Systems

for Small-to-Medium Size Enterprises. in ECIW - The 6th European Conference on Infor-

mation Warfare and Security. 2007. Shrivenham, UK: Defence College of Management

and Technology.

8. Sánchez, L. E., et al. MMISS-SME Practical Development: Maturity Model for Information

Systems Security Management in SMEs. in 9th International Conference on Enterprise In-

formation Systems (WOSIS’07). 2007b. Funchal, Madeira (Portugal). June.

9. Sánchez, L. E., et al. Developing a model and a tool to manage the information security in

Small and Medium Enterprises. in International Conference on Security and Cryptography

(SECRYPT’07). 2007a. Barcelona. Spain.: Junio.

10. Sánchez, L. E., et al. Developing a maturity model for information system security man-

agement within small and medium size enterprises. in 8th International Conference on En-

terprise Information Systems (WOSIS’06). 2006. Paphos (Chipre). March.

11. Sánchez, L. E., et al. SCMM-TOOL: Tool for computer automation of the Information

Security Management Systems. in 2nd International conference on Software and Data

Technologies (ICSOFT‘07). . 2007c. Barcelona-España Septiembre.

12. Sánchez, L. E., et al. Practical Application of a Security Management Maturity Model for

SMEs Based on Predefined Schemas. in International Conference on Security and Crypto-

graphy (SECRYPT’08). 2008. Porto–Portugal.

13. Velásquez, N. and M. Estayno. Desarrollo y Mantenimiento Seguro de Software para

Pyme: MoProSoft alienado a ISO/IEC 17799:2005. in IV Congreso Iberoamericano de Se-

guridad Informática (CIBSI’07). 2007. Mar de Plata. Argentina.: Noviembre.

157

14. ISO/IEC27001, ISO/IEC 27001, Information Technology - Security Techniques Information

security management systemys - Requirements. 2005.

15. ISO/IEC20000, ISO/IEC20000, Service Management IT. 2005.

16. ITILv3.0, ITIL, Information Technology Infrastructure Library., C.C.a.T.A. (CCTA). Edi-

tor. 2007.

17. COBITv4.0, Cobit Guidelines, Information Security Audit and Control Association. 2006.

18. ISM3, Information security management matury model (ISM3 v.2.0). 2007, ISM3 Consor-

tium.

19. Eloff, J. and M. Eloff, Information Security Management - A New Paradigm. Annual re-

search conference of the South African institute of computer scientists and information

technologists on Enablement through technology SAICSIT´03, 2003: p. 130-136.

20. Areiza, K.A., et al., Hacia un modelo de madurez para la seguridad de la información. 3er

Congreso Iberoamericano de seguridad Informática, 2005a. Nov, (2005): p. 429 - 442.

21. Dojkovski, S., S. Lichtenstein, and M.J. Warren. Challenges in Fostering an Information

Security Culture in Australian Small and Medium Sized Enterprises. in 5th European Con-

ference on Information Warfare and Security. 2006. Helsinki, Finland: 1-2 June.

22. Sneza, D., L. Sharman, and W. Matthew John. Fostering information security culture in

small and medium size enterprises: An interpretive study in australia. in the Fifteenth Eu-

ropean Conference on Information Systems. 2007. University of St. Gallen, St. Gallen.

23. Linares, S. and I. Paredes (2007) IS2ME: Information Security to the Medium Enterprise.

Volume,

24. Wiander, T. and J. Holappa, Managing Information Security in Small and Medium-sized

Organization, in Handbook of Research on Information Security and Assurancence. 2007.

25. Carey-Smith, M.T., K.J. Nelson, and L.J. May. Improving Information Security Manage-

ment in Nonprofit Organisations with Action Research. in Proceedings of The 5th Australi-

an Information Security Management Conference. 2007. Perth, Western Australia: School

of Computer and Information Science. Edith Cowan University.

26. Tawileh, A., J. Hilton, and S. McIntosh, Managing Information Security in Small and Me-

dium Sized Enterprises: A Holistic Approach, in ISSE/SECURE 2007 Securing Electronic

Business Processes, Vieweg, Editor. 2007. p. 331-339.

27. Batista, J. and A. Figueiredo, SPI in very small team: a case with CMM. Software Process

Improvement and Practice, 2000. 5(4): p. 243-250.

28. Hareton, L. and Y. Terence, A Process Framework for Small Projects. Software Process

Improvement and Practice, 2001. 6: p. 67-83.

29. Tuffley, A., B. Grove, and M. G, SPICE For Small Organisations. Software Process

Improvement and Practice, 2004. 9: p. 23-31.

30. Calvo-Manzano, J.A., Método de Mejora del Proceso de desarrollo de sistemas de infor-

mación en la pequeña y mediana empresa (Tesis Doctoral). Universidad de Vigo

. 2000.

31. Mekelburg, D., Sustaining Best Practices: How Real-World Software Organizations Im-

prove Quality Processes. Software Quality Professional, 2005. 7(3): p. 4-13.

32. Sánchez, L.E., et al., MGSM-PYME: Metodología para la gestión de la seguridad y su

madurez en las PYMES., in V Congreso Iberoamericano de Seguridad Informática. 2009:

Montevideo, Uruguay.

33. Awad, E. and H. Ghaziri, Knowledge Management, ed. P. Hall. 2003.

158