Support tool for verifying the compliance of standards and regulations in implementations of strategies for information security

Felipe Reyes López, Yaneth Betancurt Domínguez, Ingrid Lucia Muñoz Periñán, Andrés Felipe Paz Loboguerrero

Abstract


Organizations are increasingly concerned with ensuring the security of their information, and government regulations and the market itself demand compliance with appropriate levels of security as a condition for remaining in operation. This article presents a tool that supports gap analysis between the current state of an organization and the specifications of the most recognized information security referents in the Colombian context. The tool allows an organization's level of compliance to be evaluated against the ISO 27001 and ISO 27002 standards in their 2013 versions and against Notices 038 and 042 of the financial regulatory authority of Colombia (Superintendencia Financiera de Colombia). It is built on a data model that incorporates the results of a comparative analysis between the ISO 27001:2013 and ISO 27002:2013 standards and Notices 038 and 042, and that allows new referents to be added and related to the existing ones. Several evaluation scenarios were created to validate the functional completeness and precision of the implemented prototype.
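The cross-referent data model the abstract describes (controls grouped by referent, equivalences between controls of different referents, and a compliance level derived from assessment results) can be sketched in a few lines. The following Python code is an added example and is not the tool's own code or data: the referent names are the ones the abstract mentions, but every control identifier, title, equivalence and score is a constructed placeholder, and the inference rule (a control that was not assessed directly inherits the lowest score among the controls it is related to) is an assumption, not a rule taken from the article.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import mean

Key = tuple[str, str]  # (referent name, control identifier)


@dataclass(frozen=True)
class Control:
    referent: str  # referent the control belongs to, e.g. "ISO 27001:2013"
    cid: str       # identifier within the referent (placeholders below are constructed)
    title: str

    @property
    def key(self) -> Key:
        return (self.referent, self.cid)


@dataclass
class ComplianceModel:
    """Controls of several referents, cross-referent equivalences and assessment scores."""
    controls: dict[Key, Control] = field(default_factory=dict)
    equivalences: dict[Key, set[Key]] = field(default_factory=dict)
    scores: dict[Key, float] = field(default_factory=dict)  # 0.0 (absent) .. 1.0 (fully met)

    def add_control(self, control: Control) -> None:
        self.controls[control.key] = control
        self.equivalences.setdefault(control.key, set())

    def relate(self, a: Key, b: Key) -> None:
        """Record that two controls of different referents cover the same requirement."""
        if a not in self.controls or b not in self.controls:
            raise KeyError("both controls must be registered before relating them")
        self.equivalences[a].add(b)
        self.equivalences[b].add(a)

    def record(self, key: Key, score: float) -> None:
        """Store the assessed compliance level of one control (validated to [0, 1])."""
        if key not in self.controls:
            raise KeyError(f"unknown control {key}")
        if not 0.0 <= score <= 1.0:
            raise ValueError("score must be within [0, 1]")
        self.scores[key] = score

    def effective_score(self, key: Key) -> tuple[float, str]:
        """Score of a control plus its provenance: 'assessed', 'inferred' or 'unassessed'."""
        if key in self.scores:
            return self.scores[key], "assessed"
        related = [self.scores[k] for k in self.equivalences.get(key, ()) if k in self.scores]
        if related:
            # Assumed rule: take the weakest evidence, since a related control is not identical.
            return min(related), "inferred"
        return 0.0, "unassessed"

    def compliance(self, referent: str) -> float:
        """Average effective score over all controls of one referent."""
        keys = [k for k in self.controls if k[0] == referent]
        if not keys:
            raise KeyError(f"unknown referent {referent}")
        return mean(self.effective_score(k)[0] for k in keys)

    def gaps(self, referent: str, threshold: float = 1.0) -> list[tuple[str, float, str]]:
        """Controls of a referent whose effective score is below the threshold."""
        out = []
        for k, c in self.controls.items():
            if c.referent != referent:
                continue
            score, source = self.effective_score(k)
            if score < threshold:
                out.append((c.cid, score, source))
        return sorted(out)


def build_sample_model() -> ComplianceModel:
    """Constructed toy scenario: identifiers, titles and relations are placeholders only."""
    m = ComplianceModel()
    for ref, cid, title in [
        ("ISO 27001:2013", "R-1", "Access control policy (placeholder)"),
        ("ISO 27001:2013", "R-2", "Logging and monitoring (placeholder)"),
        ("ISO 27002:2013", "G-1", "Access control guidance (placeholder)"),
        ("ISO 27002:2013", "G-2", "Logging guidance (placeholder)"),
        ("Notice 038", "N-1", "Access control requirement (placeholder)"),
        ("Notice 038", "N-2", "Customer notification requirement (placeholder)"),
    ]:
        m.add_control(Control(ref, cid, title))
    m.relate(("ISO 27001:2013", "R-1"), ("ISO 27002:2013", "G-1"))
    m.relate(("ISO 27001:2013", "R-2"), ("ISO 27002:2013", "G-2"))
    m.relate(("ISO 27001:2013", "R-1"), ("Notice 038", "N-1"))
    # Only the ISO 27001 controls were assessed directly in this scenario.
    m.record(("ISO 27001:2013", "R-1"), 1.0)
    m.record(("ISO 27001:2013", "R-2"), 0.5)
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for ref in ("ISO 27001:2013", "ISO 27002:2013", "Notice 038"):
        print(f"{ref}: compliance={model.compliance(ref):.2f} gaps={model.gaps(ref)}")
```

Because the equivalences are symmetric, assessing one referent immediately yields an inferred level for the related controls of another, and the `source` field keeps inferred evidence distinguishable from a direct assessment in the gap report, which is the point of relating a newly added referent to the existing ones.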


Keywords


Information security, ISO 27001, ISO 27002, Notice 038, Notice 042, gap analysis.


DOI: http://dx.doi.org/10.18046/syt.v13i32.2032
