Support tool for verifying the compliance of standards and regulations in implementations of strategies for information security
Organizations are increasingly concerned with ensuring the security of their information. In addition, government regulations and the market itself demand compliance with appropriate security levels as a condition for remaining in operation. This article presents a tool that supports gap analysis between an organization's current state and the specifications of the most widely recognized information security references in the Colombian context. The tool evaluates an organization's level of compliance with the ISO 27001 and ISO 27002 standards in their 2013 versions and with Notices 038 and 042 of the financial regulatory authority of Colombia (Superintendencia Financiera de Colombia). It is built on a data model that incorporates the results of a comparative analysis between the ISO 27001:2013 and ISO 27002:2013 standards and Notices 038 and 042, and that allows new references to be added and related to the existing ones. Several evaluation scenarios were created to validate the functional completeness and precision of the implemented prototype.
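The following is an added illustration, not the paper's tool or data model, of the idea described above: requirements from several references (ISO 27001:2013, ISO 27002:2013 and a regulatory notice) are held in one catalog, related to each other by an equivalence graph, and a gap report for any reference reuses evidence assessed against a related one. The ISO/IEC 27001:2013 Annex A control identifiers are real; the maturity scale, the short control texts, the assessment values and the `REQ-PLACEHOLDER-*` identifiers standing in for Notice 042 requirements are constructed for this example.

```python
"""Gap-analysis data model for compliance references (constructed example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (reference, requirement id)

# Maturity scale applied to every requirement (constructed for this example).
LEVELS = {0: "not implemented", 1: "partially implemented",
          2: "implemented", 3: "implemented and reviewed"}
MAX_LEVEL = max(LEVELS)


@dataclass
class Catalog:
    requirements: Dict[Key, str] = field(default_factory=dict)
    links: Dict[Key, Set[Key]] = field(default_factory=dict)

    def add(self, reference: str, rid: str, text: str) -> Key:
        key = (reference, rid)
        self.requirements[key] = text
        self.links.setdefault(key, set())
        return key

    def relate(self, a: Key, b: Key) -> None:
        """Declare two requirements equivalent (symmetric link)."""
        for k in (a, b):
            if k not in self.requirements:
                raise KeyError(f"unknown requirement {k}")
        self.links[a].add(b)
        self.links[b].add(a)

    def equivalents(self, key: Key) -> Set[Key]:
        """Every requirement reachable through equivalence links (transitive)."""
        seen, queue = {key}, deque([key])
        while queue:
            for nxt in self.links.get(queue.popleft(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        seen.discard(key)
        return seen

    def by_reference(self, reference: str) -> List[Key]:
        return sorted(k for k in self.requirements if k[0] == reference)


def effective_level(catalog: Catalog, assessment: Dict[Key, int],
                    key: Key) -> Tuple[int, Optional[Key]]:
    """Own assessment if present; otherwise the best level among assessed
    equivalent requirements (evidence reuse). Source is None if nothing applies."""
    if key in assessment:
        return assessment[key], key
    best: Tuple[int, Optional[Key]] = (0, None)
    for other in sorted(catalog.equivalents(key)):
        if other in assessment and assessment[other] > best[0]:
            best = (assessment[other], other)
    return best


def gap_report(catalog: Catalog, assessment: Dict[Key, int], reference: str) -> dict:
    keys = catalog.by_reference(reference)
    if not keys:
        raise ValueError(f"no requirements loaded for {reference}")
    gaps, total = [], 0
    for key in keys:
        level, source = effective_level(catalog, assessment, key)
        total += level
        if level < MAX_LEVEL:  # anything below the top level is reported as a gap
            gaps.append({"requirement": key[1], "level": LEVELS[level],
                         "evidence_from": None if source is None else f"{source[0]} {source[1]}"})
    return {"reference": reference,
            "compliance_pct": round(100.0 * total / (MAX_LEVEL * len(keys)), 1),
            "gaps": gaps}


def build_sample_catalog() -> Catalog:
    c = Catalog()
    # Real ISO/IEC 27001:2013 Annex A control ids; texts paraphrased.
    a921 = c.add("ISO27001:2013", "A.9.2.1", "User registration and de-registration")
    c.add("ISO27001:2013", "A.9.4.3", "Password management system")
    a1241 = c.add("ISO27001:2013", "A.12.4.1", "Event logging")
    c.add("ISO27001:2013", "A.16.1.1", "Incident management responsibilities and procedures")
    # ISO/IEC 27002:2013 gives implementation guidance under the same numbering.
    g921 = c.add("ISO27002:2013", "9.2.1", "User registration and de-registration (guidance)")
    g1241 = c.add("ISO27002:2013", "12.4.1", "Event logging (guidance)")
    c.relate(a921, g921)
    c.relate(a1241, g1241)
    # Placeholder ids standing in for Notice 042 requirements (constructed).
    r1 = c.add("SFC-CE042", "REQ-PLACEHOLDER-1", "Identify and register users of transactional channels")
    r2 = c.add("SFC-CE042", "REQ-PLACEHOLDER-2", "Keep audit records of transactions")
    c.add("SFC-CE042", "REQ-PLACEHOLDER-3", "Inform customers of security measures")
    # The new reference is linked only to the ISO 27002 guidance; the link to
    # ISO 27001 is reached transitively through the equivalence graph.
    c.relate(r1, g921)
    c.relate(r2, g1241)
    return c


# Constructed assessment: the organization was assessed against ISO 27001 only.
SAMPLE_ASSESSMENT: Dict[Key, int] = {
    ("ISO27001:2013", "A.9.2.1"): 3, ("ISO27001:2013", "A.9.4.3"): 0,
    ("ISO27001:2013", "A.12.4.1"): 1, ("ISO27001:2013", "A.16.1.1"): 2,
}

if __name__ == "__main__":
    cat = build_sample_catalog()
    for ref in ("ISO27001:2013", "SFC-CE042"):
        rep = gap_report(cat, SAMPLE_ASSESSMENT, ref)
        print(f"{rep['reference']}: {rep['compliance_pct']}% compliant")
        for g in rep["gaps"]:
            print(f"  gap {g['requirement']}: {g['level']} (evidence: {g['evidence_from']})")
```

Running the script reports ISO 27001 at 50.0% and the Notice 042 placeholder set at 44.4%, with the second report citing the ISO 27001 controls from which each inherited level came; an unmapped requirement scores zero and is listed with no evidence, which is exactly the gap an auditor would need to fill.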
This journal is licensed under the terms of the CC BY 4.0 licence (https://creativecommons.org/licenses/by/4.0/legalcode).