Support tool for verifying the compliance of standards and regulations in implementations of strategies for information security

  • Felipe Reyes López Universidad Icesi, Cali
  • Yaneth Betancurt Domínguez Universidad Icesi, Cali
  • Ingrid Lucia Muñoz Periñán Universidad Icesi, Cali
  • Andrés Felipe Paz Loboguerrero Universidad Icesi, Cali
Keywords: Information security, ISO 27001, ISO 27002, Notice 038, Notice 042, gap analysis.

Abstract

Organizations are increasingly concerned about ensuring the security of their information. In addition, government regulations and the market itself are demanding compliance with appropriate levels to remain in operation. This article presents a support tool to the process of gap analysis on the current state of the company and the specifications of the most recognized referents in the Colombian scope in the subject of information security. The tool allows for the evaluation of an organization’s level of compliance with regard to the ISO 27001 and ISO 27002 standards in their 2013 versions and Notices 038 and 042 of the financial regulatory authority of Colombia (Superintendencia Financiera de Colombia). The tool conceives a data model that incorporates the results of a comparative analysis between the ISO 27001:2013 and ISO 27002:2013 standards and the Notices 038 and 042, and allows the inclusion of new referents and relates them to the existing ones. Several evaluation scenarios were created to validate the functional completeness and precision of the implemented prototype.

Author Biographies

Felipe Reyes López, Universidad Icesi, Cali

Electronics Engineer (Universidad del Valle, Cali-Colombia) and Master in Information and Telecommunications Management (Universidad Icesi, Cali). He works as Professional Services Engineer at Schneider Electric

Yaneth Betancurt Domínguez, Universidad Icesi, Cali
Systems Engineer (Universidad del Valle, Cali-Colombia) and Master in Information and Telecommunications Management (Universidad Icesi, Cali). She works as a process, functional requirements and SQA analyst at Expert LA Information
Ingrid Lucia Muñoz Periñán, Universidad Icesi, Cali
Electronic Engineer (Universidad del Valle, Cali-Colombia), Specialist in Organizational Informatics Management and Master in Information and Telecommunications Management (Universidad Icesi, Cali-Colombia); Project Management Professional (PMP) and ISO 27001 Lead Auditor, COBIT Foundation Certified. She is the current manager of Domuz Consultoría S.A.S. and a private consultant in Information Security, Project Management and IT Governance. Currently she coordinates the diploma course in Project Management at Universidad Icesi
Andrés Felipe Paz Loboguerrero, Universidad Icesi, Cali
Systems Engineer (Universidad Icesi, Cali-Colombia); Master in Informatics and Telecommunications (Universidad Icesi); professor (Information and Communications Technologies Department) and researcher (Informatics and Telecommunications research group) at Universidad Icesi.

References

Álvarez, F.M. & García, P.A. (2007). Implementación de un sistema de gestión de seguridad de la información basado en la
norma ISO 27001, para la intranet de la Corporación Metropolitana de Salud [thesis]. Escuela Politécnica Nacional: Quito,
Ecuador.

Check-up digital (2013). Retrieved from http://www.naa.gov.au/records-management/check-up/

Ernst & Young [EY]. (2012). Internal audit [online]. Retrieved from http://www.ey.com/GL/en/Services/Advisory/EY-internal-audit

Feng, N., & Li, M. (2011). An information systems security risk assessment model under uncertain environment. Applied Soft
Computing, 11(7), 4332–4340. doi:10.1016/j.asoc.2010.06.005

International Organization for Standardization / International Electrotechnical Commission [ISO/IEC]. (2013a). ISO/IEC
27001:2013: Information technology -- Security techniques --
Information security management systems -- Requirements.
Geneva, Switzerland: ISO.

International Organization for Standardization / International Electrotechnical Commission [ISO/IEC]. (2013b). ISO/IEC
27002:2013: Information technology -- Security techniques -- Code of practice for information security controls. Geneva,
Switzerland: ISO.

Robinson, M. (2014). Risk assessment toolkit [online]. Retrieved from http://www.cio.ca.gov/OIS/Government/risk/toolkit.asp
Superintendencia Financiera de Colombia [SFC]. (2009). Circular externa 038 [memo].

Superintendencia Financiera de Colombia [SFC]. (2012). Circular externa 042 [memo].

Wheeler, E. (2011). Security risk management: Building an information security risk management program from the Ground
Up. The Netherlands: Elsevier. doi:10.1016/B978-1-59749-615-5.00022-0
Published
2015-03-30
Section
Original Research