Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
6741-6750
© Research India Publications. http://www.ripublication.com
1,2
Ricardo Guagalango Vega, 2Rubén Arroyo and 2,3,*
Sang Guun Yoo
1
Centro de Posgrados, Universidad de las Fuerzas Armadas ESPE, Av. General Rumiñahui s/n, Sangolquí, Ecuador.
2
Departamento de Ciencias de la Computación, Universidad de las Fuerzas Armadas ESPE, Av. General Rumiñahui s/n,
Sangolquí, Ecuador.
3
Facultad de Ingeniería de Sistemas, Escuela Politécnica Nacional, Ladrón de Guevara, E11-253, Quito, Ecuador.
*
ORCID ID: 0000-0003-1376-3843, Scopus Author ID: 36187649600
6741
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 17 (2017) pp. 6741-6750
© Research India Publications. http://www.ripublication.com
For the development of this paper, we have used the principal IMPROVEMENT OF INFORMATION SECURITY
and most important standard denominated ISO/IEC 27001 [9] PROCESSES
which contains the requirements of the Information Security
First, to improve the security processes of the Company, it was
Management System (ISMS) and it is distributed in 14 domains
necessary to know the current situation of the Department of
[10] which are: (1) Information security policies, (2)
Technology and Information. For this purpose, interviews and
Organization of information security, (3) Human resource
surveys were carried out to the personnel. The controls
security, (4) Asset management, (5) Access control, (6)
indicated in ISO/IEC 27001 were taken and questions were
Cryptography [11], (9) Physical and environmental security,
transformed for each domain with true/false answers to
(10) Operations security, (11) Communications security, (12)
evidence the percentage of compliance. Fig. 1 below shows the
Systems acquisition, development and maintenance, (13)
obtained results. The results indicates that the Department of
Supplier relationships, (14) Information security incident
Technology and Information is compliant with 62% of most of
management [12], (15) Information security aspects of business
the ISO/IEC 27001 domains. It also indicates that the 38% of
continuity management, and (16) Compliance with internal
necessary controls have not been applied to strengthen the
requirements, such as policies, and with external requirements,
Information Security of the Company.
such as laws.
Subsequently, it was necessary to verify the genuineness of the
Additionally, we also have applied the ISO/IEC 27002 which
obtained results, so it was imperative to apply the MAGERIT
delivers the good information security practices [13].
methodology to carry out the risk analysis based on the
Additional to ISO/IEC 27000, the Methodology of Analysis following process:
and Management of Risks of Information Systems
i) Identification of information assets. At this stage,
(MAGERIT) v.3 [14] was also used to make a better risk
technological assets relevant to the Company were
analysis. MAGERIT is a methodology created by the Spanish
identified to analyze their risks. After identifying the main
governmental organization called Consejo Superior de
assets of the technological area, these were entered to the
Administración Electrónica to meet their corporate strategic
PILAR tool to know their main vulnerabilities and the
objectives. This methodology, that allows a systematic
threats that could exploit those vulnerabilities.
execution of risk analysis, contemplates the following phases:
1. Identify the assets with the greatest relevance and
value to the organization, and what detriment or cost ii) Valuation of assets. PILAR tool allows to measure the
it would cause their degradation. value of each asset based on the following dimensions:
4. Estimate the impact i.e. the damage to the asset due to b. Integrity (represented by [I]): It protects data and
the materialization of a threat information from unauthorized modification or
deletion.
5. Assess the risk, using the impact formula weighted
with the occurrence rate of the threat. c. Confidentiality (represented by [C]): It ensures
information/assets access only to authorized users
6. Establish safeguards or controls to mitigate, accept,
[15].
eliminate or transfer risks that have a high impact.
d. Authenticity (represented by [A]): It identifies
When applying the methodology MAGERIT, a tool called
users who generated the information and block
PILAR (developed by the Centro Criptológico Nacional) can
the possibility of impersonation.
be used. Such tool has a standard library capable to generate
ratings based on the international ISO/IEC 27002 standard. The e. Traceability (represented by [T]): It make
ISO/IEC 27002 standard includes the code of good practices possible to track who did what and when [17].
for information security management.
6742
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 17 (2017) pp. 6741-6750
© Research India Publications. http://www.ripublication.com
NO YES
6743
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 17 (2017) pp. 6741-6750
© Research India Publications. http://www.ripublication.com
Problems caused deliberately by people. dimensions indicated before in this sections. In the tables,
People with access to the information system the frequency of such threats can also be observed
can cause problems intentionally. (1=once a year, 10=monthly, 100=daily, 0.2=every
several years; this probability of occurrence was defined
Tables 1 and 2 show the main threats to the most critical by the guidance of the technology department’s staff of
information assets of the company, organized by the the company).
6744
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 17 (2017) pp. 6741-6750
© Research India Publications. http://www.ripublication.com
iv) Impact and risk. With the information of threats, it is Figure 3, shows the list of the assets with the highest
possible to establish the impact, which can be defined as valuation with highest criticality levels. The results
the measure of the damage on the asset derived from the obtained using the PILAR tool indicate the level of
materialization of a threat [17]. Knowing the value of the compliance of the domains of ISO/IEC 27002 standard. It
assets (in their different dimensions) and the degradation is important to consider that the safeguards or controls to
caused by the threats, it is possible to identify the impact be applied are associated with the controls of ISO/IEC
that these would cause on the system. The impact is standard. The fulfillment and implementation of the
calculated for each information asset according to the recommendations will strengthen the security of the
related threats and dimensions. Company.
6745
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 17 (2017) pp. 6741-6750
© Research India Publications. http://www.ripublication.com
Fig. 4 shows (in percentages) the current situation and the [PR] Preventive: When the chances of an incident
expected goals to be achieved by applying the safeguards occurring are reduced, e.g. pre-production tests.
indicated by the software PILAR. [CR] Corrective: Executed after damage. The damage
is repaired and reduced, e.g. incident management.
v) Application of safeguards. In this phase, it is necessary to [DC] Detective: The event is reported when an attack
consider the following aspects for the identification and occurs, e.g. anti-virus.
valuation of safeguards. (1) The type of assets to be
protected, each type is protected in a different way. (2)
Threats to which the asset requires protection. (3) If there The safeguards will be applied to those domains with a lower
are alternative or additional safeguards. (4) Focus on the percentage of compliance of ISO/IEC standard since they have
most important risks. greater risks. These domains are as follows.
It should be noted that there are different types of protection
provided by safeguards [17]:
6746
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 17 (2017) pp. 6741-6750
© Research India Publications. http://www.ripublication.com
6747
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 17 (2017) pp. 6741-6750
© Research India Publications. http://www.ripublication.com
vi) Impact and residual risk analysis. This is the last stage and it allows the analysis of results after implementation of the
safeguards. It allows to measure the modification of impact and the risk from a potential value to a residual value. Fig. 5 and
6 show the impact and residual risk results after applying safeguards recommendations.
6748
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 17 (2017) pp. 6741-6750
© Research India Publications. http://www.ripublication.com
6749
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 17 (2017) pp. 6741-6750
© Research India Publications. http://www.ripublication.com
6750