TY - GEN
T1 - Information Security Risk Management Model for Peruvian SMEs
AU - Garcia-Porras, Chris
AU - Huamani-Pastor, Sarita
AU - Armas-Aguirre, Jimmy
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/12/27
Y1 - 2018/12/27
N2 - In this paper, we propose an information security risk management model for Peruvian SMEs, taking the OCTAVE-S methodology and the ISO/IEC 27005 standard as references. The model consists of the three phases of OCTAVE-S (construction of the threat profile, identification of infrastructure vulnerabilities, and security strategies and plans). It incorporates the lists contemplated in ISO/IEC 27005, together with that standard's risk calculation and risk treatment. The model also adopts a quantitative approach that allows the residual risk to be calculated: for example, the most critical asset identified obtained a risk value of 216, and its residual risk was 109; this residual value is derived from the effectiveness of the controls that form part of the proposed model, such as formalizing procedures and policies and their occasional review. The model provides information security risk guidelines for companies. It was implemented in the sales process of a Peruvian SME in the ceramics sector, proving easy to use and making it possible to identify the controls needed to reduce the risk; implementing them reduces the risk by 53%.
AB - In this paper, we propose an information security risk management model for Peruvian SMEs, taking the OCTAVE-S methodology and the ISO/IEC 27005 standard as references. The model consists of the three phases of OCTAVE-S (construction of the threat profile, identification of infrastructure vulnerabilities, and security strategies and plans). It incorporates the lists contemplated in ISO/IEC 27005, together with that standard's risk calculation and risk treatment. The model also adopts a quantitative approach that allows the residual risk to be calculated: for example, the most critical asset identified obtained a risk value of 216, and its residual risk was 109; this residual value is derived from the effectiveness of the controls that form part of the proposed model, such as formalizing procedures and policies and their occasional review. The model provides information security risk guidelines for companies. It was implemented in the sales process of a Peruvian SME in the ceramics sector, proving easy to use and making it possible to identify the controls needed to reduce the risk; implementing them reduces the risk by 53%.
KW - Information Security
KW - ISO/IEC 27005
KW - OCTAVE
KW - Risk Management model
UR - https://www.scopus.com/pages/publications/85061485053
U2 - 10.1109/SHIRCON.2018.8592994
DO - 10.1109/SHIRCON.2018.8592994
M3 - Conference contribution
AN - SCOPUS:85061485053
T3 - Proceedings of the 2018 IEEE Sciences and Humanities International Research Conference, SHIRCON 2018
BT - Proceedings of the 2018 IEEE Sciences and Humanities International Research Conference, SHIRCON 2018
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2018 IEEE Sciences and Humanities International Research Conference, SHIRCON 2018
Y2 - 20 November 2018 through 22 November 2018
ER -