TY - GEN
T1 - Modelo de gestión de riesgos de seguridad de información para mitigar el impacto en las PYMEs en Perú
AU - Garay, Daniel Felipe Carnero
AU - Carbajal Ramos, Marcos Antonio
AU - Armas-Aguirre, Jimmy
AU - Molina, Juan Manuel Madrid
N1 - Publisher Copyright:
© 2020 AISTI.
PY - 2020/6
Y1 - 2020/6
N2 - This paper proposes an information security risk management model that helps mitigate the threats to which SMEs in Peru are exposed. According to studies by Ernst & Young, 90% of companies in Peru are not prepared to detect security breaches, and 51% have already been attacked. In addition, according to Deloitte, only 10% of companies maintain risk management indicators. The model consists of three phases: (1) inventory the company's information assets and perform a risk analysis of each one; (2) evaluate the treatment to be given to each risk; (3) once the controls are implemented, design indicators that help monitor the implemented safeguards. The article focuses on the creation of a model that integrates a company-wide risk management standard with a standard for information security indicators used to validate compliance, contributing the results of an implementation in a specific environment. The proposed model was validated in a pharmaceutical SME in Lima, Peru. The results showed a 71% decrease in risk after applying 15 monitoring and training controls, lowering the risk status from a critical level to an acceptable level of between 1.5 and 2.3 on the assessment scale used.
AB - This paper proposes an information security risk management model that helps mitigate the threats to which SMEs in Peru are exposed. According to studies by Ernst & Young, 90% of companies in Peru are not prepared to detect security breaches, and 51% have already been attacked. In addition, according to Deloitte, only 10% of companies maintain risk management indicators. The model consists of three phases: (1) inventory the company's information assets and perform a risk analysis of each one; (2) evaluate the treatment to be given to each risk; (3) once the controls are implemented, design indicators that help monitor the implemented safeguards. The article focuses on the creation of a model that integrates a company-wide risk management standard with a standard for information security indicators used to validate compliance, contributing the results of an implementation in a specific environment. The proposed model was validated in a pharmaceutical SME in Lima, Peru. The results showed a 71% decrease in risk after applying 15 monitoring and training controls, lowering the risk status from a critical level to an acceptable level of between 1.5 and 2.3 on the assessment scale used.
KW - information security
KW - ISO/IEC 27004
KW - ISO/IEC 31000
KW - IT Risk
KW - Magerit
UR - https://www.scopus.com/pages/publications/85089023750
U2 - 10.23919/CISTI49556.2020.9140980
DO - 10.23919/CISTI49556.2020.9140980
M3 - Conference contribution
AN - SCOPUS:85089023750
T3 - Iberian Conference on Information Systems and Technologies, CISTI
BT - Proceedings of CISTI 2020 - 15th Iberian Conference on Information Systems and Technologies
A2 - Rocha, Alvaro
A2 - Perez, Bernabe Escobar
A2 - Penalvo, Francisco Garcia
A2 - del Mar Miras, Maria
A2 - Goncalves, Ramiro
PB - IEEE Computer Society
T2 - 15th Iberian Conference on Information Systems and Technologies, CISTI 2020
Y2 - 24 June 2020 through 27 June 2020
ER -