A proposal for the management of the information security applied to a Colombian public entity
Keywords: Information Security, ISO/IEC 27000, ISMS, IT Risks.

Abstract

Information is regarded today as one of the most important resources in organizations, not only as the fundamental input to their processes but as a resource whose proper handling allows organizational strategies to be defined. The public sector has not been outside this trend, especially with regard to the protection of information. This article presents a case study of the application of information security management in a public entity. Following a prior review of the literature, it uses four international information security standards (ISO/IEC 27001:2013, ISO/IEC 27002:2013, ISO/IEC 27003:2010 and ISO/IEC 27005:2008) and their contextualization in Colombia according to the guidelines laid down by the Ministry of Information Technologies. The result is a methodology adjusted to the needs of the public entity, with risk management, controls, relevant indicators and parameters that reduce uncertainty in the management of information. The contribution of this work lies in integrating international information security standards and contextualizing them in a government area, responding to regulatory requirements and, once implemented, providing a methodological development that allows the public organization to carry out information security management processes continuously.