Information security risk management model for Peruvian PYMES
DOI: https://doi.org/10.15381/rpcs.v1i1.14856
Keywords: Risk Management, Security Information, SMEs, OCTAVE, ISO/IEC 27005
Abstract
Nowadays, companies seek to protect their information because it is a very valuable asset. To protect it, they must manage risk, which prevents scenarios with a negative impact such as significant financial losses, breaches of the confidentiality of sensitive information, and loss of the integrity or availability of confidential information. Organizations such as SMEs do not implement risk management models because they are not willing to allocate a budget to information security. Different approaches are used to manage risk, but in general they focus on large companies, and those that target SMEs take a qualitative approach. This paper presents a suitable risk management model based on the OCTAVE-S methodology and the ISO/IEC 27005 standard. It consists of the three phases of OCTAVE, to which the list of vulnerabilities and scenarios is added in phase 1, and the risk calculation and treatment of ISO/IEC 27005 in the last phase. The model also takes a quantitative approach that calculates the residual risk from the effectiveness of the controls applied, producing a model suited to these organizations and, therefore, facilitating decision making. The model has been applied to the sales process of a Peruvian clay-ceramic SME, demonstrating its ease of use and identifying the controls needed to reduce the risk; their implementation could reduce the risk by 53%.
License
Copyright (c) 2018 Johari C. García Porras, Sarita C. Huamani Pastor, Rómulo F. Lomparte Alvarado

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
THE AUTHORS RETAIN THEIR RIGHTS:
(a) The authors retain their trademark and patent rights, and also over any process or procedure described in the article.
(b) The authors retain the right to share, copy, distribute, execute and publicly communicate the article published in the Revista Peruana de Computación y Sistemas (for example, place it in an institutional repository or publish it in a book), with acknowledgment of its initial publication in Revista Peruana de Computación y Sistemas.
(c) Authors retain the right to make a subsequent publication of their work, and to use the article or any part of it (for example, in a compilation of their work, lecture notes, a thesis, or a book), provided that they indicate the source of publication (authors of the work, journal, volume, number and date).