15 research outputs found

    A METHOD FOR ANALYZING REQUIREMENTS FOR INFORMATION SECURITY MANAGEMENT SYSTEMS

    The process of analyzing the requirements for information security management systems is considered. The obligation to comply with the requirements of the international standard ISO/IEC 27001 is shown. This gives stakeholders confidence that information security risks are managed properly at an acceptable level. This is achieved by taking into account the internal and external circumstances that influence the goal and the achievement of the expected results of organizations, and by identifying stakeholders and their needs and expectations of the development of information security management systems. It is established that the main focus is currently on the requirements for the process of developing these systems or for ensuring information security in organizations. The transformation of the needs, expectations and related constraints of stakeholders into an appropriate systemic solution has been overlooked. These limitations have been overcome through the proposed method of analyzing the requirements for information security management systems. Its use allows relevant statements to be identified, in established syntactic forms, on the basis of the needs, expectations and related constraints of stakeholders. Each of them is checked for correctness of formulation and for compliance with the characteristics of both an individual requirement and a set of requirements. For their systematization and for establishing relations between them, the graphical notation SysML is applied. In view of this, a requirement is treated as a class stereotype with properties and constraints. Relations are used to establish links between requirements. Their combination is represented by a diagram in the SysML graphical notation and, as a result, allows the requirements for information security management systems to be specified. As a direction for further research, it is planned to develop the logical structure of such a system on the basis of the proposed method.

    Digital Transformation: A Foundational Capability Building Block Perspective on Maturing the IT Capability

    The enterprise-wide scope of an organisation's IT capability in sustainably leveraging technology for business value is well-researched, and the level of maturity of this capability is a key determinant of an organisation's success. IT capability maturity has become more critical as technological developments continue at an accelerated pace and as whole industries are being disrupted by digital developments. Maturity in terms of IT leadership, IT processes, IT infrastructure, and a myriad of other supporting organisation-wide capabilities is required. Since the 1980s, maturity models in the literature have focused on specialist niche areas, with few adopting a holistic perspective. Across these models, a lack of consensus is evident on the key capabilities that should be matured and on what the important sub-elements or building blocks of these capabilities are. How does the organisation achieve an adequate level of maturity if the required capabilities are unclear? This paper undertakes a systematic analysis of the 36 IT capabilities within the IT Capability Maturity Framework (IT-CMF), one of the most holistic IT capability maturity models identified, and the 315 sub-elements (Capability Building Blocks (CBBs)) that comprise these capabilities. This research aims to identify the common sub-elements or building blocks inherent across the 36 capabilities, which we refer to as Foundational Capability Building Blocks (FCBBs), and to give a high-level definition of these FCBBs abstracted from the relevant sub-elements and discussed in terms of their recognised importance to effecting successful digital transformations. From an academic perspective, the research provides deeper insight into common themes that are pertinent to IT capability improvement. From an industry practitioner perspective, it breaks down the complexities of IT capability maturity with a focus on a manageable number of considerations. © 2022 Authors. All rights reserved

    Integrating NIST and ISO Cybersecurity Audit and Risk Assessment Frameworks into Cameroonian Law

    This paper reviews cybersecurity laws and regulations in Cameroon, focusing on cybersecurity and information security audits and risk assessments. Cybersecurity risk assessment and the implementation of security controls to cure deficiencies noted during risk assessments or audits are critical steps in developing cybersecurity resilience. Cameroon's cybersecurity legal framework provides for audits but does not explicitly enumerate controls. Consequently, integrating relevant controls from the NIST frameworks and ISO standards can improve the cybersecurity posture in Cameroon while waiting for a comprehensive revision of the legal framework. NIST and ISO are internationally recognized as best practices in information security systems and cybersecurity risk management. This paper highlights the lack of specific international law provisions addressing cybersecurity audits and risk assessments. Overall, the paper highlights the importance of continuous risk assessment and monitoring, implementation of security controls, and compliance with organizational policies and relevant laws and regulations to ensure the adequate protection of information systems. Finally, the paper underscores the importance of improving Cameroon's cybersecurity regulations by integrating provisions from NIST and ISO

    INFORMATION SECURITY AND QUALITY MANAGEMENT SYSTEMS INTEGRATION: CHALLENGES AND CRITICAL FACTORS

    Implementing a new management system in organizations that already have a certified management system can be challenging. This research discusses enabler factors that influence the integration of an information security management system certified according to ISO 27001 with a quality management system certified according to ISO 9001. Five factors were identified as the basis of this research: Implementation Model, Human Resources, Resources Availability, Standard Issues, and Standards Integration. Four factors were validated through a qualitative study with consultants specialized in implementing and integrating these standards. Then, by prioritizing these factors through the Analytic Hierarchy Process method, it was found that the most relevant factor for the managers of the institution under study is Standards Integration. For specialist consultants, the most pertinent factor is Human Resources

    Improvement of IT infrastructure management by using configuration management and maturity models: a systematic literature review and a critical analysis

    Background and purpose: This research aims to investigate which benefits one may expect from using Maturity Models (MMs) in the Configuration Management (CM) domain. CM is a support process that helps organizations manage their infrastructure better. Its importance in the Information Technology (IT) domain has increased in recent years, even though the process is not technologically new, and many organizations implement it in a haphazard way, so that it does not produce the benefits it should. With the intention of assessing and improving organizations' IT process practices and capabilities, MMs have been developed and implemented. However, the application of MMs in the CM domain is yet to be explored. Design/Methodology/Approach: Two Systematic Literature Reviews (SLRs) and a Critical Analysis were performed. In sum, 80 scientific articles from the most highly rated conferences and scientific journals were analyzed and conclusions were drawn. Results: This research concludes that, although the CM process is often badly implemented, using an MM for this process could decrease operational costs and increase the quality management of the infrastructure. Conclusion: However, no MM has been developed so far for the CM process practices. Such an MM would be a viable support tool for IT organizations and providers, since it would help organizations have a mature CM process and better control of their IT infrastructure. Therefore, the existence of an MM for the CM domain would be a welcome advancement that should be developed in the future.

    AIM Triad: A Prioritization Strategy for Public Institutions to Improve Information Security Maturity

    In today’s world, private and government organizations are legally obligated to prioritize their information security. They need to provide proof that they are continually improving their cybersecurity compliance. One approach that can help organizations achieve this goal is implementing information security maturity models. These models provide a structured framework for measuring performance and implementing best practices. However, choosing a suitable model can be challenging, requiring cultural, process, and work practice changes. Implementing multiple models can be overwhelming, if possible at all. This article proposes a prioritization strategy for public institutions that want to improve their information security maturity. We thoroughly analyzed various sources through systematic mapping to identify critical similarities in information security maturity models. Our research led us to create the AIM (Awareness, Infrastructure, and Management) Triad. This triad is a practical guide for organizations to achieve maturity in information security practices. This work received partial support from Proyecto DIUFRO DI21-0079 and Proyecto DIUFRO DI22-0043, Universidad de La Frontera, Temuco, Chile

    ISMS according to ISO/IEC 27001:2013 for the control of IT assets in a private outsourcing company, Lima 2023

    The general objective of the study entitled “ISMS for the control of IT assets in private outsourcing companies according to ISO/IEC 27001:2013, Lima 2023” is to create an information security management system (ISMS) based on the ISO/IEC 27001:2013 standard to protect information assets. The method used in this study was based on a pre-experimental design, a correlational level and quantitative methods. The sample consists of 20 IT employees. Data were collected using two survey-type technical instruments to measure the variables. Both instruments were validated by 3 experts to guarantee their effectiveness and reliability. The results were analysed using SPSS software. The results show that there is a significant correlation between the two variables, ISMS and asset control. According to the Pearson correlation, a correlation coefficient of 0.713 was found, which indicates a strong correlation of the results, with statistical significance at p=0.000 (p < 0.05). Therefore, the researcher's hypothesis was accepted and the null hypothesis was rejected

    Respite for SMEs: a systematic review of socio-technical cybersecurity metrics

    Featured Application: The results of this work will be incorporated into an application for SMEs in Europe, which aims to improve cybersecurity awareness and resilience, as part of the EU Horizon 2020 GEIGER project. Cybersecurity threats are on the rise, and small- and medium-sized enterprises (SMEs) struggle to cope with these developments. To combat threats, SMEs must first be willing and able to assess their cybersecurity posture. Cybersecurity risk assessment, generally performed with the help of metrics, provides the basis for an adequate defense. Significant challenges remain, however, especially in the complex socio-technical setting of SMEs. Seemingly basic questions, such as how to aggregate metrics and ensure solution adaptability, are still open to debate. Aggregation and adaptability are vital topics for SMEs, as they require the assimilation of metrics into actionable advice adapted to their situation and needs. To address these issues, we systematically review socio-technical cybersecurity metric research in this paper. We analyse aggregation and adaptability considerations and investigate how current findings apply to the SME situation. To ensure that we provide valuable insights to researchers and practitioners, we integrate our results in a novel socio-technical cybersecurity framework geared towards the needs of SMEs. Our framework allowed us to determine a glaring need for intuitive, threat-based cybersecurity risk assessment approaches for the least digitally mature SMEs. In the future, we hope our framework will help to offer SMEs some deserved respite by guiding the design of suitable cybersecurity assessment solutions.

    Development of a hotel system to manage customer information, based on the operation section of the ISO 27001:2014 standard, for Hotel El Puerto

    The study entitled “Development of a hotel system to manage customer information, based on the operation section of the ISO 27001:2014 standard, for El Puerto Hotel, La Libertad” aims to determine how the development of a hotel system for managing customer information, based on the operation section of the ISO 27001:2014 standard, influences the company El Puerto Hotel La Libertad. This study used an applied methodology with a pre-experimental design and a quantitative approach; the population consists of 70 hotel workers and the sample of 50 workers. Data analysis was performed using SPSS software version 26. The results indicate that, if implemented, the system will improve information management and keep the information secure, secret and reliable. It is concluded that the development of a hotel system will improve information management, because the development of the system is supported by the ISO 2700 standard

    Science Communication in Portugal: The Case of Information Management and Curation

    Science communication makes it possible to connect scientific knowledge and society. Its importance has been growing and has been demonstrated through its establishment as a discipline in its own right, as well as through the increase in research directed at the subject. However, there are still areas to be explored, namely the communication of information management and curation (GCI). This study aims to understand how the science communication of the master's degree in information management and curation is carried out. We also sought to outline some science communication strategies, drawing on the expertise acquired through a literature review and knowledge of information management and curation. To better analyse and test our study, we formulated some hypotheses that serve as starting points for the observation and analysis of the theme: the communication of the master's degree in information management and curation is directed at diverse audiences, through traditional and modern channels; the communication of the master's degree in information management and curation is interdisciplinary; and science communication strategies improve the communication of the master's degree in information management and curation. The exploratory qualitative method was used, on the one hand, to familiarise us with the theme within this problem area and, on the other, to achieve the objectives using documentary research instruments. Some of the main conclusions of this investigation concern the diversity of audiences and channels used for the communication of the master's degree in GCI. The master's degree in GCI, despite being recent, has been communicating science to the 'academic community', but also to an 'attentive public', 'decision makers' and, to a lesser extent, 'mediators'. This communication is not restricted to a single science communication model but uses both the deficit model and the participation model. One of the main objectives of these communications is the dissemination and promotion of the master's course, the profession, and the GCI professional