
    Compliance with Saudi NCA-ECC based on ISO/IEC 27001

    Organizations are required to implement an information security management system (ISMS) to establish a central cybersecurity framework, reduce costs, treat risks, and so on. Several ISMS standards have been issued and implemented locally and internationally. In Saudi Arabia, the most widely implemented international ISMS standard is ISO/IEC 27001. Recently, the Saudi National Cybersecurity Authority (NCA) issued a local framework called the Essential Cybersecurity Controls (NCA-ECC). Therefore, many ISO/IEC 27001-certified organizations in Saudi Arabia are trying to convert from ISO/IEC 27001 to NCA-ECC or to comply with both frameworks. To do so, cybersecurity experts need to know which NCA-ECC controls are already implemented by virtue of ISO/IEC 27001 and which are not. This paper first measures the extent to which ISO/IEC 27001-certified Saudi organizations comply with the NCA-ECC. Second, it presents a framework for complying with the NCA-ECC controls that are unimplemented or only partially implemented. The framework can also help organizations comply with both frameworks, if required. Three ISO/IEC 27001-certified Saudi public universities are selected as samples, and the data is collected by interviewing the cybersecurity officers of the selected universities. This research shows that ISO/IEC 27001-certified organizations are approximately 64% in compliance with the NCA-ECC. The presented framework can help any ISO/IEC 27001-certified Saudi organization convert from ISO/IEC 27001 to NCA-ECC quickly and cost-effectively by addressing only the NCA-ECC nonconformities.

    Analysis and Development of Information Security Framework for Distributed E-Procurement System

    This paper proposes an information security framework for the distributed E-Procurement system in Indonesia. E-Procurement has been implemented in Indonesia since 2008 and has provided many benefits. However, its use of IT also raises information security issues, and an information security program is needed to address them. We compare and analyze the LPSE Standard and ISO 27001 to develop the framework. The results show that there are gaps between the LPSE Standard and ISO 27001. By implementing the proposed framework, LPSE, as the provider of the distributed E-Procurement system, can more easily implement the LPSE Standard and ISO 27001 simultaneously, as it is obliged to do under government regulation.

    Practical Guidelines and Major Issues in Information Security Management Systems Implementations

    Information is a major asset for any organization, public or private. Threats to information and information-handling resources are continuously getting more sophisticated. Also, regulatory requirements for data and system protection are increasing in both number and complexity. There are a number of frameworks to deal with these issues systematically and effectively. One such framework is the ISO 27001 Information Security Management System (ISMS), which provides a framework for organizations to protect themselves against internal and external threats as well as natural disasters. The ISMS provides guidelines on how to manage information processing, storage and transmission with appropriate controls in order to avoid security breaches. The ISMS considers people, policies and IT technology as the major categories of a security system. An organization's personnel have to be trained in establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the ISMS. Implementation of an ISMS requires a role-model attitude from top management. Without visionary and supportive leadership, the ISMS cannot be used to properly identify and address the risks to an organization. Practice shows that an effective ISMS operation may require major changes to some routine work practices. Clear direction from senior managers as well as coordination and support among team members is crucial for a successful ISMS project. In this work, some practical guidelines for a successful, cost-effective and functional ISMS implementation will be provided. Also, observations gathered from years of audit trails and lessons obtained through practical application will be presented. Major considerations for the success or failure of security systems will be discussed.
    It is concluded that security is the preparation of adequate policies, procedures and instructions and the support of well-informed, diligent people, rather than the use of sophisticated high technology. The importance of the human factor for the success of such management systems will be exemplified with real-life cases.

    ISMS role in the improvement of digital forensics related processes in SOCs

    Organizations concerned with a digital or computer forensics capability, which establishes the procedures and records needed to support a prosecution for computer crimes, could benefit from implementing an ISO 27001:2013-compliant information security management system (ISMS). A certified ISMS adds credibility to information gathered in a digital forensics investigation: certification shows that an outside party has verified that the correct procedures are in place and being followed. A certified ISMS is a valuable tool both when prosecuting an intruder and when a customer or other stakeholder seeks damages against the organization. A SOC (Security Operation Center), as an organization or security unit that handles a large volume of information, requires a management complement, for which an ISMS would be a good choice. This idea will help find solutions to problems related to non-cloud and cloud digital forensics, including the problems associated with the absence of standardization among different CSPs (cloud service providers). Comment: 8 pages, 4 figures, 1 table

    Applying data protection part of ISO 27001 to patient and user data produced by medical devices – Case: disease specific quality registers

    Data protection may be considered a subset of information security, consisting of the rules that define who may have access to what data and under what conditions. Rules concerning the handling of personally identifiable information have also become a major topic of discussion with regulation such as the European Union's GDPR. To improve the protection of personally identifiable information, initiatives such as MyData and IHAN have been developed. In the field of information security, standards such as ISO 27001 exist to improve and unify information security in organizations. This thesis studies the requirements that the data protection initiatives MyData and IHAN impose on organizations processing personally identifiable information, as well as the requirements imposed by the ISO 27001 standard. The requirements of MyData and IHAN are compared to the ISO 27001 standard, along with a case study that looks at the requirements of both in the context of patient data stored and processed in disease-specific quality registers. A gap analysis of the ISO 27001 security controls is performed to evaluate the current situation against the standard's requirements. Suggestions for measures to meet the different potential requirements of MyData and IHAN are also given, along with a discussion of their relevance to disease-specific quality registers. Legal aspects of the protection of patient data are, however, outside the scope of this work.

    The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda

    Purpose – After 15 years of research, this paper aims to present a review of the academic literature on ISO/IEC 27001, the most renowned standard for information security and the third most widespread ISO certification. Emerging issues are reframed through the lens of social systems thinking, deriving a theory-based research agenda to inspire interdisciplinary studies in the field. Design/methodology/approach – The study is structured as a systematic literature review. Findings – Research themes and sub-themes are identified under five broad research foci: relation with other standards, motivations, issues in implementation, possible outcomes and contextual factors. Originality/value – The study presents a structured overview of the academic body of knowledge on ISO/IEC 27001, providing solid foundations for future research on the topic. A set of research opportunities is outlined with the aim of inspiring future interdisciplinary studies at the crossroads between information security and quality management. Managers interested in implementing the standard, and policymakers, can find an overview of academic knowledge useful to inform their decisions on implementation and regulatory activities.

    SANI: An assistant for information security audits based on ISO/IEC 27001

    Information security is a fundamental aspect of any organization, not something exclusive to large companies. Implementing good practices in security management is relevant to remaining competitive; however, adopting a standard in this regard is a tedious and expensive process for small companies. Audits are part of the proper management of information security, as they help to prevent incidents and mitigate risks to information assets. Many auditing applications are developed and executed in private technological settings, are expensive or not available to the community, or focus on functionality but have serious difficulties in guaranteeing or documenting confidentiality and anonymity services. With this problem in mind, SANI, an alternative tool that implements these capabilities, was designed, developed, and tested in a real operating scenario.

    Information security is a fundamental aspect of every organization and is not exclusive to large companies; having good security management practices is relevant to being competitive in that context, yet adopting a standard in this regard is a tedious and costly process for small companies. Audits are part of proper information security management; they help prevent incidents and also mitigate risks to information assets. Many applications of this kind are developed and run in private technological settings or are costly; they are not available to the community and focus on functionality, but have serious difficulties in guaranteeing or documenting confidentiality and anonymity services. For this purpose, an alternative tool called SANI was designed and developed; it implements these capabilities, which were verified in a real operating scenario.