Modelo de gestión de riesgos de seguridad de la información para PYMES peruanas

Nowadays, companies seek to protect their information because it is a very valuable asset. In order to protect it, it is necessary to manage the risks, which will prevent scenarios that generate a negative impact such as significant financial losses, violation of the confidentiality of sensitive inf...

Descripción completa

Detalles Bibliográficos
Autores: García Porras, Johari C., Huamani Pastor, Sarita C., Lomparte Alvarado, Rómulo F.
Tipo de recurso: artículo
Estado:Versión publicada
Fecha de publicación:2018
País:Perú
Institución:Universidad Nacional Mayor de San Marcos
Repositorio:Revistas - Universidad Nacional Mayor de San Marcos
Idioma:español
OAI Identifier:oai:revistasinvestigacion.unmsm.edu.pe:article/14856
Acceso en línea:https://revistasinvestigacion.unmsm.edu.pe/index.php/rpcsis/article/view/14856
Access Level:acceso abierto
Palabra clave:Gestión de riesgos
Seguridad de la Información
Pymes
OCTAVE
ISO/IEC 27005.
Risk Management
Security Information
SMES
Descripción
Sumario:Nowadays, companies seek to protect their information because it is a very valuable asset. In order to protect it, it is necessary to manage the risks, which will prevent scenarios that generate a negative impact such as significant financial losses, violation of the confidentiality of sensitive information, loss of integrity, or the availability of confidential information. Organizations such as SMEs do not implement risk management models because they do not care about allocating a budget for information security. There are different approaches that are used to manage the risks, but, in general, these focus on big companies. However, those that target SMEs have a qualitative approach. This paper presents a suitable risk management model, based on the OCTAVE-S methodology and the standard ISO/IEC 27005, it consists of the 3 phases of OCTAVE to which is added the list of vulnerabilities and scenarios in phase 1, as well as the calculation and treatment of the risk of ISO/IEC 27005 in the last phase. Likewise, the model takes a quantitative approach that allows to calculate the residual risk based on the effectiveness of the controls given, creating a suitable model for the organizations, in order to and, therefore, to facilitate decision making. This model has been applied in a Peruvian clay-ceramic industry SME in its sales process, showing its easy use and managing to identify the necessary controls to reduce the risk, whose implementation could reduce the risk by 53%.