Information Security Maturity Assessment Model in the IT Departments of the Oil Industry Subsidiaries in Iran
Subject Areas : Investigating the optimal situation of technology growth in the country and how to achieve itReza Radfar 1 , Fatemeh akhavan 2 *
1 -
2 -
Abstract :
The business approach and risk management framework of the company through the establishment and maintenance of the information security management system (ISMS) is a framework for identifying, assessing, controlling and managing the risks associated with information security in the company. It is based on privacy standards, integrity and availability of information assets. In the present report, not only a model for evaluating the information security maturity in the headquarters of one of the oil industry companies is developed, but also the defect analysis and implementation of the existing organization are initially carried out in accordance with the requirements of ISO 27000. By defining the indicators of evaluation and measurement of these indicators in the organization, its maturity is estimated in this security standard. Different models are presented to identify the weaknesses and security powers of a particular organization. The goal is to identify a gap between theory and practice that can be approximated by the process-oriented approach. The puberty model introduced and used in this project, provides a starting point for implementing security, a public view of security, and a framework for prioritizing operations. This model of information security maturity has 5 phases. (The maturity model is information security as a tool for assessing the ability of organizations to meet security goals, that is, confidentiality, integrity and availability, and prevent attacks and access to the mission of the organization in spite of attacks and accidents)??. This model defines a process that has all aspects of security management, measurement, and control. The results of the evaluation show that the organizations which have security investments ahead of time have to understand the needs for high-level management of information security in the organization, and in addition to the actions taken in the field of physical environment, network and personal computers, controls access and encryption have been made to identify the necessary training and culture.
1- هیأتوزیران, تصویبنامه. "تصویبنامه درخصوص تعیین سند راهبردی امنیت فضای تولید و تبادل اطلاعات کشور." مرکز پژوهشهای مجلس شورای اسلامی ایران. 1387.
2- سازمان فناوري اطلاعات ايران، "سامانه مدیریت امنیت اطلاعات دستگاههای اجرایی." درگاه پایش جامعه اطلاعاتی جمهوری اسلامی ایران. 1394.
3- Nader, Sohrabi Safa, Rossouw Von Solms, and Steven Furnell. "Information security policy compliance model in organizations." Elsevier (computers & security 56 (2016)), 2015: 1-13.
4- Werlinger, Rodrigo, and and et al. "Security Practitioners in Context:Their Activities and Interactions withOther Stake holders within Organizations." International Journal of Human-Computer Studies, 2009: 584-606.
5- Arachchilage, Nalin Asanka Gamagedara, and and et al. "Phishing threat avoidance behaviour: An empirical investigation." Elsevier (Computers in Human Behavior 60 (2016)), 2015: 185-197.
6- ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems – Requirements, 2013.
7- bsi. (2017). Available at: https://www.bsigroup.com/en-VN/ISOIEC-27001-Information-Security/
8- Proença, D., & Borbinha, J. (2018, June). Information Security Management Systems - A Maturity Model Based on ISO/IEC 27001. In Business Information Systems (pp. 102-114). doi:10.1007/978-3-319-93931-5_8
9- Rosenzweig, Roy . "Scarcity or Abundance? Preserving the Past in a Digital Era." The American Historical Review, 2003: 735–762.
10- Anderson, Ross, et al. "Measuring the Cost of Cybercrime." The Economics of Information Security and Privacy, October 2013: 265-300.
11- PERLROTH, NICOLE. Hackers in China Attacked The Times for Last 4 Months. TECHNOLOGY, New York: The New York Times Company, JAN. 30, 2013.
12- SANGER, DAVID E. In Cyberspace, New Cold War. New York: The New York Times Company, FEB. 24, 2013.
13- Saleh, Malik F. "Information Security Maturity Model." International Journal of Computer Science and Security (IJCSS), July / August 2011: 316 - 337 .
14- H. van Loon, “Process Assessment and Improvement: A Practical Guide,” Jan. 2015.
15- 16. J. Becker, R. Knackstedt, J. Pöppelbuβ, “Developing maturity models for IT management: A procedure model and its application,” Business and Information Systems Engineering, Vol. 3, pp 213-222, 2009
16- "https://www.commoncriteriaportal.org/ccra/." https://www.commoncriteriaportal.org/. 2005.
17- CMMI Product Team, “CMMI for Development, Version 1.3,” Carnegie Mellon Univ., no. November, p. 482, 2010.
18- https://www.isaca.org/resources/cobit. (2020). Retrieved from ISACA.
19- Xiao-yan, Ge, Yuan Yu-qing, and Lu Li-lei. "An Information Security Maturity Evaluation Model." 2011 International Conference on Advances in Engineering. Procedia Engineering, 2011. 335-339.
20- Hefner, R. and Monroe." System security engineering capability maturity model." Software Process Improvement. 1997.
21- Johnson, L A, Kelley L Dempsey, Ronald S, and Ross S. "https://www.nist.gov/publications/guide-security-focused-configuration-management-information-systems." https://www.nist.gov/. August 12, 2011.
22- Office, Cabinet, and National security and intellige. "https://www.gov.uk/government/publications/hmg-personnel-security-controls." https://www.gov.uk/. April 1, 2013.
23- Wiley, John, and Sons. Capability Maturity Model® Integration (CMMI), Version 1.1--Continuous Representation. Technical, Carnegie Mellon University, 05 February 2002.
24- ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems – Requirements, 2005.
25- Freeman, J.W., Neely, R.B., & Heckard, M.A. “A Validated Security Policy Modeling Approach.” Proceedings of the 10th Annual Computer Security Applications Conference, Orlando, FL, 189-200., (1994).
26- Bruce, Glen, & Dempsey, Rob. “Security in Distributed Computing: Did You Lock the Door?” Upper Saddle, River, NJ: Prentice Hall PTR, Prentice-Hall, Inc., (1997)