Implementation of an Information Security Management System Based on the ISO/IEC 27001: 2013 Standard for the Information Technology Division

Conference paper. In: Advances in Emerging Trends and Technologies (ICAETT 2020)

Abstract

The Information Technology Directorate (DTI) of the Micaela Bastidas de Apurímac National University (UNAMBA) [1] is in charge of managing the university's information and technology and must safeguard the computing assets under its responsibility. However, it had no plan, standard, or directive for protecting that information correctly. Our research therefore aimed to improve the level of information security in the DTI of UNAMBA by implementing an Information Security Management System (ISMS) based on ISO/IEC 27001:2013 [2], the standard that specifies the requirements for establishing, operating, and continually improving an ISMS that preserves the confidentiality, integrity, and availability of information and information systems.

Regarding the research methodology, the research is applied, with a pre-experimental design. The ISMS was designed following Deming's PDCA cycle (Plan, Do, Check, Act) [3]: identify the information assets, analyse and manage their risks, define response actions (controls) to mitigate the risks identified, and establish information security policies. Risk analysis and management followed the MAGERIT version 3 methodology [4]. The sample was n = 20 people.

As results, the level of security risk fell from 86.15% before the controls were implemented to 11.15% afterwards, a decrease of 75 percentage points. The number of implemented controls also increased: before the risk treatment plan was carried out, only 18 of the 114 ISO/IEC 27001:2013 Annex A controls (15.78%) were in place, and afterwards 65 (57.01%), an increase of 41.23 percentage points. Finally, information security awareness among DTI users improved: before the ISMS was implemented, only 48% of respondents had knowledge of information security, rising to 95% afterwards.

References

  1. UNAMBA Rationalization Office: Organization and Functions Manual. Abancay (2018)
  2. ISO Software: ISO 27001 - ISO 27001 Management Systems Software (2018). https://www.isotools.org/normas/riesgos-y-seguridad/iso-27001/. Accessed 21 July 2018
  3. PDCA Home: PDCA Cycle (Plan, Do, Check and Act): Deming's circle of continuous improvement (2018). https://www.pdcahome.com/5202/ciclo-pdca/. Accessed 25 July 2018
  4. General Directorate for Administrative Modernization, Procedures and Promotion of Electronic Administration: MAGERIT version 3.0. Information Systems Risk Analysis and Management Methodology. Ministry of Finance and Public Administrations, Madrid (2012)
  5. Bertolín, J.A.: Information Security. Networks, Computing and Information Systems. Editorial Paraninfo (2008)
  6. Alcantara Ramirez, M.A.: Strategy for adapting a university information security management system to cloud computing (2019)
  7. Doria Corcho, A.F.: Design of an Information Security Management System by applying the ISO 27001:2013 standard in the office of information systems and telecommunications at the University of Cordova. Monteria (2015)
  8. Guerrero Angulo, Y.C.: Information Security Management System (ISMS) based on ISO 27001 and 27002 for the computer and telecommunications unit of the University of Nariño. Pasto (2014)
  9. Martinez Ramos, J.: Management System to Improve Information Security in the Institution Industrial Services of the Navy. Nuevo Chimbote (2014)
  10. Alcantara Flores, J.C.: In the ISO/IEC 27001 standard, to support security in the computer systems of the PNP northern police station in the city of Chiclayo. Chiclayo (2015)
  11. Aliaga Flores, L.C.: Design of an information security management system for an educational institute. Lima (2013)
  12. Zeña Ortiz, V.E.: International standard ISO 27001 for the management of information security in the central office of informatics of the UNPRG. Lambayeque (2015)


Author information

Corresponding author: Mario Aquino Cruz.

Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Aquino Cruz, M., Huallpa Laguna, J.N., Huillcen Baca, H.A., Carpio Vargas, E.E., Palomino Valdivia, F.d.L. (2021). Implementation of an Information Security Management System Based on the ISO/IEC 27001: 2013 Standard for the Information Technology Division. In: Botto-Tobar, M., S. Gómez, O., Rosero Miranda, R., Díaz Cadena, A. (eds) Advances in Emerging Trends and Technologies. ICAETT 2020. Advances in Intelligent Systems and Computing, vol 1302. Springer, Cham. https://doi.org/10.1007/978-3-030-63665-4_21
