Balanced Scorecard model for critical computer security controls according to the Center for Internet Security (CIS)

DOI:

https://doi.org/10.26439/interfases2020.n013.4876

Keywords:

Compliance, security and privacy, organizational modeling

Abstract

Across different sectors of human activity, organizations are adopting information technology (IT) more intensively, which exposes sensitive and confidential information of employees and customers. This situation leads public and private entities to develop standards and regulations to protect these information assets and ensure their confidentiality, integrity and availability. As a result of the study, a Balanced Scorecard model that links the critical security controls of the CIS is formulated and supported by an office IT application as a preliminary tool that facilitates the presentation of results. These results show that the largest share (80%) of the preliminary application carried out in five institutions agrees with the proposed model and with its usefulness for monitoring and managing security controls.

References

AT&T Cybersecurity. (2020). AlienVault OSSIM. Retrieved from https://cybersecurity.att.com/products/ossim

Caudle, S. (2008). The Balanced Scorecard: A Strategic Tool in Implementing Homeland Security Strategies. Homeland Security Affairs, 4(3).

CIS (Center for Internet Security). (2018). Homepage. Retrieved from https://www.cisecurity.org/

CNSS. (2015). Committee on National Security Systems (CNSS) Glossary. CNSS Instruction. https://doi.org/10.1016/0020-7292(88)90192-0

DeLooze, L. L. (2006). Creating a Balanced Scorecard for Computer Security. 2006 IEEE Information Assurance Workshop, 15-18. https://doi.org/10.1109/IAW.2006.1652071

Van Grembergen, W. (2005). Strategies for Information Technology Governance (J. Travers, M. Khosrow-Pour & A. Appicello, Eds.). London: Idea Group Inc. https://doi.org/10.4018/978-1-59140-140-7

Groš, S. (2019). A Critical View on CIS Controls. Cornell University. Retrieved from http://arxiv.org/abs/1910.01721

Gutzwiller, R. S., Hunt, S. M. & Lange, D. S. (2016). A Task Analysis toward Characterizing Cyber-Cognitive Situation Awareness (CCSA) in Cyber Defense Analysts. 2016 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA 2016), (March), 14-20. https://doi.org/10.1109/COGSIMA.2016.7497780

Herath, T., Herath, H. & Bremser, W. G. (2010). Balanced Scorecard Implementation of Security Strategies: A Framework for IT Security Performance Management. Information Systems Management, 27(1), 72-81. https://doi.org/10.1080/10580530903455247

IBM. (2020). Security information and event management (SIEM). Retrieved from https://www.ibm.com/security/security-intelligence

Indecopi. (2014). Norma Técnica Peruana NTP-ISO/IEC 27001-2014. Tecnología de la Información. Lima: Indecopi.

PCI Security Standards Council. (2016). Industria de tarjetas de pago (PCI). Norma de seguridad de datos. Requisitos y procedimientos de evaluación de seguridad. Versión 3.2. Retrieved from https://es.pcisecuritystandards.org/_onelink_/pcisecurity/en2es/minisite/en/docs/PCI_DSS_v3-2_es-LA.pdf

ISO/IEC. (2013). International Standard ISO/IEC-27002-2013. Switzerland.

Johnson, L. (2015). Security Controls Evaluation, Testing, and Assessment Handbook (C. Katsaropoulos, Ed.). Waltham: Elsevier. https://doi.org/10.1016/C2013-0-13416-2

Kaplan, R. & Norton, D. (2002). Cuadro de Mando Integral (The Balanced Scorecard). Barcelona: Ediciones Gestión 2000.

Kaplan, R. S. & Norton, D. P. (1996). The Balanced Scorecard: Translating Strategy Into Action. Proceedings of the IEEE. https://doi.org/10.1109/JPROC.1997.628729

Kaplan, R. S. & Norton, D. P. (2005). Cómo utilizar el Cuadro de Mando Integral. Barcelona: Gestión 2000.

Keyes, J. (2005). Implementing the IT Balanced Scorecard (1st ed.). Florida: Auerbach Publications. Retrieved from http://doi.wiley.com/10.1002/jcaf.20198

Marchand-Niño, W. R. (2013). Metodología de implantación del modelo Balanced Scorecard para la gestión estratégica de TIC. Caso: Universidad Nacional Agraria de la Selva. PIRHUA-Universidad de Piura. Retrieved from https://hdl.handle.net/11042/1842

Martinsons, M., Davison, R. & Tse, D. (1999). The Balanced Scorecard: a Foundation for the Strategic Management of Information Systems. Decision Support Systems, 25(1), 71-88. https://doi.org/10.1016/S0167-9236(98)00086-4

Montesino, R., Fenz, S. y Baluja, W. (2012). SIEM-based framework for security controls automation. Information Management & Computer Security, 20(4), 248-263. https://doi.org/10.1108/09685221211267639

National Institute of Standards and Technology. (2014). NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53Ar4, 462 pp.). https://doi.org/10.6028/NIST.SP.800-53Ar4

Perminov, P., Kosachenko, T., Konev, A. & Shelupanov, A. (2020). Automation of Information Security Audit in the Information System on the Example of a Standard "CIS Palo Alto 8 Firewall Benchmark". International Journal of Advanced Trends in Computer Science and Engineering, 9(2), 2085-2088. https://doi.org/10.30534/ijatcse/2020/182922020

Splunk. (2020). Splunk® Enterprise Security. Retrieved from https://www.splunk.com/en_us/software/enterprise-security.htm

Published

2020-12-22

Section

Research papers

How to Cite

Balanced Scorecard model for critical computer security controls according to the Center for Internet Security (CIS). (2020). Interfases, 13(013), 57-76. https://doi.org/10.26439/interfases2020.n013.4876