Abstract
This paper studies the maturity of Information Security Management Systems in the public sector of Ecuador. A theoretical study identified five factors that make up an effective Information Security Management System: internal organizational control, information security policy, information security culture, technical activities for information security, and new technologies. The five factors were evaluated on a scale to determine the maturity level of the information security process as perceived by ICT (Information Technology and Communication) managers of public sector entities. The analysis showed that technical activities for information security was the factor with the highest level of maturity, owing to the implementation of technological tools by ICT personnel. Internal organizational control, on the other hand, was the least mature factor, indicating that this area needs more attention. Although international information security standards are required in most public entities, the process is still at a level of maturity between repeatable and defined.
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Patiño, S., Yoo, S.G. (2018). Study of the Maturity of Information Security in Public Organizations of Ecuador. In: Valencia-García, R., Alcaraz-Mármol, G., Del Cioppo-Morstadt, J., Vera-Lucio, N., Bucaram-Leverone, M. (eds) Technologies and Innovation. CITI 2018. Communications in Computer and Information Science, vol 883. Springer, Cham. https://doi.org/10.1007/978-3-030-00940-3_8
DOI: https://doi.org/10.1007/978-3-030-00940-3_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00939-7
Online ISBN: 978-3-030-00940-3
eBook Packages: Computer Science, Computer Science (R0)