Preparation of an audit instrument that evaluates the logical security applicable in servers in Public Institutions of Higher Education of Zone 5 of Ecuador
DOI: https://doi.org/10.29076/issn.2528-7737vol13iss34.2020pp127-143p
Keywords: information security, information asset security, web server audit, ISO 27002, NIST 800-53
Abstract
The globalization of information technology worldwide leads Public Institutions of Higher Education of the Republic of Ecuador to protect the security of their information and information assets through audits of web servers. The importance of evaluating the logical security of these servers lies in the relationship between information security, the analysis and selection of standards that allow the security controls to be aligned, and the validation of those controls through reliable and relevant instruments. The objective of this research is to design an instrument for auditing servers that host web applications, based on the ISO 27002:2013 standard. For this study a descriptive qualitative research design was chosen, reflecting human attitudes towards the use and control of information security and information asset security, together with the executive decrees that led to the analysis of ISO 27002:2013 and NIST 800-53 R4. An instrument with 82 items is created, whose validity and reliability are provided by a focus group and expert judgment; it makes it possible to draw up corrective plans for web servers and their vulnerabilities and to adopt security measures for HEIs, avoiding economic losses or delays in the delivery of computing services which could lead to deterioration of the organization's.
License
Authors can keep the copyright, granting the journal the right of first publication. Alternatively, authors can transfer copyright to the journal, which allows authors non-commercial use of the work, including the right to place it in an open access archive.