Preparation of an audit instrument that evaluates the logical security applicable in servers in Public Institutions of Higher Education of Zone 5 of Ecuador

Keywords: information security, information asset security, web server audit, ISO 27002, NIST 800-53

Abstract

The globalization of information technology leads Public Institutions of Higher Education of the Republic of Ecuador to protect the security of their information and information assets through audits of web servers. The importance of evaluating the logical security of these servers lies in the relationship between information security and the analysis and selection of standards that allow security controls, and their validation techniques, to be aligned through reliable and relevant instruments. The objective of this research is to design an instrument for auditing servers that host web applications, based on the ISO 27002:2013 standard. For this study, descriptive qualitative research was chosen to reflect human attitudes towards the use and control of information security, information asset security and the executive decrees that led to the analysis of ISO 27002:2013 and NIST 800-53 R4. An instrument with 82 items is created, with validity and reliability provided by a focus group and expert judgment, which makes it possible to draw up corrective plans for web servers and their vulnerabilities and to adopt security measures for HEIs, avoiding economic losses or delays in the delivery of computer services that could lead to deterioration of the organization's.



Published
2020-09-14
How to Cite
Chifla-Villón, M., Puma-Aucapiña, L., & Villacís-Real, K. (2020). Preparation of an audit instrument that evaluates the logical security applicable in servers in Public Institutions of Higher Education of Zone 5 of Ecuador. Science Magazine Unemi, 13(34), 127-143. https://doi.org/10.29076/issn.2528-7737vol13iss34.2020pp127-143p
Section
Scientific Articles