The growth in the production of digital information, together with the challenges of securing communications and of maintaining and safeguarding data, goes hand in hand with an increase in cybercrime, manifested through intrusion techniques and vulnerability exploitation. This scenario requires companies to improve their security paradigms; otherwise they risk compromising an asset that is fundamental to their very existence: INFORMATION.
To better face the dangers and challenges of a presence in cyberspace, the public company Investimentos Habitacionais da Madeira, EPERAM (IHM) set out to analyze and raise its level of information and communications security in line with best practice in this area, because, despite the procedures already in place, security events were still mostly handled downstream and reactively. After surveying the state of the art on information security standards, frameworks and certifications, consulting the related legislation and analyzing the company's current situation, a risk-management-based methodology was proposed for the establishment, implementation, maintenance and continuous improvement of an information security management system, through a set of 18 processes framed within the NP ISO/IEC 27001:2013 standard. In parallel, to ensure its sustainability, the continuous PDCA cycle was applied, which made it possible for security controls to be implemented and measured from the outset. The NIST SP 800-61r2 standard, with 4 processes, was incorporated into the proposed methodology because of its specificity in the field of incident management.
The implementation resulted in the definition of 8 policies, accompanied by 47 security controls, of which 37 were measured. The results made it possible to identify, through a color scheme, the most pressing improvements needed. The use of the COBIT 5 model for corporate governance and information technology management contributed to the subsequent analysis of process capability and the measurement of process maturity.
Keywords: Information security; Risk management; ISO/IEC Standard 27001:2013; Security policies; Operations security; Communications security; NIST Standard SP 800-61r2; Incident management; COBIT Framework 5; RGPD (GDPR); Auditing
Publication Year: 2018
Student: Carla Margarida Rocha Carvalho
Advisor: Prof. Dr. Eduardo Miguel Dias Marques
University: University of Madeira (Portugal)