Mapping the variations for implementing information security controls to their operational research solutions
Mauricio Diéguez1 · Jaime Bustos2 · Carlos Cares1
Received: 1 June 2018 / Revised: 29 March 2019 / Accepted: 2 April 2020
© Springer-Verlag GmbH Germany, part of Springer Nature 2020
Abstract

Information Security Management is currently guided by process-based standards. Achieving one or some of these standards means deploying their corresponding set of security controls under different constraints on resources, budgets, information assets to protect, and risks to avoid or mitigate, among other factors. This constitutes a complex combinatorial problem in the decision-making process. To select, schedule and deploy these security controls, qualitative approaches have mainly been proposed. Quantitative approaches to information security management are just emerging, and they have been applied only to simplified theoretical cases. The purpose of this paper is to support the notion that the problems of implementing information security controls, in the sense of being put into effect, can be formulated as a family of existing and already solved optimization problems. The main result is a mapping from a set of seven information security management types of problems to their corresponding operational research formulations. A solved case from a governmental institution illustrates the use of the proposed map.

Keywords: Information security management · Security standard · Security controls · Optimization · Operational research
1 Introduction

Today, information is deemed an essential element in any organization, regardless of whether it is a public or private organization. Information, as a strategic asset, provides positioning and competitive advantages in the market, and its protection enables the continuous operation of an organization.
* Corresponding author: Mauricio Diéguez, [email protected]
1 Department of Computer Sciences and Informatics, Universidad de La Frontera, Av. Francisco Salazar, 01145 Temuco, Chile
2 Department of Industrial Engineering and Systems, Universidad de La Frontera, Temuco, Chile
As a formal way of protecting their information, management initiatives looked to deploy a known set of good management practices. These practices subsequently became the standards for information security that are recognized and implemented worldwide, and today they constitute the formalized controls of information security standards (Humphreys 2011). Therefore, a standard for information security consists of a set of rules that aims to regulate a company's operation, with a special emphasis on information management and information assurance. In general, the accomplishment of any information security standard means achieving a set of objectives, obtaining resources or implementing actions defined by the standard (Pereira and Santos 2014). All of these elements are known as information security controls (Yau 2014). Today, a variety of Information Security Standar