Abstract
The information society is increasingly dependent on Information Security Management Systems (ISMSs), and the availability of these systems has become crucial to the evolution of Small and Medium-sized Enterprises (SMEs). However, this type of company requires ISMSs that have been adapted to its specific characteristics. In this paper we present the strategy that we have designed for the management and reuse of security information in the information system security management process. This strategy is set within the framework of a methodology that we have designed for the integral management of information system security and maturity, named “Methodology for Security Management and Maturity in Small and Medium-sized Enterprises (MSM2-SME)”. This model is currently being applied in real cases, and is thus constantly improving.
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Sánchez, L.E., Santos-Olmo, A., Fernández-Medina, E., Piattini, M. (2010). Building ISMS through the Reuse of Knowledge. In: Katsikas, S., Lopez, J., Soriano, M. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2010. Lecture Notes in Computer Science, vol 6264. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15152-1_17
DOI: https://doi.org/10.1007/978-3-642-15152-1_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15151-4
Online ISBN: 978-3-642-15152-1
eBook Packages: Computer Science, Computer Science (R0)