dc.contributor.advisor: Mayol Arnao, Reinaldo Nicolás [spa]
dc.contributor.author: Gómez Nova, Arelis [spa]
dc.date.accessioned: 2020-06-26T21:34:49Z
dc.date.available: 2020-06-26T21:34:49Z
dc.date.issued: 2017
dc.identifier.uri: http://hdl.handle.net/20.500.12749/3441
dc.description.abstract [spa, translated]: Information is steadily gaining value for organizations, regardless of their purpose or their sector of activity, and is now regarded as an intangible asset that provides competitive advantage. Its proper handling requires technological tools that facilitate data processing, report generation and decision making. The use of technology has transformed how companies perform and develop; as a consequence, it has also become a means of widening the margin of IT risk, a factor that keeps growing with the rise of the digital era and the Internet. The proposal arose from identifying the absence of security audit processes for systems oriented to academic management and information at the Universidad Pontificia Bolivariana, Seccional Bucaramanga. On that basis, this research set out to contribute to the detection of threats and vulnerabilities in order to mitigate IT risk, by designing a methodology for auditing the inclusion and quality of security criteria in the delivery of academic services through information systems. The structure of the methodology defines three dimensions considered relevant for developing an audit programme. For each dimension, a criterion was established and evaluated by verifying the existence of security controls. The controls were defined by a list of requirements whose purpose is to validate their implementation. To verify the methodology, the designed measurement instruments were applied at a higher education institution, the results were analysed, a technical opinion on the detected findings and the recommendations was issued, and the completeness and validity of the methodology's design were verified.
dc.description.sponsorship: Universitat Oberta de Catalunya UOC [spa]
dc.description.tableofcontents [spa, translated]:
  INTRODUCTION
  1. BACKGROUND 27
  2. METHODOLOGICAL FRAMEWORK 30
  2.1 Problem to Solve 30
  2.2 Justification 30
  2.3 Research Question 31
  2.4 Research Objectives 31
  2.5 Scope of the Proposal 32
  2.6 Expected Results 32
  3. CONCEPTUAL FRAMEWORK 34
  3.1 State of the Art 34
  3.2 Theoretical Foundations 46
  4. METHODOLOGICAL DESIGN 84
  4.1 Methodological Description 84
  4.2 Definition of the Dimensions to Evaluate 84
  4.3 Security Criteria for Evaluating the Established Dimensions 85
  5. DESIGN OF THE INSTRUMENTS 88
  5.1 Questionnaire 88
  5.2 Risk Analysis Matrix 89
  6. AUDIT PROGRAMME LIFE-CYCLE STRUCTURE 92
  6.1 Principles and General Considerations 93
  7. RESULTS OF APPLYING THE INSTRUMENTS 96
  7.1 Instrument 1 (questionnaire) 97
  7.2 Instrument Two (risk analysis matrix, Criterion 2) 109
  7.3 Instrument Three (risk analysis matrix, Criterion 3) 118
  7.4 Executive Report 125
  8. VERIFICATION OF THE COMPLETENESS AND VALIDITY OF THE METHODOLOGY 131
  8.1 Completeness 131
  8.2 Validity 132
  9. CONCLUSIONS 135
  10. FUTURE LINES OF RESEARCH 138
  11. BIBLIOGRAPHY 139
dc.format.mimetype: application/pdf [spa]
dc.language.iso: spa [spa]
dc.rights.uri: http://creativecommons.org/licenses/by-nc-nd/2.5/co/
dc.title: Diseño de una metodología para auditar la seguridad de la información en productos de software orientados a servicios de gestión e información en instituciones de educación superior [spa]
dc.title.translated: Design of a methodology to audit information security in software products oriented to management and information services in higher education institutions [eng]
dc.degree.name: Master in Software Management, Application and Development [spa, translated]
dc.coverage: Bucaramanga (Colombia) [spa]
dc.publisher.grantor: Universidad Autónoma de Bucaramanga UNAB [spa]
dc.rights.local: Open (Full Text) [spa, translated]
dc.publisher.faculty: Faculty of Engineering [spa, translated]
dc.publisher.program: Master's Programme in Software Management, Application and Development [spa, translated]
dc.description.degreelevel: Master's [spa, translated]
dc.type.driver: info:eu-repo/semantics/masterThesis
dc.type.local: Thesis [spa, translated]
dc.type.coar: http://purl.org/coar/resource_type/c_bdcc
dc.subject.keywords [eng]: Methodology; Audit; Post-secondary institution; Software development; Technological solutions; Systems engineer; Free software; Computer security; Data protection; Research; Analysis
dc.identifier.instname: instname:Universidad Autónoma de Bucaramanga - UNAB [spa]
dc.identifier.reponame: reponame:Repositorio Institucional UNAB [spa]
dc.type.hasversion: info:eu-repo/semantics/acceptedVersion
dc.rights.accessrights: info:eu-repo/semantics/openAccess [spa]
dc.rights.accessrights: http://purl.org/coar/access_right/c_abf2 [spa]
dc.relation.references: Gómez Nova, Arelis (2017). Diseño de una metodología para auditar la seguridad de la información en productos de software orientados a servicios e información en instituciones de educación superior. Bucaramanga (Colombia): Universidad Autónoma de Bucaramanga UNAB, Universitat Oberta de Catalunya UOC [spa]
dc.contributor.cvlac: https://scienti.minciencias.gov.co/cvlac/visualizador/generarCurriculoCv.do?cod_rh=0001436025
dc.contributor.orcid: https://orcid.org/0000-0003-3854-812X
dc.contributor.researchgate: https://www.researchgate.net/profile/Reinaldo_Mayol
dc.subject.lemb [spa, translated]: Systems engineering; Free software; Computer security; Data protection; Research; Analysis
dc.description.abstractenglish [eng]: Information is increasing in value for organizations each day, regardless of their reason for being or their sector of activity, placing it as an intangible asset that provides competitive advantage. A set of technological tools must be used for the adequate treatment of information, supporting data processing, report generation and decision making. The use of technology has transformed the performance and development of businesses, and has thus also become a channel that broadens IT risk, one of the main causes being the upswing of the digital era and the Internet. The proposal arose from the identification of the lack of security audit processes for systems oriented to management and academic information at the Pontificia Bolivariana University, Bucaramanga, Colombia. Based on the above, the purpose of this investigation was to contribute to the detection of threats and vulnerabilities in order to attenuate computer risk, using a designed methodology to audit the inclusion and correctness of security criteria in the academic services offered through information systems. In the methodology structure, three dimensions were defined, considered relevant to develop an audit program. For every dimension, a criterion was established and evaluated by verifying the existence of security controls. Those security controls were defined by a list of requirements, with the aim of validating their implementation. To validate the methodology, the designed measuring instruments were applied in a university institution. An analysis of the outcome was performed, the technical opinion on the detected findings and the recommendations were issued, and the completeness and validity of the design of the methodology were verified.
dc.subject.proposal [spa, translated]: Methodology; Audit; Higher education institution; Software development; Technological solutions; ISO 27000
dc.rights.creativecommons: Atribución-NoComercial-SinDerivadas 2.5 Colombia (Attribution-NonCommercial-NoDerivatives 2.5 Colombia)