dc.contributor.advisor | Mayol Arnao, Reinaldo Nicolás | spa |
dc.contributor.author | Gómez Nova, Arelis | spa |
dc.date.accessioned | 2020-06-26T21:34:49Z | |
dc.date.available | 2020-06-26T21:34:49Z | |
dc.date.issued | 2017 | |
dc.identifier.uri | http://hdl.handle.net/20.500.12749/3441 | |
dc.description.abstract | Information is taking on ever greater value for organizations, regardless of their purpose or the sector in which they operate; it is positioned as an intangible asset that provides competitive advantage. To handle it properly, organizations must turn to technological tools that facilitate data processing, report generation and decision making. The use of technology has transformed the performance and development of companies; as a consequence, it has also become a means of widening the margin of IT risk, a factor on the rise because of the boom of the digital era and the Internet. The proposal arose from identifying the lack of security audit processes for systems oriented to academic management and information at the Universidad Pontificia Bolivariana, Seccional Bucaramanga.
On that basis, the purpose of this research was to contribute to the detection of threats and vulnerabilities in order to mitigate IT risk, by designing a methodology to audit the inclusion and quality of security criteria in the delivery of academic services through information systems. In the structure of the methodology, three dimensions were defined, considered relevant for developing an audit program. For each dimension, a criterion was established, subject to evaluation by verifying the existence of security controls. The controls were defined by a list of requirements, for the purpose of validating their implementation.
To verify the methodology, the designed measurement instruments were applied at a higher-education institution, the results were analysed, a technical opinion on the findings detected and the recommendations was issued, and the completeness and validity of the methodology design were verified | spa |
dc.description.sponsorship | Universitat Oberta de Catalunya UOC | spa |
dc.description.tableofcontents | INTRODUCTION
1. BACKGROUND 27
2. METHODOLOGICAL FRAMEWORK 30
2.1 Problem to Solve 30
2.2 Justification 30
2.3 Research Question 31
2.4 Research Objectives 31
2.5 Scope of the Proposal 32
2.6 Expected Results 32
3. CONCEPTUAL FRAMEWORK 34
3.1 State of the Art 34
3.2 Theoretical Foundations 46
4. METHODOLOGICAL DESIGN 84
4.1 Methodological Description 84
4.2 Definition of the Dimensions to Evaluate 84
4.3 Security Criteria for Evaluating the Established Dimensions 85
5. DESIGN OF THE INSTRUMENTS 88
5.1 Questionnaire 88
5.2 Risk Analysis Matrix 89
6. AUDIT PROGRAM LIFE CYCLE STRUCTURE 92
6.1 Principles and General Considerations 93
7. RESULTS OF APPLYING THE INSTRUMENTS 96
7.1 Instrument 1 (questionnaire) 97
7.2 Instrument Two (risk analysis matrix, Criterion 2) 109
7.3 Instrument Three (risk analysis matrix, Criterion 3) 118
7.4 Executive Report 125
8. VERIFICATION OF COMPLETENESS AND VALIDITY OF THE METHODOLOGY 131
8.1 Completeness 131
8.2 Validity 132
9. CONCLUSIONS 135
10. FUTURE LINES OF RESEARCH 138
11. BIBLIOGRAPHY 139 | spa |
dc.format.mimetype | application/pdf | spa |
dc.language.iso | spa | spa |
dc.rights.uri | http://creativecommons.org/licenses/by-nc-nd/2.5/co/ | * |
dc.title | Diseño de una metodología para auditar la seguridad de la información en productos de software orientados a servicios de gestión e información en instituciones de educación superior | spa |
dc.title.translated | Design of a methodology to audit information security in software products oriented to management and information services in higher education institutions | eng |
dc.degree.name | Master in Software Management, Application and Development | spa |
dc.coverage | Bucaramanga (Colombia) | spa |
dc.publisher.grantor | Universidad Autónoma de Bucaramanga UNAB | spa |
dc.rights.local | Open (Full Text) | spa |
dc.publisher.faculty | Faculty of Engineering | spa |
dc.publisher.program | Master's in Software Management, Application and Development | spa |
dc.description.degreelevel | Master's | spa |
dc.type.driver | info:eu-repo/semantics/masterThesis | |
dc.type.local | Thesis | spa |
dc.type.coar | http://purl.org/coar/resource_type/c_bdcc | |
dc.subject.keywords | Methodology | eng |
dc.subject.keywords | Audit | eng |
dc.subject.keywords | Post-secondary institution | eng |
dc.subject.keywords | Software development | eng |
dc.subject.keywords | Technological solutions | eng |
dc.subject.keywords | Systems engineer | eng |
dc.subject.keywords | Free software | eng |
dc.subject.keywords | Computer security | eng |
dc.subject.keywords | Data protection | eng |
dc.subject.keywords | Research | eng |
dc.subject.keywords | Analysis | eng |
dc.identifier.instname | instname:Universidad Autónoma de Bucaramanga - UNAB | spa |
dc.identifier.reponame | reponame:Repositorio Institucional UNAB | spa |
dc.type.hasversion | info:eu-repo/semantics/acceptedVersion | |
dc.rights.accessrights | info:eu-repo/semantics/openAccess | spa |
dc.rights.accessrights | http://purl.org/coar/access_right/c_abf2 | spa |
dc.relation.references | Gómez Nova, Arelis (2017). Diseño de una metodología para auditar la seguridad de la información en productos de software orientados a servicios e información en instituciones de educación superior. Bucaramanga (Colombia) : Universidad Autónoma de Bucaramanga UNAB, Universitat Oberta de Catalunya UOC | spa |
dc.contributor.cvlac | https://scienti.minciencias.gov.co/cvlac/visualizador/generarCurriculoCv.do?cod_rh=0001436025 | * |
dc.contributor.orcid | https://orcid.org/0000-0003-3854-812X | * |
dc.contributor.researchgate | https://www.researchgate.net/profile/Reinaldo_Mayol | * |
dc.subject.lemb | Systems engineering | spa |
dc.subject.lemb | Free software | spa |
dc.subject.lemb | Computer security | spa |
dc.subject.lemb | Data protection | spa |
dc.subject.lemb | Research | spa |
dc.subject.lemb | Analysis | spa |
dc.description.abstractenglish | Information is gaining value for organizations every day, regardless of their purpose or the sector in which they operate, and is now regarded as an intangible asset that provides competitive advantage. Its proper handling requires technological tools that support data processing, report generation and decision making. The use of technology has transformed the performance and development of businesses; it has also become a channel that widens their exposure to IT risk, a factor on the rise with the growth of the digital era and the Internet. The proposed approach resulted from identifying the lack of security audit processes for systems oriented to management and academic information at the Pontificia Bolivariana University, Bucaramanga, Colombia.
Based on the above, the purpose of this research was to contribute to the detection of threats and vulnerabilities in order to mitigate IT risk, using a purpose-designed methodology to audit the inclusion and correctness of security criteria in academic services offered through information systems. In the structure of the methodology, three dimensions were defined, considered relevant for developing an audit program. For every dimension, criteria were established and evaluated by verifying the existence of security controls. Those controls were defined by a list of requirements, with the aim of validating their implementation.
To validate the methodology, the designed measuring instruments were applied at a university institution. The outcome was analysed, a technical opinion on the detected findings was issued together with recommendations, and the completeness and validity of the methodology design were verified | eng |
dc.subject.proposal | Methodology | spa |
dc.subject.proposal | Audit | spa |
dc.subject.proposal | Higher education institution | spa |
dc.subject.proposal | Software development | spa |
dc.subject.proposal | Technological solutions | spa |
dc.subject.proposal | ISO 27000 | spa |
dc.type.redcol | http://purl.org/redcol/resource_type/TM | |
dc.rights.creativecommons | Attribution-NonCommercial-NoDerivatives 2.5 Colombia | * |
dc.coverage.campus | UNAB Campus Bucaramanga | spa |
dc.description.learningmodality | On-campus modality | spa |