Dissertação
Gestão de riscos de segurança da informação baseada na norma NBR ISO/IEC 27005 usando padrões de segurança
Fecha
2013-02-26Registro en:
KONZEN, Marcos Paulo. Risk management of information security based on standard NBR ISO/IEC 27005 using security patterns. 2013. 121 f. Dissertação (Mestrado em Engenharia de Produção) - Universidade Federal de Santa Maria, Santa Maria, 2013.
Autor
Konzen, Marcos Paulo
Institución
Resumen
In the last years more vulnerabilities and threats have emerged, compromising information
security in Information and Communication Technology (ICT) systems. In addition, many
organizations are unprepared to deal with the risks of information security, making them the
most vulnerable to such threats. Thus the negative impact caused by security incidents tends
to be more frequent. The implementation of information security risk management based on a
set of best practices is critical, but still a challenge for most companies. This work proposes a
methodology for managing risks based on NBR ISO/IEC 27005:2008. The methodology
presents a sequence of activities and a series of guidelines and goals that must be achieved to
make the risk management effective. As with most standards and reference models, the
methodology does not describe how activities should be implemented, which makes it
difficult to implement for organizations less experienced in security procedures. The reuse of
solutions already tested and consolidated to recurring security problems it can assist in
ensuring the use of best practices. These solutions can be found in security standards that
capture and document the knowledge of security experts, but its application to develop
standards for risk management activities is unknown. Thus, this work reviews the guidelines
of NBR ISO/IEC 27005:2008 standards and pattern catalogs in order to identify security
patterns to develop activities in accordance with the guidelines described by the standard.
Therefore, the main contribution of this work is to develop a methodology for risk
management centered in solutions, tasks and techniques described by 22 security standards.
An analysis and risk assessment using security standards was applied to a DC (Data Center)
of a private university, whose result shows the final risk for each asset, meeting the guidelines
of NBR ISO/IEC 27005:2008.