MePRiSIA: risk prevention methodology for academic information systems
DOI: https://doi.org/10.17533/udea.redin.n89a11
Keywords: educational information system, information management, information system evaluation, methodology, risk assessment
Abstract
Information held in academic systems can be stolen, modified or erased by attackers, causing losses to institutions. Applying a risk prevention methodology at educational institutions would help to avoid the misuse of academic information by users or attackers. MePRiSIA was designed as a risk prevention methodology that is simple and easy to understand while including the human factor in each step. The methodology has four steps: setting the context, risk identification, risk analysis, and risk prevention. After being applied to the academic information system of Universidad de Pamplona (Colombia), called ACADEMUSOFT, MePRiSIA was evaluated by experts. In conclusion, after applying MePRiSIA to ACADEMUSOFT, the human factor was among its most important assets and was involved in the very-high-level risks identified. According to the experts, implementing MePRiSIA is hard when institution directors do not provide the staff and financial resources required for this purpose.
Copyright (c) 2018 Revista Facultad de Ingeniería Universidad de Antioquia
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Revista Facultad de Ingeniería, Universidad de Antioquia is licensed under the Creative Commons Attribution BY-NC-SA 4.0 license. https://creativecommons.org/licenses/by-nc-sa/4.0/deed.en
The material published in the journal can be distributed, copied and exhibited by third parties if the respective credits are given to the journal. No commercial benefit can be obtained and derivative works must be under the same license terms as the original work.