November 24, 2014
Student: Gustavo Pallas Mega
Tutors: <a href=https://www.fing.edu.uy/inco/grupos/gsi/en/team/gustavo-betarte/>Gustavo Betarte</a>, Maria Eugenia Corti
Management and information systems are now deeply embedded in productive, industrial, service and governmental processes, and in almost every active sector of society. This dependence on information systems demands that they be secured, in order to preserve the quality of services, ensure the effectiveness and efficiency of business processes, and protect the value of their assets. It is no longer enough to establish controls in isolation or ad hoc, nor to act in a merely reactive and defensive manner; an Information Security Management System (ISMS) and proactive action are required. In a business group, where two or more companies are vertically integrated, the challenge of managing security appropriately is even greater. Several standards have been developed to manage information security: some are general, some focus on risk management (the ISO/IEC 27000 series), and others go as far as defining an information security maturity model (ISM3, for instance); however, their specifications do not address application to a business group, which requires additional considerations. This work analyzes the different approaches taken by these standards in order to propose a methodology for implementing, managing and improving an ISMS in a hierarchical business group. Different strategic alternatives are also presented and their suitability is discussed. Several well-known methods of risk analysis and management are examined, some of them promoted by the governments and/or industry of leading countries with recognized track records in information security, and widely accepted.
A systemic, pragmatic and non-dogmatic approach is promoted in favor of an effective and sustainable methodology, prioritizing a cost-benefit criterion. The need to orient the methodology towards, and adapt it to, the real security requirements of the business is emphasized. A methodology suited to a business group is presented, which seeks to integrate the best of each of the analyzed approaches; a proposed security organizational chart is included that reconciles the structural hierarchy of the group with the needs of an ISMS. Additionally, the application of graph techniques to asset valuation is explored: the concept is formalized in terms of graph properties and algorithms, and, from the thesis's own perspective on the subject, an adjustment algorithm is defined that accounts for qualitative and quantitative valuations and for partial and/or total dependencies between assets. Desirable characteristics and functionality of a software tool to support the methodology are also described. Finally, the application of the methodology to a case study is analyzed, in particular an ISP vertically integrated with a telco. The particularities of the case study are examined: the specific international standards and recommendations, the organizational model applicable to the business, statistical data, and the security required for this sector of the industry.
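To illustrate the kind of graph-based asset valuation adjustment mentioned above, the following Python example is added here; it is not the thesis's own algorithm nor code from the project. It assumes the usual "accumulated value" interpretation of asset dependencies: a directed edge from asset A to asset B with degree d in (0, 1] means A depends on B (d = 1.0 is a total dependency, d < 1 a partial one), so a compromise of B impacts a fraction d of A's value, and B's adjusted value becomes the maximum of its own value and the degree-weighted values of everything that depends on it, propagated transitively. The five-level qualitative scale, the asset names and the dependency degrees are constructed sample data.

```python
from typing import Dict, List, Tuple, Union

# Assumed five-point qualitative scale, mapped to numbers so that qualitative
# and quantitative valuations can be combined on one axis.
QUALITATIVE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

Value = Union[str, int, float]
# depends_on[a] = [(b, degree), ...] means asset a depends on asset b with that degree.
Dependencies = Dict[str, List[Tuple[str, float]]]


def to_level(v: Value) -> float:
    """Normalise a qualitative label or a numeric estimate to one numeric scale."""
    if isinstance(v, str):
        return float(QUALITATIVE[v.strip().lower()])
    return float(v)


def accumulated_values(own: Dict[str, Value], depends_on: Dependencies) -> Dict[str, float]:
    """Adjust each asset's value by the value of the assets that depend on it.

    acc(b) = max(own(b), max over dependents a of degree(a -> b) * acc(a))

    Computed by fixed-point iteration, so dependency cycles are tolerated:
    values only grow, are bounded by the largest own value (degrees <= 1),
    and at most len(own) passes are needed for every path to be propagated.
    """
    dependents: Dependencies = {asset: [] for asset in own}
    for a, supports in depends_on.items():
        if a not in own:
            raise KeyError(f"unknown asset {a!r} in dependencies")
        for b, degree in supports:
            if b not in own:
                raise KeyError(f"unknown asset {b!r} in dependencies of {a!r}")
            if not 0.0 < degree <= 1.0:
                raise ValueError(f"degree {degree} for {a!r} -> {b!r} must be in (0, 1]")
            dependents[b].append((a, degree))

    acc = {asset: to_level(v) for asset, v in own.items()}
    for _ in range(len(own) + 1):
        changed = False
        for b in own:
            inherited = max((d * acc[a] for a, d in dependents[b]), default=0.0)
            if inherited > acc[b]:
                acc[b] = inherited
                changed = True
        if not changed:
            break
    return acc


def underrated(own: Dict[str, Value], acc: Dict[str, float], tolerance: float = 1e-9) -> List[Tuple[str, float, float]]:
    """Assets whose own valuation is below the value they actually carry for others."""
    return [(a, to_level(own[a]), acc[a]) for a in own if acc[a] - to_level(own[a]) > tolerance]


# Constructed sample: a small slice of an ISP/telco asset inventory.
SAMPLE_OWN: Dict[str, Value] = {
    "Customer DB": "very high",
    "DB server": "low",
    "SAN": "low",
    "Core router": "medium",
    "Billing app": "high",
}
SAMPLE_DEPENDS_ON: Dependencies = {
    "Customer DB": [("DB server", 1.0)],                   # total dependency
    "DB server": [("SAN", 1.0), ("Core router", 0.3)],     # total and partial
    "Billing app": [("DB server", 0.5), ("Core router", 0.8)],
}

if __name__ == "__main__":
    adjusted = accumulated_values(SAMPLE_OWN, SAMPLE_DEPENDS_ON)
    for name, before, after in underrated(SAMPLE_OWN, adjusted):
        print(f"{name}: own {before:.1f} -> accumulated {after:.1f}")
```

Run on the sample data, the supporting infrastructure (the DB server and the SAN, valued "low" on their own) inherits the "very high" value of the customer database through the chain of total dependencies, and the core router rises from 3 to 3.2 through the partial dependency of the billing application. Those are exactly the assets a risk analysis would otherwise under-protect, which is the practical reason for carrying dependencies in the asset graph rather than valuing each asset in isolation.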