Date of Publication
4-2023
Document Type
Master's Thesis
Degree Name
Master in Information Security
Subject Categories
Information Security
College
College of Computer Studies
Department/Unit
Computer Technology
Thesis Advisor
Michelle Renee D. Ching
Defense Panel Chair
Arlyn Verina O. Tiu
Defense Panel Member
Michelle Renee D. Ching
Abstract/Summary
The 21st century has seen data emerge as the new oil. The significance of information in management decision-making has increased, making it essential to preserve its fundamental properties of confidentiality, integrity, and availability. Many organizations treat information security as a technological issue that can be resolved through technology alone. It is, however, a comprehensive process that requires risk management, and developing an information security policy is the primary step toward mitigating such risks. This study aims to help a government agency protect its IT services against cyber attacks by developing issue-specific security policies (ISSPs) and a compliance roadmap based on the ISO/IEC 27001:2013 standard. The study used the Capability Maturity Model Integration (CMMI) to conduct a gap analysis and a high-level risk assessment to identify the risks on which the developed policies are based. Data triangulation was used to validate the interviews conducted, the observations made, and the analysis of the documents presented. The project developed twelve (12) ISSPs to mitigate the seven (7) high risks identified, and the policies' applicability, scope, purpose, penalties, effectiveness, coherence, and completeness were assessed through an expert review. The project concludes by providing the agency's compliance roadmap toward ISO/IEC 27001:2013 certification, structured on the standard's Plan-Do-Check-Act (PDCA) cycle. For future work, the author recommends completing policies for the medium and low risks, implementing the policies, and following the compliance roadmap. The study also recommends conducting a detailed risk assessment, creating an enterprise information security policy (EISP), and engaging an accredited certification body for an external audit to achieve ISO/IEC 27001 certification.
Keywords: Information Security, ISO 27001:2013, Issue-specific security policies, gap analysis, high-level risk assessment, compliance roadmap
Language
English
Format
Electronic
Physical Description
195, [5] leaves
Keywords
Information technology; Computer security; Electronic data processing--Security measures
Recommended Citation
Buenaventura, J. J. (2023). Assessment of information technology (IT) services and development of issue-specific security policies of a government agency using ISO/IEC 27001:2013 standard. Retrieved from https://animorepository.dlsu.edu.ph/etdm_comtech/18
Embargo Period
4-2024