MePRiSIA: risk prevention methodology for academic information systems

Isabel Cristina Satizábal-Echavarría, Nancy María Acevedo-Quintana

Abstract


The information held in academic systems can be stolen, modified or erased by attackers and cause major losses to institutions. Since prevention is better than cure, educational institutions should apply a risk prevention methodology to avoid the misuse of academic information by users or attackers. For that reason, we designed MePRiSIA, a simple and easy-to-understand risk prevention methodology that, unlike existing ones, includes the human factor in each step. MePRiSIA has four steps: setting the context, risk identification, risk analysis and risk prevention. It was applied to the academic information system of Universidad de Pamplona (Colombia), called ACADEMUSOFT, and was evaluated by experts. After applying MePRiSIA to ACADEMUSOFT, we conclude that the human factor is part of its most important assets and is involved in the very-high-level risks identified. According to the experts, implementing MePRiSIA is hard when institution directors do not provide staff and financial resources for this purpose.

Keywords


Educational information system, information management, information system evaluation, methodology, risk assessment






DOI: https://doi.org/10.17533/udea.redin.n89a11


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
