| Name | Description | Size | Format |
|---|---|---|---|
| | | 4.5 MB | Adobe PDF |
Abstract(s)
The growth in the production of digital information, together with the challenges of secure communication and of maintaining and safeguarding data, goes hand in hand with the rise in computer crime carried out through intrusion techniques and the exploitation of vulnerabilities. This scenario obliges companies to improve their security paradigms, or risk compromising an asset fundamental to their very existence: INFORMATION.
To better face the dangers and challenges of a presence in cyberspace, the public company Investimentos Habitacionais da Madeira, EPERAM (IHM) set out to analyze and raise its level of information and communications security by following the good practices of this field, since, despite the procedures already in place, security events were still being handled mostly after the fact and reactively.
After surveying the state of the art in standards, frameworks and certifications for information security, reviewing the related legislation and analyzing the company's current situation, a methodology grounded in risk management was proposed for establishing, implementing, maintaining and continuously improving an information security management system, through a set of 18 processes framed by the NP ISO/IEC 27001:2013 standard. In parallel, to ensure its sustainability, the continuous PDCA (Plan-Do-Check-Act) cycle was applied, which made it possible to implement and measure security controls right away. The NIST SP 800-61r2 standard was incorporated into the proposed methodology, with 4 processes, because of its specificity in the field of incident management.
The implementation resulted in the definition of 8 policies, accompanied by 47 security controls, of which 37 were measured. The results made it possible to identify the most pressing improvements by means of a color scheme. Use of the corporate governance and management model for information technology, COBIT 5, contributed to a subsequent analysis of process capability and an assessment of their maturity.
Keywords
Information security, Risk management, ISO/IEC 27001:2013 standard, Security policies, Security of operations, Security in communications, NIST SP 800-61r2, Incident management, COBIT 5 framework, GDPR, Audit
Engenharia Informática. Faculdade de Ciências Exatas e da Engenharia