 
Publication

A Customizable Web Platform to Manage Standards Compliance of Information Security and Cybersecurity Auditing

datacite.subject.fos: Ciências Naturais::Ciências da Computação e da Informação
datacite.subject.sdg: 08:Trabalho Digno e Crescimento Económico
datacite.subject.sdg: 09:Indústria, Inovação e Infraestruturas
datacite.subject.sdg: 10:Reduzir as Desigualdades
dc.contributor.author: Antunes, Mário
dc.contributor.author: Maximiano, Marisa
dc.contributor.author: Gomes, Ricardo
dc.date.accessioned: 2026-04-24T10:17:04Z
dc.date.available: 2026-04-24T10:17:04Z
dc.date.issued: 2022
dc.description.abstract [eng]: Information security and cybersecurity are key subjects in modern enterprise management, with ISO-27001:2013, the NIST Cybersecurity Framework and ISO-27009 among the most widely implemented international frameworks and standards. Their main goal is to reduce risk globally, while leveraging enterprises' competitiveness in global markets and enhancing business processes and collaborators' cyber awareness. Auditing processes examine and assess a list of predefined controls. For each control, a set of corrective measures can be proposed to increase its compliance with the standard in use. These processes are time-consuming, involve on-site intervention by specialized consulting teams at the audited enterprises, and require a set of status reports on all the interventions to be prepared and delivered. Existing auditing information systems are not developed to meet the requirements of Small and Medium-sized Enterprises (SMEs): they are mostly proprietary and expensive, usually built on off-the-shelf applications, and not generic enough to be used with several standards that have different checklists and auditing methodologies. In this paper, a generic, web-integrated cybersecurity auditing information system is described. Its architecture, design and data model enable it to be used in a wide range of auditing processes by loading a predefined controls checklist assessment and the corresponding list of mitigation tasks. It was designed to meet the requirements of both SMEs and large enterprises, and stores auditing and intervention-related data in a relational database. The information system was tested in an ISO-27001:2013 information security auditing project that involved fifty SMEs. The results obtained during the project are promising and reveal the appropriateness of using this information system in further similar auditing processes.
dc.description.sponsorship: The authors acknowledge the NERLEI business association project team for the support given throughout the implementation of the project. This project was funded by "POCI—Programa Operacional para a Competitividade e Internacionalização", grant number POCI-02-0853-FEDER-026352. This publication and the research were funded by FCT—Fundação para a Ciência e Tecnologia, I.P., under the project UIDB/04524/2020.
dc.identifier.citation: Mário Antunes, Marisa Maximiano, Ricardo Gomes, A Customizable Web Platform to Manage Standards Compliance of Information Security and Cybersecurity Auditing, Procedia Computer Science, Volume 196, 2022, Pages 36-43, ISSN 1877-0509, https://doi.org/10.1016/j.procs.2021.11.070.
dc.identifier.doi: 10.1016/j.procs.2021.11.070
dc.identifier.eissn: 1877-0509
dc.identifier.uri: http://hdl.handle.net/10400.8/16190
dc.language.iso: eng
dc.peerreviewed: yes
dc.publisher: Elsevier
dc.relation: Research Center in Informatics and Communications
dc.relation.hasversion: https://www.sciencedirect.com/science/article/pii/S1877050921022092?via%3Dihub
dc.relation.ispartof: Procedia Computer Science
dc.rights.uri: http://creativecommons.org/licenses/by-nc-nd/4.0/
dc.subject: Cybersecurity
dc.subject: Information Security
dc.subject: Auditing
dc.subject: ISO-27001
dc.subject: Small and Medium-sized Enterprises
dc.title [eng]: A Customizable Web Platform to Manage Standards Compliance of Information Security and Cybersecurity Auditing
dc.type: conference paper
dspace.entity.type: Publication
oaire.awardNumber: UIDB/04524/2020
oaire.awardTitle: Research Center in Informatics and Communications
oaire.awardURI: info:eu-repo/grantAgreement/FCT/6817 - DCRRNI ID/UIDB%2F04524%2F2020/PT
oaire.citation.endPage: 43
oaire.citation.startPage: 36
oaire.citation.title: Procedia Computer Science
oaire.citation.volume: 196
oaire.fundingStream: 6817 - DCRRNI ID
oaire.version: http://purl.org/coar/version/c_970fb48d4fbd8a85
person.affiliation.name: CIIC / ESTG
person.familyName: Antunes
person.familyName: Maximiano
person.familyName: Pereira Gomes
person.givenName: Mário
person.givenName: Marisa
person.givenName: Ricardo Jorge
person.identifier: R-000-NX4
person.identifier: urn:authenticus_id:R-002-SEG
person.identifier.ciencia-id: AF10-7EDD-5153
person.identifier.ciencia-id: A919-B117-A16D
person.identifier.ciencia-id: 2319-A0CE-6813
person.identifier.gsid: 6gzjmMkAAAAJ
person.identifier.orcid: 0000-0003-3448-6726
person.identifier.orcid: 0000-0002-1212-7864
person.identifier.orcid: 0000-0002-0438-9119
person.identifier.rid: ADM-8923-2022
person.identifier.scopus-author-id: 25930820200
person.identifier.scopus-author-id: 26767664900
person.identifier.scopus-author-id: 57413754100
project.funder.identifier: http://doi.org/10.13039/501100001871
project.funder.name: Fundação para a Ciência e a Tecnologia
relation.isAuthorOfPublication: e3e87fb0-d1d6-44c3-985d-920a5560f8c1
relation.isAuthorOfPublication: 18092229-fa61-402b-978c-56b8127d46e9
relation.isAuthorOfPublication: 21f92f87-2dd6-4d26-be3d-cd2b13a0e19a
relation.isAuthorOfPublication.latestForDiscovery: e3e87fb0-d1d6-44c3-985d-920a5560f8c1
relation.isProjectOfPublication: 67435020-fe0d-4b46-be85-59ee3c6138c7
relation.isProjectOfPublication.latestForDiscovery: 67435020-fe0d-4b46-be85-59ee3c6138c7

Files

Main
Name:
A Customizable Web Platform to Manage Standards Compliance of Information Security and Cybersecurity Auditing.pdf
Size:
924.46 KB
Format:
Adobe Portable Document Format
License
Name:
license.txt
Size:
1.32 KB
Format:
Item-specific license agreed upon to submission