Abstract
Business objectives can be affected by the materialization of several types of risk, including operational, legal or contractual, technological, and information security risks. As part of the treatment and mitigation of these threats, specifically those related to regulatory compliance and information security, this research work proposes mitigation actions, adjusted to the organizational context of a company, that are required to treat the aforementioned risks. This is done using the ISO 27002 reference guide as a tool together with two specific input variables: a) the organizational risk profile and b) a regulatory environment restricted to the nature of the organization. The study is conducted for a Costa Rican financial institution dedicated to pension fund management. As a result of the analysis, mitigation practices are established that outline the organizational activities and responsibilities related to regulatory compliance with the general regulation on information technology management and the law on personal data protection, providing guidelines that enrich internal management regarding the treatment of the failure modes identified during the study period.
Notes
1. Superintendent General of Financial Institutions. It is a public entity that supervises the stability, resilience, and efficiency of the Costa Rican financial system, and inspects and regulates the operations and activities of financial entities.
2. A methodological framework widely used in the public and private sectors to guide strategic, operational and other forms of risk management.
3. A risk matrix is a table that has several categories of “probability,” “likelihood,” or “frequency” for its rows (or columns) and several categories of “severity,” “impact,” or “consequences” for its columns (or rows, respectively). It associates a recommended level of risk, urgency, priority, or management action with each row-column pair.
4. Quota value: minimum daily amount credited to customers as part of their savings.
5. Costa Rica Computer Security Incident Response Center (CSIRT-CR), part of the Ministry of Science, Technology and Telecommunications (MICITT).
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Andrade Mafla, A. (2022). Proposal for Information Security Risk Mitigation Practices Based on a Regulatory Approach. In: Botto-Tobar, M., Zambrano Vizuete, M., Diaz Cadena, A., Vizuete, A.Z. (eds) Latest Advances in Electrical Engineering, and Electronics. Lecture Notes in Electrical Engineering, vol 933. Springer, Cham. https://doi.org/10.1007/978-3-031-08942-8_14
DOI: https://doi.org/10.1007/978-3-031-08942-8_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08941-1
Online ISBN: 978-3-031-08942-8
eBook Packages: Intelligent Technologies and Robotics (R0)