Skip to main content

Proposal for Information Security Risk Mitigation Practices Based on a Regulatory Approach

  • Conference paper
  • First Online:
Latest Advances in Electrical Engineering, and Electronics

Part of the book series: Lecture Notes in Electrical Engineering ((LNEE,volume 933))

  • 212 Accesses

Abstract

Business objectives could be affected by the materialization of several types of risks, including operational, legal, or contractual, technological and information security risks. As part of the treatment and mitigation of the threats, specifically those related to regulatory and information security, the following research work offers proposed mitigation actions - adjusted to the organizational context of a company - that are required to treat the aforementioned risks. This is done by using the ISO 27002 reference guide as a tool, and two specific input variables: a) organizational risk profile and b) a regulatory environment restricted to the nature of the organization. The study is conducted for a Costa Rican financial institution dedicated to pension fund management. As a result of the analysis, mitigation practices are established, which contemplate an outline of the organizational activities and responsibilities related to regulatory compliance with the general regulation of information technology management and the law of personal data protection, providing guidelines that enrich the internal management regarding the treatment of failure modes identified during the study period.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 259.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 329.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 329.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Superintendent General of Financial Institutions. It is a public entity that supervises the stability, resilience, and efficiency of the Costa Rican financial system, and inspects and regulates the operations and activities of financial entities.

  2. 2.

    A methodological framework widely used in the public and private sectors to guide strategic, operational and other forms of risk management.

  3. 3.

    A risk matrix is a table that has several categories of “probability,” “likelihood,” or “frequency” for its rows (or columns) and several categories of “severity,” “impact,” or “consequences” for its columns (or rows, respectively). It associates a recommended level of risk, urgency, priority, or management action with each row-column pair.

  4. 4.

    Quota value: minimum daily amount credited to customers as part of their savings.

  5. 5.

    Costa Rica Computer Security Incident Response Center (CSIRT-CR), part of the Ministry of Science, Technology and Telecommunications (MICITT).

References

  1. Barahona, C., Zamora, D.: Valuation of the digital public experience. INCAE Business School, Alajuela Costa Rica (2019)

    Google Scholar 

  2. Attorney General’s Office (PGR) Law 8968: Homepage. last accessed 08 Oct 2020

    Google Scholar 

  3. Superintendent of Pensions of Costa Rica (SUPEN): General Technology Management Regulation. Costa Rica (2011)

    Google Scholar 

  4. Standards Australia: AS/NZS 4360–1999 Homepage. https://www.standards.org.au/standards-catalogue/sa-snz/publicsafety/ob-007/as-slash-nzs--4360-1999. last accessed 05 June 2020

  5. Cox, L.: What’s wrong with risk matrices? In: Society for Risk Analysis, Risk Analysis, vol. 28(2), p. 497. Denver, United States (2008)

    Google Scholar 

  6. Superintendent of Pensions of Costa Rica (SUPEN): Information Manual for Supervised Entities and Managed Funds. San Jose, Costa Rica (2020). Homepage, https://www.supen.fi.cr/documents/10179/148522/Manual+de+Informaci%C3%B3n+para+las+entidades. last accessed 20 Oct 2020

  7. INTE ISO IEC 27001:2014: Information technology — Security techniques — Information security management systems — Overview and vocabulary. San José, Costa Rica (2018)

    Google Scholar 

  8. NIST SP 800–30: Information Security. Guide for Conducting Risk Assessments. Revision 1. U.S Department of Commerce, Gaithersburg, United States (2012)

    Google Scholar 

  9. Superintendent of Pensions of Costa Rica (SUPEN): Supervision Framework, https://www.supen.fi.cr/marco-de-supervisión

  10. Valencia, F., Marulanda, C.: Governance and management of information technology risks and aspects that differentiate it from organizational risk. National University of Colombia. Bogotá, Colombia (2016)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Alejandro Andrade Mafla .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Andrade Mafla, A. (2022). Proposal for Information Security Risk Mitigation Practices Based on a Regulatory Approach. In: Botto-Tobar, M., Zambrano Vizuete, M., Diaz Cadena, A., Vizuete, A.Z. (eds) Latest Advances in Electrical Engineering, and Electronics. Lecture Notes in Electrical Engineering, vol 933. Springer, Cham. https://doi.org/10.1007/978-3-031-08942-8_14

Download citation

Publish with us

Policies and ethics