Mogrit: Towards an IT risks management model for MSME
DOI: https://doi.org/10.18046/syt.v12i30.1860
Keywords: Software Process Improvement, IT Risk, Models, Standards, Harmonization, SMEs
Abstract
Nowadays, software development projects can fail for multiple reasons. Both project management, which establishes the way forward, and the analysis of the risks that a software development project may face are therefore becoming increasingly necessary. This paper presents the harmonization of IT risk models such as CRAMM, COBIT, EBIOS, ITIL V3, MAGERIT, OCTAVE and RISK IT, together with models that support IT risk such as ISO/IEC 27000, ISO/IEC 27005, ISO/IEC 31010, AS/NZS ISO 31000, BS 7799-3:2006 and UNE 71504:2008. It also presents a high-level and low-level comparative analysis that identifies the most common and most representative elements of each model. From the results obtained, the benefits are established, as well as the manner in which the compared models can be harmonized so that they are implemented in a harmonized way and thus support management processes within the development activities of an organization. This work provides a clearer view of the differences, similarities and possible integrations between IT risk models and standards for small and medium-sized software development enterprises.
License
This journal is licensed under the terms of the CC BY 4.0 licence (https://creativecommons.org/licenses/by/4.0/legalcode).