Impact of using different security frameworks in IT audits within organizations: systematic review
DOI: https://doi.org/10.18004/ucsa/2409-8752/2024.011.02.0103
Keywords: Security framework, IT audit, organizations
Abstract
In a world where attacks on the information security of organizations have increased, IT auditing has emerged as a means of preventing such incidents. For these audits to be effective, however, an appropriate security framework must be used. This review article offers a comprehensive analysis of how different security frameworks can influence the effectiveness of IT audits in organizations. A systematic review was conducted of original articles published in English and Spanish between 2018 and 2023 and available in recognized databases such as ScienceDirect, SpringerLink, JSTOR, Dialnet, SciELO, Scopus, and Latindex. The main purpose of the study is to understand how the implementation of a specific security framework, such as COBIT, LCCI, NIST CSF, ISG, D4I, or ISO/IEC 27001, affects IT audits and, through them, the organization. The review finds that the choice of security framework can have a significant repercussion on an organization's ability to identify and mitigate security risks, to maintain regulatory compliance, and to ensure the integrity and confidentiality of its data.
References
Abstracts of the MASCC/ISOO Annual Meeting 2018. (2018). Supportive Care in Cancer: Official Journal of the Multinational Association of Supportive Care in Cancer, 26(2), 39-364. https://doi.org/10.1007/s00520-018-4193-2
AlGhamdi, S., Win, K. T., & Vlahu-Gjorgievska, E. (2020). Information security governance challenges and critical success factors: Systematic review. Computers & Security, 99, 102030. https://doi.org/10.1016/j.cose.2020.102030
Antunes, M., Maximiano, M., & Gomes, R. (2022). A customizable web platform to manage standards compliance of information security and cybersecurity auditing. Procedia Computer Science, 196, 36-43. https://doi.org/10.1016/j.procs.2021.11.070
Argaw, S. T., Troncoso-Pastoriza, J. R., Lacey, D., Florin, M. V., Calcavecchia, F., Anderson, D., Burleson, W., Vogel, J. M., O'Leary, C., Eshaya-Chauvin, B., & Flahault, A. (2020). Cybersecurity of hospitals: Discussing the challenges and working towards mitigating the risks. BMC Medical Informatics and Decision Making, 20(1), 1-10. https://doi.org/10.1186/s12911-020-01161-7
Asghar, M. R., Hu, Q., & Zeadally, S. (2019). Cybersecurity in industrial control systems: Issues, technologies, and challenges. Computer Networks, 165, 106946. https://doi.org/10.1016/j.comnet.2019.106946
Bailon Lourido, W. A. (2019). Auditoría informática al control y mantenimiento de una infraestructura tecnológica. CIENCIAMATRIA, 5(1), 73-87. https://doi.org/10.35381/cm.v5i1.248
Blažič, B. J. (2022). Changing the landscape of cybersecurity education in the EU: Will the new approach produce the required cybersecurity skills? Education and Information Technologies, 27(3), 3011-3036. https://doi.org/10.1007/s10639-021-10704-y
Calder, A. (2020). The cyber security handbook: Prepare for, respond to and recover from cyber attacks with the IT Governance Cyber Resilience Framework (CRF). IT Governance Publishing. https://doi.org/10.2307/j.ctv19shhms
Checco, J. C. (2022). Cyber-physical coordinated attacks: The emerging complexity of crisis management. The Cyber Defense Review, 7(4), 69-90. https://www.jstor.org/stable/48703292
Chidukwani, A., Zander, S., & Koutsakis, P. (2022). A survey on the cyber security of small-to-medium businesses: Challenges, research focus and recommendations. IEEE Access, 10, 85701-85719. https://doi.org/10.1109/ACCESS.2022.3197899
Cybersecurity certification validates programs. (2020). Computer Security Update, 21(2), 2-4. https://www.jstor.org/stable/48597909
Cynet launches the Security for Management template. (2019). Computer Security Update, 20(9), 1-2. https://www.jstor.org/journal/compsecupdate
Dimitriadis, A., Ivezic, N., Kulvatunyou, B., & Mavridis, I. (2020). D4I - Digital forensics framework for reviewing and investigating cyber attacks. Array, 5, 100015. https://doi.org/10.1016/j.array.2019.100015
Enfoque, U. (2018). Un modelo práctico para realizar auditorías exhaustivas de Ciberseguridad (A practical model to perform comprehensive cybersecurity audits). Enfoque UTE, 1, 127-137. http://ingenieria.ute.edu.ec/enfoqueute/
Fairview Health selects CynergisTek security. (2020). Computer Security Update, 21(11), 7-8. https://www.jstor.org/stable/48597898
Frayssinet Delgado, M., Esenarro, D., Juárez Regalado, F. F., & Díaz Reátegui, M. (2021). Methodology based on the NIST cybersecurity framework as a proposal for cybersecurity management in government organizations. 3C TIC: Cuadernos de Desarrollo Aplicados a las TIC, 10(2), 123-141. https://doi.org/10.17993/3ctic.2021.102.123-141
Gourisetti, S. N. G., Mylrea, M., & Patangia, H. (2020). Cybersecurity vulnerability mitigation framework through empirical paradigm: Enhanced prioritized gap analysis. Future Generation Computer Systems, 105, 410-431. https://doi.org/10.1016/j.future.2019.12.018
Guerra, E., Neira, H., Díaz, J. L., & Patiño, J. (2021). Desarrollo de un sistema de gestión para la seguridad de la información basado en metodología de identificación y análisis de riesgo en bibliotecas universitarias. Información Tecnológica, 32(5), 145-156. https://doi.org/10.4067/s0718-07642021000500145
Ibrahim, A., Valli, C., McAteer, I., & Chaudhry, J. (2018). A security review of local government using NIST CSF: A case study. Journal of Supercomputing, 74(10), 5171-5186. https://doi.org/10.1007/s11227-018-2479-2
Ibrahim, E., & Greenberg, M. R. (2018). Managing the cybersecurity risks of an increasingly digital power system. In V. Sivaram (Ed.), Digital decarbonization: Promoting digital innovations to advance clean energy systems (pp. 91-97). Council on Foreign Relations. http://www.jstor.org/stable/resrep21838.12
Levite, A. E., Kannry, S., & Hoffman, W. (2018). Complementary efforts by governments and the insurance industry. In Addressing the private sector cybersecurity predicament: The indispensable role of insurance (pp. 19-23). Carnegie Endowment for International Peace. http://www.jstor.org/stable/resrep20984.7
Mero Paredes, G. D., & Zambrano González, S. K. (2018). Auditoría informática soportada por COBIT e ISO 27001 en las instituciones financieras públicas de la ciudad de Guayaquil. Universidad Católica de Santiago de Guayaquil. Retrieved from http://repositorio.ucsg.edu.ec/handle/3317/10431
Montalvo Cisneros, O. A. (n.d.). Efectos de la implementación de una auditoría informática a las empresas de seguros a través de la ISO 27001:2013 ubicadas en el Norte del DMQ. Universidad Politécnica Salesiana, Sede Quito. http://dspace.ups.edu.ec/handle/123456789/19918
Negrín Sosa, E., López García, L., Rodríguez Cabrera, K., & Martínez Guerra, D. (2017). Facultad de Ciencias Administrativas y Económicas. In UTM Diciembre (Vol. 8).
Orellana Cabrera, X. E., & Álvarez Galarza, M. D. (2022). Marco de trabajo de gobierno de TI orientado a la ciberseguridad para el sector bancario bajo COBIT 2019. Universidad Católica de Cuenca, Ecuador.
Oswaldo Chuquimarca-Espinoza, M. I., Edwin Ormaza-Andrade, J., & Carlos Erazo-Álvarez, J. (n.d.). El futuro de la auditoría y las innovaciones tecnológicas (The future of auditing and technological innovations). Dominio de las Ciencias, 6(1), 316-339. https://doi.org/10.23857/dc.v6i1.1149
Pawar, S., & Palivela, D. H. (2022). LCCI: A framework for least cybersecurity controls to be implemented for small and medium enterprises (SMEs). International Journal of Information Management Data Insights, 2(1), 100080. https://doi.org/10.1016/j.jjimei.2022.100080
Politou, E., Michota, A., Alepis, E., Pocs, M., & Patsakis, C. (2018). Backups and the right to be forgotten in the GDPR: An uneasy relationship. Computer Law & Security Review, 34(6), 1247-1257. https://doi.org/10.1016/j.clsr.2018.08.006
Proaño Escalante, R. A., Saguay Chafla, C. N., Jácome Canchig, S. B., & Sandoval Zambrano, F. (2017). Sistemas basados en conocimiento como herramienta de ayuda en la auditoría de sistemas de información. Enfoque UTE.
Progoulakis, I., Rohmeyer, P., & Nikitakos, N. (2021). Cyber physical systems security for maritime assets. Journal of Marine Science and Engineering, 9(12), 1384. https://doi.org/10.3390/jmse9121384
Radanliev, P. (2023). Review and comparison of US, EU, and UK regulations on cyber risk/security of the current blockchain technologies: Viewpoint from 2023. The Review of Socionetwork Strategies, 1-25. https://doi.org/10.1007/s12626-023-00139-x
Randall, R. G., & Allen, S. (2021). Cybersecurity professionals information sharing sources and networks in the U.S. electrical power industry. International Journal of Critical Infrastructure Protection, 34, 100454. https://doi.org/10.1016/j.ijcip.2021.100454
Rubén, A., & Guerra, M. (n.d.). Gestión de seguridad de la información con la norma ISO 27001:2013 (Information security management with the ISO 27001:2013 standard) (Vol. 39).
Russell, S., & Jackson, S. (2018). Operating in the dark: Cyber decision-making from first principles. Journal of Information Warfare, 17(1), 1-15. https://www.jstor.org/stable/26504126
Sabillón, R., & M., J. J. C. (2019). Auditorías en Ciberseguridad: Un modelo de aplicación general para empresas y naciones. RISTI - Revista Ibérica de Sistemas e Tecnologias de Informação, 32, 33-48. https://doi.org/10.17013/risti.32.33-48
Sánchez-García, I. D., Feliu Gilabert, T. S., & Calvo-Manzano, J. A. (2023). Countermeasures and their taxonomies for risk treatment in cybersecurity: A systematic mapping review. Computers & Security, 128, 103170. https://doi.org/10.1016/j.cose.2023.103170
Schmitz, C., Schmid, M., Harborth, D., & Pape, S. (2021). Maturity level assessments of information security controls: An empirical analysis of practitioners' assessment capabilities. Computers & Security, 108, 102306. https://doi.org/10.1016/j.cose.2021.102306
Serna Ramírez, S., Montoya Londoño, Á., Quintero Barco, Y. A., Henao Villa, C. F., & Castro Ramírez, F. D. J. (2022). Desarrollo de un sistema de seguridad informática a partir de una auditoría sobre una red empresarial. INGENIERÍA: Ciencia, Tecnología e Innovación, 9(2), 135-151. https://doi.org/10.26495/icti.v9i2.2267
Sulistyowati, D., Handayani, F., & Suryanto, Y. (2020). Comparative analysis and design of cybersecurity maturity assessment methodology using NIST CSF, COBIT, ISO/IEC 27002 and PCI DSS. International Journal on Informatics Visualization, 4(4), 225-230. https://doi.org/10.30630/joiv.4.4.482
Tsohou, A., Diamantopoulou, V., Gritzalis, S., & Lambrinoudakis, C. (2023). Cyber insurance: State of the art, trends and future directions. International Journal of Information Security, 22, 737-748. https://doi.org/10.1007/s10207-023-00660-8
Wylde, V., Rawindaran, N., Lawrence, J., Balasubramanian, R., Prakash, E., Jayal, A., Khan, I., Hewage, C., & Platts, J. (2022). Cybersecurity, data privacy and blockchain: A review. SN Computer Science, 3, 127. https://doi.org/10.1007/s42979-022-01020-4
Yadav, A., Kumar, A., & Singh, V. (2023). Open-source intelligence: A comprehensive review of the current state, applications and future perspectives in cyber security. Artificial Intelligence Review, 1-32. https://doi.org/10.1007/s10462-023-10454-y
Zboril, M., & Svatá, V. (2022). Cloud adoption framework. Procedia Computer Science, 207, 483-493. https://doi.org/10.1016/j.procs.2022.09.103
Zhu, P., & Liyanage, J. P. (2021). Cybersecurity of offshore oil and gas production assets under trending asset digitalization contexts: A specific review of issues and challenges in safety instrumented systems. European Journal for Security Research, 6, 125-149. https://doi.org/10.1007/s41125-021-00076-2