Luis Enrique Sánchez

A systematic review of security requirements engineering

One of the most important aspects in the achievement of secure software systems in the software development process is what is known as Security Requirements Engineering. However, very few reviews focus on this theme in a systematic, thorough and unbiased manner, that is, none of them perform a systematic review of security requirements engineering, and there is not, therefore, a sufficiently good context in which to operate. In this paper we carry out a systematic review of the existing literature concerning security requirements engineering in order to summarize the evidence regarding this issue and to provide a framework/background in which to appropriately position new research activities.

Security Culture in Small and Medium-Size Enterprise

The information society depends ever-increasingly on Information Security Management Systems (ISMSs), and these systems have become vital to SMEs. However, ISMSs must be adapted to SME’s specific characteristics, and they must be optimised from the point of view of the resources which are necessary to install and maintain them. Furthermore, when installing ISMSs, the majority of models have until now been centred on technical and management aspects, and the third aspect, which is institutional and is of particular relevance to SMEs, has been virtually ignored. In this paper we present the importance of the security culture for SMEs, along with our proposal to introduce this concept into SMEs in a progressive and sustainable manner. The model is currently being applied in real cases, thus leading to a constant improvement in its application.

Managing the Asset Risk of SMEs

The information society is becoming increasingly dependent on systems for managing and analyzing the risk to which its main information assets are exposed and having access to these systems has become vital for the evolution of SMEs. However, this type of company requires the systems to be adapted to their special characteristics and to be optimized from the point of view of resources required to set them up and maintain them. This article presents a proposed method for carrying out risk analysis adaptation, which is suitable for SMEs, set within the framework of the methodology for security management in small and medium-sized enterprises (MSM2-SME). This model is being applied directly to real cases, and therefore its application is constantly being improved.

Practical approach of a secure management system based on ISO/IEC 17799

For enterprises to be able to properly use information and communications technologies, it is necessary to have guides, metrics and tools that allow us to always know the level of our security and the points in which we are not covering it. In small and medium-size enterprises, the application of security standards has an additional problem, that is, the fact that they do not have enough resources to perform an appropriate management. In this article we analyze some of the existing maturity models and we compare them to the maturity model we are applying in practice. Finally we introduce a first approach to a scoreboard which is being developed as part of a security management tool for IT systems. This approach is being directly applied to real cases and it is obtaining a constant improvement in its application.

Content related to Computing Security on Computer Engineering Degree according to International Professional Certificates

Companies and professionals are currently demanding increasingly more specialized profiles, and it is therefore desirable for future graduates to have obtained one or more international professional certificates in computing security and auditing, or to at least to have received the preparation required to obtain them. It is therefore of the utmost importance that new studies be focused on professional needs without losing the scientific rigor demanded in engineers. If this objective is to be achieved, it is fundamental that these new study plans be oriented toward facilitating the attainment of these professional certificates. In this paper we establish transversal guidelines for the implementation of content related to computing security in all the subjects, materials and modules of the new degree in Computer Engineering. This will fit perfectly with the material already being taught, will be an enriching element and will allow students to obtain the basic minimum knowledge on security required by any computer engineer from the beginning of their education. The security-related content that is required to be taught during the degree course will additionally be focused on industry and present-day society by means of existing professional security and auditing certificates that will provide future professionals with the knowledge and skills needed as regards security.

Health Ontology and Information Systems: A Systematic Review

One of the most important aspects for the development of information systems is that they were interoperable, so many initiatives consider that ontologies as useful tools for their development, especially when the application is in complex and dynamic domains as the case of health. In this article, a systematic review (SR) of the existing literature related to ontologies used in the health sector is carried out, not only to interpret and synthesize the available studies but also to provide a framework as a basis for conducting new researches. Recent publications (2010- 2016) in which topics such as the use and impact of ontologies in the development of information systems are discussed, taking into account the organizational objectives and the involved stakeholders were considered. The number of published studies shows a growing interest by researchers because they consider ontologies artifacts that facilitate interoperability, understanding of information and communication structures.

The Importance of the Security Culture in SMEs as Regards the Correct Management of the Security of Their Assets

The information society is increasingly more dependent on Information Security Management Systems (ISMSs), and the availability of these kinds of systems is now vital for the development of Small and Medium-Sized Enterprises (SMEs). However, these companies require ISMSs that have been adapted to their special features, and which are optimized as regards the resources needed to deploy and maintain them. This article shows how important the security culture within ISMSs is for SMEs, and how the concept of security culture has been introduced into a security management methodology (MARISMA is a Methodology for “Information Security Management System in SMEs” developed by the Sicaman Nuevas Tecnologias Company, Research Group GSyA and Alarcos of the University of Castilla-La Mancha.) for SMEs. This model is currently being directly applied to real cases, thus allowing a steady improvement to be made to its implementation.

Development of an Expert System for the Evaluation of Students’ Curricula on the Basis of Competencies

The concept of competence, which emerged during the reform of computer engineering degrees, has not brought benefits to companies when attempting to select the most suitable candidates for their jobs. This article aims to show some of the research that has been conducted to determine why companies have not found these skills useful and how both can be aligned. Finally, we show the development of an Expert System that will enable companies to select the most suitable candidates for their jobs, considering personal and social skills, along with technical knowledge. This prototype will serve as a basis to align the competencies defined in the curricula with professional requirements, thus allowing a true alignment between degree courses and the needs of professional companies.

Applying the Action-Research Method to Develop a Methodology to Reduce the Installation and Maintenance Times of Information Security Management Systems

Society is increasingly dependent on Information Security Management Systems (ISMS), and having these kind of systems has become vital for the development of Small and Medium-Sized Enterprises (SMEs). However, these companies require ISMS that have been adapted to their special features and have been optimized as regards the resources needed to deploy and maintain them, with very low costs and short implementation periods. This paper discusses the different cycles carried out using the ‘Action Research (AR)’ method, which have allowed the development of a security management methodology for SMEs that is able to automate processes and reduce the implementation time of the ISMS.

LOPD Compliance and ISO 27001 legal requirements in the Health Sector

In a society based on information, the Safety Management Systems (ISMS) are increasingly critical for businesses. Within the Management of Information Security issues are very critical in certain sectors, such as the processing of personal data for the Health Sector, where a bad use of them can mean irreparable damage to their owners and organizations are obligation to protect them. This paper presents a real case of success that allowed to solve issues related to privacy of patient information at the time of making the quotation of these consultations, as well as compliance with the Organic Law for the protection of Personal Data (OLPD) in environments health and other benefits of the implemented solution.