You are on page 1of 10

International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 17 (2017) pp.

© Research India Publications.

Experience in Applying the Analysis and Risk Management Methodology
called MAGERIT to Identify Threats and Vulnerabilities in an Agro-
industrial Company

Ricardo Guagalango Vega, 2Rubén Arroyo and 2,3,*
Sang Guun Yoo

Centro de Posgrados, Universidad de las Fuerzas Armadas ESPE, Av. General Rumiñahui s/n, Sangolquí, Ecuador.

Departamento de Ciencias de la Computación, Universidad de las Fuerzas Armadas ESPE, Av. General Rumiñahui s/n,
Sangolquí, Ecuador.

Facultad de Ingeniería de Sistemas, Escuela Politécnica Nacional, Ladrón de Guevara, E11-253, Quito, Ecuador.

ORCID ID: 0000-0003-1376-3843, Scopus Author ID: 36187649600

Abstract Security Investment (ROSI) [4] i.e. analyzing the economic
benefits that the investments could deliver to the organization.
The present work focuses on sharing our experience in applying
This is possible by executing the risk analysis that allow to
the methodology MAGERIT to identify threats and
understand the vulnerabilities and threats that the company
vulnerabilities that could be materialized in risks and affect
owns and the security measures that will allow to prevent or
company’s financial statements. The present work was
avoid the detected risks [5].
executed in a real company of the Agro-industrial field. The
research results indicate that the application of ISO/IEC In this paper, we share our experience in executing the risk
270000 standard with the help of MARGERIT and PILAR is analysis of an Agro-industrial company in Ecuador that handles
an excellent combination for identifying the risks and critical and sensitive information. Along this paper, we will
proposing the controls to mitigate them, to improve the demonstrate how a systematic methodology can help the
Information Security Management of an organization. detection of threats and vulnerabilities to then establish
prevention and correction measures.
Keywords: MAGERIT, PILAR, risk analysis, vulnerabilities
The present paper is organized as follows. First, section 2
explains briefly the standards, methodology and tool used for
INTRODUCTION this research. Then, section 3 details the security risk analysis
Security have become an important area since organizations are executed in the mentioned company. Later, section 4 discusses
managing more valuable assets, such as databases and and evaluates the results obtained in section 3. Finally, section
information systems, each day. This is the reason why many 5 concludes this work.
researchers have focused in providing different security
solutions in different areas [1-3].
In this aspect, organizations that develop their security
For the management of Information Security, there are a
strategies for the digital business must consider that
worldwide standard called ISO/IEC 27000 [6-8] which aims to
Information Security not only applies to technology, but it also
establish the minimum requirements to comply with an
involves the processes and people who are part of the company.
Information Security Management System (ISMS). The
It is imperative to mention that many companies are reactive
standard ISO/IEC 27000 was developed by a Joint Technical
towards information security and implement computer
Committee of the International Organization for
solutions that generate significant expenses which are not
Standardization (ISO) and International Electrotechnical
reflected in return on investment. To justify the security
Commission (IEC) and it comprised of a series of standards.
investments, it must be done by measuring the Return on


Subsequently. development and maintenance. At this stage. http://www. Assess the risk. (14) Information security incident Technology and Information is compliant with 62% of most of management [12]. and with external requirements. such as laws. a tool called users who generated the information and block PILAR (developed by the Centro Criptológico Nacional) can the possibility of impersonation. it was necessary to verify the genuineness of the Additionally. the damage to the asset due to b. a. The results indicates that the Department of Supplier relationships. execution of risk analysis. Establish safeguards or controls to mitigate. Determine safeguards or controls that can mitigate the authorized collaborators to access to the identified threats and their effectiveness. Information Security of the Company. (MAGERIT) v. PILAR tool allows to measure the it would cause their degradation. accept. Authenticity (represented by [A]): It identifies When applying the methodology MAGERIT. we also have applied the ISO/IEC 27002 which obtained results. and what detriment or cost ii) Valuation of assets. and (16) Compliance with internal necessary controls have not been applied to strengthen the requirements. contemplates the following phases: 1. transformed for each domain with true/false answers to (10) Operations security. 6742 . Number 17 (2017) pp. value of each asset based on the following dimensions: 2. Establish threats to which the identified assets are exposed. methodology to carry out the risk analysis based on the Additional to ISO/IEC 27000. 4. that allows a systematic threats that could exploit those vulnerabilities. Fig. This methodology. eliminate or transfer risks that have a high impact. Estimate the impact i. After identifying the main governmental organization called Consejo Superior de assets of the technological area. International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12. for information security management. For this purpose. 1 below shows the Systems acquisition. (13) obtained results. (12) evidence the percentage of compliance. Availability (represented by [D]): It ensures 3. Integrity (represented by [I]): It protects data and the materialization of a threat information from unauthorized modification or deletion. [15]. to improve the security processes of the Company. (9) Physical and environmental security. (15) Information security aspects of business the ISO/IEC 27001 domains. so it was imperative to apply the MAGERIT delivers the good information security practices [13]. using the impact formula weighted with the occurrence rate of the threat. Identify the assets with the greatest relevance and value to the organization. Such tool has a standard library capable to generate ratings based on the international ISO/IEC 27002 standard.e. (5) Access control. such as policies. It also indicates that the 38% of continuity management. MAGERIT is a methodology created by the Spanish identified to analyze their risks. the Methodology of Analysis following process: and Management of Risks of Information Systems i) Identification of information assets. The controls security. d. (11) Communications security. (4) Asset For the development of this paper. information and assets when they require them.ripublication. we have used the principal IMPROVEMENT OF INFORMATION SECURITY and most important standard denominated ISO/IEC 27001 [9] PROCESSES which contains the requirements of the Information Security First. interviews and Organization of information security. c. it was Management System (ISMS) and it is distributed in 14 domains necessary to know the current situation of the Department of [10] which are: (1) Information security policies. 5. be used. 6741-6750 © Research India Publications. Confidentiality (represented by [C]): It ensures information/assets access only to authorized users 6. (3) Human resource surveys were carried out to the personnel.3 [14] was also used to make a better risk technological assets relevant to the Company were analysis. these were entered to the Administración Electrónica to meet their corporate strategic PILAR tool to know their main vulnerabilities and the objectives. (6) indicated in ISO/IEC 27001 were taken and questions were Cryptography [11]. The e. (2) Technology and Information. Traceability (represented by [T]): It make ISO/IEC 27002 standard includes the code of good practices possible to track who did what and when [17].

com ISO/IEC 27001 Compliance TOTAL 38 62 Compliance 40 60 Information security aspects of business… 0 100 Information security incident managment 60 40 Systems acquisition. development and… 40 60 Access control 44 56 Operations security 55 45 Phsycal and environmental security 27 73 Human resources security 44 56 Asset management 17 83 Organizational of information security 13 87 Information security policy 50 50 0 20 40 60 80 100 NO YES Figure 1: Percentage of Compliance of ISO/IEC 27001’s Domains Figure 2: Identification and valuation of assets  Nature threats. such as earthquakes. etc. fire. PILAR  Accidents caused by people. Number 17 (2017) pp. International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12. floods. http://www. 6741-6750 © Research India Publications. This stage identifies the threats defects in its design or its implementation). Planning (ERP) and databases. such assets for the organization are: Enterprise Resource as pollution. People with tool includes a library with the most common threats.ripublication. 2 shows the identified assets generated by PILAR with their valuation. such access to the information system can cause as: unintentional problems.  Defects of applications/equipments (due to iii) Threats identification. that may have an impact on information assets. breakdowns. Fig. among others. 6743 . either by mistake or by omission. electrical failures. Such figure indicates that the most valuable  Environmental threats (industrial origin).

24] Depletion of the system due to resource depletion 10 10% . - [A.21] Errors of maintenance / Software update 10 10% 1% . 30% . dimensions indicated before in this sections. 100% .5] Impersonation of identity 0. . 90% . . (1=once a year.18] Destruction of information 1 . People with access to the information system the frequency of such threats can also be observed can cause problems intentionally. - [E. Number 17 (2017) pp. . - [E. .20] Vulnerabilities of programs (software) 1 .ripublication. 20% [E.22] Manipulation of programs 1 10% 100% 100% .1] User Errors 1 . 6741-6750 © Research India Publications. http://www.3] Manipulation of activity logs 100 .2 . 10% 10% . 10=monthly. . - [E. 10% [A.11] Unauthorized access 1 . 0. organized by the the company). 10% 10% . - [I. this probability of occurrence was defined Tables 1 and 2 show the main threats to the most critical by the guidance of the technology department’s staff of information assets of the company.8] Diffusion of harmful software 1 80% 10% 10% .15] Modification of information 1 40% 90% . - [E.13] Repudiation (denial of actions) 1 .2] System Administrator or Security Errors 1 30% 20% 20% . 100=daily. 60% [E.6] Abuse of access privileges 1 . .2=every several years. - 6744 . - [A. 10% [  Problems caused deliberately by people.3] Monitoring errors (log) 1 . 100% 100% 100% 10% [A. 10% [E.15] Alteration of information 1 10% 10% 100% 10% 20% [E. International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12. . - [A. . . 10% 10% 100% - [A.19] Information leaks 1 . 10% 50% 100% - [A. 20% 20% . 50% . . . . . .7] Unplanned use 1 . . .5] Fault of physical or logical origin 1 .24] Denial of Service 1 100% . - [A. - [E.9] Interruption of other essential services or supplies 1 20% . . In the tables. 20% [A.18] Destruction of information 1 20% 100% 30% . 1% . 60% 100% [A. . Table 1: Percentage of impact caused by threats related to the ERP resource Threat Frequency [D] [I] [C] [A] [T] [I.19] Disclosure of information 1 . 30% [A.

The fulfillment and implementation of the calculated for each information asset according to the recommendations will strengthen the security of the related threats and dimensions. 10% 10% 100% - [A. 20% [E. Company.24] Denial of Service 1 100% .13] Repudiation (denial of actions) 1 . . - [I. . 40% 40% . - [A. 100% .19] Disclosure of information 1 .3] Manipulation of activity logs 100 . 10% 10% .18] Destruction of information 1 .1] User Errors 1 . . 10% [A. shows the list of the assets with the highest possible to establish the Table 2: Percentage of impact caused by threats related to the Database resource Threat Frequency [D] [I] [C] [A] [T] [I.8] Diffusion of harmful software 1 80% 40% 10% . International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12. .24] Depletion of the system due to resource 10 10% . 20% [A.5] Fault of physical or logical origin 1 . 6745 . - supplies [E. . 10% [E.18] Destruction of information 1 20% 100% 30% . - iv) Impact and risk.21] Errors of maintenance / Software update 10 10% 1% .ripublication. 60% 100% [A. it is Figure 3. . . . - [A. . . 100% 100% 100% 10% [A.2 .9] Interruption of other essential services or 1 20% . The results the measure of the damage on the asset derived from the obtained using the PILAR tool indicate the level of materialization of a threat [17].15] Modification of information 1 40% 100% . 20% [E. 10% 20% . 10% 50% 100% - [A. Number 17 (2017) pp. 30% [A.6] Abuse of access privileges 1 . . . which can be defined as valuation with highest criticality levels. . 60% [E. it is possible to identify the impact be applied are associated with the controls of ISO/IEC that these would cause on the system. 100% . . - [E. http://www. - [E. .15] Alteration of information 1 10% 100% 100% 10% 20% [E.22] Manipulation of programs 1 10% 100% 100% .3] Monitoring errors (log) 1 . . 90% . With the information of threats.5] Impersonation of identity 0. - depletion [A. - [E. - [E. 6741-6750 © Research India Publications. 100% . . Knowing the value of the compliance of the domains of ISO/IEC 27002 standard.7] Unplanned use 1 .20] Vulnerabilities of programs (software) 1 .19] Information leaks 1 .11] Unauthorized access 1 . - [A.2] System Administrator or Security Errors 1 30% 60% 90% . . 90% . It assets (in their different dimensions) and the degradation is important to consider that the safeguards or controls to caused by the threats. The impact is standard.

International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12. each type is protected in a different way. pre-production tests. e. anti-virus.g. valuation of safeguards. (3) If there The safeguards will be applied to those domains with a lower are alternative or additional safeguards. (1) The type of assets to be protected. 6741-6750 © Research India Publications. The damage is repaired and reduced. incident management. it is necessary to  [DC] Detective: The event is reported when an attack consider the following aspects for the identification and occurs. greater risks. It should be noted that there are different types of protection provided by safeguards [17]: 6746 . (4) Focus on the percentage of compliance of ISO/IEC standard since they have most important risks. e. 4 shows (in percentages) the current situation and the  [PR] Preventive: When the chances of an incident expected goals to be achieved by applying the safeguards occurring are Figure 3: Accumulative risk assessment Figure 4: Domain Compliance Percentages of ISO/IEC 27002 Standard Fig.g. http://www. In this phase.  [CR] Corrective: Executed after damage. (2) Threats to which the asset requires protection.ripublication. v) Application of safeguards. These domains are as follows. e. indicated by the software PILAR.g. Number 17 (2017) pp.

 “Information security policies should be reviewed at planned intervals or if significant changes occur to ensure their continued suitability.3] Recovery targets should be established for each critical process Recovery Time Objective (RTO) [20]  [BC.6.SW.BIA] There must do a Business Impact Analysis (BIA) [19].  [14. diversions.3. Safeguards to be applied The information security policy should have the following activities:  [G. Safeguards to be applied  [BC. adequacy and effectiveness”.6] Be regularly reviewed. approve.3. a series of policies for information security”. http://www.  [ DOMAIN: INFORMATION SECURITY POLICY Current: 10% Goal: 50% ISO/IEC 27001 Controls  “Management must define. Safeguards to be applied  [NEW. For instance: During a crisis or disaster.S.4] All the personnel that are part of the organization must have access to the documents.4] Recovery targets should be established for each critical information Recovery Point Objective (RPO) [20].4.  [G.2. DEVELOPMENT AND MAINTENANCE Current: 13% Goal: 50% ISO/IEC 27001 Controls  It should include the security of the information related to the requirements in the requirements of new information systems or in the improvement of existing information systems.BIA. Number 17 (2017) pp.3.  You must protect the information that comes from the transaction services application.  The organization must verify the controls of the continuity of the information security established and implemented.2] There must be procedures to control changes in systems.  The organization shall establish. procedures and controls to ensure the required level of continuity of information security during an adverse situation.4.9] There must be user acceptance tests for systems that go into production by external suppliers [18].3. 6741-6750 © Research India Publications.  [14.ripublication. International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12.3.  [NEW. and disclosure and unauthorized modifications.3. duplicate or unauthorized reproduction of messages. 6747 .3.BIA.  [BC. implement and maintain processes. Date of implementation: September 2017 DOMAIN: INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGMENT Current: 17% Goal: 50% ISO/IEC 27001 Controls  The organization must determine its requirements for information security and for the continuity of information security management in adverse situations.  [14. contractual disputes.  [G.  [NEW.  [G.2. Date of implementation: Immediate DOMAIN: SYSTEMS ACQUISITION. at regular intervals with the purpose of assuring its validity and effectiveness during adverse situations.1] Be approved by the Information Security Committee  [G.3] There must be technical revisions of the applications after making changes to the operating system.  Information that passes through public networks should be protected from fraudulent activities.  [14.2.3.S.3.4] There must be restrictions on changes to software packages.2] There must consider identification and authentication requirements.1] There must access control requirements must be considered.BIA.3.2] The assets involved in critical processes must be identified.2.3] Specify the responsibility of the people regarding their compliance and violation.2] Specify what is proper use and misuse. to avoid incomplete transmissions. document.2] There must be a separation of functions between the personnel that develops and the personnel in charge of production.6. publish and communicate to the workers and external parties involved.

com  [BC.3] Tests should be performed and the incidents detected should be analyzed as if they had occurred on the base system. 5 and 6 show the impact and residual risk results after applying safeguards recommendations. Number 17 (2017) pp.  [17. Figure 5: Residual impact analysis Figure 6: Residual risk analysis Figure 7: Evolution phases of ISO/IEC 27002 Standard 6748 .1. 6741-6750 © Research India Publications. International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12.2.2.ripublication. Date of implementation: December 2018 vi) Impact and residual risk analysis. Fig.  [BC. http://www. It allows to measure the modification of impact and the risk from a potential value to a residual value.DRP] There must generate a Disaster Recovery Plan (DRP) [21]. This is the last stage and it allows the analysis of results after implementation of the safeguards.1] There must be redundancy to ensure the availability of information processing resources [22].

[1] Yoo. To reduce the identified risks Publications. International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12. p. the level CONCLUSIONS of evolution of ISO/IEC 27002 standard improved This paper has identified a methodology called MAGERIT and significantly. management was set to 50% (from 17%). The first phase Security and Communication Networks. S. pp. It is important to consider that these results were obtained through interviews and REFERENCES questionnaires with the staff of Technology and Information. security in environments development. International Conference on Hybrid Information Technology. After applying the mentioned safeguards or controls. pp. 2016. "Processing encrypted data. &. 2011. 27002 for Information. "Information Security Challenge occurrence of threats related to impersonation. field of information systems. A. When considering safeguards. issue consisted on identifying and valuing the main assets.. “A Performance the improvement process of the information security and Usability Aware Secure Two-Factor User management. acceptance tests. This process allowed to Based on the obtained results. This will allow the [11] Ahituv.. T. R. 2005. 9. "Information Security based on ISO applications after making changes. 30(9). 2010. it was necessary to start [3] Yoo.. On the report allowed investors and executives to be informed of other hand. Lee.. 2.A Management Guide. J. Doi: 10.” necessary to carry out the risk analysis. malicious and Breaches: Novelty Approach on International software dissemination. The risk analysis management with 83% (in the current situation phase).. use of engineering principles in systems ed. 1452-1461. The domains 10. modification in 175-187. 27001 and tests during the development of systems. Yoo. ensuring the secure software development. J. p. 163. 2012. This was able by identifying the domains of Authentication Scheme for Wireless Sensor ISO/IEC 27001 standard with the highest percentage of non- Networks. services. p. p.” improvement of security level from 10% to 50% was set as the New York. and Kim. “Information Security Risks the domain of Systems acquisition. "Audit for Information Systems of Information security aspects of business continuity Security. H. “Confidential In order to have a greater degree of certainty of results. investment (ROSI)-a practical quantitative model. 2013. Number 17 (2017) pp.. 2013. in this 12. “Security were detected as more valuable ones. Fig. W. 1987. 45-56. which means that no type of control had been applied. T. management with 100% of non-compliance. 142-152. pp. 2-5. "Information Security Policies." Reserach disasters and security breaches.. and Kim. S. K. the current situation of Information Security in the Department of Technology and Information of a real company applying the ISO/IEC 27000 standard. Company to be prepared for possible risks such as natural Communications of the ACM. 6741-6750 © Research India Publications. 43.. protection. Journal of Engineering and Technology. T. operating systems. 85. databases were strengthened by Information Security. The mentioned controls allowed to reduce the possibility of [9] Susanto." Second packages chances.516 phase the Enterprise Resource Planning (ERP) and Databases [2] Park. 2009." Auerbach Publications. Vol 5." 14(1). etc. restrictions on software 27001 / ISO 27002 . applications. Similarly. J. Threats that primarily Requirements Prioritization Based on Threat. “Return on security Security Policy with 10%.” degraded assets were impersonation. R. N. expected goal of this domain.. p. functional [8] [Disterer. Contribution. spreading harmful Modeling and Valuation Graph. H. Van Haren Publishing.. it was possible to observe that report safeguards and controls to mitigate threats and to know the domains with the highest percentage of compliance were the maturity level of each domain of ISO/IEC 27001 standard Organizational of information security with 87% and Asset of the analyzed Agro-industrial Company. Smilar goal was established with [5] Peltier.1155/2013/543950 detected with lower percentage level was the Information [4] Sonnenreich. F. A. pp. S. This work also complemented such EVALUATION OF RESULTS AND DISCUSSION analysis by using the PILAR software. and Standards: Guidelines for Effective infrastructure. Park. G. 2006.. M. Procedures. 2012. K. http://www. To improve the security of these assets... the domains with the lowest degree of compliance required investments related to the Information Security with was Information security aspects of business continuity the best Return on Security Investment. 6749 . control procedures in systems. 7 shows the maturity levels from the current it was used to perform the risk analysis focused on assessing situation to the situation recommended by PILAR.” Second ed. of ERP application and Databases. and Kim. pp.. Proceedings of software.1002/sec. DOI: and establishing the necessary safeguards...” International Journal of Distributed compliance extrapolated with the assets with the highest threats Sensor Networks 2013(2).ripublication. the goal of percentage of compliance of the domain [10] Suduc. and program manipulation. the domains related to the [6] Peltier. 4." Scientific Research. technical revisions of [7] Calder.. development and Analysis. and manipulation of programs. Auerbach maintenance from 13% to 50%. "ISO/IEC 27000. " Vol. it was information protection system for mobile devices.

S." Procedings of the J. Vol." 5th IFIP International Conference on Network Control & Engineering for QoS. [18] Sualim. 59-62." In Proceedings of the 13th International Conference on Extending Database Technology. 46(8). [17] Bass. 6741-6750 © Research India Publications. [22] Huffman. J. P. http://www. 2003. 2010." In Fast. 6750 . 2006. [20] Keeton. [16] Withman. A.. "Disaster recovery planning: a strategy for data." Information & Management. 40(9). pp. D. pp. pp.. 1952. A revision of models and methodologies. S. p. 51(1). "Designing for disasters... 2001. 9.. T. "The risks analysis like a practice of secure.... 6." National Institute of Standards and Technology. [14] Verdún. "A Method for the Construction of Minimum-Redundancy Codes. S. 138-151." International Journal of Software Engineering and Technology." p.48." Information Management & Computer Security.. [19] Radeschütz. 222-229.. pp. International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12. Georgia. [13] Sojčík.R. M." Kennesaw. 2017. [21] Hawkins. K. 1098-1101. pp. p. 2014. 1-10. 4. "Standards for security categorization of federal information and information systems. [15] Zevin.E. Number 17 (2017) pp. 2(2).com [12] Baskerville. 1-4. 8. Vienna. pp. R. Security and Mobility.ripublication. 2009. "Incident-centered information security: Managing a strategic balance between prevention and response. "Enemy of the gate: threats of information security. "Defense-in-depth revisited: qualitative risk analysis methodology for complex network-centric operations. 2012. 2000. 2004. S. "BIAEditor: matching process and operational data for a business impact analysis. Madrid... "Tools for information security managment." Milcom 2001. "Comparative Evaluation of Automated User Acceptance Testing Tool for Web Based Application. Vol.