Maturity Model For Information Access Management of Peruvian IT Service Providers Based On ISO/IEC 27001 and CMMI Security Controls

Abstract—In the current context of increasing cyber threats to Latin American IT service providers, the cost of data breaches is expected to increase 31% by 2023, which highlights the urgency of strengthening security practices. Therefore, it is proposed to improve maturity in access management, with the development of a model based on ISO/IEC 27001:2022 designed for Peruvian IT service providers. The study consists of three stages: analysis, design, and validation. In the first stage, a comparative analysis is made between success factors, cybersecurity aspects, maturity models and access management mechanisms. The second and third stages cover the model building phases according to De Bruin's methodology. In the second stage, the evaluation scope and the level structure according to CMMI are defined, as well as the criteria of the model, where the evaluation is based on a user life cycle, type of access and regulatory compliance. Finally, in the third stage, the model is validated by experts in the field and deployed in an enterprise in the sector. The results obtained from the validation showed that "understandability", "usefulness and practicality", "accuracy", "comprehensiveness", "sufficiency", "relevance", "usability" and "accuracy" obtained an average rating of 4.6 (agree). Finally, with respect to the implementation of the proposed model, the elimination phase had a maturity index of 0.14, which placed it at an initial maturity level. On the other hand, the other phases exceeded an index of 0.55, placing them in the three highest levels of maturity achievable. In this way, an improvement proposal for the enterprise was made and accepted.

I. INTRODUCTION

As IT evolves and the value of information increases, so do the threats, vulnerabilities and risks that beset organizations. Attackers, who constitute a form of threat, seek to exploit vulnerabilities with diverse objectives, which can range from affecting technological infrastructure to accessing organizational information or data for various malicious purposes. During 2023 the cost of data breaches in Latin America increased 31% over the previous year, representing a warning of great negative impact for all companies. Such incidents occur when attackers use various methods to exploit vulnerabilities and gain access to confidential information. Among the most common external attack vectors are those that generate unauthorized access, such as phishing (16%) and credential theft (15%). In contrast, the least frequent attack vectors were those of internal origin (6%); however, these generated the most significant losses for the companies [1]. Although there are several standardized sources of good security and cybersecurity practices, there is significant difficulty in interpreting them due to their very general and non-prescriptive nature, which seeks to cover a wide range of business contexts [2].

Similarly, maturity models, being ideal tools for measuring process performance, have been criticized for their lack of clarity and consistency in defining maturity levels and assessment criteria, which limits their usefulness and effectiveness [3]. Also, the organizational uniqueness and technological complexity of each enterprise can make it difficult to implement authorized access controls, because the adoption of these controls requires changes in the operation and new learning for employees, which can generate resistance to change [4].

This is how several studies, through different proposals, try to improve the mitigation of existing gaps in security controls, such as proposing maturity models for each context of the organization in order to detect weaknesses and establish future improvements [3], or identifying success factors in the organization that allow the good performance of security controls and establishing strategies based on them [5]. However, these studies expand on the generality of all the controls that make up an organization's information security (IS) and cybersecurity, which limits the improvement of each individual control and management process.

For this reason, this study proposes a maturity model for information access management in Peruvian IT service providers based on ISO/IEC 27001 security controls [6]. The model will consist of the following phases: Scope (i), Design (ii), Populate (iii), Test (iv), Deploy (v) and Maintain (vi).

II. RELATED WORK

For the analysis of the related works, we performed a systematic review of the literature based on the following steps [7]: planning, development, and analysis.

In the "planning" phase, research categories were defined based on the following questions: What organizational factors are determinant for the success of controls focused on information security? (Q1) What cybersecurity aspects impact the performance of controls focused on information security? (Q2) What maturity models currently exist for the evaluation of information security oriented to access management and what deficiencies do they present? (Q3) What mechanisms exist for access management in an organization? (Q4). In the "development" phase, keywords such as "maturity model", "security information", "access management" and "access control" were defined. Also, the scientific database engines consulted were Scopus, Web of Science and IEEE, considering articles after 2019. In the "analysis" phase, a taxonomy was elaborated in which the literature obtained was classified according to its contribution to the questions posed in the first phase (see Table I).

TABLE I. TAXONOMY OF ARTICLE DISTRIBUTION BY CATEGORY

Taxonomy                               References
Organizational success factors (Q1)    [8] [9] [10] [5] [11] [12] [13] [14] [15] [16] [17] [18]
Cybersecurity aspects (Q2)             [11] [13] [12] [14] [16] [18]
Maturity Models (Q3)                   [2] [3] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28]
Access Management Mechanisms (Q4)      [29] [30] [31] [32] [33] [34] [35] [36] [37] [38] [39]

A. Organizational success factors

We identified five organizational success factors that influence information security: human resources, technological complexity, organizational complexity, risk management and vulnerability management. In [5], [10] it is argued that the "human resource" is the main factor responsible for executing security controls from start to finish, and that its performance can be optimized through training and awareness-raising, strengthening the most vulnerable link in the organization. Regarding the "technological complexity" factor, [12] mentions the variability of technological infrastructures among organizations and emphasizes the need to implement technical controls, previously analyzed by a specialized area under a risk perspective, and to have technically specialized personnel. Regarding the "organizational complexity" factor, several authors argue that it is important to consider some characteristics of an organization, such as organizational size [13] and industry [10], for the design of controls, since there is no possibility of changing them from the security position [5]. With respect to the "Risk Management" factor, several authors argue that it is a process present in many organizations, where different methodologies are used to address risk through prevention, tolerance and exposure by means of the ISO/IEC 27001 and NIST CSF standards [40]. According to the "Vulnerability Management" factor, in [18] organizations usually deal with vulnerabilities by associating them with technical aspects. Such management can only be highly efficient if the organization is aware of all its assets and infrastructure.

B. Cybersecurity aspects

On the other hand, four aspects of cybersecurity have been identified that are highly related to the performance of information security controls: technological controls, cybercrime legislation, organizational aspects and specialized teams. Referring to "technological controls", in [11], [18] technical security measures in emerging technologies such as IoT were analyzed for risk mitigation. Regarding "cybercrime legislation", [12], [18] addressed the need for a local regulatory body to promote a cybersecurity capacity assessment guide in organizations. For the "organizational" aspect, in [14] it is argued that cybersecurity measures should include the participation of all areas of an organization and ensure coordination in the event of incidents. Also, regarding "specialized teams", [13], [16] argue that organizations must have specialized areas for the execution of security and cybersecurity controls, which must be continuously trained and capable of responding to incidents and emergencies.

C. Maturity models

We have identified the use of three maturity models published by international institutions and associations for the evaluation of the performance of information security controls in different small and medium-sized organizations: C2M2, COBIT and CMMI. Regarding "C2M2", studies such as [2] analyze the application of the cybersecurity capability maturity model to evaluate security technology controls, where it was highlighted for its use together with other cybersecurity frameworks. Similarly, regarding "COBIT", research by [25] analyzed the application of the maturity model proposed by the framework, based on its information technology (IT) governance essence, and its usefulness in highlighting areas for improvement in critical processes was appreciated. In addition, regarding "CMMI", [26], [27], [28] analyzed the use of the model for process improvement and recognized the flexibility in its application, adapting better to the different requirements and contexts of each organization.

D. Access Management Mechanisms

We identified three mechanisms used by companies to define their access management process for the systems that are part of their organization: access control model, access and identity management, and privileged user management. With regard to "Access Control Models", organizations use, according to their organizational aspects, models such as Role-Based Access Control (RBAC) [29], [31], [34], Mandatory Access Control (MAC) [30] and Discretionary Access Control (DAC) [29]. Complementing the use of the different access control models, organizations employ cybersecurity capabilities such as the practice of "Access and Identity Management"; in this respect, [36], [37], [38] study the controls and mechanisms for the correct use of applications and data. Likewise, in [39] the controls and risks present in "Privileged User Management" were analyzed, where the criticality of handling superusers and privilege management in the systems of the organizations is highlighted.

III. PROPOSED MODEL

This section presents the maturity model oriented to the access management of Peruvian IT service provider companies, based on ISO/IEC 27001:2022 and CMMI.

According to [41], for the development of a maturity model it is important to consider the maturity levels of the model. For this purpose, there are two variations: the fixed-level model and the focus area model. The former is a model with linear stages that results in a maturity level according to the average of the assessment. The second is built by capabilities and can include any number of levels. Since the present study aims to develop a maturity model to serve as a basis for the assessment of access management in organizations, a fixed-level model is chosen.

For this purpose, the De Bruin methodology [42] will be applied, which consists of 6 phases: (i) Scope, (ii) Design, (iii) Populate, (iv) Test, (v) Deploy and (vi) Maintain. Phase I delimits the process in which the maturity level assessment will be carried out. In phase II, the security frameworks are defined, as well as the structure of the maturity model on which the proposal will be based. In phase III, the evaluation criteria for each
maturity level are defined. The model will be validated under expert judgment in phase IV. In phase V, the model will be deployed in a proposed case study. Finally, in phase VI, the results obtained will be evaluated by validating the model against the case study (see Fig. 1).

Fig. 1 Phases of the De Bruin methodology [42]

A. Phase I: scope

The proposed maturity model will be focused on Peruvian IT services companies, and its main scope is to evaluate their information access management process using different security frameworks.

As a result of the literature review conducted in section II of this study, three information security frameworks were selected. As the first framework, ISO/IEC 27001:2022 was selected because of its certifiable international status and its ability to establish information security controls. Likewise, NIST CSF will be used as it has a risk and incident assessment clearly focused on cybersecurity, in addition to the fact that the use of the framework is customizable for each enterprise. Finally, COBIT [43] will be used because it focuses on Information Technology (IT) governance and control.

B. Phase II: design

For the design of the maturity model, the levels are defined according to CMMI [44], highlighting its structure designed by stages and its flexibility for the evaluation of access management. Table II shows the five maturity levels with their description, in which each level represents a key milestone in the development of access management, providing a clear framework of compliance identified in the current state of the enterprise.

TABLE II. MATURITY LEVELS AND THEIR DESCRIPTION

Initial (L1): The organization's processes are ad hoc, so it may have access management processes that are poorly structured or non-existent. Likewise, they do not follow a clear methodology on the life cycle of an access, which can lead to a risk of greater vulnerability in information security.
Managed (L2): The organization is aware of the aspects of information access management and establishes systematic processes.
Defined (L3): The organization has clearly defined and documented its processes related to access management.
Quantitatively Managed (L4): The organization manages the potential risks of the process related to access management and evaluates them according to the impact on privacy. In addition, it establishes monitoring that is used to detect suspicious behavior in access management.
Optimizing (L5): The enterprise has a high level of maturity in access management and information security and is constantly looking for ways to strengthen security controls. Regular tests are conducted to evaluate the effective protection of security controls.

C. Phase III: populate

This phase establishes the criteria to be measured to determine the organization's access management maturity level. The criteria will be defined based on the relationship between the following components: (i) ISO/IEC 27001:2022 requirements regarding access control, (ii) access lifecycle and (iii) types of access.

1) ISO/IEC 27001:2022 requirements: As a first component, an analysis and interpretation of Annex A of the standard was carried out and the following requirements related to access control were selected (see Table III).

2) Life cycle of an access: In this section an access lifecycle is established based on the study of [35] and the Oracle Cloud Infrastructure documentation [45]; Table IV shows the Lifecycle for Managing Users (LMU) phases.

3) Types of access: It is important to define and segregate the evaluation for the different recurring accesses in an organization, because they involve different criteria. In the present section the types of access are determined based on the concepts provided by the COBIT framework and ISO/IEC 27001:2022, resulting in the following (see Table V).

TABLE III. ISO/IEC 27001:2022 REQUIREMENTS [6]

Domain                    Control
Organizational controls   Policies for information security (5.1)
                          Information security roles and responsibilities (5.2)
                          Segregation of duties (5.3)
                          Access control (5.15)
                          Identity management (5.16)
                          Authentication information (5.17)
                          Access rights (5.18)
People controls           Confidentiality or non-disclosure agreements (6.6)
                          Remote working (6.7)
Physical controls         Physical entry (7.2)
                          Physical security monitoring (7.4)
                          Security of assets off-premises (7.9)
                          Storage media (7.10)
Technological controls    User end point devices (8.1)
                          Privileged access rights (8.2)
                          Information access restriction (8.3)
                          Access to source code (8.4)
                          Secure authentication (8.5)
                          Data leakage prevention (8.12)
                          Segregation of networks (8.22)
                          Separation of development, test and production environments (8.31)
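The six LMU phases of Table IV (Create, Activate, Assign, Review, Modify/Deactivate, Delete) and the three access types of Table V can be made concrete as a small account-lifecycle implementation. The following Python code is an added example; it is not part of the paper nor of any framework it cites. The class and method names, the rule that a privileged right on a resource also covers ordinary logical use of it, and the rule that rights must be revoked (P5) before a record is deleted (P6) are assumptions made for illustration. The point it demonstrates is the property Table IV attaches to the Delete phase: the record leaves the central registry, but the trail of who accessed which resource and when is retained, and the Review phase is a query over that same trail.

```python
"""Added example (not from the paper): an account lifecycle that follows the
six LMU phases of Table IV. Names, the right-coverage rule and the
deactivate-before-delete rule are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class AccessType(Enum):
    """The three access types of Table V."""
    PHYSICAL = "physical"
    LOGICAL = "logical"
    PRIVILEGED = "privileged"


class State(Enum):
    CREATED = "P1"       # record exists, no rights yet
    ACTIVE = "P2"        # rights assigned; access checks (P3) apply
    DEACTIVATED = "P5"   # rights revoked, record still present


@dataclass
class UserRecord:
    user_id: str
    identity: dict                                # P1: identification data
    state: State = State.CREATED
    rights: dict = field(default_factory=dict)    # P2: {resource: AccessType}


class AccessRegistry:
    """Centralized user registry plus an audit log that outlives the records."""

    def __init__(self):
        self.users = {}
        self.audit_log = []   # entries: who, action, resource, allowed, when

    def _log(self, user_id, action, resource=None, allowed=None):
        self.audit_log.append({"who": user_id, "action": action,
                               "resource": resource, "allowed": allowed,
                               "when": datetime.now(timezone.utc).isoformat()})

    # P1 Create: register the identity once, in one place.
    def create(self, user_id, identity):
        if user_id in self.users:
            raise ValueError(f"{user_id} already registered")
        self.users[user_id] = UserRecord(user_id, dict(identity))
        self._log(user_id, "create")

    # P2 Activate: grant the rights the role or task needs.
    def activate(self, user_id, rights):
        user = self.users[user_id]
        if user.state is not State.CREATED:
            raise ValueError("only a freshly created user can be activated")
        user.rights = dict(rights)
        user.state = State.ACTIVE
        self._log(user_id, "activate")

    # P3 Assign: only authorized resources are reachable; every decision is logged.
    def authorize(self, user_id, resource, needed):
        user = self.users.get(user_id)
        granted = None
        if user is not None and user.state is State.ACTIVE:
            granted = user.rights.get(resource)
        # Assumption: a privileged right also covers logical use of the same
        # resource; physical access is never implied by a digital right.
        allowed = granted is not None and (
            granted is needed
            or (granted is AccessType.PRIVILEGED and needed is AccessType.LOGICAL))
        self._log(user_id, "access", resource, allowed)
        return allowed

    # P4 Review: audit the trail for users with repeated denied attempts.
    def review(self, threshold=3):
        denied = {}
        for entry in self.audit_log:
            if entry["action"] == "access" and entry["allowed"] is False:
                denied[entry["who"]] = denied.get(entry["who"], 0) + 1
        return {who: n for who, n in denied.items() if n >= threshold}

    # P5 Modify/Deactivate: adjust rights on a role change, or revoke them all.
    def modify(self, user_id, rights):
        user = self.users[user_id]
        if user.state is not State.ACTIVE:
            raise ValueError("rights can only be modified for an active user")
        user.rights = dict(rights)
        self._log(user_id, "modify")

    def deactivate(self, user_id):
        user = self.users[user_id]
        user.rights = {}
        user.state = State.DEACTIVATED
        self._log(user_id, "deactivate")

    # P6 Delete: remove the record but keep the complete access history.
    def delete(self, user_id):
        user = self.users[user_id]
        if user.state is not State.DEACTIVATED:
            raise ValueError("revoke rights (P5) before deleting the record")
        del self.users[user_id]
        self._log(user_id, "delete")

    def history(self, user_id):
        """Per-user trail (who, which resource, when); still available after P6."""
        return [e for e in self.audit_log if e["who"] == user_id]
```

A typical run creates a user, activates logical and physical rights, checks a few accesses (including denied ones), runs `review()` to surface the user with repeated denials, modifies the rights to privileged, deactivates, and finally deletes; `history()` still returns the full trail for the deleted user, which is what an L4 "monitoring to detect suspicious behavior" assessment would rely on.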
TABLE IV. PHASES OF LIFECYCLE FOR MANAGING USERS [35] [45]

Create (P1): In this phase, user records are created and collected. User identification and authentication data are also stored in a centralized system [35] [45].
Activate (P2): In this phase, access rights are assigned to registered users. Specific permissions are configured so that users can access the resources required for their roles or tasks [35] [45].
Assign (P3): In this phase, security policies and controls are implemented to ensure that users access only those resources and data to which they are authorized. This involves the implementation of security and authentication measures [35] [45].
Review (P4): In this phase, continuous monitoring of user access is performed. Access activities are monitored and audited to detect strange behavior or possible security threats [35].
Modify/Deactivate (P5): This phase establishes the activities to be carried out when a user is no longer authorized or their roles change. Access permissions are revoked, deleted or adjusted as necessary [35].
Delete (P6): In this phase, the user is removed from the system; however, a detailed log of all access activities is maintained, including who accessed which resources and when [35] [45].

TABLE V. TYPES OF ACCESS [6] [43]

Physical: Ability of a user to enter the organization's physical facilities, such as offices, data centers, warehouses and others.
Logical: The ability of a user or system to access digital resources, such as computer systems, networks, applications, and databases.
Privileged: A user's capacity to access digital resources by means of certain special privileges that go beyond normal access parameters.

With the components established and detailed, we proceeded to draw up the list of ISO/IEC 27001:2022 compliance criteria according to the six phases of the LMU: P1 (Table VI), P2, P3, P4, P5 and P6 (Table IX). For example, Table VI shows the criteria defined for the "Create" (P1) phase, classified by five levels (L1, L2, L3, L4 and L5) and by the three types of access: physical, logical, and privileged.

TABLE VI. CRITERIA OF MATURITY LEVELS FOR THE PHASE "CREATE" (P1) OF LMU

Type: Physical
L1: Responsible not assigned. No registry.
L2: Responsible defined for registering.
L3: Documented policy and procedure for managing.
L4: Technological controls to register access.
L5: Advanced technologies: biometric identification systems, facial recognition, and behavioral analysis.

D. Phase IV: test

The study is validated in a Peruvian IT service provider enterprise through the participation of a group of experts who occupy different positions in the Information Security Management System (ISMS), in order to obtain an integral validation of access management, approaching the evaluation from different perspectives of the process. The group of experts, belonging to the enterprise, is made up of a Security Officer, an information security analyst, and an IT security analyst.

For the validation process with the experts, the design developed in the "Design" phase is presented and shared with them in order to obtain their appreciation of the proposal by means of a questionnaire based on the survey structure proposed in Salah's study [46]. Table VII shows the questionnaire, made up of 14 questions classified by category, to be validated. The closed questions will be evaluated on a Likert scale (1 = Strongly Disagree, 2 = Disagree, 3 = Neither Disagree Nor Agree, 4 = Agree and 5 = Strongly Agree).

TABLE VII. QUESTIONNAIRE FOR EXPERTS

Category      Question                                                                                              Type
Sufficiency   Q1 Does the model allow you to evaluate all aspects of the processes that make up access management?  Close-ended
Accuracy      Q2 Are there no overlaps/redundancies between maturity level criteria and descriptions?               Close-ended
              Q5 Are processes and practices clearly differentiated?                                                Close-ended
              Q6 Are processes and practices correctly assigned to their respective maturity level?                 Close-ended
Relevance     Q3 Are the processes and practices
                                     Type: Logical                                                                             relevant to access management?            ended
 Responsible       Responsible        Documented Data accuracy Metrics are                   Comprehensivene        Q4          Do the processes and practices           Close-
   for user       and approver          policy and     is measured. periodically                   ss                            cover all aspects affecting or          ended
 creation not        for user         procedure for    Compliance analyzed to                                                 involved in access management?
   defined.         creation.        the creation of        with         identify            Understandability      Q7              Are the maturity levels              Close-
      No            Generic               users.        established opportunities                                                       understandable?                  ended
 nomenclatu       nomenclature      Centralized in a policies and           for                                     Q8           Are the evaluation guidelines           Close-
      re                           specialized area. procedures improvement                                                             understandable?                  ended
                                     Nomenclature is evaluated.                                                     Q9               Is the documentation                Close-
                                    for each type of                                                                                    understandable?                  ended
                                           user                                                  Usability         Q10       Is the scoring system easy to use?          Close-
                                   Type: Privileged                                                                                                                      ended
     Not           Inventoried        Documented           Risk         Regularly                                  Q11          Are the evaluation guidelines            Close-
 inventoried        superusers          policy and      assessment.      analyze                                                         easy to use?                    ended
  superusers                         procedure for:      Personnel metrics data to                                 Q12       Is the documentation easy to use?           Close-
                                    "acceptable use authorized to        identify                                                                                        ended
                                      of superuser use superuser opportunities                Usefulness and       Q13        Is the maturity model useful for           Close-
                                     accounts" and       accounts.          for                practicality                   conducting assessments for the             ended
                                       "creation of   Generation of improvement                                                 access management process?
                                   privileged users" privileged users     in the                                   Q14         Is the maturity model practical           Close-
                                                                        superuser                                                  for use in the IT services            ended
                                                                      usage process                                                        industry?
   In Fig. 2, the results obtained from the validation questionnaire completed by the three case study experts are shown. The results are broken down by category: "sufficiency" with an average score of 4.3, "accuracy" with an average of 4.5, "completeness" with an average of 4.6, "comprehensibility" with an average of 4.4, "usability" with an average of 5, and "usefulness and practicality" with a score of 4.8. These scores indicate that the experts are satisfied with the maturity model, which validates its usefulness in real environments.

Fig. 2. Expert Satisfaction Level per question

E. Phase V: deploy

   The validated model was implemented in the enterprise, with the access management process of the applications and physical facilities defined in the scope of its Information Security Management System (ISMS) as the scope of the deployment.

   To carry out the implementation, a diagnostic tool was built that includes all the criteria defined and validated in the "Design" phase.

   The diagnostic tool serves two purposes. The first is to obtain the degree of compliance with ISO/IEC 27001:2022 according to its controls related to access management. The second is to calculate the overall maturity level of the access management process, the maturity by LMU phase and the maturity by access type. The tool presents both results through a graphical report, so that the user can visualize them more easily.

   For the implementation of the maturity model in the enterprise, the diagnostic tool was used in collaboration with the parties involved in the enterprise's access management, and all the LMU phases were evaluated with their respective criteria. The diagnostic tool calculates maturity using a scale of scores according to the status of compliance with each criterion (0 = Not met, 1 = Partially met and 2 = Compliant). It should be emphasized that the compliance status is recorded in the 'Status' column of the diagnostic tool in coordination with the members of the enterprise's ISMS. As an example, Table VIII shows how the compliance status of the P6 evaluation criteria is filled in.

TABLE VIII. EVALUATION OF THE PHASE P6 OF LMU

Type       | Criteria                                                                                                                                     | Domain | Status
Logical    | There is an operational responsible for the elimination of access rights                                                                     | 5.2    | Not comply
Logical    | There is a specialized area for the elimination of access rights                                                                             | 5.2    | Not comply
Logical    | The elimination of user accounts is supported by a policy and procedure                                                                      | 5.15   | Not comply
Logical    | The elimination of "identities" is carried out if the applicant and approving                                                                | 5.16   | Not comply
Logical    | A period of time for the elimination of users, based on the regulatory compliance applicable to the organization, is established            | 5.18   | Not comply
Logical    | An auditable record of eliminated users is maintained                                                                                        | 5.18   | Partially complies
Physical   | There is a procedure or instruction for the elimination and secure deletion of corporate identification cards                                | 7.2    | Not comply
Physical   | Secure erasure of the information on technological identification controls is carried out before reuse                                      | 8.1    | Not comply
Physical   | Advanced elimination techniques are used, such as secure overwriting and detailed verification, to ensure that no trace of confidential data is exposed | 8.1 | Not comply
Privileged | There is an operational responsible for the elimination of privileged users                                                                  | 5.2    | Not comply
Privileged | There is a specialized area for the elimination of privileged users                                                                          | 5.2    | Not comply
Privileged | There is a procedure or instruction for the elimination of users with privileged functions                                                   | 8.2    | Not comply
Privileged | The inventory of personnel responsible for the use of superusers is updated                                                                  | 8.2    | Complies
Privileged | The custody flow of superusers is updated                                                                                                    | 8.2    | Complies
Privileged | An auditable record of eliminated privileged users is maintained                                                                             | 5.18   | Not comply

   Once the diagnostic tool has been completed, it calculates the maturity of each type of access, of each phase of the LMU and the regulatory compliance of access management using formula (1):

   M  ∑                                                        (1)

   Where:
   n: Is the total number of factors evaluated.
   βi: Is the degree of relative importance with respect to maturity determination.
   wi: Are the weights assigned to each factor, reflecting their relative importance in determining maturity.
   Wi: Is the maximum relative weight in determining maturity.
   The results obtained from the calculation are shown graphically in the final report (Fig. 3), which details the overall "Maturity level" of the access management process (Fig. 3a), the "Maturity by life cycle phase" (Fig. 3b) and the "Maturity level by type of access" (Fig. 3c).

   Based on the analysis of the results and the report in Fig. 3, an improvement proposal covering phase P6 was presented to enterprise A, since a maturity level of L1 was identified there, representing an information security gap for the enterprise, as shown in Fig. 4. This improvement proposal was presented to the case study through its Information Security Committee, contributing to the decision making of senior management and the security team; their approval for the implementation of the proposal was obtained, thus improving the maturity of the access management of its applications, with the evaluation of improvement areas in other access types and phases left for the future.
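As an added illustration (not the diagnostic tool built in the study), the following Python applies the 0/1/2 scoring scale stated above to the rows of Table VIII and aggregates the degree of compliance per access type and per ISO/IEC 27001:2022 control domain, then lists the criteria that remain open, as an improvement proposal like the one in Fig. 4 would. The aggregation used here (points obtained over points attainable) is an assumption of this example, not formula (1), and the criterion texts are shortened.

```python
"""Compliance scoring over the P6 ("Delete") criteria of Table VIII.

Added example, not the diagnostic tool built in the study. It applies the
scoring scale stated in the text (0 = Not met, 1 = Partially met,
2 = Compliant) to each row of Table VIII and aggregates the degree of
compliance per access type and per ISO/IEC 27001:2022 control domain.
The aggregation (points obtained / points attainable) is an assumption made
here; it is not formula (1) of the paper.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable

# Score for each value of the 'Status' column, as stated in the text.
SCORE = {"Not comply": 0, "Partially complies": 1, "Complies": 2}
MAX_SCORE = max(SCORE.values())


@dataclass(frozen=True)
class Criterion:
    access_type: str  # Physical, Logical or Privileged
    text: str         # evaluation criterion (shortened here)
    domain: str       # ISO/IEC 27001:2022 control referenced by the criterion
    status: str       # value recorded in the 'Status' column


# Rows of Table VIII: domain and status as in the table, criterion text shortened.
TABLE_VIII = [
    Criterion("Logical", "Operational responsible for eliminating access rights", "5.2", "Not comply"),
    Criterion("Logical", "Specialized area for eliminating access rights", "5.2", "Not comply"),
    Criterion("Logical", "Account elimination supported by policy and procedure", "5.15", "Not comply"),
    Criterion("Logical", "Identity elimination requires applicant and approver", "5.16", "Not comply"),
    Criterion("Logical", "Elimination period set by applicable regulation", "5.18", "Not comply"),
    Criterion("Logical", "Auditable record of eliminated users", "5.18", "Partially complies"),
    Criterion("Physical", "Procedure for secure deletion of corporate ID cards", "7.2", "Not comply"),
    Criterion("Physical", "Secure erasure of identification controls before reuse", "8.1", "Not comply"),
    Criterion("Physical", "Secure overwriting and detailed verification", "8.1", "Not comply"),
    Criterion("Privileged", "Operational responsible for eliminating privileged users", "5.2", "Not comply"),
    Criterion("Privileged", "Specialized area for eliminating privileged users", "5.2", "Not comply"),
    Criterion("Privileged", "Procedure for eliminating users with privileged functions", "8.2", "Not comply"),
    Criterion("Privileged", "Inventory of personnel responsible for superusers is updated", "8.2", "Complies"),
    Criterion("Privileged", "Custody flow of superusers is updated", "8.2", "Complies"),
    Criterion("Privileged", "Auditable record of eliminated privileged users", "5.18", "Not comply"),
]


def score(criterion: Criterion) -> int:
    """Map the recorded status to its score.

    A status outside the scale is a data-entry error in the 'Status' column;
    it is reported rather than silently scored as 0, which would understate
    compliance without anyone noticing.
    """
    try:
        return SCORE[criterion.status]
    except KeyError:
        raise ValueError(
            f"unknown status {criterion.status!r} for criterion: {criterion.text}"
        ) from None


def compliance_degree(criteria: Iterable[Criterion]) -> float:
    """Points obtained divided by points attainable (assumed aggregation), in [0, 1]."""
    rows = list(criteria)
    if not rows:
        raise ValueError("no criteria evaluated")
    return sum(score(c) for c in rows) / (MAX_SCORE * len(rows))


def degree_by(criteria: Iterable[Criterion], key: Callable[[Criterion], str]) -> dict:
    """Degree of compliance for each group, e.g. per access type or per control domain."""
    groups: dict = defaultdict(list)
    for c in criteria:
        groups[key(c)].append(c)
    return {k: compliance_degree(v) for k, v in groups.items()}


def status_counts(criteria: Iterable[Criterion]) -> Counter:
    """How many criteria sit at each status value."""
    return Counter(c.status for c in criteria)


def domain_key(domain: str) -> tuple:
    """Sort control numbers numerically ('5.2' before '5.15')."""
    return tuple(int(part) for part in domain.split("."))


def open_gaps(criteria: Iterable[Criterion]) -> list:
    """Criteria below full compliance, ordered by control domain: the raw
    material for an improvement proposal such as the one in Fig. 4."""
    return sorted((c for c in criteria if score(c) < MAX_SCORE),
                  key=lambda c: domain_key(c.domain))


if __name__ == "__main__":
    print(f"P6 overall compliance: {compliance_degree(TABLE_VIII):.1%}")
    for access_type, d in degree_by(TABLE_VIII, lambda c: c.access_type).items():
        print(f"  by type   {access_type:<10} {d:.1%}")
    by_domain = degree_by(TABLE_VIII, lambda c: c.domain)
    for domain in sorted(by_domain, key=domain_key):
        print(f"  by domain {domain:<10} {by_domain[domain]:.1%}")
    print(f"  open gaps: {len(open_gaps(TABLE_VIII))} of {len(TABLE_VIII)} criteria")
```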
TABLE IX. OPTIMIZED MATURITY LEVEL FOR THE STAGES P2, P3, P4, P5 AND P6 OF LMU

Type: Physical
  Activate (P2): Maintenance plans are in place for identification technology controls and physical security for all physical facilities, including critical areas.
  Assign (P3): Automatic communication by official means.
  Review (P4): Preventive maintenance plans for technological controls. Measurement of personnel access to critical areas to improve and restrict access dynamically.
  Modify / Deactivate (P5): Accurate, real-time tracking of physical assets.
  Delete (P6): Advanced deletion techniques, such as secure overwriting and detailed verification, are employed to ensure that no trace of sensitive data is exposed.

Type: Logical
  Activate (P2): The activation of user accounts is fully automated and without significant manual intervention.
  Assign (P3): Authentication requirements are based on risk analysis and continuously improved. Role-based access with real-time visibility into active usage.
  Review (P4): Ongoing, automated and comprehensive assessment of access rights in relation to roles, duties and positions held. Self-learning analysis tools.
  Modify / Deactivate (P5): Automatic abandoned-account detection system at all access levels.
  Delete (P6): Advanced auditing system that records and retains logs after user deletion.

Type: Privileged
  Activate (P2): The request for superuser use is automatically communicated to the custodians.
  Assign (P3): Activities are measured under the use of privileged functions in the accounts to guarantee minimum accesses.
  Review (P4): Continuous superuser usage analysis and alerts. Automatic report creation.
  Modify / Deactivate (P5): Automatic updates within a defined period. Changes to privileged users are communicated to custodians.
  Delete (P6): Thorough verification that all associated data and accounts have been completely and effectively deleted.
Fig. 4. Improvement proposal for the case study

IV. CONCLUSION AND FUTURE WORKS

   In this study, a maturity model was constructed following the methodology proposed by De Bruin, which is composed of 6 phases. The proposal was developed under the structure of 5 maturity levels (L1, L2, L3, L4 and L5) according to the CMMI model, detailing a set of criteria based on the controls established by the ISO/IEC 27001:2022 standard, distributed across the 6 phases of the life cycle for 3 types of access.

   To validate the maturity model, the proposal was submitted to the evaluation of three experts who occupy different positions in the Information Security Management System (ISMS) of the case study. This made it possible to evaluate 6 aspects of the proposal from different perspectives linked to the access management process.

   In the same way, the validated model was deployed to an enterprise in order to corroborate the performance and usefulness of the proposal for the evaluation of the access management process.

   The results obtained showed that building the maturity model on a standard accepted by the industry, such as ISO/IEC 27001:2022, facilitated acceptance and reliability in its implementation for the case study. Likewise, diagnosing the maturity level along an access lifecycle contributed to the understanding of the evaluation criteria; consequently, it was possible to clearly identify an area of improvement for the case study. Finally, based on the identification of the improvement area, an improvement proposal was developed and presented, which was promptly accepted by the case study for implementation.

   As future work, it is proposed to complete the last phase of the methodology used in this study so that the model can strengthen compliance with security controls related to access management by considering the integration of other information security standards and regulations applicable to the IT services industry.

ACKNOWLEDGMENT

   We thank the professors who participated in the study. We also thank the Research Department of the Universidad Peruana de Ciencias Aplicadas for their support.

REFERENCES

[1] IBM, "¿Qué son los controles de seguridad?" (What are security controls?), n.d. [Online]. Available: https://www.ibm.com/mx-es/topics/security-controls
[2] M. Zammani, R. Razali & D. Singh, "Organisational Information Security Management Maturity Model," (IJACSA) International Journal of Advanced Computer Science and Applications, vol. 12, no. 9, pp. 668-678, January 2021.
[3] S. Assoul, A. Rabii, K. Ouzzani & O. Roudies, "Information and cyber security maturity models: a systematic literature review," Information and Computer Security, vol. 28, no. 4, pp. 627-644, October 2020.
[4] D. Aponte & G. Maestre, "Dataset about information technology governance: A survey in Colombian enterprises," ISSN 2352-3409, vol. 50, p. 109480, October 2023.
[5] R. Diesch, M. Pfaff & H. Krcmar, "A comprehensive model of information security factors for decision-makers," Computers and Security, no. 92, p. 101747, May 2020.
[6] ISO/IEC 27001:2022, "Information security, cybersecurity and privacy protection," October 2022.
[7] L. Wong, D. Rodriguez & D. Mauricio, "A systematic literature review about software requirements elicitation," Journal of Engineering Science and Technology, vol. 12, no. 2, pp. 296-317, February 2017.
[8] B. Barnes & T. Daim, "Information Security Maturity Model for Healthcare Organizations in the United States," IEEE Transactions on Engineering Management, vol. 71, pp. 928-939, January 2022.
[9] K. Wehrle, V. Tozzi, S. Braune, F. Robnagel, H. Dikow, S. Paddock, A. Bergmann & P. Van, "Implementation of a data control framework to ensure confidentiality, integrity, and availability of high-quality real-world data (RWD) in the NeuroTransData (NTD) registry," JAMIA Open, vol. 5, no. 1, pp. 1-9, April 2022.
[10] A. Chu & M. So, "Organizational Information Security Management for Sustainable Information Systems: An Unethical Employee Information Security Behavior Perspective," Sustainability (Switzerland), vol. 12, no. 8, pp. 1-25, April 2020.
[11] A. Alagappan, L. Andrews, S. Venkatachary, D. Sarathkumar & R. Raj, "Cybersecurity Risks Mitigation in the Internet of Things," in Proceedings - 2022 2nd International Conference on Innovative Sustainable Computational Technologies, CISCT 2022, Dehradun, December 2022.
[12] S. AlDaajeh, H. Saleous, S. Alrabaee, E. Barka, F. Breitinger & K. Raymond, "The role of national cybersecurity strategies on the improvement of cybersecurity education," Computers & Security, vol. 119, August 2022.
[13] A. Jamal, G. Amjad & E. Sanaa, "GoSafe: On the practical characterization of the overall security posture," Journal of King Saud University - Computer and Information Sciences, vol. 34, no. 6, pp. 3079-3095, June 2022.
[14] T. Callari, F. Chiarugi, D. Guerri, A. Pollini, A. Tedeschi, D. Ruscio & L. Save, "Leveraging human factors in cybersecurity: an integrated methodological approach," Cognition, Technology and Work, vol. 24, no. 2, pp. 371-390, May 2022.
[15] A. Reyana, S. Kautish, S. Juneja, K. Mohiuddin, F. Karim, H. Elmannai, S. Ghorashi & Y. Hamid, "Enhanced Cloud Storage
Encryption Standard for Security in Distributed Environments," Electronics (Switzerland), vol. 12, no. 3, February 2023.
[16] I. Skarga, I. Kotsiuba & E. Velasco, "Cyber Hygiene Maturity Assessment Framework for Smart Grid Scenarios," Frontiers in Computer Science, vol. 3, March 2021.
[17] J. Yang, G. Lan, S. Xiao, Y. Li, J. Wen & Y. Zhu, "Enriching Facial Anti-Spoofing Datasets via an Effective Face Swapping Framework," Sensors, vol. 22, no. 13, July 2022.
[18] A. Georgiadou, S. Mouzakitis & D. Askounis, "Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework," Sensors, vol. 21, no. 9, May 2021.
[19] O. Al-Matari, I. Helal, S. Mazen & S. Elhennawy, "Adopting security maturity model to the organizations capability model," Egyptian Informatics Journal, vol. 22, no. 2, pp. 193-199, July 2021.
[20] T. Shimels & L. Lessa, "Maturity of information systems security in selected private Banks in Ethiopia," in 2021 International Conference on Information and Communication Technology for Development for Africa, ICT4DA 2021, Bahir Dar, November 2021.
[21] H. Berrada, J. Boutahar & S. Houssaini, "Simplified IT Risk Management Maturity Audit System based on "COBIT 5 for Risk"," International Journal of Advanced Computer Science and Applications, vol. 12, no. 8, pp. 641-652, January 2021.
[22] K. Razikin & A. Widodo, "General Cybersecurity Maturity Assessment Model: Best Practice to Achieve Payment Card Industry-Data Security Standard (PCI-DSS) Compliance,"
[31] Z. Han, X. Li, G. Xu, N. Xiong, E. Merlo & E. Stroulia, "An Effective Evolutionary Analysis Scheme for Industrial Software Access Control Models," IEEE Transactions on Industrial Informatics, vol. 16, no. 2, pp. 1024-1034, February 2020.
[32] L. Zhang, B. Li, H. Fang, G. Zhang & C. Liu, "An Internet of Things Access Control Scheme Based on Permissioned Blockchain and Edge Computing," Applied Sciences (Switzerland), vol. 13, no. 7, April 2023.
[33] A. K. Malik, N. Emmanuel, S. Zafar, H. Khattak, B. Raza, S. Khan, A. Al-Bayatti, M. Alassafi, A. Alfakeeh & M. Alqarni, "From Conventional to State-of-the-Art IoT Access Control Models," Electronics (Switzerland), vol. 9, no. 10, pp. 1-34, October 2020.
[34] S. Alshammari, A. Albeshri & K. Alsubhi, "Integrating a High-Reliability Multicriteria Trust Evaluation Model with Task Role-Based Access Control for Cloud Services," Symmetry, vol. 13, no. 3, March 2021.
[35] A. Schrimpf, A. Drechsler & K. Dagianis, "Assessing Identity and Access Management Process Maturity: First Insights from the German Financial Sector," Information Systems Management, vol. 38, no. 2, pp. 94-115, April 2021.
[36] M. Abdul, S. Mishra, A. Mansour & R. Mohammed, "Identity Governance Framework for Privileged Users," Computer Systems Science and Engineering, vol. 40, no. 3, pp. 995-1005, September 2021.
[37] A. Alsirhani, M. Ezz & M. Mostafa, "Advanced authentication mechanisms for identity and access management in cloud
         CommIT Journal, vol. 15, no. 2, pp. 91-104, August 2021.                           computing,” Computer Systems Science and Engineering, vol.
  [23]   I. Riadi, I. Yanto & E. Handoyo, “Analysis of academic service                     43, no. 3, pp. 967-984, January 2022.
         cybersecurity in university based on framework COBIT 5                      [38]   S. Fugkeaw, “Achieving Decentralized and Dynamic SSO-
         using CMMI,” in IOP Conference Series: Materials Science                           Identity Access Management System for Multi-Application
         and Engineering, Sorong, October 2019.                                             Outsourced in Cloud,” IEEE Access, vol. 11, pp. 25480-25491,
  [24]   D. Sulistyowati, F. Handayani & Y. Suryanto, “Comparative                          March 2023.
         Analysis and Design of Cybersecurity Maturity Assessment                    [39]   E. Sindiren & B. Ciylan, “Application model for privileged
         Methodology Using NIST CSF, COBIT, ISO/IEC 27002 and                               account access control system in enterprise networks,”
         PCI DSS,” International Journal on Informatics Visualization,                      Computers & Security, vol. 83, pp. 52-67, June 2019.
         vol. 4, no. 4, pp. 225-230, December 2020.                                  [40]   NIST. (2023, August 15). NIST Cybersecurity Framework
  [25]   B. Yigit & M. Spruit, “Adaptable Security Maturity                                 (CSF) 2.0 Reference Tool. [Online]. Available:
         Assessment and Standardization for Digital SMEs,” Journal of                       https://csrc.nist.gov/Projects/Cybersecurity-
         Computer Information Systems, vol. 63, no. 4, pp. 965-987,                         Framework/Filters#/csf/filters
         September 2022.                                                             [41]   J. B. Santos-Neto & A. P. Costa, “Enterprise maturity models:
  [26]   D. Romero, M. Baldassarre, M. Rodriguez & M. Piattini,                             a systematic literature review,” Enterprise Information
         “Maturity model based on CMMI for governance and                                   Systems, vol. 13, no. 5, pp. 719-769, May 2019.
         management of Green IT,” IET Software, vol. 13, no. 6, pp.                  [42]   T. De Bruin, R. Freeze, U. Kulkarni & M. Rosemann,
         555-563, December 2019.                                                            “Understanding the Main Phases of Developing a Maturity
  [27]   A. Hassan, S. Mahmood, A. Mohammad & N. Mahmood, “A                                Assessment Model,” in ACIS 2005 Proceedings - 16th
         Maturity Model for Secure Software Design: A Multivocal                            Australasian Conference on Information Systems,
         Study,” IEEE Access, vol. 8, pp. 215758-215776, January                            Australasian, December 2005.
         2020.                                                                       [43]   ISACA COBIT 2019 Framework: Governance and
  [28]   M. Jami, F. Abbasi & B. Sohrabi, “Toward a Maturity Model                          Management Objectives. Schaumburg: ISACA, 2019
         for Big Data Analytics: A Roadmap for Complex Data                          [44]   R. Waina. (2018, December 04). Intro to CMMI-SVC Module
         Processing,” International Journal of Information Technology                       1.1.                     [Online].                    Available:
         and Decision Making, vol. 22, no. 1, pp. 377-419, January                          https://static.spacecrafted.com/eff8f1444ff547dc97bb98fe24e
         2023.                                                                              32d2d/r/bcadbce7d8524899a4eeeba71308c14c/1/CMMI%20
  [29]   Z. Wang, Y. Li, G. Liu & D. Zhang, “A Multi-User                                   V2.0%20Overview.pdf
         Collaborative Access Control Scheme Based on New Hash                       [45]   Oracle. (2023, April 27). Lifecycle for Managing Users.
         Chain,” Electronics (Switzerland), vol. 12, no. 8, p. 1792, April                  [Online].          Available:        https://docs.oracle.com/en-
         2023.                                                                              us/iaas/Content/Identity/users/lifecycle-managing-users.htm
  [30]   B. Brimhall, J. Garrard, C. De La Garza & J. Coffman, “A                    [46]   D. Salah, R. Paige & P. Cairns, “An Evaluation Template for
         Comparative Analysis of Linux Mandatory Access Control                             Expert Review of Maturity Models,” Lecture Notes in
         Policy Enforcement Mechanisms,” in EUROSEC 2023 -                                  Computer Science (including subseries Lecture Notes in
         Proceedings of the 2023 European Workshop on System                                Artificial Intelligence and Lecture Notes in Bioinformatics),
         Security, Rome, May 2023.                                                          vol. 8892, pp. 318-321, December 2014.