Maturity Model for Information Access Management of Peruvian IT Service Providers based on ISO/IEC 27001 and CMMI Security Controls

Abstract

In the current context of increasing cyber threats to Latin American IT service providers, the cost of data breaches is expected to increase 31% by 2023, which highlights the urgency of strengthening security practices. Therefore, it is proposed to improve maturity in access management, with the development of a model based on ISO/IEC 27001:2022 designed for Peruvian IT service providers. The study consists of three stages: analysis, design, and validation. In the first stage, a comparative analysis is made between success factors, cybersecurity aspects, maturity models and access management mechanisms. The second and third stages cover the model building phases according to De Bruin's methodology. In the second stage, the evaluation scope, and the level structure according to CMMI are defined as well as the criteria of the model where the evaluation is based on a user life cycle, type of access and regulatory compliance. Finally, in the third stage, the model is validated by experts in the field and deployed in an enterprise in the sector. The results obtained from the validation showed that 'understandability', 'usefulness and practicality', 'accuracy', 'comprehensiveness', 'sufficiency', 'relevance', 'usability' and 'accuracy' obtained an average rating of 4.6 (agree). Finally, with respect to the implementation of the proposed model, the elimination phase had a maturity index of 0.14, which placed it at an initial maturity level. On the other hand, the other phases exceeded an index of 0.55, placing them in the three highest levels of maturity achievable. In this way, an improvement proposal for the enterprise was made and accepted.