Bitlisli Erdivan, Halime Eda
In today's digital landscape, information security is as significant for Very Small Entities (VSEs) as it is for larger corporations. Despite their size, VSEs handle sensitive data and must safeguard their assets, so information security is crucial to their sustainability and success. VSEs face clear challenges in meeting the costs, time constraints, and resource demands of certification against complex information security standards such as ISO/IEC 27001, CIS Controls, and NIST SP 800-53. Since the majority of organizations in the sector are VSEs, there is an evident demand for information security standards tailored to the specific needs and challenges of small-scale organizations. The literature review conducted for this study revealed a substantial gap in the assessment of information security for VSEs. For these reasons, this thesis analyzes and harmonizes the ISO/IEC 27001 standard, CIS Controls, the CMMC framework, the Information and Communication Security Guide, NIST IR 7621, and the NIST Special Publication (SP) 800-53 security and privacy control framework in order to develop an information security assessment model for VSEs. The resulting model, named SecureVSE, comprises 15 processes and a total of 52 associated practices designed specifically for the needs of VSEs. The applicability and usefulness of the model were confirmed through expert reviews with five lead auditors who have extensive experience in the security domain, and through detailed case studies conducted in three VSEs.
