Information Security in Small and Medium-Sized Companies

Small and medium-sized enterprises (SMEs) are the locomotives of national economies. The flexible structure of SMEs and their quick adaptation to change make it easier for national economies to recover from crises quickly. Factors such as competition, change and globalization compel SMEs to use information and communication technologies. Thanks to these technologies, the notions of time and place have lost their meaning: with a mobile device and a network connection, electronic financial services and products can be reached from anywhere in the world. In parallel with these developments, fraud incidents aided by social engineering and cases of employee misconduct, especially in recent years, have brought information security to the fore. SMEs that do not employ enough qualified information technology staff, and that hold the prejudice that information security risk affects only large companies, are becoming easy targets for technology thieves. The safe-crackers of the past have been replaced by keyboard thieves. The risks that arise when information security is not ensured bring other risks with them, such as reputational risk and legal risk. The aim of this study is to set out a simple and plain methodology that SMEs with limited resources can use against information security risks.
