MMSM-SME: Methodology for the Management of Security and its Maturity in SME

Luís Enrique Sánchez, Antonio Santos-Olmo Parra, Eduardo Fernández-Medina, Mario Piattini



As the information society grows ever more dependent on Information and Communication Technologies (ICTs), protecting information becomes increasingly important for enterprises. In this context, Information Security Management Systems (ISMSs) have emerged as a key factor in the stability of enterprise information systems, and having such a system in place has become increasingly vital to the development of Small and Medium-Sized Enterprises (SMEs). In this article, we present the methodology we have developed for the development, implementation and maintenance of a security management system, adapted to the needs and resources of SMEs. The approach is being applied directly in real case studies, and the feedback from these applications is driving its continuous improvement.

Paper Citation

in Harvard Style

Enrique Sánchez L., Santos-Olmo Parra A., Fernández-Medina E. and Piattini M. (2009). MMSM-SME: Methodology for the Management of Security and its Maturity in SME. In Proceedings of the 7th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2009) ISBN 978-989-8111-91-3, pages 67-78. DOI: 10.5220/0002221200670078

in Bibtex Style

author={Luís Enrique Sánchez and Antonio Santos-Olmo Parra and Eduardo Fernández-Medina and Mario Piattini},
title={MMSM-SME: Methodology for the Management of Security and its Maturity in SME},
booktitle={Proceedings of the 7th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2009)},

in EndNote Style

JO - Proceedings of the 7th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2009)
TI - MMSM-SME: Methodology for the Management of Security and its Maturity in SME
SN - 978-989-8111-91-3
AU - Enrique Sánchez L.
AU - Santos-Olmo Parra A.
AU - Fernández-Medina E.
AU - Piattini M.
PY - 2009
SP - 67
EP - 78
DO - 10.5220/0002221200670078