Evaluation of an information security management system at a Mexican higher education institution

Abstract: The purpose of this research was to know the degree of administrative knowledge, the degree of training of human resources, the degree of commitment of administrators and the degree of effectiveness of the administration for information security risk based on ISO/IEC 27001.The population consisted of 81 subjects (66 administrators and 15 ITD personnel). Those evaluated were employers of the administrative office of the university and also staff of the Information Technology Department (ITD). To make the comparisons, three groups of managers were formed according to classifications of administrative staff, the classification was as follows: (a) first-line manager, (b) middle management and (c) top management. About the results, it can be corroborated that administrative staff with a lower rank have more problems in making the best decisions in relation to the implementation of an ISMS, it should be noted that the first-line manager is the one who has more contact with the students and is the one who is less involved in the implementation of an ISMS. It can also be inferred that the institution\'s planners are not fully trained in the institution\'s information security efforts. This in turn prevents the generation of proposals for initiatives to implement an ISMS. With this shortcoming, it is possible that security breaches could be generated.