MEJORES PRACTICAS EN CIBERSEGURIDAD

Similar documents
NCSF Foundation Certification

Improving Cybersecurity through the use of the Cybersecurity Framework

The NIST Cybersecurity Framework

NCSF Foundation Certification

Developing a Model for Cyber Security Maturity Assessment

Framework for Improving Critical Infrastructure Cybersecurity

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Cyber COBIT. Ophir Zilbiger, CEO SECOZ Shay Zandani, CEO CyberARM. December 2013

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Why you should adopt the NIST Cybersecurity Framework

Cybersecurity for Service Providers

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

From the Trenches: Lessons learned from using the NIST Cybersecurity Framework

Rethinking Information Security Risk Management CRM002

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

THE POWER OF TECH-SAVVY BOARDS:

Position Description IT Auditor

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Business Context: Key for Successful Risk Management

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Critical Infrastructure Partnership

GUÍAS COMPLEMENTARIAS

Securing Digital Transformation

FDIC InTREx What Documentation Are You Expected to Have?

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Designing and Building a Cybersecurity Program

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

CISO as Change Agent: Getting to Yes

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Les joies et les peines de la transformation numérique

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

The Experience of Generali Group in Implementing COBIT 5. Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Effectively Measuring Cybersecurity Improvement: A CSF Use Case

Cybersecurity Auditing in an Unsecure World

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

Run the business. Not the risks.

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

THE ISACA CURACAO CHAPTER IS ORGANIZING FOLLOWING INFORMATION SECURITY AND TECHNOLOGY SESSIONS ON MAY 15-MAY :

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

IoT & SCADA Cyber Security Services

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

ENISA EU Threat Landscape

Cybersecurity & Privacy Enhancements

Information Security Risk Strategies. By

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

2017 PORT SECURITY SEMINAR & EXPO. ISACA/CISM Information Security Management Training for Security Directors/Managers

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Dr. Stephanie Carter CISM, CISSP, CISA

Predstavenie štandardu ISO/IEC 27005

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

ACR 2 Solutions Compliance Tools

FOR FINANCIAL SERVICES ORGANIZATIONS

Cybersecurity for Health Care Providers

A Controls Factory Approach To Operationalizing a Cyber Security Program Based on the NIST Cybersecurity Framework

Changing face of endpoint security

Cybersecurity, safety and resilience - Airline perspective

Framework for Improving Critical Infrastructure Cybersecurity

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

Angela McKay Director, Government Security Policy and Strategy Microsoft

Cyber Resilience. Think18. Felicity March IBM Corporation

Certified Information Security Manager (CISM) Course Overview

Cyber Security: Threat and Prevention

Altius IT Policy Collection Compliance and Standards Matrix

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

NISTCSF Enterprise Training Solutions. By David Nichols & Rick Lemieux December 2018

BRING EXPERT TRAINING TO YOUR WORKPLACE.

Using the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017

A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF)

Altius IT Policy Collection Compliance and Standards Matrix

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Automating the Top 20 CIS Critical Security Controls

MITIGATE CYBER ATTACK RISK

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

EU General Data Protection Regulation (GDPR) Achieving compliance

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Sage Data Security Services Directory

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Healthcare HIPAA and Cybersecurity Update

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

How to Prepare a Response to Cyber Attack for a Multinational Company.

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Risk Advisory Academy Training Brochure

A Global Look at IT Audit Best Practices

Cloud Computing: A European Perspective. Rolf von Roessing CISA, CGEIT, CISM International Vice President, ISACA

Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know

Cybersecurity in Higher Ed

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Transcription:

MEJORES PRACTICAS EN CIBERSEGURIDAD Roberto Hernández Rojas Valderrama, CISA, CISM, CGEIT, CRISC, ITIL Foundation ISO 27001 LA, PMP, CFSP Presidente ISACA Capítulo Ciudad de México

OBJETIVO Revisar el contenido de algunas guías de la ISACA que pueden apoyar a las organizaciones en la mejora de la ciberseguridad Nota: Se presenta la documentación en inglés, puesto que los documentos actualmente no tienen traducción al español

AGENDA ISACA - Principios de Privacidad y administración del programa NIST Marco de Trabajo para mejorar la ciberseguridad en Infraestructura Crítica Ciberseguridad y COBIT 5

ISACA - Principios de Privacidad y administración del programa

DIFERENCIA ENTRE PRIVACIDAD Y SEGURIDAD Fuente: ISACA Privacy Principles and Program Management Guide

7 CATEGORÍAS DE PRIVACIDAD Fuente: ISACA Privacy Principles and Program Management Guide

7 CATEGORÍAS DE PRIVACIDAD Fuente: ISACA Privacy Principles and Program Management Guide

RIESGOS ASOCIADOS Social media Evolving cloud and container computing services Mobile applications (apps) Big data analytics Internet of Things (IoT) Bring your own device practices (BYOD) Tracking/surveillance technologies Fuente: ISACA Privacy Principles and Program Management Guide

14 PRINCIPIOS DE PRIVACIDAD DE ISACA Principle 1: Choice and consent Principle 2: Legitimate purpose specification and use limitation Principle 3: Personal information and sensitive information life cycle Principle 4: Accuracy and quality Principle 5: Openness, transparency and notice Principle 6: Individual participation Principle 7: Accountability Principle 8: Security safeguards Principle 9: Monitoring, measuring and reporting Principle 10: Preventing harm Principle 11: Third party/vendor management Principle 12: Breach management Principle 13: Security and privacy by design Principle 14: Free flow of information and legitimate restriction Fuente: ISACA Privacy Principles and Program Management Guide

NIST Marco de Trabajo para mejorar la ciberseguridad en Infraestructura Crítica

INFRAESTRUCTURA CRÍTICA Critical infrastructure is defined in the Executive Order as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. Due to the increasing pressures from external and internal threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary regardless of an organization s size, threat exposure, or cybersecurity sophistication today Fuente: NIST Framework for Improving Critical Infrastructure Cybersecurity

MARCO DE TRABAJO The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors Fuente: NIST Framework for Improving Critical Infrastructure Cybersecurity

MARCO DE TRABAJO The Framework Core Fuente: NIST Framework for Improving Critical Infrastructure Cybersecurity

MARCO DE TRABAJO The Framework Core Fuente: NIST Framework for Improving Critical Infrastructure Cybersecurity

MARCO DE TRABAJO Framework Implementation Tiers ( Tiers ) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization s cybersecurity risk management practices exhibit the characteristics defined in the Framework Tier 1: Partial Tier 2: Risk Informed Tier 3: Repeatable Tier 4: Adaptive Risk Management Process Integrated Risk Management Program External Participation Cyber Supply Chain Risk Management Fuente: NIST Framework for Improving Critical Infrastructure Cybersecurity

MARCO DE TRABAJO A Framework Profile ( Profile ) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the as is state) with a Target Profile (the to be state). Fuente: NIST Framework for Improving Critical Infrastructure Cybersecurity

IMPLANTACIÓN DEL MARCO DE TRABAJO Fuente: NIST Framework for Improving Critical Infrastructure Cybersecurity

IMPLANTACIÓN DEL MARCO DE TRABAJO Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets. identifies threats to, and vulnerabilities of, those systems and assets. Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved. Step 4: Conduct a Risk Assessment. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations identify emerging risks and use cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events. Fuente: NIST Framework for Improving Critical Infrastructure Cybersecurity

IMPLANTACIÓN DEL MARCO DE TRABAJO Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization s desired cybersecurity outcomes. Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of risk to achieve the outcomes in the Target Profile - drawing upon mission drivers, a cost/benefit analysis, and risk understanding - to achieve the outcomes in the Target Profile. The organization then determines resources necessary to address the gaps. Step 7: Implement Action Plan. The organization determines which actions to take in regards to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the Target Profile. For further guidance, the Framework identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs. Fuente: NIST Framework for Improving Critical Infrastructure Cybersecurity

CIBERSEGURIDAD Y COBIT 5

COBIT 5

CIBERSEGURIDAD VS. SEGURIDAD DE LA INFORMACIÓN Information security deals with information, regardless of its format. It includes: Paper documents Digital and intellectual property Verbal or visual communications Cybersecurity is concerned with protecting digital assets. Includes: Networks Hardware Software Information that is processed, stored or transported by internetworked IS

SEVERIDADES DE LOS ATAQUES Fuente: Transforming Cybersecurity: Using COBIT 5

RIESGOS ORGANIZACIONALES Fuente: Transforming Cybersecurity: Using COBIT 5

RIESGOS SOCIALES Fuente: Transforming Cybersecurity: Using COBIT 5

RIESGOS TÉCNICOS Fuente: Transforming Cybersecurity: Using COBIT 5

DETALLE DE COBIT 5 Y CIBERSEGURIDAD Fuente: Transforming Cybersecurity: Using COBIT 5

AGENTES DE AMENAZAS FUENTE: ENISA Threat Landscape 2013

ATRIBUTOS DE UN CIBERATAQUE Attack Vector Payload Exploit Vulnerability Target (Asset)

COBIT 5 CONJUNTO DE POLITICAS DE SEGURIDAD DE LA INFORMACIÓN Risk Management Business Continuity/ Disaster Recovery Asset Management Compliance Information Security Rules of Behavior Communications and Operations Acquisition/ Development/ Maintenance Vendor Management Fuente: Transforming Cybersecurity: Using COBIT 5

ASEGURAMIENTO DE LA CIBERSEGURIDAD Fuente: Transforming Cybersecurity: Using COBIT 5

PASOS DE INVESTIGACIÓN

8 PRINCIPIOS PARA TRANSFORMAR LA CIBERSEGURIDAD Principle 1. Know the potential impact of cybercrime and cyberwarfare. Principle 2. Understand end users, their cultural values and their behavior patterns. Principle 3. Clearly state the business case for cybersecurity, and the risk appetite of the enterprise. Principle 4. Establish cybersecurity governance. Principle 5. Manage cybersecurity using principles and enablers. Principle 6. Know the cybersecurity assurance universe and objectives. Principle 7. Provide reasonable assurance over cybersecurity. Principle 8. Establish and evolve systemic cybersecurity. Fuente: Transforming Cybersecurity: Using COBIT 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback