Datos personales y riesgos digitales

1. Datos personales y riesgos digitales

2. Casandra

3. Ambientes digitales • Windows XP Service Pack 2 • 12 de agosto, 2004 • Por primera vez, Microsoft habilito de forma predeterminada un firewall de software • Cuando las características de seguridad se habilitaron, muchas aplicaciones dejaron de funcionar

4. Default Close Default Open Confidencialidad Disponibilidad

5. SB1386, California 1 de julio, 2003 Según la ley, las partes afectadas deben revelar cualquier violación de la seguridad de los datos personales a cualquier residente de California, cuya información personal no fue cifrada, y razonablemente se cree que ha sido adquirida por una persona no autorizada.

6. Fugas de información recientes 40 millones de registros Entre 45 y 94 millones de registros 4.2 millones de 100 millones de registros datos de tarjetas

7. Las Tecnologías de seguridad de información se triplican cada 6 años

8. Usamos estrategias de ataque y contra ataque, espionaje y contra espionaje

9. Físico vs Digital En 1990, las ventas de la enciclopedia Britannica logro el record de ventas… $650 millones de dólares

10. Físico vs Digital Una Enciclopedia Britannica se vendía desde $1,500 y hasta en $2,200 USD Una enciclopedia en CD-ROM se vendía desde $50 y hasta $70 USD

11. El cambio de paradigma

12. Robo físico

13. Robo digital

14. ¿Cuánto cuesta el robo digital, por año?

15. ¿1 millón de dólares? CONFIDENCIAL Sm4rt Security 34

16. ¿1 billón de dólares?

17. 1 trillón de dólares por año

18. Robo digital 1trillón de dólares por año en pérdidas, con crecimiento del 300% anual

19. ¿Por qué la seguridad de los datos digitales es una preocupación creciente?

20. El Riesgo de seguridad ha incrementado por 4 aspectos

21. 1. Velocidad

22. Antes tomaba días o semanas para compartir información

23. ¡Ahora es instantáneo!

24. 2. Dispersión

25. Las mismas personas que mantenían tus secretos…

26. … son ahora los principales difusores de tu información personal

27. •A I N I C I O S D E 2 011, 140 millones DE T WEETS POR DÍA •E N 2 010 E X I S T I A N 50 millones DE T WEETS POR DÍA •H OY, 350 millones D E T W E E T S POR DÍA durante los segundos finales del superbowl, los fans enviaron 4,064 tweets por segundo

28. 3. Persistencia

29. Solíamos controlar, restringir el acceso y destruir físicamente las copias de nuestros datos personales

30. Sm4rt Security CONFIDENCIAL 52

31. 4. Agrupación

32. Nuestros archivos solían ser difíciles de acceder

33. agrupados y Ahora están todos disponibles en todo el mundo

34. Ahora, si eres visto en un estado inconveniente…

35. …tu novia tendrá acceso a la información al momento…

36. …así como sus amigas…

37. …probablemente ¡para siempre!

38. Necesitamos aceptar los riesgos Los riesgos potenciales son infinitos

39. Los ambientes son altamente dinámicos

40. Las Piezas cambian sin previo aviso

41. Las reglas cambian constantemente

42. Los jugadores cambian

43. El Fin justifica los Medios En la prevención del Riesgo Intencional Nada menos que asegurar todos los vectores es suficiente

44. Las Defensas deben ser Optimizadas

45. Optimizar la velocidad

46. Optimizar los Recursos

47. 3 Tipos de Riesgo Digital 1. Accidental 2. Oportunistico 3. Intencional

48. Peor Suma de Mejor Esfuerzo Esfuerzos Esfuerzo Riesgo Riesgo Riesgo ∞ Intencional Oportunista Accidental Relación / conexión Filtrado Confidencialidad Amenaza Integridad Impacto Externa Redundancia Interno Disponibilidad 0 1 1 canal 1 momento 1 1p 1 dispositivo Autenticada c/x factores

49. 86

50. Necesitamos usar la analogía médica

51. 101

52. Peor Suma de Mejor Esfuerzo Esfuerzos Esfuerzo Riesgo Riesgo Riesgo ∞ Intencional Oportunista Accidental Relación / conexión Filtrado Confidencialidad Amenaza Integridad Impacto Externa Redundancia Interno Disponibilidad 0 1 1 canal 1 momento 1 1p 1 dispositivo Autenticada c/x factores

53. Tres Vectores para gestionar Riesgo Accesibilidad para terceros Anonimidad Valor de los terceros para terceros

54. Risk Analysis

55. Main Risks Always Weak password storage protocol Absence of robust password policy Absence of data entry validation for Probability web applications Possibl Existing applications with vulnerable e remote support Weak wireless ciphered communication protocol Absence of operating system security configuration Almost never Insignificant Medium Very high Impact

56. Action Plan Quick Hits High Password Policy Positive Impact of Implementation Migration of wireless communication protocol Quick Hits Strategic Strategic Security configuration guidelines for applications Moderate Security configuration guidelines for operating systems Migration of passwords storage Nice To Have Not Viable protocols Secure application development process Minimum Migration of remote support protocol Minor Medium Major Effort

57. Recommendations Policies and Configuration Guidelines Security configuration guidelines for applications Security configuration guidelines for operating systems Password policy Superior Technologies Governance Migration of remote support protocols Processes and Roles Migration of password storage User controls protocols Migration of wireless communication protocols Network controls Recommendations for Host controls Sustainability Application controls Secure change process administration Data level controls Risk administration process Vulnerability patches and updates process Secure application development process

58. Mitigation Roadmap Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Risk Administration Implementation Secure application development implementation Vulnerability patches and updates process administration Secure change process administration Migration to robust remote support protocols Migration of wireless communication protocol Migration of password storage Password policy Security configuration guidelines for operating system Security configuration guidelines for applications 2012 2013

59. Demystifying the Business Process Analysis Data Lifecycle Inventory Privacy Legal & Regulatory Data Value (IVA) Implementation Requirements (PIA) Process Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit

60. Business Process Analysis • Identification of Business Process Analysis Data Lifecycle Inventory applicable Law Legal & Regulatory Data Value (IVA) Requirements (PIA) Data Categories Data Categories Issuers Obligations Auditors Asset Inventory • Legislators • Laws • Authorities • Regulators • Norms • Organizations Policy Generation • Organizations • Industry Standards Controls, Standards, Procedures • Contracts Implementation & Audit

61. Business Process Analysis • Stakeholder Information Business Process Analysis Data Lifecycle Inventory acquisition Legal & Regulatory Data Value (IVA) – Types of data Requirements (PIA) – Internal and external Data Categories Data Categories data flows – Purpose of treatment Asset Inventory – Information systems and Policy Generation security measures – Retention policies Controls, Standards, Procedures Implementation & Audit

62. Data Lifecycle Inventory Business Process Analysis Data Lifecycle Inventory Data Data Data Value (IVA) Legal & Regulatory Destruction Reception Requirements (PIA) Data Categories Data Categories Data Purpose Asset Inventory Retention of Use Policy Generation Information 3rd Parties Systems and Controls, Standards, Procedures Involved Storage Implementation & Audit

63. Privacy Legal & Regulatory Requirements (PIA) Business Process Analysis 1. Legal & Regulatory Data Lifecycle Inventory – Contracts Legal & Regulatory Data Value (IVA) – Clauses Requirements (PIA) – Privacy notices Data Categories Data Categories – Authorizations – Jurisdictions Asset Inventory – Other regulations Policy Generation • Money laundering • Sectorial Controls, Standards, Procedures • Etc. Implementation & Audit

64. Privacy Legal & Regulatory Requirements (PIA) Business Process Analysis 2. Technical Data Lifecycle Inventory – Authentication & Legal & Regulatory Data Value (IVA) authorization Requirements (PIA) – Access control Data Categories Data Categories – Incident log – Removable media and Asset Inventory document management Policy Generation – Security copies – Recovery tests Controls, Standards, Procedures – Physical Access Implementation & Audit

65. Privacy Legal & Regulatory Requirements (PIA) Business Process Analysis 3. Organizational Data Lifecycle Inventory – Data privacy officer Legal & Regulatory – Roles and Data Value (IVA) Requirements (PIA) responsibilities – Policies, procedures and Data Categories Data Categories standards Asset Inventory – Notifications to authorities Policy Generation – Audits – Compliance and Controls, Standards, Procedures evidence Implementation & Audit

66. Legal & Regulatory Data Categories • High Risk Business Process Analysis Data Lifecycle Inventory – Syndicate Affiliation – Health Legal & Regulatory – Sexual life Data Value (IVA) Requirements (PIA) – Beliefs – Racial Origin Data Categories Data Categories • Medium Risk – Financial Profile Asset Inventory – Personal Fines – Credit Scoring – Tax Payment Information Policy Generation • Basic Risk – Personal Identifying Controls, Standards, Procedures Information – Employment Implementation & Audit

67. External Economic Data Value (IVA) • Black Market Value Business Process Analysis Data Lifecycle Inventory – Sale price • News Value Data Value (IVA) Legal & Regulatory Requirements (PIA) – Newspaper – Magazines Data Categories Data Categories – Television • Competition Asset Inventory – Market Value Policy Generation – Brand Value – Political Value Controls, Standards, Procedures • Authorities – Fines Implementation & Audit

68. Data Value Categories Business Process Analysis Lvl Value Classification Example Data Lifecycle Inventory CC Magnetic Strip, Legal & Regulatory Data Value (IVA) Requirements (PIA) 4 > $10M Secret PIN number, User & Password Data Categories Data Categories Name, Address, $100K - 3 Confidential Credit History, $10M Account Statements Asset Inventory Bank Account $1,000 - Numbers, Policy Generation 2 Private $100K Pre-published Marketing Info Controls, Standards, Procedures Published 1 $0 - $1,000 Public Marketing Information Implementation & Audit

69. Asset Inventory Legal & Data Most Business Process Analysis Applicable Applicable Asset Regulatory Value Sensitive Data Lifecycle Inventory Policy Controls level level Data Legal & Regulatory Data Value (IVA) L&R 1. Oracle Requirements (PIA) Application 1. Secret DB1 Medium Secret Secret Data Passwords Data Policy Risk Standard Data Categories Data Categories 1. J2EE High Security Asset Inventory Standard L&R Payment 1. L&R High App5 High Confidential Card Risk Policy 2. Application Risk Number Confidential Policy Generation Data Mgmt Standard 1. Private Controls, Standards, Procedures Data Policy 1. Solaris 10 L&R Client Medium Srvr3 Medium Private Account 2. L&R Hardening Risk Data Medium Standard Implementation & Audit Risk Policy

70. Policy Generation How should this data be: Business Process Analysis Data Lifecycle Inventory – generated? – stored? Legal & Regulatory Data Value (IVA) – transferred? Requirements (PIA) – processed? – accessed? Data Categories Data Categories – backed-up? – destroyed? Asset Inventory – monitored? • How should we react and Policy Generation escalate an incident or breach? Controls, Standards, Procedures • How will we punish compliance? Implementation & Audit

71. Controls, Standards & Procedures • Controls are defined Business Process Analysis Data Lifecycle Inventory and mapped for each Legal & Regulatory Data Value (IVA) policy level Requirements (PIA) – Technical Standards Data Categories Data Categories – Procedures – Compensatory Controls Asset Inventory DB2 HP/UX J2EE Oracle Policy Generation High Risk     Controls, Standards, Procedures Med Risk     Low Risk    Implementation & Audit

72. Controls, Standards & Procedures Business Process Analysis Data Lifecycle Inventory Legal & Regulatory Data Value (IVA) Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Norms Controls Controls, Standards, Procedures Implementation & Audit

73. Implementation & Audit Laws and Regulations Best Practices Business Process Analysis Data Lifecycle Inventory Legal & Regulatory Data Value (IVA) Requirements (PIA) LOPD SOX LSSI Data Categories Data Categories Asset Inventory PROCESSES APPLICATIONS Policy Generation PEOPLE Evidence Controls Controls, Standards, Procedures Implementation & Audit I.ACT D.SEG CONTRACT COMUNIC ASSETS NETWORKS .

74. Implementation & Audit Business Process Analysis Data Lifecycle Inventory Legal & Regulatory Data Value (IVA) Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit

Datos personales y riesgos digitales

Estás leyendo una previsualización.

Eche un vistazo a continuación

Datos personales y riesgos digitales

Más Contenido Relacionado

A los espectadores también les gustó (20)

Similares a Datos personales y riesgos digitales (20)

Más de Juan Carlos Carrillo (20)

Más reciente (20)