Presentacion reducida de mejores practicas de seguridad informatica, para evento Mexico, Diciembre 2007 - LiveMeeting

1. Mejores Practicas de Seguirdad de la Informacion Santiago Gabriel Cavanna SANS-GSEC /ISC2 CISSP CA Solution Strategist [email_address]

4. Definición simplificada del problema

8. Estado del arte: parte 2 Attack Sophistication email propagation of malicious code “ stealth”/advanced scanning techniques widespread attacks using NNTP to distribute attack widespread attacks on DNS infrastructure executable code attacks (against browsers) automated widespread attacks GUI intruder tools hijacking sessions Internet social engineering attacks automated probes/scans widespread denial-of-service attacks techniques to analyze code for vulnerabilities without source code DDoS attacks increase in worms sophisticated command & control anti-forensic techniques home users targeted distributed attack tools increase in wide-scale Trojan horse distribution Windows-based remote controllable Trojans (Back Orifice) Intruder Knowledge 1990 2005 packet spoofing

14. Modelos de Madures

16. Level 0 ITIL Maturity Model (information from Pink Elephant) Awareness Process driven by tools Roles and responsibilities poorly defined Initiation Some policies statements Words no Docs No dedicated resources Absence No evidence of activities supporting the process Control Measurable Targets Mgmt Reports produced Formal Planning Tasks, responsibilities, well defined Integration Significant quality improvements Interdepartmental communications Quality & Per. Metrics transferred between processes Absence Level 1 Level 2 Level 3 Level 4 Level 5 Initiation Awareness Control Integration Optimization Optimization Links between IT & Corporate Policy Innovation QA & Continuous improvement World Class Perf. Measurements

17. Maturity Model: Cobit Version 4.0

18. Modelo de madurez de Seguridad (basado en la capacidad)

19. Modelo de madurez de Seguridad (basado en la completitud)

21. Maturity Capability Blueprint – Active to Efficient

22. Estándares y Regulaciones y Mejores Practicas

23. ISO27001 Communications and Operations Management Organizational Security Security Policy Asset Classification and Control Business Continuity Management Access Control Physical and Environmental Security Personnel Security Systems Development and Maintenance Compliance COBiT Monitor and Support Acquire and Implement Plan and Organize Define and Support COSO Monitoring Internal Environment Risk Assessment Control Activities Information and Communications ITIL ICT Infrastructure Management Service Delivery / Support Business Perspective Planning to Implement Service Management Application Management Security Management Objective Setting Risk Response Event Identification

24. Modelo de Gobierno IT IT OPERATIONS IT Governance Quality Systems & Frameworks COBIT Service Mgmt. App. Dev. Project Mgmt. IT Planning IT Security Quality System COSO ITIL BS 7799 PMI ISO Six Sigma TSO IS Strategy ASL CMM Sarbanes Oxley US Securities & Exchange Commission

29. Recomendaciones generales

31. Muchas gracias