Personal data and digital risks


Published on

Presentation on digital risks for the ITAM diploma course on information technology law.

Published in: Technology, News & Politics

  1. Personal data and digital risks
  2. Casandra
  3. Digital environments
     • Windows XP Service Pack 2
     • August 12, 2004
     • For the first time, Microsoft enabled a software firewall by default
     • When the security features were turned on, many applications stopped working
  4. Default Close vs. Default Open: Confidentiality vs. Availability
  5. SB1386, California, July 1, 2003. Under the law, affected parties must disclose any breach of the security of personal data to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  6. Recent information leaks
     • 40 million records
     • Between 45 and 94 million records
     • 4.2 million card records
     • 100 million records
  7. Information security technologies triple every 6 years
  8. We use strategies of attack and counter-attack, espionage and counter-espionage
  9. Physical vs. Digital: In 1990, sales of the Encyclopaedia Britannica set a sales record… $650 million dollars
  10. Physical vs. Digital: An Encyclopaedia Britannica sold for between $1,500 and $2,200 USD. An encyclopedia on CD-ROM sold for between $50 and $70 USD
  11. The paradigm shift
  12. Physical theft
  13. Digital theft
  14. How much does digital theft cost, per year?
  15. $1 million dollars?
     Sm4rt Security, CONFIDENTIAL
  16. $1 billion dollars?
  17. $1 trillion dollars per year
  18. Digital theft: $1 trillion dollars per year in losses, growing 300% annually
  19. Why is the security of digital data a growing concern?
  20. Security risk has increased because of 4 factors
  21. 1. Speed
  22. It used to take days or weeks to share information
  23. Now it is instantaneous!
  24. 2. Dispersion
  25. The same people who used to keep your secrets…
  26. …are now the main spreaders of your personal information
  27. Twitter volume
     • At the start of 2011, 140 million tweets per day
     • In 2010 there were 50 million tweets per day
     • Today, 350 million tweets per day
     • During the final seconds of the Super Bowl, fans sent 4,064 tweets per second
  28. 3. Persistence
  29. We used to control, restrict access to, and physically destroy the copies of our personal data
  31. 4. Aggregation
  32. Our files used to be hard to access
  33. Now they are all aggregated and available worldwide
  34. Now, if you are seen in an awkward state…
  35. …your girlfriend will have access to the information instantly…
  36. …as will her friends…
  37. …probably forever!
  38. We need to accept the risks. The potential risks are infinite
  39. Environments are highly dynamic
  40. The pieces change without notice
  41. The rules change constantly
  42. The players change
  43. The end justifies the means. In preventing Intentional Risk, nothing less than securing every vector is enough
  44. Defenses must be optimized
  45. Optimize speed
  46. Optimize resources
  47. 3 types of digital risk: 1. Accidental, 2. Opportunistic, 3. Intentional
  48. [Diagram] Risk spectrum, from Intentional Risk (worst effort, ∞) through Opportunistic Risk (sum of efforts) to Accidental Risk (best effort, 0). Dimensions shown: Relationship / connection, Filtering, Confidentiality; Threat, Integrity, Impact; External, Redundancy, Internal, Availability. Control granularity shown: 1 channel, 1 moment, 1p, 1 device, authenticated with x factors.
  50. We need to use the medical analogy
  52. [Diagram] Same risk spectrum diagram as slide 48.
  53. Three vectors for managing risk: Accessibility to third parties; Anonymity; Value to third parties
  54. Risk Analysis
  55. Main Risks (probability/impact matrix; axes: Probability = Almost never / Possible / Always, Impact = Insignificant / Medium / Very high)
     • Weak password storage protocol
     • Absence of robust password policy
     • Absence of data entry validation for web applications
     • Existing applications with vulnerable remote support
     • Weak wireless ciphered communication protocol
     • Absence of operating system security configuration
  56. Action Plan (matrix of Positive Impact of Implementation = High / Moderate / Minimum against Effort = Minor / Medium / Major; quadrants: Quick Hits, Strategic, Nice To Have, Not Viable)
     • Password Policy
     • Migration of wireless communication protocol
     • Security configuration guidelines for applications
     • Security configuration guidelines for operating systems
     • Migration of password storage protocols
     • Secure application development process
     • Migration of remote support protocol
  57. Recommendations
     • Policies and Configuration Guidelines: Security configuration guidelines for applications; Security configuration guidelines for operating systems; Password policy
     • Superior Technologies: Migration of remote support protocols; Migration of password storage protocols; Migration of wireless communication protocols
     • Recommendations for Sustainability: Secure change process administration; Risk administration process; Vulnerability patches and updates process; Secure application development process
     • Control layers shown: Governance; Processes and Roles; User controls; Network controls; Host controls; Application controls; Data level controls
  58. Mitigation Roadmap (timeline Q1–Q4 2012 and Q1–Q4 2013)
     • Risk Administration Implementation
     • Secure application development implementation
     • Vulnerability patches and updates process administration
     • Secure change process administration
     • Migration to robust remote support protocols
     • Migration of wireless communication protocol
     • Migration of password storage
     • Password policy
     • Security configuration guidelines for operating system
     • Security configuration guidelines for applications
  59. Demystifying the Implementation Process
     1. Business Process Analysis
     2. Data Lifecycle Inventory
     3. Privacy Legal & Regulatory Requirements (PIA) → Data Categories
     4. Data Value (IVA) → Data Categories
     5. Asset Inventory
     6. Policy Generation
     7. Controls, Standards, Procedures
     8. Implementation & Audit
  60. Business Process Analysis: Identification of applicable Law

     | Issuers       | Obligations        | Auditors      |
     |---------------|--------------------|---------------|
     | Legislators   | Laws               | Authorities   |
     | Regulators    | Norms              | Organizations |
     | Organizations | Industry Standards |               |
     |               | Contracts          |               |

  61. Business Process Analysis: Stakeholder Information acquisition
     – Types of data
     – Internal and external data flows
     – Purpose of treatment
     – Information systems and security measures
     – Retention policies
  62. Data Lifecycle Inventory (cycle): Data Reception → Data Purpose of Use → 3rd Parties Involved → Information Systems and Storage → Data Retention → Data Destruction
  63. Privacy Legal & Regulatory Requirements (PIA): 1. Legal & Regulatory
     – Contracts
     – Clauses
     – Privacy notices
     – Authorizations
     – Jurisdictions
     – Other regulations: Money laundering, Sectorial, Etc.
  64. Privacy Legal & Regulatory Requirements (PIA): 2. Technical
     – Authentication & authorization
     – Access control
     – Incident log
     – Removable media and document management
     – Security copies
     – Recovery tests
     – Physical Access
  65. Privacy Legal & Regulatory Requirements (PIA): 3. Organizational
     – Data privacy officer
     – Roles and responsibilities
     – Policies, procedures and standards
     – Notifications to authorities
     – Audits
     – Compliance and evidence
  66. Legal & Regulatory Data Categories
     • High Risk: Union Affiliation; Health; Sexual life; Beliefs; Racial Origin
     • Medium Risk: Financial Profile; Personal Fines; Credit Scoring; Tax Payment Information
     • Basic Risk: Personal Identifying Information; Employment
  67. External Economic Data Value (IVA)
     • Black Market Value: Sale price
     • News Value: Newspaper; Magazines; Television
     • Competition: Market Value; Brand Value; Political Value
     • Authorities: Fines
  68. Data Value Categories

     | Lvl | Value          | Classification | Example                                           |
     |-----|----------------|----------------|---------------------------------------------------|
     | 4   | > $10M         | Secret         | CC Magnetic Strip, PIN number, User & Password    |
     | 3   | $100K – $10M   | Confidential   | Name, Address, Credit History, Account Statements |
     | 2   | $1,000 – $100K | Private        | Bank Account Numbers, Pre-published Marketing Info|
     | 1   | $0 – $1,000    | Public         | Published Marketing Information                   |

  69. Asset Inventory

     | Asset | Legal & Regulatory level | Data Value level | Most Sensitive Data | Applicable Policy                                        | Applicable Controls                                              |
     |-------|--------------------------|------------------|---------------------|----------------------------------------------------------|------------------------------------------------------------------|
     | DB1   | Medium                   | Secret           | Passwords           | 1. Secret Data Policy; 2. L&R Medium Risk Policy         | 1. Oracle … Standard                                             |
     | App5  | High                     | Confidential     | Payment Card Number | 1. L&R High Risk Policy; 2. Confidential Data Policy     | 1. J2EE Security Standard; 2. Application Data Mgmt Standard     |
     | Srvr3 | Medium                   | Private          | Client Account Data | 1. Private Data Policy; 2. L&R Medium Risk Policy        | 1. Solaris 10 Hardening Standard                                 |

  70. Policy Generation: How should this data be:
     – generated?
     – stored?
     – transferred?
     – processed?
     – accessed?
     – backed-up?
     – destroyed?
     – monitored?
     • How should we react to and escalate an incident or breach?
     • How will we punish non-compliance?
  71. Controls, Standards & Procedures
     • Controls are defined and mapped for each policy level
       – Technical Standards
       – Procedures
       – Compensatory Controls
     • [Matrix] Policy level (High Risk, Med Risk, Low Risk) against platform (DB2, HP/UX, J2EE, Oracle), marking which standards apply
  72. Controls, Standards & Procedures: [Diagram] Norms → Controls
  73. Implementation & Audit: [Diagram] Laws and Regulations (LOPD, SOX, LSSI) and Best Practices drive Controls over Processes, Applications and People, producing Evidence; control domains shown: I.ACT, D.SEG, CONTRACT, COMUNIC, ASSETS, NETWORKS
  74. Implementation & Audit
