Your SlideShare is downloading. ×

Datos personales y riesgos digitales

238

Published on

Presentación para el diplomado de derecho en las tecnologías de información del ITAM sobre riesgos digitales.

Presentación para el diplomado de derecho en las tecnologías de información del ITAM sobre riesgos digitales.

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
238
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Datos personales y riesgosdigitales
  • 2. Casandra
  • 3. Ambientes digitales• Windows XP Service Pack 2• 12 de agosto, 2004• Por primera vez, Microsoft habilito de forma predeterminada un firewall de software• Cuando las características de seguridad se habilitaron, muchas aplicaciones dejaron de funcionar
  • 4. Default Close Default Open Confidencialidad Disponibilidad
  • 5. SB1386, California 1 de julio, 2003 Según la ley, las partes afectadas deben revelar cualquier violación de la seguridad de los datos personales a cualquier residente de California, cuya información personal no fue cifrada, y razonablemente se cree que ha sido adquirida por una persona no autorizada.
  • 6. Fugas de información recientes40 millones de registros Entre 45 y 94 millones de registros 4.2 millones de 100 millones de registros datos de tarjetas
  • 7. Las Tecnologías de seguridad deinformación se triplican cada 6 años
  • 8. Usamos estrategias de ataque ycontra ataque, espionaje ycontra espionaje
  • 9. Físico vs Digital En 1990, las ventas de la enciclopedia Britannica logro el record de ventas… $650 millones de dólares
  • 10. Físico vs Digital Una Enciclopedia Britannica se vendía desde $1,500 y hasta en $2,200 USD Una enciclopedia en CD-ROM se vendía desde $50 y hasta $70 USD
  • 11. El cambio de paradigma
  • 12. Robo físico
  • 13. Robo digital
  • 14. ¿Cuánto cuesta el robo digital, por año?
  • 15. ¿1 millón de dólares?CONFIDENCIALSm4rt Security 34
  • 16. ¿1 billón de dólares?
  • 17. 1 trillón de dólares por año
  • 18. Robo digital1trillón de dólares por año en pérdidas, con crecimiento del 300% anual
  • 19. ¿Por qué la seguridad de los datos digitales es una preocupación creciente?
  • 20. El Riesgo de seguridadha incrementado por 4 aspectos
  • 21. 1. Velocidad
  • 22. Antes tomaba días o semanas para compartir información
  • 23. ¡Ahora es instantáneo!
  • 24. 2. Dispersión
  • 25. Las mismas personasque mantenían tussecretos…
  • 26. … son ahora los principales difusores detu información personal
  • 27. •A I N I C I O S D E 2 011, 140 millonesDE T WEETS POR DÍA•E N 2 010 E X I S T I A N 50 millonesDE T WEETS POR DÍA•H OY, 350 millones D E T W E E T SPOR DÍA durante los segundos finales del superbowl, los fans enviaron 4,064 tweets por segundo
  • 28. 3. Persistencia
  • 29. Solíamos controlar,restringir el accesoy destruirfísicamente lascopias de nuestrosdatos personales
  • 30. Sm4rt Security CONFIDENCIAL 52
  • 31. 4. Agrupación
  • 32. Nuestrosarchivossolían serdifíciles deacceder
  • 33. agrupados yAhora están todos disponibles en todo elmundo
  • 34. Ahora, si eres visto en un estadoinconveniente…
  • 35. …tu noviatendrá accesoa lainformación almomento…
  • 36. …así como sus amigas…
  • 37. …probablemente ¡para siempre!
  • 38. Necesitamos aceptar los riesgosLos riesgos potenciales son infinitos
  • 39. Los ambientes son altamente dinámicos
  • 40. Las Piezascambian sinprevio aviso
  • 41. Las reglas cambianconstantemente
  • 42. Losjugadorescambian
  • 43. El Fin justifica los Medios En la prevención del Riesgo Intencional Nada menos que asegurar todos los vectores es suficiente
  • 44. Las Defensas deben ser Optimizadas
  • 45. Optimizar la velocidad
  • 46. Optimizar los Recursos
  • 47. 3 Tipos de Riesgo Digital 1. Accidental 2. Oportunistico 3. Intencional
  • 48. Peor Suma de Mejor Esfuerzo Esfuerzos Esfuerzo Riesgo Riesgo Riesgo ∞ Intencional Oportunista Accidental Relación / conexión Filtrado ConfidencialidadAmenaza Integridad ImpactoExterna Redundancia Interno Disponibilidad 0 1 1 canal 1 momento 1 1p 1 dispositivo Autenticada c/x factores
  • 49. 86
  • 50. Necesitamos usar la analogía médica
  • 51. 101
  • 52. Peor Suma de Mejor Esfuerzo Esfuerzos Esfuerzo Riesgo Riesgo Riesgo ∞ Intencional Oportunista Accidental Relación / conexión Filtrado ConfidencialidadAmenaza Integridad ImpactoExterna Redundancia Interno Disponibilidad 0 1 1 canal 1 momento 1 1p 1 dispositivo Autenticada c/x factores
  • 53. Tres Vectores para gestionar Riesgo Accesibilidad para terceros Anonimidad Valor de los terceros para terceros
  • 54. Risk Analysis
  • 55. Main Risks Always Weak password storage protocol Absence of robust password policy Absence of data entry validation for Probability web applications Possibl Existing applications with vulnerable e remote support Weak wireless ciphered communication protocol Absence of operating system security configuration Almost never Insignificant Medium Very high Impact
  • 56. Action Plan Quick Hits High Password Policy Positive Impact of Implementation Migration of wireless communication protocol Quick Hits Strategic Strategic Security configuration guidelines for applications Moderate Security configuration guidelines for operating systems Migration of passwords storage Nice To Have Not Viable protocols Secure application development process Minimum Migration of remote support protocol Minor Medium Major Effort
  • 57. Recommendations Policies and Configuration Guidelines Security configuration guidelines for applications Security configuration guidelines for operating systems Password policy Superior Technologies Governance Migration of remote support protocols Processes and Roles Migration of password storage User controls protocols Migration of wireless communication protocols Network controls Recommendations for Host controls Sustainability Application controls Secure change process administration Data level controls Risk administration process Vulnerability patches and updates process Secure application development process
  • 58. Mitigation RoadmapQ1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Risk Administration Implementation Secure application development implementation Vulnerability patches and updates process administration Secure change process administration Migration to robust remote support protocols Migration of wireless communication protocol Migration of password storage Password policy Security configuration guidelines for operating system Security configuration guidelines for applications 2012 2013
  • 59. Demystifying the Business Process Analysis Data Lifecycle Inventory Privacy Legal & Regulatory Data Value (IVA)Implementation Requirements (PIA) Process Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
  • 60. Business Process Analysis• Identification of Business Process Analysis Data Lifecycle Inventory applicable Law Legal & Regulatory Data Value (IVA) Requirements (PIA) Data Categories Data Categories Issuers Obligations Auditors Asset Inventory • Legislators • Laws • Authorities • Regulators • Norms • Organizations Policy Generation • Organizations • Industry Standards Controls, Standards, Procedures • Contracts Implementation & Audit
  • 61. Business Process Analysis• Stakeholder Information Business Process Analysis Data Lifecycle Inventory acquisition Legal & Regulatory Data Value (IVA) – Types of data Requirements (PIA) – Internal and external Data Categories Data Categories data flows – Purpose of treatment Asset Inventory – Information systems and Policy Generation security measures – Retention policies Controls, Standards, Procedures Implementation & Audit
  • 62. Data Lifecycle Inventory Business Process Analysis Data Lifecycle Inventory Data Data Data Value (IVA) Legal & Regulatory Destruction Reception Requirements (PIA) Data Categories Data Categories Data Purpose Asset InventoryRetention of Use Policy Generation Information 3rd Parties Systems and Controls, Standards, Procedures Involved Storage Implementation & Audit
  • 63. Privacy Legal & RegulatoryRequirements (PIA) Business Process Analysis1. Legal & Regulatory Data Lifecycle Inventory – Contracts Legal & Regulatory Data Value (IVA) – Clauses Requirements (PIA) – Privacy notices Data Categories Data Categories – Authorizations – Jurisdictions Asset Inventory – Other regulations Policy Generation • Money laundering • Sectorial Controls, Standards, Procedures • Etc. Implementation & Audit
  • 64. Privacy Legal & RegulatoryRequirements (PIA) Business Process Analysis2. Technical Data Lifecycle Inventory – Authentication & Legal & Regulatory Data Value (IVA) authorization Requirements (PIA) – Access control Data Categories Data Categories – Incident log – Removable media and Asset Inventory document management Policy Generation – Security copies – Recovery tests Controls, Standards, Procedures – Physical Access Implementation & Audit
  • 65. Privacy Legal & RegulatoryRequirements (PIA) Business Process Analysis3. Organizational Data Lifecycle Inventory – Data privacy officer Legal & Regulatory – Roles and Data Value (IVA) Requirements (PIA) responsibilities – Policies, procedures and Data Categories Data Categories standards Asset Inventory – Notifications to authorities Policy Generation – Audits – Compliance and Controls, Standards, Procedures evidence Implementation & Audit
  • 66. Legal & RegulatoryData Categories• High Risk Business Process Analysis Data Lifecycle Inventory – Syndicate Affiliation – Health Legal & Regulatory – Sexual life Data Value (IVA) Requirements (PIA) – Beliefs – Racial Origin Data Categories Data Categories• Medium Risk – Financial Profile Asset Inventory – Personal Fines – Credit Scoring – Tax Payment Information Policy Generation• Basic Risk – Personal Identifying Controls, Standards, Procedures Information – Employment Implementation & Audit
  • 67. External Economic Data Value (IVA)• Black Market Value Business Process Analysis Data Lifecycle Inventory – Sale price• News Value Data Value (IVA) Legal & Regulatory Requirements (PIA) – Newspaper – Magazines Data Categories Data Categories – Television• Competition Asset Inventory – Market Value Policy Generation – Brand Value – Political Value Controls, Standards, Procedures• Authorities – Fines Implementation & Audit
  • 68. Data Value Categories Business Process AnalysisLvl Value Classification Example Data Lifecycle Inventory CC Magnetic Strip, Legal & Regulatory Data Value (IVA) Requirements (PIA)4 > $10M Secret PIN number, User & Password Data Categories Data Categories Name, Address, $100K -3 Confidential Credit History, $10M Account Statements Asset Inventory Bank Account $1,000 - Numbers, Policy Generation2 Private $100K Pre-published Marketing Info Controls, Standards, Procedures Published1 $0 - $1,000 Public Marketing Information Implementation & Audit
  • 69. Asset Inventory Legal & Data Most Business Process Analysis Applicable ApplicableAsset Regulatory Value Sensitive Data Lifecycle Inventory Policy Controls level level Data Legal & Regulatory Data Value (IVA) L&R 1. Oracle Requirements (PIA) Application 1. SecretDB1 Medium Secret Secret Data Passwords Data Policy Risk Standard Data Categories Data Categories 1. J2EE High Security Asset Inventory Standard L&R Payment 1. L&R HighApp5 High Confidential Card Risk Policy 2. Application Risk Number Confidential Policy Generation Data Mgmt Standard 1. Private Controls, Standards, Procedures Data Policy 1. Solaris 10 L&R Client MediumSrvr3 Medium Private Account 2. L&R Hardening Risk Data Medium Standard Implementation & Audit Risk Policy
  • 70. Policy GenerationHow should this data be: Business Process Analysis Data Lifecycle Inventory – generated? – stored? Legal & Regulatory Data Value (IVA) – transferred? Requirements (PIA) – processed? – accessed? Data Categories Data Categories – backed-up? – destroyed? Asset Inventory – monitored?• How should we react and Policy Generation escalate an incident or breach? Controls, Standards, Procedures• How will we punish compliance? Implementation & Audit
  • 71. Controls, Standards & Procedures• Controls are defined Business Process Analysis Data Lifecycle Inventory and mapped for each Legal & Regulatory Data Value (IVA) policy level Requirements (PIA) – Technical Standards Data Categories Data Categories – Procedures – Compensatory Controls Asset Inventory DB2 HP/UX J2EE Oracle Policy GenerationHigh Risk     Controls, Standards, ProceduresMed Risk    Low Risk    Implementation & Audit
  • 72. Controls, Standards & Procedures Business Process Analysis Data Lifecycle Inventory Legal & Regulatory Data Value (IVA) Requirements (PIA) Data Categories Data Categories Asset Inventory Policy GenerationNorms Controls Controls, Standards, Procedures Implementation & Audit
  • 73. Implementation & Audit Laws and Regulations Best Practices Business Process Analysis Data Lifecycle Inventory Legal & Regulatory Data Value (IVA) Requirements (PIA) LOPD SOX LSSI Data Categories Data Categories Asset Inventory PROCESSES APPLICATIONS Policy Generation PEOPLE Evidence Controls Controls, Standards, Procedures Implementation & AuditI.ACT D.SEG CONTRACT COMUNIC ASSETS NETWORKS .
  • 74. Implementation & Audit Business Process Analysis Data Lifecycle Inventory Legal & Regulatory Data Value (IVA) Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit

×