Audit domains (matrix columns):
- Information Security Management
- Vendor Management
- Foundation Controls
- Project Management
- Application Development, Maintenance and Acquisition
- Infrastructure Management
- Production Data
- Problem and Incident Management
- Access Administration
- Physical and Environmental Security Management
- IT Organisation and Strategic Planning
- Business Continuity

COBIT control activities in scope (matrix rows; each row is marked against the domains it maps to):
- DSS 01.04
- DSS 01.05
- DSS 05.05 (listed three times: internal staff, external persons, primary and alternate site)
- DSS 05.06
- DSS 05.07
- DSS 06.02
- DSS 06.06
Control Objective / Control Description

DSS 01 Manage operations.
Co-ordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services, including the execution of pre-defined standard operating procedures and the required monitoring activities.

DSS 05 Manage security services.
Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.

DSS 06 Manage business process controls.
Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements and manage and operate adequate controls to ensure that information and information processing satisfy these requirements.
Control Description / Control Activity

DSS 01 Manage operations.
Co-ordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services, including the execution of pre-defined standard operating procedures and the required monitoring activities.

  DSS 01.04 Environmental management.
  Maintain measures for protection against environmental factors. Install specialised equipment and devices to monitor and control the environment.

  DSS 01.05 Facilities management.
  Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.

DSS 05 Manage security services.
Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.

  DSS 05.05 Physical access to IT assets. Access control for internal staff.
  DSS 05.05a Physical access to IT assets. Access control for external persons.
  DSS 05.05b Physical access to IT assets. Access control for the primary and alternate site.
  (Same COBIT activity for the three rows.) Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorised, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.

  DSS 05.06 Sensitive documents and output devices.
  Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.

  DSS 05.07 Infrastructure monitoring for security events.
  Using intrusion detection tools, monitor the infrastructure for unauthorised access and ensure that any events are integrated with general event monitoring and incident management.

DSS 06 Manage business process controls.
Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements and manage and operate adequate controls to ensure that information and information processing satisfy these requirements.

  DSS 06.02 Processing security control.
  Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorised business use).

  DSS 06.06 Secure information assets.
  Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information.
Quick Guide to the Control

IT operations management (DSS 01.04).
Environmental controls:
-Temperature
-Humidity
-Fire detection
-Smoke detection
-Fire suppression system
-Cancellation of false positives
-Water drainage systems
-Cabling type (shielded)
-Equipment distribution
-Monitoring control panels

IT operations management (DSS 01.05).
-The infrastructure supporting the IT operations equipment must comply with the specifications set by the vendor and with local regulations.

Physical access management for company facilities (DSS 05.05).
*Procedures and policies for employee access to company facilities.
*Identification method for physical access of employees
*Requesting managers
*Access authorisers
*Changes to access privileges

Physical access management for company facilities (DSS 05.05a).
*Procedures and policies for access to company facilities by clients, vendors, visitors, etc.
*Identification method for physical access of external persons
*Requesting managers
*Access authorisers
*Changes to access privileges

Physical access management for company facilities (DSS 05.05b).
*Procedure for access to the Site (primary and alternate)
*Identify the types of physical access control for the areas where sensitive company information is handled, transmitted or stored.

Policies and procedures for the protection of company information (DSS 05.06), considering:
*File servers
*Information classification
*Protection of storage media.
*Definition of information retention periods.
*Mechanisms for the destruction of information and storage media.

Policies and procedures for monitoring the IT infrastructure for security events (DSS 05.07).
*Log configuration of IT equipment.
*Security event monitoring tools.
*Classification of security events in the IT infrastructure.
*Periodic monitoring and review of security logs.
*Mechanisms for notification of security incidents.

Ctrl Obj. Administration of business process controls (DSS 06.02)
Ctrl Act. Functional testing of the risk-based controls for business-related processes, to ensure that the information is valid, accurate, timely, effective and secure.

Ctrl Obj. Administration of business process controls (DSS 06.06)
Ctrl Act. Validate that access to and handling of information assets (physical and electronic) is aligned with the security standards formally established by the business, to ensure they are correct, effective and secure from creation to final disposition.

Test Review Points
Requirements

Internal staff (DSS 05.05):
*Access control policy
--exceptions to access privileges
*Access assignment procedure
*Access request
--New hire
--Rehire
*Procedure for access modifications
*Access log for the period under audit

External persons (DSS 05.05a):
*Access control policy
*Access assignment procedure
*Access request for external persons
*Access log for the period under audit
Test Design Help / Control Activity

DSS 01.04 Environmental management. Maintain measures for protection against environmental factors. Install specialised equipment and devices to monitor and control the environment.

1. Identify natural and man-made disasters that might occur in the area within which the IT facilities are located. Assess the potential effect on the IT facilities.
2. Identify how IT equipment, including mobile and off-site equipment, is protected against environmental threats. Ensure that the policy limits or excludes eating, drinking and smoking in sensitive areas, and prohibits storage of stationery and other supplies posing a fire hazard within computer rooms.
3. Site and construct IT facilities to minimise and mitigate susceptibility to environmental threats.
4. Regularly monitor and maintain devices that proactively detect environmental threats (e.g., fire, water, smoke, humidity).
5. Respond to environmental alarms and other notifications. Document and test procedures, which should include prioritisation of alarms and contact with local emergency response authorities, and train personnel in these procedures.
6. Compare measures and contingency plans against insurance policy requirements and report results. Address points of non-compliance in a timely manner.
7. Ensure that IT sites are built and designed to minimise the impact of environmental risk (e.g., theft, air, fire, smoke, water, vibration, terror, vandalism, chemicals, explosives). Consider specific security zones and/or fireproof cells (e.g., locating production and development environments/servers away from each other).
8. Keep the IT sites and server rooms clean and in a safe condition at all times (i.e., no mess, no paper or cardboard boxes, no filled dustbins, no flammable chemicals or materials).
DSS 01.05 Facilities management. Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.

1. Examine the IT facilities' requirement for protection against power fluctuations and outages, in conjunction with other business continuity planning requirements. Procure suitable uninterruptible supply equipment (e.g., batteries, generators) to support business continuity planning.
2. Regularly test the uninterruptible power supply's mechanisms, and ensure that power can be switched to the supply without any significant effect on business operations.
3. Ensure that the facilities housing the IT systems have more than one source for dependent utilities (e.g., power, telecommunications, water, gas). Separate the physical entrance of each utility.
4. Confirm that cabling external to the IT site is located underground or has suitable alternative protection. Determine that cabling within the IT site is contained within secured conduits, and wiring cabinets have access restricted to authorised personnel. Properly protect cabling against damage caused by fire, smoke, water, interception and interference.
5. Ensure that cabling and physical patching (data and phone) are structured and organised. Cabling and conduit structures should be documented (e.g., blueprint building plan and wiring diagrams).
6. Analyse the facilities housing's high-availability systems for redundancy and fail-over cabling requirements (external and internal).
DSS 05.05 Physical access to IT assets. Access control for internal staff.
DSS 05.05a Physical access to IT assets. Access control for external persons.
Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorised, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.

1. Manage the requesting and granting of access to the computing facilities. Formal access requests are to be completed and authorised by management of the IT site, and the request records retained. The forms should specifically identify the areas to which the individual is granted access.
2. Ensure that access profiles remain current. Base access to IT sites (server rooms, buildings, areas or zones) on job function and responsibilities.
3. Log and monitor all entry points to IT sites. Register all visitors, including contractors and vendors, to the site.
4. Instruct all personnel to display visible identification at all times. Prevent the issuance of identity cards or badges without proper authorisation.
5. Require visitors to be escorted at all times while on-site. If an unaccompanied, unfamiliar individual who is not wearing staff identification is identified, alert security personnel.
6. Restrict access to sensitive IT sites by establishing perimeter restrictions, such as fences, walls, and security devices on interior and exterior doors. Ensure that the devices record entry and trigger an alarm in the event of unauthorised access. Examples of such devices include badges or key cards, keypads, closed-circuit television and biometric scanners.
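The core audit test for this activity is the reconciliation the review points call for: every granted entry in the access log for the period under audit must be backed by an approved, current access request for that person and zone, and the approval must be independent of the requester. The following script is an added example, not part of the audit program or of COBIT; the access register, the badge log lines and their field layout are constructed for illustration and do not correspond to any real badge system.

```python
"""Reconcile a physical access (badge) log against the approved access register.

Added example for testing DSS 05.05 steps 1-3: a granted entry with no valid
grant (none requested, expired or revoked), an entry into a zone the person was
never granted, or a grant approved by the requester themselves, is a finding.
All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessGrant:
    person: str
    zone: str
    valid_from: date
    valid_to: Optional[date]   # None means the grant has not been revoked
    requested_by: str
    approved_by: str           # should be independent of requested_by


# Constructed register: the output of the access-assignment procedure (assumed layout).
REGISTER = [
    AccessGrant("amartinez", "server_room", date(2024, 1, 2), None, "rgarcia", "jlopez"),
    AccessGrant("bruiz", "server_room", date(2024, 1, 2), date(2024, 3, 15), "rgarcia", "jlopez"),
    AccessGrant("cvendor", "office_floor2", date(2024, 3, 1), date(2024, 3, 31), "amartinez", "jlopez"),
    AccessGrant("dperez", "server_room", date(2024, 2, 1), None, "dperez", "dperez"),
]

# Constructed badge log for the audit period: timestamp;person;zone;result
BADGE_LOG = """\
2024-03-10T08:01:12;amartinez;server_room;granted
2024-03-10T08:05:40;bruiz;server_room;granted
2024-03-20T22:13:05;bruiz;server_room;granted
2024-03-12T10:00:00;cvendor;server_room;granted
2024-03-12T10:01:00;cvendor;office_floor2;granted
2024-03-14T09:30:00;dperez;server_room;granted
2024-03-14T09:31:00;unknown01;server_room;denied
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Split the log into (timestamp, person, zone, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, person, zone, result = line.split(";")
        events.append((datetime.fromisoformat(ts), person, zone, result))
    return events


def grant_for(person: str, zone: str, when: date, register=REGISTER) -> Optional[AccessGrant]:
    """Return the grant that covers person/zone on the given date, if any."""
    for g in register:
        if g.person != person or g.zone != zone:
            continue
        if g.valid_from <= when and (g.valid_to is None or when <= g.valid_to):
            return g
    return None


def reconcile(log_text: str, register=REGISTER) -> List[dict]:
    """Audit findings for every granted entry not backed by a proper approval."""
    findings = []
    for ts, person, zone, result in parse_log(log_text):
        if result != "granted":
            continue  # denied attempts are reviewed under event monitoring, not here
        grant = grant_for(person, zone, ts.date(), register)
        if grant is None:
            finding = "entry granted with no current, unrevoked approval for this zone"
        elif grant.approved_by == grant.requested_by:
            finding = "approval not independent of the requester"
        else:
            continue
        findings.append({"time": ts.isoformat(), "person": person, "zone": zone, "finding": finding})
    return findings


if __name__ == "__main__":
    for f in reconcile(BADGE_LOG):
        print(f"{f['time']} {f['person']:<10} {f['zone']:<14} {f['finding']}")
```

Run against the constructed data the script reports three findings: bruiz entering after the grant's end date (an access profile not kept current, step 2), cvendor entering a zone the request never covered (step 1), and dperez holding a grant approved by the requester. The denied attempt by an unregistered badge is left for the event-monitoring review under DSS 05.07.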
DSS 05.05b Physical access to IT assets. Access control for the primary and alternate site.
Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorised, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. (Same control activity as DSS 05.05.)

DSS 05.06 Sensitive documents and output devices. Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.

1. Establish procedures to govern the receipt, use, removal and disposal of special forms and output devices into, within and out of the enterprise.
2. Assign access privileges to sensitive documents and output devices based on the least-privilege principle, balancing risk and business requirements.
3. Establish an inventory of sensitive documents and output devices, and conduct regular reconciliations.
4. Establish appropriate physical safeguards over special forms and sensitive devices.
5. Destroy sensitive information and protect output devices (e.g., degaussing of electronic media, physical destruction of memory devices, making shredders or locked paper baskets available to destroy special forms and other confidential papers).

DSS 05.07 Infrastructure monitoring for security events. Using intrusion detection tools, monitor the infrastructure for unauthorised access and ensure that any events are integrated with general event monitoring and incident management.

1. Log security-related events reported by infrastructure security monitoring tools, identifying the level of information to be recorded based on a consideration of risk. Retain them for an appropriate period to assist in future investigations.
2. Define and communicate the nature and characteristics of potential security-related incidents so they can be easily recognised and their impacts understood to enable a commensurate response.
3. Regularly review the event logs for potential incidents.
4. Maintain a procedure for evidence collection in line with local forensic evidence rules and ensure that all staff are made aware of the requirements.
5. Ensure that security incident tickets are created in a timely manner when monitoring identifies potential security incidents.

DSS 06.02 Processing security control. Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorised business use).

1. Create transactions by authorised individuals following established procedures, including, where appropriate, adequate segregation of duties regarding the origination and approval of these transactions.
2. Authenticate the originator of transactions and verify that he/she has the authority to originate the transaction.
3. Input transactions in a timely manner. Verify that transactions are accurate, complete and valid. Validate input data and edit or, where applicable, send back for correction as close to the point of origination as possible.
4. Correct and resubmit data that were erroneously input without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
5. Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.
6. Maintain the integrity of data during unexpected interruptions in business processing and confirm data integrity after processing failures.
7. Handle output in an authorised manner, deliver to the appropriate recipient and protect the information during transmission. Verify the accuracy and completeness of the output.
8. Before passing transaction data between internal applications and business/operational functions (inside or outside the enterprise), check for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.

DSS 06.06 Secure information assets. Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information.

1. Apply data classification and acceptable use and security policies and procedures to protect information assets under the control of the business.
2. Provide acceptable use awareness and training.
3. Restrict use, distribution and physical access of information according to its classification.
4. Identify and implement processes, tools and techniques to reasonably verify compliance.
5. Report to business and other stakeholders on violations and deviations.
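DSS 06.02 steps 1 to 5 describe input controls that an auditor will usually test by walking transactions through the application. The script below is an added example of what those controls look like in code, not part of the audit program or of any real transaction system: it authenticates the originator against an authority table, enforces segregation of duties between originator and approver, validates the input at the point of origination, returns erroneous transactions for correction without stopping the valid ones, and resubmits a corrected transaction without altering its original authorisation. The authority table, the transaction layout and the sample batch are constructed for illustration.

```python
"""Input controls for business transactions (DSS 06.02 steps 1-5).

Added example. The authority table, the Transaction layout and SAMPLE_BATCH are
constructed here and are assumptions of this example, not a real system.
"""
from dataclasses import dataclass, replace
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

# Constructed authority table: role and monetary limit per authenticated user.
AUTHORITY: Dict[str, dict] = {
    "mrivera": {"role": "originator", "limit": Decimal("5000")},
    "svega":   {"role": "originator", "limit": Decimal("1000")},
    "pnunez":  {"role": "approver",   "limit": Decimal("50000")},
}


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    originator: str
    approver: str
    amount: str    # raw field as entered; validated below, never trusted as-is
    account: str


def validate(tx: Transaction) -> List[str]:
    """Return the control violations; an empty list means the transaction is valid."""
    errors = []
    orig = AUTHORITY.get(tx.originator)
    if orig is None or orig["role"] != "originator":
        errors.append("originator not authenticated or not authorised to originate (step 2)")
    appr = AUTHORITY.get(tx.approver)
    if appr is None or appr["role"] != "approver":
        errors.append("approver not authorised to approve (step 1)")
    if tx.originator == tx.approver:
        errors.append("segregation of duties: originator and approver are the same person (step 1)")
    try:
        amount = Decimal(tx.amount)
        # NaN, infinities and oversized values raise InvalidOperation here as well
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount must be positive with at most two decimals (step 3)")
        elif orig is not None and amount > orig["limit"]:
            errors.append(f"amount exceeds originator limit of {orig['limit']} (step 2)")
    except InvalidOperation:
        errors.append("amount is not a valid number (step 3)")
    if not (tx.account.isdigit() and len(tx.account) == 10):
        errors.append("account must be exactly 10 digits (step 3)")
    return errors


def process_batch(batch: List[Transaction]) -> Tuple[List[Transaction], List[Tuple[Transaction, List[str]]]]:
    """Post the valid transactions and return the erroneous ones with their errors.

    A rejected transaction must not disrupt processing of the valid ones (step 5),
    so the batch is never aborted on the first error.
    """
    posted, returned = [], []
    for tx in batch:
        errs = validate(tx)
        if errs:
            returned.append((tx, errs))
        else:
            posted.append(tx)
    return posted, returned


def resubmit(tx: Transaction, **corrected_fields) -> Transaction:
    """Correct input fields and resubmit. Originator, approver and id are kept so
    the original authorisation level cannot be changed on resubmission (step 4)."""
    for protected in ("tx_id", "originator", "approver"):
        corrected_fields.pop(protected, None)
    return replace(tx, **corrected_fields)


# Constructed sample batch.
SAMPLE_BATCH = [
    Transaction("T1", "mrivera", "pnunez", "1200.00", "0012345678"),
    Transaction("T2", "pnunez", "pnunez", "300.00", "0012345678"),   # approver originating and self-approving
    Transaction("T3", "svega", "pnunez", "12.345", "0012345678"),    # three decimals: sent back for correction
    Transaction("T4", "ghost", "pnunez", "50.00", "00123"),          # unknown originator, malformed account
]

if __name__ == "__main__":
    posted, returned = process_batch(SAMPLE_BATCH)
    print("posted:", [t.tx_id for t in posted])
    for tx, errs in returned:
        print("returned", tx.tx_id, errs)
    print("T3 after correction:", validate(resubmit(SAMPLE_BATCH[2], amount="12.35")))
```

On the constructed batch only T1 posts; T2, T3 and T4 are returned with their specific errors rather than halting the batch, and T3 validates cleanly once resubmitted with the corrected amount while any attempt to change its approver on resubmission is ignored.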