Information security in Mexico's public sector?
Juan Gutiérrez
Director, Mexico and Central America
Gartner Executive Programs
May 2011
Juanjose.gutierrez@gartner.com
A government strategy for information assurance
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other
authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied,
distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
© 2010 Gartner, Inc. and/or its affiliates. All rights reserved.
Figure: the CIA triad (Confidentiality, Integrity, Availability) as the basis for enhancing IT security.
Did you know? An estimated [figure not extracted] in Mexico.
Figure: security program maturity model (residue of a diagram). Maturity levels: Initial, Developing, Defined, Managed, Optimizing. Program phases: Blissful Ignorance, Awareness, Corrective, Operations Excellence, Continuous Process Improvement. Activities: Review Status Quo, Initiate Strategic Program, Develop New Policy Set, Process Formalization, Design Architecture, Conclude Catch-Up Projects, Track Technology and Business Change. Percentages shown on the chart: 10%, 35%, 30%, 10%, 10%, 5%. Also labelled: Composite Risk Position.
Security program
Figure: security program framework (residue of a diagram). Stages: Plan, Build, Govern, Run. Elements shown: Strategy, Responsibility, Architecture, Plan & Budget, Awareness, Infrastructure Design, Processes, Controls, Executive Support, Steering Committee, Delegation of Authority, Risk Assessment, Communications and Relationship Mgmt, Monitoring, Incident Mgmt, Implement and Operate, Detection and Response, Manage Security, Keep the bad guys [out], Business Continuity Management.
Figure: IT Score by area. Areas: Information Security, Compliance, Privacy, Risk Management, Business Continuity Management.
Did you know?
In Mexico, the main obstacles to adopting an information security strategy are the lack of:
Executive support
Collaboration between areas
Security policies
Understanding of information security
Security governance
Figure: information security governance model (residue of a diagram). Roles: CIO, ESP, ITOps, LOB Management, IT Infosec Team, BU Infosec Teams. Responsibilities shown: Risk Management, Policy Management, Program Management, BCM, Architecture, Awareness, Implementation, Administration, Governance, Risk Assessment, BCP, Local Policy Management.
BCM = business continuity management; BCP = business continuity planning; BU = business unit; DRP = disaster recovery planning;
ESP = external service provider; ITOps = IT operations; LOB = line of business; Infosec = information security.
Security metrics
Inventory
Communications/awareness
investigated, actionable) [preceding text not extracted]
# hours of induced downtime by system criticality
# of incidents by type (config. error, zero-day vuln., unpatched vuln., user error, hacker)
Security systems status/health
% desktops with fresh AV
% of FW/IDS/VPN/etc. with fresh firmware
% availability of security infrastructure
Service requests
Architecture
Policies
Policy Catalog
Did you know?
An estimated [figure not extracted] of organizations in Mexico lack a security awareness program.
Maneuvering with an army is advantageous. Maneuvering with an undisciplined multitude is dangerous.
Sun Tzu
Typical initiatives
Strategic projects:
Development of the information security architecture.
Establishment of an awareness program.
Definition of security processes (for example, risk assessment, information/asset classification).
Redesign of security policies.
Improvement and maturity program.
Typical initiatives
Infrastructure and control projects:
Infrastructure
IAM
Encryption strategy
Secure remote access
Vulnerability management
Patch management
Information security administration.
Network- and host-based intrusion prevention systems
Business continuity management
Endpoint security
Network access control
Strategic planning is nothing more than analyzing where we are, reflecting on where we would like to be in the near future, and designing the steps that let us move in the right direction.
Bibliography
The Structure and Scope of an Effective Information Security Program, 24 January 2011, ID: G00210133
Information Security Architecture Model, 7 July 2010, ID: G00204027
Introducing the Gartner Information Security Governance Model, 24 June 2010, ID: G00201410
The New CISO's Crucial First 100 Days, 17 February 2011, ID: G00210488