Cmo elaborar una estrategia de

Seguridad de la Informacin en el
sector pblico de Mxico?
Juan Gutirrez
Director Mxico y Centroamrica
Gartner Executive Programs
Mayo 2011
Juanjose.gutierrez@gartner.com
Una estrategia gubernamental para el aseguramiento de la informacin
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other
authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied,
distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
2010 Gartner, Inc. and/or its affiliates. All rights reserved.

Confidentiality

Integrity

Availability

Los procesos de negocio no estn

diseados con seguridad

2011 Top 10 CIO Strategic Priorities

Gobierno

Top 10 CIO Strategies 2011

Please indicate the top three priorities that you expect to focus on in
2011
Developing or managing a flexible infrastructure

Improving IT management and governance

Reducing the cost of IT

Consolidating IT operations and resources

Reorganizing IT (attracting/retaining IT personnel)

Delivering application and grow th projects

Improving data management

Enhancing IT security

Improving IT solution development

Increased use of virtualization

Note: In the survey respondents identified their top three issues (not in any order). These priorities are ordered based on the
percentage of respondents that included the issue in their top three.
9

10

Lo saba usted?
Un estimado del
en Mxico

23.5% de las organizaciones

NO hace pruebas de seguridad

informtica

ENSI Mxico 2010

La curva de madurez de la Seguridad

Informtica
Level of Program Maturity
Nonexistent

Initial

Developing
1

Relative Program Maturity

Blissful Ignorance

Defined

Managed

Awareness

Corrective

10%

35%

30%
Develop New
Policy Set
Review Status Quo

10%

10%

Operations Excellence

Conclude Catch-Up
Projects
Design
Architecture

Optimizing

5%

Continuous
Process
Improvement
Track Technology and
Business Change

Process
Formalization
Initiate Strategic Program

(Re-)Establish Security Team

NOTE: Population distributions represent typical, large, Global-2000-type organizations

Composite Risk
Position

Programa de Seguridad
Estrategia
Responsibility

Arquitectura
Plan & Presupuesto

ID
P
C

AWARENESS

Plan

Diseo de Infraestructura
Procesos
Controles

Build
Executive Support

Steering
Committee

Govern

Delegation of
Authority

Risk Assessment

Run
Communicaciones y
Relationship Mgmt
Monitoreo

Incident Mgmt
Implementar y
Operar

Deteccin y
respuesta

Dejar a los chicos

Buenos entrar

Administrar
La seguridad

Mantener a los
chicos malos

Visin conceptual de la seguridad de la informacin

Business Continuity
Management

17
Information
Security

Compliance

Privacy

Identity and Access Management

Risk Management

IT Score by area

Business Continuity
Management

18

Information Security

Compliance

Privacy

Identity and Access

Management

Risk Management

Lo saba usted?
En Mxico los principales problemas para adoptar una
estrategia de seguridad de la informacin son la falta de:

Apoyo directivo
Colaboracin entre reas
Polticas de seguridad
Entendimiento de la SI

ENSI Mxico 2010

Los principales componentes son:

Una solida organizacin

Corporate Risk Manager
Corporate Infosec Team
ESP

CIO

Risk Management

ESP

Policy Management
Program Management
BCM
Architecture
Awareness

ITOps
Implementation

LOB Management

Administration
Governance
IT Infosec Team
Risk Assessment
ESP

Design and Implementation

DRP Security Monitoring
Vulnerability Assessment

BU Infosec Teams
BCP

Awareness
Local Policy Management

BCM = business continuity management; BCP = business continuity planning; BU = business unit; DRP = disaster recovery planning;
ESP = external service provider; ITOps = IT operations; LOB = line of business; Infosec = information security.

ESP

Gobierno de seguridad

Mtricas de Seguridad
Inventory

Communications/awareness

People: Users, sec. FTEs

% users made aware during period

Equipment: Desktops, servers, network

% IT personnel trained during period

devices, sec. devices

Resources: connections, applications
Program Status
% YTD spending of security budget
% completion of annual objectives
% confidence of completing objectives
% security policies refreshed
# new policies created/implemented
% security processes refreshed
# new processes created/implemented
Project status (major, per project)
% completion
% project timeline elapsed
% project budget expended
% confidence of completion
Compliance
# compliance deficiencies, last audit
# remaining open compliance deficiencies
Y/N compliance audit up-to-date
# of policy deficiencies, last audit
# remaining open policy deficiencies
Y/N policy audit up-to-date

Risk assessment status

# risk assessments conducted
# risk assessments in progress
# risk assessments pending/backlogged
# of crit. systems with expired RA
Vulnerability management (incl. patch)
# security alerts processed
# of vuln. scans in period
# open vuln. by criticality
# open vuln. area by criticality
# vuln. reduction during period (area, vol.)
Event/incident management
# privacy violations
# events (total, reportable, ability to be

investigated, actionable)
# hours induced downtime by system crit.
# of incidents by type (config. error, zero-day
vuln., unpatched vuln., user error, hacker)
Security systems status/health
% desktops with fresh AV
% of FW/IDs/VPN/etc. with fresh firmware
% availability of security infrastructure
Service requests

Mecnismos para el seguimiento y

comunicacin de la efectividad

Estrategia de admon del Riesgo

Arquitectura

Polticas
Policy Catalog

Polticas

Policy Catalog

Polticas

Lo saba usted?
de las organizaciones
Un estimado del

en Mxico

Carecen de un programa de
concientizacin en seguridad

ESET report Mxico 2010

Las organizaciones gastan

millones de dlares en
dispositivos de seguridad,
pero tiran el dinero porque
ninguna de estas medidas
cubre el eslabn ms dbil de
la cadena de seguridad: la
gente que usa y administra
los ordenadores
Kevin Mitnick

Maniobrar con un
ejrcito es
ventajoso.
Maniobrar con una
multitud
indisciplinada, es
peligroso
Sun-Tzu

La gente NO HACE LAS

COSAS PORQUE NO:
Quiere
Sabe
Puede

Ningn control tcnico por

si solo podr alcanzar un
buen nivel de efectividad
si no cuenta con la
colaboracin del usuario
El soporte por parte de los
niveles directivos es
primordial

Iniciativas tpicas
Proyectos estratgicos
Desarrollo de la
arquitectura de seguridad
de la informacin.
Establecimiento de un
programa de Awareness
Definicin de los procesos
de seguridad(Por ejemplo ,
risk assesment,
clasificacin de
informacin/activos)
Rediseo de polticas de
seguridad
Programa de mejora y
madurez

Iniciativas tpicas
Proyectos de infraestructura y
controles:

Infraestructura
IAM
Estrategia de encripcin
Acceso remoto seguro
Vulnerability management
Patch management
Administracin de la seguridad
de la informacin.
Network- and host-based
intrusion prevention systems
Business continuity
management
Endpoint security
Network access control

La Planificacin Estratgica no es ms
que analizar dnde estamos, reflexionar
sobre dnde nos gustara estar en un
futuro cercano y disear los pasos que
nos permitan ir en la direccin adecuada

Bibliografa
The Structure and Scope of an Effective
Information Security Program, 24 January 2011
,ID:G00210133
Information Security Architecture Model ,7 July
2010 ID:G00204027
Introducing the Gartner Information Security
Governance Model, 24 June 2010,
ID:G00201410
The New CISO's Crucial First 100 Days , 17
February 2011,ID:G00210488