
COMPANY QUALITY MANAGEMENT SYSTEM

Title: Information Security Operating Model

Document No.
XX-XXX-XX-XXX
Revision status
00
Effective date

Date of last revision

Approved by

Preparer name

Signature

Date

Developed by Global Markets - EY Knowledge


Table of Contents
COMPANY QUALITY MANAGEMENT SYSTEM ........ 1
1. PURPOSE ........ 4
2. LIST OF ABBREVIATIONS ........ 4
3. INTRODUCTION ........ 5
4. OVERVIEW ........ 6
5. INFORMATION SECURITY MANAGEMENT PROCESS ........ 7
5.1. Process Objective and Goals ........ 7
5.2. High-level Process Steps ........ 8
6. RELATIONSHIPS WITH INFORMATION SECURITY STAKEHOLDERS
6.1. Internal stakeholders
6.1.1. The COMPANY X Board
6.1.2. Executive Responsible for Information Security
6.1.3. Chief Information Officer (CIO)
6.1.4. Support functions / services
6.1.5. ICT Services
6.1.6. Information Privacy Office
6.1.7. (Physical) Security Office
6.1.8. Legal Services
6.1.9. Risk Office
6.1.10. Internal Audit
6.1.11. Communications
6.1.12. Operating Units / Centres (OU)
6.2. External stakeholders
6.2.1. State Security Agency (SSA)
6.2.2. Auditor General (AG)
6.2.3. Information Regulator
6.2.4. Cybersecurity Centre
6.2.5. Service providers
6.3. Special interest groups
6.4. Information security good practices
6.5. Regulatory and Legislative Requirements
7. IS OFFICE ORGANISATIONAL DESIGN
7.1. Information Security Office
7.2. COMPANY X Organisational Structure
7.3. Information Security Office reporting lines
7.4. Internal structure of the Information Security Office
7.5. Information Security Office role descriptions
7.5.2.2. Senior Information Security Management Specialist
7.5.2.3. Senior Information Security Specialist
7.5.2.4. Information Security Specialist
7.5.3. Information Security Operations
7.5.3.1. Information Security Operations Team Lead
7.5.3.2. Information Security Operations Team (*existing resources*)
7.5.3.3. Information Security Analyst
7.6. Organisational information security roles
7.6.2. Employee responsibilities for information security
7.6.3. Management responsibilities for information security
8. COMPANY X INFORMATION SECURITY FORUMS AND COMMITTEES
8.1. Strategic committees and forums
8.1.1. Information Security Steering Committee (ISSC)
8.1.2. Executive Committee (EXCO)
8.1.3. Information Privacy Project Steering Committee (IPPSC)
8.2. Tactical committees and forums
8.2.1. Operations Committee (OPCO)
8.2.2. Joint Planning Committee (JPC)
8.2.3. Operating Unit / Centre Management Meetings
8.2.4. Business Service Manager (BSM) ICT Meetings
8.2.5. Information Security Working Group (ISWG)
8.2.6. ICT Governance Committee
8.2.7. Integrated Security Forum
8.3. Operational committees and forums
8.3.1. ICT Management and Programme Management Meetings
8.3.2. Information Security Team Meetings
8.3.3. Information Security Programme Meetings
9. INFORMATION SECURITY TECHNOLOGIES
1. PURPOSE
The Information Security Operating Model (ISOM) is an abstract model describing the
COMPANY X information security function. It highlights the high-level supporting
processes, details the required governance structure, and describes the supporting
organisational structures and technologies.

2. LIST OF ABBREVIATIONS
Abbreviation   Full term
AG             Auditor General
BSM            Business Service Manager
BYOD           Bring Your Own Device
CAM            Competency Area Manager
CEO            Chief Executive Officer
CIO            Chief Information Officer
CISO           Chief Information Security Officer
COBIT          (ISACA's) Control Objectives for Information and Related Technologies
CPO            Chief Privacy Officer
EA             Enterprise Architecture
ECT            Electronic Communications and Transactions (ECT) Act
EISA           Enterprise Information Security Architecture
ICT            Information and Communications Technology
IPPSC          Information Privacy Project Steering Committee
IS             Information Security
ISACA          Information Systems Audit and Control Association
ISC            Information Security Champion
ISSC           Information Security Steering Committee
ISO            International Organization for Standardization
ISOM           Information Security Operating Model
ISMS           Information Security Management System
ISWG           Information Security Working Group
IT             Information Technology
JPC            Joint Planning Committee
NCPF           National Cybersecurity Policy Framework
NHA            National Health Act
NKPA           National Key Points Act
OU             Operating Unit/Centre
POPI           Protection of Personal Information (Act)
RICA           Regulation of Interception of Communications and Provision of Communication-Related Information Act
SITA           State Information Technology Agency
SLA            Service Level Agreement
SSA            State Security Agency
3. INTRODUCTION
Cyber-attacks and cybercrime are on the rise. Often these result in information security
and privacy breaches that draw unwanted attention to organisations, cause loss of
reputation and customer confidence, and sometimes impose large recovery costs. At the
same time, organisations are embracing new technologies that drive growth and
productivity, including Enterprise Mobility, BYOD, cloud-based services and the Internet of
Things, to name a few. These new technologies, and new ways of working, have made it
increasingly challenging to control and secure any organisation.

Over the past few years, Information and Cyber Security threats to any organisation have
increased ten-fold, with thousands of new threats, malware variants and attack methods
being discovered every day. Symantec reports in its quarterly Internet Security Threat
Report that in 2015 alone, over half a billion personal records were lost and that 431 million
new malware variants were discovered.

Within any organisation, there needs to be a strong culture of information security founded
on positive influences at the various organisational levels. In general, over the past few
years, business expectations of information security teams have increased as threats to
the organisation have advanced and amplified.

Further to this, the focus of information security must change from being an operational IT
problem, to a strategic business objective addressing a business problem and need,
striving to achieve effective and sustainable protection of the organisation’s information
resources.

This has typically resulted in establishing a standardised and acknowledged corporate
information security function, reporting to C-level executives or even directly to the board
of directors/CEO, which is supported by an approved and implementable organisation-
wide Information Security Operating Model (ISOM).

Within the context of the COMPANY X, information, whether in electronic or paper form, is
a critical business asset, and the ability of the COMPANY X to operate effectively, achieve
its business objectives and comply with several legislative and regulatory imperatives,
depends on its ability to ensure that information is adequately managed and protected. In
particular, our intellectual property needs to be closely protected, as our adversaries
(including nation states) and competitors could greatly and unduly benefit from gaining
access to this information. This loss of information could also inadvertently pose a threat to
national security.

Taking all of this into consideration, there is a great need for the COMPANY X to establish
a strong, effective Information Security Governance capability to create and embed a
culture and practice of information security into its operations and through its employees.
4. OVERVIEW
Information security benefits are achieved only if the information security governance
structure is effectively and adequately integrated into the various Operating Units/Centres
(OUs) and support functions throughout the COMPANY X. Information security needs to
be strategically positioned within the COMPANY X in order to support key strategic
objectives, while still protecting the COMPANY X’s information resources.
There must be a shift in the information security function from an operational level to a
strategic level, in order to align more closely with organisational objectives without losing
sight of, and while continuing to support, ICT security operations. This strategic shift is
supported by defining measurable information security controls and operational processes,
with appropriate metrics and reporting mechanisms.
This shift in focus will result in the establishment of the following key functional areas
within the COMPANY X's Information Security Office, as shown in Figure 1.

Figure 1: Information Security Functional Areas

The Information Security Office within the COMPANY X aims to achieve the following key
strategic objectives:

• Create the foundation for a sustainable IS Office within the COMPANY X
• Drive strategic alignment of information security with business strategy to support
organisational objectives
• Allow the COMPANY X to mature its current information security posture –
currently information security consists only of ICT-based operations; it needs to
mature into an organisation-wide information (and cyber) security programme and
function. The reach and scope of such a programme should extend to all facets of
the organisation
• Facilitate closer adherence to best practice corporate governance, as well as legal
and regulatory requirements for information security
• Drive information risk management by executing appropriate measures to manage
and mitigate risks and reduce impacts on information resources to an acceptable
level
• Optimise resource management by utilising information security knowledge and
infrastructure efficiently and effectively
• Support performance measurement by measuring, monitoring and reporting
information security governance metrics to ensure that organisational objectives
are achieved
• Drive value delivery by optimising information security investments in support of
organisational objectives

5. INFORMATION SECURITY MANAGEMENT PROCESS

The Information Security Management Process specifies the steps required for
establishing, implementing, operating, monitoring, reviewing, maintaining and improving
information security policies and controls within the context of the COMPANY X's overall
business objectives, and in particular the protection of information within the COMPANY X.
The COMPANY X Information Security Management Process has been defined by
combining elements of the ISO 27001 standard for establishing an Information Security
Management System with the COBIT 5 processes "Manage Security" (APO13) and
"Manage Security Services" (DSS05).
The high-level information security management process is as follows:

Plan ISMS → Establish & Maintain ISMS → Manage IS → Operate IS → Monitor & Review ISMS

5.1. Process Objective and Goals

Plan, establish, manage, operate and monitor a system for information security
management that achieves the following:
1) Protects COMPANY X information in order to maintain an acceptable level of
information security risk in accordance with the information security policy
2) Establishes and communicates an accepted information security strategy and
plan throughout the COMPANY X
3) Considers and effectively addresses the COMPANY X information security
requirements, including legal and regulatory obligations
4) Provides for the identification and implementation of information security
controls
5) Implements and operates effective and adequate information security services
and solutions throughout the COMPANY X
6) Promotes an information security culture within the COMPANY X
7) Supports and drives continuous improvement of information security controls

5.2. High-level Process Steps

The process steps (as illustrated above) include the following:
1) Plan Information Security Management System (ISMS) – To ensure that a
complete, accurate and thorough analysis of the COMPANY X's strategy,
objectives and operations is performed in order to identify and document an
information security strategy and plan, which will enable the COMPANY X to
achieve its business objectives as well as meet its legal and regulatory
obligations.

2) Establish and Maintain the ISMS – To establish and maintain an ISMS that
provides a standard, formal and continuous approach to information security
management. This will be achieved by defining an information security policy
framework to provide management direction and support for information
security. The ISMS will also support the enablement of secure technology and
business processes that are aligned with business and information security
requirements.

3) Manage Information Security (IS) – To ensure that identified Information
Security controls are accurately, completely and timeously prioritised. It is also
to ensure that recommendations for implementing security improvements are
based on approved business cases, are implemented as an integral part of
services and solutions development, and are then operated as an integral part of
business operation.

4) Operate IS – To ensure that Information Security controls and services are
operated and maintained on a day-to-day and week-by-week basis.

5) Monitor and Review ISMS – To maintain and regularly communicate the need for,
and benefits of, continuous improvement of information security capability and
controls.
Please refer to the Information Security Strategy for more details on the Information
Security Management Process.
