This document discusses various topics related to personal data and digital risks. It covers ambientes digitales (digital environments) like Windows XP and software firewalls. It also discusses data breach laws in California, recent data leaks involving millions of records, and the growth of security technologies. Other topics include physical vs digital transformations, the costs of digital theft, and why digital data security is an increasing concern due to factors like speed, dispersion, persistence and aggregation of data online.
18. Ambientes digitales
• Windows XP Service Pack 2
• 12 de agosto, 2004
• Por primera vez, Microsoft
habilito de forma
predeterminada un firewall de
software
• Cuando las características de
seguridad se habilitaron,
muchas aplicaciones dejaron de
funcionar
19. Default Close Default Open
Confidencialidad Disponibilidad
20. SB1386, California
1 de julio, 2003
Según la ley, las partes afectadas deben
revelar cualquier violación de la seguridad
de los datos personales a cualquier
residente de California, cuya información
personal no fue cifrada, y razonablemente
se cree que ha sido adquirida por una
persona no autorizada.
21.
22.
23.
24. Fugas de información recientes
40 millones de registros
Entre 45 y 94 millones
de registros
4.2 millones de 100 millones de
registros datos de tarjetas
28. Físico vs Digital
En 1990, las ventas
de la enciclopedia
Britannica logro el
record de ventas…
$650 millones de
dólares
29. Físico vs Digital
Una Enciclopedia Britannica se
vendía desde $1,500 y hasta en
$2,200 USD
Una enciclopedia en CD-ROM se
vendía desde $50 y hasta $70
USD
48. … son ahora los principales difusores de
tu información personal
49. •A I N I C I O S D E 2 011, 140 millones
DE T WEETS POR DÍA
•E N 2 010 E X I S T I A N 50 millones
DE T WEETS POR DÍA
•H OY, 350 millones D E T W E E T S
POR DÍA
durante los segundos finales del superbowl, los fans enviaron
4,064 tweets por segundo
112. Main Risks
Always
Weak password storage protocol
Absence of robust password policy
Absence of data entry validation for
Probability
web applications
Possibl
Existing applications with vulnerable e
remote support
Weak wireless ciphered communication
protocol
Absence of operating system security
configuration
Almost
never
Insignificant Medium Very high
Impact
113. Action Plan
Quick Hits
High
Password Policy
Positive Impact of Implementation
Migration of wireless communication
protocol
Quick Hits Strategic
Strategic
Security configuration guidelines for
applications
Moderate
Security configuration guidelines for
operating systems
Migration of passwords storage Nice To Have Not Viable
protocols
Secure application development
process
Minimum
Migration of remote support protocol
Minor Medium Major
Effort
114. Recommendations
Policies and Configuration
Guidelines
Security configuration guidelines for
applications
Security configuration guidelines for
operating systems
Password policy
Superior Technologies Governance
Migration of remote support protocols Processes and Roles
Migration of password storage
User controls
protocols
Migration of wireless communication
protocols Network controls
Recommendations for Host controls
Sustainability
Application controls
Secure change process
administration
Data level controls
Risk administration process
Vulnerability patches and updates
process
Secure application development
process
115. Mitigation Roadmap
Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
Risk Administration Implementation
Secure application development
implementation
Vulnerability patches and updates
process administration
Secure change process administration
Migration to robust remote support protocols
Migration of wireless
communication protocol
Migration of password storage
Password policy
Security configuration guidelines for
operating system
Security configuration guidelines for applications
2012 2013
116. Demystifying the Business Process Analysis
Data Lifecycle Inventory
Privacy Legal & Regulatory
Data Value (IVA)
Implementation Requirements (PIA)
Process Data Categories Data Categories
Asset Inventory
Policy Generation
Controls, Standards, Procedures
Implementation & Audit
117. Business Process Analysis
• Identification of
Business Process Analysis
Data Lifecycle Inventory
applicable Law Legal & Regulatory
Data Value (IVA)
Requirements (PIA)
Data Categories Data Categories
Issuers Obligations Auditors
Asset Inventory
• Legislators • Laws • Authorities
• Regulators • Norms • Organizations
Policy Generation
• Organizations • Industry
Standards
Controls, Standards, Procedures
• Contracts
Implementation & Audit
118. Business Process Analysis
• Stakeholder Information
Business Process Analysis
Data Lifecycle Inventory
acquisition Legal & Regulatory
Data Value (IVA)
– Types of data Requirements (PIA)
– Internal and external Data Categories Data Categories
data flows
– Purpose of treatment Asset Inventory
– Information systems and
Policy Generation
security measures
– Retention policies Controls, Standards, Procedures
Implementation & Audit
119. Data Lifecycle Inventory
Business Process Analysis
Data Lifecycle Inventory
Data Data Data Value (IVA)
Legal & Regulatory
Destruction Reception Requirements (PIA)
Data Categories Data Categories
Data Purpose
Asset Inventory
Retention of Use
Policy Generation
Information
3rd Parties
Systems and Controls, Standards, Procedures
Involved
Storage
Implementation & Audit
120. Privacy Legal & Regulatory
Requirements (PIA)
Business Process Analysis
1. Legal & Regulatory Data Lifecycle Inventory
– Contracts Legal & Regulatory
Data Value (IVA)
– Clauses Requirements (PIA)
– Privacy notices Data Categories Data Categories
– Authorizations
– Jurisdictions Asset Inventory
– Other regulations Policy Generation
• Money laundering
• Sectorial Controls, Standards, Procedures
• Etc.
Implementation & Audit
121. Privacy Legal & Regulatory
Requirements (PIA)
Business Process Analysis
2. Technical Data Lifecycle Inventory
– Authentication & Legal & Regulatory
Data Value (IVA)
authorization Requirements (PIA)
– Access control Data Categories Data Categories
– Incident log
– Removable media and Asset Inventory
document management
Policy Generation
– Security copies
– Recovery tests Controls, Standards, Procedures
– Physical Access
Implementation & Audit
122. Privacy Legal & Regulatory
Requirements (PIA)
Business Process Analysis
3. Organizational Data Lifecycle Inventory
– Data privacy officer
Legal & Regulatory
– Roles and Data Value (IVA)
Requirements (PIA)
responsibilities
– Policies, procedures and Data Categories Data Categories
standards
Asset Inventory
– Notifications to
authorities
Policy Generation
– Audits
– Compliance and Controls, Standards, Procedures
evidence
Implementation & Audit
123. Legal & Regulatory
Data Categories
• High Risk Business Process Analysis
Data Lifecycle Inventory
– Syndicate Affiliation
– Health Legal & Regulatory
– Sexual life Data Value (IVA)
Requirements (PIA)
– Beliefs
– Racial Origin Data Categories Data Categories
• Medium Risk
– Financial Profile Asset Inventory
– Personal Fines
– Credit Scoring
– Tax Payment Information Policy Generation
• Basic Risk
– Personal Identifying Controls, Standards, Procedures
Information
– Employment
Implementation & Audit
124. External Economic Data Value (IVA)
• Black Market Value Business Process Analysis
Data Lifecycle Inventory
– Sale price
• News Value Data Value (IVA)
Legal & Regulatory
Requirements (PIA)
– Newspaper
– Magazines Data Categories Data Categories
– Television
• Competition Asset Inventory
– Market Value
Policy Generation
– Brand Value
– Political Value
Controls, Standards, Procedures
• Authorities
– Fines Implementation & Audit
125. Data Value Categories
Business Process Analysis
Lvl Value Classification Example Data Lifecycle Inventory
CC Magnetic Strip, Legal & Regulatory
Data Value (IVA)
Requirements (PIA)
4 > $10M Secret PIN number, User &
Password
Data Categories Data Categories
Name, Address,
$100K -
3 Confidential Credit History,
$10M
Account Statements Asset Inventory
Bank Account
$1,000 - Numbers, Policy Generation
2 Private
$100K Pre-published
Marketing Info
Controls, Standards, Procedures
Published
1 $0 - $1,000 Public Marketing
Information Implementation & Audit
126. Asset Inventory
Legal & Data Most Business Process Analysis
Applicable Applicable
Asset Regulatory Value Sensitive Data Lifecycle Inventory
Policy Controls
level level Data
Legal & Regulatory
Data Value (IVA)
L&R 1. Oracle Requirements (PIA)
Application 1. Secret
DB1 Medium Secret Secret Data
Passwords Data Policy
Risk Standard
Data Categories Data Categories
1. J2EE High
Security
Asset Inventory
Standard
L&R Payment
1. L&R High
App5 High Confidential Card
Risk Policy 2. Application
Risk Number
Confidential Policy Generation
Data Mgmt
Standard
1. Private Controls, Standards, Procedures
Data Policy 1. Solaris 10
L&R Client
Medium
Srvr3 Medium Private Account
2. L&R Hardening
Risk Data
Medium Standard Implementation & Audit
Risk Policy
127. Policy Generation
How should this data be: Business Process Analysis
Data Lifecycle Inventory
– generated?
– stored? Legal & Regulatory
Data Value (IVA)
– transferred? Requirements (PIA)
– processed?
– accessed? Data Categories Data Categories
– backed-up?
– destroyed? Asset Inventory
– monitored?
• How should we react and Policy Generation
escalate an incident or
breach?
Controls, Standards, Procedures
• How will we punish
compliance?
Implementation & Audit
128. Controls, Standards & Procedures
• Controls are defined
Business Process Analysis
Data Lifecycle Inventory
and mapped for each Legal & Regulatory
Data Value (IVA)
policy level Requirements (PIA)
– Technical Standards Data Categories Data Categories
– Procedures
– Compensatory Controls Asset Inventory
DB2 HP/UX J2EE Oracle Policy Generation
High Risk
Controls, Standards, Procedures
Med Risk
Low Risk Implementation & Audit
129. Controls, Standards & Procedures
Business Process Analysis
Data Lifecycle Inventory
Legal & Regulatory
Data Value (IVA)
Requirements (PIA)
Data Categories Data Categories
Asset Inventory
Policy Generation
Norms Controls Controls, Standards, Procedures
Implementation & Audit
130. Implementation & Audit
Laws and Regulations Best Practices Business Process Analysis
Data Lifecycle Inventory
Legal & Regulatory
Data Value (IVA)
Requirements (PIA)
LOPD SOX LSSI
Data Categories Data Categories
Asset Inventory
PROCESSES
APPLICATIONS Policy Generation
PEOPLE
Evidence Controls Controls, Standards, Procedures
Implementation & Audit
I.ACT D.SEG CONTRACT COMUNIC
ASSETS NETWORKS
.
131. Implementation & Audit
Business Process Analysis
Data Lifecycle Inventory
Legal & Regulatory
Data Value (IVA)
Requirements (PIA)
Data Categories Data Categories
Asset Inventory
Policy Generation
Controls, Standards, Procedures
Implementation & Audit