COBIT and Data Management. Facilitator: José Ángel Peña Ibarra, CGEIT, CRISC, [email protected]. ISACA Monterrey 2012 Annual Conference



Page 2


Agenda

• ISACA white paper: Data Leak Prevention

• COBIT and Data Management:

– Control objectives

– Risks related to data management

– Control practices

• Collaborative exercise

Page 8


COBIT and Data Management

• COBIT 4.1 process DS11 focuses on data management; from this process, control practices are derived to respond adequately to the corresponding risks.

• COBIT 5 also addresses data management, but across several processes, such as the security process.

Page 9


Process DS11 Manage Data

• DS11.1 Business Requirements for Data Management

• DS11.2 Storage and Retention Arrangements

• DS11.3 Media Library Management System

• DS11.4 Disposal

• DS11.5 Backup and Restoration

• DS11.6 Security Requirements for Data Management

Page 10


Control Objective DS11.1

• DS11.1 Business Requirements for Data Management

Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs.

Page 11


DS11.1 Business Requirements for Data Management

Risk Drivers:

- Data management failing to support business requirements

- Security breaches

- Business, legal and regulatory requirements not met

Page 12


Control Practices DS11.1

1. Define the business requirements for the management of data by IT.

2. Define and implement a policy that addresses segregation of duties within operations for the entry, processing and authorisation of data transactions, including overrides and corrections. Address the responsibilities for segregation of duties within both the business and operations.

3. Ensure that data completeness and restart and reprocessing requirements are included in batch job schedules and procedures.

4. Define and implement a process that ensures that data inputs are prepared with embedded checks for completeness, validity, accuracy, security, authorisation and integrity.

5. Define and implement a process that ensures that all operational errors requiring transaction reprocessing are brought to the attention of the originating business function and resubmitted in a timely fashion. All erroneous transactions should go through the same checks for segregation of duties, completeness, validity, etc., as for first-time data processing.

6. As appropriate and in accordance with defined security policies, communicate to management security breaches during any operational phase of data receipt, processing and transmission.

7. Define and implement a process that verifies and logs the distribution of the output to appropriate departments, with special handling of confidential information.

8. Define and implement a process that properly safeguards and stores source data and prevents their unauthorised modification.

9. Institute policies and procedures for retention of data received from the business and their subsequent destruction according to the data’s sensitivity.
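Practices 3, 4 and 5 above (completeness against batch control totals, embedded validity and authorisation checks on input, and erroneous transactions resubmitted through the same checks) as an added Python example; this is not code from the presentation or from ISACA, and the batch format, field names and approver list are constructed assumptions:

```python
# Added example, not from the presentation: DS11.1 practices 3, 4 and 5 in code.
# Constructed batch: header "H|count|control_total", then "T|id|account|amount|approver".
SAMPLE_BATCH = ["H|3|450.00",  # header: 3 records, control total 450.00
                "T|1001|ACC-01|100.00|alice", "T|1002|ACC-02|-50.00|bob",
                "T|1003|ACC-03|400.00|"]  # 1002 and 1003 are deliberately faulty
AUTHORISED_APPROVERS = {"alice", "bob"}  # assumed list of authorised approvers

def parse_amount(rec):
    # Returns the amount as a float, or None if the record is malformed.
    parts = rec.split("|")
    try:
        return float(parts[3]) if len(parts) == 5 and parts[0] == "T" else None
    except ValueError:
        return None

def validate_record(rec):
    """Validity, accuracy and authorisation checks applied to EVERY transaction."""
    value = parse_amount(rec)
    if value is None:
        return "malformed record or non-numeric amount"
    if value <= 0:
        return "amount must be positive"
    if rec.split("|")[4] not in AUTHORISED_APPROVERS:
        return "missing or unauthorised approver"
    return None

def check_completeness(header, records):
    # Completeness: record count and control total must match the batch header.
    _, count, total = header.split("|")
    amounts = [parse_amount(r) for r in records]
    if len(records) != int(count) or None in amounts:
        return False
    return abs(sum(amounts) - float(total)) < 0.005

def process(records):
    """Shared by first-time processing and resubmission of corrected records, so
    reprocessed transactions face the same checks (practice 5).
    Returns (accepted_records, [(record, reason), ...])."""
    accepted, rejected = [], []
    for rec in records:
        reason = validate_record(rec)
        if reason:
            rejected.append((rec, reason))
        else:
            accepted.append(rec)
    return accepted, rejected

def process_batch(batch):
    # First-time processing: completeness of the whole batch, then each record.
    return (check_completeness(batch[0], batch[1:]),) + process(batch[1:])
```

Rejected records are returned with their reason so the originating business function can correct and resubmit them; the resubmission is passed to `process` again, never to a lighter path.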

Page 13


Control Objective DS11.2

• DS11.2 Storage and Retention Arrangements

Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation’s security policy and regulatory requirements.

Page 14


DS11.2 Storage and Retention Arrangements.

Risk Drivers:

- Data not protected from unauthorised viewing or altering

- Documents not retrieved when needed

- Non-compliance with regulatory and legal obligations

- Unauthorised data access

Page 15


Control Objective DS11.3

• DS11.3 Media Library Management System

Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.

Risk Drivers

- Media integrity compromised

- Backup media unavailable when needed

- Unauthorised access to data tapes

- Destruction of backups

- Inability to determine location of backup media

Page 16


Control Objective DS11.4

• DS11.4 Disposal

Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.

Risk Drivers

- Disclosure of corporate information

- Compromised integrity of sensitive data

- Unauthorised access to data tapes

Page 17


Control Objective DS11.5

• DS11.5 Backup and Restoration

Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.

Page 18


DS11.5 Backup and Restoration

Risk Drivers:

- Disclosure of corporate information

- Inability to recover backup data when needed

- Recovery procedures failing to meet business requirements

- Inability to restore data in the event of a disaster

- Inappropriate time requirement for performing backups

Page 19


Control Objective DS11.6

• DS11.6 Security Requirements for Data Management

Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.

Page 20


DS11.6 Security Requirements for Data Management

Risk Drivers

- Sensitive data misused or destroyed

- Unauthorised data access

- Incompleteness and inaccuracy of transmitted data

- Data altered by unauthorised users

Page 21


Control Objective

Risk Drivers

Control Practices

Page 22


Collaborative Exercise

• Working in teams:

• Each team will be assigned a control objective from the DS11 process and must:

– Explain the control objective, emphasising what relates to DLP.

– Of the associated risks, state which two the team considers most important, and why.

– Of the control practices, indicate the two the team considers most important, and why.

Page 23


• Thank you very much!
