A Practical Model for Conducting Comprehensive Cybersecurity Audits

  • Regner Sabillon, Universitat Oberta de Catalunya

Abstract

Organizations today are continually targeted by cyberattacks and cyber threats; the sophistication and complexity of modern cyberattacks, and the modus operandi of cybercriminals, including their Tactics, Techniques and Procedures (TTPs), keep growing at an unprecedented pace. Cybercriminals are constantly adopting new strategies to plan and launch cyberattacks that exploit existing cybersecurity vulnerabilities and that target end users through social engineering techniques. Cybersecurity audits are extremely important for verifying that information security controls are in place and for detecting weaknesses where cybersecurity controls are nonexistent or outdated. This article presents an innovative and comprehensive cybersecurity audit model. The CyberSecurity Audit Model (CSAM) can be implemented to conduct internal or external cybersecurity audits. The model can be used for one-off cybersecurity audits or as part of any corporate audit program to improve cybersecurity controls. Any information security or cybersecurity audit team has the option of conducting a full audit across all cybersecurity domains, or of selecting specific domains in order to audit particular areas that need control verification and strengthening. The CSAM has 18 domains: Domain 1 is specific to nation states, and Domains 2-18 can be implemented in any organization. The organization can be any small, medium or large enterprise; the model is also applicable to any non-profit organization (NPO).


Published

2018-03-30

How to cite

Sabillon, R. (2018). Un Modelo Práctico para Realizar Auditorías Exhaustivas de Ciberseguridad. Enfoque UTE, 9(1), pp. 127-137. https://doi.org/10.29019/enfoqueute.v9n1.214

Section

Computer Science, ICT, ...