COBIT & ITIL
COBIT
COBIT is sponsored and updated by the IT Governance Institute (ITGI).
It includes five principles:
P1: An Integrated Framework describes how to build a system's architecture (the COBIT architecture) that satisfies stakeholders' needs through processes, better called enablers. The enabler types are: processes; principles and policies; organizational structures; skills and competences; culture and behaviour; service capabilities; and information.
P2: Stakeholder value drivers refers to the identification of stakeholders' needs through questions. Stakeholders can be:
- Internal: members of the board of directors; for example the CEO, CIO, HR manager, etc.
- External: people who do not work at the enterprise; for example a supplier, customer, regulator/government, etc.
P3: Resources focus on a business context refers to creating value for the stakeholders through the accomplishment of the governance objectives/goals: benefits realization, risk optimization and resource optimization. These are divided into the categories financial, customer and internal.
P4: Risk management refers to the fact that risk management in the enterprise is achieved through the management of the enablers, where, as mentioned in P1 (An Integrated Framework), each enabler has: enabler stakeholders, goals and metrics, an enabler life cycle, good practices and enabler attributes.
P5: Performance measurement states the difference between:
- Enterprise management, which is the instrument that governance uses to achieve the governance objectives.
- Enterprise governance, which is all the mechanisms and means that allow stakeholders to evaluate conditions through both monitoring (performance and progress) and direction setting.
COBIT is an IT internal control framework used to achieve IT governance in an enterprise. It is used for establishing IT governance processes and for assessing internal controls.
ITIL
ITIL is a collection of IT governance best practices. As a framework it is composed of:
Service Strategy: its components start from what IT management asks in order to define the general IT controls that support the service strategy process. They are also supported by Financial Management, which uses procedures such as IT budgeting, IT accounting and charging.
Service Delivery - Capacity Management ensures that the IT infrastructure is aligned with business needs so as to maintain service delivery at an acceptable cost. It is divided into the subprocesses business, service and capacity management, which take as inputs: SLAs and SLA breaches, business plans and strategies, operational schedules, application development issues, technology constraints and acquisitions, and IT incidents and problems.
Service Delivery - Availability Management takes as inputs: business availability requirements, reliability information, maintainability, recoverability, serviceability and other process information (incidents, problems, achieved service levels). It performs activities such as planning, measurement and improvement.
Service Delivery - Information Systems Security and Continuity Management provides strategic direction for security activities and ensures their achievement, in order to protect business continuity. It includes Information Security Management, whose goals are the availability objective, the confidentiality objective, the integrity objective, and the authenticity and non-repudiation objective.
Service Transition management processes are composed of:
- Change Management, which uses methods and procedures for efficient change handling so as to minimize the impact on service quality.
- Configuration Management, which supports the identification, recording and reporting of IT components, their constituent components and their relationships, and maintains the relationships between assets.
Service Operation processes are composed of:
- Event and Incident Management, which covers the activities for restoring an IT service. The incident management process is run by the Service Desk and performs tasks such as incident reporting, investigation and diagnosis.
- Problem Management, which takes place when the incident management process encounters a deviation whose cause is unknown; the incident then becomes a problem. The problem management process minimizes the total impact of a problem through detection, repair and prevention. Its subprocesses are problem control, error control and proactive problem management.
Service Operation processes help the coordination and delivery of IT services to customers.
Activity 4
1. Find the Peruvian information security law and explain it using a conceptual map.
2. From the article by Julish:
Search the Internet for an example of a contract with a cloud provider.
Prepare a PDCA to implement a virtual ISMS according to the contract you found.
PDCA to implement a Virtual ISMS based on the Dropbox for Business Contract

CC
Customer data is identified as account data and stored data. Stored data refers to the files stored in the cloud service, while account data is the personal information that the customer shared with Dropbox.

PLAN
The Services are not intended for end users under the age of 13. Minors using a Dropbox account will be removed from the account.

CP
Provide information about the:
- Suspension clause, under which the customer's use of the Services may be suspended when a Security Emergency (1) takes place.
- Services clause, where Dropbox states that it will use its industry-standard and organizational security measures to transfer, store and process customer data.
- Indemnification clause, where Dropbox will defend the customer against liabilities, damages and costs.

(1) Security Emergency: (i) use of the Services that can alter or disrupt the Services, the use of the Services by other customers, or the infrastructure used to provide the Services; and (ii) unauthorized access to the Services by third parties.

Refer to Ernst & Young reports and the ISO 27001 standard specifications.

CHECK
Ernst & Young CertifyPoint in the Netherlands maintains the ISO 27001 certification. Ernst & Young LLP conducts and performs examinations of Dropbox for SOC 3 for Security, Confidentiality and Integrity. Reports and certificates are available to ensure that the security and quality measures addressed in the contract are achieved.

Dropbox and the customer agree to resolve any claims under the terms of the Agreement through arbitration by the American Arbitration Association (AAA).
Computer crime is penalized in Peru through Law No. 30096, which includes:
Chapter 1: Purpose of the Law. Article 1 states that the purpose of the Law is the prevention and sanction of unlawful behaviour that affects data, systems and other legal rights.
Chapter 2: Crimes against information systems and data.
Article 2: an unauthorized user who breaches a system's security measures will be sanctioned with a 1-4 year prison sentence and a 30-90 day fine.
Article 3: an unauthorized user who adds, deletes, alters, deteriorates or otherwise works on data will be sanctioned with a 3-6 year prison sentence and an 80-120 day fine.
Article 4 covers an unauthorized user who causes in an information system either partial inutilization, total inutilization, malfunction or interruption of services.
Chapter 3, Article 5 covers any person who contacts a minor, through the use of information and communication technologies, to obtain pornographic material from them or to achieve sexual relations.
Chapter 4 states in:
Article 6 that any person who creates, accesses or uses a database of other identifiable persons for the commercialization, sale or trafficking of the information it contains is covered.
Article 7 that any person who intercepts data in a public transmission will be sanctioned with a 3-6 year prison sentence.
Chapter 5, Article 8 states that any person who misuses information technology to harm others will be sanctioned with a 5-10 year prison sentence and a 60-120 day fine.
Chapter 6, Article 9 states that any person who, through information technology, assumes the identity of a natural or legal person will be sanctioned with a 3-5 year prison sentence.
Chapter 7 states in:
Article 10 that any person who imports one or more mechanisms, computer programs or other information data specifically designed for the commission of these crimes will be sanctioned with a 1-4 year prison sentence and a 30-90 day fine.
Article 11 that the judge increases the prison sentence beyond the terms set out above when:
- The agent commits the crime as a member of a criminal organization.
- The agent commits the offense by abusing a special position of access to the data or proprietary information.
- The agent commits the offense in order to obtain an economic benefit.
- The offense affects welfare purposes, defense, security or national sovereignty.