DRAFT - FOR INTERNAL DISCUSSION ONLY

Columns: Standard | Topic | Standard requirement | Importance for the standard (Importance STD) | Importance for the company (Importance company) | Weighted importance | Impact | Residual risk

Standard: Operations and Support Management
Topic: Infrastructure / Systems Implementation Documentation
Requirement: Information systems, including operating systems, infrastructure, business applications, mobile applications, off-the-shelf products, services, and user-developed applications, are designed, documented, and maintained in compliance with information security standards.
Importance (standard / company): 3 - Critical / 3 - Critical

Standard: Operations and Support Management
Topic: Infrastructure / Systems Implementation Documentation
Requirement: Procedures are performed for the handover of infrastructure systems from development (or Engineering) to testing and to operations. Both the receiving and delivering functions must agree to the transfer and ensure that adequate documentation exists so that they can carry out their responsibilities.
Importance (standard / company): 3 - Critical / 3 - Critical

Standard: Operations and Support Management
Topic: Incident Handling
Requirement: An Information Technology Help Desk function is available to support users in the organization. Recorded help desk issues are appropriately prioritized, and a working knowledge base has been implemented to enhance help desk services.
Importance (standard / company): 3 - Critical / 3 - Critical

Standard: Operations and Support Management
Topic: Database Integrity Mechanisms
Requirement: Mechanisms have been implemented to maintain the integrity of databases and their constituent transactions.

Standard: Operations and Support Management
Topic: Patch Management
Requirement: A process exists to approve, test, and install infrastructure-related patches, versions and release upgrades issued by vendors in a timely manner.

Standard: Operations and Support Management
Topic: Patch Management
Requirement: A process exists to evaluate, approve, test, and install application patches, version and release upgrades. Updates issued by vendors are applied in a timely manner.

Standard: Operations and Support Management
Topic: Patch Management
Requirement: Infrastructure changes, including system updates, patches and releases, are managed and tracked through completion using a centralized repository system.

Standard: Operations and Support Management
Topic: Batch Processes and Scheduled Tasks
Requirement: Scheduled or batch processing is organized into the most efficient sequence, maximizing throughput and utilization to meet business requirements. Processing is monitored for successful completion.

Standard: Risk Management
Topic: Risk Analysis
Requirement: The Enterprise functions, lines of business, and regions must execute IT risk assessments using processes defined by the Enterprise Global
Likelihood of occurrence: 4 - Within less than one year; Business impact: 4 - High; Score: 16

Standard: Risk Management
Topic: Risk Analysis
Requirement: The Enterprise must document, implement, and maintain processes and controls to conduct periodic IT risk assessments for the Enterprise functions, lines of business, and regions.
Likelihood of occurrence: 1 - Less than once in 7 years; Business impact: 1 - Low

Standard: Risk Management
Topic: Risk Analysis
Requirement: A process to determine whether or not risks can be accepted is established, and for each of the risks identified following the risk assessment, a risk treatment decision is made. Action and/or remediation plans are identified for key IT risks and are tracked to completion.

Standard: Risk Management
Topic: Risk Analysis
Requirement: Formal processes are developed, implemented and maintained to identify, monitor and report significant IT risks to senior management, executives and board members.

Standard: Risk Management
Topic: Risk Analysis
Requirement: IT risk assessment standards and criteria for identifying, measuring and managing risk have been documented.

Standard: Risk Management
Topic: Risk Analysis
Requirement: Key risk indicators exist and are monitored for the prevention and detection of significant IT risks within the organization.

Standard: Risk Management
Topic: Risk Analysis
Requirement: Risk assessments (i.e., IT RCSA) are conducted for IT controls, IT processes and information assets, and are reviewed at least annually. Risks are identified, measured, and prioritized against objectives relevant to the organization.

Standard: Risk Management
Topic: Risk Analysis
Requirement: The diagram below illustrates the IT Risk Management function and the dependencies between the Enterprise and the Enterprise functions, lines of business, and regions. (Diagram not reproduced in this extract.)

Standard: Risk Management
Topic: Risk Analysis
Requirement: The Enterprise corporate functions and business units must identify, assess, mitigate and manage IT risks by conducting IT risk self-assessments to confirm that selected risk treatment options are designed and operating effectively, using tools and structured IT risk assessment methodologies provided by the IT Security, Risk and Compliance (ITSRC) group or other designated risk groups (e.g., Operational Risk Management).

Standard: Risk Management
Topic: Risk Analysis
Requirement: The Enterprise corporate functions and business units must implement, document, and maintain processes for conducting vulnerability and threat assessments to evaluate and identify external and internal vulnerabilities that could affect the Enterprise corporate function and business unit information resources. For each identified vulnerability, threat or risk, the Enterprise corporate functions and business units must:
- Assess the likelihood and impact.
- Determine whether the current residual risk exposure is acceptable based on their risk tolerance.
- Apply further risk management options to reduce the risk exposure to an acceptable level.

Standard: Risk Management
Topic: Risk Analysis
Requirement: The Enterprise functions, lines of business, and regions must assess the level of risk (e.g., risk tolerance) for in-scope areas (e.g., information resources, facilities) by determining the composite risk ratings for risk frequency (i.e., rate of occurrence) and risk severity (i.e., impact) using the following criteria:

Standard: Risk Management
Topic: Risk Analysis
Requirement: The Enterprise functions, lines of business, and regions must assess the level of risk for in-scope areas (e.g., information resources, facilities) by assessing both risk frequency (i.e., rate of occurrence) and risk severity (i.e., impact) using the following criteria defined by the Enterprise Operational Risk Management:
Importance (standard / company): 2 - Important / 3 - Critical

Columns (assessment): Compliant? | Compliance value | % Compliance | Comments on compliance | Points of non-compliance | Compensating controls? | List of compensating controls | Comments | Likelihood of occurrence (Likelihood) | Business impact

Risk frequency, or rate of occurrence, of a risk materializing, using the following criteria:

Risk rating by frequency (measured by occurrence)
Rating  Label          Criterion
1       Unanticipated  Not within 100 years
2       Very rare      Not every 25 years, but within 100 years
3       Rare           Not every 5 years, but at least every 25 years
4       Moderate       Not annually, but at least every 5 years
5       Frequent       Not monthly, but at least annually
6       Regular        At least monthly

* Please refer to the Enterprise Operational Risk Management Risk and Control Self-Assessment (RCSA) Process Methodology Document.

Risk severity, considering expected impact (e.g., financial, image, reputation), using the following criteria:

Risk rating by severity (measured by impact)
Rating  Label         Description
1       Minimal       Negligible impact.
2       Low           Risk generally acceptable to the business, but should be periodically monitored.
3       Medium        Risk with mitigation potential which requires regular observation and analysis by supervisory staff.
4       Significant   Risk that has material department-level (but not firm-level) financial impact potential. Requires continual department-level management attention.
5       Very High     Risk material to the Business Segment, but not to an extent that could threaten core business aims. Requires management attention.
6       Catastrophic  Severe risk that could seriously threaten the Company's viability.

Standard: Risk Management
Topic: Risk Analysis
Requirement: The Enterprise must document, implement, and maintain processes to identify risks relative to the established scope, with input from the Enterprise functions, lines of business, and regions, and at minimum consider the following:
- Threats: potential (e.g., accidental, deliberate) to harm the Enterprise IT personnel, processes, and information resources, including those managed by third parties
- Vulnerabilities: weaknesses that can be exploited by a threat

Standard: Risk Management
Topic: Risk Analysis
Requirement: The Enterprise, with input from the Enterprise functions, lines of business, and regions, must identify IT risks relevant to IT personnel, processes, and information resources using the Enterprise corporate IT risks and controls library. Identified risks that require incorporation into the library must be communicated to the Enterprise corporate library custodian.

Standard: Risk Management
Topic: IT Security Training
Requirement: Employees and third parties must complete ITSRC policies and standards training on an annual basis. Training content must be evaluated by the Enterprise corporate functions and business units upon completion for relevance, quality, and overall effectiveness.

Standard: Risk Management
Topic: Context and Scope Definition
Requirement: The Enterprise must document, implement, and maintain a process to define the scope (e.g., aim, purpose) of IT risk management activities (e.g., identification of risks, mitigation of risks) for execution by the Enterprise functions, lines of business, and regions. At a minimum, the following must be considered:
- IT, legal, regulatory, statutory requirements and contractual obligations
- Business processes and information resources
- Location of the Enterprise functions, lines of business and regions, including geographical characteristics (e.g., earthquakes, tsunamis)
- Expectations of internal and external stakeholders

Standard: Risk Management
Topic: Control Assessment
Requirement: The Enterprise functions, lines of business, and regions must assess IT controls for design and operating effectiveness based on guidance provided in the Enterprise IT risks and controls library in Open Pages.

Standard: Risk Management
Topic: Control Assessment
Requirement: The Enterprise must document, implement, and maintain processes and controls to conduct periodic IT control assessments for the Enterprise functions, lines of business, and regions to mitigate risks identified during the IT risk assessment process.

Standard: Risk Management
Topic: Risk Mitigation
Requirement: Each corporate function and business unit is responsible for establishing and executing a plan for IT risk remediation in the event that an IT/IS risk issue is identified, or in the event that an IT risk is not treated appropriately during a self-assessment, internal audit, or regulatory review.

Standard: Risk Management
Topic: Risk Mitigation
Requirement: The Enterprise and the Enterprise functions, lines of business, and regions must document, implement, and maintain processes and controls to respond to identified IT risks, including:
- Evaluate options to respond to identified IT risks per the defined acceptable level of risk tolerance, based on:
  I. Criticality of information and information resources
  II. Requirements and constraints of applicable legislation and regulations
  III. Organizational business objectives
  IV. Operational requirements and constraints
  V. Cost of implementation and operation compared to the estimated/potential benefits
- Treat identified IT risks by performing one or more of the following:
  I. Accept risks that meet risk acceptance criteria
  II. Reduce risks through the selection of controls


Standard: Risk Management
Topic: Risk Mitigation
Requirement: The Enterprise business users must take the following precautionary measures to prevent potential malware or malicious code:
- Not alter their workstation anti-virus program installation and configuration
- Notify the help desk upon discovering system behaviour that shows symptoms of a malware infection (e.g., automatic shut-down of the system, automatic changes in file sizes, display of unexpected messages or images)

Standard: Risk Management
Topic: Risk Mitigation
Requirement: The Enterprise corporate functions and business units must consider security implications when transmitting or storing information on publicly accessible systems.

Standard: Risk Management
Topic: Risk Mitigation
Requirement: The Enterprise corporate functions and business units must implement, document, and maintain an information security program that is consistent with applicable industry standards, laws, and regulations. The information security program must establish and manage information security requirements within the Enterprise corporate functions and business units, including the following:
- Defining information security responsibilities and coordinating information security activities with representatives from different functional areas, senior management and the Board of Directors (or a designated committee).
- Maintaining contacts with special interest groups or other specialist security forums and professional associations.
- Requiring the Enterprise corporate function and business unit employees, users, and third parties to apply IT security, risk, and compliance policies and standards.

Standard: Risk Management
Topic: Enterprise Security Plan
Requirement: An information security program (inclusive of PII) has been established and is reviewed and updated periodically based on changes to the business, security, or regulatory environment.

Standard: Risk Management
Topic: Enterprise Security Plan
Requirement: An IT security strategy exists for the organization and is reviewed at least annually. The strategy considers changes to the IT operating environment, new security products, and new or emerging security threats.

Standard: Risk Management
Topic: Enterprise Security Plan
Requirement: Processes are developed, implemented and managed for an incident response program to handle and escalate information security incidents and events.
The security incident management plan addresses, at a minimum:
- specific incident response procedures
- roles and responsibilities
- issue resolution
- disciplinary process
Mechanisms are in place to enable the types, volumes, etc. of incidents to be quantified and monitored.

Standard: Risk Management
Topic: Enterprise Security Plan
Requirement: The Enterprise IT Security and IT Regional Security, with input from the Enterprise information resource owners, must document, implement, and maintain processes and controls to support the information security program by:
- Developing an enterprise-wide information security strategy and roadmap to provide direction on information security
- Identifying a Chief Information Security Officer and/or defining an Information Security Steering Committee responsible for overseeing and coordinating information security throughout the Enterprise
- Defining roles and responsibilities to support the Enterprise information security, including planning, utilization, and evaluation of the Enterprise resources (e.g., budgeting, personnel)
- Dedicating personnel responsible for the operational aspects of information security (e.g., threat and vulnerability, security monitoring)
- Implementing, documenting and maintaining information security policies and standards to align with the Enterprise corporate directives and the Enterprise applicable IT, legal, regulatory, statutory requirements and contractual obligations
- Developing and communicating training and awareness programs related to the Enterprise ITSRC policies and standards
- Coordinating with other Enterprise IT and information security-related functions
- Communicating information security objectives, risks, and compliance
- Reviewing the Enterprise information security program at least once every two years for modifications based on the Enterprise directives and the Enterprise applicable IT, legal, regulatory, statutory requirements and contractual obligations
- Implementing, documenting and maintaining a security risk acceptance (SRA) process for cases where the Enterprise information security policies and standards are not met

Standard: Risk Management
Topic: Enterprise Security Plan
Requirement: The Enterprise IT Security must align the Enterprise information security program objectives with the Enterprise IT security, risk and compliance (ITSRC) program, including defining the following capabilities or domains to manage information security risks:
- Identity and access management
- Information and asset management
- Threat and vulnerability management
- Organizational security and awareness
- Information security program management
- Information protection
- Service provider security
- IT operations
- IT risk management
- IT compliance management

Standard: Risk Management
Topic: Enterprise Security Plan
Requirement: The Enterprise IT Security must document, implement, and maintain an information security program to provide direction and oversight on information security to the Enterprise functions, lines of business and regions. The Enterprise information security program objectives must, at a minimum:
- Protect the confidentiality, integrity and availability of the Enterprise information resources
- Drive adoption of information security best practices throughout the Enterprise
- Support adherence to the Enterprise applicable IT, legal, regulatory, statutory requirements and contractual obligations

Standard: Risk Management
Topic: Enterprise Security Plan
Requirement: The Enterprise ITSRC (tier 2) standard documents must conform to a consistent taxonomy that is applied Enterprise-wide, including standard requirements that must adhere to the following:
- Written with clear prescriptive statements
- Based on the Enterprise applicable laws, regulations, or specific business needs, with input from the Compliance team
- Demonstrable, providing for a clear determination of compliance or non-compliance
- Exclude aspirational elements, best-practice statements, or terms such as "all", "appropriate", "should", "may", "optionally", "will", and "ensure"
- Exclude requirements that are temporary in nature or constantly subject to change (e.g., contact lists, stakeholder names)

Standard: Risk Management
Topic: Enterprise Security Plan
Requirement: The Enterprise ITSRC (tier 2) standards must adhere to a formal life cycle management process (e.g., development, approval, implementation, maintenance, and exception management) that meets legal, regulatory, or business needs, including the following:
- Developed based on applicable external (e.g., laws, regulations) or internal (e.g., business needs) requirements
- Reviewed and approved by ITSRC (tier 2) standard approval stakeholders prior to implementation
- Reviewed annually, or when deemed necessary by ITSRC (tier 2) standard approval stakeholders (e.g., Legal, Business Practice Council) or the Enterprise corporate
- Reviewed and approved when modifications to standards require a review and approval of content, even if the standard has already been approved within the calendar year
- Published in a centralized repository and readily available to the Enterprise personnel and third parties that manage the Enterprise information resources
- Communicated to key stakeholders within the Enterprise functions, lines of business, and regions through formal communication (e.g., email, webcast) or a training and awareness program
- Exceptions to the Enterprise ITSRC (tier 2) standards must be submitted using the Enterprise Exceptions Management Process
The Enterprise ITSRC (tier 2) standards must be approved by the following standard stakeholders:

ITSRC (Tier 2) standard approval stakeholders
Type           First-level approval                               Second-level approval
IT Security    The Enterprise Chief Information Security Officer  The Enterprise Head of ITSRC
IT Risk        Head of IT Risk                                    The Enterprise Head of ITSRC
IT Compliance  Head of IT Compliance                              The Enterprise Head of ITSRC

The Enterprise ITSRC must submit recommendations to the Enterprise CIO for approval of the Enterprise ITSRC (tier 2) standards.

Standard: Risk Management
Topic: Security Policies
Requirement: An enterprise IT risk and IT controls framework (i.e., the IT RCSA Risk and Controls framework) has been established that aligns to IT policies, standards and regulatory requirements.

Standard: Risk Management
Topic: Security Policies
Requirement: An information security policy document has been established in accordance with business requirements and relevant laws and regulations. The policy is published and communicated to employees and relevant external parties. The information security policy is reviewed at planned intervals or when significant changes occur.

Standard: Risk Management
Topic: Security Policies
Requirement: Employees are not allowed to take actions that bypass security controls or processes.

Standard: Risk Management
Topic: Security Policies
Requirement: If an Enterprise corporate function or business unit chooses to accept the risk, the risk acceptance process must be completed by that corporate function or business unit.

Standard: Risk Management
Topic: Security Policies
Requirement: The Enterprise corporate function and business unit information resources are intended for business purposes.

Standard: Risk Management
Topic: Security Policies
Requirement: The Enterprise corporate functions and business units must establish and implement information technology policies and standards to manage security, risk, and compliance in alignment with the IT Security, Risk and Compliance (ITSRC) program.

Standard: Risk Management
Topic: Security Policies
Requirement: The Enterprise corporate functions and business units must implement, document, and maintain an internal control framework that addresses administrative, technical, logical, procedural, and physical considerations through IT risk assessments and testing, including the execution of IT risk assessments on an annual basis. The scope of IT risk management activities must be established to ensure that the IT operating environment is adequately covered.



Standard: Risk Management
Topic: Security Policies
Requirement: The Enterprise corporate functions and business units must implement, document, and maintain comprehensive IT/IS security standards that contain administrative, technical, and physical safeguards to:
- Ensure the security and confidentiality of the Enterprise corporate function and business unit information resources.
- Protect against any anticipated threats or hazards to the security or integrity of the Enterprise corporate function and business unit information resources.
- Protect against unauthorized access to or use of the Enterprise corporate function and business unit information resources.

Standard: Risk Management
Topic: Security Policies
Requirement: The Enterprise must define and implement an IT risk management function, including organizational structure, roles and responsibilities, and staffing, aligned with the Enterprise requirements. Additionally, the Enterprise must establish an IT Risk Committee (ITRC) and define an ITRC charter and operating processes. The scope of the ITRC is to understand the impact of IT risks, identify trends, and manage identified risks within the Enterprise environment.

Standard: Risk Management
Topic: Security Policies
Requirement: The Enterprise must document, implement, and maintain reports on relevant metrics (e.g., KRIs) to the ITRC and senior management following each IT risk assessment.

Standard: Risk Management
Topic: Security Policies
Requirement: The Enterprise corporate function and business unit information security program must be externally reviewed at least once every two years. The information security program must be formally documented and monitored regularly to enhance information security safeguards (as necessary) and to adhere to regulatory requirements.

Standard: Electronic Commerce
Topic: Electronic Commerce Dispute Processes
Requirement: The Enterprise information resource owners must interface with the Enterprise Legal for managing information resources that store, process and/or transmit electronic commerce transactions.

Standard: Electronic Commerce
Topic: Electronic Commerce Dispute Processes
Requirement: The Enterprise IT Security must liaise with corporate compliance, legal, privacy, security and other corporate functions to assist the Enterprise information resource owners in meeting the requirements outlined in this standard, including the Enterprise applicable laws or regulations (e.g., FFIEC).

Standard: Electronic Commerce
Topic: Electronic Commerce Dispute Processes
Requirement: When interacting with the Enterprise Legal, the following must be completed, at a minimum, for public-facing information resources:
- Definition of terms of use (e.g., ownership of information, trademarks and copyrights) and agreements with end users, service providers, and third parties
- Review of contracts for newly implemented electronic commerce information resources or when the contract expiration date is approaching

Standard: Electronic Commerce
Topic: Electronic Commerce Transaction Logging, Monitoring and Reporting
Requirement: Information resource administrators or delegated information security analysts must periodically review electronic commerce transactions for unusual or suspicious activity (e.g., overrides of approvals or of established approval limits).
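One way to perform the periodic review this requirement calls for, as an added example that is not part of the original standard or of any Enterprise tool: the Go program below parses a constructed sample of electronic-commerce transaction log lines and flags the conditions named in the requirement (approval overrides and amounts above the established approval limit) plus a self-approval check. The key=value log format, the field names, and the per-transaction approval-limit field are assumptions made for illustration; a real platform's log schema will differ.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Txn is one electronic-commerce transaction as parsed from the constructed
// log format used below: space-separated key=value fields (an assumption made
// for this example; real platforms use their own schema).
type Txn struct {
	ID       string
	User     string  // initiating user
	Approver string  // user who approved the transaction
	Amount   float64 // transaction amount
	Limit    float64 // established approval limit that applied
	Override bool    // whether the normal approval flow was overridden
}

// Finding is one suspicious condition raised against a transaction.
type Finding struct {
	TxnID  string
	Reason string
}

// parseTxn parses a single log line. A malformed field or numeric value is an
// error rather than a silently zeroed field, so a broken log line cannot hide
// a transaction from review.
func parseTxn(line string) (Txn, error) {
	var t Txn
	for _, field := range strings.Fields(line) {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			return t, fmt.Errorf("malformed field %q", field)
		}
		var err error
		switch kv[0] {
		case "txn":
			t.ID = kv[1]
		case "user":
			t.User = kv[1]
		case "approver":
			t.Approver = kv[1]
		case "amount":
			t.Amount, err = strconv.ParseFloat(kv[1], 64)
		case "limit":
			t.Limit, err = strconv.ParseFloat(kv[1], 64)
		case "override":
			t.Override, err = strconv.ParseBool(kv[1])
		}
		if err != nil {
			return t, fmt.Errorf("field %q: %w", field, err)
		}
	}
	if t.ID == "" || t.Limit <= 0 {
		return t, fmt.Errorf("line %q lacks a txn id or approval limit", line)
	}
	return t, nil
}

// Review runs the periodic review over a batch of log lines and returns every
// finding in log order. Checks: approval override used, amount above the
// established approval limit, and approver identical to the initiator.
func Review(lines []string) ([]Finding, error) {
	var findings []Finding
	for _, line := range lines {
		t, err := parseTxn(line)
		if err != nil {
			return nil, err
		}
		if t.Override {
			findings = append(findings, Finding{t.ID, "approval override used"})
		}
		if t.Amount > t.Limit {
			findings = append(findings, Finding{t.ID,
				fmt.Sprintf("amount %.2f exceeds approval limit %.2f", t.Amount, t.Limit)})
		}
		if t.Approver != "" && t.Approver == t.User {
			findings = append(findings, Finding{t.ID, "self-approval: approver is the initiating user"})
		}
	}
	return findings, nil
}

// SampleLog is constructed sample data for this example, not real transactions.
var SampleLog = []string{
	"txn=1001 user=alice approver=bob amount=4200.00 limit=5000.00 override=false",
	"txn=1002 user=carol approver=dave amount=9800.00 limit=5000.00 override=true",
	"txn=1003 user=erin approver=erin amount=1200.00 limit=5000.00 override=false",
	"txn=1004 user=frank approver=gina amount=7500.00 limit=5000.00 override=false",
}

func main() {
	findings, err := Review(SampleLog)
	if err != nil {
		fmt.Println("review aborted:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("txn %s: %s\n", f.TxnID, f.Reason)
	}
}
```

On the sample data the review raises four findings: two against txn 1002 (override used and amount above limit), a self-approval on txn 1003, and an over-limit amount on txn 1004. Aborting the whole batch on a parse error is deliberate: a reviewer should know the log is unreadable rather than receive a partial result that looks clean.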

Standard: Electronic Commerce
Topic: Electronic Commerce Transaction Logging, Monitoring and Reporting
Requirement: The Enterprise information resource owners or delegated information security analysts must document, implement, and maintain processes and controls to log, monitor, and report on electronic commerce transactions that process information classified as confidential over public-facing networks and demilitarized zones. Monitoring and reporting requirements must satisfy the Enterprise ITSRC (tier 2) Incident Management Standard (refer to that standard for further details).

Standard: Electronic Commerce
Topic: Electronic Commerce Transaction Security
Requirement: Controls and mechanisms have been implemented over electronic commerce services (e.g., to ensure non-repudiation for online transactions) and for storing data on publicly available systems.

Standard: Electronic Commerce
Topic: Electronic Commerce Transaction Security
Requirement: The Enterprise corporate function and business unit information resources involved in electronic commerce services must:
- Be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification (e.g., incorrect routing, unauthorized message alteration) when transmitting over public networks.
- Use non-repudiation techniques for electronic commerce transactions.
- Protect electronic messages from unauthorized access, modification, and denial of service.

Standard: Electronic Commerce
Topic: Electronic Commerce Transaction Security
Requirement: The Enterprise corporate functions and business units must implement, document, and maintain processes and controls to ensure the integrity, availability, and confidentiality of electronic commerce transmissions.

Standard: Electronic Commerce
Topic: Electronic Commerce Transaction Security
Requirement: The Enterprise information resource owners must document, implement, and maintain processes and controls for the integrity, availability, and confidentiality of electronic commerce transactions. This includes transmissions of information classified as confidential over public-facing networks and demilitarized zones (e.g., Internet, VPN), including but not limited to:
- Electronic funds transfer (e.g., electronic bill payment, wire transfers, ACH)
- Electronic data interchange (EDI)
- Business-to-business (B2B) or third-party related services
- Messages exchanged via email or other digital methods
- Electronic commerce payments (e.g., bill payment, cash management)
- Transactional internet banking (e.g., opening an account, closing an account)

Standard: Electronic Commerce
Topic: Electronic Commerce Transaction Security
Requirement: The Enterprise information resource owners must protect information resources that store, process and/or transmit electronic commerce transactions by implementing, at a minimum, the following:
- Non-repudiation services to facilitate validation of user identification, including:
  I. Assignment of unique user IDs
  II. Verification of user credentials
  III. Use of digital signatures
- Encryption of communication paths between involved parties using the Enterprise approved encryption protocols
- Secure protocols to communicate between involved parties
- Digital signatures and digital certificates from a trusted authority
- Approved logical access controls to protect electronic messaging information resources and prevent unauthorized access to or modification of electronic messages
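A worked example of the non-repudiation controls listed above (unique user identifier, credential verification, digital signature), added here and not taken from the standard or from any Enterprise system. It uses Ed25519 from Go's standard library as the signature scheme (an assumption; the requirement only calls for digital signatures and certificates from a trusted authority) and a hypothetical in-memory Directory that stands in for the trusted authority's registry of users and their public keys. The four verification scenarios show that a tampered record, an unregistered signer, and a signature made with a key other than the claimed user's are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// SignedTxn binds a canonical transaction record to the signer's unique
// identifier and the signature over the record. Using the hex public key as
// the user ID is an assumption for this example; a deployment would use the
// subject of a certificate issued by the trusted authority.
type SignedTxn struct {
	Record string // canonical transaction text, signed byte-for-byte
	UserID string // unique user identifier (here: hex of the public key)
	Sig    []byte // Ed25519 signature over Record
}

// Directory maps unique user IDs to their verified public keys. It stands in
// for the trusted authority / user registry the standard refers to.
type Directory map[string]ed25519.PublicKey

// Sign produces the non-repudiable record: only the holder of priv could have
// produced Sig, and Record cannot change without invalidating it.
func Sign(priv ed25519.PrivateKey, record string) SignedTxn {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedTxn{
		Record: record,
		UserID: hex.EncodeToString(pub),
		Sig:    ed25519.Sign(priv, []byte(record)),
	}
}

// Verify validates the claimed user identity against the directory and then
// checks the signature. It returns false for an unknown user, a modified
// record, or a signature produced by a key other than the registered one.
func Verify(dir Directory, s SignedTxn) bool {
	pub, ok := dir[s.UserID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, []byte(s.Record), s.Sig)
}

// Outcome reports the result of each scenario exercised by Demo.
type Outcome struct {
	Valid         bool // genuine record from a registered user
	Tampered      bool // amount altered after signing
	UnknownSigner bool // signer not in the directory
	WrongKey      bool // record claims alice's ID but was signed by another key
}

// Demo registers one legitimate user, signs a constructed transaction, and
// runs the four verification scenarios. Only Valid should come back true.
func Demo() (Outcome, error) {
	var o Outcome
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // never registered
	if err != nil {
		return o, err
	}
	dir := Directory{hex.EncodeToString(alicePub): alicePub}

	record := "txn=2001 user=alice amount=4200.00 payee=ACME" // constructed sample
	genuine := Sign(alicePriv, record)
	o.Valid = Verify(dir, genuine)

	tampered := genuine // same signature, altered amount
	tampered.Record = "txn=2001 user=alice amount=9999.00 payee=ACME"
	o.Tampered = Verify(dir, tampered)

	o.UnknownSigner = Verify(dir, Sign(otherPriv, record))

	forged := Sign(otherPriv, record)
	forged.UserID = genuine.UserID // impersonation attempt: claims alice's ID
	o.WrongKey = Verify(dir, forged)
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("valid=%v tampered=%v unknownSigner=%v wrongKey=%v\n",
		o.Valid, o.Tampered, o.UnknownSigner, o.WrongKey)
}
```

Two design points carry over to a real deployment: the signed record must be a canonical serialization agreed by both parties, so that signer and verifier sign and verify identical bytes, and the signature must be retained with the transaction log so a later dispute can be settled against the registered key rather than against a re-signed copy.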

Standard: Electronic Commerce
Topic: Electronic Commerce Transaction Security
Requirement: The Enterprise IT Security must review and approve the processes and controls developed by the Enterprise information resource owners to support the integrity, availability, and confidentiality of electronic commerce transactions.

Standard: Mobile Computing
Topic: Network Access Control
Requirement: The Enterprise mobile computing device administrators must document, implement, and maintain processes and controls to restrict access to the Enterprise approved mobile computing devices, including the following:
- Require use of the Enterprise approved authentication mechanisms (e.g., user ID, password) on power-up or login
- Restrict devices from establishing simultaneous connections to the Enterprise corporate network and public networks (e.g., the internet)

Standard: Mobile Computing
Topic: Computing Equipment Security Requirements
Requirement: Mobile computing devices storing Confidential information must use cryptographic controls and must be encrypted.

Standard: Mobile Computing
Topic: Computing Equipment Security Requirements
Requirement: Occasional, incidental, or personal use that does not affect performance or compliance with regulations is allowed.

Standard: Mobile Computing
Topic: Computing Equipment Security Requirements
Requirement: The office of the Enterprise Chief Technology Officer (CTO) is responsible for performing technology reviews (e.g., assessing smartphones for acceptability) and defining mobile device implementation (e.g., a Bring Your Own Device program) throughout the Enterprise.

Continuidad del Negocio

Acceso a la Informacin

Procedures are established, and implemented as needed, to ensure necessary electronic information is obtainable during
an emergency.

Err:508

Err:508

Continuidad del Negocio

Accesos de Emergencia

Information resource owners with input from the logical access administration team must document, implement, and
maintain procedures to grant emergency access (i.e., extraordinary circumstances where access controls must be bypassed
to maintain business operations) to the Enterprise managed information resources.

Err:508

Err:508

Continuidad del Negocio

Diseo de los Sistemas

Critical systems are engineered to ensure redundancy, fault tolerance and diversity, to avoid single points of failure.

Business Continuity

Backup Process

Backup media are stored in a secure location, preferably an off-site facility such as an alternate or backup site or a
commercial storage facility, in compliance with data storage requirements. Secure locations are reviewed
periodically.

Business Continuity

Backup Process

Changes to scheduled or batch processing jobs are authorized and follow change management processes and controls.

Business Continuity

Backup Process

System back-up requirements are documented and back-ups are scheduled, completed and monitored.

Business Continuity

Backup Process

The integrity of back-up media and ability to successfully recover data from the back-up media is verified through testing.

Access Control

Remote Access Administration

Client-based (e.g., AT&T client, Checkpoint client) and clientless (e.g., Outlook Web Access, Citrix) remote access must be
approved by Enterprise IT Security.

Access Control

Remote Access Administration

Non-Enterprise entities and non-Enterprise site-to-site service providers are permitted only in the Enterprise extranet,
unless the IT Security third-party review process has authorized internal network connectivity and ECC has approved
access from the extranet to Enterprise internal network services by client-based and clientless remote access.

Access Control

Remote Access Administration

Remote access administrators must implement, at a minimum, the following for information resources:
Utilize system, application, folder, and file-level access control permissions
Restrict use of remote access tools (e.g., Microsoft Terminal Services Client, telnet) to authorized personnel (e.g.,
authorized server operators, information security personnel)
Employ the following:
I. Network Address Translation (NAT) to mask internal IP addresses
II. An internal / choke firewall to restrict connections to authorized users
III. Termination of encrypted traffic before firewall filtering, so that the firewall filters the decrypted traffic
IV. Configuration of information resources to pass unique Dynamic Host Configuration Protocol (DHCP) and Domain
Name System (DNS) information specific to VPN clients
Prohibit sharing of credentials (e.g., IDs, passwords)
Restrict the ability to create multiple sessions per user account
Restrict split tunneling and route network traffic directly through the Enterprise network

Access Control

Remote Access Administration

Remote access, including remote administration, to Enterprise corporate function and business unit information
resources must include the following:
Use of an Enterprise-approved remote-access solution.
Use of an encrypted channel with a secure session and strong authentication (e.g., user ID, password, token).
Logging and audit processes.

Access Control

Remote Access Administration

Remote sessions from public networks must be treated as external connections and require the use of Enterprise IT
Security-approved authentication, authorization, and security protocols.

Access Control

Remote Access Administration

The Enterprise corporate functions and business units must implement, document, and maintain processes and controls to
restrict remote access to information resources.

3 - Critical

3 - Critical

Access Control

Remote Access Administration

Enterprise employees are permitted to access the Enterprise internal network (e.g., Core, DMZ) by client-based and
clientless remote access.

Access Control

Remote Access Administration

Enterprise remote access administrators must secure the remote access environment (e.g., VPN, RDP, terminal server
access) by using at least one of the following:
Enterprise-approved authentication, authorization, and security protocols (e.g., RADIUS, multi-factor authentication,
LDAP) and encryption protocols (e.g., IPsec, SSL/TLS, SSH)
Unique user IDs and encrypted passwords
Public key infrastructure (PKI)

Access Control

Remote Access Administration

To gain authorization for remote access, the following must be adhered to:
Enterprise employees must successfully complete the HR (firm-wide) on-boarding process and a background check, and
be assigned an Employee ID (EID)
Enterprise employees, non-Enterprise entity users, and non-Enterprise site-to-site service providers must complete an
Enterprise Employee RAS Account request form and submit it to their line manager or a delegated Enterprise employee
for approval
Non-Enterprise entity users and non-Enterprise site-to-site service providers must complete an Entity Assessment
Submission (EAS) that must be approved by Enterprise IT Security
Non-Enterprise entity users and non-Enterprise site-to-site service providers using non-Enterprise-managed / registered
information resources (e.g., laptop, desktop) connected through Enterprise remote access protocols must adhere to
Enterprise IT security requirements and IT security, risk and compliance (ITSRC) policies and standards

Access Control

Third-Party Access Control, Local or Remote

Non-Enterprise site-to-site service providers must document, implement and maintain processes and controls approved
by the Enterprise and Enterprise IT Security, including the following:
Physical and network environments must be segregated from the entity's other service environments and be dedicated to
the systems and services used to support Enterprise information resources. Physical access controls must be defined
and operated to restrict access to authorized personnel only
Business user security controls (e.g., DLP, anti-virus) must be in place and managed locally through a segregated and
dedicated control console, separate from the entity's other service and network environments
The host and business user infrastructure environment must have the same level of security controls and processes as
required for the Enterprise internal network (e.g., system vulnerability process and controls, logging and monitoring)
Enterprise-approved, managed and monitored security infrastructure at both ends of the VPN (virtual private network)
tunnel or private line

Access Control

Logical Access Control

Enterprise information resource owners must apply, at a minimum, access controls to the following:
Servers (e.g., web servers, application servers) and their operating systems
Database systems or file systems
Applications
Enterprise-managed utilities and tools
Servers, workstations, laptops, PDAs, and other devices with storage capabilities
E-mail accounts
Infrastructure systems and appliances
Mobile computing and mobile devices

Access Control

Identity Management

Enterprise information resource administrators must implement access controls to identify and authenticate users to
Enterprise-managed information resources for, at minimum, the following account types:
User Accounts (user ID) - accounts that have regular privileges and are assigned to Enterprise personnel for access
to Enterprise-managed information resources (e.g., applications, web-based services)
Privileged User Accounts - accounts used by system or application administrators; these must not be shared with other
personnel for system access
Default Administrative Accounts - out-of-the-box accounts that have elevated or application privileges (e.g., root and
administrator, or equivalents)
Service Accounts - accounts designed for use by controlled, automated processes (e.g., batch processing, system
interface applications)
Third Party User Accounts - accounts created for third parties, vendors, or contractors to access Enterprise
information resources. Third party accounts must uniquely identify each third party, vendor, or contractor. Requests for
third-party access must be made by the Enterprise personnel supervising the third party and authorized by IT Services
prior to access being granted

Access Control

Identity Management

An Identity Theft Prevention program has been established and is adequately documented, managed and maintained.

Access Control

Identity Management

Automated access control systems and proper authentication methods (e.g., unique IDs, passwords) are implemented per
company policy and consistently enforced to prevent unauthorized access to information systems and resources.

Access Control

Identity Management

Each user must have an Enterprise user ID that uniquely identifies the associated individual. Users are accountable for
all activities performed under their user ID. The Enterprise must implement a process for each user ID that includes the
following:
User IDs and authentication credentials must not be shared (e.g., with peers, managers, coworkers).
User IDs intended for testing or training must be assigned to an individually identified owner.
User IDs must be disabled upon termination of employment or business relationship.
User IDs that are inactive for 90 days must be disabled.

Access Control

Identity Management

Granting and revoking logical security access to applications, data, and infrastructure (including operating systems and
databases), including privileged user access and access for third-party contractors and vendors, is performed in
accordance with the applicable user access policy/standards.

Access Control

Identity Management

Privileges for Enterprise-managed information resources must:
Require approval from the user's line manager and the information resource owner and/or delegate, based on user
functions and profiles
Adhere to the principle of least privilege
Be verified for segregation of duties conflicts. Identified conflicts must be approved by the information resource owner
and/or delegate
Limit administrative privileges to authorized Enterprise personnel
Segregate system administrator access from non-privileged access by providing two user IDs (with exceptions for tools
and utilities, and where technically not feasible)

Access Control

Identity Management

Software, systems, programs or tools that provide privileged access or could override system and application controls are
monitored, restricted and controlled. Access is granted in accordance with the applicable access control policy.

Access Control

Identity Management

The Enterprise corporate functions and business units must implement, document, and maintain processes and controls to
manage user provisioning, access authorization, allocation of privileges, and de-provisioning to the Enterprise information
resources.

Access Control

Identity Management

Enterprise information resource owners must document, implement, and maintain processes and controls to provide a
consistent credential source (e.g., ID, password) to facilitate user ID administration.

Access Control

Identity Management

Enterprise information resource owners, with input from system access administrators, must document, implement, and
maintain processes and controls to manage user IDs on Enterprise information resources, including the following:
Adhere to a standard naming convention (e.g., Enterprise ID, Corporate ID)
Disable IDs within defined time frames after termination or end of business relationship
Review IDs at least annually for compliance with standard naming conventions and with Enterprise IT, legal, regulatory
and statutory requirements
Delete IDs after one hundred fifty (150) days of inactivity
Maintain records of deletions as defined in the Enterprise Domestic Records Retention Schedule
Remove custom application accounts and user IDs before applications become active or are released to customers, where
technically feasible
Remove test accounts before production systems become active
Do not use group, shared, or generic accounts
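Added example, not part of the standard: a review script that applies the inactivity thresholds from this row and from the Identity Management row above (disable after 90 days of inactivity, delete after 150) and flags IDs that fall outside the naming convention or look like group/shared/generic accounts. The naming convention (three letters plus four digits), the generic-name list and the sample directory records are assumptions constructed for this example; the standard itself names none of them.

```python
"""Added example (not part of the standard): user ID inactivity review.

Thresholds taken from the standard: disable after 90 days inactive,
delete after 150 days inactive, no group/shared/generic accounts,
IDs must follow a naming convention.  The convention itself (three
letters + four digits) and the generic-name list are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DISABLE_AFTER = timedelta(days=90)
DELETE_AFTER = timedelta(days=150)

# Assumed naming convention, e.g. "abc1234"; the standard does not specify one.
NAMING_CONVENTION = re.compile(r"^[a-z]{3}\d{4}$")
# Assumed indicators of group/shared/generic accounts.
GENERIC_NAMES = {"admin", "test", "guest", "shared", "service", "temp"}


@dataclass(frozen=True)
class Account:
    user_id: str
    last_login: Optional[date]  # None means the ID has never logged in
    created: date
    disabled: bool = False


def days_inactive(acct: Account, today: date) -> int:
    """Inactivity is measured from the last login, or from creation if none."""
    return (today - (acct.last_login or acct.created)).days


def classify(acct: Account, today: date) -> list:
    """Return the actions the standard requires for one account ([] = compliant)."""
    actions = []
    if acct.user_id.lower() in GENERIC_NAMES:
        actions.append("REVIEW: group/shared/generic account not permitted")
    if not NAMING_CONVENTION.match(acct.user_id):
        actions.append("REVIEW: does not follow naming convention")
    idle = timedelta(days=days_inactive(acct, today))
    if idle >= DELETE_AFTER:
        actions.append("DELETE: inactive 150+ days; record deletion per retention schedule")
    elif idle >= DISABLE_AFTER and not acct.disabled:
        actions.append("DISABLE: inactive 90+ days")
    return actions


def review(accounts, today: date) -> dict:
    """Map every user ID to its list of required actions."""
    return {a.user_id: classify(a, today) for a in accounts}


# Constructed sample records; not taken from any real directory.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Account("abc1234", date(2024, 6, 1), date(2020, 1, 15)),                 # 29 days idle
    Account("def5678", date(2024, 3, 1), date(2021, 5, 3)),                  # 121 days idle
    Account("ghi9012", date(2023, 12, 1), date(2019, 9, 9), disabled=True),  # 212 days idle
    Account("admin", None, date(2024, 6, 20)),                               # generic, wrong format
]

if __name__ == "__main__":
    for user_id, actions in review(SAMPLE, TODAY).items():
        print(user_id, "->", "; ".join(actions) or "OK")
```

An already-disabled ID between 90 and 150 days of inactivity produces no action, so the script can be run daily without re-reporting the same disable; the DELETE path fires regardless of the disabled flag because the 150-day rule applies to the ID itself.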

Access Control

Identity Management

Enterprise-managed information resource accounts must uniquely identify specific personnel for the duration of
employment, or of the third-party contractual agreement, with the Enterprise, and thereafter according to the applicable
Enterprise IT, legal, regulatory and statutory requirements and contractual obligations (please refer to the Enterprise
Domestic Retention Schedule for retention requirements related to user ID provisioning and de-provisioning).

Access Control

Identity Management

User access provisioning and de-provisioning policy and standards have been established and documented. Procedures
are developed to create, modify, and remove information system (e.g., application, operating system, database, data)
access for all users, including third-party contractors/vendors.

Access Control

Password Policies

Passwords must not be hard-coded into software or batch programs developed or modified by business users, where
technically feasible
Information resource administrators must change passwords when information resource passwords have been
compromised (e.g., disclosed, cracked)
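As an added example (not part of the standard), the following Python scanner shows how the "no hard-coded passwords" rule can be checked mechanically across source and batch files. It flags a quoted literal assigned to a password-like identifier and a user:password pair embedded in a connection URL, while accepting values fetched at run time from an environment variable or a vault client, which is the exception the standard allows for approved password vaults. The regular expressions, the vault and environment call names, the placeholder list and the sample source lines are all assumptions constructed for this example.

```python
"""Added example (not part of the standard): hard-coded credential scanner.

Flags (a) a quoted literal assigned to a password-like identifier and
(b) a user:password pair embedded in a connection URL, and accepts lines
that fetch the value at run time from an environment variable or a vault
client, which the standard permits via approved password vaults.  The
patterns, the vault/environment call names, the placeholder list and the
sample source lines are assumptions constructed for this example.
"""
import re
from typing import List, Tuple

# (a) password-like name, then '=' or ':', then a quoted literal of 1+ characters
LITERAL_RE = re.compile(
    r"""(?i)(?:pass(?:word|wd|phrase)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*(['"])(?P<value>[^'"]+)\1"""
)
# (b) scheme://user:password@host
URL_CRED_RE = re.compile(r"""(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@'"]+:(?P<value>[^@\s'"]+)@""")
# Run-time sources that are acceptable (assumed names): environment lookups, vault clients
RUNTIME_SOURCE_RE = re.compile(r"(?i)(os\.environ|getenv|\$\{?[A-Za-z_]+\}?|vault\.|secretsmanager|keyring)")
# Obvious placeholders that are not real secrets
PLACEHOLDERS = {"changeme", "<password>", "xxx", "***", "redacted", "your_password_here"}


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, matched_text) for every hard-coded credential found."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if RUNTIME_SOURCE_RE.search(line):
            continue  # value is resolved at run time, not embedded in the file
        for kind, pattern in (("literal", LITERAL_RE), ("url", URL_CRED_RE)):
            match = pattern.search(line)
            if match and match.group("value").lower() not in PLACEHOLDERS:
                findings.append((number, kind, match.group(0).strip()))
                break  # one finding per line is enough
    return findings


# Constructed sample lines mixing Python and shell; not real code or real secrets.
SAMPLE_SOURCE = [
    'import os',
    'DB_PASSWORD = "hunter2"',                                 # hard-coded -> finding
    'api_key = os.environ["API_KEY"]',                          # run-time -> accepted
    'conn = "postgres://app:Tr0ub4dor&3@db.internal/prod"',    # URL credential -> finding
    'token = vault.read("secret/ci/token")',                   # approved vault -> accepted
    "password = ''",                                            # empty literal -> ignored
    'set PWD=changeme',                                         # placeholder, unquoted -> ignored
    'export SMTP_PASS="s3cret!"',                               # shell script -> finding
]

if __name__ == "__main__":
    for number, kind, text in scan(SAMPLE_SOURCE):
        print(f"line {number}: {kind} credential: {text}")
```

The run-time-source check runs before the literal patterns on purpose: a line such as `token = vault.read("secret/ci/token")` contains the words "token" and "secret" but holds no credential, and skipping it avoids a false positive that would train people to ignore the report.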

Access Control

Password Policies

Passwords must not be shared or revealed to unauthorized or unintended recipients
The storage, display, and printing of passwords must be masked, suppressed, or otherwise obscured
Business users must not use the "Remember Password" feature of information resources (e.g., applications), where
technically possible
To resolve a problem, an information resource owner may need an end user's password to troubleshoot. When this
occurs, the following must be followed:
I. Users must confirm they are working with a system/security administrator
II. Passwords must be changed after the problem has been resolved
A user is allowed a maximum of five consecutive failed login attempts to Enterprise information resources, after which
the user's access must be suspended
Passwords must not be documented on, under, around, or near the information resource or any of its components
Passwords must be treated as information classified as confidential
Information resource owners must not construct separate mechanisms (i.e., mechanisms not intended for the purpose of
the information resource, application, or system) to collect passwords or user IDs
Information resource owners must not construct or install non-approved authentication mechanisms to identify or
authenticate business users without the advance permission of Enterprise IT Security
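Added example, not from the standard: a detector for the five-consecutive-failures rule above, run over constructed authentication log lines. The log format is invented for this example; what it demonstrates is that "consecutive" requires the counter to reset on a successful login, so a user with failures scattered around a success is not suspended, while a genuine run of five is flagged exactly once.

```python
"""Added example (not part of the standard): detect accounts that exceed the
maximum of five consecutive failed login attempts and must be suspended.

Log format (constructed for this example, not any product's real format):
    <ISO timestamp> user=<id> result=<OK|FAIL> src=<ip>
A successful login resets the consecutive-failure counter, so five failures
spread around a success do not trigger suspension.
"""
import re
from collections import defaultdict

MAX_CONSECUTIVE_FAILURES = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)\s+src=(?P<src>\S+)$"
)


def parse(line):
    """Return the fields of one log line, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines rather than crash the detector
    return m.groupdict()


def find_lockouts(lines):
    """Return {user: timestamp of the 5th consecutive failure} for users to suspend."""
    streak = defaultdict(int)
    suspended = {}
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        user = event["user"]
        if event["result"] == "OK":
            streak[user] = 0          # a success breaks the run of failures
            continue
        streak[user] += 1
        if streak[user] == MAX_CONSECUTIVE_FAILURES and user not in suspended:
            suspended[user] = event["ts"]   # report once, at the fifth failure
    return suspended


# Constructed sample log; the users and addresses are not real.
SAMPLE_LOG = [
    "2024-06-30T08:00:01 user=jdoe result=FAIL src=203.0.113.7",
    "2024-06-30T08:00:03 user=jdoe result=FAIL src=203.0.113.7",
    "2024-06-30T08:00:05 user=jdoe result=FAIL src=203.0.113.7",
    "2024-06-30T08:00:07 user=jdoe result=FAIL src=203.0.113.7",
    "2024-06-30T08:00:09 user=jdoe result=FAIL src=203.0.113.7",   # 5th -> suspend
    "2024-06-30T08:00:11 user=jdoe result=FAIL src=203.0.113.7",   # already reported
    "2024-06-30T08:01:00 user=asmith result=FAIL src=10.0.0.5",
    "2024-06-30T08:01:02 user=asmith result=FAIL src=10.0.0.5",
    "2024-06-30T08:01:04 user=asmith result=OK src=10.0.0.5",      # resets the streak
    "2024-06-30T08:01:06 user=asmith result=FAIL src=10.0.0.5",
    "2024-06-30T08:01:08 user=asmith result=FAIL src=10.0.0.5",
    "2024-06-30T08:01:10 user=asmith result=FAIL src=10.0.0.5",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for user, ts in find_lockouts(SAMPLE_LOG).items():
        print(f"suspend {user}: fifth consecutive failure at {ts}")
```

The detector keys its counter on the user ID, not the source address, because the rule in the standard is per account; a distributed password-spraying attempt against one account from many addresses still counts toward the same five.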

Access Control

Password Policies

Passwords must not be stored outside of Enterprise information resources or mechanisms (e.g., in a separate file), with
the exception of Enterprise-approved password vaults
Default account passwords must be changed immediately when commissioning a new system or installing new software,
where technically possible
Business users must be required to present a password to access Enterprise information resources

Access Control

Password Policies

The length and structure of passwords must be checked automatically by the security system against the standard, where
technically possible
Temporary passwords must force the user to change their password upon initial login
Temporary passwords must be randomly generated, where technically possible, and must not be reused
The distribution of each password must be handled with the strictest confidentiality to ensure that only the assigned
user is provided the password

Access Control

Password Policies

A user authentication (i.e., how the system verifies the identity of a user) policy and/or standard has been established
and documented for information resources, application software, and system utilities. At minimum, the policy and/or
standard defines authentication and password requirements for application systems and infrastructure (OS, database,
etc.).

Access Control

Password Policies

Approved authentication methods and network protocols are used to control remote access to networks (internal and
external), including wireless networks, by remote users and network devices.

Access Control

Password Policies

Authentication and authorization to the Enterprise managed information resources must utilize the Enterprise approved
mechanisms and require a unique user ID and password.

Access Control

Password Policies

Configuration of password settings must satisfy the Enterprise ITSRC Password Management Standard.

Access Control

Password Policies

System ID passwords, when present, must be changed every 180 days.

Access Control

Password Policies

The Enterprise corporate functions and business units must implement, document, and maintain processes and controls for
the allocation of passwords. Passwords used to access Enterprise corporate function and business unit information
resources must:
Be at least 8 characters long.
Contain a minimum of one numeric character.
Contain a minimum of one special character (e.g., @, #, $).
Begin and end with an alphabetic character.
Differ from the previous 13 passwords.
Be restricted to one change within a 24-hour period, except for one-time-password implementations.
Not be programmed into "remember password" features, scripts or function keys.
User account passwords must be changed every 90 days.
A maximum of 5 consecutive failed login attempts is allowed, after which the user's access must be suspended.
Passwords must be stored and transmitted in protected (e.g., encrypted or hashed) form.
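Added example, not part of the standard: a password-change check that enforces the composition, history, change-interval and rotation rules listed above, including the 180-day period for system IDs from the preceding row. Previous passwords are kept only as salted PBKDF2-HMAC hashes, so the "previous 13" comparison never requires storing cleartext. The special-character set (the standard gives only "@, #, $" as examples), the PBKDF2 work factor and the sample passwords are assumptions made for this example.

```python
"""Added example (not part of the standard): password-change enforcement.

Rules taken from the Password Policies rows: at least 8 characters, one
digit, one special character, leading and trailing alphabetic character,
no match against the previous 13 passwords, at most one change per 24
hours (one-time-password schemes excepted), rotation every 90 days for
user accounts and 180 days for system IDs, history stored only as hashes.
The special-character set, the PBKDF2 parameters and the sample passwords
are assumptions made for this example.
"""
import hashlib
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HISTORY_DEPTH = 13
MIN_CHANGE_INTERVAL = timedelta(hours=24)
MAX_AGE = {"user": timedelta(days=90), "system": timedelta(days=180)}
SPECIALS = set("@#$%^&*!?-_+=")  # assumed; the standard gives only "@, #, $" as examples
PBKDF2_ROUNDS = 50_000           # assumed work factor, kept low so the demo runs quickly


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the history never holds cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def composition_errors(password: str) -> List[str]:
    """Composition rules the candidate violates; an empty list means compliant."""
    errors = []
    if len(password) < 8:
        errors.append("fewer than 8 characters")
    if not any(c.isdigit() for c in password):
        errors.append("no numeric character")
    if not any(c in SPECIALS for c in password):
        errors.append("no special character")
    if not (password[:1].isalpha() and password[-1:].isalpha()):
        errors.append("must start and end with an alphabetic character")
    return errors


class PasswordRecord:
    """Per-account state: salted hashes of past passwords plus the last change time."""

    def __init__(self, account_type: str = "user", one_time_password: bool = False):
        self.account_type = account_type
        self.one_time_password = one_time_password
        self.history: List[Tuple[bytes, bytes]] = []  # (salt, digest), newest last
        self.last_changed: Optional[datetime] = None

    def reused(self, candidate: str) -> bool:
        """True if the candidate equals any of the previous HISTORY_DEPTH passwords."""
        return any(_digest(candidate, salt) == digest
                   for salt, digest in self.history[-HISTORY_DEPTH:])

    def change(self, candidate: str, now: datetime) -> List[str]:
        """Apply every rule; store the new hash only if all of them pass."""
        errors = composition_errors(candidate)
        if self.reused(candidate):
            errors.append("matches one of the previous %d passwords" % HISTORY_DEPTH)
        if (self.last_changed is not None and not self.one_time_password
                and now - self.last_changed < MIN_CHANGE_INTERVAL):
            errors.append("only one change permitted per 24 hours")
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.append((salt, _digest(candidate, salt)))
        self.last_changed = now
        return []

    def expired(self, now: datetime) -> bool:
        """Rotation check: 90 days for user accounts, 180 days for system IDs."""
        if self.last_changed is None:
            return True
        return now - self.last_changed > MAX_AGE[self.account_type]


if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, 9, 0)
    rec = PasswordRecord()
    print(rec.change("Summer#2024x", t0))                        # []
    print(rec.change("Autumn#2024y", t0 + timedelta(hours=2)))   # 24-hour rule
    print(rec.change("Summer#2024x", t0 + timedelta(days=2)))    # reuse of a previous password
    print(rec.expired(t0 + timedelta(days=100)))                 # True
```

The 24-hour minimum age is what gives the 13-deep history its teeth: without it a user can cycle through thirteen throwaway passwords in a minute and land back on the original, which is exactly the behaviour the two rules are meant to prevent together.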

Access Control

Password Policies

Enterprise information resource owners must encrypt authentication credentials (e.g., user name, password) prior to
transmission over a public network. Authentication credentials must be secured using Enterprise-approved encryption
protocols when stored on the following information resources:
Enterprise servers, network infrastructure, appliances, databases, and directories
End user desktops and laptops
Mobile computing devices or handheld devices, including Personal Digital Assistants (PDAs), smartphones, or handheld
personal computers
Removable media

Access Control

Access Provisioning for Contingent Workforce

The Enterprise logical access control administration team must document, implement, and maintain access termination,
modification, and revocation procedures for contingent (e.g., intern, third party) workers, including at minimum the
following:
Disable user IDs in accordance with the date provided on an approved access request, and no more than 90 days from
the date of issuance
Extensions for user IDs must be for no longer than 90-day increments and approved by the information resource owner
Restrict information resource administrative privileges to Enterprise personnel directly responsible for information
resource management and/or security administration
Restrict access to information classified as confidential to those with formal approval from information resource owners

Access Control

User Roles and Responsibilities

The Enterprise corporate functions and business units must implement, document, and maintain access controls based on
business and security access requirements to the Enterprise information resources.

Access Control

Termination, Modification, Revocation

Information resource owners must report significant changes in duties or employment status (e.g., change in role, user
termination) to information resource security administrators.

Access Control

Termination, Modification, Revocation

The Enterprise logical access control team must document, implement, and maintain access termination, modification, and
revocation procedures including disabling information resource privileges at the time that the Enterprise personnel or third
parties cease to be employed by or provide services to the Enterprise.

Access Control

Access Validation

If a re-certification process is not available or does not exist then it must be defined and operated by the information
resource owner.

Access Control

Access Validation

The Enterprise information resource owner and/or line manager must:
Follow the re-certification process defined by the Enterprise logical access administration control team to review access
rights to Enterprise information resources annually, including:
I. Critical information resources
II. Production and non-production information resources that store, process, or transmit information classified as
confidential
III. File directories
Review active IDs on a periodic basis and notify the Enterprise logical access control team when IDs are no longer
required
Notify the Enterprise logical access control team to disable inactive user ID accounts (i.e., inactive for more than 90
days); inactive accounts must be reviewed by the user's manager prior to deactivation
Perform entitlement reviews to validate the appropriateness of access

Access Control

Access Validation

The Enterprise information resources that meet the following criteria are considered critical for access review:
Required for business operations (i.e., when the business processes fail, business operations will fail)
Information resource is repeatedly misused or infiltrated
Store, process, or transmit information classified as confidential

Threat and Vulnerability Management

Threat and Vulnerability Analysis

The Enterprise information resource owners or delegated administrators must identify threats using, at a minimum, the
following:
Threat feeds from vendors around attack vectors, application and network vulnerabilities
Threat intelligence from sources (e.g., SANS, CERT) that monitor the IT threat landscape

The Enterprise information resource owners or delegated administrators must identify vulnerabilities using, at a minimum,
the following:
Internal and external vulnerability scans (e.g., email scans, application scans)
Patch management tools to identify releases of security patches or hotfixes by vendors. Critical patches must be
addressed immediately and integrated into the incident response program
Configuration reviews to identify non-secure configuration settings
Vendor websites and advisories

Threat and Vulnerability Management

Threat and Vulnerability Analysis

The Enterprise information resource owners or delegated administrators must perform an inventory of software at least
annually to identify information resources that are susceptible to known vulnerabilities and must perform threat and
vulnerability assessments, where technically feasible, at the following frequencies:
Annually for critical applications identified by the Enterprise functions, lines of business, and regions based on the
following criteria:
I. Required for business operations (i.e., if the business processes fail, business operations will also fail)
II. Information resource is repeatedly misused or infiltrated
III. Store, process, or transmit information classified as confidential or Customer/Employee confidential information
Quarterly for networks/perimeters
Ad hoc for new applications and major application releases slated for implementation

Threat and Vulnerability Management

Threat and Vulnerability Analysis

The Enterprise information resource owners, or delegated administrators, must either monitor announcements to identify
threats and vulnerabilities that impact critical Enterprise information resources or, where feasible, leverage managed
services and solutions to identify them.

Threat and Vulnerability Management

Business Impact Analysis

Determine the magnitude of the impact should a threat successfully exploit the vulnerability, using the following criteria:

Impact Magnitude of Threat/Vulnerability Realization

Impact: Description
Low: Exploitation of the vulnerability (1) may result in the loss of some tangible assets or resources, or (2) may
noticeably affect an organization's mission, reputation, or interest.
Medium: Exploitation of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate,
harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
High: Exploitation of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may
significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death
or serious injury.
Critical: Suspected or confirmed imminent threat of enterprise-wide impact that must be addressed through the incident
response program.

Threat and Vulnerability Management

Business Impact Analysis

Determine the risk rating for a threat/vulnerability pair based on the threat likelihood and impact, using the following matrix:
Risk Matrix

Threat and Vulnerability Management

Business Impact Analysis

After vulnerabilities and threats are identified and the risk ratings are calculated, root cause analysis must be performed and
remediation plans must be created where required.
Remediation plans must include:
I. Processes that address root causes to avoid vulnerabilities
II. Timelines and responsibilities for the proposed remediation activities

Remediation timelines must be based on risk ratings as follows:

Risk Rating: Remediation Timeline
High: Within 30 days of vulnerability identification
Medium: Within 60 days of vulnerability identification
Low: Within 90 days of vulnerability identification

Upon execution of the remediation plan, Enterprise information resource administrators must provide evidence (e.g.,
screenshot, script output) that remediation has been implemented and tested where applicable
Enterprise Regional IT Security must submit periodic summary reports to Enterprise IT Security indicating the number of
vulnerabilities identified, vulnerability descriptions, risk ratings, current remediation status, and issues or concerns

Threat and Vulnerability Management

Business Impact Analysis

The Enterprise information resource owners must assess the level of risk to critical information resources when an existing
vulnerability is exploited by an identified threat. To determine the risk for a threat/vulnerability pair, the Enterprise must:
Determine the likelihood of a threat attempting to exploit a vulnerability using the following criteria:

Threat Likelihood Criteria

Likelihood: Description
Low: The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede,
the vulnerability from being exercised.
Medium: The threat source is motivated and capable, but controls are in place that may impede successful exercise of the
vulnerability.
High: The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being
exploited are ineffective.
Critical: Suspected or confirmed imminent threat due to the vulnerability that must be addressed through the incident
response program.

Threat and Vulnerability Management

Systems Security Analysis

Procedures are developed, implemented and maintained to proactively identify information technology and information
security risks and threats, including executing vulnerability and threat assessments for both internal and external
applications and infrastructure.
Independent security reviews are conducted on software source code where possible based on application sensitivity and
exposure to threats (e.g. the Internet). Exposures are evaluated and appropriate measures taken to address the risk.

Threat and Vulnerability Management

Systems Security Analysis

Procedures are developed, implemented, and maintained to protect against the risks of mobile computing (e.g. PDA,
laptops, tablets, etc.) including:
- appropriate security measures (e.g. password protected mobile devices);
- reporting of lost and stolen devices using the Incident Response Program;
- enabling for remote data clearing or wiping of lost or stolen devices;
- mobile code operates according to a clearly defined security policy, and unauthorized mobile code is prevented from
executing.

Threat and Vulnerability Management

Systems Security Analysis

The integrity of information made available on a publicly accessible system is protected to prevent unauthorized
modification. The publicly accessible system is tested against weaknesses and failures prior to information being made
available. All commercial web sites holding personal information have adopted appropriate security procedures.

Threat and Vulnerability Management

Anti-Malware Configuration

Processes and controls have been developed, implemented, and maintained to safeguard against malicious code (malware),
including logging, notification and remediation actions. Examples of malware include Trojans, viruses, key loggers,
anonymizers, logic bombs, and rootkits.

Threat and Vulnerability Management

Intrusion Detection

Intrusion detection and prevention controls are developed, implemented and actively monitored and maintained, including
notification and remediation actions.

Threat and Vulnerability Management

Intrusion Detection

Mechanisms are in place to monitor files, applications and networks, including file integrity, intrusion detection, and network
traffic monitoring systems.

Threat and Vulnerability Management

Security Policies

The Enterprise corporate functions and business units must implement, document and maintain processes and controls to
safeguard against malicious code (e.g., Trojans, viruses, key loggers, anonymizers, logic bombs, rootkits) in the operating
environment.

Threat and Vulnerability Management

Security Policies

The Enterprise corporate functions and business units must implement, document, and maintain a program to proactively
identify information technology and information security risks and threats inherent to the environment using available
authoritative sources, including regulations, frameworks, and industry best practices along with current threat information.

Threat and Vulnerability Management

Mobile Computing Security

The Enterprise corporate functions and business units must implement, document, and maintain operational plans,
processes, controls, and appropriate security measures to protect against the risks of mobile computing, communication
facilities, and teleworking activities. Mobile computing devices must be:
Attended and/or secured at all times.
Returned upon termination.
Promptly reported if lost or stolen using the Incident Response Program.
Enabled for remote data clearing or wiping of lost or stolen devices as technically supported.
Configured with an authentication-based access control system as technically supported.
Configured and secured to restrict the unauthorized transfer of the Enterprise corporate function and business units'
information beyond their control.

Err:508

Err:508

Control de Amenazas y Vulnerabilidades

Seguridad del Cmputo Personal

The Enterprise corporate functions and business units must implement, document, and maintain processes and controls to
secure workstations and devices used to store, process, or transmit the Enterprise Confidential information, including the
following:
User sessions must be locked or logged-off when unattended.
Internal workstation sessions must be timed out after no more than 20 minutes of inactivity.
Internet/customer-facing sessions must be timed out after no more than 60 minutes of inactivity.
Session reactivation must require a user to re-authenticate.
Information resources (e.g., laptops) must be physically secured when not in use or in a secure area (e.g., cable lock,
secure container).

Err:508

Err:508

Control de Amenazas y Vulnerabilidades

Seguridad Perimetral

Controls are developed, approved, implemented and maintained to manage firewall configuration and routing rules as well
as diagnostic tools to protect information system resources.

Err:508

Err:508

Control de Amenazas y Vulnerabilidades

Seguridad Perimetral

External connections (e.g. extranet/DMZ segments) to the Enterprise Network are reviewed on a periodic basis for
appropriateness.

Err:508

Err:508

Control de Amenazas y Vulnerabilidades

Seguridad Perimetral

The network is securely architected, network devices are securely configured, and secure network protocols are in place.
Network diagrams (including WAN and LANs) and security standards have been documented and are reviewed on a
periodic basis for suitability. Groups of information services, users and information systems are segregated on networks.
Sensitive systems have a dedicated (isolated) computing environment.

Err:508

Err:508

Change Control

Testing and Implementation Flow

A process to control the scheduling and promotion of code changes between development, testing, and production has been established in accordance with the applicable application development standard(s) and/or change management standard(s). In addition, the Enterprise-Mexico IT department works within the bounds of Enterprise

Change Control

Testing and Implementation Flow

Infrastructure changes, new systems, and configurations are tested in accordance with the test plan to verify that design specifications are appropriately implemented, released into production per the applicable infrastructure change management policy, and operating as intended to satisfy requirements.

Change Control

Change Control Procedures in Application Development

A change control system has been established to track application development and application changes from request, through development, testing, and approval, to production deployment. Issues and problems identified from the development phase through the implementation phase are also documented and tracked.

Change Control

Change Control Procedures in Application Development

An application change management standard has been established for the development and maintenance of in-house developed applications and for modifications to 3rd party applications. The standard defines the baseline requirements for requesting, reviewing, prioritizing, approving, and scheduling application changes prior to deployment to production.

At minimum, the standard includes:

- Change request documentation
- Change schedule
- Change request approved by authorized parties
- Back-out procedures
- Test cases and test results
- Quality Assurance Standards
- Emergency changes
- Separate test and production environments

Change Control

Change Control Procedures in Application Development

Appropriate approvals are obtained before new systems are moved into production, and the new system has been successfully tested before any old system is decommissioned.

Change Control

Change Control Procedures in Application Development

Emergency change requests, evaluation, testing, and documentation are conducted in accordance with the application change management standard(s).

Change Control

Change Control Procedures in Application Development

Post-implementation reviews are conducted at the end of a project to validate the completion of project objectives.

Security Culture

Information Security Awareness and Outreach Campaigns

Ongoing notifications must be communicated to users to increase awareness of information security policies and standards.

Security Culture

Information Security Awareness and Outreach Campaigns

The Enterprise IT Security must document, implement, and maintain processes and controls to manage information security awareness campaigns, including the following:
Information security awareness must be an ongoing process.
Periodic communication must be delivered, at a minimum, regarding the following:
I. Newly discovered cyber threats and security threats
II. New or updated Enterprise Corporate ITSRC policies and standards
Awareness messages must be tailored based on audience roles and responsibilities.

Security Culture

Information Security Awareness and Outreach Campaigns

The Enterprise third party relationship management must document, implement, and maintain processes and controls to manage information security training and awareness for third party personnel (e.g., vendors, contractors), including:
Requiring that third party personnel with access to the Enterprise information resources complete information security training at the start of a contract and at least annually
Documenting and maintaining training history (e.g., completed, not completed) for third party personnel

Security Culture

IT Security Training

Education and training content related to information technology and information security for IT personnel is evaluated on completion for relevance to roles and responsibilities, effectiveness, capture and retention of knowledge, and value.

Security Culture

IT Security Training

Information security awareness training is delivered for employees, contractors, and third party users. The status of security awareness training activities is tracked and reported.

Security Culture

IT Security Training

The Enterprise corporate functions and business units must provide formal training and awareness to employees and third parties with access to the Enterprise information resources, including their responsibilities and expectations as to what actions are required based on the Enterprise IT Security, Risk and Compliance (ITSRC) policies and standards.

Security Culture

IT Security Training

The Enterprise IT Security must document, implement, and maintain processes and controls to align with the Enterprise Corporate ITSRC information security training and awareness program, including:
Requiring that Enterprise personnel with access to the Enterprise information resources complete information security training upon hire and at least annually
Documenting roles and responsibilities (e.g., facilitator, content developer) for training programs, along with specific training requirements (e.g., acceptable use)
Periodically refreshing training programs based on feedback from information security training participants
Documenting and maintaining training history (e.g., completed, not completed) for Enterprise personnel
Making the Enterprise Corporate ITSRC policies and standards available to Enterprise personnel

Security Culture

Evaluation of Training Material

The Enterprise IT Security must evaluate and refine training and awareness materials at least annually to:
Reflect changes in the Enterprise Corporate ITSRC policies and standards
Reflect the current security threat landscape (e.g., cyber-attacks, malware outbreaks)
Tailor messaging based on Enterprise personnel roles and responsibilities
Improve training materials based on feedback from training participants
Measure training for relevance, quality, and overall effectiveness

Security Culture

Personnel Management

Background verification checks on all contractors and third party users are carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

Security Culture

Personnel Management

Background verification checks on full-time employees are carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

Security Culture

Responsibilities of Line of Business Users

Users must, at minimum, "lock" their computers when their workspace is unattended.
Users must keep documents or electronic media with information classified as confidential out of plain sight. Information classified as confidential must also be encrypted using the Enterprise-approved protocols outlined in the Enterprise ITSRC (tier 2) Encryption Standard.
Passwords must not be posted on or around information resources or in any other publicly accessible location.
Copies of documents containing information classified as confidential must be removed from multifunctional devices (e.g., facsimile machines, printers, scanners) when left unattended.

Security Culture

User Roles and Responsibilities

Information security responsibilities for employees, contractors, and third party vendors are clearly defined. Information security activities are coordinated by appropriate personnel.
The organization has a chief security officer who is responsible at the organization level for overseeing and coordinating information security throughout the organization. The chief security officer has delegates in each BU/CF to ensure awareness and consistency of IT security activities and programs.

Application Development

Systems Design

Activities required for data conversion projects follow the Enterprise Application Development Standard. Conversion of company record(s) is performed in accordance with the applicable Record and Information Policy. Parallel testing is conducted to validate new or enhanced application(s) against the original application. The conversion of data includes applicable records management and data management practices.

Application Development

Systems Design

Business requirements for new information systems or enhancements to existing information systems are specified and implemented in accordance with the applicable change management standard(s) or policy.

Application Development

Systems Design

System data architecture requirements have been considered and implemented in accordance with the Enterprise Enterprise Data Management Policy. This can include:
- data definition (including data dictionary)
- data modeling
- authoritative source data
- standard naming convention

Application Development

Development Methodologies

Application Development Standards have been formally established and define baseline software development requirements for in-house and 3rd party applications.

At minimum, the standards include:

- Project planning
- Business and Feasibility Requirements
- Design Specification
- Quality assurance (testing) standards and procedures
- Training
- Data Management activities
- Change Management standards

Application Development

Version Repository

A centralized repository system is used to track and maintain application configuration items, including details on software versions, patches, and release upgrades.

Application Development

Version Repository

Access to source code repositories and to the tools used to promote code changes is appropriately restricted.

Application Development

Application Development Quality Control Requirements

Test environments provide an adequate representation of the production environment for application changes.

Application Development

Application Development Quality Control Requirements

Testing requirements for the development and maintenance of in-house developed applications, and for modifications to 3rd party applications, are performed in accordance with the quality assurance standard.

Testing may include unit, integration, system, user acceptance, end-to-end, parallel, regression, stress/performance/volume, and security testing.

Application Development

Application Development Quality Control Requirements

The need for automated validation checks and controls within an application is considered as part of the functional specifications during SDLC development and addressed in the application's design. This can include, but is not limited to:
- Data entry and validation checks (i.e., data format or values are as expected)
- Control total checks (e.g., record counts)
- Automated calculations
- Requirements for ensuring authenticity and protecting message integrity

Information Management

Access to Information

Access to the Enterprise information resources must adhere to the following requirements:
Granted based on the principle of least privilege (e.g., minimum access required to perform a job function) and segregation of duties.
Restricted to authorized users, roles, and groups through authentication and authorization based on business need.
Approved by the Enterprise corporate or business unit assigned information resource owner(s).
Removed when IDs are no longer needed and IDs do not affect the operating environment.

3 - Critical

3 - Critical

Information Management

Access to Information

Information classified as confidential that is available in hard copy within the Enterprise premises must be protected and not left unattended.

Information Management

Access to Information

Information resources susceptible to malicious code must be evaluated at periodic intervals. Approved anti-malware solutions must be installed, active, and configured to run and scan automatically.

Information Management

Access to Information

Information resources that are determined to be high risk must undergo an annual review and certification to confirm that access is appropriate.

Information Management

Access to Information

Locations that are designated as file rooms, storage areas, or cabinets that contain information classified as confidential must remain locked at all times and be accessible only to those who are authorized.

Information Management

Access to Information

The Enterprise information resources (e.g., laptops, flash drives) that store information classified as confidential must be secured by business users by:
Using a cable lock to secure the information resource to a desk, stationary object, or other heavy furniture, OR
Locking the information resource in a cabinet or drawer if unattended for a long period of time

Information Management

Access to Information

Work areas (e.g., desks, conference rooms, offices) throughout the Enterprise corporate functions and business units, when not under direct control or management, must be cleared of any media, including paper, that contains Confidential information, or such media must be appropriately secured (e.g., locked cabinets, locked office).

Information Management

Information Lifecycle Management

Disposal of information system data and media adheres to the applicable disposal procedure. Equipment containing storage media (e.g., hard drives) is checked to ensure that any sensitive data and licensed software has been removed or overwritten prior to disposal.

Information Management

Information Lifecycle Management

Processes and procedures have been established and documented to comply with the requirements set forth in the Enterprise Records and Information Management (RIM) Policy and the Enterprise Global Information Handling Policy. Requirements for data retention have been communicated to all personnel, including the data back-up service provider (e.g., Enterprise, HP, Iron Mountain), and are monitored for compliance.

Information Management

Information Storage

Multifunctional devices (MFDs) must be configured by MFD Administrators for secure printing and scanning. Secure usage, printing/imaging devices, and MFDs used for producing hard copies of information classified as confidential must be set up as follows:
Devices must be situated in a location that is physically restricted to authorized personnel and accessed by Enterprise-approved authentication mechanisms (e.g., PIN codes, smartcards)
Access to configuration settings must be restricted to authorized personnel
Hard drives must be encrypted using the Enterprise-approved encryption protocols
Hard drives must be purged monthly to remove any residual data stored in memory, or a process of a rolling buffer which overwrites data must be maintained

Information Management

Information Storage

Processes are developed, implemented, and managed to protect documents, computer media, input/output information system data, and system documentation from unauthorized disclosure, modification, falsification, removal, and destruction.

Information Management

Information Encryption

Controls have been developed, implemented, and maintained to encrypt confidential information and software when distributed over public (Internet), wireless, or other uncontrolled networks (e.g., non-Enterprise e-mail, client FTP sites, etc.).

Information Management

Information Encryption

Information classified as Confidential may only be distributed via public (Internet), wireless, or other uncontrolled networks if it has been encrypted.

Information Management

Information Encryption

The Enterprise information resource owners must use the Enterprise-approved encryption protocols and mechanisms (e.g., encrypted containers) to encrypt, at a minimum, the following information:
Information classified as confidential that is transmitted over uncontrolled networks (e.g., Internet, third-party, or other public networks) and controlled networks (e.g., VPN, DMZ)
Information classified as confidential that is at rest or stored on the Enterprise information resources. Where this is not feasible, mitigating controls defined by the Enterprise IT Security and Data Privacy must be applied
Information classified as confidential stored on mobile devices or removable media (e.g., USB storage device, CD-ROM)

Information Management

Information Classification

Confidential information in electronic form must display the information classification in a manner appropriate to the media that allows for appropriate protection and management of the information. Where labeling is not feasible, other means of designating the classification of information may be applied (e.g., meta-data).

Information Management

Information Classification

Confidential information in printed form must display the information classification.

Information Management

Information Classification

Confidential information, regardless of media, format, or location, must be labeled with the applicable data classification and attributes.

Information Management

Information Classification

Information resource owners must document, implement, and maintain processes and controls to adhere to the Enterprise Information Handling Policy, including:
Assign and define the appropriate classification of information, unless otherwise specified or delegated
Periodically review and update classifications and labels to confirm that classifications and labels are applicable and valid
Define mitigating controls and coordinate with the Enterprise IT Security and the Enterprise Compliance Office where information labeling is not feasible

Information Management

Information Classification

Information resource owners must document, implement, and maintain processes and controls to label information classified as confidential, regardless of media, format, or location, with the applicable data classification labels.

Information Management

Information Classification

Processes are documented, implemented, and maintained to ensure that confidential information, regardless of media, format, or location, is labeled with the applicable data classification and attributes, and is handled in accordance with the applicable corporate data classification policy.

Information Management

Information Classification

The Enterprise information resource owners must maintain accurate information labels based on the information classification criteria defined within the Enterprise Information Handling Policy, by:
Maintaining accurate information labels for information classified as confidential
Specifying a retention date for information classified as confidential based on the requirements defined in the Enterprise Records and Information Management Policy and the Enterprise Records Retention Schedule. Records Management must define and approve retention dates.
Specifying a review date for reclassification of information classified as confidential based on the requirements defined by the Enterprise Compliance Group. Reclassifications must be approved by the Enterprise Compliance Office.

Information Management

Information Classification

The Enterprise personnel (e.g., employees, directors, officers, contractors) and other personnel of the Enterprise functions, lines of business, and regions must apply the following classification requirements when handling (e.g., usage, storage, disposal) information as defined by the Enterprise Information Handling Policy:

3 - Critical

The Enterprise Information Classifications

- Firm Confidential
This classification applies to sensitive non-public business information of the Enterprise or the Enterprise functions, lines of business, and regions.
This classification applies to, but is not limited to, trade secrets and know-how, merger and acquisition plans, internal documents prepared in connection with actual or anticipated litigation, and internal audit reports.
Access to such information must be restricted and sharing must be limited, even between the Enterprise or the Enterprise functions, lines of business, and regions.
- Customer/Employee Confidential
This classification applies to non-public information and information subject to legal protection about, or belonging to, the Enterprise or the Enterprise customers, customers of the Enterprise or the Enterprise business partners, other third parties with which the Enterprise or the Enterprise do business, and the Enterprise functions, lines of business, and regions personnel.
Customer/Employee Confidential information includes Personal Information or Sensitive Personal Information about an individual that is handled by, or is under the control of, the Enterprise functions, lines of business, and regions (whether or not such Personal Information is publicly available from other sources external to the Enterprise functions, lines of business, and regions).
Any reference to Personal Information also includes Sensitive Personal Information.
- Restricted
This classification applies to the Enterprise functions, lines of business, and regions non-public business information that is not as sensitive as Firm Confidential, but which must still not be disclosed outside of the Enterprise functions, lines of business, and regions, as it is intended for internal use only.
This classification applies to, but is not limited to, general internal correspondence between Enterprise personnel, including memoranda and emails, or marketing plans or techniques, provided that the information does not require the level of confidentiality applied to Firm Confidential information.
- Publicly Accessible
This classification applies to information that has been explicitly approved by the Enterprise or the Enterprise functions, lines of business, and regions for release to the public.
This classification applies to, but is not limited to, public-facing websites, product and service brochures, advertisements, public recruitment announcements, and press releases.
This information is not intended to be confidential.

Information Management

Information Classification

Unclassified and un-vetted information must be treated as Firm Confidential.

Information Management

Authorized Use of Information

Existing configuration of the Enterprise information resources must not be modified by System Administrators in a manner that affects the intended functionality, degrades the performance, or causes damage to the information resource.

Information Management

Authorized Use of Information

Guidelines for the acceptable use of information and assets associated with information processing facilities have been established and are adhered to.

Information Management

Authorized Use of Information

Information stored, sent, or received using the Enterprise information resources is the property of the Enterprise, and no privacy must be expected.

Information Management

Authorized Use of Information

Occasional, incidental, or personal use of the Enterprise information resources is permitted, provided that such use does not interfere with work performance, have undue impact on operations, or violate the Enterprise ITSRC standards, processes, and controls.

Information Management

Authorized Use of Information

The following is prohibited when using the Enterprise information resources:
Activity that is unauthorized, unlawful, or illegal according to local, state, country, or international law
Violations of the rights of a person or of the Enterprise protected by copyright, trade secret, patent, or other intellectual property
Installation, distribution, or use of pirated or other software products that are not appropriately licensed for use by the Enterprise
Unauthorized copying of copyrighted material, including, but not limited to, digitization and distribution of copyrighted sources
Unauthorized intentional introduction of malicious code (e.g., Trojans, viruses) into the Enterprise information resources
Providing information about the Enterprise personnel (e.g., lists, personal information), including information classified as confidential, to unauthorized parties outside the Enterprise
Making fraudulent offers of products, items, or services originating from an Enterprise account
Accessing or viewing pornography, nudity, or similar offensive and illicit material
Use of profanity, obscenity, or other language or terms offensive to another user, including, without limitation, jokes or derogatory comments directed toward members of a race, gender, disability, age, sexual orientation, religious beliefs and practice, political beliefs, or national origin
Interception of communication intended for others, or misrepresentation as other users on the Enterprise information resources
Acts of waste that disproportionately burden the Enterprise information resources, including, but not limited to, sending chain or mass emails, playing games, engaging in non-business-related chat groups, downloading music or movies, using peer-to-peer software, or otherwise creating unnecessary network traffic

Inventory Management

Mobile Computing Equipment Inventory

The Enterprise mobile computing device administrators must document, implement, and maintain processes and controls to track the Enterprise-approved mobile computing devices, by assigning the following identifiers:
Device Name / ID
User ID
Device Serial Number
Device media access control (MAC) address, where technically feasible

Inventory Management

Technology Asset Inventory Processes

Asset owners and custodians are periodically reviewed for appropriateness and re-established as necessary.

Inventory Management

Technology Asset Inventory Processes

Inventories for applications and software are maintained and have nominated asset owners and custodians. The inventory is verified for accuracy on a recurring basis.

Inventory Management

Technology Asset Inventory Processes

Inventories for infrastructure are maintained and have nominated asset owners and custodians. The inventory is verified for accuracy on a recurring basis.

Inventory Management

Technology Asset Inventory Processes

Processes are in place to collect Enterprise-owned assets (laptops, ID cards, mobile phones, mobile storage, etc.) from employees, contractors, and third parties prior to termination of employment, contract, or agreement.

IT Governance

Information Model EIM / Information Management EDM

An enterprise information model has been established and is maintained to enable application development and decision-supporting activities to be conducted in accordance with the Enterprise Enterprise Data Management Policy.

IT Governance

Information Model EIM / Information Management EDM

Application data models are mapped to the Enterprise Information Model (EIM) and are compliant with the standards in the Enterprise Data Management (EDM) Data Policy.

IT Governance

IT Strategic Plan

A cost/benefit analysis is created for IT projects and is reviewed by management.

IT Governance

IT Strategic Plan

A process to communicate awareness and understanding of business and IT objectives and direction to appropriate stakeholders and users throughout the enterprise is defined and established. Management is able to communicate the objectives and direction of IT within the organization in the form of policy manuals, memoranda, e-mails, bulletin board notices, webcasts, and videotaped messages.

Gobierno de TI

Plan Estratgico de TI

A quality management system is established and maintained that provides a formal and continuous approach to quality
management

Err:508

Err:508

Gobierno de TI

Plan Estratgico de TI

Activities such as knowledge capture, knowledge sharing, succession planning, and staff backup are used to minimize the
exposure to critical dependency on key technology resources.

Err:508

Err:508

IT Governance

IT Strategic Plan

An annual IT budget is prepared by O&S Finance that accounts for information security and technology initiatives. The
budget is distributed to the Business and Corporate Functions, who manage and monitor performance against the budget.

IT Governance

IT Strategic Plan

Business and IT management define IT service requirements and demand, creating a catalog of services that IT management
has agreed to deliver and support.

IT Governance

IT Strategic Plan

Business cases and requirements are presented to boards or board-designated committees for review and approval during
project initiation, justifying the project rationale and overall scope and identifying desired system features.

The organization also adheres to funding and artifact requirements as detailed in the Enterprise Program Office (EPO)
Policy and by the respective Investment Decision Board (IDB).

IT Governance

IT Strategic Plan

An IT governance framework and mechanisms (e.g., decision-making committees) are in place that ensure the IT strategy and
associated investments are aligned to business objectives. Accountability for the delivery of the IT strategy and IT
projects/programs is clear.

IT Governance

IT Strategic Plan

IT governance/management practices and an organization structure have been established, reviewed and maintained to monitor
the planning and execution of IT strategies.
Management reports on the organization's progress toward identified goals are provided for senior management's review.

IT Governance

IT Strategic Plan

IT projects, programs and tactical plans are in place to carry out the objectives of the IT and Security Strategies. They
are re-evaluated and updated in alignment with the strategy at least annually.

IT Governance

IT Strategic Plan

IT staffing requirements are evaluated on a regular basis or upon major changes to the business, operational, or IT
environments.

IT Governance

IT Strategic Plan

Key Performance Indicators (KPIs) are developed, implemented and maintained to monitor the achievement of IT
objectives. Action items are defined, documented and communicated for the remediation, prioritization and escalation of
identified issues.

IT Governance

IT Strategic Plan

Major projects follow an established Program Management (PM) process. PM standards are in accordance with
organizational/project characteristics and risks and with the Enterprise Project, Program, Portfolio Management Policy.

IT Governance

IT Strategic Plan

Project feasibility and budgets are developed and documented within the business case. Project costing reports and
budgets, including budget to actual, are monitored against the approved business case throughout the project and reported
to management.

IT Governance

IT Strategic Plan

Risks faced by the project are established and centrally recorded. Specific risks associated with projects are eliminated or
minimized through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the
areas or events that have the potential to cause unwanted change.

IT Governance

IT Strategic Plan

The cost/recharge model (including chargebacks) and its underlying assumptions are reviewed for appropriateness and
relevance to the business and IT activities.

IT Governance

IT Strategic Plan

The organization has defined an IT Steering Committee responsible for providing guidance on information technology
decisions throughout the organization.

The committees include sufficient representation from business, technology, security, quality assurance, and audit
departments to ensure changes support business objectives and do not adversely affect operations or security.

IT Compliance

Dissemination of Policies and Procedures

Programs are in place to communicate requirements and monitor compliance with IT regulations, policies and standards. Issues
of non-compliance are documented and action plans are tracked through to resolution.

IT Compliance

Review of Policies and Procedures

Information technology policies and standards must be formally documented, approved, and provided to Enterprise
corporate function and business unit employees and relevant third parties, and they must be reviewed at least annually.

IT Compliance

Review of Policies and Procedures

Processes are developed, implemented and maintained to identify new statutes, laws, regulations and other legislative
actions that apply to the information technology environment of the organization, and changes to existing ones. IT policies,
risk assessments, and IT processes and controls are updated accordingly to reflect these changes.

IT Compliance

Review of Compliance with Standards

Information system compliance with security standards is assessed on a periodic basis (e.g., Security Software Assessment).

IT Compliance

Review of Compliance with Standards

IT technical compliance processes and controls must ensure that:
Access to information systems compliance tools is protected to restrict possible misuse or compromise.
IT compliance activities are carried out to verify that information systems are compliant with applicable security
implementation standards.
IT compliance activities are executed with minimal risk of disruption to business processes and production systems.
Processes are defined to respond to IT compliance findings, either by remediating controls to meet requirements or by
obtaining approval for exceptions.

IT Compliance

Review of Compliance with Standards

The Enterprise corporate functions and business units must implement, document, and maintain IT technical compliance
processes and controls to detect possible violations of IT security, risk, and compliance policies and standards.

IT Compliance

Review of Compliance with Standards

The Enterprise functions, lines of business, and regions must implement and adhere to the IT compliance examination
processes established by the Enterprise Global, including:
Organizing and preparing documents requested by IT examiners within established timelines
Tracking findings and gaps identified during IT compliance examinations
Providing responses to IT compliance examination findings within established timeframes
Monitoring and reporting on the status of examination requests, findings, and gaps to senior management of the Enterprise
functions, lines of business, and regions, and the Enterprise

IT Compliance

Review of Compliance with Standards

The Enterprise Global, in conjunction with the Enterprise functions, lines of business, and regions, must perform IT
compliance remediation activities, including:
Consolidating lists of findings and gaps identified during IT compliance examinations
Identifying non-compliance with the Enterprise IT policies and standards based on IT compliance examination findings and
gaps
Developing remediation plans (e.g., action plans with task ownership and target dates) to address IT compliance
examination findings and gaps, and monitoring progress of remediation plans
Managing and monitoring IT compliance remediation plans and exception requests

IT Compliance

Review of Compliance with Standards

The Enterprise Global, in conjunction with the Enterprise functions, lines of business, and regions, must develop metrics for,
and report on, IT compliance examination findings, gaps, and remediation plans to senior management.

IT Compliance

Review of Compliance with Standards

The Enterprise must coordinate compliance activities with the Enterprise Corporate and the Enterprise functions, lines of
business, and regions, including the following:
Ensure access to information systems compliance tools is protected by maintaining recertification of users according to the
Enterprise policy.
Ensure routine evaluation of applicable security standards to verify information systems compliance.
Ensure compliance monitoring processes do not cause business disruptions through application degradation or impact on the
overall performance of the Enterprise production systems.
Ensure action plans associated with the remediation of IT compliance findings meet the requirements of the controls.

IT Compliance

Review of Compliance with Standards

The Enterprise must coordinate IT compliance activities with the Enterprise corporate and the Enterprise functions, lines of
business, and regions, including the following:
IT compliance examination management
IT compliance remediation
IT compliance monitoring
IT reporting

IT Compliance

Review of Compliance with Standards

The Enterprise must define and implement an IT compliance program to enable the Enterprise functions, lines of
business, and regions to manage compliance with applicable IT legal, regulatory, and statutory requirements and contractual
obligations.

IT Compliance

Review of Compliance with Standards

The Enterprise must establish:
Processes to manage IT compliance examination requests
Processes to track findings and gaps resulting from IT compliance examinations and to manage associated documentation
(e.g., findings report, gaps report)

IT Compliance

Review of Compliance with Standards

The Enterprise must work with the Enterprise Corporate to enable the Enterprise functions, lines of business, and
regions to implement, document and maintain IT technical compliance processes and controls to detect possible violations
of IT security, risk, and compliance policies and standards.

Security Incident Management

Incident Analysis and Handling

Information security and data privacy incidents that require forensic investigation must adhere to the following:
The IRT must be trained in the collection, preservation, and transmission of data for forensic investigations
IT Security must be engaged prior to any information security and data privacy incident forensic investigation and must
approve the outsourcing of an investigation to a third party (legal entity, government entity, forensic investigation services)
Chain of custody processes must be observed for data movement
Information movement to third parties must be approved by IT Security, Legal and Compliance

Security Incident Management

Incident Analysis and Handling

Potential information security and data privacy incidents must be reported to the local/regional incident response team as
defined through the local incident management process. The IRT must:
Categorize each incident (e.g., security incident, data privacy incident, security and data privacy incident) upon receiving
the initial notification
Perform an initial diagnosis and document the details of the incident
Refer to the Incident Response Plan to assign a severity level for the incident; the Incident Response Plan should
define the severity levels and associated response times
Open a ticket to track the details and investigation steps of the event / incident

Security Incident Management

Incident Analysis and Handling

Prompt investigation of information security incident(s) involving the unauthorized acquisition of or access to electronic
records containing Personal Information is performed, including assessment of the nature and scope of the incident(s), the
individuals affected, and/or the integrity of the data systems.

Security Incident Management

Incident Analysis and Handling

The Enterprise functions, lines of business, and regions must identify and assign 24/7 support staff that can record and
communicate incident records in a common language or refer to a local/regional IRT (incident response team) to support
incident management.

Security Incident Management

Incident Analysis and Handling

Enterprise-identified information security and data privacy incidents must be investigated, diagnosed, and tested. Refer
to the Incident Response Plan for details on incident handling, including response plan development and execution.

Security Incident Management

Incident Analysis and Handling

The Enterprise information security and data privacy incident related information must be logged and secured. Designated
members of the IRT must record incident details in an incident reporting system. The information collected must include:
Date and time of initial notification
Date and time when the incident was discovered or occurred
IRT members involved in responding to the incident
Information resources (e.g., systems, programs, networks) affected

Security Incident Management

Incident Analysis and Handling

The Enterprise information security and data privacy incidents must be identified, categorized, and prioritized when an event
(e.g., attempt to gain unauthorized access, gather intelligence) appears to have a pattern or impact to the Enterprise.

Security Incident Management

Incident Analysis and Handling

The Enterprise IT Security must document, implement and maintain processes to support evidence collection and retention
in accordance with applicable regulatory requirements. The IRT must complete an assessment, identification, and remediation of
the underlying security vulnerability for incidents according to the Incident Response Plan.

Security Incident Management

Incident Analysis and Handling

The Enterprise IT Security, with input from the Enterprise information resource owners, must document, implement, and
maintain incident management processes and controls to identify, analyze, and resolve information security and data
privacy incidents (incidents), defined as follows (type of event: description):
Information Security Event: an information security event is any activity that generates a notification to the Enterprise
Information Security (e.g., monitoring tools, customer-suspected activities).
Information Security Incident: an information security incident is any suspected or confirmed breach of security controls,
policies and standards, or malicious activity.
Data Privacy Incident: a data privacy incident is any suspected or confirmed compromise or exposure of company data to an
unauthorized party.

Security Incident Management

Incident Analysis and Handling

The Enterprise must identify, assess, respond to, and monitor IT risks within its operating environment using the following
lifecycle phases:
Context Establishment
Risk Identification
Risk Assessment
Control Assessment
Risk Estimation and Evaluation
Risk Response
Risk Reporting

Security Incident Management

Incident Communication

The Enterprise employees and third parties must report suspected or confirmed information security incidents to BISOs
and/or the contact in the Security Schedule immediately upon discovery.

Security Incident Management

Incident Communication

The Enterprise IT Security, with input from the Enterprise and the Enterprise corporate communications departments, must
document, implement, and maintain processes and controls for incident-related communication to the initial reporter of the
incident, the general public or the Enterprise affiliates (e.g., other jurisdictions and regions), including the following:
Communicate actions taken to remediate an incident to the business user that reported the incident on a need-to-know
basis. Further updates may not include the initial reporter, but must include the Enterprise line management and IRT
The IRT, in coordination with the information resource owner(s), must contact the Enterprise and the Enterprise corporate
communications departments for the Enterprise information security and data privacy incidents that lead to sharing of
information with, or notification to, the general public
The Enterprise communications department must disseminate notice of information security and data privacy incidents to
the Enterprise affiliates (e.g., other jurisdictions and regions) who have responsibilities regarding the information resources
affected by the incident

Security Incident Management

Incident Response Plans

Incident response plans are in place for operational issues. Incidents are documented, investigated, escalated, and resolved
in a timely manner and according to applicable policies.

Security Incident Management

Incident Response Plans

The Enterprise and the Enterprise functions, lines of business, and regions must determine timelines to respond to IT risks
by creating and logging issues and associated action plans as necessary.

Security Incident Management

Incident Response Plans

The Enterprise corporate functions and business units must implement, document, and maintain incident response controls
and processes to manage reported and/or known events/incidents. This includes prompt investigation and response to
remediate incidents, including the following:
Incident response escalation procedures and roles and responsibilities must be defined.
Communication and contact procedures for incident reporting and escalation must be identified.
Formally documented processes must be readily available to support emergency situations.
Processes to support evidence collection and retention must be implemented, documented, and maintained to meet
regulatory requirements.
Incident response controls must be actively used and/or tested and maintained at least annually to enable recovery from
disruptions.
Security incidents must be formally documented and collected in a centralized repository, quantified (e.g., types, volumes,
costs) and monitored.

Security Incident Management

Incident Response Plans

The Enterprise IT Security must document, implement and maintain a globally accepted incident response plan document
that includes, at a minimum, the following:
Specific steps for implementation of the incident response plan
Roles and responsibilities of IRT and War Room members
Post-incident response analysis to determine incident response process improvements
Information security and data privacy incident scenarios that contain common procedures
Indicators for initiation of data collection and protection for forensic investigation
Typology of incidents, composed of incident types and affected data types

Security Incident Management

Incident Response Plans

Encryption Key Management (KLM)

Encryption Key Lifecycle Management

Controls have been developed, implemented and maintained to securely manage cryptographic keys protecting production
systems.

Encryption Key Management (KLM)

Encryption Key Lifecycle Management

Key management processes and controls must be implemented, auditable, and maintained.

Encryption Key Management (KLM)

Encryption Key Lifecycle Management

The Enterprise corporate functions and business units must implement, document, and maintain processes and controls
that apply approved cryptographic techniques to encrypt and protect the confidentiality of information based on risk, legal,
regulatory, and statutory requirements.

Encryption Key Management (KLM)

Encryption Key Lifecycle Management

The life span (e.g., cryptoperiod, expiration) of cryptographic keys used to protect information classified as confidential on
the Enterprise information resources must, at a minimum, meet the following requirements:
Adhere to the following cryptoperiods:
I. Asymmetric: annually
II. Symmetric: annually
Mitigate the risk of key compromise
Minimize the cost of key reissue

Encryption Key Management (KLM)

Approved Encryption Algorithms

The Enterprise IT Security must annually review the algorithms and protocols in use to determine adherence to the
Enterprise-approved encryption requirements.

Encryption Key Management (KLM)

Approved Encryption Algorithms

The Enterprise IT Security must approve encryption algorithms and protocols native to third-party software and third-party
vendors that are not compliant with the approved "Algorithm / Protocols" defined within this standard.

Encryption Key Management (KLM)

Approved Encryption Algorithms

The Enterprise IT Security must approve the use of encryption algorithms and protocols. Only the Enterprise-approved
encryption algorithms and protocols must be used, unless prohibited by local, state, county, country, or international law.

Encryption Key Management (KLM)

Approved Encryption Algorithms

The following have been approved for Enterprise usage (see Table 1 below).

Encryption Key Management (KLM)

Encryption Key Storage

The Enterprise information resource owners must document, implement, and maintain IT processes and controls to manage
the storage of cryptographic keys in production operating environments that contain information classified as confidential,
where not defined and distributed by the Enterprise IT Security, by:
Using the Enterprise-approved certificate storage and retrieval mechanisms (e.g., certificate repositories based on PKI)
where technically feasible
Restricting cryptographic key access to Enterprise-authorized users (e.g., information security, third-party key escrow)
that have agreed to a confidentiality agreement

Encryption Key Management (KLM)

Encryption Key Compromise

The Enterprise information resource owners must document, implement, and maintain IT processes and controls to manage
cryptographic keys in production operating environments that contain information classified as confidential when a known
compromise or incident has occurred, where not defined and distributed by the Enterprise IT Security, including the following
processes:
Immediate deactivation or destruction of cryptographic keys
Immediate notification to the Information Security team using the Enterprise Incident Management Process (please
refer to the Enterprise ITSRC (tier 2) Incident Management Standard for further details)

Encryption Key Management (KLM)

Encryption Key Generation and Distribution

Cryptographic techniques and tools are implemented in accordance with policy/standards, legal obligations, and regulatory
requirements.

Encryption Key Management (KLM)

Encryption Key Generation and Distribution

Keys must have the fewest number of authorized custodians and must be securely generated, transmitted, stored, and
managed throughout their lifecycle.

Encryption Key Management (KLM)

Encryption Key Generation and Distribution

Production infrastructure systems using cryptographic keys (keys) must utilize the Enterprise corporate function and
business unit-approved key management services and processes.

Encryption Key Management (KLM)

Encryption Key Generation and Distribution

The Enterprise information resource owners must document, implement, and maintain IT processes and controls to manage
generation and distribution methods for cryptographic keys in production operating environments that contain information
classified as confidential, where not defined and distributed by the Enterprise IT Security, including:
Aligning with the Enterprise IT Security on key generation and distribution services and processes
Generating cryptographic keys using the Enterprise-approved encryption protocols to encrypt authentication credentials or
information classified as confidential during transmission across networks or at rest (please refer to the Enterprise
ITSRC (tier 2) Encryption Standard for further details)
Generating cryptographic keys using secure methods (e.g., least privilege, dual control, split knowledge) to protect keys
from compromise
Distributing cryptographic keys to designated custodians within 24 hours of cryptographic key generation
Defining key custodian responsibilities and requiring that key custodians agree to the responsibilities defined through
formal acknowledgement (e.g., key custodian form)
Distributing cryptographic keys using only the Enterprise-approved out-of-band communication methods (e.g., secure
email, tamper-proof envelopes)
Restricting usage of cryptographic keys to a single activity or purpose (e.g., encryption, authentication)
Permitting the sharing of cryptographic keys between authorized parties

Encryption Key Management (KLM)

Encryption Key Deactivation and Destruction

Cryptographic keys must be destroyed using the Enterprise IT Security-approved disposal procedures. Prior to destruction,
the Enterprise information resource owner must verify whether or not cryptographic keys are associated with archived
data (e.g., backups). If cryptographic keys are associated with archived data, then necessary measures must be taken so
that archived data may continue to be retrieved.

Encryption Key Management (KLM)

Encryption Key Deactivation and Destruction

The Enterprise information resource owners must document, implement, and maintain IT processes and controls to manage
deactivation and destruction of cryptographic keys in production operating environments that contain information classified
as confidential, where not defined and distributed by the Enterprise IT Security, when:
A known compromise or incident has occurred
Cryptographic keys are scheduled to expire
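
The key lifecycle rules in this section (annual cryptoperiods, immediate deactivation on compromise, single-purpose keys, custodian distribution within 24 hours, and the archived-data check before destruction) can be applied mechanically to a key inventory. The following is an added example written for this page, not code from the standard or from any Enterprise tool; the key record fields (key_id, type, created, distributed, purposes, compromised, protects_archived_data) and the sample inventory are assumptions constructed for illustration.

```python
from datetime import date

# Cryptoperiods from the standard: annual for both key families.
CRYPTOPERIOD_DAYS = {"symmetric": 365, "asymmetric": 365}
DISTRIBUTION_DEADLINE_DAYS = 1   # keys go to designated custodians within 24 hours of generation


def evaluate_key(key, today):
    """Return the actions the standard requires for one key record (empty list = nothing due)."""
    actions = []
    age = (today - key["created"]).days
    period = CRYPTOPERIOD_DAYS[key["type"]]
    retire = False  # set when the key is leaving service, which triggers the archive check

    if key.get("compromised"):
        actions.append("compromise: deactivate or destroy the key immediately")
        actions.append("compromise: notify Information Security through the Incident Management Process")
        retire = True
    elif age > period:
        actions.append(f"cryptoperiod exceeded ({age} days > {period}): deactivate and reissue")
        retire = True

    # One key, one purpose (e.g., encryption or authentication, not both).
    if len(key.get("purposes", [])) != 1:
        actions.append("key must serve a single purpose (e.g., encryption or authentication)")

    # Custodian hand-over deadline; an undistributed key is measured against today.
    handed_over_after = ((key.get("distributed") or today) - key["created"]).days
    if handed_over_after > DISTRIBUTION_DEADLINE_DAYS:
        actions.append("not distributed to designated custodians within 24 hours of generation")

    # Destruction must not orphan archived data that was encrypted under this key.
    if retire and key.get("protects_archived_data"):
        actions.append("archived data (e.g., backups) depends on this key: preserve retrievability before destruction")
    return actions


def review_inventory(keys, today):
    """Map key_id -> required actions for every key that has at least one."""
    report = {}
    for key in keys:
        actions = evaluate_key(key, today)
        if actions:
            report[key["key_id"]] = actions
    return report


# Constructed inventory; identifiers and dates are illustrative only.
SAMPLE_INVENTORY = [
    {"key_id": "sym-db-0007", "type": "symmetric", "created": date(2023, 9, 1),
     "distributed": date(2023, 9, 1), "purposes": ["encryption"]},
    {"key_id": "rsa-backup-0002", "type": "asymmetric", "created": date(2022, 12, 1),
     "distributed": date(2022, 12, 1), "purposes": ["encryption"], "protects_archived_data": True},
    {"key_id": "sym-api-0031", "type": "symmetric", "created": date(2024, 1, 10),
     "distributed": date(2024, 1, 10), "purposes": ["encryption", "authentication"], "compromised": True},
    {"key_id": "sym-file-0044", "type": "symmetric", "created": date(2024, 2, 20),
     "distributed": date(2024, 2, 25), "purposes": ["encryption"]},
]


def review_demo(today=date(2024, 3, 1)):
    """Run the review over the constructed inventory as of a fixed date."""
    return review_inventory(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for key_id, actions in review_demo().items():
        print(key_id)
        for action in actions:
            print("  -", action)
```

The compromised key collects both the deactivation and the notification action regardless of its age, while the expired backup key additionally triggers the archived-data step because destroying it without re-keying or escrow would make the backups unreadable.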

Activity Monitoring and Logging

Remote Access Monitoring

Session recording of users' privileged activities on non-development servers must be conducted for non-Enterprise
entity users.

Activity Monitoring and Logging

Remote Access Monitoring

The Enterprise information resource administrators, with input from logging and monitoring administrators, must enable
logging and audit capabilities (e.g., sign-on, activity, connections) and disable the ability to automate authentication on the
client server for remote access, including remote administration.

Activity Monitoring and Logging

Privileged Access Monitoring

Access to sensitive data and all privileged or administrative actions are logged. Monitoring and reporting actions are
addressed based on risks and available technologies. Logs are retained in accordance with the applicable retention policy
and regulatory, statutory or industry requirements.

Activity Monitoring and Logging

Database Monitoring

Procedures for operational system activities have been defined to facilitate consistency in information processing, and in the
logging, monitoring and reporting of system events.

Activity Monitoring and Logging

Infrastructure and Application Resource Performance Monitoring

IT performance and capacity of IT infrastructure and applications are monitored and managed to meet current requirements
and are assessed to determine if sufficient capacity and performance exist to meet expected future requirements.

Activity Monitoring and Logging

Identity Management Monitoring

The Enterprise information resource owners must document, implement, and maintain processes and controls to log and
monitor user ID administration, including activities involving privileged user ID creations, deletions, and changes.

Activity Monitoring and Logging

Activity and Event Logging Policy

At minimum, information resource logging must be enabled to capture the following:
Privileged operations (e.g., the use of supervisor accounts, console log-on, system reboot, starting and stopping of system
services)
Unauthorized attempts (e.g., failed access, failed login attempts, failed or rejected actions)
System alerts or failures (e.g., system log exceptions, network management alarms)
Application logs to capture audit trails and monitor application security events
Network logs for network devices (e.g., routers, switches) to monitor traffic. For network activity, at minimum, the following
must be logged:
I. Internet traffic
II. Electronic mail traffic
III. LAN traffic
Operating system logs to enable the review of security parameters

Activity Monitoring and Logging

Activity and Event Logging Policy

At minimum, information resource logs must provide the following information:
Identity or name of the affected information resource (e.g., IP address, MAC address)
Type of event (e.g., create, read, update, or delete)
Date and time of the event
Associated user or system IDs
Events (e.g., user actions, system failures, device status changes)

Activity Monitoring and Logging

Activity and Event Logging Policy

For non-critical information resources, system logs must be stored locally and available for review for one month, at
minimum, where technically feasible.

Activity Monitoring and Logging

Activity and Event Logging Policy

IT systems are monitored for outages, performance degradation, and/or system events. Operational incidents (either
reported by users or from events generated by infrastructure) are appropriately identified, classified, recorded, and resolved.

Examples of system events may include:
1. File system utilization
2. CPU utilization
3. Database size and performance
4. Application response time
5. Ping response

The Enterprise must appoint a Chief Information Security Officer, or equivalent, who is responsible for overseeing and
coordinating information security throughout the Enterprise.

Activity Monitoring and Logging

Activity and Event Logging Policy

Logs are classified as Restricted unless Confidential information is exposed.

Activity Monitoring and Logging

Activity and Event Logging Policy

Security logging is enabled on all technologies, and logs are monitored for suspicious and unauthorized activity in accordance
with applicable security policy. Audit logs record user activities, data changes, exceptions and information security events,
and are kept for an agreed period for future investigations and access control monitoring. Security logs are protected against
tampering and unauthorized access.

Activity Monitoring and Logging

Activity and Event Logging Policy

The Enterprise corporate functions and business units must implement, document, and maintain logging and monitoring
processes and controls on critical information resources (e.g., systems, applications, network devices). Tools and processes
must be implemented, documented, and maintained to monitor the Enterprise corporate function and business unit
information resources and to provide notifications or alerts for suspicious events.

Activity Monitoring and Logging

Activity and Event Logging Policy

The Enterprise corporate functions and business units must perform the following as part of log management processes:
Logging facilities and log information must be protected against tampering and unauthorized access.
Logs recording user activities, faults, exceptions, and information security events must be produced, retained for 90 days,
and readily available based on the Enterprise Domestic Records Retention Schedule.

Activity Monitoring and Logging

Activity and Event Logging Policy

The Enterprise information resource owners must confirm that logs for critical Enterprise information resources are retained
and protected. The Enterprise information resource owners must document retention periods based on the information
resources that are logged and confirm that:
Logging facilities and log information are protected against tampering and unauthorized changes (e.g., modification or
alteration of log information, deletion of logs)
Logs containing user ID security events are retained for a minimum of 365 days. Log history must be available
for analysis (e.g., online, archived, restorable from back-up) for a minimum of 90 days
The Enterprise information resource host clocks are synchronized
Logs are retained based on the Enterprise Records Management requirements

Activity Monitoring and Logging

Activity and Event Logging Policy

The Enterprise information resource owners must define the criticality of their information resources for logging, monitoring,
and review. The Enterprise information resources that meet the following criteria are considered critical for logging,
monitoring, and review:
Required for business operations (i.e., if the business processes fail, business operations will also fail)
The information resource is repeatedly misused or infiltrated
Stores, processes, or transmits information classified as confidential or Customer/Employee confidential information
Requires logging enabled based on business need

Activity Monitoring and Logging

Activity and Event Logging Policy

The Enterprise IT Security, in coordination with the Enterprise information resource owners, must document, implement, and
maintain processes and controls to monitor and detect violations against IT security, risk, and compliance (ITSRC) policies
and standards and to record events or other incidents that are deemed inappropriate upon review. Audit trails, logs, and
reports must be maintained and reviewed periodically by an information security analyst to detect security breaches or
incidents. The results of such monitoring activities will be maintained for sufficient and required durations to support any
violation investigations.

Activity Monitoring and Logging

Review of Monitoring Logs

Log reviews can consist of manual review of log entries or automated review of the outputs of alerts or reports.

Activity Monitoring and Logging

Review of Monitoring Logs

The Enterprise Information Security Analyst and the Enterprise information resource owners must monitor, review, and
report violations against ITSRC policies and standards for critical Enterprise information resources. This includes the
following:
The Enterprise Information Security Analyst must report violations that are unauthorized, unlawful, or illegal according to
local, state, country, or international laws and regulations to the Enterprise IT Security and/or the proper authorities.
The Enterprise IT Security, in coordination with the Enterprise information resource owners, must implement an automated
solution for log collection and review. Where not technically feasible, logs must be reviewed by an Information Security Analyst
at least weekly, and at a greater frequency for information resources and applications defined as critical.

Activity Monitoring and Logging

Review of Monitoring Logs

The Enterprise IT Security and IT Regional Security, with input from the Enterprise functions, lines of business, and regions,
must document, implement, and maintain processes and controls to review the effectiveness of the information security
program by:
Establishing metrics to measure the effectiveness of the Enterprise information security program
Establishing metrics for monitoring and reporting of information security program related controls
Periodically reporting status on the information security program to the Enterprise senior management

PCI-DSS

Remote Access Administration

For information resources subject to PCI requirements, the Enterprise corporate functions and business units must
implement, document, and maintain processes and controls to restrict remote access to the Enterprise's information
systems, including the following:
Vendor remote access accounts used by vendors to access, support, and maintain information resources must be
monitored when in use.
Vendor remote access accounts used by vendors to access, support, and maintain information resources must be disabled
when not in use.
Vendor remote access accounts used by vendors to access, support, and maintain information resources must only be
enabled during the time period needed.

PCI-DSS

Encryption Key Lifecycle Management

For information resources subject to PCI requirements, the Enterprise corporate functions and business units must protect
keys used to secure cardholder data against disclosure and misuse by implementing, documenting, and maintaining key
management processes and procedures that include the following:
Generation of strong keys.
Secure key distribution, including the restriction of access to keys to the fewest number of custodians necessary.
Secure key storage, including the storing of keys securely in the fewest possible locations and forms.
Key-management procedures are implemented to require periodic key changes at the end of a defined cryptoperiod, as
defined by the associated application vendor or key owner, and based on industry best practices and guidelines (e.g., NIST
Special Publication 800-57).
Retirement or replacement (e.g., destruction, revocation) of keys as deemed necessary when the integrity of the key has
been weakened or keys are suspected of being compromised.
I. If retired or replaced keys are retained, they must be securely archived and must not be used for encryption
operations.
If manual clear-text cryptographic key management operations are used, these operations must be managed using split
knowledge and dual control.
Require the prevention of unauthorized substitution of cryptographic keys.
Require key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.

PCI-DSS

Encryption Key Lifecycle Management

The above requirements also apply to key-encrypting keys used to protect data-encrypting keys; such key-encrypting keys
must be at least as strong as the data-encrypting key.

PCI-DSS

Threat and Vulnerability Analysis

2. Address new threats and vulnerabilities for public-facing web applications on an ongoing basis and protect applications
against known attacks by either of the following methods:
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or
methods, at least annually and after any changes.
Installing a web-application firewall in front of public-facing web applications.

PCI-DSS

Threat and Vulnerability Analysis

For information resources subject to PCI requirements, the Enterprise corporate functions and business units must:

1. Implement, document, and maintain processes and controls to run internal and external network vulnerability scans that
identify vulnerabilities, including the following:
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
(e.g., new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Perform and review results of quarterly internal vulnerability scans by a qualified internal resource(s) or qualified external
third party. If an internal resource is used, this resource must be independent and does not need to be a QSA or ASV.
Perform and review results of quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), approved by
the Payment Card Industry Security Standards Council (PCI SSC).
Perform internal and external scans after any significant change.
Perform external and internal penetration testing at least once a year and after any significant infrastructure or application
upgrade or modification (e.g., an operating system upgrade, a sub-network added to the environment). These
penetration tests must include network layer penetration tests, application layer penetration tests, and web application
penetration tests.
Check specific vulnerabilities including cross-site scripting, injection flaws (particularly SQL injection), malicious file
execution, insecure direct object references, cross-site request forgery (CSRF), information leakage and improper error
handling, broken authentication and session management, insecure cryptographic storage, insecure communications, and
failure to restrict URL access.
Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.

PCI-DSS

Risk Analysis

For information resources subject to PCI requirements, the Enterprise corporate functions and business units must
document and approve IT security, risk, and compliance usage policies and standards for critical technologies (e.g., remote-access technologies, wireless technologies, removable electronic media, laptops).

PCI-DSS

Information Security Awareness and Outreach Campaigns

[PCI] For information resources subject to PCI requirements, the Enterprise corporate functions and business units must
implement a formal security awareness program to make all personnel aware of the importance of cardholder data security,
including the following:
Educate the Enterprise personnel upon hire and at least annually.
Require the Enterprise personnel to acknowledge at least annually that they have read and understood ITSRC information
security policies and standards.

PCI-DSS

Information Security Awareness and Outreach Campaigns

For information resources subject to PCI requirements, the Enterprise corporate functions and business units must
implement, document, maintain, and disseminate IT security, risk, and compliance information security policies and
standards that include the following:
Coverage of all PCI Data Security Standard (DSS) requirements.
An annual process that identifies threats and vulnerabilities and results in a formal risk assessment.
An annual review of information security policies and standards, and a review whenever the environment changes.
Daily operational security procedures that are consistent with PCI requirements and include administrative and
technical procedures for each requirement.

PCI-DSS

Information Encryption

For information resources subject to PCI requirements, the Enterprise corporate functions and business units must
implement, document, and maintain processes and controls to ensure that cardholder data is secure while in transit and
while at rest, including the following:
For wireless networks transmitting cardholder data or connected to the cardholder data environment, industry best
practices (e.g., IEEE 802.11i) are used to implement strong encryption for authentication and transmission.
I. The use of WEP as a security control is prohibited as of 6/30/2010.
Strong cryptography and security protocols (e.g., SSL/TLS or IPSEC) must be used to safeguard cardholder data when it is
transmitted or received over open, public networks.
Unprotected Primary Account Numbers (PANs) must never be sent using end-user messaging technologies (e.g., email,
instant messaging).
I. PAN must be rendered unreadable, or secured with strong cryptography, whenever it is sent via end-user messaging
technologies.
PANs must be masked when displaying cardholder data, except for employees or other parties with a legitimate business
need to see the full PAN.
PAN must be rendered unreadable anywhere it is stored, including on portable digital media, backup media, and in logs, by
using any of the following approaches:
a. One-way hashes based on strong cryptography (the hash must be of the entire PAN).
b. Truncation (hashing cannot be used to replace the truncated segment of the PAN).
c. Index tokens and pads (pads must be securely stored).
d. Strong cryptography with associated key-management processes and procedures.
When disk encryption is used, logical access must be managed independently of native operating system access control
mechanisms. Decryption keys must not be tied to user accounts.
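The following Python is an added example written for this page to show what the PAN requirements above look like in code (display masking, storage truncation, a one-way hash of the entire PAN, and scrubbing PANs out of log lines before they are written). It is not code from the Enterprise or from PCI SSC. The test card number, the HMAC key and the log line are constructed; the keyed HMAC-SHA256 is this example's choice for "one-way hash based on strong cryptography", which the page does not pin to a specific algorithm, and the Luhn filter is added to keep the log scrubber from masking unrelated long numbers.

```python
"""Added example: PAN protection helpers (masking, truncation, keyed hashing, log scrubbing).
All inputs below are constructed test data, not real cardholder data."""
import hashlib
import hmac
import re

# A PAN is 13 to 19 digits; the lookarounds stop us matching inside longer digit runs.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check; used to tell PANs from other long numbers (order ids, epoch timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: show at most the first six and the last four digits."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN-shaped value")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: the middle digits are discarded, not masked, so they cannot be recovered."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN-shaped value")
    return pan[:6] + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way hash of the entire PAN.

    A keyed HMAC-SHA256 is used here (this example's assumption; the page only says
    'strong cryptography'). An unkeyed hash would let anyone who also holds the truncated
    form brute-force the six unknown middle digits, which is why the page says hashing
    cannot replace the truncated segment.
    """
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 256 bits")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Render any Luhn-valid 13-19 digit run unreadable before the line reaches a log file."""
    def _replace(match: "re.Match[str]") -> str:
        run = match.group(0)
        return mask_pan(run) if luhn_ok(run) else run
    return _PAN_CANDIDATE.sub(_replace, line)


if __name__ == "__main__":
    test_pan = "4111111111111111"                          # constructed test-card number
    key = b"constructed-example-key-0123456789abcdef"    # 40 bytes; a real key lives in a key store
    print(mask_pan(test_pan), truncate_pan(test_pan), hash_pan(test_pan, key)[:16])
    print(scrub_log_line("order 9876543210123 paid with 4111111111111111"))
```

In practice the HMAC key belongs under the key-management controls of the "Encryption Key Lifecycle Management" rows above (generation, custodians, cryptoperiod), and the scrubber should sit in the logging pipeline rather than be called ad hoc, so that the "in logs" requirement holds for every component.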

PCI-DSS

Anti-Malware Configuration

[PCI] For information resources subject to PCI requirements, the Enterprise corporate functions and business units must
deploy anti-virus software on all critical systems, including those that are commonly affected by malicious software. This
includes, but is not limited to, personal computers and servers. The Enterprise corporate functions and business units must
ensure that the implemented antivirus software includes the following:
Antivirus software is capable of detecting, removing, and protecting against all known types of malicious software.
Antivirus software is current, actively running, and generating audit logs.

PCI-DSS

Information Access Control

2. Implement, document, and maintain an access control system, for information resources with multiple users, that restricts
access based on a user's need to know, including the following requirements:
Coverage of all PCI information resource system components.
Assignment of privileges to individuals based on job classification and function.
A default setting of "deny all" unless access is specifically allowed.

PCI-DSS

Information Access Control

For critical technologies, the Enterprise corporate functions and business units must ensure usage policies and standards
require the following:
Explicit approval from authorized parties to use the technologies.
Technology use be authenticated with user ID and password or other authentication item (e.g., token).
A list of technologies and personnel authorized to use these devices.
Labeling of technologies with information that can be correlated to owner, contact information, and purpose.
Acceptable uses for the technology.
Acceptable network locations for the technologies.
A list of company approved products.
Activation of remote-access technologies for vendor remote access is required.
Automatic disconnect of sessions for remote-access technologies used by vendors and business partners only when
needed by vendors and business partners, with immediate deactivation after use.
Prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when
accessing such data via remote-access technologies.
The protection of cardholder data in accordance with PCI DSS requirements.

PCI-DSS

Intrusion Detection

2. Deploy the following processes and controls to securely monitor the cardholder environment:
Intrusion-detection systems (IDS) and/or intrusion-prevention systems (IPS) must monitor all traffic at the perimeter of the
cardholder data environment, as well as at critical points inside the cardholder data environment, and alert personnel to
suspected compromises. All intrusion-detection and prevention engines, baselines, and signatures must be kept up to date.
File-integrity monitoring or change-detection software must monitor logs to ensure that existing log data cannot be
changed without generating alerts (although new data being added should not cause an alert). These file-integrity
monitoring tools must be configured to alert personnel to unauthorized modification of critical system files, configuration
files, or content files and to perform critical file comparisons at least weekly.

PCI-DSS

Secure Development Standards

[PCI] For information resources subject to PCI requirements, the Enterprise information resource owners must prevent
common coding vulnerabilities in software development processes by verifying that processes and controls require training
in secure coding techniques for developers.

PCI-DSS

Identity Management

For information resources subject to PCI or FFIEC requirements, the Enterprise corporate functions and business units must
use two-factor authentication for remote access to the network.

PCI-DSS

Patch Management

For information resources subject to PCI requirements, the Enterprise functions, lines of business, and regions must:
Install the latest vendor-supplied security patches to protect information resources from known vulnerabilities.
Align with the Enterprise ITSRC and the Enterprise IT Security enterprise-wide threat and vulnerability management
program to identify and assign a risk ranking (e.g., CVSS base score of 4.0 or above, vendor-supplied patches classified by
the vendor as critical) to discovered security vulnerabilities.

PCI-DSS

Incident Response Plans

For information resources subject to PCI requirements, the Enterprise corporate functions and business units must
implement, document, and maintain an incident response plan and be prepared to respond immediately to a security
breach. The Enterprise management must assign, to an individual or team, responsibilities to distribute security incident
response and escalation procedures and to ensure timely and effective handling of all situations.

PCI-DSS

Incident Response Plans

For information resources subject to PCI requirements, the Enterprise IT Security must document, implement, and maintain
an incident response plan, be prepared to respond immediately to a security breach, and test the incident response plan at
least annually.

PCI-DSS

Incident Response Plans

The incident response plan must address the following, at a minimum:

Formally documented roles, responsibilities, and communication and contact strategies, including the notification of credit
card payment brands, at a minimum.
Business recovery and continuity procedures.
Data back-up processes.
Analysis of legal requirements for reporting compromises.
Coverage and response procedures for all critical system components.
Reference or inclusion of incident response procedures from the payment brands.
Annual testing of incident response plan(s).
Designated specific personnel to be available on a 24/7 basis to respond to alerts.
Appropriate training for staff with security breach response responsibilities.
Inclusion of alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems.
Processes to modify and evolve the incident response plan according to lessons learned and to incorporate industry
developments.

PCI-DSS

Activity and Event Logging Policy

3. Implement processes and controls to ensure the availability and timely review of audit logs for the cardholder
environment, including the following:
Logs must be available for at least one (1) year, and processes must be established to immediately restore at least the last
three months' logs for immediate analysis.
Logs for all system components must be reviewed at least daily by appropriate Enterprise management.
Log reviews must include servers that perform security functions, such as intrusion detection (IDS) and authentication,
authorization, and accounting (AAA) servers.

PCI-DSS

Activity and Event Logging Policy

4. Verify that shared hosting providers have logging and audit trails enabled that are unique to each entity's cardholder
data environment and that are consistent with PCI DSS requirements (if a shared hosting provider is utilized).

PCI-DSS

Activity and Event Logging Policy

For information resources subject to PCI requirements, the Enterprise corporate functions and business units must:

1. Implement processes and controls to automate the recording of audit trails so that individual user access to cardholder
data can be logged and retained as needed. Audit trail logging and monitoring must include the following:
Logging and audit trails must be enabled and unique to each entity's cardholder data environment.
All access to system components (especially administrative-level access, such as root) must be linked to each individual
user.
Automated audit trails must be implemented for all system components to reconstruct all actions taken by any individual
with root or administrative privileges.
All individual accesses to cardholder data must be logged.
All access to audit trails must be logged and monitored.
Audit trail viewing must be specifically limited to only those with a job-related need.
Audit trails must be protected from unauthorized modification through access control mechanisms, physical segregation,
and/or network segregation.
Audit trail files must be promptly backed up to a centralized log server or media that is difficult to alter.
Logs for external-facing technologies must be written onto a log server on the internal LAN.
Automated audit trails must be implemented for all system components to reconstruct the following events:
I. Invalid logical access attempts.
II. Use of identification and authentication mechanisms.
III. Initialization of audit logs.
IV. Creation and deletion of system level objects.
V. User identification.
VI. Type of event, date and time, success or failure indication for the event.
VII. Origination of the event.
VIII. Identity or name of affected data, system, component, or resource.
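As an added example, not code from the Enterprise or from PCI SSC, the following Python builds an audit trail whose records carry the event fields listed above (user, event type, date and time, outcome, origination, affected resource) and links each record to the previous one by hash. It serves two rows of this matrix at once: the requirement here that audit trails be protected from unauthorized modification and reconstruct actions by root or administrative users, and the "Intrusion Detection" row above, whose change-detection rule is that existing log data must not change without an alert while new data being appended must not alert. The sample events, the `PRIVILEGED_IDS` set and the SHA-256 chain are this example's own constructions; a production deployment would also ship the head digest to a separate log server, as the row above requires.

```python
"""Added example: a hash-chained audit trail carrying the event fields listed above.
Each entry commits to the previous entry's digest, so editing or deleting an earlier
record breaks every later link, while appending new records does not. Sample events
are constructed."""
import hashlib
import json
from typing import Dict, List, Tuple

# The fields every audit record must carry (items V to VIII of the list above).
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "outcome", "origin", "target")
GENESIS = "0" * 64
PRIVILEGED_IDS = {"root", "Administrator"}   # constructed; in practice drawn from the account inventory


def canonical(record: Dict[str, str]) -> bytes:
    """Stable serialisation so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link_digest(prev_digest: str, record: Dict[str, str]) -> str:
    """Digest of this record bound to the digest of the record before it."""
    return hashlib.sha256(prev_digest.encode() + canonical(record)).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[Dict] = []   # each: {"record": {...}, "prev": hex, "digest": hex}

    def append(self, **fields: str) -> str:
        """Append one event; rejects records that lack a required field."""
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"audit record missing required fields: {missing}")
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        digest = link_digest(prev, fields)
        self.entries.append({"record": dict(fields), "prev": prev, "digest": digest})
        return digest


def verify_chain(entries: List[Dict]) -> Tuple[bool, int]:
    """Recompute every link. Returns (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or entry["digest"] != link_digest(prev, entry["record"]):
            return False, i
        prev = entry["digest"]
    return True, -1


def head_still_intact(entries: List[Dict], snapshot_len: int, snapshot_digest: str) -> bool:
    """Change-detection rule: a monitor remembers (length, head digest) from its last run and
    re-verifies that prefix. Appended entries beyond the prefix do not raise an alert;
    any change or deletion inside it does."""
    if snapshot_len == 0:
        return True
    if len(entries) < snapshot_len or entries[snapshot_len - 1]["digest"] != snapshot_digest:
        return False
    ok, _ = verify_chain(entries[:snapshot_len])
    return ok


def privileged_actions(entries: List[Dict]) -> List[Dict[str, str]]:
    """Reconstruct every action taken with root or administrative privileges."""
    return [e["record"] for e in entries if e["record"]["user_id"] in PRIVILEGED_IDS]


if __name__ == "__main__":
    trail = AuditTrail()
    trail.append(user_id="root", event_type="login", timestamp="2024-01-01T00:00:00Z",
                 outcome="success", origin="10.0.0.5", target="db01")
    trail.append(user_id="alice", event_type="read_cardholder_data", timestamp="2024-01-01T00:01:00Z",
                 outcome="success", origin="10.0.0.7", target="db01")
    print(verify_chain(trail.entries), len(privileged_actions(trail.entries)))
```

The weekly "critical file comparison" the Intrusion Detection row asks for is, in these terms, a scheduled call to `head_still_intact` with the snapshot taken at the previous run, followed by storing the new head.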

PCI-DSS

Password Policies

[PCI] For information resources subject to PCI requirements, the Enterprise corporate functions and business units must
implement a comprehensive password management system that includes the following:
Minimum password length of at least 7 characters.
User passwords must be changed at least every 90 days.
User passwords must contain both numeric and alphabetic characters.
Individuals must be restricted from submitting a new password that is the same as any of the last 4 passwords.
Repeated access attempts must be limited by locking out the user ID after no more than 6 attempts.
Lockout duration must be set to a minimum of 30 minutes or until a system administrator enables the user ID.
User identity must be verified when performing password resets.
First-time passwords must be set to a unique value for each user and changed immediately after the first use.
Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
IT security, risk and compliance (ITSRC) authentication and information security policies and standards must be
communicated to all users who have access to cardholder data.
Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords,
simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
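The following Python is an added example written for this page, not code from the Enterprise or from PCI SSC, showing the password rules above enforced in one place: the 7-character minimum, the alphabetic-plus-numeric rule, rejection of any of the last 4 passwords, lockout after 6 failed attempts for 30 minutes, the 90-day maximum age and the must-change flag on a first-time password. Salted PBKDF2-HMAC-SHA256 is this example's choice for "strong cryptography" in storage (the page names no algorithm), the usernames and passwords are constructed, and the clock is passed in as a parameter so the time-based rules can be exercised deterministically.

```python
"""Added example: enforcing the password-management rules listed above.
Hashing uses salted PBKDF2-HMAC-SHA256 (this example's choice); timestamps are passed in
so the behaviour is testable. Usernames and passwords below are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 7                      # "at least 7 characters"
HISTORY_DEPTH = 4                   # "not the same as any of the last 4 passwords"
MAX_FAILED_ATTEMPTS = 6             # lock "after no more than 6 attempts"
LOCKOUT = timedelta(minutes=30)     # "minimum of 30 minutes"
MAX_AGE = timedelta(days=90)        # "changed at least every 90 days"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def composition_problems(password: str) -> List[str]:
    """Length and character-class rules; returns an empty list when the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


class Account:
    def __init__(self, username: str, first_time_password: str, now: datetime) -> None:
        self.username = username
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, digest), newest last
        self.failed_attempts = 0
        self.locked_until: Optional[datetime] = None
        self.must_change = True          # first-time password: unique per user, changed on first use
        self.changed_at = now
        self._store(first_time_password)

    def _store(self, password: str) -> None:
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only what the reuse check needs

    def change_password(self, new_password: str, now: datetime) -> List[str]:
        """Return the list of policy violations; an empty list means the change was applied."""
        problems = composition_problems(new_password)
        if any(password_matches(new_password, s, d) for s, d in self.history):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self._store(new_password)
        self.changed_at = now
        self.must_change = False
        return []

    def authenticate(self, password: str, now: datetime) -> bool:
        if self.locked_until is not None:
            if now < self.locked_until:
                return False                     # still locked out; do not even check the password
            self.locked_until = None             # lockout expired; start counting afresh
            self.failed_attempts = 0
        salt, digest = self.history[-1]
        if password_matches(password, salt, digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT
        return False

    def password_expired(self, now: datetime) -> bool:
        return now - self.changed_at >= MAX_AGE
```

The administrator-unlock path the page allows ("or until a system-administrator enables the user ID") is simply clearing `locked_until`; an identity check of the requester, as the reset rule requires, belongs in front of that call rather than inside this class.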

PCI-DSS

Standards Compliance Review

For PCI DSS compliance, programs and processes are developed, implemented, and maintained so that all areas where payment
card data is handled, processed, transmitted, and stored meet industry standards. This includes encryption of data at rest
and in transit, as well as appropriate configuration controls for network segregation, access controls, and monitoring.

PCI-DSS

User Roles and Responsibilities

For information resources subject to PCI requirements, the Enterprise corporate functions and business units must:
1. Implement, document, and maintain access controls that limit access to only those individuals whose job requires such
access, including the following requirements:
Assignment of privileges to individuals based on job classification and function.
Documented approval by authorized parties specifying required privileges.
Implementation of access controls via an automated access control system.
Employment of at least one of the following methods to authenticate all users:
I. Something you know, such as a password or passphrase
II. Something you have, such as a token device or smart card
III. Something you are, such as a biometric
Authenticate all access to any database containing cardholder data, including access by applications, administrators, and
all other users.
Restrict direct user access or queries to databases to only database administrators.
Ensure that if a session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the
terminal or session.

PCI-DSS

Access Validation

[PCI] For information resources subject to PCI requirements, the Enterprise corporate functions and business units must
implement, document, and maintain processes and controls to secure systems and applications, including the following:
Remove or disable user accounts that have been inactive for over 90 days.
Remove custom application accounts, user IDs, and passwords before applications become active or are released to
customers.
Remove test accounts before production systems become active.
Not use group, shared, or generic accounts, passwords, or other authentication methods.

Data Loss Prevention (DLP)

Information Access Control

The office of the Enterprise CTO must document, implement, and maintain processes and controls to protect information
classified as confidential on mobile computing and mobile devices by:
Approving the Enterprise third party applications (e.g., email, office applications)
Implementing the Enterprise approved encryption protocols
Implementing remote wipe or block capabilities
Reporting loss or theft immediately to the Incident Response Team

Data Loss Prevention (DLP)

Use of Electronic Messaging Systems

The use of the Enterprise electronic messaging systems (e.g., email, instant messaging) is permitted to meet business goals
and objectives.

Data Loss Prevention (DLP)

Use of Electronic Messaging Systems

Usage of the Enterprise electronic messaging systems must adhere to the following requirements:
The creation and distribution of offensive electronic messages about race, gender, disabilities, age, sexual orientation,
pornography, religious beliefs and practice, political beliefs, or national origin is prohibited
Personal email accounts must not be used for business-related communications
Automatic forwarding of the Enterprise-related electronic messages to external accounts is not permitted
Electronic messages that attempt to hide the identity of the sender or represent the sender as someone else, unless
officially delegated, are prohibited
Instant Message (IM) communication is to be conducted using only the Enterprise-approved electronic messaging systems

Third-Party Security Review

Technology Asset Procurement Process

Controls are in place to consistently procure software and hardware equipment in accordance with applicable IT acquisition
policies, aligned with approved technology standards.

Third-Party Security Review

Vendor Management

A process exists to ensure adherence to applicable corporate policies in the engagement of third party vendors, and security
testing of technology service providers is performed based on risk to the organization.
Examples of security testing/assessments may include: Software Security Assessment (SSA), Security Assessment
Questionnaire (SAQ), Security Risk Acceptance (SRA).
Additionally, control objectives and audit results (e.g., SSAE16 reports) relating to the information technology of third party
services are reviewed.

Third-Party Security Review

Vendor Management

Processes and procedures are implemented prior to releasing/sharing confidential information with affiliates, vendors, and
other third parties. A verification is performed to ensure that the data can be shared in a secure manner, that proper
approvals and contractual provisions are in place, and that privacy requirements are being met.

Third-Party Security Review

Vendor Management

The creation, modification, and termination of third party IT services and contracts are performed consistent with vendor
governance requirements. Performance against contracts and vendor service agreements is monitored.

Third-Party Security Review

Vendor Management

Third party contracts, service level agreements (SLAs), and requests for proposals (RFPs) have been established with roles
and responsibilities for vendors/service providers.

Segregation of Duties

Roles and Responsibilities of Privileged Users / Developers

Developers/programmers do not have direct update access to production data or access to implement changes directly into
production environments.

Segregation of Duties

Roles and Responsibilities of Privileged Users / Developers

Duties and areas of responsibility between application development and production deployment are segregated from one
another.

Segregation of Duties

Roles and Responsibilities of Privileged Users / Developers

Periodic reviews of user access rights and segregation of duties for applications, data, and infrastructure are performed in
accordance with the user access standard. Where segregation of duties conflicts cannot be avoided, sufficient mitigating
controls are in place.

Segregation of Duties

Roles and Responsibilities of Privileged Users / Developers

Segregation of duties must be maintained among and/or within the different functions within the Enterprise.

Segregation of Duties

Roles and Responsibilities of Privileged Users / Developers

The Enterprise corporate functions and business units must implement, document, and maintain controls to manage
privileged IDs. Privileged IDs or administrative access must adhere to the following:
Administrative access must be logged, and additional periodic review of privileged access must occur.
Review of logs of activities performed by privileged IDs (e.g., system change activities).

Segregation of Duties

Roles and Responsibilities of Privileged Users / Developers

The Enterprise corporate functions and business units must incorporate segregation of duties into their processes to protect
the Enterprise information resources from unauthorized or unintentional modification or misuse.

Segregation of Duties

Roles and Responsibilities of Privileged Users / Developers

The Enterprise information resource owners must document, implement, and maintain processes and controls to protect Enterprise information resources through segregation of duties (SoD) between IT functions, including the following:
- Enterprise personnel must not have control of two or more related responsibilities for an information resource (e.g., creating and approving access for individuals)
- Access to information resources must be based on business need and job function (refer to the Enterprise ITSRC (tier 2) Access Control Standard for additional requirements)
- Enterprise personnel must not be assigned to, or perform, a combination (i.e., more than one) of the following functions:
I. Computer operations: process and back up information
II. Network management: acquire, maintain, and configure infrastructure devices (e.g., servers, routers)
III. System administration: access to modify information resource configuration and security parameters
IV. Database administration: configure and maintain databases
V. System development: implement new applications and/or services
VI. System management: manage and configure information resources
VII. Change management: manage changes (e.g., scheduled, emergency) to information resources
VIII. Security audit: monitor key security events for information resources
- Segregation of access levels between development and production environments must be enforced (i.e., users with development access must not make changes to production systems)
- Access to information classified as confidential must also be segregated (i.e., users with access to information classified as confidential must not be allowed to approve access requests to that same information)
- Where duties cannot be fully segregated, the information resource owner must document, implement, and maintain mitigating controls (e.g., passwords, dual authorization requirements)
- Delegated information security functions must be segregated from the organizations or groups responsible for information management and application development (e.g., password resets and system security administration must not be handled by developers or system owners)
- Where the default information resource configuration supports segregation of duties, combinations of special privileges (e.g., system administration and auditing) must be prevented


Segregation of Duties

Roles and Responsibilities of Privileged Users / Developers

The Enterprise information resource owners must provide the business requirements pertaining to segregation of duties to Enterprise IT for implementation. Segregation of duties must be monitored by information resource owners through access reviews.
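The access review that the two requirements above call for can be automated against an IAM export. The following is an added example and not part of the standard or of any Enterprise tooling: it takes constructed access records and reports the three SoD conflicts the standard defines (a user holding more than one of the eight incompatible IT functions, a user with both development and production access on the same system, and a user who can both read confidential data and approve access requests to it). The role names, system names, the `access_approver` role and the mapping from roles to the eight functions are assumptions made for the illustration.

```python
"""Segregation-of-duties (SoD) conflict check over an access-review export.

Added example, not part of the standard. The eight incompatible IT functions
come from the standard's list; the role names, systems and records below are
constructed for illustration.
"""
from collections import defaultdict

# The eight functions the standard says must not be combined in one person.
INCOMPATIBLE_FUNCTIONS = frozenset({
    "computer_operations", "network_management", "system_administration",
    "database_administration", "system_development", "system_management",
    "change_management", "security_audit",
})

# Hypothetical mapping from role names in the IAM export to those functions.
# Roles not listed here (plain readers, access approvers) are not one of the
# eight functions and only matter for the other two checks below.
ROLE_TO_FUNCTION = {
    "ops_backup": "computer_operations",
    "net_admin": "network_management",
    "sysadmin": "system_administration",
    "dba": "database_administration",
    "developer": "system_development",
    "sys_mgr": "system_management",
    "change_mgr": "change_management",
    "sec_auditor": "security_audit",
}
assert set(ROLE_TO_FUNCTION.values()) <= INCOMPATIBLE_FUNCTIONS

APPROVER_ROLE = "access_approver"  # hypothetical role that approves access requests

# Constructed sample export: (user, system, role, environment, classification).
ACCESS_RECORDS = [
    ("alice", "erp", "developer", "dev", "internal"),
    ("alice", "erp", "sysadmin", "prod", "internal"),
    ("bob", "hr-db", "dba", "prod", "confidential"),
    ("bob", "hr-db", APPROVER_ROLE, "prod", "confidential"),
    ("carol", "erp", "sec_auditor", "prod", "internal"),
    ("dave", "core-net", "net_admin", "prod", "internal"),
    ("dave", "core-net", "change_mgr", "prod", "internal"),
    ("erin", "hr-db", "reader", "prod", "confidential"),
]


def find_sod_conflicts(records):
    """Return (user, conflict_type, detail) tuples, sorted by user.

    Three rules from the standard are checked per user:
      incompatible_functions     holds more than one of the eight IT functions
      dev_and_prod               has development and production access on one system
      confidential_self_approval can read confidential data on a system and also
                                 approve access requests to that same system
    """
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec[0]].append(rec)

    findings = []
    for user, recs in sorted(by_user.items()):
        # Rule 1: more than one of the eight functions.
        functions = sorted({ROLE_TO_FUNCTION[role]
                            for _, _, role, _, _ in recs if role in ROLE_TO_FUNCTION})
        if len(functions) > 1:
            findings.append((user, "incompatible_functions", tuple(functions)))

        # Rule 2: development and production access on the same system.
        envs_by_system = defaultdict(set)
        for _, system, _, env, _ in recs:
            envs_by_system[system].add(env)
        for system, envs in sorted(envs_by_system.items()):
            if {"dev", "prod"} <= envs:
                findings.append((user, "dev_and_prod", system))

        # Rule 3: reads confidential data and approves access to the same system.
        confidential_read = {system for _, system, role, _, cls in recs
                             if cls == "confidential" and role != APPROVER_ROLE}
        approves = {system for _, system, role, _, _ in recs if role == APPROVER_ROLE}
        for system in sorted(confidential_read & approves):
            findings.append((user, "confidential_self_approval", system))
    return findings


if __name__ == "__main__":
    for user, kind, detail in find_sod_conflicts(ACCESS_RECORDS):
        print(f"{user:8} {kind:28} {detail}")
```

On the sample data the report flags alice (developer plus sysadmin, and dev plus prod on the same system), bob (DBA on a confidential database who also approves access to it) and dave (network management plus change management); carol and erin are clean. Each finding is the starting point for the resource owner's decision to either remove the access or document a mitigating control, as the standard requires.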


Segregation of Duties

Separation of Environments

Application development, testing, and production environments are logically separated from one another.


Segregation of Duties

Separation of Environments

Development (i.e., lab), testing, and production environments for infrastructure changes are logically or physically separated
from one another.


Segregation of Duties

Separation of Environments

Where direct modifications to production data are required (e.g., in production databases), the need for the access and its
justification are documented and approved, and mechanisms are in place to monitor the access and the updates made to the
production systems.


Endpoint Security

Anti-Malware Configuration

For Enterprise-managed information resources susceptible to malicious code, the Enterprise must use an anti-malware solution approved by Enterprise IT Security. Information resource administrators must make sure that the current version of the approved anti-malware software is installed and active. To prevent, detect, and remove malicious code, the Enterprise anti-malware solution must:
- Actively scan using heuristics (e.g., correlation, aggregation) during virus outbreaks and when anti-malware signatures are not yet available from the anti-malware vendor
- Execute full system scans at least weekly
- Initiate a scan on mount of removable media (e.g., USB, portable hard drive)
- Initiate a scan on execution of all executable files
- Clean, quarantine or delete infected files and notify authorized Enterprise personnel of the action taken
- Restrict administrative functions to anti-malware solution administrators
- Allow authorized users to disable the anti-malware solution for a restricted period of time (e.g., 5, 10 or 30 minutes) to perform administrative activities, but never indefinitely
- Prohibit end users from using programs that can disable the anti-malware solution
- Send alerts to the anti-malware administrators when viruses are detected; malware identified across multiple systems must be escalated to the incident response team (IRT)
- Be able to update virus definitions as they become available from either an internal (e.g., intranet) or an external (e.g., internet) network. Mobile computing devices, where required, must be configured to attempt anti-malware updates from the internal network or directly from the vendor when connected to an external network


Endpoint Security

URL Filtering and Content Inspection

Inbound and outbound content must be scanned and filtered for known malicious code on Enterprise-managed information resources. Information resource administrators overseeing file transfer, network, and messaging technologies must implement, at a minimum, the following:
- Inbound and outbound email must be inspected for potential malware
- Data and file transmissions (e.g., SFTP, SMTP, SSH) must be inspected for potential malware where technically possible, and the inspection must cover external services
- Inbound web traffic (e.g., HTTP, HTTPS) must be inspected for potential malware
- Inbound and outbound emails must be inspected for prohibited file types (e.g., *.exe, *.bat)
- URL filtering must be performed using the Enterprise-approved content filtering technologies (e.g., Blue Coat, Websense)


Physical Security of the Environment

Access to Information

Appropriate processes and mechanisms are established, in accordance with the applicable security policy, to protect and
secure physical access to critical or sensitive information processing facilities (e.g., data rooms, data centers, branch offices).


Physical Security of the Environment

Access to Information

Authorization is required to remove hardware or media off-site (e.g., for maintenance, storage, or disposal). Where
necessary and appropriate, equipment is logged out and logged back in when returned. (Note: this does not apply to
laptops and mobile devices.)


Physical Security of the Environment

Access to Information

Granting and revoking physical access to information processing facilities (e.g., data centers, network rooms) is
performed in accordance with the applicable access policies and standards.


Physical Security of the Environment

Access to Information

Periodic reviews are performed to validate that only authorized individuals have physical access to facilities and secure
areas (e.g., data centers, server rooms).


Physical Security of the Environment

Access to Information

Policies and procedures for repairs and modifications to the security-related physical components of the facility (e.g., hardware, walls,
doors, locks) are defined. Facility support equipment is correctly maintained to ensure its continued availability
and integrity. Preventive maintenance follows a predetermined schedule and is controlled appropriately.


Physical Security of the Environment

Risk Analysis

Equipment and information processing facilities are protected to reduce the risks from environmental threats and hazards.


USA FFIEC - Regulations for Financial Institutions

2. Implement, document, and maintain the scope for examination of the Enterprise E-Banking activities, and review
significant changes in the funds transfer operation since the last examination in order to establish the scope and objective of the
examination.


USA FFIEC - Regulations for Financial Institutions

Sensitive E-Banking transactions must be approved by more than one authorized employee.


USA FFIEC - Regulations for Financial Institutions

For information resources subject to FFIEC E-Banking requirements, the Enterprise corporate functions and business units
must ensure that sensitive transactions (e.g., funds transfers, access to encryption keys) are approved by more than one
employee before authorization.


USA FFIEC - Regulations for Financial Institutions

For information resources subject to FFIEC E-Banking requirements, the Enterprise corporate functions and business units
must ensure that users and contractors are trained in, and acknowledge that they will abide by, the rules that govern their use.


USA FFIEC - Regulations for Financial Institutions

For information resources subject to FFIEC E-Banking requirements, the Enterprise information resource owners must
provide Enterprise IT with requirements to segregate the roles for initiating, executing, and approving sensitive E-Banking transactions (e.g., wire
transfers, bill pay).


USA FFIEC - Regulations for Financial Institutions

For information resources subject to FFIEC requirements, the Enterprise corporate functions and business units must make
special security considerations for token-based, biometric and single-sign-on authentication mechanisms.


USA FFIEC - Regulations for Financial Institutions

For information resources subject to FFIEC requirements, the Enterprise corporate functions and business units must:
1. Implement, document, and maintain a risk assessment process and guidelines, including the following:
- Identification and ranking of information assets, which must be multidisciplinary in nature and updated at least annually.
- Identification of cross-border risks and legal requirements.


USA FFIEC - Regulations for Financial Institutions

For systems subject to FFIEC E-Banking requirements where the Enterprise E-Banking operations use trade names other
than the institution's legal name (i.e., the Enterprise), the Enterprise information resource owners must:
- Disclose clearly and conspicuously, in signs, advertising, and similar materials, that the associated trade name is an
Enterprise function or line of business
- Use the Enterprise legal name for legal documents, certificates of deposit, signature cards, loan agreements, account
statements, checks, drafts, and other similar documents
- Train the staff of the Enterprise function or line of business regarding disclosure of associated trade names, to reduce the
possibility of customer confusion
- Exercise care in selecting website name(s) for conducting E-Banking operations, in order to reduce possible confusion with other Internet sites


USA FFIEC - Regulations for Financial Institutions

For systems subject to FFIEC E-Banking requirements, the Enterprise corporate functions and business units must
implement, document, and maintain processes and controls to periodically scan the Internet to identify websites with similar
names and investigate any that appear to be posing as the institution. Suspicious websites should be reported to the
appropriate criminal and regulatory authorities.


USA HIPAA - Regulations for Healthcare Sector Entities

HIPAA - Protection of Personal Medical Data

[HIPAA] For information resources subject to HIPAA requirements, the Enterprise corporate functions and business units
must implement processes and controls to record and examine activity in information resources that contain or use
electronic protected health information.

Importance (standard): 0 - Not Relevant; Importance (company): 0 - Not Relevant; Weighted importance: Not Applicable



USA HIPAA - Regulations for Healthcare Sector Entities

HIPAA - Protection of Personal Medical Data

As defined by HIPAA, for information resources that process, store or transmit personal health information, information
resource owners must:
- Confirm that access to electronic protected health information is appropriately restricted to employees who have been explicitly
granted such access
- Authorize and/or supervise workforce members who work with electronic protected health information
- Verify that a person or entity seeking access to electronic protected health information is the one claimed
- Document any special considerations for access privileges

Importance (standard): 0 - Not Relevant; Importance (company): 0 - Not Relevant; Weighted importance: Not Applicable


USA HIPAA - Regulations for Healthcare Sector Entities

HIPAA - Protection of Personal Medical Data

For information resources subject to HIPAA requirements, the Enterprise corporate functions and business units must
implement, document, and maintain procedures for obtaining necessary electronic protected health information during an
emergency.

Importance (standard): 0 - Not Relevant; Importance (company): 0 - Not Relevant; Weighted importance: Not Applicable


USA HIPAA - Regulations for Healthcare Sector Entities

HIPAA - Protection of Personal Medical Data

For information resources subject to HIPAA requirements, the Enterprise corporate functions and business units must assign
a security official who is responsible for the implementation, documentation, and maintenance of the HIPAA-required IT security,
risk, and compliance policies and standards.

Importance (standard): 0 - Not Relevant; Importance (company): 0 - Not Relevant; Weighted importance: Not Applicable


USA HIPAA - Regulations for Healthcare Sector Entities

HIPAA - Protection of Personal Medical Data

For information resources subject to HIPAA requirements, the Enterprise corporate functions and business units must
implement, document, and maintain IT security, risk, and compliance policies and standards, including procedures, that
allow access only to those persons or software programs that have been granted access rights, including the
following:
- Ensure that access to electronic protected health information is appropriately restricted to employees who have been explicitly
granted such access.
- Authorize and/or supervise workforce members who work with electronic protected health information.
- Verify that a person or entity seeking access to electronic protected health information is the one claimed.
- Document any special considerations for access privileges.

Importance (standard): 0 - Not Relevant; Importance (company): 0 - Not Relevant; Weighted importance: Not Applicable


USA HIPAA - Regulations for Healthcare Sector Entities

HIPAA - Protection of Personal Medical Data

For information resources subject to HIPAA requirements, the Enterprise corporate functions and business units must
implement, document, and maintain security measures to guard against unauthorized access to electronic protected health
information transmitted over an electronic communications network.

Importance (standard): 0 - Not Relevant; Importance (company): 0 - Not Relevant; Weighted importance: Not Applicable


USA HIPAA - Regulations for Healthcare Sector Entities

HIPAA - Protection of Personal Medical Data

For information resources subject to HIPAA requirements, the Enterprise corporate functions and business units must:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and
availability of the electronic protected health information held.
- Perform a periodic technical and non-technical evaluation, in response to environmental or operational changes affecting
the security of electronic protected health information, that establishes the extent to which the IT security, risk, and compliance
policies and standards meet the HIPAA Security requirements.

Importance (standard): 0 - Not Relevant; Importance (company): 0 - Not Relevant; Weighted importance: Not Applicable


USA HIPAA - Regulations for Healthcare Sector Entities

HIPAA - Protection of Personal Medical Data

For information resources subject to HIPAA requirements, the Enterprise information resource owners must document,
implement, and maintain processes, controls, and procedures for obtaining necessary electronic protected health
information during an emergency.

Importance (standard): 0 - Not Relevant; Importance (company): 0 - Not Relevant; Weighted importance: Not Applicable


USA HIPAA - Regulations for Healthcare Sector Entities

HIPAA - Protection of Personal Medical Data

For Enterprise information resources subject to HIPAA requirements, the Enterprise information resource owners must
use Enterprise-approved encryption protocols to guard against unauthorized access to electronic protected health
information transmitted over an electronic communications network, unless prohibited by local, state, national, or
international law.

Importance (standard): 0 - Not Relevant; Importance (company): 0 - Not Relevant; Weighted importance: Not Applicable


USA HIPAA - Regulations for Healthcare Sector Entities

HIPAA - Protection of Personal Medical Data

To ensure compliance with HIPAA regulatory standards, programs and processes are developed, implemented and
maintained in the areas where Protected Health Information is handled, processed, transmitted, and stored.

Importance (standard): 0 - Not Relevant; Importance (company): 0 - Not Relevant; Weighted importance: Not Applicable


[Chart: weighted importance by topic, 0% to 1000% axis; the plotted values did not survive extraction. Topics on the axis:]
Risk Management
E-Commerce
Mobile Computing
Business Continuity
Access Control
Threat and Vulnerability Management
Change Control
Security Culture
Application Development
Information Management
Inventory Management
IT Governance
IT Compliance
Security Incident Handling
Encryption Key Management (KLM)
Activity Monitoring and Logging
PCI-DSS
Data Loss Prevention (DLP)
Third-Party Security Review
Segregation of Duties
Endpoint Security
Physical Security of the Environment
USA FFIEC - Regulations for Financial Institutions
USA HIPAA - Regulations for Healthcare Sector Entities
Total Result

Impact Area / Impact Description

Customer: Effects of an incident or series of incidents on the services provided to the company's customers.

Operations: Effects of an incident or series of incidents on the company's end-to-end operating environment.

Regulatory: Effects of an incident or series of incidents on how regulatory entities perceive the company.

Reputation: Effects of an incident or series of incidents on the company's reputation with the public (customers, partners, investors, audit and rating entities, general public).

Financial: Identifiable cost of an incident or series of incidents to the Company. Includes both direct financial impact and other costs (for example, opportunity costs).
* Costs stated in MDP (millions of pesos)

Impact Level 1
Customer: Minimal impact on the ability of a large group of customers to transact with the Company.
Operations: Minimal impact on the ability to achieve the strategic objectives or financial forecasts stated in the annual plans. Day-to-day processes are not impacted beyond the immediate response required to remediate the incident.
Regulatory: Small, non-recurring breaches. Minimal requirements or requests from the authorities. Limited involvement of the internal Compliance Department. Requests for information from external regulatory entities are limited to a single product.
Reputation: Minimal local impact. Unfavourable reports are limited to local media. Concern is limited to the local community.

Impact Level 2
Customer: A significant number of customers cannot transact with the Company for one day.
Operations: Significant threat to achieving the strategic objectives or financial forecasts stated in the annual plans. Less than 25% of operations and/or processes are impacted by the incident beyond the immediate response. The impact reaches critical functions in multiple areas of one line of business. Additional resources are required to resolve the incident and management is involved.
Regulatory: The regulatory authorities are expected to audit or review the relevant operations and place the company under observation. Repetitions of the incident lead to detailed scrutiny by the regulatory authorities. The Compliance Department must dedicate time and resources to monitoring the incident until it is resolved. Requests for information from external regulatory entities are limited to a single product.
Reputation: Unfavourable reports appear in regional or national media. Potential impact on the share price and/or the value of the company. Declining support from customers, partners, suppliers or the general public.

Impact Level 3
Customer: A significant number of customers cannot transact with the Company for more than one day. Similar incidents recur over a notable period of time, leaving a significant number of customers unable to transact on several occasions.
Operations: Impact on the ability to achieve long-term strategic objectives. Less than 50% of day-to-day operations are impacted by the incident beyond the immediate response. Impact on critical services or functions in multiple areas of multiple lines of business. Additional resources are required to resolve the incident, with the involvement of Senior Management.
Regulatory: The regulatory authorities may place the Company under an in-depth audit or review and/or alert other regulatory entities that supervise the Company's operations. Potential situations force the Company to notify all regulatory authorities. Potential suspension of individuals. Ongoing coordination by Senior Management, with possible long-term implications. The audit focuses on a specific line of business.
Reputation: Damage to the Company's global reputation. Impact on the share price and/or the value of the Company. Possible legal implications and/or sanctions.

Impact Level 4
Customer: A significant number of customers cannot transact with the Company for a significant period of time, leading to the loss of those customers.
Operations: Significant threat to meeting the strategic objectives. More than 50% of day-to-day operations are severely impacted by the incident beyond the immediate response. Impact on all areas and lines of business of the Company. A considerable number of additional resources is required to resolve the incident, with the involvement of the Company's executive leadership.
Regulatory: Response from the regulatory authorities that may limit the Company's ability to do business and/or loss of permits and/or licences. Sanctions or regulatory actions, including legal ones, against the Company or its lines of business.
Reputation: The Company's reputation is damaged to the point of threatening its continuity and/or survival. Loss of customers, partners, investors and/or capital. Potential bankruptcy.