POSTGRADUATE PROGRAMME IN INFORMATION TECHNOLOGY AUDIT

Permanent URI for this collectionhttp://201.159.223.65:4000/handle/123456789/1050

Recent Submissions

  • Item
    VALIDATION OF A MEASUREMENT MODEL FOR SERVICE QUALITY MANAGEMENT IN THE FIELD OF INFORMATION TECHNOLOGY AUDIT
    (2018-01) Zumba Vásquez, Carlos Polivio; García Peláez, Diana Laura; Bolaños Burgos, Francisco Joseph
    The objective of this research is the validation of an instrument (rubric) for managing service quality in the IT department. Methodologically, the construction of a 73-item rubric based on the norms and standards for IT service management (GSTI) is described, analysing processes such as change management (16 items), release and deployment management (15 items), incident management (14 items), problem management (15 items) and the service desk function (13 items). The items were measured on a four-level Likert scale (Not done, Needs to be reinforced, Partially achieved, Completely achieved). The content validity of the instrument was assessed through expert judgement. The rubric was then applied in a private company providing telephone and telemarketing services. An analysis based on Generalizability Theory was used to confirm the validity and reliability of the rubric design and to generalize the results found, for which a mixed measurement model and a three-facet design (Departments, Items and Auditors) were determined. The results show that the instrument is reliable because in all the processes the Generalizability coefficient was 0. Thus, this study verifies the validity of the proposed instrument in the field of IT audit; on the other hand, it demonstrates that G Theory can be used to validate instruments in the area of IT audit, diminishing the bias that instruments carry during this process.
  • Item
    PROPOSAL OF INFORMATION SECURITY CONTROLS FROM THE PERSONAL DATA PROTECTION PERSPECTIVE FOR ECUADORIAN GOVERNMENT ENTITIES THAT HAVE IMPLEMENTED THE ONLINE GOVERNMENT STRATEGY
    (2018-08) Yánez Navarrete, Angel Ignacio; Gonzales Arbaiza, Cesar Martín
    In the public sector of Ecuador, online government has eased the paperwork between citizens and state entities; however, this interaction can expose citizens' personal information to risks that violate their privacy. For this research, the requirements for the protection of personal data were studied, the current situation of other countries in the region and of Ecuador in the area of personal data protection was reviewed, and these results were contrasted with the common problems of Ecuador's public institutions. On the same subject, a compliance checklist for personal data protection was developed and validated by a group of experts. This work proposes the minimum information security controls that the public institutions of Ecuador that have implemented online government, as well as private organizations of all sectors, should put into practice to protect the personal data of citizens that is managed and processed in their technological infrastructure. Finally, the proposed control chart should be considered for implementation in the private sector.
  • Item
    LEVEL OF APPLICATION OF COMPUTER SECURITY TO PREVENT INFORMATION LEAKAGE IN THE SAVINGS AND CREDIT COOPERATIVES OF ZONE 1 OF ECUADOR
    (2018-11) Yandún Velasteguí, Marco Antonio; Flores Marín, Mónica Jeannette
    This article presents information leakage as an existing problem in the Savings and Credit Cooperatives, arising from the level at which security measures are applied. It shows the statistics on the information that employees take from their workplace according to the security reports of manufacturers and suppliers of computer security tools, and the results of field research carried out with Technology, Systems and Security personnel through surveys of 38 items covering the people, processes and technology involved in the control, distribution and safeguarding of physical and digital documents that contain sensitive or valuable information, the forms of information leakage and their countermeasures. From the results it is concluded that confidence in the personnel who manage the physical document archive, databases, programmers, batch processes and security cannot be guaranteed; physical documents with partner and client information may be lost; when information is shared with other entities, not all of it is sent encrypted; and computer security reviews reveal vulnerabilities in cardholder information. These conclusions constitute the inputs for establishing the criteria for compliance with the recommendations and activities to be carried out in the short, medium and long term that address the problem and strengthen security to prevent information leakage in the financial cooperatives.
  • Item
    VALIDITY OF A RUBRIC FOR NETWORK AUDITING IN THE CONTEXT OF A PUBLIC INSTITUTION IN GUAYAQUIL
    (2018-03) Villacís Real, Kléber David; Bolaños Burgos, Francisco Joseph
    The objective of the study is to validate an instrument for network security auditing, applicable to firewalls. For this, a three-level Likert scale was developed, consisting of 5 clauses, 10 categories and 68 items, distributed according to ISO 27002 as follows: Organization of Information Security (7), Access Control (17), Physical and Environmental Security (6), Operations Security (18) and Communications Security (20). For the validation of the instrument, reliability was measured with G Theory and the Edug1.6-e software; the measurement design consists of 3 facets: Business unit, Items and Auditors. The results of the G Theory analysis show coefficients ρ equal to 0, which indicates that the instrument is reliable. As future work, the instrument proposes an exploratory diagnosis as the starting point for a technical network audit, in which the operating effectiveness of security controls can be evaluated.
  • Item
    SECURING DIGITAL FILES THROUGH TIMESTAMPING INDEPENDENT OF A CERTIFICATE AUTHORITY
    (2017-09) Vera Cadena, Romel André; Durango Espinoza, Rayner Stalyn
    Trusted timestamping is the process used to certify that a digital document has not been altered since the date it was registered; however, the current timestamping procedure depends on a certificate authority, which must itself be trusted, and there have been trust problems that have caused various damages, ranging from identity theft to the spread of malware. Consequently, the objective of this paper is to create an alternative timestamping scheme that allows digital files to be secured by means of a timestamp that does not depend on a certificate authority. To do this, the study followed an explanatory methodology in which three cases of trust problems were analysed, in order to overcome the trust problem by checking integrity with a hash function. Based on the analysis, the alternative scheme can be used when it is necessary to avoid trust problems, since it excludes certificate authorities from the timestamping scheme.
  • Item
    INFORMATION TECHNOLOGY GOVERNANCE MODEL BASED ON THE CALDER-MOIR REFERENCE MODEL APPLIED TO SMEs IN ZONE 7 OF ECUADOR
    (2018-03) Tenesaca Luna, Gladys Alicia; Castillo Almeida, Norma Fernanda
    Currently, any organization that makes use of Information Technology (IT) should apply the guidelines defined in IT Governance to facilitate the optimization of its processes and resources, as well as integration and alignment with the company's strategic objectives, leading to competitive advantage, reduction of risks and costs, and improvement in the quality of service. In this context, the case study presented includes the analysis and implementation of the Calder-Moir IT governance model, based on the ISO 38500 standard, in an SME (PYME) in Zone 7 of Ecuador. For this, a detailed analysis of each segment of the reference model is carried out, the alignment between the Reference Model and the ISO 38500 standard is investigated, and the appropriate methodology for implementing the Reference Model is determined. COBIT is used as the governance framework, and the Balanced Scorecard management tool is used to deepen the strategic actions approach. It is concluded that the Calder-Moir Framework allows SMEs in Ecuador to achieve alignment between strategic objectives and Information Technology objectives, contributing to good IT management and to the continuity of the SME.
  • Item
    FRAME OF REFERENCE FOR CONDUCTING A COMPUTER SECURITY AUDIT OF ANDROID APPLICATIONS
    (2018-11) León Cabrera, Santiago Fabricio; Sotomayor Sanchez, Marco Vinicio
    The present work proposes a frame of reference for conducting an IT security audit of Android applications, specifying procedures and adjusting nomenclature so that auditors can define the impact, the probability that a vulnerability will materialize, and the security level of the safeguards found against the frequent vulnerabilities in Android applications. For this, a bibliometric analysis is carried out of the main concepts on the phases of an audit focused on information technologies, on IT-focused risk treatment, and on methodologies for analysing failures in mobile applications. From the results obtained, three academic works were selected because they are based on recognized and proven methodologies: the audit and information systems assurance guide proposed by ISACA, the information systems risk analysis and management methodology (MAGERIT), and the OWASP Mobile Security Project security analysis methodologies. These serve as the basis for constructing the proposed framework, which sets out the stages and procedures to be followed within an audit. In addition, from the information gathered while developing the frame of reference, a checklist of the most frequent failures that should be analysed is obtained, with the option to classify their probability of occurrence and specify the level of implementation of the safeguards found. The validation of this work is carried out through a focus group with a qualitative approach, in which five professionals in the area gave their opinions and points of view on the feasibility of using the proposed framework. In the end, acceptance by one hundred percent of the participants was obtained, who considered it a viable alternative for performing a security audit of Android applications.
  • Item
    MATURITY MODEL FOR THE RISK ANALYSIS OF INFORMATION ASSETS BASED ON THE MAGERIT, OCTAVE AND MEHARI METHODOLOGIES, WITH A FOCUS ON SHIPPING COMPANIES
    (2018-03) Holguín García, Fresia Yanina; Lema Moreta, Lohana Mariella
    The aim of this work is to propose a Maturity Model for the risk analysis of information assets in shipping companies, which provides opportunities for technological and, consequently, business improvement, based on the best practices of the MAGERIT, OCTAVE and MEHARI methodologies. The proposed model is based on a literature review of the main risk concepts; for its design, the maturity levels defined in the Capability Maturity Model Integration (CMMI) structure were adopted; in addition, a control map was defined to guide compliance by level and to incorporate the selected best practices. The resulting model was validated by a group of experts using the Delphi technique, in order to obtain a quantitative assessment of its applicability in shipping companies. As the main result, on a five-point Likert scale, the model was found to be very applicable (rating 5) for these companies, and it is estimated that by using it they can reach a defined level of maturity (level 3 of 5), arriving at a formalized risk analysis process with proactive techniques.
  • Item
    FRAME OF REFERENCE OF GOOD PRACTICES FOR COMPLIANCE WITH REGULATION SBS-JB-3066 AND MEASUREMENT OF ITS IMPACT
    (2018-11) Gualsaquí Vivar, Juan Carlos; Cevallos Gamboa, Washington Antonio
    Information technology is the tool that supports organizations in meeting the demand for new products and financial services for their clients. Currently, the trend of a new digital age has led customers to make transactions through different electronic channels, which in turn increases the potential risks that could affect the security of information. The present article develops a framework of good practices regarding technological governance, business continuity, security in electronic channels, operational risk management and information security that should be implemented by the country's financial institutions governed by the Superintendence of Banks. To this end, local and international regulations and good practices were reviewed to develop a framework with the minimum security measures that should be implemented in the institutions' internal control systems, in order to minimize threats and risks related to the security, integrity and availability of their information. Finally, a measurement of these good practices applied to a financial institution is presented, determining the minimum requirements and findings that the institution must address before the on-site visit by the control entity.
  • Item
    DEVELOPMENT AND APPLICATION OF A MODEL TO EVALUATE THE MATURITY LEVEL OF INFORMATION SECURITY MANAGEMENT IN PUBLIC HEALTH INSTITUTIONS IN THE CITY OF CUENCA
    (2018-11) Capelo Vásquez, Miriam Gabriela; Sotomayor, Marco
    Nowadays, many institutions have taken advantage of information technologies to improve services, reduce costs and make decisions; in healthcare, the information systems currently in use have become a vital tool for the timely diagnosis and treatment of patients. It is therefore necessary to implement policies and standards that ensure the reliability, availability and integrity of medical record information and complementary examinations, and these strategies need to be monitored and controlled on a regular basis. The literature review found no work in Ecuador on measuring the maturity of information security in the health area; therefore, the present research aims to propose a model to evaluate the maturity of information security in public health institutions. To that end, an evaluation of the regulations to be met in the health sector was carried out in order to generate a Maturity Model, developed by following the methodology proposed by Becker, Knackstedt and Pöppelbuß. The model was validated by experts from different areas and, after correcting the observations received, the reliability of the validation was measured using the Cronbach's alpha coefficient method. Once an acceptable level of reliability was verified, the proposed model was applied in a third-level-of-complexity public hospital, and recommendations were finally proposed based on the results analysed.
  • Item
    ANALYSIS OF SECURITY GAPS IN ACCESS TO DATA IN THE CLOUD FOR BIG DATA SOLUTIONS
    (2018-09) Azúa Campos, María Soledad; Merchán Millán, Christian
    Cloud data storage providers allow their customers to share or save any type of information, such as files or documents, from any device connected to the Internet. Users expect these providers to keep their data safe and protected from external attacks, ransomware or any type of data leakage that would make the stored information vulnerable. The purpose of this research is to identify the security gaps in access that exist in two cloud storage service providers. For the present study, Amazon and Google Cloud were taken as references; they were chosen on the basis of international and local (Ecuador) surveys. The use of public cloud services was defined as an indicator, as reported by SADA Systems, which places Google Cloud, with 49%, among the leaders at the international level. Another indicator was the ranking of public IaaS suppliers, which, in terms of revenue, places Amazon in the number one position with more than 51.80% of the entire market. To identify the trend in Ecuador, eleven SMEs of different kinds, located in different geographical points of the country, were surveyed. One of the main requirements of the surveyed SMEs when choosing a cloud storage solution is access control (authentication of users and applications), and Google Cloud and Amazon were identified as the cloud service providers they most require. To identify security gaps in access for the two selected providers, the Information Security and Privacy Model (SPI) was used, first presenting the access control characteristics of each provider's cloud data storage. The two providers were then compared in Identification, Authentication and Authorization, evaluating the existing security gaps between Amazon and Google Cloud; it was identified that incorrect administration and ignorance of the many resources the providers offer open a door to attacks and become a vulnerability for those involved.
  • Item
    FUTURE RESEARCH ON INFORMATION SECURITY BEHAVIOUR: A SYSTEMATIC REVIEW
    (2018-03) Arciniegas Coral, Alexandra Jacqueline; Del Pezo Saona, Angélica del Rocío; Bolaños Burgos, Francisco Joseph
    The increase in the use of information technologies also brings growing threats to information security, which are sometimes ignored, or their risks underestimated, by the internal users of organizations; hence one of the main concerns of information security administrators is the insider threat. In the present work, a systematic review is carried out of the existing studies in the literature, from 2000 to 2016, on employees' compliance behaviour with respect to Information Security Policies (ISP) in organizations. Through four selected taxonomies, the state of the art of information security behaviour is examined to identify the approaches that have received the most attention from researchers, the types of behaviour, the types of internal users, and the determinants that influence employees' behaviour. Information on current trends in this field of research is presented, and future work is proposed that could be considered by the information security research community.
  • Item
    EVALUATION OF BUSINESS CONTINUITY MANAGEMENT IN THE INDUSTRIAL AND FISHING SECTOR OF THE CITY OF MANTA: THE 16A EARTHQUAKE CASE STUDY
    (2018-04) Velásquez Moreira, Gabriela Maholy; Lema Moreta, Lohana Mariella
    Natural disasters are one of the reasons why business continuity may be affected. On April 16, 2016 (16A), the city of Manta, a fishing port of Ecuador, was struck by an earthquake measuring 7.8 on the Richter scale, which changed the lives of its inhabitants and put to the test the resilience of the companies based in the city. This investigation evaluates the Business Continuity Management of 30 companies in the fishing-industrial sector located in the city of Manta, in order to obtain a situational diagnosis at three points in time, before, during and after the natural event, that complements the information published by official entities. To achieve this goal, the methodological process used interviews as the main data collection technique for a sample of 30 companies. Based on the research carried out, 27% of the companies interviewed had implemented the minimum rules of business continuity management before 16A, from which it can be inferred that there was great disinterest in preparing companies for catastrophes and emergency situations; during 16A it is evident that these companies reacted in a corrective and proactive way to restore their operations; and after 16A they have become aware of the importance of investing in and implementing business continuity in the organization, with the result that 47% of the companies established baseline guidelines for business continuity management after the event.
  • Item
    DEVELOPING AN AUDIT SCRIPT TO EVALUATE THE MATURITY OF ITIL-BASED IT SERVICE MANAGEMENT IN PUBLIC-SECTOR OIL COMPANIES
    (2018-04) Naranjo Villacís, Alex Rolando; Viejó Maestre, Miguel Antonio
    IT Service Management makes it possible to evaluate the level of technological maturity of organizations through an audit that applies a series of norms and standards based on best practices, according to the needs, objectives and goals of each organization. This investigation proposes an audit script based on the needs of public oil companies. Expert evaluation and the studies around ITIL allowed the instrument to be validated in three phases: design, operation and transition of IT services. The audit script was applied in a public oil company and the level of maturity was measured quantitatively; the results indicate efficient management according to the rating scale used to measure IT service management in ITIL V3.
  • Item
    FRAME OF REFERENCE FOR CONDUCTING A FORENSIC ANALYSIS OF DIGITAL EVIDENCE SOURCES IN VEHICLE INFOTAINMENT SYSTEMS
    (2018-04) León Cabrera, Javier Fernando; Chavez Jara, Roberth Darío
    Within computer forensic analysis there are several frames of reference, some traditional and others specific to computer equipment or other special equipment, that allow the investigator to carry out a digital forensic analysis. But there are devices that, because of their particular characteristics, require a different treatment, such as vehicle infotainment equipment, for which there is no framework that supports a forensic process covering the demands these devices present during an investigation. For this reason, this paper addresses forensic analysis from a vehicle infotainment perspective, based on a literature review of information and entertainment equipment for vehicles, its technical characteristics, and the recommendations and difficulties that arise in forensic work. Likewise, it draws on a literature review of other frames of reference whose phases may be applicable to this type of technology. This allows better management of the forensic image acquisition and evidence analysis processes, avoiding harm to the chain of custody. This research presents a specific frame of reference for carrying out a forensic analysis of vehicle infotainment equipment, in which each phase covers the requirements that this type of technology demands, while complying with the objective and principles of forensic analysis. The framework was validated through the focus group technique, with the participation of highly experienced professionals in the area, obtaining qualitative information that showed each one's perspective on the reference framework presented.
  • Item
    COMPARATIVE STUDY ON THE UNDERSTANDING OF THE IMPORTANCE OF INFORMATION SECURITY AMONG IT USERS OVER 45 YEARS OF AGE FROM SOCIAL STRATA C, D AND E IN SOUTH AMERICA
    (2018-04) Flores Loayza, Mónica Daniela; González Arbaiza, César Martín
    This research analysed the understanding that IT users older than 45 years have of the importance of information security in their daily activities, in order to identify the level of knowledge and prevention they possess when interacting with technology. During the investigation, semi-structured interviews were conducted with users between 45 and 70 years old, which allowed us to analyse and distinguish the gaps in information security knowledge in this segment of the population. At the same time, a literature review was carried out on how this problem is managed in other South American countries, in contrast to what has been done in Ecuador. Based on the analysis and review, guidelines and recommendations were established to help adults with the subject of information security, based on the vulnerabilities found.
  • Item
    GAP ANALYSIS OF THE COMPUTER FORENSICS PROCESS IN ECUADOR WITH RESPECT TO INTERNATIONAL GOOD PRACTICES
    (2018-04) Mera Mero, Doris María; Benavides Córdova, Vaneza Mariana; Cevallos Gamboa, Washington Antonio
    This article focuses on determining the maturity level of the computer forensics process in Ecuador with respect to international good practices. For this purpose, following the Delphi methodology, five computer experts accredited by the Judicial Council of Ecuador, experienced in forensic analysis cases and based in several cities of the country, were selected. Likewise, using the Design Science methodology, instruments were created to gather the information provided by the experts. From the information analysed it can be concluded that Ecuador is currently at maturity level two, with the presentation stage scoring highest and the record management stage scoring lowest, which indicates that within the forensic analysis process executed in the country the procedures are being implemented but still need to be documented and placed under continuous improvement.
  • Item
    COMPARISON OF THE PERFORMANCE AND SECURITY LEVEL OF THE LIGHTWEIGHT CRYPTOGRAPHIC ALGORITHMS PRESENT, CLEFIA, KECCAK AND HIGHT: A SYSTEMATIC REVIEW
    (2018-04) Coronel González, César Alvarito; Lema Moreta, Lohana Mariella
    The increase in information generated by mobile and fixed devices, which is exposed to risks and attacks, requires encryption mechanisms that can be adjusted to the new requirements. Hence the importance of choosing an adequate encryption algorithm that can be adapted to the new structures in order to protect the information. The objective of this article is to determine the security level and performance of the cryptographic algorithms PRESENT, CLEFIA, Keccak and HIGHT through a systematic review of the literature that addresses these topics. The information obtained showed that the three block ciphers have similar characteristics. Among them, CLEFIA is stronger than the others because it resists about 50% more attacks than the other algorithms. Finally, with the exception of HIGHT, the algorithms have different versions in which the key length, block size, number of rounds and implementation size vary.
  • Item
    RISK MANAGEMENT OF THE IT AREA OF WHITE-FISH EXPORTING COMPANIES IN MANTA AND JARAMIJÓ AS A CONTRIBUTION TO BUSINESS CONTINUITY
    (2018-04) Bailón Lourido, Walter Alberto; Sotomayor Sánchez, Marco Vinicio
    Constant technological advances and the increase in the amount of information generated have contributed to an increase in companies' IT risks, in some cases causing the loss or alteration of information; it is therefore necessary to protect it through adequate risk management, using a standard or methodology that mitigates or minimizes the impact on the organization. For this reason, the objective of this paper is to obtain an IT risk management methodology for white-fish exporting companies in the cities of Manta and Jaramijó. First, a survey was conducted to determine the level of knowledge and application of risk management in these companies. Then, international standards and methodologies for IT risk management were selected on the basis of previous work and the reviewed literature, and evaluated comparatively by expert criteria, thus obtaining a new IT risk management methodology based on the ISO 9001, ISO 31000, ISO 27005 and ISO 27002 standards, supported by the MAGERIT methodology and its PILAR tool, which preserves the confidentiality, integrity and availability of information. The resulting methodology was evaluated in one of the companies under study, which made it possible to manage risks, value assets, assess threats and determine safeguards.
  • Item
    PROPOSAL OF A RISK-ORIENTED PENETRATION TESTING METHODOLOGY
    (2018-04) Alvarez Intriago, Vilma Karina; Cevallos Gamboa, Antonio
    Information security has become an important and indispensable aspect of the operations of most organizations. That is why today there are several methodologies that guide auditors in performing tests and applying metrics, in order to analyse the controls and procedures that verify that security. The present investigation carries out a descriptive study, with a qualitative approach, of the OSSTMM, OWASP, PTES, ISSAF and CVSS methodologies, in order to make a new proposal that compiles best practices from both a technical and a risk perspective. For this, the characteristics of the aforementioned methodologies were explored through bibliographic review, interviews and expert judgement, finding procedures and standards that guide the effective performance of penetration tests. As a result, a risk-oriented methodology is proposed, consisting of four stages: the first covers the agreement, scope and information gathering; the second the execution; the third the risk assessment; and the last the generation of reports. It is considered a contribution for technology auditors since, in addition to reporting on technical aspects, it also reports on risks, prioritizing them by their level of incidence or severity with respect to the company's objectives.