AUDITORÍA DE TECNOLOGÍAS DE INFORMACIÓN
Permanent URI for this collection: https://repositorio.uees.edu.ec/handle/123456789/352
Recent Submissions

ESTUDIO COMPARATIVO ENTRE INSTITUCIONES PÚBLICAS LATINOAMERICANAS REFERENTE A LA APLICACIÓN DEL GOBIERNO DE LA SEGURIDAD DE LA INFORMACIÓN
(2019-04-13) Guillén Rivas, Karol Dayanna.; Véliz Loor, Clara Marisela; González Carrión, Raúl Vicente
The general objective of this research work is to carry out a comparative study among Latin American public institutions, regarding the security of information at the government level, taking as a case study the Ecuadorian institutions Senae and SRI. Its approach is qualitative, with an exploratory-descriptive scope; an analysis of the initial situation was carried out on the guidelines proposed by the governmental information security scheme (hereinafter EGSI) and the compliance of these in each of the public institutions in contrast with the best practices based on international standards focused on safeguarding the most important asset of the organisms, such as information, to subsequently propose best practices oriented to information security, evaluated by experts in the area through the focus group technique; evidencing that the application of the EGSI is not enough to maintain an optimal management of information security.

METODOLOGÍA PARA LA REALIZACIÓN DE AUDITORÍAS DE SEGURIDAD INFORMÁTICA DE INFRAESTRUCTURA DE REDES DE DATOS EN EMPRESAS DEL SECTOR INDUSTRIAL PESQUERO (UN ESTUDIO COMPARATIVO): DEL CANTÓN MANTA, PROVINCIA DE MANABÍ, ECUADOR.
(2019-07-13) Sendón Varela, Juan Carlos; Pacheco Villamar, Rubén Antonio
Information is one of the most significant assets of an organization. Due to the threats and risks to which IT assets are exposed in organizations, it becomes very important to have control and supervision tools that help to create a culture of security in these, that reveal the state of Security Computing.
The objective of this research work is to determine the most suitable methodology for carrying out computer security audits to the data network infrastructure in the companies of the fishing industry of the Manta municipality. Through a literature review, statistical models and a comparative analysis between different methodologies, and with the help of a validated questionnaire, the most appropriate methodology was evaluated to carry out this audit process to guarantee the reliability, availability, confidentiality, and integrity of information; as well as minimizing the risks in the use of technology. As a result, the deficiencies in the computer security of the studied object were evidenced and it could be corroborated that the alternative more in line with the characteristics of the sector is OSSTMM, due to its medium complexity and easy implementation in those organizations that initiate restructuring processes of the models of computer security. This subject, as a line of research, has received the attention of researchers, observing the need to deepen its study, justifying its relevance and relevance.

ESTUDIO COMPARATIVO SOBRE PRIVACIDAD Y CONFIANZA EN REDES SOCIALES HORIZONTALES Y VERTICALES EN UNA INSTITUCIÓN DE EDUCACIÓN SUPERIOR
(2019-04-13) Rojas Bustos, Janneth Alexandra.; Lema Moreta, Lohana Mariella
In the present article, a comparison of privacy and trust characteristics in friends is made in four social networks; 2 horizontals and 2 verticals specifically: Facebook, Twitter, Instagram and LinkedIn. In order to fulfill this goal, literature related to the theme that allowed the design of a survey measurement instrument was reviewed, which was applied in a Higher Education Institution to a sample of 222 people between 17 and 50 years old.
The results indicated that there are very marked borders in terms of behaviors in privacy and trust in the horizontal social network Facebook with high degree of use and, in the vertical social network LinkedIn with low degree of use; so no comparison can be made. However, the horizontal social network Twitter and the vertical social network Instagram showed similarities in user behavior. In conclusion, it is shown that it will depend on the use of a network and the theme of it so that the levels of privacy and trust in friends are high, so in this case the Instagram vertical network is the second preferred and therefore the users protect the account with more privacy and rely more on the network and on their friends.

ESTUDIO DE LA SEGURIDAD DE LA INFORMACIÓN DE LOS PACIENTES EN LOS HOSPITALES PÚBLICOS TIPO II DE ECUADOR.
(2019-02-13) Quimiz Moreira, Mauricio Alexander.; Durango Espinoza, Rayner Stalyn
Information is a very important asset for most organizations or companies. In the health sector, the information handled is highly sensitive because it contains detailed information on patients about their socioeconomic status, analyzes, diagnoses and medical treatments that are taken for these health centers. It is essential that these institutions consider the security of information as the primary axis for good management and information management, this is because currently filtering, alteration or theft of data is a latent problem that may affect the information systems that they are managed in these environments. Cybersecurity in public hospitals must be in accordance with clear information assurance policies to defend against any type of threats that are increasingly more advanced.
This paper studies the current situation of patient information security in type II public hospitals in Ecuador, establishing a methodology for analyzing HIPAA, Regulation 2016/679 and ISO 27799, and establishing evaluation groups in each of the health entities chosen, which are governed by standards and ministerial agreements issued by the Ministry of Public Health of Ecuador, which are general in the area of information security. Finally, guidelines for the security of patient information are defined as an essential component for the adequate treatment of patient information. The result of this study clearly demonstrates the shortcomings in the assurance of patient information despite the efforts made, thus making a process of continuous improvement.

POLÍTICAS DE SEGURIDAD DE LA INFORMACIÓN DE APROVECHAMIENTO ESTUDIANTIL EN LA EDUCACIÓN GENERAL BÁSICA BASADO EN LA NORMA ISO 27002.
(2018-06-13) Pacheco Alvarado, Luis Angel.; Pacheco Villamar, Rubén Antonio.
Within the educational organization where information and communication technologies are involved, computer security is a fundamental pillar for the stability of institutional activity, especially due to the processes inherent to student information. Faced with this phenomenon, information has become one of the most valuable assets of any educational institution, which makes it necessary to develop Information Security Policies for student achievement, for example, through ISO 27002 and the MAGERIT risk analysis methodology. This approach contributes to the classification of information assets and the reduction of shortcomings, threats and risks of information loss. In this sense, a descriptive investigation was conducted at the Zulima Vaca Rivera school in the city of Pasaje, to characterize the strategies they use with respect to the reliability, integrity and availability of the information assets of the educational process.
Surveys and interviews were conducted with teachers, students and authorities, and a group of security policies were developed and proposed. It was concluded that there are limitations of a subjective and objective nature that interfere in the non-use of Information Security Policies.

MODELO DE GESTIÓN DE SERVICIOS PARA SOPORTE DE TI EN LOS CENTROS TIC MILITARES.
(2019-05-13) Erique Jaramillo, Marlon Stalyn.; Bolaños Burgos, Francisco Josep
This research work proposes to conduct the study to the quality of service management support provided by the technology centers of a military institution in Ecuador, in order to analyze the management of support service performed by computer technicians and their particularities. During the development of this work, the regulations of the ITIL v3 and ISO 27001-27002 norms will be taken into consideration, as well as the evaluation methodology through surveys addressed to the technicians of the ICT centers, thus guaranteeing the confidentiality, integrity and availability of the information of a military nature contained in the information system with good practices and criteria for structuring, as well as focusing on the different types of problems specific to each center, with its resolution of problems. This work arises from the need to carry out research to the support services, in order to find a synergy between the management models of IT services based on the best practices that are oriented to the processes of incidents and problems, in order to improve the quality of technical support service provided to administrative staff through the technology centers of the military institution.

AUDITORÍA DE SEGURIDAD EN EL PROCESO DE DESARROLLO DE SOFTWARE ACORDE A ESTÁNDAR ISO/IEC 15504 EN UNA INSTITUCIÓN FINANCIERA.
(2019-04-13) Cárdenas Cantos, Blanca de Lourdes; Sotomayor Sánchez, Marco Vinicio
The investigation originates as a response to the lack of assurance of computer processes in certain financial institutions.
The objective was to design and implement a security audit in the software development process according to ISO / IEC 15504 standards at a financial institution. The applied methodology assumed a mixed approach and instruments such as: survey about the software development process, interview with the coordinator of the software development process, and a checklist. The results allowed to observe that most of the sub-processes are fully implemented; only a small number would be partially implemented. Based on this, the audited process is concluded in a consistent manner and under clearly defined parameters and guidelines. The application of the computer security audit to the software development process made it possible to identify several problems that, if not solved, put at risk the operation of the computer systems and, mainly, the security of the clients and partners during the economic transactions.

MODELO DE EVALUACIÓN DE LA GESTIÓN DE TECNOLOGÍA DE INFORMACIÓN BASADO EN COBIT, ITIL, ISO 27002 Y SU EFECTO EN LA COMPETITIVIDAD DE LAS COOPERATIVAS DE AHORRO Y CRÉDITO DE LA ZONA Y SEGMENTO 1
(2019-04-13) Cando Salas, Eduardo Patricio.; González Carrión, Raúl Vicente
The implementation of best practices should be consistent in the management of information technology (IT), based on a risk control and management framework integrated with other methodologies and practices in compliance with the regulatory requirements of the Savings Cooperatives and Credit; the objective of this research focuses on designing an IT management evaluation model, based on the reference models COBIT 5, ITIL v3 and ISO 27002, to determine the competitiveness of cooperatives in the zone and segment 1; the methodology used was applicative, qualitative, explorative, bibliographic and case study in two cooperatives of segment 1, which by confidentiality criteria named by size as large GR and medium MD.
A model was designed that contains the criteria that are related between COBIT 5, ITIL v3 and ISO 27002, applied to the COACs of study, as main results were obtained: none of the cooperatives has ISO certification, the cooperatives case of study and validation are reaching an average maturity in IT management by 58.44%, with the GR and B cooperatives being better located. For the validation of the instrument, it was applied in three cooperatives with similar characteristics and segment 1, categorized as: A, B, and C, which allowed demonstrating that the proposed model is comprehensive and applies to all types of cooperatives in segment 1 of Ecuador.

EVALUAR LA EFECTIVIDAD EN LAS POLÍTICAS DE LA SEGURIDAD Y CIFRADO DE LOS PROTOCOLOS H.323 Y SIP CON SSL PARA REDES VOLP.
(2019-05-13) Barriga Arizabala, Johnny Gerardo; Durango Espinoza, Rayner Stalyn
The relevant documentation addresses the issue of security in Voice over Internet protocol systems, from a theoretical, cognitive and analytical perspective through a survey conducted to 100 experts in digital security in the main companies of Machala in order to measure the effectiveness of the protection policies developed in the H.323 and SIP standards. A literary revision is executed when compiling criteria of authors understood in the matter, around the premises, qualities, parameters or reagents that characterize the cited regulations; the applied methodology is Delphi and descriptive based on a descriptive analysis, thanks to the correlations provided by the SPSS software.
The purpose of the research is to differentiate which standard is better in terms of security, while measuring the degree of protection offered by the VoIP system, verifying which variables are the most relevant to ensure fidelity, quality and integrity in the data packages; recommendations or observations are also highlighted that allow optimizing the potential in the use of digital systems according to contemporary trends in technological performance, related to the field of telecommunications.

PROPUESTA DE UN MARCO DE TRABAJO PARA LA EVALUACIÓN DE MADUREZ DE LA GESTIÓN DE SEGURIDAD DE LA INFORMACIÓN EN UN RETAIL DE LA CIUDAD DE GUAYAQUIL
(2019-02-13) Astudillo Herrera, Juan Antonio.; Stracuzzi Pástor, Salvattore Giulliano.; Reyes Zambrano, Gary Xavier
The general objective of this article was to design a framework for evaluating the level of maturity of information security management (ISM) in an organization specialized in the mass commercialization of products (RETAIL) in the Guayaquil city to provide evidence that they know the status of their main business processes with relation to information security (IS). The approach is qualitative, with a descriptive scope based on the revision of maturity assessment models in conjunction with ISM standards. The results obtained identify a low level of maturity of the main business processes of the RETAIL.

VALIDACIÓN DEL INSTRUMENTO SELF REPORT HABIT INDEX (SRHI) PARA MEDIR LA FUERZA DEL HÁBITO EN EL USO DE LOS SISTEMAS DE INFORMACIÓN EN EL SECTOR HOSPITALARIO.
(2019-03-13) Vélez Drouet, Gustavo Mauricio; Galán Abril., Juan Antonio; Bolaños Burgos, Francisco Josep
The objective of this study is to validate the Self Report Habit Index to measure the strength of a public institution's habit in the hospital sector, 3 scenarios were developed in relation with the first 3 most relevant information security policies in the hospital.
The items were evaluated with a Likert scale of 5 categories: (1) never, (2) almost never, (3) sometimes, (4) almost always, and (5) always. The analysis of the results was carried out by means of the correlations of the items associated with the frequency and automaticity in each scenario with a sample of 70 medical officers from different specialties. The results show a probability greater than or equal to 0.50 in the 12 items demonstrating a high level of reliability and validity of the SRHI to measure habits of sharing their passwords of access to the information systems in the officials, evidenced in the most relevant policies.

DESARROLLO DE UN OBSERVATORIO TECNOLÓGICO ENFOCADO A LA SEGURIDAD DE LA INFORMACIÓN PARA INSTITUCIONES DE EDUCACIÓN SUPERIOR (IES)
(2019-02-13) Vivanco Toala, Danny; Chilán, González,; Ingrid; Cevallos Gamboa, Antonio
The objective of the study of this research is the development of a technological observatory, oriented towards information security for higher education institutions. To do this, by reviewing the literature and success cases, an analysis was made of the multiple functionalities that these provide and their main characteristics to contribute to knowledge. In addition, through the interview with key informants, it was possible to validate the architecture developed and the relevance of this in the Ecuadorian context. Also, the analysis of the results obtained from the surveys made to key informants, where all agree that they are "in agreement or totally in agreement" with the proposed proposal of the Technological Observatory.
It is concluded that the development of a technological observatory on information security is an important tool for knowledge management, dissemination, collaboration and support in the academic-scientific field.

ANÁLISIS DE LA EFICIENCIA DE LOS IDS OPEN SOURCE SURICATA Y SNORT EN LAS PYMES
(2019-02-13) Zambrano B., Alfonso; Guailacela, Franklin; Pacheco, Rubén
The advance of information technologies in computer networks, of the means of communication serving a company's objectives and, at the same time, in the targets of computer attacks, for example, edge or Internet access equipment that has been limited to closing or concealing communication ports. Hence the need for equipment that raises alerts and allows prevention and response measures to be taken, such as intrusion detection systems (IDS), which are an additional capability for security against attacks and the reported responses of antivirus signatures. The objective of this article is to analyze the efficiency of two IDS, Snort and Suricata, within a virtualized infrastructure with a configuration that organizes packet traffic for better analysis and storage devices that minimize data write and read latency, so that it can be determined which IDS is more efficient under high workloads and so that a company can make the decision most compatible with its strategic objectives.
As a result, it was concluded that traffic redirection resumed the IDS work with the help of network segmentation, in addition to the use of a solid-state disk that eliminates high read and write latency and optimizes detection analysis time; on the other hand, the detection time and the memory and processor consumption at a traffic flow of 1000 Mbps determined that there is not much difference, nor is the basic threshold of a basic work computer exceeded; both IDS are capable of the main attack reports in an infrastructure, however, it occurred in their installation.

METODOLOGÍA PARA LA IMPLEMENTACIÓN DE UN SISTEMA DE GESTIÓN DE SEGURIDAD DE LA INFORMACIÓN ISO/IEC 27001: PARA SOPORTE DE ÁREAS DE ADMISIÓN Y ATENCIÓN DE UN HOSPITAL PÚBLICO
(2019-03-13) Mazorra Olmedo, Erik Ramiro; Pacheco Villamar, Rubén Antonio
The present study analyzes the way to obtain and to propose a methodology that is applicable locally, in a pragmatic way, and dynamic, when implementing an Information Security Management System (ISMS), based on ISO / IEC 27001 for public in Ecuador, by studying similar projects in the health area, in other countries, and even in other industry verticals. Therefore, the importance of ICTs for the internal processes that hospitals have was analyzed and discussed. Once the level of the importance of the ICTs was understood and determined, the need for information security in each process was analyzed to protect financial resources, information, legal situation and other goods, tangible and intangible, that also allow the internal management of all areas to be safeguarded.
Finally, an adequate methodology is proposed for the implementation of a management system based on: 1) maintaining the inventory of information assets, 2) cataloging the processes of the organization, 3) manage the catalog of threats and vulnerabilities, 4) calculate the appraisal of information assets, 5) record and maintain the identification of risks, 6) manage the risk assessment, 7) manage the assignment of responsible for monitoring and actions for the treatment of risks, 8) record the association of documentary evidence, 9) generate reports and queries of monitoring for the management of controls of the Standard and 10) generate the declaration of applicability.

LA CONTINUIDAD DE NEGOCIO EN LAS INSTITUCIONES DE EDUCACIÓN SUPERIOR DEL ECUADOR. CASO DE ESTUDIO
(2019-02-13) Angulo Murillo, Navira Gissela; Cárdenas Encalada, Jhoanna Jackeline; Bolaños Burgos, Francisco Josep
The objective of this article is to evaluate the level of maturity of the business continuity management system of a public sector university. A valuation instrument was applied, reviewed by experts, in order to assess compliance by clauses and dimensions: context of the organization (4), leadership (3), planning (3), support (5), operation (5), evaluation of performance (3) and improvement (2). The questions were assessed using a Likert scale of five levels (Nonexistent (0), Initial (1), Repeatable (2), Managed (3), Optimized (4)). The analysis of the results was made by clause and in a manner The results show that the maturity level of business continuity management of the university is 0.
On the other hand, this study shows the need to establish an instrument to validate business continuity in higher education institutions, which decreases the bias of the instruments that are used in other organizations with different business areas, which will facilitate the implementation of a SGCN in this type of educational organizations.

DISEÑO VALIDACIÓN E IMPLEMENTACIÓN DE INDICADORES DE GESTIÓN DE TECNOLOGÍA DE LA INFORMACIÓN, PARA INSTITUCIONES FINANCIERAS DEL ECUADOR, UTILIZANDO COMO REFERENCIA BSC, COBIT, ITIL ISO
(2016-09) Tello Chevalier, Karen Gabriela; Trujillo Granados, Héctor José; Gonzalez Carrión, Raúl Vicente
The present work consists of the design of a proposal of indicators of information technology management that is feasible to be applied to financial institutions of Ecuador, which were elaborated based on the reference frameworks and the dispositions of the organisms of control; proposal that was developed and submitted to a validation by an expert judgment [7], taking as reference the phases detailed in the Delphi methodology, through which it was possible to obtain the necessary feedback and apply the improvements to enrich the proposal of the work. The aforementioned work involved the design, validation and implementation of 22 management indicators, whose objective was to adopt the instrument in one of the most relevant financial institutions in Ecuador, which served to observe IT performance and make decisions that mainly support optimization, its management and the application of corrective measures.
With all the results presented, it was finally shown that the instrument is capable of being implemented in the different financial institutions of Ecuador.

MARCO DE REFERENCIA PARA EL DESARROLLO E IMPLEMENTACIÓN DE PLANES DE CONTINUIDAD DE NEGOCIO EN PYMES DEL SECTOR INMOBILIARIO DEL ECUADOR.
(2018-08) Solis Orobio, Juan Carlos; Gonzalez Carrión, Raúl Vicente
The real estate industry of Ecuador has been affected by disruptive events of different nature in recent years, the levels of impact of these events have been measured from different perspectives by governmental and private entities; this is compounded by the progressive competition among organizations in the industry, increasingly demanding demands from customers and interested parties and high operating costs of several of these organizations. These factors commit companies to be firm in the operation of their key processes, so that, regardless of their size, they can continue to operate in the event of disruptive events. The present research work is the compendium of a thorough literature review and the analysis and interpretation of a qualitative research that has sought to study this particular problem of the sector; with the results obtained, it has been possible to develop a methodological reference framework for the implementation of continuity plans in these companies, which is adapted to the reality and limitations observed in these companies and uses the guidelines of the ISO 22301:2012 standard as a basis.
Finally, the research work leaves open doors to new researches after the implementation of the proposed reference framework, such as the subsequent measurement of results through the use of administrative tools.

ANÁLISIS DE LLAVES DE CIFRADO AUTOMÁTICOS PARA ENTIDADES FINANCIERAS DEL ECUADOR
(2018-06) Silva Zambrano, Cristhian Fabricio; Merchán Millán, Christian Mauricio
This article analyzes the life cycle of ATM encryption keys for financial entities in Ecuador, with the aim of presenting recommendations on the operating processes involved. The national standard for operational risk JB-2014-3066 of the Banking Board of Ecuador, and the international standard PCI DSS, were used as a basis to prepare a survey on the analysis of the life cycle of encryption keys. The financial entities evaluated decided to keep their commercial names in reserve. The personnel surveyed correspond to risk departments, operation of ATMs, security and information technologies. It was identified that the most critical vulnerability is found in the training of personnel in the departments of operation of ATMs, risk and information security. It has been determined as an opportunity for improvement, to evaluate the loss of confidentiality of the encryption keys, and its impact on the economy and reputation of financial entities. It is concluded, based on the regulations, that financial entities comply with minimum security requirements for the life cycle of encryption keys, however, lack of staff training, the constant evolution of technologies, and low level of security commitment of senior management, generate new risks.
One factor that was not analyzed in this study is the financial performance of a financial institution and its influence on the investment in security of the life cycle of ATM encryption keys.

POLARIDAD DE LAS OPINIONES EN REDES SOCIALES APLICADA A LA CLASIFICACIÓN DE LOS SERVICIOS UNIVERSITARIOS
(2017-06) Sanchez Guerrero, Mentor Javier; Echeverria Reyes, Joe
The present research fulfills the objective of using the Big Data generated through the opinions of the social networks of the Institutions of Higher Education, which are free of biases when manifesting about the IT services offered by these institutions, providing a bank of data that serves as raw material for data mining and text that is used to guide the ITIL process in its Service Strategy phase. The mining process uses the methodology known as CRISP - DM that obtains values that determine the quality of the service studied, giving an input for the decision making that will allow to maintain, improve or eliminate the IT service analyzed. Finally, it is concluded that using social networks to know the opinions of the IT services offered by the institutions and at the same time applying a mining process to guide the adaptation of ITIL best practices is a reliable process because the users feel in the freedom to comment on the service received.