Creation of an information assurance guide for software applications in the Sistema Nacional de Certificación Digital (National Digital Certification System) on the internet
Date
2021
Type
Master's thesis
Authors
González Herrera, Andrés
Abstract
In Costa Rica, the Law on the Protection of Persons Regarding the Processing of their Personal Data (Ley de Protección de la Persona frente al tratamiento de sus datos personales) places the responsibility for securing personal data on whoever is responsible for storing it. This legal obligation means that even institutions such as the BCCR must build highly secure platforms, especially for systems as critical as the Digital Signature (Firma Digital).
The BCCR already operates a tool that lets users sign digitally through a desktop application, and progress has been made on defining a new tool for signing from a mobile device. An assurance guide is therefore needed that covers the new scenarios, namely access over the internet and from mobile devices, as well as access from the desktop application currently in use. From this followed the need to verify that the platform correctly implements the corresponding security services and follows good implementation practices at the source-code level.
The general objective of this research was to develop an information assurance guide for a software application that uses the digital signature services of the Banco Central de Costa Rica. To achieve this, security was addressed from a multidimensional cybersecurity perspective, following a systematic and controlled process through which 72 risks were assessed, 45 security policies were defined, and 24 control objectives were established.
As a result, an implementation guide was proposed that can serve as a tool for assessing compliance with the proposed security requirements.
Keywords
Information technology, Digital signature, Security, Mobile devices, Cryptography