Posts

Showing posts from October, 2021

Classes of money laundering offenses

Very serious offenses

According to article 51 of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing (BC/FT), the following conduct is considered a very serious offense:

1. Breach of the duty to report to SEPBLAC (under article 18 of that Law) when any manager or employee of the obliged entity has internally revealed the existence of indications, or the certainty, that an event or transaction was related to BC/FT (existence of suspicious transactions).

2. Breach of the duty to collaborate (under article 21 of that Law) when there is a written request from the Commission for the Prevention of Money Laundering and Monetary Offenses.

3. Breach of the prohibition on disclosure (under article 24 of that Law) to the client or to third parties that information has been communicated to SEPBLAC or that any operation that could be related to money laundering or financi

What is the Datawarehouse

A data warehouse is a collection of data in which the company's information is integrated and which is used to support the managerial decision-making process. Although many organizations and individuals come to understand the warehouse approach, experience has shown that there are many potential pitfalls. Gathering the appropriate data elements from various application sources into a centralized, comprehensive environment simplifies access to information and, consequently, speeds up analysis and queries and shortens the time needed to make use of the information. Decision-support applications built on a data warehouse make data mining more practical and easier, which improves business efficiency; this is not achieved when only the data from operational applications (those that support the company's day-to-day operations) are used, since that information has to be obtained by running independent and often complex processes.

The security audit according to the LOPD

Articles 96 and 110 of the RLOPD oblige those responsible for files, whether automated or non-automated (manual), to which medium- or high-level security measures apply, to carry out a security audit at least every two years to verify compliance with the security measures in the information systems and in the data processing and storage facilities that support or house files of those security levels, whether automated or manual. Likewise, and on an extraordinary basis, an audit must be carried out whenever modifications are made to the information system that may affect compliance with the security measures implemented, in order to verify their adaptation, adequacy and effectiveness.

The audit report

The audit consists of the review and analysis of each of the security measures applied to medium- and high-level files, which must be reflected in a report identifying the following:

1. The degree of compliance with each of the measures.

2. The deficiencies

How to make a correct sustainable management of technology

On the other hand, the author establishes a classification of the types of technology based on the process and basis of their generation:

1. Artisanal technologies: those technologies of ancient origin that do not use sophisticated means for their execution, since they are generally carried out by hand. Examples: goldsmithing and carpentry.

2. Traditional technologies: technologies that have had no scientific foundation but are the result of the continuous evolution of ingenuity and of the experience acquired over the years. Examples: textile technology and printing.

3. Science-based technologies: all those technologies that have required scientific knowledge as the basis for their emergence and development. An example is the car.

4. Evolutionary technologies: those that appeared at a certain point in history and have evolved over time, adapting to new circum

What is specially protected data

This type of data, usually called sensitive data, belongs to a special category of data which, because of its impact on privacy, requires greater protection than other personal data. This special protection is justified by the fact that, given the information this type of data refers to, its improper processing could damage not only the fundamental right to data protection but other fundamental rights as well. They are regulated in article 7 of the LOPD and are divided into three groups:

1. Data that reveal the ideology, union membership, religion and beliefs of a natural person.

2. Data that refer to racial origin, health and sex life.

3. Data relating to the commission of criminal or administrative offenses.

Processing of data related to ideology, union membership, religion and beliefs

Paragraph 1 of article 7 of the LOPD recalls the mandate contained in article 16.2 of the Spanish Constitution, that

What are the objectives of the audits

Any audit should serve to ensure that the following levels are met:

1. The management system really exists.

2. The management system satisfies the requirements of the audit reference standard.

3. The planned management system is applicable.

4. The management system is applied.

5. The management system is effective and efficient.

In short, an organization, depending on the requirements its management system must take into account (system standards, product requirements, legislation, internal operating criteria, etc.), must define documentation that covers the what, the how, the when, the who and the evidence (records) that will demonstrate that the above points are carried out. When the organization deems it appropriate, an auditor (internal or external) will verify that those points are carried out in accordance with the requirements of a standard and with the documentation established by the organization. The differences found w

ICT trends and evolution

Technologies undoubtedly have the capacity to shape a different future. In fact, technological innovations have always set the pace of change in society. It is worth highlighting what (in the opinion of some experts) will be some of the fundamental characteristics of ICT in the coming years, since they are the basis on which the new services of the Information Society will be able to evolve. It must be borne in mind that many new capabilities are expected from ICT in the next decade and, as in any innovative sector, any forecast carries a degree of uncertainty. However, there is a general consensus among experts on the following trends:

1. Increased processing capacity of devices: the ability to perform complex tasks in real time.

2. High-capacity broadband.

3. Ubiquitous and transparent connectivity in which diverse technologies converge.

4. Intuitive, personalized (based on user knowledge and past use), and con

Codes of conduct

The Electronic Commerce Directive established that the Member States and the Commission should encourage the development of codes of conduct, albeit of a voluntary nature, for information society service providers. To this end, the Directive called on the Member States and the Commission to promote:

1. The drawing up of codes of conduct at Community level, through commercial, professional or consumer associations or organizations, in order to contribute to the proper application of the guiding principles of electronic commerce in the internal market.

2. The voluntary submission to the Commission of draft codes of conduct at national or Community level.

3. The possibility of accessing the codes of conduct electronically in the Community languages.

4. Communication to the Member States and the Commission, by professional and consumer associations or organizations, of their evaluation of the application of their codes of conduct and

Information Security Management System

An ISMS (Information Security Management System) provides a model for creating, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets in order to achieve business objectives. The basis of an ISMS lies in knowing the context of the organization, evaluating the risks and setting the level of risk that the organization's management deems acceptable, so that risks can be treated and managed effectively. Analyzing the requirements for the protection of information assets and applying appropriate controls to ensure the protection of those assets, as necessary, contributes to the successful implementation of an ISMS. The fundamental principles that contribute to the successful implementation of an ISMS are:

1. Understand the organization, its context and the relevant factors that could affect the objectives of the ISMS.

2. Understand the needs of stakeholders

Structure of the ISO 27001: 2013 standard

The structure of the international standard ISO 27001:2013 changes, going from 8 clauses to 10. This derives from its alignment with Annex SL of the ISO/IEC Directives, Part 1, so that it is no longer built explicitly on the PDCA (Plan-Do-Check-Act) model but instead applies the high-level structure, sub-clause titles, identical core text, common terms and core definitions laid down in Annex SL. It therefore remains compatible with the other management system standards that have adopted this Annex (such as ISO 22301, Business continuity management systems - Requirements). At the control level, the new standard, although it increases the number of security domains from 11 to 14, restructures the controls, reducing them from 133 to 114. The standard was published on October 1, 2013. The transition period for companies already certified against ISO 27001:2005 is 2 years.

Summary of changes compared to the 2005 version

1. Removal of the reference to the PDCA continuous i

Understand the organization and its context: ISO / IEC 27001

The organization must determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome of its Information Security Management System. Before starting to design and implement the risk management framework, it is important to assess and understand the external context and the internal context of the organization, since both can significantly influence the design of the framework.

Internal context

The internal context is the internal environment in which the organization seeks to achieve its objectives. The risk management process should be aligned with the culture, processes, structure and strategy of the organization. The internal context is made up of everything within the organization that can influence the way the organization manages its security. This context should be established, since:

1. Risk management is done in the context of the organization's objectives.

2.

How to plan the implementation of an ISMS

Information security objectives and planning to achieve them

The organization shall establish information security objectives at the relevant functions and levels. Information security objectives shall:

1. Be consistent with the information security policy.

2. Be measurable (if practicable), for instance in terms of economic cost, personnel and execution time.

3. Take into account the applicable information security requirements, and the results of the risk assessment and risk treatment.

4. Be communicated.

5. Be updated as appropriate.

Normally, the security objectives are defined annually after the meeting of the Security Committee and usually include training, the application of new controls to reduce the level of risk, and improvements to the controls already applied. The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the

Risk analysis and impact assessments: GDPR

The introduction of the obligation to carry out risk analyses or privacy impact assessments is probably one of the main novelties introduced by the new personal data protection regulation. A data protection impact assessment (DPIA) is an analysis of the risks that a product or service may pose to the protection of the data of those affected and, as a consequence of that analysis, the management of those risks by adopting the measures needed to eliminate or mitigate them. A DPIA is a tool that goes beyond an assessment of regulatory compliance (although, obviously, verifying such compliance is an integral part of any DPIA) and reaches as far as the privacy expectations people hold regarding any processing of their personal data, as well as the general perceptions of society or, specifically, of the groups most affected by the processing in question. Specifically, the GDPR (RGPD in Spanish) establishes that in those cases in which it is likely that the proc