Diseño de modelo de ciberseguridad para instituciones financieras: identificación, clasificación y protección de activos críticos ifa (internet facing applications)

Abstract

This research revolves around developing a design for a cybersecurity best practices model primarily focused on protecting critical Information assets (IFAS) in financial institutions. Through methodological exploration, 4 phases are defined, which in their development seek to provide tools that strengthen the cybersecurity posture of financial entities against continuously evolving threats. The research begins with an analysis of frameworks and standards such as ISO 27001, NIST SP 800-53, and COBIT 2019 that provide tools to identify and classify IFAS critical assets according to the CIA triad (Confidentiality, Integrity, Availability). Subsequently, it evaluates vulnerabilities and security gaps using NIST SP 800-30 risk assessment methodologies, complemented by red team exercises to assess the resilience of critical assets. The main contribution focuses on designing a protection model supported by the definition of technical and administrative controls which are aligned with international standards such as ISO 27001 Annex A and NIST CSF functions (Identify, Protect, Detect, Respond, Recover). This is done through proposed incident response guidelines based on NIST IR 8353 for scenarios such as ransomware attacks and data breaches. The final phase focuses on documenting the guidelines that, in the proposed exercises, support the continuous improvement of cybersecurity maturity in financial entities. This includes asset classification parameters, vulnerability management protocols, and general incident response procedures. The model allows measurement using the CMMI cybersecurity maturity model and the levels defined by NIST CSF, which provides entities with steps to follow in the objective of continuous improvement of their cybersecurity capabilities and their general resilience against threats.