Information, Security, Risk, Controls, Control Objectives and Change
STSN Graduation Ceremony, Ciseeng, Bogor, 10 November 2015
Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM
School of Electrical Engineering and Informatics
Institut Teknologi Bandung
Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM
Current:
• Cybersecurity Nexus Liaison, ISACA Indonesia Chapter
• ISACA Academic Advocate at ITB
• SME for Information Security Standard for ISO at ISACA HQ
• Associate Professor at School of Electrical Engineering and Informatics, Institut Teknologi Bandung
• Chair of the IT Services and Governance Working Group, member of the Information Security Working Group, and member of Technical Committee 35-01 of the National Programme for Standards Development in Information Technology, BSN – Kominfo
• Lead Assessor for the SNI ISO/IEC 27001:2013 Certification Body, KAN
Past:
• Chair of the National ICT Evaluation Working Group, National ICT Council (2007-2008)
• Acting Director of Systems Operations, PPATK (Indonesia Financial Transaction Reports and Analysis Center, INTRAC), April 2009 – May 2011
Professional Certification:
• Professional Engineering (PE), the Principles and Practice of Electrical Engineering, College of Engineering, the University of Texas at Austin. 2000
• IRCA Information Security Management System Lead Auditor Course, 2004
• ISACA Certified Information System Auditor (CISA). CISA Number: 0540859, 2005
• Brainbench Computer Forensic, 2006
• (ISC)2 Certified Information Systems Security Professional (CISSP), No: 118113, 2007
• ISACA Certified Information Security Manager (CISM). CISM Number: 0707414, 2007
Award:
• (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) 2011 award in category Senior Information Security Professional. http://isc2.org/ISLA
Bloom's taxonomy, original and revised

| Bloom (original) | Revised Bloom |
|---|---|
| Knowledge | Remember |
| Comprehension | Understand |
| Application | Apply |
| Analysis | Analyze |
| Synthesis | Evaluate |
| Evaluation | Create |
Topics
• Information and Security
• Risk, Controls, Control Objectives
• Change
• Independence
Governance Objective: Value Creation
ISACA defines information security as something that:
Ensures that information is readily available (availability) when required, and protected against disclosure to unauthorised users (confidentiality) and improper modification (integrity).
Information security, ISACA's version
Information security is a business enabler that is strictly bound to stakeholder trust, either by addressing business risk or by creating value for an enterprise, such as competitive advantage.
At a time when the significance of information and related technologies is increasing in every aspect of business and public life, the need to mitigate information risk, which includes protecting information and related IT assets from ever-changing threats, is constantly intensifying.
Information Security
"......... the government of the state of Indonesia, which shall protect all the people of Indonesia and the entire native land of Indonesia, and in order to advance the general welfare, to develop the intellectual life of the nation, and to contribute to the implementation of a world order based on independence, lasting peace and social justice ........"
Utilizing INFORMATION as the lifeblood of the nation, from the perspective of Economic Growth for the Welfare of the People
National Security
"......... the government of the state of Indonesia, which shall protect all the people of Indonesia and the entire native land of Indonesia, and in order to advance the general welfare, to develop the intellectual life of the nation, and to contribute to the implementation of a world order based on independence, lasting peace and social justice ........"
Utilizing INFORMATION as the lifeblood of the nation, from the perspective of Economic Growth for the Welfare of the People
Topics
• Information and Security
• Risk, Controls, Control Objectives
• Change
• Independence
Risk >< Control
PP 60/2008 on the Government Internal Control System (SPIP)
Article 3(1) of PP 60/2008 names the five elements of the internal control system. The original slide stacks them as layers between two axes: the agency's main duties and functions (TuPokSi), business processes, SOPs, etc. on one side, and laws and regulations on the other.
• Art. 3(1) a. control environment (Internal Control Environment)
• Art. 3(1) b. risk assessment (Internal Control Risk Assessment)
• Art. 3(1) c. control activities (Internal Control Activities)
• Art. 3(1) d. information and communication (Information and Communication Internal Control)
• Art. 3(1) e. monitoring of internal control (Internal Control Monitoring)
Risk-based categorization of controls
Three lines of defence
Principles of SNI ISO/IEC 31000
a. Risk management creates and protects value
b. Risk management is an integral part of all organizational processes
c. Risk management is part of decision making
d. Risk management explicitly addresses uncertainty
e. Risk management is systematic, structured and timely
f. Risk management is based on the best available information
g. Risk management is tailored
h. Risk management takes human and cultural factors into account
i. Risk management is transparent and inclusive
j. Risk management is dynamic, iterative and responsive to change
k. Risk management facilitates continual improvement of the organization
Clause structure of SNI ISO/IEC 27001:2013
4 Context of the organization
• 4.1 Understanding the organization and its context
• 4.2 Understanding the needs and expectations of interested parties
• 4.3 Determining the scope of the information security management system
• 4.4 Information security management system
5 Leadership
• 5.1 Leadership and commitment
• 5.2 Policy
6 Planning
• 6.1 Actions to address risks and opportunities
• 6.2 Information security objectives and plans to achieve them
7 Support
• 7.1 Resources
• 7.2 Competence
• 7.3 Awareness
• 7.4 Communication
8 Operation
• 8.1 Operational planning and control
• 8.2 Information security risk assessment
• 8.3 Information security risk treatment
9 Performance evaluation
• 9.1 Monitoring, measurement, analysis and evaluation
• 9.2 Internal audit
• 9.3 Management review
10 Improvement
• 10.1 Nonconformity and corrective action
• 10.2 Continual improvement
MSS series: ISO 9000, 27000, 14000, 20000 (?)
The SNI ISO/IEC 27000 series (ISMS)
Relationships between Frameworks
(Figure: the slide positions the following frameworks across three layers labelled Governance, IT Governance and IT Management.)
• COBIT 5
• National ICT Governance General Guidelines (Panduan Umum Tata Kelola TIK Nas+)
• ICT Internal Control Evaluation Questionnaire
• COSO Internal Control Framework
• SNI ISO 38500
• PP60/2008 Government Internal Control System (SPIP)
• SNI ISO 27001
• SNI ISO 20000
Relationships between Security Frameworks
(Figure: the slide positions the following frameworks across three layers labelled Governance, Management and Tools.)
• COBIT 5
• National ICT Governance General Guidelines (Panduan Umum Tata Kelola TIK Nas+)
• ICT Internal Control Evaluation Questionnaire
• COSO Internal Control Framework
• SNI ISO 38500
• PP60/2008 Government Internal Control System (SPIP)
• SNI ISO 20000
RSNI ISO 27013
SNI ISO 27014 Governance of Information Security
SNI ISO 15408 Common Criteria
SNI ISO 27001 Information Security Management System
Evaluation Assurance Levels (EAL)
1. Functionally tested
2. Structurally tested
3. Methodically tested and checked
4. Methodically designed, tested, and reviewed
5. Semi-formally designed and tested
6. Semi-formally verified design and tested
7. Formally verified design and tested
Topics
• Information and Security
• Risk, Controls, Control Objectives
• Change
• Independence
Changes in SNI ISO/IEC 27001:2013

| Topic | Change |
|---|---|
| Context of the organization | Environment of the organization |
| Issues, risks and opportunities | Change from preventive action only |
| Interested parties | Change from "stakeholder" |
| Leadership | Requirements for top management |
| Communication | In line with PP60/2008 SPIP Article 3 paragraph (1) letter d |
| Information security objectives | Each level and function must have information security objectives |
| Risk assessment | Identifying assets, threats and vulnerabilities is no longer a requirement for identifying information security risks |
| Risk owner | Replaces the asset owner |
| Risk treatment plan | The effectiveness of the risk treatment plan matters more than the effectiveness of controls |
| Controls | Controls are determined in the risk treatment process, no longer selected from Annex A of SNI ISO/IEC 27001 |
| Documented information | Replaces documents and records |
| Performance evaluation | Includes measurement of the ISMS and of the effectiveness of the risk treatment plan |
| Continual improvement | Methods other than PDCA may be used |
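The rows on risk owners, the risk treatment plan and controls describe one procedure: a named risk owner, a treatment decision that determines the controls, and a check of the plan's effectiveness. The script below is an added example written for this page; it is not from the slides or from the standard. It assumes a 5 x 5 likelihood x impact scoring, a risk appetite of 6, a constructed three-entry register, a constructed custom control CUST-01, and a small subset of Annex A identifiers from ISO/IEC 27001:2013. The final step, comparing the determined controls with Annex A so that no necessary control is omitted, is the clause 6.1.3 c requirement of the 2013 edition rather than something stated on the slide.

```python
"""Risk-driven control determination under SNI ISO/IEC 27001:2013 (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed subset of Annex A reference controls (identifiers as in ISO/IEC 27001:2013).
ANNEX_A: Dict[str, str] = {
    "A.9.2.1": "User registration and de-registration",
    "A.9.4.2": "Secure log-on procedures",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
    "A.13.1.1": "Network controls",
}

RISK_APPETITE = 6  # assumed threshold: likelihood x impact above this must be treated


@dataclass
class Risk:
    rid: str
    description: str
    owner: str                        # risk owner (2013 edition), not asset owner
    likelihood: int                   # 1 (rare) .. 5 (almost certain)
    impact: int                       # 1 (negligible) .. 5 (severe)
    treatment: str = "retain"         # modify / retain / avoid / share
    controls: List[str] = field(default_factory=list)  # determined by the treatment
    residual_likelihood: int = 0      # estimate after the treatment plan is applied
    residual_impact: int = 0

    def level(self) -> int:
        return self.likelihood * self.impact

    def residual_level(self) -> int:
        # A retained risk keeps its inherent level; a treated one uses the estimate.
        if self.treatment == "retain":
            return self.level()
        return self.residual_likelihood * self.residual_impact


def build_register() -> List[Risk]:
    """Constructed sample register: three risks, each with a named risk owner."""
    return [
        Risk("R1", "Ransomware encrypts the shared file server", "Head of Operations",
             likelihood=4, impact=5, treatment="modify",
             controls=["A.12.2.1", "A.12.3.1", "CUST-01"],  # CUST-01: constructed custom control
             residual_likelihood=2, residual_impact=4),
        Risk("R2", "Administrators share one privileged account", "IT Manager",
             likelihood=3, impact=4, treatment="modify",
             controls=["A.9.2.1", "A.9.4.2"],
             residual_likelihood=1, residual_impact=4),
        Risk("R3", "Public brochure PDF is altered on the website", "Communications Lead",
             likelihood=2, impact=1, treatment="retain"),
    ]


def risks_needing_treatment(register: List[Risk], appetite: int = RISK_APPETITE) -> List[str]:
    """Risk ids whose inherent level exceeds the appetite and so need a treatment plan."""
    return [r.rid for r in register if r.level() > appetite]


def determined_controls(register: List[Risk]) -> Set[str]:
    """Controls come out of the treatment decisions, not from a catalogue."""
    return {c for r in register for c in r.controls}


def annex_a_comparison(determined: Set[str],
                       annex_a: Dict[str, str] = ANNEX_A) -> Tuple[Set[str], Set[str]]:
    """Compare determined controls with Annex A (clause 6.1.3 c of the 2013 edition).

    Returns (custom, excluded): controls outside Annex A, and Annex A controls
    that were not determined and therefore need a documented justification.
    """
    custom = determined - set(annex_a)
    excluded = set(annex_a) - determined
    return custom, excluded


def treatment_plan_effectiveness(register: List[Risk],
                                 appetite: int = RISK_APPETITE) -> Dict[str, bool]:
    """True where the residual level after treatment is within the appetite."""
    return {r.rid: r.residual_level() <= appetite for r in register}


if __name__ == "__main__":
    reg = build_register()
    print("needs treatment:", risks_needing_treatment(reg))
    custom, excluded = annex_a_comparison(determined_controls(reg))
    print("custom controls:", custom, "| Annex A controls to justify:", excluded)
    print("plan effective:", treatment_plan_effectiveness(reg))
```

Running it shows R1 and R2 above appetite, CUST-01 as a control beyond Annex A, A.13.1.1 as an Annex A control whose exclusion must be justified in the Statement of Applicability, and R1's plan as not yet effective because its residual level (8) is still above the appetite; that last result is the kind of finding the "risk treatment plan" row says now matters more than control effectiveness on its own.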
Imam Santosa © LPPM ITB 2011
Thank you
INSTITUT TEKNOLOGI BANDUNG