06 INFORMATION SYSTEM SECURITY - … · With more than 10,000 computers, security budgets often...

Post on 06-Mar-2019


INFORMATION SYSTEM SECURITY

Prepared By : Afen Prana, http://afenprana.wordpress.com

06

BUILDING A SECURITY PROGRAM

2

Upon completion of this chapter, you should be able to:

Recognize & understand the organizational approaches to infosec

List & describe the functional components of the infosec program

Determine how to plan & staff an organization’s infosec program based on its size

Evaluate the internal & external factors that influence the activities & organization of an infosec program

more ...

3

List and describe the job titles and functions performed in an infosec program

Describe the components of a security education, training, & awareness program & understand how organizations create and manage these programs

4

Some organizations use the term security program to describe the entire set of personnel, plans, policies, & initiatives related to infosec

InfoSec program: used here to describe the structure & organization of the effort that contains the risks to the organization’s information assets

5

Several variables determine how an infosec program is structured:

Organizational culture

Size

Security personnel budget

Security capital budget

6

“…When organizations grow large, their security departments cannot keep up with the ever-increasing demands of a complex organizational infrastructure. Security spending per user & per machine declines exponentially as the organization grows, when it comes to implementing effective security procedures.”

7

Infosec departments in large organizations tend to form & re-form internal groups to meet long-term challenges, even as they handle day-to-day security operations.

Functions are most likely to be separated into groups

8

In very large organizations, with more than 10,000 computers, the security budget often grows faster than the IT budget

Even with a large budget, the average amount spent on security per user is still smaller than in other types of organizations

Where small organizations spend more than $5,000 per user on security, very large organizations spend about 1/18 of that, roughly $300 per user

9

Very large organizations, however, do a good job in the policy and resource management areas, although only 1/3 of organizations handle incidents according to an IR plan

10

In large organizations, with 1,000 to 10,000 computers, the approach to security has often matured, integrating planning & policy into the organizational culture

Unfortunately, large organizations do not always put large resources into security; considering the very large numbers of computers & users involved, they tend to spend proportionally less on security

11

The security approach in large organizations separates 4 functional areas:

1. Functions performed by non-technology business units outside IT

2. Functions performed by IT groups outside the infosec area

3. Functions performed within the infosec department as customer service

4. Functions performed within the infosec department as compliance

12

It is the CISO’s responsibility to see that infosec functions are adequately performed somewhere within the organization

The deployment of full-time security personnel depends on a number of factors, including the sensitivity of the information to be protected, industry regulations, & general profitability

The more funds a company can dedicate to its personnel budget, the more likely it is to maintain a large infosec staff

13

14

15

Medium-sized organizations, 100-1,000 computers ...

Have a smaller total budget

Have a security staff the same size as a small organization, but with greater needs

Must rely on help from IT staff for planning & practice

Ability to set policy, handle incidents in a regular manner, & allocate resources effectively, overall

16

Medium-sized organizations, 100-1,000 computers

May be large enough to implement a multi-tiered approach to security, with fewer dedicated groups & more functions assigned to each group

Medium-sized organizations tend to ignore some security functions

17

18

Small organizations, 10-100 computers: simple, centralized IT organizational model

Spend disproportionately less on security

InfoSec in a small organization is often the responsibility of a single individual

more ...

19

Such organizations have simple approaches to formal policy, planning, or measurement

Commonly outsource their Web presence or electronic commerce operations

Security training & awareness are usually conducted on a 1-on-1 basis

more ...

20

Issue-specific policies

The threat from insiders may be smaller where every employee knows all the other employees

21

22

In large organizations, InfoSec is often placed within the IT department, led by a CISO who reports directly to an executive, or to the CIO

Naturally, an InfoSec program sometimes conflicts with the goals and objectives of the IT department as a whole

23

Given the goals and objectives of the CIO & CISO, it is not difficult to understand separating infosec from the IT division

The challenge is to design a reporting structure for the InfoSec program that balances the needs of each community

24

25

26

27

28

29

30

Other options:

Option 7: Internal Audit

Option 8: Help Desk

Option 9: Accounting & Finance through IT

Option 10: Human Resources

Option 11: Facilities Management

Option 12: Operations

31

Security Program Components

An organization’s InfoSec needs are unique to the organization’s culture, size & budget

Determining what level of infosec program to run depends on the organization’s strategic plan; in particular, on its vision and mission statements

The CIO & CISO need to use these 2 documents to formulate a mission statement for the infosec program

32

InfoSec positions can be classified into 1 of 3 types:

1. Definers, 2. Builders, & 3. Administrators

33

Definers

Provide policies, guidelines and standards; conduct consulting & risk assessment; strengthen product & technical architectures; senior people with broad knowledge

Builders

The real techies; create & install security solutions

Administrators

Operate & administer security tools & the security monitoring function

Work continuously to improve processes

34

A typical organization has a number of individuals with infosec responsibilities

Although titles may vary, most job functions fit one of the following:

Chief infosec Officer (CISO)

Security managers

Security administrators & analysts

Security technicians

Security staff

35

36

The help desk is an important part of the infosec team, enhancing the ability to identify potential problems

When a user contacts the help desk with a complaint about their computer, network connection, or Internet, the user’s problem may turn out to be a much larger problem, such as a hacker attack, a DoS attack or a virus

Because help desk technicians perform special tasks in infosec, they need special training

37

Security Education, Training, & Awareness Programs

Designed to reduce security breaches

Awareness, training, & education programs offer 2 main benefits:

1. Improving employee behavior

2. Enabling the organization to hold employees accountable for their actions

38

A SETA program consists of 3 elements:

1. security education

2. security training

3. security awareness

39

The goal of SETA is to improve security ...

by building the in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

by developing skills & knowledge so that computer users can perform their jobs while using IT systems more securely

by improving the awareness needed to protect system resources

40

Comparison of SETA Frameworks

41

Security training involves providing detailed information & instructional notes that give users the skills to perform their duties correctly

42

Two methods for customizing training

1. Functional background

General user, Managerial user, Technical user

2. Skill level

Novice, Intermediate, Advanced

43

Using the wrong training method can:

Hinder the transfer of knowledge

Lead to unnecessary expense & frustration, with workers poorly trained

44

A good training program:

Uses the latest learning technologies and best practices

Uses centralized public courses & on-site training

Task-oriented modules & training sessions

45

The choice of training method is not always based on what gives participants the best results

Other factors, such as budget, scheduling, & organizational needs, often come first

46

Training delivery methods:

One-on-One

Formal Class

Computer-Based Training (CBT)

Distance Learning/Web Seminars

User Support Group

On-the-Job Training

Self-Study (Noncomputerized)

47

Where can you find trainers?

Local training program

Continuing education department

External training agency

Professional trainer, consultant, or someone from an accredited institution to conduct on-site training

In-house training using the organization’s own employees

48

While each organization develops its own strategy, the following 7-step methodology generally applies:

Step 1: Identify program scope, goals, & objectives

Step 2: Identify training staff

Step 3: Identify target audiences

Step 4: Motivate management & employees

Step 5: Administer the program

Step 6: Maintain the program

Step 7: Evaluate the program

49

Security awareness program: one of the least frequently implemented, but most effective security methods

Security awareness programs:

set the stage for training by changing organizational attitudes to realize the importance of security & the adverse consequences of its failure

remind users of the procedures to be followed

50

SETA best practices

When developing an awareness program:

Focus on people

Refrain from using technical jargon

Use every available venue

Define learning objectives, state them clearly, & provide sufficient detail & coverage

Keep things light

more ...

51

Don’t overload the users

Help users understand their roles in InfoSec

Take advantage of in-house communications media

Make the awareness program formal; plan & document all actions

Provide good information early, rather than perfect information late

52

10 Commandments of InfoSec Awareness Training

I. InfoSec is a people, rather than a technical, issue

II. If you want them to understand, speak their language

III. If they cannot see it, they will not learn it

IV. Make your point so that you can identify it & so can they

V. Never lose your sense of humor

more ...

53

VI. Make your point, support it, & conclude it

VII. Always let the recipients know how the behavior that you request will affect them

VIII. Ride the tame horses

IX. Formalize your training methodology

X. Always be timely, even if it means slipping schedules to include urgent information

54

Security awareness & security training are designed to modify any employee behavior that endangers the security of the organization’s information

Security training & awareness activities can be undermined, however, if management does not set a good example

55

Effective training & awareness programs make employees accountable for their actions

Dissemination & enforcement of policy become easier when training & awareness programs are in place

Demonstrating due care & due diligence can help indemnify the institution against lawsuits

56

Awareness can take on different forms for particular audiences

A security awareness program can use many methods to deliver its message

Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning-out process (acclimation)

Awareness techniques should be creative & frequently changed

57

Security awareness components, from inexpensive to very expensive

Security awareness components include:

Videos

Posters & banners

Lectures & conferences

Computer-based training

Newsletters

Brochures & flyers

Trinkets (coffee cups, pens, pencils, T-shirts)

Bulletin boards

58

A security newsletter is a cost-effective way to disseminate security information

In the form of paper, e-mail, or intranet

Goal: keep infosec uppermost in users’ minds & stimulate them to care about security

59

Newsletters might include:

Threats to the organization’s info assets

Schedules for upcoming security classes & presentations

Addition of new security personnel

Summaries of key policies

Summaries of key news articles

Announcements relevant to infosec

How-to’s

60

A security poster series can be a simple & inexpensive way to keep security on people’s minds

Professional posters can be quite expensive, so in-house development may be the best solution

61

Keys to a good poster series:

Varying the content & keeping posters updated

Keeping them simple, but visually interesting

Making the message clear

Providing information on reporting violations

62

63

I like some other posters better.

(see www.despair.com)


64

Trinkets (small giveaway items) may not cost much on a per-unit basis, but they can be expensive to distribute throughout an organization

Several types of common trinkets:

Pens & pencils

Mouse pads

Coffee mugs

Plastic cups

Hats

T-shirts

65

66

Organizations can establish Web pages or sites dedicated to promoting infosec awareness

As with other SETA awareness methods, the challenge lies in updating the messages frequently enough to keep them fresh

67

Some tips on creating & maintaining an educational Web site:

See what’s already out there

Plan ahead

Keep page loading time to a minimum

Seek feedback

Assume nothing & check everything

Spend time promoting your site

68

Another means of renewing the infosec message is to have a guest speaker or even a mini-conference dedicated to the topic of infosec

Perhaps in association with National Computer Security Day: November 30

69

Summary

Organizing for Security

Placing InfoSec Within An Organization

Components of the Security Program

InfoSec Roles & Titles

Implementing Security Education, Training, & Awareness Programs