Kominfo Solo - Standar Keamanan Informasi v 1-1.1
Information Security Standards
Solo, 28 June 2012

Ir. Hogan Kusnadi, MSc
CISSP-ISSAP (Certified Information Systems Security Professional, Information Systems Security Architecture Professional), SSCP (Systems Security Certified Practitioner), CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager)
Certified Consultant for ISO 27001/27002
Founder and Director, PT. UniPro Nuansa Indonesia
E-mail: [email protected]
www.unipro.co.id
blog.unipro.co.id
Activities and Memberships Related to Information Security
• Chair of the Ministry of Communication and Informatics (Kominfo) and BSN working group on information security, adopting the ISO 27000 series as SNI (2012).
• MASPI (Masyarakat Sandi dan Keamanan Informasi): founding member and Head of Competency Development (2006).
• (ISC)2 (International Information Systems Security Certification Consortium), member.
• ISACA (Information Systems Audit and Control Association), member.
• Former member of the Minister of Communication and Informatics' "Task Force for Securing and Protecting IT-Based Strategic Infrastructure" (2004).
• Former member of the EVATIK working group, DETIKNAS (2007).
Launch of SNI-ISO 20000 and 27001, Kominfo and BSN, October 2009
Information Security Training
Secure Asia Singapore July 2010
Recipient of the ISLA Awards 2011 (Indonesia)
Rapid Growth of ICT (Information and Communication Technology)
Access and transactions:
• Anywhere
• Any time
• Anyone
e- and Mobile Commerce
Electronic transactions are everywhere:
• Commerce
• Micropayment
• Auction
• Government
• Learning
• Game
• etc
The Importance of Understanding Information Security Risk
Two Sides of Technology: Benefits vs Risks

Benefits
• Multi-function
• Flexible
• Easy to use
Technologies: database applications, web applications, client-server, networking integration, cloud computing.

Security properties at stake: confidentiality, integrity, availability, authenticity, non-repudiation.

Risks
• Identity theft
• Information theft
• Industrial/state espionage
• Distributed denial of service
• Sabotage, cyber weapons
• Cyber war
Cyber Attacks (affecting individuals, corporations and countries)
• Malware (virus, worm, keylogger, spyware, trojan, botnet, etc.)
• DoS, DDoS
• Account hijacking
• Misuse of IT resources
• Web defacement
• Spam, phishing, typosquatted sites
• Identity theft
• Data leakage / information theft
• Web transaction attacks
• Cyber espionage
• Attacks on control systems
• Cyber weapons / cyber war
• Country / national security

How do we mitigate the risk?
Information Security Risk
[Figure: business processes and information assets at the centre; risk acts on them, protection keeps them safe.]
Dimension of Information Security
• People
– Hiring, Awareness, Training/Education, Compliance, Relocation, Termination.
• Process (Information Security Management System)
– Information Security Policy, Security Management Implementations & Practices, and Assurance Controls
• Technology
– Hardware, Software, Networking, Telecommunication
Regulation and Best Practice
• Government and industry regulation
– UU ITE 2008 (supporting Government Regulation, 2010)
– PP 60/2008
– PBI (Bank Indonesia Regulation) 2007
– SNI-ISO 27001
– Basel II (banking industry)
– PCI-DSS (Payment Card Industry Data Security Standard)
– SOX (Sarbanes-Oxley Act), J-SOX (Japanese SOX)
• Best practice / standards / frameworks
– COBIT framework
– COSO Enterprise Risk Management framework
– ISO 27001 (SNI-ISO 27001, October 2009), ISO 27002
– HISA framework
Information Security Governance
Information security governance is a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organisational resources responsibly, and monitors the success or failure of the enterprise security programme.

The Key Role of Management
The Role of Management
It is essential for management to ensure that adequate resources (organisation, people, budget and time) are allocated to support the information security strategy as a whole.

Management Responsibilities: Management Commitment
• Communicate the importance of meeting information security objectives, both for the business and for the applicable laws and regulations, and keep pursuing continual improvement.
• Establish the information security policy, its objectives and plans.
• Conduct management reviews.
• Decide the acceptable level of risk.
Management Responsibilities: Providing Resources
• An organisation that operates the ISMS (SMKI)
• Adequate controls for information security
• An adequate budget
• A balance between the resources required, the time available and the targeted level of security

Management Responsibilities: Training, Awareness and Competence
• The people appointed to manage the ISMS must be competent in information security.
• Provide training.
• Ensure employees are aware of information security.
SNI-ISO 27001
Information Security Management System (SMKI): the eleven control domains
1. Information security policy
2. Organisation of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
http://sisni.bsn.go.id/index.php/sni_main/sni/detail_sni/10233
The 11 Domains of ISO 27001 and 27002
Organisational aspect:
• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Business continuity management
• Compliance
Technical aspect:
• Access control
• Communication and operation management
• System development and maintenance
• Information security incident management
Physical aspect:
• Physical and environmental security
Legend: 11 domains, 39 control objectives, 133 controls.
ISO 27000 Series
• 27001:2005 - Attainable certification (already adopted as SNI)
• 27002:2005 - Code of practice
• 27006:2007 - Certification body process
• 27011:2008 - Information security management for telecommunications organizations
• 27799:2008 - Health care organizations
• 27000:2009 - Glossary of terms
• 27004:2009 - Information security measurement
• 27033-1:2009 - Network security
• 27003:2010 - Implementation guide
• 27007:2011 - ISMS auditing guide
• 27008:2011 - Technical auditing (TR, Technical Report)
• 27005:2011 - Risk management
• 27031:2011 - Business continuity
• 27034-1:2011 - Application security
• 27035:2011 - Incident management
• 27010:2012 - Inter-organization communications (critical infrastructure)
Layered Protection (Technical)

Network security (routers, firewalls, switches): a firewall in front of the web server and a second firewall between the web server and the database server.

Host security (web server, database server): patches, accounts, ports, services, files/directories, registry, protocols, auditing/logging, shares.

Software security: input validation, session management, authentication, parameter manipulation, authorization, cryptography, sensitive data protection, exception management, configuration management, auditing/logging.
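The software-security layer above lists "parameter manipulation" as a control area without showing what it looks like in code. The following is an added example, not code from the slides or from the speaker: a checkout parameter set (item, price, quantity) that round-trips through the client is signed with an HMAC under a server-side key, and the server verifies the signature before it validates the values or runs any business logic. It also shows the "input validation" and "exception management" items from the same slide. The key, the field names, the function names and the sample request are all constructed for illustration.

```python
"""Defending against parameter manipulation in the software-security layer.

Added example, not code from the original slides. Values that round-trip
through the client (a price or quantity in a checkout URL, a hidden form
field) can be edited by the user, so the server must either not trust them
or be able to detect changes. This block signs the parameters with an HMAC
under a server-side key and checks the signature before any business logic.
The key, field names and requests are constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(params):
    """Deterministic encoding so both sides sign exactly the same bytes."""
    return urlencode(sorted(params.items())).encode()


def sign_params(params, key=SERVER_KEY):
    """Return a copy of params with a 'sig' field (hex HMAC-SHA256)."""
    sig = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    return dict(params, sig=sig)


def verify_params(signed, key=SERVER_KEY):
    """Return the parameters if the signature is present and valid, else None."""
    if "sig" not in signed:
        return None
    params = {k: v for k, v in signed.items() if k != "sig"}
    expected = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    # compare_digest: constant-time comparison, no timing leak of the mismatch position
    if not hmac.compare_digest(expected, signed["sig"]):
        return None
    return params


def issue_checkout_link(item, price_idr, qty, key=SERVER_KEY):
    """Server side: build the query string the client will later send back."""
    params = {"item": item, "price_idr": str(price_idr), "qty": str(qty)}
    return urlencode(sign_params(params, key))


def handle_checkout(query_string, key=SERVER_KEY):
    """Server side: integrity check first, then input validation, then logic.

    Returns ("ok", order) or ("reject", reason). Reasons are deliberately
    generic (exception management: no internals or stack traces to the client).
    """
    signed = dict(parse_qsl(query_string, keep_blank_values=True))
    params = verify_params(signed, key)
    if params is None:
        return ("reject", "signature mismatch")
    try:
        item = params["item"]
        price = int(params["price_idr"])
        qty = int(params["qty"])
    except (KeyError, ValueError):
        return ("reject", "malformed parameters")
    if not item.isalnum() or price <= 0 or not 1 <= qty <= 100:
        return ("reject", "value out of range")
    return ("ok", {"item": item, "total_idr": price * qty})


if __name__ == "__main__":
    link = issue_checkout_link("book", 50000, 1)
    print("issued  :", link)
    print("honest  :", handle_checkout(link))
    # The attacker edits the price in the URL; the signature no longer matches.
    print("tampered:", handle_checkout(link.replace("price_idr=50000", "price_idr=5")))
```

The HMAC proves the server produced these values; it does not prove that this client may use them or that the link is fresh. To stop replay and cross-user reuse, include the session or user identifier and an expiry among the signed parameters, and, where possible, avoid the problem entirely by sending only an item identifier and looking the price up server-side.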
"LinkedIn confirms hack, over 60% of stolen passwords already cracked" (6 June 2012)
"All but two of the Conficker passwords were used by someone in the 6.5 million user password dump. The two passwords that weren't found were 'mypc123' and 'ihavenopass'."
http://nakedsecurity.sophos.com/2012/06/06/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked/
Conficker passwords (note: the first Conficker variant appeared in November 2008)
Joseph Bonneau's Password Research Findings (University of Cambridge computer scientist)
http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords-slides.pdf
• Experiment run 23–25 May 2011
• Around 70 million passwords from Yahoo users
• Too many users were using words found in a typical dictionary
• Indonesians were the worst offenders in relying on common dictionary words: Bonneau could find the correct password for 15 per cent of Indonesian users after 1,000 attempts per account using the most common words in the dictionary.
http://nasional.kompas.com/read/2012/06/04/17545317/Soal.Password..Indonesia.Negara.Terlemah
Password Tips
• Minimum 8 characters
• Letters and digits
• UPPER and lower case
• Special characters
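The tips above, the Conficker/LinkedIn slide and the Bonneau figure are three views of the same problem, so one added example serves all three. It is not code from the slides or from the speaker. `check_policy()` encodes the four tips and adds a blocklist check, which is the control the Conficker slide argues for; `guess_success_rate()` computes the measure behind "15 per cent after 1,000 attempts": the share of accounts that fall to an attacker who tries a fixed number of guesses against every account. The blocklist and the sample user passwords are constructed for illustration (only 'mypc123' and 'ihavenopass' come from the slide; the rest are not the real Conficker list), and the sample is chosen so that three of twenty users are on the blocklist.

```python
"""Password policy check and online-guessing estimate.

Added example, not code from the original slides or from the speaker.
COMMON_PASSWORDS and SAMPLE_USERS are constructed for illustration; only
'mypc123' and 'ihavenopass' are taken from the slide.
"""
import string
from collections import Counter

# Constructed blocklist, ordered most-common-first as an attacker would try it.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123", "admin",
    "letmein", "welcome", "iloveyou", "mypc123", "ihavenopass",
    "indonesia", "jakarta", "bandung", "sayang", "cinta", "rahasia",
]

# Constructed sample of 20 user passwords (not real data); three of them
# are on the blocklist, so the online-guessing rate comes out at 15%.
SAMPLE_USERS = [
    "123456", "Tr0ub4dor&3", "mypc123", "S0lo-2012!", "indonesia",
    "Kominf0#Solo", "x9$Qm!vL2p", "7Hk#pq2Zw", "Pa$$w0rdLong",
    "correct horse battery", "Merdeka45!", "solo2012", "Admin2012",
    "bengawan", "kominfo", "sriwedari1", "Password1!", "rumahku",
    "Gd2!kLp9", "surakarta",
]

SPECIALS = frozenset(string.punctuation)


def check_policy(pw, min_len=8, blocklist=frozenset(COMMON_PASSWORDS)):
    """Return the list of rules the password fails; an empty list means it passes.

    Rule names: length, alphanumeric, mixed_case, special, blocklisted.
    The blocklist comparison is case-insensitive so 'Password' is still caught.
    """
    failures = []
    if len(pw) < min_len:
        failures.append("length")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        failures.append("alphanumeric")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("mixed_case")
    if not any(c in SPECIALS for c in pw):
        failures.append("special")
    if pw.lower() in blocklist:
        failures.append("blocklisted")
    return failures


def guess_success_rate(user_passwords, guess_list, budget=1000):
    """Fraction of accounts compromised by an online attacker who tries the
    first `budget` entries of `guess_list` against every account.

    This is the 'success after N guesses' measure behind the slide's
    '15 per cent of Indonesian users after 1,000 attempts'.
    """
    if not user_passwords:
        return 0.0
    guesses = set(guess_list[:budget])
    hits = sum(1 for pw in user_passwords if pw in guesses)
    return hits / len(user_passwords)


def guess_list_from_leak(leaked_passwords):
    """Order a previous leak by frequency, most common first: this is how a
    cracked dump turns into the next attack's guess list. Ties keep first-seen order."""
    return [pw for pw, _ in Counter(leaked_passwords).most_common()]


def audit(user_passwords=SAMPLE_USERS, guess_list=COMMON_PASSWORDS, budget=1000):
    """Summarise a password set: policy failures per password and guessing exposure."""
    blocklist = frozenset(guess_list)
    results = {pw: check_policy(pw, blocklist=blocklist) for pw in user_passwords}
    return {
        "policy_failures": {pw: r for pw, r in results.items() if r},
        "pass_count": sum(1 for r in results.values() if not r),
        "guess_success_rate": guess_success_rate(user_passwords, guess_list, budget),
    }


if __name__ == "__main__":
    report = audit()
    for pw, rules in report["policy_failures"].items():
        print(f"{pw!r:25} fails: {', '.join(rules)}")
    print(f"{report['pass_count']} of {len(SAMPLE_USERS)} pass the policy")
    print(f"online guessing success with 1,000 guesses/account: "
          f"{report['guess_success_rate']:.0%}")
```

Two things the run makes visible. Composition rules alone pass "Password1!" while only the blocklist catches "mypc123", which is why the password management system of control 11.5.3 should enforce quality against a list of known-bad passwords and not just character classes. And the guessing rate is a property of the population, not of any one password: the 1,000-guess budget is the figure that lockout and rate limiting on the login endpoint should be sized against.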
Transpose & Transform (1)
Transpose & Transform (2)
Matrix 9 x 9
Password Controls in SNI-ISO 27001
• 11 Access control
– 11.2 User access management
• 11.2.3 User password management
– 11.3 User responsibilities
• 11.3.1 Password use
– 11.5 Operating system access control
• 11.5.3 Password management system
Threats and Protection (Multi-layer)
ISO 27001 Certificates in the World (April 2012)
http://www.iso27001certificates.com
ISO 27001 statistics:
• 85 countries
• Japan 52%
• 4 Asian countries in the top 5
• 5 Asian countries in the top 10
• Indonesia at position 41, the lowest among the founding ASEAN countries and already overtaken by Vietnam.
http://sisni.bsn.go.id/index.php/sni_main/sni/detail_sni/10233