PAI B Semi Final 3 Checklist

8/3/2019 PAI B Semi Final 3 Checklist

1/17

NRP Name 1. Clauses 2. Control Name 3. Control Objectives

CONTOH 10.5 Backup

Objective: To maintain the integrity and availability of

information and information processing

facilities.

Routine procedures should be established to

implement the agreed back-up policy and strategy

(see

also 14.1) for taking back-up copies of data and

rehearsing their timely restoration.

10.5.1 Backup Information

Back-up copies of information and software should betaken and tested regularly in accordance with agreed

policy

9.1 Secure areas Objective: To prevent unauthorized physical access,

damage, and interference to the organizations

premises and information.

Critical or sensitive information processing facilities

should be housed in secure areas, protected by

defined security perimeters, with appropriate

security barriers and entry controls. They should be

physically protected from unauthorized access,damage, and interference.

The protection provided should be commensurate

with the identified risks.

1 5206100037 LUCI DWI AGUSTIN

9.1.1 Physical security perimeter Security perimeters (barriers such as walls, card

controlled entry gates or manned reception desks)

should be used to protect areas that contain

information and information processing facilities.

2 5206100064 DIMAS PRAYOGO

9.1.2 Physical entry controls Secure areas should be protected by appropriate

entry controls to ensure that only authorized

3 5206100065 RAMA DHANIAREZA9.1.3 Securing offices, rooms and

facilities

Physical security for offices, rooms, and facilities

should be designed and applied.

4 5206100081 INDAH SRI WAHYUNI

9.1.4 Protecting against external and

environmental threats

Physical protection against damage from fire, flood,

earthquake, explosion, civil unrest, and other

forms of natural or man-made disaster should be

designed and applied.

5 5207100002MOCHAMAD ARIEF

RAMADHANA

9.1.6 Public access, delivery and

loading areas

Access points such as delivery and loading areas and

other points where unauthorized persons may

enter the premises should be controlled and, if

possible, isolated from information processing

facilities to avoid unauthorized access.


2/17

9.2 Equipment security Objective: To prevent loss, damage, theft or

compromise of assets and interruption to the

organizations activities.

Equipment should be protected from physical and

environmental threats.

Protection of equipment (including that used off-

site, and the removal of property) is necessary to

reduce the risk of unauthorized access to

information and to protect against loss or damage.

This

should also consider equipment siting and disposal.

Special controls may be required to protect

against physical threats, and to safeguard

supporting facilities, such as the electrical supply

and

6 5207100005 M RIZAL AVIF KHAN

9.2.1 Equipment siting and protection Equipment should be sited or protected to reduce the

risks from environmental threats and hazards,

7 5207100006 ABDUL WAHAB

9.2.2 Supporting utilities Equipment should be protected from power failures

and other disruptions caused by failures in

supporting utilities.

8 5207100007 CHODIJAH DYANINGTYAS

9.2.3 Cabling security Power and telecommunications cabling carrying data

or supporting information services should be

protected from interception or damage.

9 5207100011 FARIKHAH FARKHANI9.2.4 Equipment maintenance Equipment should be correctly maintained to ensure

its continued availability and integrity.

10 5207100016 SYIFA INDI ADDINI

9.2.5 Security of equipment off-

premises

Security should be applied to off-site equipment

taking into account the different risks of working

11 5207100018 GELAR SATYA PRADANA

9.2.6 Secure disposal or re-use of

equipment

All items of equipment containing storage media

should be checked to ensure that any sensitive data

and licensed software has been removed or securely

overwritten prior to disposal.

12 5207100022 AULIA FEBRIYANTI9.2.7 Removal of property Equipment, information or software should not be

taken off-site without prior authorization

10.1 Operational procedures and

responsibilities

Objective: To ensure the correct and secure

operation of information processing facilities.

Responsibilities and procedures for the management

and operation of all information processing

facilities should be established. This includes the

development of appropriate operating procedures.

Segregation of duties should be implemented, where

appropriate, to reduce the risk of negligent or

deliberate system misuse.

13 5207100024 SYAIKHUL HAADI

10.1.1 Documented operating

procedures

Operating procedures should be documented,

maintained, and made available to all users who need

them.

14 5207100025 FAZA NAILUL MAZIYA

10.1.2 Change management Changes to information processing facilities and

systems should be controlled.

15 5207100030 KHAIRU RAHMAN

10.1.3 Segregation of duties Duties and areas of responsibility should be

segregated to reduce opportunities for unauthorized

or unintentional modification or misuse of the

16 5207100032BUDI CHANDRA

DEKARALOS

10.1.4 Separation of development, test

and operational facilities

Development, test, and operational facilities should

be separated to reduce the risks of unauthorised

access or changes to the operational system.

10.3 System planning and acceptance Objective: To minimize the risk of systems failures.

Advance planning and preparation are required to

ensure the availability of adequate capacity and

resources to deliver the required system

performance.Projections of future capacity requirements should

be made, to reduce the risk of system overload.

The operational requirements of new systems

should be established, documented, and tested prior

to

their acceptance and use.

17 5207100041 FASRIAN EKA FITRIANI

10.3.1 Capacity management The use of resources should be monitored, tuned, and

projections made of future capacity

requirements to ensure the required system

18 5207100047 ANGGIK LIGIA Y P

10.3.2 System acceptance Acceptance criteria for new information systems,

upgrades, and new versions should be establishedand suitable tests of the system(s) carried out during

development and prior to acceptance.


3/17

10.4 Protection against malicious and

mobile code

Objective: To protect the integrity of software and

information.

Precautions are required to prevent and detect the

introduction of malicious code and unauthorized

mobile code.

Software and information processing facilities are

vulnerable to the introduction of malicious code,

such as computer viruses, network worms, Trojan

horses, and logic bombs. Users should be made

aware of the dangers of malicious code.

Managers should, where appropriate, introduce

controls to

prevent, detect, and remove malicious code and

control mobile code.

19 5207100048 ANITA SAFITRI

10.4.1 Controls against malicious code Detection, prevention, and recovery controls to

protect against malicious code and appropriate user

awareness procedures should be implemented.

20 5207100051 TIRTA MUTIARA SARI

10.4.2 Controls against mobile code Where the use of mobile code is authorized, the

configuration should ensure that the authorised

mobile code operates according to a clearly defined

security policy, and unauthorized mobile code

should be prevented from executing.

10.6 Network security management Objective: To ensure the protection of information

in networks and the protection of the supporting

infrastructure.

The secure management of networks, which may

span organizational boundaries, requires careful

consideration to dataflow, legal implications,

monitoring, and protection.

Additional controls may also be required to protect

sensitive information passing over public

networks.

21 5207100055 SINGGIH SETYO JATMIKO

10.6.1 Network controls Networks should be adequately managed and

controlled, in order to be protected from threats, and

to

maintain security for the systems and applications

using the network, including information in transit.

22 5207100058 NYOMAN BAGUS PRASETIA

10.6.2 Security of network services Security features, service levels, and management

requirements of all network services should be

identified and included in any network services

agreement, whether these services are provided

inhouse

10.1 Monitoring Objective: To detect unauthorized information

processing activities.

Systems should be monitored and information

security events should be recorded. Operator logs

and

fault logging should be used to ensure information

system problems are identified.

An organization should comply with all relevant legal

requirements applicable to its monitoring and

logging activities.

System monitoring should be used to check the

effectiveness of controls adopted and to verify

23 5207100062 NURAISA NOVIA HIDAYATI

10.10.1 Audit logging Audit logs recording user activities, exceptions, and

information security events should be produced

and kept for an agreed period to assist in future

investigations and access control monitoring.

24 5207100068NOVIARDI PUTRA

NUGROHO

10.10.2 Monitoring system use Procedures for monitoring use of information

processing facilities should be established and the

results of the monitoring activities reviewed regularly.

25 5207100069 PUTU AGUNG SATRYAWAN

10.10.3 Protection of log information Logging facilities and log information should be

protected against tampering and unauthorized access.

26 5207100072 HADI SUYITNO10.10.4 Administrator and operator logs System administrator and system operator activities

should be lo ed.

27 5207100074 NANDA GAGAH LAKSANA10.10.5 Fault logging Faults should be logged, analysed, and appropriate

action taken.

28 5207100076 GLEND STEVEN MAATITA

10.10.6 Clock synchronization The clocks of all relevant information processing

systems within an organization or security domain

should be synchronized with an agreed accurate time

source.


4/17

11.1 Business requirement for access

control

Objective: To control access to information.

Access to information, information processing

facilities, and business processes should be

controlled

on the basis of business and security requirements.

Access control rules should take account of policies

for information dissemination and authorization.

29 5207100087 RAHMI ROMADHONA P

11.1.1 Access control policy An access control policy should be established,

documented, and reviewed based on business and

securit re uirements for access.11.2 User access management Objective: To ensure authorized user access and to

prevent unauthorized access to information

systems.Formal procedures should be in place to control the

allocation of access rights to information systems

and services.

The procedures should cover all stages in the life-

cycle of user access, from the initial registration of

new users to the final de-registration of users who

no longer require access to information systems and

services. Special attention should be given, where

appropriate, to the need to control the allocation of

privileged access rights, which allow users to

override system controls.

30 5207100092 ARIEF RAKHMAN

11.2.1 User registration There should be a formal user registration and de-

registration procedure in place for granting and

revoking access to all information systems and

31 5207100093 FITRIANNISA UMAMI11.2.2 Privilege management The allocation and use of privileges should be

restricted and controlled

32 5207100095 MUH EKA WIJAYA11.2.3 User password management The allocation of passwords should be controlled

through a formal management process.

33 5207100096 GUSVIANTOKO DALI P11.2.4 Review of user access rights Management should review users access rights at

regular intervals using a formal process.

11.3 User responsibilities Objective: To prevent unauthorized user access, and

compromise or theft of information and

information processing facilities.

The co-operation of authorized users is essential for

effective security.

Users should be made aware of their responsibilities

for maintaining effective access controls,

particularly regarding the use of passwords and the

security of user equipment.

A clear desk and clear screen policy should be

implemented to reduce the risk of unauthorized

access

or damage to papers, media, and information

34 5207100098 GOEIJ YONG SUN

11.3.1 Password use Users should be required to follow good security

ractices in the selection and use of asswords.

35 5207100099 ADITYA OKTALIFRYAN11.3.2 Unattended user equipment Users should ensure that unattended equipment has

appropriate protection.

11.4 Network access control Objective: To prevent unauthorized access to

networked services.

Access to both internal and external networked

services should be controlled.

User access to networks and network services

should not compromise the security of the network

services by ensuring:

a) appropriate interfaces are in place between the

organizations network and networks owned by

other organizations, and public networks;

b) appropriate authentication mechanisms areapplied for users and equipment;

c) control of user access to information services in

36 5207100113 M TRINOFERIANTO

11.4.1 Policy on use of network services Users should only be provided with access to the

services that they have been specifically authorized

to use.

37 5207100115DARWIN PRASETYA EKA

GUNAWAN

11.4.2 User authentication for external

connections

Appropriate authentication methods should be used

to control access by remote users.

38 5208100105 AUSTIANINGRUM F

11.4.3 Equipment identification in the

network

Automatic equipment identification should be

considered as a means to authenticate connections

from

39 5208100106 MAYA SAGITA W 11.4.4 Remote diagnostic andconfi uration ort rotection

Physical and logical access to diagnostic andconfi uration orts should be controlled

40 5208100107 NURUL FATMAWATI

11.4.5 Segregation in networks Groups of information services, users, and

information systems should be segregated on

networks.


5/17

41 5208100108 OKI NIDIANITA HADI

11.4.6 Network connection control For shared networks, especially those extending

across the organizations boundaries, the capability of

users to connect to the network should be restricted,

in line with the access control policy and

requirements of the business applications (see 11.1).

42 5208100114 TATA ARANSTA IMAS P

11.4.7 Network routing control Routing controls should be implemented for networks

to ensure that computer connections and

information flows do not breach the access control

policy of the business applications.

11.5 Operating system access control Objective: To prevent unauthorized access tooperating systems.

Security facilities should be used to restrict access to

operating systems to authorized users. The

facilities should be capable of the following:

a) authenticating authorized users, in accordance

with a defined access control policy;

b) recording successful and failed system

authentication attempts;

c) recording the use of special system privileges;

d) issuing alarms when system security policies are

breached;

e) providing appropriate means for authentication;

f) where appropriate, restricting the connection time

43 5208100133 DEWI NURYATI

11.5.1 Secure log-on procedure Access to operating systems should be controlled by a

secure log-on procedure.

44 5208100135 KHIKMATUL MAULA

11.5.2 User identification and

authentication

All users should have a unique identifier (user ID) for

their personal use only, and a suitable

authentication technique should be chosen to

45 5208100140 LAEILA M11.5.3 Password management system Systems for managing passwords should be

interactive and should ensure quality passwords.

46 5207100111 PERMANA NURDYAHSARI

11.5.4 Use of system utilities The use of utility programs that might be capable of

overriding system and application controls should

be restricted and tightly controlled.

47 5208100130FERLYNA KUSUMA

WARDHANI

11.5.5 Session time-out Inactive sessions should shut down after a defined

eriod of inactivit .

48 5208100151 LUDFI EKA LESMANA

11.5.6 Limitation of connection time Restrictions on connection times should be used to

provide additional security for high-risk

applications.


6/17

Risk Identification Detail Controls Expected

5. Controls used Justification

(procedures, technical tool

or both applicable)

6. Evidence of Procedures

Ref.

7. Evidence of Technical

Controls Ref.

data loss caused by system crash,file damaged or fault transaction

a.) accurate and complete recordsof the back-up copies and

documented restoration

procedures should be produced;

b) the extent (e.g. full or

differential backup) and frequency

of backups should reflect the

business requirements of the

organization, the security

requirements of the information

involved, and the criticality of the

information to the continued

operation of theorganization;

c) the back-ups should be stored

in a remote location, at a

sufficient distance to escape any

damage from a disaster at the

main site;

d) back-up information should be

given an appropriate level of

physical and environmental

protection (see clause 9)

consistent with the standards

applied at the main site; the

controls applied to media at the

main site should be extended to

cover the back-up site;

e) back-up media should be

regularly tested to ensure that

1. . PT. ABG has formalizedthe backup and restore

procedure 2.

the backup should be taken

place every day after working

hours and automatically

scheduled by the system.

3. the backup process divided

into 2 types. The daily backup

should be done incrementally

while the monthly backup

should be delivered as full

backup 4. monthly backuptapes were stored in safe

deposit box in bank

5. backup tapes should be

tested for restoration process

every 3 months 6. the

backup and restoration

process were supported by

HP storageworks backup

drive, using HP Ultrium data

cartridge as backup media

and running by CA Arcserve

11 backup sotware

a. Ref. Number ofprocedure. Provide a copy

procedure b.

provide copy of tape

inventory stored in safe

deposit box within the

year 2009 c.

provide copy of forms

showing that the

restoration process has

been delivered

successfully within the

year 2009

a. capture pictures of datacenter showing the

backup drive, tapes and

their equipment

b. capture the backup

status report from

arcserve within the year

2009


7/17


8/17


9/17


10/17


11/17

8. Audit Findings9. Adequacy of controls

justification10. Recommendation 11. Action Planned 13. Deliverables and Timeline

a. backup tapes for august

and september 2009 were

not listed in safe deposit

box inventory. After

checking the backup

status report, we knew

that the full backup was

not delivered properly in

the appropriate month

b. auditor notified the

absence of restoration

test that should be taken

place in october and

december.

c. there was an incidentreported in november

2009 caused a damage in

ERP server due to system

crash. IT dept needed to

conduct a roll back

process to adjust the

transaction. Since the

restoration test was not

delivered at october and

unfortunately the data

stored in the media can

not be read properly. The

IT dept has nothing to dobut to input the missing

transaction from the

the backup and restore

controls mentioned in the

procedure are sufficient

but consistent and

continous implementation

need to be enforced

Monitoring is the

preventive action that can

be done by the IT

manager or other staf

appointed on behalf o the

management to overview

the implementation of

backup and restore

procedure. This

mechanism is needed to

ensure that the procedure

has been done timely and

appropriately. There

should be formal records

to prove that theimplementation has been

successully delivered,

when, and who is the

person responsible to the

action. These records will

help us to track back if

someday there were

faults or failure, so it

would not happen again in

the future

IT manager is responsible

person to monitor the

implementation of the

backup and restore

procedure. Each process

including schedule,

resources, deliverables

and person responsible

should be registered in

security internal control

quiestionairre form to

make it easily for tracking.

the action plan is effective to be done per

January 2nd, 2010


12/17


13/17


14/17


15/17


16/17


17/17

PAI B Semi Final 3 Checklist

Documents

Transcript of PAI B Semi Final 3 Checklist