Usulanuntukwg1danwg2dandata28 feb2017
Download as PPTX, PDF1 like548 views
The document discusses several topics related to cybersecurity, information security, and IT service management systems. It begins with an overview of the evolution of computing from mainframes to ubiquitous computing and cyber-physical systems. It then discusses hardware trojans and defines information security based on ISACA. The remainder of the document outlines various ISO standards related to information security, IT service management, IT governance, and IT security techniques.
Usulanuntukwg1danwg2dandata28 feb2017
- 1. 1 Usulan Keamanan Siber, Keamanan Informasi dan Sistem Manajemen Layanan serta Kualitas Data v2 Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM Anggota PT35-01 Teknologi Informasi Gedung Sapta Pesona – SDPPI Kominfo, Jakarta 28 Februari 2017
- 2. The Next Computing Revolution Mainframe computing (60’s – 70’s) Large computers to execute big data processing applications Desktop computing & Internet (80’s – 90’s) One computer at every desk to do business/personal activities Ubiquitous computing (00’s) Numerous computing devices in every place/person Millions for desktops vs. billions for embedded processors Cyber Physical Systems (10’s)
- 3. 3
- 5. Presentation: KamInfo.ID5 5 KEAMANAN INFORMASI VERSIISACA Information security is a business enabler that is strictly bound to stakeholder trust, either by addressing business risk or by creating value for an enterprise, such as competitive advantage. At a time when the significance of information and related technologies is increasing in every aspect of business and public life, the need to mitigate information risk, which includes protecting information and related IT assets from ever-changing threats, is constantly intensifying. ISACA defines information security as something that: Ensures that information is readily available (availability), when required, and protected against disclosure to unauthorised users (confidentiality) and improper modification (integrity).
- 6. Presentation: KamInfo.ID6 6 KEAMANAN INFORMASI ......... pemerintah negara Indonesia yang melindungi segenap bangsa Indonesia dan seluruh tumpah darah Indonesia dan untuk memajukan kesejahteraan umum, mencerdaskan kehidupan bangsa, dan ikut melaksanakan ketertiban dunia yang berdasarkan kemerdekaan, perdamaian abadi dan keadilan sosial........ Pemanfaatan INFORMASI sebagai darah nadi kehidupan bangsa dalam perspektif Pertumbuhan Ekonomi untuk Kesejahteraan Rakyat
- 7. Presentation: KamInfo.ID7 7 KEAMANAN NASIONAL ......... pemerintah negara Indonesia yang melindungi segenap bangsa Indonesia dan seluruh tumpah darah Indonesia dan untuk memajukan kesejahteraan umum, mencerdaskan kehidupan bangsa, dan ikut melaksanakan ketertiban dunia yang berdasarkan kemerdekaan, perdamaian abadi dan keadilan sosial........ Pemanfaatan INFORMASI sebagai darah nadi kehidupan bangsa dalam perspektif Pertumbuhan Ekonomi untuk Kesejahteraan Rakyat
- 8. 8
- 9. Kategori Kontrol berbasis Risiko 9 Source: Transforming Cybersecurity: Using COBIT 5, ISACA, 2013
- 10. Hubungan antar Kerangka Keamanan COBIT 5 Panduan Umum Tata Kelola TIK Nas + Kuesioner Evaluasi Pengendalian Intern TIK Internal Control Framework COSO SNI ISO 38500 PP60/2008 Sistem Pengendalian Intern Pemerintah TataKelolaManajemenPerangkat SNI ISO 20000 10 RSNI ISO 27013 SNI ISO 27014 Governance of Information Security SNI ISO 15408 Common Criteria SNI ISO 27001 Information Security Management System
- 11. ISO/IEC JTC 1/SC 40 - IT Service Management and IT Governance ISO/IEC 20000-1:2011 SNI ISO/IEC 20000-1:2013 Teknologi Informasi - Manajemen Layanan - Bagian 1: Persyaratan sistem manajemen layanan IEEE Std 20000-1-2013 ISO/IEC 20000-2:2012 SNI ISO/IEC 20000-2:2013 Teknologi informasi - Manajemen layanan - Bagian 2: Pedoman penerapan sistem manajemen layanan IEEE Std 20000-2-2013 ISO/IEC TR 20000-3:2012 SNI ISO/IEC TR 20000-3:2013 Teknologi informasi - Manajemen layanan - Bagian 3: Pedoman pendefinisian lingkup dan kesesuaian dari SNI ISO/IEC 20000-1 ISO/IEC TR 20000-4:2010 SNI ISO/IEC TR 20000-4:2013 Teknologi informasi - Manajemen layanan - Bagian 4: Model referensi proses ISO/IEC TR 20000-5:2010 – replaced by ISO/IEC TR 20000-5:2013 SNI ISO/IEC TR 20000-5:2013 Teknologi informasi - Manajemen layanan - Bagian 5: Contoh acuan perencanaan implementasi SNI ISO/IEC 20000-1 ISO/IEC FDIS 20000-6 Information technology -- Service management -- Part 6: Requirements for bodies providing audit and certification of service management systems ISO/IEC TR 20000-9:2015 Information technology -- Service management -- Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services ISO/IEC TR 20000-10:2013 Information technology -- Service management -- Part 10: Concepts and terminology ISO/IEC TR 20000-12:2016 Information technology -- Service management -- Part 12: Guidance on the relationship between ISO/IEC 20000- 1:2011 and service management frameworks: CMMI-SVC ISO/IEC 30121:2015 Information technology -- Governance of digital forensic risk framework ISO/IEC 38500:2015 Information technology -- Governance of IT for the organization ISO/IEC TS 38501:2015 Information technology -- Governance of IT -- Implementation guide ISO/IEC TR 38502:2014 Information technology -- Governance of IT -- Framework and model ISO/IEC TR 38504:2016 Governance of information technology -- Guidance for principles-based standards in the governance of information technology 11
- 12. Customers (and other interested parties) Service Requirements Services Customers (and other interested parties) 5. Design and transition of new or changed services 8. Resolution processes 7. Relationship processes 8.1 Incident and service request management 8.2 Problem management 7.1 Business relationship management 7.2 Supplier management 6. Service delivery processes 6.5 Capacity management 6.3 Service continuity & availability management 6.1 Service level management 6.2 Service reporting 6.6 Information security management 6.4 Budgeting & accounting for services 4.1 Management responsibility 4.2 Governance of processes operated by other parties 4.5 Establish the SMS 4.3 Documentation management 4.4 Resource management 4. Service Management System (SMS) 9. Control processes 9.1 Configuration management 9.2 Change management 9.3 Release and deployment management
- 13. ISO/IEC JTC 1/SC 7 - Software and systems engineering ISO/IEC 33001:2015 Information technology -- Process assessment -- Concepts and terminology60.60 35.080 ISO/IEC 33002:2015 Information technology -- Process assessment -- Requirements for performing process assessment ISO/IEC 33003:2015 Information technology -- Process assessment -- Requirements for process measurement frameworks60.60 35.080 ISO/IEC 33004:2015 Information technology -- Process assessment -- Requirements for process reference, process assessment and maturity models60.60 35.080 ISO/IEC TR 33014:2013 Information technology -- Process assessment -- Guide for process improvement ISO/IEC 33020:2015 Information technology -- Process assessment -- Process measurement framework for assessment of process capability ISO/IEC TS 33052:2016 Information technology -- Process reference model (PRM) for information security management ISO/IEC 33063:2015 Information technology -- Process assessment -- Process assessment model for software testing60.60 35.080 ISO/IEC TS 33072:2016 Information technology -- Process assessment -- Process capability assessment model for information security management ISO/IEC NP 33016 Information technology -- Process assessment -- Process assessment body of knowledge 10.99
- 14. Trying to Run Before Walking Reactive Proactive Analyze trends Set thresholds Predict problems Measure appli- cation availability Automate Mature problem, configuration, change, asset and performance mgt processes Fight fires Inventory Desktop SW distribution Initiate problem mgt process Alert and event mgt Measure component availability (up/down) IT as a service provider Define services, classes, pricing Understand costs Guarantee SLAs Measure & report service availability Integrate processes Capacity mgt Service Value IT as strategic business partner IT and business metric linkage IT/business collaboration improves business process Real-time infrastructure Business planning Level 2 Level 3 Level 4 Chaotic Ad hoc Undocumented Unpredictable Multiple help desks Minimal IT operations User call notification Level 1 Tool Leverage Manage IT as a Business Service Delivery Process Engineering Operational Process Engineering Service and Account Management Level 5
- 15. ISO/IEC JTC 1/SC 27 - IT Security techniques (1/2) ISO/IEC 27000:2016 Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems – Requirements ISO/IEC 27001:2013/Cor 1:2014 60.60 35.040 ISO/IEC 27001:2013/Cor 2:2015 60.60 35.040 ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls ISO/IEC 27002:2013/Cor 1:2014 60.60 35.040 ISO/IEC 27002:2013/Cor 2:2015 60.60 35.040 ISO/IEC DIS 27003.2 Information technology -- Security techniques -- Information security management system -- Guidance 4 ISO/IEC 27003:2010 Information technology -- Security techniques -- Information security management system implementation guidance 90.92 35.040 ISO/IEC 27004:2009 Information technology -- Security techniques -- Information security management – Measurement ISO/IEC 27004 Information technology -- Security techniques -- Information security management -- Monitoring, measurement, analysis and evaluation 60.00 ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management 60.60 35.040 ISO/IEC 27006:2015 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems 60.60 35.040 ISO/IEC CD 27007 Information technology -- Security techniques -- Guidelines for information security management systems auditing ISO/IEC 27007:2011 Information technology -- Security techniques -- Guidelines for information security management systems auditing ISO/IEC PDTS 27008 Information technology -- Security techniques -- Guidelines for the assessment of information security controls ISO/IEC TR 27008:2011 Information technology -- Security techniques -- Guidelines for auditors on information security controls ISO/IEC 27009:2016 Information technology -- Security techniques -- Sector-specific application of ISO/IEC 27001 – Requirements ISO/IEC 27010:2015 Information technology -- Security techniques -- Information security management for inter-sector and inter- organizational communications 60.60 35.040 ISO/IEC FDIS 27011 Information technology -- Security techniques -- Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations 50.60 35.040 ISO/IEC 27011:2008 Information technology -- Security techniques -- Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 90.92 35.040 ISO/IEC 27013:2015 Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 60.60 03.080.99 ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security 60.60 35.040 ISO/IEC TR 27015:2012 Information technology -- Security techniques -- Information security management guidelines for financial services ISO/IEC TR 27016:2014 Information technology -- Security techniques -- Information security management -- Organizational economics 60.60 ISO/IEC 27017:2015 Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services 60.60 35.040 ISO/IEC 27018:2014 Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors 60.60 35.040 ISO/IEC TR 27019:2013 Information technology -- Security techniques -- Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry 15
- 16. ISO/IEC JTC 1/SC 27 - IT Security techniques (2/2) ISO/IEC TR 27023:2015 Information technology -- Security techniques -- Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002 ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity 90.60 35.040 ISO/IEC 27032:2012 Information technology -- Security techniques -- Guidelines for cybersecurity 60.60 35.040 ISO/IEC 27033-1:2015 Information technology -- Security techniques -- Network security -- Part 1: Overview and concepts 60.60 35.040 ISO/IEC 27033-2:2012 Information technology -- Security techniques -- Network security -- Part 2: Guidelines for the design and implementation of network security 60.60 35.040 ISO/IEC 27033-3:2010 Information technology -- Security techniques -- Network security -- Part 3: Reference networking scenarios -- Threats, design techniques and control issues ISO/IEC 27033-4:2014 Information technology -- Security techniques -- Network security -- Part 4: Securing communications between networks using security gateways 60.60 35.040 ISO/IEC 27033-5:2013 Information technology -- Security techniques -- Network security -- Part 5: Securing communications across networks using Virtual Private Networks (VPNs) 60.60 35.040 ISO/IEC 27033-6:2016 Information technology -- Security techniques -- Network security -- Part 6: Securing wireless IP network access 60.60 35.040 ISO/IEC 27034-1:2011 Information technology -- Security techniques -- Application security -- Part 1: Overview and concepts 90.20 35.040 ISO/IEC 27034-1:2011/Cor 1:2014 60.60 35.040 ISO/IEC 27034-2:2015 Information technology -- Security techniques -- Application security -- Part 2: Organization normative framework 60.60 ISO/IEC CD 27034-3 Information technology -- Security techniques -- Application security -- Part 3: Application security management process 30.60 ISO/IEC DIS 27034-5 Information technology -- Security techniques -- Application security -- Part 5: Protocols and application security controls data structure 40.60 ISO/IEC 27034-6:2016 Information technology -- Security techniques -- Application security -- Part 6: Case studies 60.60 35.040 ISO/IEC DIS 27034-7 Information technology -- Security techniques -- Application security -- Part 7: Application security assurance prediction model ISO/IEC PDTS 27034-5-1 Information technology -- Security techniques -- Application security -- Part 5-1: Protocols and application security controls data structure -- XML schemas 30.60 35.040 ISO/IEC 27035:2011Information technology -- Security techniques -- Information security incident management 90.92 35.040 ISO/IEC 27035-1 Information technology -- Security techniques -- Information security incident management -- Part 1: Principles of incident management ISO/IEC 27035-2 Information technology -- Security techniques -- Information security incident management -- Part 2: Guidelines to plan and prepare for incident response ISO/IEC 27036-1:2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 1: Overview and concepts ISO/IEC 27036-2:2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 2: Requirements 60.60 ISO/IEC 27036-3:2013 Information technology -- Security techniques -- Information security for supplier relationships -- Part 3: Guidelines for information and communication technology supply chain security 60.60 35.040 ISO/IEC 27036-4:2016 Information technology -- Security techniques -- Information security for supplier relationships -- Part 4: Guidelines for security of cloud services ISO/IEC 27037:2012 Information technology -- Security techniques -- Guidelines for identification, collection, acquisition and preservation of digital evidence ISO/IEC 27038:2014 Information technology -- Security techniques -- Specification for digital redaction 60.60 35.040 ISO/IEC 27039:2015 Information technology -- Security techniques -- Selection, deployment and operations of intrusion detection and prevention systems (IDPS) 60.60 ISO/IEC 27040:2015 Information technology -- Security techniques -- Storage security 60.60 35.040 ISO/IEC 27041:2015 Information technology -- Security techniques -- Guidance on assuring suitability and adequacy of incident investigative method ISO/IEC 27042:2015 Information technology -- Security techniques -- Guidelines for the analysis and interpretation of digital evidence 60.60 35.040 ISO/IEC 27043:2015 Information technology -- Security techniques -- Incident investigation principles and processes 60.60 35.040 ISO/IEC 27050-1 Information technology -- Security techniques -- Electronic discovery -- Part 1: Overview and concepts 60.00 35.040 ISO/IEC CD 27050-2 Information technology -- Security techniques -- Electronic discovery -- Part 2: Guidance for governance and management of electronic discovery 30.60 35.040 ISO/IEC DIS 27050-3 Information technology -- Security techniques -- Electronic discovery -- Part 3: Code of Practice for electronic discovery 16
- 18. threat
- 19. Usulan dari ISO/TC 184/SC 4 - Industrial data (1/2) Page 19 ISO/TS 8000-1:2011 Data quality -- Part 1: Overview90.93 25.040.40 ISO 8000- 2:2012 Data quality -- Part 2: Vocabulary60.60 01.040.25 ISO 8000-8:2015 Data quality -- Part 8: Information and data quality: Concepts and measuring60.60 01.040.25 ISO 8000-100:2016 Data quality -- Part 100: Master data: Exchange of characteristic data: Overview60.60 25.040.40 ISO 8000-110:2009 Data quality -- Part 110: Master data: Exchange of characteristic data: Syntax, semantic encoding, and conformance to data specification90.60 ISO 8000-120:2016 Data quality -- Part 120: Master data: Exchange of characteristic data: Provenance60.60 25.040.40 ISO 8000-130:2016 Data quality -- Part 130: Master data: Exchange of characteristic data: Accuracy60.60 25.040.40 ISO 8000-140:2016 Data quality -- Part 140: Master data: Exchange of characteristic data: Completeness60.60 25.040.40 ISO/TS 8000-150:2011 Data quality -- Part 150: Master data: Quality management framework
- 20. Usulan dari ISO/TC 184/SC 4 - Industrial data (2/2) Page 20 ISO 15926-1:2004 Industrial automation systems and integration -- Integration of life-cycle data for process plants including oil and gas production facilities -- Part 1: Overview and fundamental principles90.93 25.ISO 15926-2:2003 Industrial automation systems and integration -- Integration of life-cycle data for process plants including oil and gas production facilities -- Part 2: Data model90.93 25.040.40 ISO/TS 15926-3:2009 Industrial automation systems and integration -- Integration of life-cycle data for process plants including oil and gas production facilities -- Part 3: Reference data for geometry and topology90.93 75.020 ISO/TS 15926-4:2007 Industrial automation systems and integration -- Integration of life-cycle data for process plants including oil and gas production facilities -- Part 4: Initial reference data90.93 75.020 ISO/TS 15926-4:2007/Amd 1:2010 60.60 75.020 ISO/TS 15926-6:2013 Industrial automation systems and integration -- Integration of life-cycle data for process plants including oil and gas production facilities -- Part 6: Methodology for the development and validation of reference data90.92 25.040.40 ISO/TS 15926-7:2011 Industrial automation systems and integration -- Integration of life-cycle data for process plants including oil and gas production facilities -- Part 7: Implementation methods for the integration of distributed systems: Template methodology90.93 75.020 ISO/TS 15926-8:2011 Industrial automation systems and integration -- Integration of life-cycle data for process plants including oil and gas production facilities -- Part 8: Implementation methods for the integration of distributed systems: Web Ontology Language (OWL) implementation90.93 75.020 ISO/TS 15926-11:2015 Industrial automation systems and integration -- Integration of life-cycle data for process plants including oil and gas production facilities -- Part 11: Methodology for simplified industrial usage of reference data
- 21. Seri ISO 8000 Data Quality Page 21 ISO 8000 ontology Part 1 : Scope , Justification and principles Part 3 Taxonomy : ISO 8000 parts & other standards relationships Part 8 Information and Data Quality Measuring Part 9 Information data quality relationship with other standards Part 20 Data Quality: Provenance Part 30 Data Quality Accuracy Part 40 Data Quality Completeness Part 50 Data Quality management framework Part 60 Information & Data Quality Process Assessment Part 100 Master data: Exchange of characteristic data: Overview Part 10 Data Quality Syntax, semantic encoding, and conformance to data specification Part 120 Master data: Exchange of characteristic data: Provenance Part 130 Master data: Exchange of characteristic data: Accuracy Part 140 Master data: Exchange of characteristic data: Completeness Part 150 Master Data Quality management framework Part 311 Guidance for the application of PDQ-S Part 2 Vocabulary Characteristics or Data quality dimensions RequirementsSyntax SemanticsPragmatics Measurements methods Management methods Introduction Vocab. / Onto General concepts & definitions Specialized concepts & definitions Management framework Usage guides Part 110 Master data: Exchange of characteristic data: Overview
- 22. Diskusi 22
Editor's Notes
- #15: Key Issue: What pitfalls should be avoided when implementing ITIL? Strategic Planning Assumption: Through 2012, 30 percent of large enterprises will achieve end-to-end IT service management, up from fewer than 15 percent today (0.8 probability).