Developing Policy and Strategy for
Securing Digital Data in Higher Education
Sarwono Sutikno
Digital Data Security Webinar, SPI ITB
Wednesday, 3 August 2022
v2
ISO 27001 Series: SMKI
(Sistem Manajemen Keamanan Informasi, Information Security Management System)
Sarwono Sutikno
Digital Data Security Webinar, SPI ITB
Wednesday, 3 August 2022
v2
Sarwono Sutikno, Dr.Eng., CISA(ex), CISSP(ex), CISM(ex), CSX-F
- Member of Technical Committee 35-04 for the Formulation of Indonesian National Standards (SNI): Information Security, Cybersecurity and Privacy Protection
- Expert Liaison, ISO/IEC JTC 1/SC 27 Information Security, Cybersecurity and Privacy Protection:
  - WG 2 Cryptography and security mechanisms
  - WG 4 Security controls and services
- Member of the Supervisory Board of the Indonesian Information Systems Audit Association (IASII)
- Member of the Risk Management Committee, MWA ITB
- ISACA Academic Advocate for ITB, since 2007
- ISACA Platinum member
- IIA member
- Lecturer, STEI ITB
Chronology

ISMS and privacy challenges related to PeHS: A Qualitative study, Emelie Mannebäck, 2022
ISO 27001 Series: Information Security Management Systems
A. Open resource: https://www.iso27001security.com/
B. ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems — Overview and vocabulary
C. ISO/IEC FDIS 27001 Information security, cybersecurity and privacy protection — Information security management systems — Requirements
D. ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls
Summary
- The KAMI Index (Indeks KeAManan Informasi, Information Security Index) is the measure used to reach the baseline of the ISO 27001 ISMS Requirements;
- The core ISO 27001 ISMS series:
  - ISO 27000 Overview and vocabulary
  - ISO 27001 Requirements
  - ISO 27002 Information security controls
- Mandatory to implement:
  - Plan: ISO 27001 Clause 4 Context of the organization through Clause 7 Support
  - Do: ISO 27001 Clause 8 Operation
  - Check: ISO 27001 Clause 9 Performance evaluation
  - Act: ISO 27001 Clause 10 Improvement
A. Open resource: https://www.iso27001security.com/

B. ISO/IEC 27000:2018 Overview and vocabulary
Principles for ISMS success
4.2.2 Information
Information is an asset that, like other important business assets, is essential to an organization's business and, consequently, needs to be suitably protected.
Information can be stored in many forms, including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees.
Information can be transmitted by various means including: courier, electronic or verbal communication.
Whatever form information takes, or the means by which it is transmitted, it always needs appropriate protection.
4.6 ISMS critical success factors
a) information security policy, objectives, and activities aligned with objectives;
b) an approach and framework for designing, implementing, monitoring, maintaining, and
improving information security consistent with the organizational culture;
c) visible support and commitment from all levels of management, especially top management;
d) an understanding of information asset protection requirements achieved through the
application of information security risk management (see ISO/IEC 27005);
e) an effective information security awareness, training and education programme, informing all
employees and other relevant parties of their information security obligations set forth in the
information security policies, standards, etc., and motivating them to act accordingly;
f) an effective information security incident management process;
g) an effective business continuity management approach;
h) a measurement system used to evaluate performance in information security management and
feedback suggestions for improvement.
4.7 Benefits of the ISMS family of standards
a) a structured framework supporting the process of specifying, implementing, operating and
maintaining a comprehensive, cost-effective, value creating, integrated and aligned ISMS that
meets the organization's needs across different operations and sites;
b) assistance for management in consistently managing and operating in a responsible manner
their approach towards information security management, within the context of corporate risk
management and governance, including educating and training business and system owners on
the holistic management of information security;
c) promotion of globally accepted, good information security practices in a non-prescriptive
manner, giving organizations the latitude to adopt and improve relevant controls that suit their
specific circumstances and to maintain them in the face of internal and external changes;
d) provision of a common language and conceptual basis for information security, making it easier
to place confidence in business partners with a compliant ISMS, especially if they require
certification against ISO/IEC 27001 by an accredited certification body;
e) increase in stakeholder trust in the organization;
f) satisfying societal needs and expectations;
g) more effective economic management of information security investments.
C. ISO/IEC FDIS 27001 Requirements

4 Context of the organization
  4.1 Understanding the organization and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the information security management system
  4.4 Information security management system
5 Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organizational roles, responsibilities and authorities
6 Planning
  6.1 Actions to address risks and opportunities
  6.2 Information security objectives and planning to achieve them
  6.3 Planning of changes
7 Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
8 Operation
  8.1 Operational planning and control
  8.2 Information security risk assessment
  8.3 Information security risk treatment
9 Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
10 Improvement
  10.1 Continual improvement
  10.2 Nonconformity and corrective action
D. ISO/IEC 27002:2022 Information security controls
5 Organizational controls
  5.1 Policies for information security
  5.2 Information security roles and responsibilities
  5.3 Segregation of duties
  5.4 Management responsibilities
  5.5 Contact with authorities
  5.6 Contact with special interest groups
  5.7 Threat intelligence
  5.8 Information security in project management
  5.9 Inventory of information and other associated assets
  5.10 Acceptable use of information and other associated assets
  5.11 Return of assets
  5.12 Classification of information
  5.13 Labelling of information
  5.14 Information transfer
  5.15 Access control
  5.16 Identity management
  5.17 Authentication information
  5.18 Access rights
  5.19 Information security in supplier relationships
  5.20 Addressing information security within supplier agreements
  5.21 Managing information security in the ICT supply chain
  5.22 Monitoring, review and change management of supplier services
  5.23 Information security for use of cloud services
  5.24 Information security incident management planning and preparation
  5.25 Assessment and decision on information security events
  5.26 Response to information security incidents
  5.27 Learning from information security incidents
  5.28 Collection of evidence
  5.29 Information security during disruption
  5.30 ICT readiness for business continuity
  5.31 Legal, statutory, regulatory and contractual requirements
  5.32 Intellectual property rights
  5.33 Protection of records
  5.34 Privacy and protection of PII
  5.35 Independent review of information security
  5.36 Compliance with policies, rules and standards for information security
  5.37 Documented operating procedures
6 People controls
  6.1 Screening
  6.2 Terms and conditions of employment
  6.3 Information security awareness, education and training
  6.4 Disciplinary process
  6.5 Responsibilities after termination or change of employment
  6.6 Confidentiality or non-disclosure agreements
  6.7 Remote working
  6.8 Information security event reporting
7 Physical controls
  7.1 Physical security perimeters
  7.2 Physical entry
  7.3 Securing offices, rooms and facilities
  7.4 Physical security monitoring
  7.5 Protecting against physical and environmental threats
  7.6 Working in secure areas
  7.7 Clear desk and clear screen
  7.8 Equipment siting and protection
  7.9 Security of assets off-premises
  7.10 Storage media
  7.11 Supporting utilities
  7.12 Cabling security
  7.13 Equipment maintenance
  7.14 Secure disposal or re-use of equipment
8 Technological controls
  8.1 User endpoint devices
  8.2 Privileged access rights
  8.3 Information access restriction
  8.4 Access to source code
  8.5 Secure authentication
  8.6 Capacity management
  8.7 Protection against malware
  8.8 Management of technical vulnerabilities
  8.9 Configuration management
  8.10 Information deletion
  8.11 Data masking
  8.12 Data leakage prevention
  8.13 Information backup
  8.14 Redundancy of information processing facilities
  8.15 Logging
  8.16 Monitoring activities
  8.17 Clock synchronization
  8.18 Use of privileged utility programs
  8.19 Installation of software on operational systems
  8.20 Networks security
  8.21 Security of network services
  8.22 Segregation of networks
  8.23 Web filtering
  8.24 Use of cryptography
  8.25 Secure development life cycle
  8.26 Application security requirements
  8.27 Secure system architecture and engineering principles
  8.28 Secure coding
  8.29 Security testing in development and acceptance
  8.30 Outsourced development
  8.31 Separation of development, test and production environments
  8.32 Change management
  8.33 Test information
  8.34 Protection of information systems during audit testing
Summary
- The KAMI Index (Indeks KeAManan Informasi, Information Security Index) is the measure used to reach the baseline of the ISO 27001 ISMS Requirements;
- The core ISO 27001 ISMS series:
  - ISO 27000 Overview and vocabulary
  - ISO 27001 Requirements
  - ISO 27002 Information security controls
- Mandatory to implement:
  - Plan: ISO 27001 Clause 4 Context of the organization through Clause 7 Support
  - Do: ISO 27001 Clause 8 Operation
  - Check: ISO 27001 Clause 9 Performance evaluation
  - Act: ISO 27001 Clause 10 Improvement
DISCUSSION