ISO Information Security Series
ICT Standardization Forum: Smart Cards for Payment
Jakarta, 4 November 2015
Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM
School of Electrical Engineering and Informatics, Institut Teknologi Bandung
Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM
Current:
• Cybersecurity Nexus Liaison, ISACA Indonesia Chapter
• ISACA Academic Advocate at ITB
• SME for Information Security Standard for ISO at ISACA HQ
• Associate Professor at School of Electrical Engineering and Informatics, Institut Teknologi Bandung
• Chair of the IT Services and Governance WG, member of the Information Security WG, and member of Technical Committee 35-01, National Program for Standard Setting in the Field of Information Technology, BSN – Kominfo
• Lead Assessor, SNI ISO/IEC 27001:2013 Certification Body, KAN
Past:
• Chair of the National ICT Evaluation Working Group, National ICT Council (2007-2008)
• Acting Director of Systems Operations, PPATK (Indonesia Financial Transaction Reports and Analysis Center, INTRAC), April 2009 – May 2011
Professional Certification:
• Professional Engineering (PE), the Principles and Practice of Electrical Engineering, College of Engineering, the University of Texas at Austin, 2000
• IRCA Information Security Management System Lead Auditor Course, 2004
• ISACA Certified Information System Auditor (CISA). CISA Number: 0540859, 2005
• Brainbench Computer Forensic, 2006
• (ISC)2 Certified Information Systems Security Professional (CISSP), No: 118113, 2007
• ISACA Certified Information Security Manager (CISM). CISM Number: 0707414, 2007
Award:
• (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) 2011 award in category Senior Information Security Professional. http://isc2.org/ISLA
Bloom / Revised Bloom
Revised Bloom:
• Remember
• Apply
• Understand
• Analyze
• Evaluate
• Create
Bloom:
• Evaluation
• Analysis
• Synthesis
• Application
• Comprehension
• Knowledge
Topics
• Risk >< Control – SNI ISO 31000
• Risk Treatment = Control
• Standard as Base Practice Control
PP 60/2008 Government Internal Control System (Sistem Pengendalian Intern Pemerintah)
Article 3(1) a. control environment (Internal Control Environment)
Article 3(1) b. risk assessment (Internal Control Risk Assessment)
Article 3(1) c. control activities (Internal Control Activities)
Article 3(1) d. information and communication (Information and Communication Internal Control)
Article 3(1) e. monitoring of internal control (Internal Control Monitoring)
[Figure labels: Business Requirements; Agency Main Duties and Functions (TuPokSi); Business Processes, SOPs, etc.; Information Technology Processes; Control Rules; Control Procedures; Laws and Regulations]
Risk >< Control
Risk-based categorization of Control
Three lines of defence
Risk-based Control Categories
Source: Transforming Cybersecurity: Using COBIT 5, ISACA, 2013
Principles of SNI ISO/IEC 31000
a. Risk management creates and protects value
b. Risk management is an integral part of all organizational processes
c. Risk management is part of decision making
d. Risk management explicitly addresses uncertainty
e. Risk management is systematic, structured and timely
f. Risk management is based on the best available information
g. Risk management is tailored
h. Risk management takes human and cultural factors into account
i. Risk management is transparent and inclusive
j. Risk management is dynamic, iterative and responsive to change
k. Risk management facilitates continual improvement of the organization
SNI ISO/IEC 31000
4 Context of the organization
  4.1 Understanding the organization and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the management system
  4.4 Information security management system
5 Leadership
  5.1 Leadership and commitment
  5.2 Policy
6 Planning
  6.1 Actions to address risks and opportunities
  6.2 Information security objectives and plans to achieve them
7 Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
8 Operation
  8.1 Operational planning and control
  8.2 Information security risk assessment
  8.3 Information security risk treatment
9 Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
10 Improvement
  10.1 Nonconformity and corrective action
  10.2 Continual improvement
Management System Standard (MSS) – Annex SL
This slide repeats the clause structure of the preceding slide (4 Context of the organization, 5 Leadership, 6 Planning, 7 Support, 8 Operation, 9 Performance evaluation, 10 Improvement, with the same sub-clauses), the only difference being that 4.3 reads "Determining the scope of the information security management system".
MSS series: ISO 9000, 27000, 14000, 20000 (?)
SNI ISO/IEC 27000 Series – ISMS (SMKI)
Improvements in ISO 27001:2013 compared to the 2005 version
Relationships between Frameworks
[Figure labels: COBIT 5; National ICT Governance General Guidelines (Panduan Umum Tata Kelola TIK Nas+); ICT Internal Control Evaluation Questionnaire; Internal Control Framework COSO; SNI ISO 38500; PP60/2008 Government Internal Control System; Governance; IT Governance; IT Management; SNI ISO 27001; SNI ISO 20000]
Relationships between Security Frameworks
[Figure labels: COBIT 5; National ICT Governance General Guidelines (Panduan Umum Tata Kelola TIK Nas+); ICT Internal Control Evaluation Questionnaire; Internal Control Framework COSO; SNI ISO 38500; PP60/2008 Government Internal Control System; Governance; Device Management; SNI ISO 20000]
[Figure labels: RSNI ISO 27013; SNI ISO 27014 Governance of Information Security; SNI ISO 15408 Common Criteria; SNI ISO 27001 Information Security Management System]
SNI ISO/IEC 27014:2013 Information Security Governance
Other SNI Series – IT Security Evaluation Criteria
• SNI ISO/IEC 15408-1:2014 Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model (ISO/IEC 15408-1:2009, IDT)
• SNI ISO/IEC 15408-2:2014 Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional components (ISO/IEC 15408-2:2008, IDT)
• SNI ISO/IEC 15408-3:2014 Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance components (ISO/IEC 15408-3:2008, IDT)
• ISO/IEC 18045: Information technology – Security techniques – A framework for IT Security assurance – Methodology for IT Security Evaluation
• ISO/IEC TR 15446 Information technology – Security techniques – Guide for the production of Protection Profiles and Security Targets
ITU-T Workshop - Geneva - February 2009
SC 27/WG 3 Security Evaluation Criteria
• IT Security Evaluation Criteria (CC) (SNI ISO/IEC 15408-x:2013)
• Evaluation Methodology (CEM) (IS 18045)
• PP/ST Guide (TR 15446)
• Protection Profile Registration Procedures (IS 15292)
• A Framework for IT Security Assurance (TR 15443)
• Security Assessment of Operational Systems (TR 19791)
• Security Evaluation of Biometrics (FDIS 19792)
• Verification of Cryptographic Protocols (WD 29128)
• SSE-CMM (IS 21827)
• Secure System Engineering Principles and Techniques (NWIP)
• Responsible Vulnerability Disclosure (WD 29147)
• Test Requirements for Cryptographic Modules (IS 24759)
• Security Requirements for Cryptographic Modules (IS 19790)
Common Criteria Model
Helmut Kurth, How Useful are Product Security Certifications for Users of the Product, June 2005
Evaluation Assurance Levels (EAL)
1. Functionally tested
2. Structurally tested
3. Methodically tested and checked
4. Methodically designed, tested, and reviewed
5. Semi-formally designed and tested
6. Semi-formally verified design and tested
7. Formally verified design and tested
Forms of Electronic Money

| Feature | Coin | Cheque | Balance |
|---|---|---|---|
| Form | Pre-built data representing a particular denomination | Pre-built data used as proof of account ownership | Value as a simple floating-point number |
| Mathematical model | (not recoverable from the slide) | (not recoverable from the slide) | (not recoverable from the slide) |
| Advantages | High security of the monetary value | Use not limited by the availability of denominations | Easy to implement |
| Weaknesses | Data size grows as the monetary value increases | Use limited by the number of proofs and the monetary value held | Monetary value can be duplicated easily |

Source: Dany Eka Saputra
Security Analysis of E-Cash Forms

| Security objective | Coin | Cheque | Balance |
|---|---|---|---|
| Anonymity | vulnerable | vulnerable | strong |
| Double spending / forgery | strong | vulnerable | vulnerable |
| Non-repudiation | strong | strong | vulnerable |

Source: Dany Eka Saputra
Imam Santosa © LPPM ITB 2011
Thank you
INSTITUT TEKNOLOGI BANDUNG