Sarwono Sutikno, ICT Forum on Smart Card Security Standardization - 4 Nov 2015

Posted on 08-Jan-2017, category: Education

TRANSCRIPT

Page 1:

ISO Information Security Series. ICT Standardization Forum: Smart Cards for Payment

Jakarta, 4 November 2015

Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM, School of Electrical Engineering and Informatics

Institut Teknologi Bandung

Page 2:

Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM

Current:
• Cybersecurity Nexus Liaison, ISACA Indonesia Chapter
• ISACA Academic Advocate at ITB
• SME for Information Security Standards for ISO at ISACA HQ
• Associate Professor, School of Electrical Engineering and Informatics, Institut Teknologi Bandung
• Chair of the IT Services and Governance WG, member of the Information Security WG, and member of Technical Committee 35-01, National Programme for Standards Setting in Information Technology, BSN – Kominfo
• Lead Assessor for SNI ISO/IEC 27001:2013 certification bodies, KAN

Past:
• Chair of the National ICT Evaluation Working Group, National ICT Council (2007-2008)
• Acting Director of Systems Operations, PPATK (Indonesia Financial Transaction Reports and Analysis Center, INTRAC), April 2009 – May 2011

Professional Certification:
• Professional Engineering (PE), Principles and Practice of Electrical Engineering, College of Engineering, the University of Texas at Austin, 2000
• IRCA Information Security Management System Lead Auditor Course, 2004
• ISACA Certified Information Systems Auditor (CISA), CISA Number: 0540859, 2005
• Brainbench Computer Forensics, 2006
• (ISC)2 Certified Information Systems Security Professional (CISSP), No: 118113, 2007
• ISACA Certified Information Security Manager (CISM), CISM Number: 0707414, 2007

Award:
• (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) 2011 award, category Senior Information Security Professional. http://isc2.org/ISLA

Page 3:

Bloom's taxonomy, original and revised (lowest level first)

Bloom: Knowledge, Comprehension, Application, Analysis, Synthesis, Evaluation

Revised Bloom: Remember, Understand, Apply, Analyze, Evaluate, Create

Page 4:

Topics

• Risk >< Control – SNI ISO 31000
• Risk treatment = control
• Standards as base-practice controls

Page 5:

PP 60/2008 Government Internal Control System (Sistem Pengendalian Intern Pemerintah)

Article 3(1), the five elements of internal control:

a. control environment (Internal Control Environment)

b. risk assessment (Internal Control Risk Assessment)

c. control activities (Internal Control Activities)

d. information and communication (Information and Communication Internal Control)

e. monitoring of internal control (Internal Control Monitoring)

[Figure: the five elements are drawn as layers over the organization's stack: business requirements, the agency's duties and functions (TuPokSi), business processes, SOPs etc., and IT processes. Control rules and control procedures sit alongside the stack, within the applicable laws and regulations.]

Page 6:

Risk >< Control

Page 7:

Risk-based categorization of controls

Page 8:

Three lines of defence

Page 9:

Page 10:

Risk-based control categories

Source: Transforming Cybersecurity: Using COBIT 5, ISACA, 2013

Page 11:

Principles of SNI ISO 31000

a. Risk management creates and protects value
b. Risk management is an integral part of all organizational processes
c. Risk management is part of decision making
d. Risk management explicitly addresses uncertainty
e. Risk management is systematic, structured and timely
f. Risk management is based on the best available information
g. Risk management is tailored
h. Risk management takes human and cultural factors into account
i. Risk management is transparent and inclusive
j. Risk management is dynamic, iterative and responsive to change
k. Risk management facilitates continual improvement of the organization

Page 12:

SNI ISO 31000

Page 13:

SNI ISO 31000

Page 14:

Management System Standard (MSS) – Annex SL high-level structure

4 Context of the organization
  4.1 Understanding the organization and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the management system
  4.4 Information security management system
5 Leadership
  5.1 Leadership and commitment
  5.2 Policy
6 Planning
  6.1 Actions to address risks and opportunities
  6.2 Information security objectives and plans to achieve them
7 Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
8 Operation
  8.1 Operational planning and control
  8.2 Information security risk assessment
  8.3 Information security risk treatment
9 Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
10 Improvement
  10.1 Nonconformity and corrective action
  10.2 Continual improvement

Page 15:

The same Annex SL clause structure as page 14 (clauses 4 to 10 and their sub-clauses), instantiated for the ISMS: 4.3 reads "Determining the scope of the information security management system".

MSS series: ISO 9000, 27000, 14000, 20000 (?)

Page 16:

SNI ISO/IEC 27000 series, Information Security Management System (SMKI)

Page 17:

SNI ISO/IEC 27000 series, Information Security Management System (SMKI)

Page 18:

Improvements in ISO 27001:2013 compared with the 2005 version

Page 19:

Relationships between frameworks

[Figure: COBIT 5, the National ICT Governance General Guidelines (Panduan Umum Tata Kelola TIK Nas+) and the ICT Internal Control Evaluation Questionnaire; the COSO Internal Control Framework; SNI ISO 38500; PP 60/2008 Government Internal Control System. The layers are labelled Governance (Tata Kelola), IT Governance (Tata Kelola TI) and IT Management (Manajemen TI), with SNI ISO 27001 and SNI ISO 20000 at the IT management layer.]

Page 20:

Relationships between security frameworks

[Figure: the same stack as page 19 (COBIT 5, Panduan Umum Tata Kelola TIK Nas+, ICT Internal Control Evaluation Questionnaire, COSO Internal Control Framework, SNI ISO 38500, PP 60/2008 Government Internal Control System), with the layers labelled Governance (Tata Kelola), Management (Manajemen) and Devices (Perangkat). Placed on the diagram: SNI ISO 27014 Governance of Information Security; SNI ISO 27001 Information Security Management System; SNI ISO 20000; RSNI (draft SNI) ISO 27013; SNI ISO 15408 Common Criteria.]

Page 21:

SNI ISO/IEC 27014:2013 Governance of Information Security

Page 22:

Other SNI series – IT Security Evaluation Criteria

• SNI ISO/IEC 15408-1:2014 Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model (ISO/IEC 15408-1:2009, IDT)

• SNI ISO/IEC 15408-2:2014 Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional components (ISO/IEC 15408-2:2008, IDT)

• SNI ISO/IEC 15408-3:2014 Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance components (ISO/IEC 15408-3:2008, IDT)

• ISO/IEC 18045 Information technology – Security techniques – Methodology for IT security evaluation

• ISO/IEC TR 15446 Information technology – Security techniques – Guide for the production of Protection Profiles and Security Targets

Page 23:

SC 27/WG 3 Security Evaluation Criteria (diagram from the ITU-T Workshop, Geneva, February 2009)

• IT Security Evaluation Criteria (CC) (SNI ISO/IEC 15408-x:2013)
• Evaluation Methodology (CEM) (IS 18045)
• PP/ST Guide (TR 15446)
• Protection Profile Registration Procedures (IS 15292)
• A Framework for IT Security Assurance (TR 15443)
• Security Assessment of Operational Systems (TR 19791)
• Security Evaluation of Biometrics (FDIS 19792)
• Verification of Cryptographic Protocols (WD 29128)
• SSE-CMM (IS 21827)
• Secure System Engineering Principles and Techniques (NWIP)
• Responsible Vulnerability Disclosure (WD 29147)
• Test Requirements for Cryptographic Modules (IS 24759)
• Security Requirements for Cryptographic Modules (IS 19790)

Page 24:

Common Criteria Model

Helmut Kurth, How Useful are Product Security Certifications for Users of the Product, June 2005

Page 25:

Page 26:

Evaluation Assurance Levels (EAL)

EAL1: Functionally tested

EAL2: Structurally tested

EAL3: Methodically tested and checked

EAL4: Methodically designed, tested, and reviewed

EAL5: Semi-formally designed and tested

EAL6: Semi-formally verified design and tested

EAL7: Formally verified design and tested

Page 27:

Forms of electronic money

Form
  Coin: pre-built data representing a specific denomination
  Cheque: pre-built data used as proof of account ownership
  Balance: the value itself, stored as a simple floating-point number

Model
  Mathematical

Advantages
  Coin: high security of the monetary value
  Cheque: use is not limited by the availability of denominations
  Balance: easy to implement

Disadvantages
  Coin: data size grows as the monetary value grows
  Cheque: use is limited by the number of proofs and the value held
  Balance: the monetary value can be duplicated easily

Source: Dany Eka Saputra

Page 28:

Security analysis of e-cash forms

Security objective          Coin        Cheque      Balance
Anonymity                   vulnerable  vulnerable  strong
Double spending / forgery   strong      vulnerable  vulnerable
Non-repudiation             strong      strong      vulnerable

Source: Dany Eka Saputra
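The double-spending/forgery row is the one a card-payment engineer can check directly. What follows is an added example, not from the slides or from Dany Eka Saputra's work: toy Python models of the three forms, each copied and spent twice. Assumptions: the issuer authenticates coins and cheques with an HMAC under a key only it holds (a stand-in for the digital signature a real scheme would use), the card, merchant and bank are plain in-memory state, and the account name, amounts and serial length are constructed for the demo.

```python
# Added example, not from the slides: toy models of the three e-cash forms
# (balance, coin, cheque), each copied and spent twice. Assumption: the issuer
# authenticates coins and cheques with an HMAC under a key only it holds,
# standing in for the digital signature a real scheme would use.
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

ISSUER_KEY = secrets.token_bytes(32)  # assumption: known to the issuer only

def issuer_tag(data: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).digest()

@dataclass
class BalanceCard:  # Balance form: a bare number that nothing binds to the issuer
    balance: int  # cents; money must not be held as floating point

    def pay(self, amount: int) -> bool:
        if amount > self.balance:
            return False
        self.balance -= amount
        return True

@dataclass(frozen=True)
class Coin:  # Coin form: fixed denomination, unique serial, issuer tag over both
    serial: bytes
    denomination: int
    tag: bytes

def mint_coin(denomination: int) -> Coin:
    serial = secrets.token_bytes(16)
    return Coin(serial, denomination, issuer_tag(serial + struct.pack(">I", denomination)))

class CoinAcceptor:  # verifies the issuer tag and refuses any serial seen before
    def __init__(self):
        self.spent = set()

    def accept(self, coin: Coin) -> str:
        expected = issuer_tag(coin.serial + struct.pack(">I", coin.denomination))
        if not hmac.compare_digest(expected, coin.tag):
            return "forged"
        if coin.serial in self.spent:
            return "double-spend"
        self.spent.add(coin.serial)
        return "ok"

@dataclass(frozen=True)
class Cheque:  # Cheque form: issuer-tagged proof of account ownership, amount set at payment
    account: str
    number: int
    tag: bytes

def issue_cheque(account: str, number: int) -> Cheque:
    return Cheque(account, number, issuer_tag(f"{account}:{number}".encode()))

def merchant_accepts_cheque(chq: Cheque, amount: int) -> bool:
    # Offline merchant: can verify the issuer tag, cannot see the account balance.
    return hmac.compare_digest(issuer_tag(f"{chq.account}:{chq.number}".encode()), chq.tag)

class Bank:  # clearing: the only point where the cheque form catches double spending
    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.cleared = set()

    def clear(self, chq: Cheque, amount: int) -> str:
        key = (chq.account, chq.number)
        if key in self.cleared:
            return "double-spend"
        if amount > self.balances.get(chq.account, 0):
            return "insufficient"
        self.balances[chq.account] -= amount
        self.cleared.add(key)
        return "ok"

def demo() -> dict:
    """Copy each token and spend it twice; report what each form allows."""
    out = {}
    card = BalanceCard(500)
    clone = BalanceCard(card.balance)  # byte-for-byte copy of the card state
    out["balance_clone_pays"] = card.pay(500) and clone.pay(500)  # True: value duplicated
    acceptor = CoinAcceptor()
    coin = mint_coin(100)
    out["coin_first"] = acceptor.accept(coin)  # "ok"
    out["coin_copy"] = acceptor.accept(Coin(coin.serial, coin.denomination, coin.tag))  # "double-spend"
    out["coin_forged"] = acceptor.accept(Coin(coin.serial, 10_000, coin.tag))  # "forged"
    chq = issue_cheque("acct-42", 7)  # constructed sample account
    out["cheque_offline_twice"] = merchant_accepts_cheque(chq, 300) and merchant_accepts_cheque(chq, 300)  # True
    bank = Bank({"acct-42": 400})
    out["cheque_clearing"] = (bank.clear(chq, 300), bank.clear(chq, 300))  # ("ok", "double-spend")
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() reproduces the row: the cloned balance card pays twice with nobody able to tell the copies apart, the coin acceptor rejects both the copied serial and the re-denominated coin at the point of sale, and the cheque passes an offline merchant twice and is caught only when the bank clears it. The coin's strength comes from the acceptor keeping a spent-serial list, which is the storage cost the "Disadvantages" row on page 27 alludes to.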

Page 29:

Imam Santosa © LPPM ITB 2011

Thank you

INSTITUT TEKNOLOGI BANDUNG