INFORMATION SYSTEMS SECURITY
Prepared By : Afen Prana http://afenprana.wordpress.com
06
BUILDING A SECURITY PROGRAM
Upon completion of this chapter, you should be able to:
Recognize & understand the organizational approaches to infosec
List & describe the functional components of the infosec program
Determine how to plan & staff an organization's infosec program based on its size
Evaluate the internal & external factors that influence the activities & organization of an infosec program
more ...
List & describe the clearly defined job roles & functions performed in an infosec program
Develop the components of a security education, training, & awareness program & understand how organizations write and manage these programs
Some organizations use the term security program to describe the entire set of personnel, plans, policies, & initiatives related to infosec
InfoSec program: used here to describe the structure & organization of the effort that contains the risks to the organization's information assets
Several variables determine how an infosec program is structured:
Organizational culture
Size
Security personnel budget
Security capital budget
“…As organizations grow larger, their security departments cannot keep up with the ever-increasing demands of a complex organizational infrastructure. Security spending per user & per machine declines exponentially as the organization grows, which holds back the implementation of effective security procedures.”
Infosec departments in large organizations
tend to form & re-form internal groups to meet long-term challenges, even while they handle day-to-day security operations.
Functions are likely to be split into separate groups
In very large organizations with more than 10,000 computers,
the security budget often grows faster than the IT budget
Even with a large budget, the average amount spent on security per user is still smaller than in other types of organizations
Where small organizations spend more than $5,000 per user on security,
very large organizations spend about 1/18 of that, roughly $300 per user
Very large organizations, however,
do a good job in the policy and resource management areas,
although only 1/3 of organizations handle incidents according to an IR plan
In large organizations with 1,000 to 10,000 computers,
the approach to security has often matured, integrating planning & policy into the organizational culture
Unfortunately, large organizations do not always put large resources into security
Considering the very large numbers of computers & users involved,
they tend to spend proportionally less on security
The security approach in large organizations separates 4 functional areas:
1. Functions performed by non-technology business units outside IT
2. Functions performed by IT groups outside the infosec area
3. Functions performed within the infosec department as customer service
4. Functions performed within the infosec department as compliance
It is the CISO's responsibility to see that infosec functions are adequately performed somewhere within the organization
The deployment of full-time security personnel depends on a number of factors,
including the sensitivity of the information to be protected, industry regulations,
& general profitability
The more funds a company can dedicate to its personnel budget,
the more likely it is to maintain a large infosec staff
Medium-sized organizations (100-1,000 computers) ...
Have a smaller total budget
Have about the same security staff size as a small organization, but much greater needs
Must rely on help from the IT staff for planning & practices
The ability to set policy, handle incidents in a routine manner, & allocate resources effectively, overall ...
Medium-sized organizations (100-1,000 computers)
may be large enough to implement a multi-tiered approach to security, with fewer dedicated groups
& more functions assigned to each group
Medium-sized organizations tend to ignore some security functions
Small organizations (10-100 computers) have a simple, centralized IT organizational model
Spend disproportionately less on security
InfoSec in a small organization is often the responsibility of a single person
more ...
Such organizations take a simple approach to formal policy, planning, or security measures
Commonly outsource their Web presence or electronic commerce operations
Security training & awareness is usually conducted on a 1-on-1 basis
more ...
Issue-specific policy
The threat from insiders may be smaller where every employee knows every other employee
In large organizations, InfoSec is often placed within the IT department,
led by the CISO, who reports directly to an executive or to the CIO
Quite naturally, an InfoSec program sometimes conflicts with the goals and objectives of the IT department as a whole
Because of the goals and objectives of the CIO & CISO,
it is not hard to understand the case for separating infosec from the IT division
The challenge is to design a reporting structure for the InfoSec program that balances the needs of each community
Other options:
Option 7: Internal Audit
Option 8: Help Desk
Option 9: Accounting & Finance through IT
Option 10: Human Resources
Option 11: Facilities Management
Option 12: Operations
Security Program Components
An organization's InfoSec needs are unique to its culture, size, & budget
Determining the level at which to run the infosec program depends on the organization's strategic plan; in particular, on the plan's vision and mission statements
The CIO & CISO need to use these 2 documents to formulate a mission statement for the infosec program
InfoSec positions can be classified into 1 of 3 types:
1. Defining, 2. Building, &
3. Administering
Defining
Provide policies, guidelines, and standards; perform consulting & risk assessment; strengthen product & technical architectures; senior people with broad knowledge
Building
The real technical people; create & install security solutions
Administering
Operate & administer the security tools & the security monitoring function
Work continuously to improve the processes
A typical organization has a number of individuals with infosec responsibilities
Although titles may vary, most job functions fit one of the following:
Chief infosec Officer (CISO)
Security managers
Security administrators & analysts
Security technicians
Security staff
The help desk is an important part of the infosec team,
enhancing the ability to identify potential problems
When a user contacts the help desk with a complaint about their computer, network connection, or Internet access,
the user's problem may turn out to be a larger problem, such as a hacker attack, a DoS attack, or a virus
Because help desk technicians perform specialized tasks in infosec, they need specialized training
Security Education, Training, & Awareness Programs
Designed to reduce security breaches
Awareness, training, & education programs offer 2 major benefits:
1. Improve employee behavior
2. Enable the organization to hold employees accountable for their actions
A SETA program consists of 3 elements:
1. security education
2. security training
3. security awareness
The purpose of SETA is to enhance security ...
by building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
by developing skills & knowledge so that computer users can perform their jobs while using IT systems more ‘securely’
by improving the awareness needed to protect system resources
SETA Framework Comparison
Security training involves providing detailed information & instruction that gives users the skills to perform their duties correctly
Two methods of customizing training:
1. Functional background
General user
Managerial user
Technical user
2. Skill level
Novice
Intermediate
Advanced
Using the wrong training method can:
Hinder the transfer of knowledge
Lead to unnecessary expense & frustration, with poorly trained employees
A good training program:
Uses the latest knowledge technologies and best practices
Uses centralized public courses & on-site training
Task-oriented modules & training sessions
The selection of a training method is not always based on the best outcome for the trainees
Other factors, such as budget, scheduling, & organizational needs, often come first
Training delivery methods:
One-on-One
Formal Class
Computer-Based Training (CBT)
Distance Learning/Web Seminars
User Support Group
On-the-Job Training
Self-Study (Noncomputerized)
Where can you find trainers?
Local training program
Continuing education department
External training agency
Professional trainer, consultant, or someone from an accredited institution to conduct on-site training
In-house training using the organization’s own employees
While each organization develops its own strategy,
the following 7-step methodology generally applies:
Step 1: Identify program scope, goals, & objectives
Step 2: Identify training staff
Step 3: Identify target audiences
Step 4: Motivate management & employees
Step 5: Administer the program
Step 6: Maintain the program
Step 7: Evaluate the program
Security awareness program: one of the least frequently implemented, but most effective security methods
Security awareness programs:
set the stage for training by changing organizational attitudes to realize the importance of security & the adverse consequences of its failure
remind users of the procedures to be followed
SETA best practices
When developing an awareness program:
Focus on people
Refrain from using technical jargon
Use every available venue
Define learning objectives, state them clearly, & provide sufficient detail & coverage
Keep things light
more ...
Don’t overload the users
Help users understand their roles in InfoSec
Take advantage of in-house communications media
Make the awareness program formal; plan & document all actions
Provide good information early, rather than perfect information late
10 Commandments of InfoSec Awareness Training
I. InfoSec is a people, rather than a technical, issue
II. If you want them to understand, speak their language
III. If they cannot see it, they will not learn it
IV. Make your point so that you can identify it & so can they
V. Never lose your sense of humor
more ...
VI. Make your point, support it, & conclude it
VII. Always let the recipients know how the behavior that you request will affect them
VIII. Ride the tame horses
IX. Formalize your training methodology
X. Always be timely, even if it means slipping schedules to include urgent information
Security awareness & security training are designed to modify any employee behavior that endangers the security of the organization’s information
Security training & awareness activities can be undermined, however, if management does not set a good example
Effective training & awareness programs make employees accountable for their actions
Dissemination & enforcement of policy become easier when training & awareness programs are in place
Demonstrating due care & due diligence can help indemnify the institution against lawsuits
Awareness can take on different forms for particular audiences
A security awareness program can use many methods to deliver its message
Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning out process (acclimation)
Awareness techniques should be creative & frequently changed
Security awareness components range from cheap to very expensive
Security awareness components include:
Videos
Posters & banners
Lectures & conferences
Computer-based training
Newsletters
Brochures & flyers
Trinkets (coffee cups, pens, pencils, T-shirts)
Bulletin boards
A security newsletter is a cost-effective way to disseminate security information
In the form of paper, e-mail, or intranet
Goal: keep infosec uppermost in users’ minds & stimulate them to care about security
Newsletters might include:
Threats to the organization’s info assets
Schedules for upcoming security classes & presentations
Addition of new security personnel
Summaries of key policies
Summaries of key news articles
Announcements relevant to infosec
How-to’s
A security poster series can be a simple & inexpensive way to keep security on people’s minds
Professional posters can be quite expensive, so in-house development may be the best solution
Keys to a good poster series:
Varying the content & keeping posters updated
Keeping them simple, but visually interesting
Making the message clear
Providing information on reporting violations
I like some other posters better.
(see www.despair.com)
Trinkets (small giveaway items) may not cost much on a per-unit basis, but they can be expensive to distribute throughout an organization
Several types of common trinkets:
Pens & pencils
Mouse pads
Coffee mugs
Plastic cups
Hats
T-shirts
66
Organizations can establishWeb pages or sites
dedicated topromoting infosec awareness
As with other SETA awareness methods,the challenge lies
in updating the messagesfrequently enoughto keep them fresh
Prepared By : Prepared By : AfenAfen PranaPrana
67
Some tips on creating & maintaining an educational Web site:
See what’s already out there
Plan ahead
Keep page loading time to a minimum
Seek feedback
Assume nothing & check everything
Spend time promoting your site
Another means of renewing the infosec message is to have a guest speaker or even a mini-conference dedicated to the topic of infosec
Perhaps in association with National Computer Security Day: November 30
Summary
Organizing for Security
Placing InfoSec Within An Organization
Components of the Security Program
InfoSec Roles & Titles
Implementing Security Education, Training, & Awareness Programs