
Managing and Controlling 'Big Data': Using COBIT® 5 for ... • Director of Certification – CRISC...

Date post: 23-Mar-2018
Upload: phamnguyet
Transcript
Page 1: Managing and Controlling 'Big Data': Using COBIT® 5 for ... • Director of Certification – CRISC & CGEIT, ISACA Indonesia Chapter • ISACA Academic Advocate at ITB • SME for


Socialization of SNI ISO/IEC 15408, Information Technology Security Evaluation Criteria (Common Criteria)

Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM
Chair of the IT Governance and Services WG, Technical Committee PT35-01 Information Technology

Makassar, 7 May 2014

Page 2:

Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM

Current:

• Director of Certification – CRISC & CGEIT, ISACA Indonesia Chapter
• ISACA Academic Advocate at ITB
• SME for Information Security Standard for ISO at ISACA HQ
• Associate Professor at the School of Electrical Engineering and Informatics, Institut Teknologi Bandung
• Chair of the IT Services and Governance WG, member of the Information Security WG, and member of Technical Committee 35-01, National Programme for Standards Setting in Information Technology, BSN – Kominfo

Past:

• Chair of the National ICT Evaluation Working Group, National ICT Council (2007-2008)
• Acting Director of Systems Operations, PPATK (Indonesia Financial Transaction Reports and Analysis Center, INTRAC), April 2009 – May 2011

Professional Certification:

• Professional Engineering (PE), the Principles and Practice of Electrical Engineering, College of Engineering, the University of Texas at Austin, 2000
• IRCA Information Security Management System Lead Auditor Course, 2004
• ISACA Certified Information Systems Auditor (CISA), CISA Number: 0540859, 2005
• Brainbench Computer Forensics, 2006
• (ISC)2 Certified Information Systems Security Professional (CISSP), No: 118113, 2007
• ISACA Certified Information Security Manager (CISM), CISM Number: 0707414, 2007

Award:

• (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) 2011 award in the category Senior Information Security Professional. http://isc2.org/ISLA

Page 3:

Bloom's Taxonomy of Educational Objectives

• Remember: list, recite
• Comprehend: explain, paraphrase
• Apply: calculate, solve, determine, apply
• Analyze: compare, contrast, classify, categorize, derive, model
• Synthesize: create, construct, design, improve, produce, propose
• Evaluate: judge, critique, justify, verify, assess, recommend

Page 4:

Risk-based Control Categories

Source: Transforming Cybersecurity: Using COBIT 5, ISACA, 2013

Page 5:

Frameworks and Standards – overview

Figure (layered diagram; labels recovered from the transcript). The frameworks are arranged in three layers, board level, management, and technical, from top to bottom in this order:

• Board level: SNI ISO 38500, COSO, PP60/2008 (Government Regulation 60/2008 on government internal control)
• Management: COBIT, ITIL v2, ITIL v3, SNI ISO 20000, SNI ISO 2700x, SNI ISO 900x
• Technical: Common Criteria, SNI ISO 15408

Page 6:

Information Security Frameworks and Standards

Figure (layered diagram; labels recovered from the transcript). The same three layers, board level, management, and technical, restricted to the information-security frameworks:

• Board level: SNI ISO 38500, COSO, PP60/2008
• Management: COBIT for Information Security; SNI ISO 27014:2014 Information Security Governance; SNI ISO 2700x
• Technical: Common Criteria, SNI ISO 15408

Page 7:

SNI 15408 series – IT Security Evaluation Criteria

Each part of ISO/IEC 15408 has been adopted as an Indonesian national standard (SNI) in 2013:

• ISO/IEC 15408-1:2009 Evaluation criteria for IT security - Part 1: Introduction and general model
  adopted as SNI ISO/IEC 15408-1:2013 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model

• ISO/IEC 15408-2:2008 Evaluation criteria for IT security - Part 2: Security functional components
  adopted as SNI ISO/IEC 15408-2:2013 Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional components

• ISO/IEC 15408-3:2008 Evaluation criteria for IT security - Part 3: Security assurance components
  adopted as SNI ISO/IEC 15408-3:2013 Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance components

Page 8:

Other SNI series that should be proposed – IT Security Evaluation Criteria

• ISO/IEC 15443-1:2012 Information technology – Security techniques – Security assurance framework – Part 1: Introduction and concepts
• ISO/IEC 15443-2:2012 Information technology – Security techniques – Security assurance framework – Part 2: Analysis
• ISO/IEC 18045 Information technology – Security techniques – Methodology for IT security evaluation (the Common Evaluation Methodology, CEM, that accompanies ISO/IEC 15408)
• ISO/IEC TR 15446 Information technology – Security techniques – Guide for the production of Protection Profiles and Security Targets

Page 9:

ITU-T Workshop, Geneva, February 2009

SC 27/WG 3 Security Evaluation Criteria

Figure (work-item map, reconstructed as a list; document stages IS/TR/FDIS/WD/NWIP are as of February 2009):

• IT Security Evaluation Criteria (CC) (SNI ISO/IEC 15408-x:2013)
• Evaluation Methodology (CEM) (IS 18045)
• PP/ST Guide (TR 15446)
• Protection Profile Registration Procedures (IS 15292)
• A Framework for IT Security Assurance (TR 15443)
• Security Assessment of Operational Systems (TR 19791)
• Security Evaluation of Biometrics (FDIS 19792)
• Verification of Cryptographic Protocols (WD 29128)
• SSE-CMM (IS 21827)
• Secure System Engineering Principles and Techniques (NWIP)
• Responsible Vulnerability Disclosure (WD 29147)
• Test Requirements for Cryptographic Modules (IS 24759)
• Security Requirements for Cryptographic Modules (IS 19790)

Page 10:

Common Criteria Model

Source: Helmut Kurth, How Useful are Product Security Certifications for Users of the Product, June 2005

Page 11:

Page 12:

Evaluation Assurance Levels

• EAL1: Functionally tested
• EAL2: Structurally tested
• EAL3: Methodically tested and checked
• EAL4: Methodically designed, tested, and reviewed
• EAL5: Semi-formally designed and tested
• EAL6: Semi-formally verified design and tested
• EAL7: Formally verified design and tested

Page 13:

Discussion

