Posted: 17-Jul-2015 | Category: Engineering | Uploaded by: sarwono-sutikno-drengcisacisspcism
Socialization of SNI ISO/IEC 15408: Information Technology Security Evaluation Criteria (Common Criteria)
Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM, Chair of the IT Governance and Services WG, PT35-01 Information Technology
Makassar, 7 May 2014
Current:
• Director of Certification – CRISC & CGEIT, ISACA Indonesia Chapter
• ISACA Academic Advocate at ITB
• SME for Information Security Standard for ISO at ISACA HQ
• Associate Professor at School of Electrical Engineering and Informatics, Institut Teknologi Bandung
• Chair of the IT Services and Governance WG, member of the Information Security WG, and member of Technical Committee 35-01, National Program for Standard Setting in Information Technology, BSN – Kominfo
Past:
• Chair of the National ICT Evaluation Working Group, National ICT Council (2007-2008)
• Acting Director of Systems Operations, PPATK (Indonesia Financial Transaction Reports and Analysis Center, INTRAC), April 2009 – May 2011
Professional Certification:
• Professional Engineering (PE), the Principles and Practice of Electrical Engineering, College of Engineering, the University of Texas at Austin, 2000
• IRCA Information Security Management System Lead Auditor Course, 2004
• ISACA Certified Information System Auditor (CISA), CISA Number: 0540859, 2005
• Brainbench Computer Forensic, 2006
• (ISC)2 Certified Information Systems Security Professional (CISSP), No: 118113, 2007
• ISACA Certified Information Security Manager (CISM), CISM Number: 0707414, 2007
Award:
• (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) 2011 award in the category Senior Information Security Professional. http://isc2.org/ISLA
Bloom’s Taxonomy of Educational Objectives
• Remember: list, recite
• Comprehend: explain, paraphrase
• Apply: calculate, solve, determine, apply
• Analyze: compare, contrast, classify, categorize, derive, model
• Synthesize: create, construct, design, improve, produce, propose
• Evaluate: judge, critique, justify, verify, assess, recommend
Risk-based Control Categories
Source: Transforming Cybersecurity: Using COBIT 5, ISACA, 2013
Frameworks and Standards – Overview
[Diagram: frameworks and standards layered from board level through management to technical: SNI ISO 38500, COSO, PP60/2008, COBIT, ITIL v2, ITIL v3, SNI ISO 20000, SNI ISO 2700x, SNI ISO 900x, Common Criteria (SNI ISO 15408)]
Information Security Frameworks and Standards
[Diagram: information security frameworks and standards layered from board level through management to technical: SNI ISO 38500, COSO, PP60/2008, COBIT for Information Security, SNI ISO 27014:2014 Information Security Governance, SNI ISO 2700x, Common Criteria (SNI ISO 15408)]
The SNI 15408 Series – IT Security Evaluation Criteria
• ISO/IEC 15408-1:2009 Evaluation criteria for IT security - Part 1: Introduction and general model
• SNI ISO/IEC 15408-1:2013 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
• ISO/IEC 15408-2:2008 Evaluation criteria for IT security - Part 2: Security functional components
• SNI ISO/IEC 15408-2:2013 Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional components
• ISO/IEC 15408-3:2008 Evaluation criteria for IT security - Part 3: Security assurance components
• SNI ISO/IEC 15408-3:2013 Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance components
Other SNI Series Still to Be Proposed – IT Security Evaluation Criteria
• ISO/IEC 15443-1:2012 Information technology – Security techniques – A framework for IT Security assurance – Part 1: Introduction and concepts
• ISO/IEC 15443-2:2012 Information technology – Security techniques – A framework for IT Security assurance – Part 2: Analysis
• ISO/IEC 18045: Information technology – Security techniques – A framework for IT Security assurance – Methodology for IT Security Evaluation
• ISO/IEC TR 15446 Information technology – Security techniques – Guide for the production of Protection Profiles and Security Targets
Source: ITU-T Workshop - Geneva - February 2009
SC 27/WG 3 Security Evaluation Criteria
• IT Security Evaluation Criteria (CC) (SNI ISO/IEC 15408-x:2013)
• Evaluation Methodology (CEM) (IS 18045)
• PP/ST Guide (TR 15446)
• Protection Profile Registration Procedures (IS 15292)
• A Framework for IT Security Assurance (TR 15443)
• Security Assessment of Operational Systems (TR 19791)
• Security Evaluation of Biometrics (FDIS 19792)
• Verification of Cryptographic Protocols (WD 29128)
• SSE-CMM (IS 21827)
• Secure System Engineering Principles and Techniques (NWIP)
• Responsible Vulnerability Disclosure (WD 29147)
• Test Requirements for Cryptographic Modules (IS 24759)
• Security Requirements for Cryptographic Modules (IS 19790)
Common Criteria Model
Source: Helmut Kurth, How Useful are Product Security Certifications for Users of the Product, June 2005
Evaluation Assurance Levels
1. Functionally tested
2. Structurally tested
3. Methodically tested and checked
4. Methodically designed, tested, and reviewed
5. Semi-formally designed and tested
6. Semi-formally verified design and tested
7. Formally verified design and tested
Discussion