
Tata Kelola Keamanan Informasi (Information Security Governance)

Date post: 22-Jan-2015
Category:
Upload: directorate-of-information-security-ditjen-aptika
View: 1,131 times
Download: 7 times
Description:
Presented by Alip Priyono, VP IT Strategy & Governance, PT Telekomunikasi Indonesia, Tbk. in Indonesia Information Security Forum 2012
Transcript
1. Tata Kelola Keamanan Informasi (Information Security Governance). Alip Priyono, VP IT Strategy & Governance, PT Telekomunikasi Indonesia, Tbk. Bandung, 10 October 2012.

2. Agenda: Background & History; TELKOM Information Security Governance; Compliance and Conformance; Discussion.

3. Business Model for Information Security.
   Source: adapted by ISACA (2010) from the University of Southern California, Marshall School of Business, Institute for Critical Information Infrastructure Protection, USA.
   Elements of the security program: Organization, Process, People, and Technology.
   Dynamic interconnections: Culture, Governing, Architecture, Emergence, Enabling & Support, Human Factors.

4. Information Security Issue: Management Challenge or Technical Issue?
   Information security must be seen as a management and business challenge, not simply as a technical issue to be handed over to experts. To keep your business secure, you must understand both the problems and the solutions.
   80% is management: InfoSec Policy; InfoSec Responsibility; InfoSec Awareness/Training; Business Continuity Planning.
   20% is technical issue: systems, tools, architectures, etc.
   Source: Kick-off ISMS IP Connectivity, CIO TELKOM.

5. Agenda: Background & History; TELKOM Information Security Governance; Compliance and Conformance; Discussion.

6. TELKOM IT Governance.
   IT Governance Framework sources: COSO; COBIT; ISO 17799/27002; ITIL.
   Internal policies: KD.40/2006; KD.57/2006.

7. Information Security Management Adoption: Continuous Improvement.
   ISMS has been adopted in the corporate security policy (KD.57/2006).
   Some areas have been certified to ISO 27001:2005:
   - IP Connectivity, by TUV Rheinland
   - Data Center TELKOM Sigma, by SGS
   - TELKOMSEL, by SGS
   - Payment Gateway Services (also with PCI-DSS), by TUV Rheinland
   - Charging Flexi Trendy, by BVQI
   - DELIMA (in progress)

8. How to Govern the People.
   Communication: Periodic Awareness Security Survey; Security Policy (KD.57/2006) Socialization; Security Campaign; Management Intents; Management Review; ISMS Award 2012.
   Training: Training on Security Policy Implementation; Training on ISO 27001:2005 Implementor; Training on ISO 27001:2005 Internal Audit; IRCA Lead Auditor ISO 27001:2005 Certification; Executive Training on ISO 27001:2005.
   What began as a burden became a spirit of achievement that can be competed for.

9. Process on Security Governance.
   Development, Acquisition: Requirement Review (System/Business Analyst); Bispro (business process); Secure SDLC; UAT, D2P.
   Operation, Maintenance: Periodic Access Review; Backup & Restore; DRP; Configuration Review; Segregation of Duties.
   Also: Advisory Board; Policy & Procedures; Management Intents.

10. Technology.
   Technology Acquisition: requirements and specs are defined to support the latest security technology, as long as it is needed by the business.
   Controlling update and patch.
   Periodic review & vulnerability test.

11. Agenda: Background & History; TELKOM Information Security Governance; Compliance and Conformance; Discussion.

12. SE Menkominfo: Circular Letter of the Minister of Communication and Informatics No.05/SE/M.KOMINFO/2011 on the Implementation of Information Security Governance for Public Service Providers.
   TELKOM has adopted IT Security Governance in its policy (since 2006); the implementation of ISMS & ITGC has been audited periodically by external parties; critical (core) areas have been ISO 27001:2005 certified.

13. Periodic Security Assessment: 1. Awareness Campaign; 2. Internal Control Survey

