8/3/2019 PAI B Semi Final 3 Checklist
1/17
NRP Name 1. Clauses 2. Control Name 3. Control Objectives
CONTOH 10.5 Backup
Objective: To maintain the integrity and availability of
information and information processing
facilities.
Routine procedures should be established to
implement the agreed back-up policy and strategy
(see
also 14.1) for taking back-up copies of data and
rehearsing their timely restoration.
10.5.1 Backup Information
Back-up copies of information and software should betaken and tested regularly in accordance with agreed
policy
9.1 Secure areas Objective: To prevent unauthorized physical access,
damage, and interference to the organizations
premises and information.
Critical or sensitive information processing facilities
should be housed in secure areas, protected by
defined security perimeters, with appropriate
security barriers and entry controls. They should be
physically protected from unauthorized access,damage, and interference.
The protection provided should be commensurate
with the identified risks.
1 5206100037 LUCI DWI AGUSTIN
9.1.1 Physical security perimeter Security perimeters (barriers such as walls, card
controlled entry gates or manned reception desks)
should be used to protect areas that contain
information and information processing facilities.
2 5206100064 DIMAS PRAYOGO
9.1.2 Physical entry controls Secure areas should be protected by appropriate
entry controls to ensure that only authorized
3 5206100065 RAMA DHANIAREZA9.1.3 Securing offices, rooms and
facilities
Physical security for offices, rooms, and facilities
should be designed and applied.
4 5206100081 INDAH SRI WAHYUNI
9.1.4 Protecting against external and
environmental threats
Physical protection against damage from fire, flood,
earthquake, explosion, civil unrest, and other
forms of natural or man-made disaster should be
designed and applied.
5 5207100002MOCHAMAD ARIEF
RAMADHANA
9.1.6 Public access, delivery and
loading areas
Access points such as delivery and loading areas and
other points where unauthorized persons may
enter the premises should be controlled and, if
possible, isolated from information processing
facilities to avoid unauthorized access.
8/3/2019 PAI B Semi Final 3 Checklist
2/17
9.2 Equipment security Objective: To prevent loss, damage, theft or
compromise of assets and interruption to the
organizations activities.
Equipment should be protected from physical and
environmental threats.
Protection of equipment (including that used off-
site, and the removal of property) is necessary to
reduce the risk of unauthorized access to
information and to protect against loss or damage.
This
should also consider equipment siting and disposal.
Special controls may be required to protect
against physical threats, and to safeguard
supporting facilities, such as the electrical supply
and
6 5207100005 M RIZAL AVIF KHAN
9.2.1 Equipment siting and protection Equipment should be sited or protected to reduce the
risks from environmental threats and hazards,
7 5207100006 ABDUL WAHAB
9.2.2 Supporting utilities Equipment should be protected from power failures
and other disruptions caused by failures in
supporting utilities.
8 5207100007 CHODIJAH DYANINGTYAS
9.2.3 Cabling security Power and telecommunications cabling carrying data
or supporting information services should be
protected from interception or damage.
9 5207100011 FARIKHAH FARKHANI9.2.4 Equipment maintenance Equipment should be correctly maintained to ensure
its continued availability and integrity.
10 5207100016 SYIFA INDI ADDINI
9.2.5 Security of equipment off-
premises
Security should be applied to off-site equipment
taking into account the different risks of working
11 5207100018 GELAR SATYA PRADANA
9.2.6 Secure disposal or re-use of
equipment
All items of equipment containing storage media
should be checked to ensure that any sensitive data
and licensed software has been removed or securely
overwritten prior to disposal.
12 5207100022 AULIA FEBRIYANTI9.2.7 Removal of property Equipment, information or software should not be
taken off-site without prior authorization
10.1 Operational procedures and
responsibilities
Objective: To ensure the correct and secure
operation of information processing facilities.
Responsibilities and procedures for the management
and operation of all information processing
facilities should be established. This includes the
development of appropriate operating procedures.
Segregation of duties should be implemented, where
appropriate, to reduce the risk of negligent or
deliberate system misuse.
13 5207100024 SYAIKHUL HAADI
10.1.1 Documented operating
procedures
Operating procedures should be documented,
maintained, and made available to all users who need
them.
14 5207100025 FAZA NAILUL MAZIYA
10.1.2 Change management Changes to information processing facilities and
systems should be controlled.
15 5207100030 KHAIRU RAHMAN
10.1.3 Segregation of duties Duties and areas of responsibility should be
segregated to reduce opportunities for unauthorized
or unintentional modification or misuse of the
16 5207100032BUDI CHANDRA
DEKARALOS
10.1.4 Separation of development, test
and operational facilities
Development, test, and operational facilities should
be separated to reduce the risks of unauthorised
access or changes to the operational system.
10.3 System planning and acceptance Objective: To minimize the risk of systems failures.
Advance planning and preparation are required to
ensure the availability of adequate capacity and
resources to deliver the required system
performance.Projections of future capacity requirements should
be made, to reduce the risk of system overload.
The operational requirements of new systems
should be established, documented, and tested prior
to
their acceptance and use.
17 5207100041 FASRIAN EKA FITRIANI
10.3.1 Capacity management The use of resources should be monitored, tuned, and
projections made of future capacity
requirements to ensure the required system
18 5207100047 ANGGIK LIGIA Y P
10.3.2 System acceptance Acceptance criteria for new information systems,
upgrades, and new versions should be establishedand suitable tests of the system(s) carried out during
development and prior to acceptance.
8/3/2019 PAI B Semi Final 3 Checklist
3/17
10.4 Protection against malicious and
mobile code
Objective: To protect the integrity of software and
information.
Precautions are required to prevent and detect the
introduction of malicious code and unauthorized
mobile code.
Software and information processing facilities are
vulnerable to the introduction of malicious code,
such as computer viruses, network worms, Trojan
horses, and logic bombs. Users should be made
aware of the dangers of malicious code.
Managers should, where appropriate, introduce
controls to
prevent, detect, and remove malicious code and
control mobile code.
19 5207100048 ANITA SAFITRI
10.4.1 Controls against malicious code Detection, prevention, and recovery controls to
protect against malicious code and appropriate user
awareness procedures should be implemented.
20 5207100051 TIRTA MUTIARA SARI
10.4.2 Controls against mobile code Where the use of mobile code is authorized, the
configuration should ensure that the authorised
mobile code operates according to a clearly defined
security policy, and unauthorized mobile code
should be prevented from executing.
10.6 Network security management Objective: To ensure the protection of information
in networks and the protection of the supporting
infrastructure.
The secure management of networks, which may
span organizational boundaries, requires careful
consideration to dataflow, legal implications,
monitoring, and protection.
Additional controls may also be required to protect
sensitive information passing over public
networks.
21 5207100055 SINGGIH SETYO JATMIKO
10.6.1 Network controls Networks should be adequately managed and
controlled, in order to be protected from threats, and
to
maintain security for the systems and applications
using the network, including information in transit.
22 5207100058 NYOMAN BAGUS PRASETIA
10.6.2 Security of network services Security features, service levels, and management
requirements of all network services should be
identified and included in any network services
agreement, whether these services are provided
inhouse
10.1 Monitoring Objective: To detect unauthorized information
processing activities.
Systems should be monitored and information
security events should be recorded. Operator logs
and
fault logging should be used to ensure information
system problems are identified.
An organization should comply with all relevant legal
requirements applicable to its monitoring and
logging activities.
System monitoring should be used to check the
effectiveness of controls adopted and to verify
23 5207100062 NURAISA NOVIA HIDAYATI
10.10.1 Audit logging Audit logs recording user activities, exceptions, and
information security events should be produced
and kept for an agreed period to assist in future
investigations and access control monitoring.
24 5207100068NOVIARDI PUTRA
NUGROHO
10.10.2 Monitoring system use Procedures for monitoring use of information
processing facilities should be established and the
results of the monitoring activities reviewed regularly.
25 5207100069 PUTU AGUNG SATRYAWAN
10.10.3 Protection of log information Logging facilities and log information should be
protected against tampering and unauthorized access.
26 5207100072 HADI SUYITNO10.10.4 Administrator and operator logs System administrator and system operator activities
should be lo ed.
27 5207100074 NANDA GAGAH LAKSANA10.10.5 Fault logging Faults should be logged, analysed, and appropriate
action taken.
28 5207100076 GLEND STEVEN MAATITA
10.10.6 Clock synchronization The clocks of all relevant information processing
systems within an organization or security domain
should be synchronized with an agreed accurate time
source.
8/3/2019 PAI B Semi Final 3 Checklist
4/17
11.1 Business requirement for access
control
Objective: To control access to information.
Access to information, information processing
facilities, and business processes should be
controlled
on the basis of business and security requirements.
Access control rules should take account of policies
for information dissemination and authorization.
29 5207100087 RAHMI ROMADHONA P
11.1.1 Access control policy An access control policy should be established,
documented, and reviewed based on business and
securit re uirements for access.11.2 User access management Objective: To ensure authorized user access and to
prevent unauthorized access to information
systems.Formal procedures should be in place to control the
allocation of access rights to information systems
and services.
The procedures should cover all stages in the life-
cycle of user access, from the initial registration of
new users to the final de-registration of users who
no longer require access to information systems and
services. Special attention should be given, where
appropriate, to the need to control the allocation of
privileged access rights, which allow users to
override system controls.
30 5207100092 ARIEF RAKHMAN
11.2.1 User registration There should be a formal user registration and de-
registration procedure in place for granting and
revoking access to all information systems and
31 5207100093 FITRIANNISA UMAMI11.2.2 Privilege management The allocation and use of privileges should be
restricted and controlled
32 5207100095 MUH EKA WIJAYA11.2.3 User password management The allocation of passwords should be controlled
through a formal management process.
33 5207100096 GUSVIANTOKO DALI P11.2.4 Review of user access rights Management should review users access rights at
regular intervals using a formal process.
11.3 User responsibilities Objective: To prevent unauthorized user access, and
compromise or theft of information and
information processing facilities.
The co-operation of authorized users is essential for
effective security.
Users should be made aware of their responsibilities
for maintaining effective access controls,
particularly regarding the use of passwords and the
security of user equipment.
A clear desk and clear screen policy should be
implemented to reduce the risk of unauthorized
access
or damage to papers, media, and information
34 5207100098 GOEIJ YONG SUN
11.3.1 Password use Users should be required to follow good security
ractices in the selection and use of asswords.
35 5207100099 ADITYA OKTALIFRYAN11.3.2 Unattended user equipment Users should ensure that unattended equipment has
appropriate protection.
11.4 Network access control Objective: To prevent unauthorized access to
networked services.
Access to both internal and external networked
services should be controlled.
User access to networks and network services
should not compromise the security of the network
services by ensuring:
a) appropriate interfaces are in place between the
organizations network and networks owned by
other organizations, and public networks;
b) appropriate authentication mechanisms areapplied for users and equipment;
c) control of user access to information services in
36 5207100113 M TRINOFERIANTO
11.4.1 Policy on use of network services Users should only be provided with access to the
services that they have been specifically authorized
to use.
37 5207100115DARWIN PRASETYA EKA
GUNAWAN
11.4.2 User authentication for external
connections
Appropriate authentication methods should be used
to control access by remote users.
38 5208100105 AUSTIANINGRUM F
11.4.3 Equipment identification in the
network
Automatic equipment identification should be
considered as a means to authenticate connections
from
39 5208100106 MAYA SAGITA W 11.4.4 Remote diagnostic andconfi uration ort rotection
Physical and logical access to diagnostic andconfi uration orts should be controlled
40 5208100107 NURUL FATMAWATI
11.4.5 Segregation in networks Groups of information services, users, and
information systems should be segregated on
networks.
8/3/2019 PAI B Semi Final 3 Checklist
5/17
41 5208100108 OKI NIDIANITA HADI
11.4.6 Network connection control For shared networks, especially those extending
across the organizations boundaries, the capability of
users to connect to the network should be restricted,
in line with the access control policy and
requirements of the business applications (see 11.1).
42 5208100114 TATA ARANSTA IMAS P
11.4.7 Network routing control Routing controls should be implemented for networks
to ensure that computer connections and
information flows do not breach the access control
policy of the business applications.
11.5 Operating system access control Objective: To prevent unauthorized access tooperating systems.
Security facilities should be used to restrict access to
operating systems to authorized users. The
facilities should be capable of the following:
a) authenticating authorized users, in accordance
with a defined access control policy;
b) recording successful and failed system
authentication attempts;
c) recording the use of special system privileges;
d) issuing alarms when system security policies are
breached;
e) providing appropriate means for authentication;
f) where appropriate, restricting the connection time
43 5208100133 DEWI NURYATI
11.5.1 Secure log-on procedure Access to operating systems should be controlled by a
secure log-on procedure.
44 5208100135 KHIKMATUL MAULA
11.5.2 User identification and
authentication
All users should have a unique identifier (user ID) for
their personal use only, and a suitable
authentication technique should be chosen to
45 5208100140 LAEILA M11.5.3 Password management system Systems for managing passwords should be
interactive and should ensure quality passwords.
46 5207100111 PERMANA NURDYAHSARI
11.5.4 Use of system utilities The use of utility programs that might be capable of
overriding system and application controls should
be restricted and tightly controlled.
47 5208100130FERLYNA KUSUMA
WARDHANI
11.5.5 Session time-out Inactive sessions should shut down after a defined
eriod of inactivit .
48 5208100151 LUDFI EKA LESMANA
11.5.6 Limitation of connection time Restrictions on connection times should be used to
provide additional security for high-risk
applications.
8/3/2019 PAI B Semi Final 3 Checklist
6/17
Risk Identification Detail Controls Expected
5. Controls used Justification
(procedures, technical tool
or both applicable)
6. Evidence of Procedures
Ref.
7. Evidence of Technical
Controls Ref.
data loss caused by system crash,file damaged or fault transaction
a.) accurate and complete recordsof the back-up copies and
documented restoration
procedures should be produced;
b) the extent (e.g. full or
differential backup) and frequency
of backups should reflect the
business requirements of the
organization, the security
requirements of the information
involved, and the criticality of the
information to the continued
operation of theorganization;
c) the back-ups should be stored
in a remote location, at a
sufficient distance to escape any
damage from a disaster at the
main site;
d) back-up information should be
given an appropriate level of
physical and environmental
protection (see clause 9)
consistent with the standards
applied at the main site; the
controls applied to media at the
main site should be extended to
cover the back-up site;
e) back-up media should be
regularly tested to ensure that
1. . PT. ABG has formalizedthe backup and restore
procedure 2.
the backup should be taken
place every day after working
hours and automatically
scheduled by the system.
3. the backup process divided
into 2 types. The daily backup
should be done incrementally
while the monthly backup
should be delivered as full
backup 4. monthly backuptapes were stored in safe
deposit box in bank
5. backup tapes should be
tested for restoration process
every 3 months 6. the
backup and restoration
process were supported by
HP storageworks backup
drive, using HP Ultrium data
cartridge as backup media
and running by CA Arcserve
11 backup sotware
a. Ref. Number ofprocedure. Provide a copy
procedure b.
provide copy of tape
inventory stored in safe
deposit box within the
year 2009 c.
provide copy of forms
showing that the
restoration process has
been delivered
successfully within the
year 2009
a. capture pictures of datacenter showing the
backup drive, tapes and
their equipment
b. capture the backup
status report from
arcserve within the year
2009
8/3/2019 PAI B Semi Final 3 Checklist
7/17
8/3/2019 PAI B Semi Final 3 Checklist
8/17
8/3/2019 PAI B Semi Final 3 Checklist
9/17
8/3/2019 PAI B Semi Final 3 Checklist
10/17
8/3/2019 PAI B Semi Final 3 Checklist
11/17
8. Audit Findings9. Adequacy of controls
justification10. Recommendation 11. Action Planned 13. Deliverables and Timeline
a. backup tapes for august
and september 2009 were
not listed in safe deposit
box inventory. After
checking the backup
status report, we knew
that the full backup was
not delivered properly in
the appropriate month
b. auditor notified the
absence of restoration
test that should be taken
place in october and
december.
c. there was an incidentreported in november
2009 caused a damage in
ERP server due to system
crash. IT dept needed to
conduct a roll back
process to adjust the
transaction. Since the
restoration test was not
delivered at october and
unfortunately the data
stored in the media can
not be read properly. The
IT dept has nothing to dobut to input the missing
transaction from the
the backup and restore
controls mentioned in the
procedure are sufficient
but consistent and
continous implementation
need to be enforced
Monitoring is the
preventive action that can
be done by the IT
manager or other staf
appointed on behalf o the
management to overview
the implementation of
backup and restore
procedure. This
mechanism is needed to
ensure that the procedure
has been done timely and
appropriately. There
should be formal records
to prove that theimplementation has been
successully delivered,
when, and who is the
person responsible to the
action. These records will
help us to track back if
someday there were
faults or failure, so it
would not happen again in
the future
IT manager is responsible
person to monitor the
implementation of the
backup and restore
procedure. Each process
including schedule,
resources, deliverables
and person responsible
should be registered in
security internal control
quiestionairre form to
make it easily for tracking.
the action plan is effective to be done per
January 2nd, 2010
8/3/2019 PAI B Semi Final 3 Checklist
12/17
8/3/2019 PAI B Semi Final 3 Checklist
13/17
8/3/2019 PAI B Semi Final 3 Checklist
14/17
8/3/2019 PAI B Semi Final 3 Checklist
15/17
8/3/2019 PAI B Semi Final 3 Checklist
16/17
8/3/2019 PAI B Semi Final 3 Checklist
17/17