Framework for the RPM on Information Security Governance: COBIT 5 for Information Security


Presented by Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM at the Panel Uji Publik RPM Tata Kelola Keamanan Informasi (Public Review Panel for the RPM on Information Security Governance), Indonesia Information Security Forum, 10 October 2012



  1. Framework for the RPM on Information Security Governance: COBIT 5 for Information Security. Presented by Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM at the Panel Uji Publik RPM Tata Kelola Keamanan Informasi (Public Review Panel for the RPM on Information Security Governance), Indonesia Information Security Forum, 10 October 2012. Adapted from official ISACA material. © 2012 ISACA. All Rights Reserved.
  2. Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM
     • Associate Professor (Lektor Kepala) at the School of Electrical Engineering and Informatics (STEI), ITB
     • ISACA Licensee Trainer for Introduction to COBIT 5, 31 May 2012
     • (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) 2011 award, category Senior Information Security Professional
     • ISACA Academic Advocate since 2007
     • Reviewer (on behalf of ISACA) for: ISO/IEC WDTR 38502 Governance of IT - Framework and Model; ISO/IEC WD 30120 IT Audit - Audit guidelines for Governance of IT; ISO/IEC WD 27017 Information technology - Security techniques - Information security management - Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002
     • Member of Technical Committee 35-01 BSN - KemKominfo: SNI ISO 27000 series (Information Security), SNI ISO 20000 series (Service Management System), SNI ISO 38500 (IT Governance - Corporate governance of information technology)
     • Currently developing: syllabi for the Cyber Warfare Dynamic and Cyber Deterrence courses in the Asymmetric Warfare master's programme at UnHan; the Information Security Governance master's curriculum at STEI ITB
  3. Questions?
     • Information security principles?
     • "component" vs "service"?
     • Accountable and Responsible?
     • The context of information security (KamInfo) in achieving objectives?
  4. Information Security Defined. ISACA defines information security as follows: it ensures that within the enterprise, information is protected against disclosure to unauthorised users (confidentiality), improper modification (integrity) and non-access when required (availability).
     • Confidentiality means preserving authorised restrictions on access and disclosure, including means for protecting privacy and proprietary information.
     • Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
     • Availability means ensuring timely and reliable access to and use of information.
  5. COBIT 5 for Information Security - Benefits
     • Reduced complexity and increased cost-effectiveness due to improved and easier integration of information security standards, good practices and/or sector-specific guidelines
     • Increased user satisfaction with information security arrangements and outcomes
     • Improved integration of information security in the enterprise
     • Informed risk decisions and risk awareness
     • Improved prevention, detection and recovery
     • Reduced (impact of) information security incidents
     • Enhanced support for innovation and competitiveness
     • Improved management of costs related to the information security function
     • Better understanding of information security
  6. RACI Charts: APO13 Manage Security (RACI chart figure)
  7. RACI Charts: DSS05 Manage Security Services (RACI chart figure)
  8. Principle 1: Meeting Stakeholder Needs. Stakeholder needs have to be transformed into an enterprise's actionable strategy. The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customized goals.
  9. COBIT 5 Enablers: Systemic Model with Interacting Enablers
     1. Principles, policies and frameworks
     2. Processes
     3. Organizational structures
     4. Culture, ethics and behavior
     5. Information
     6. Services, infrastructure and applications
     7. People, skills and competencies
  10. Enabler 1: Principles, Policies and Frameworks
  11. Policy Framework
  12. Information Security Principles (ISACA, (ISC)2, ISF)
     • Support the business: focus on the business; deliver quality and value to stakeholders; comply with relevant legal and regulatory requirements; provide timely and accurate information; evaluate current and future information threats; promote continuous improvement in information security.
     • Defend the business: adopt a risk-based approach; protect classified information; concentrate on critical business applications; develop systems securely.
     • Promote responsible information security behaviour: act in a professional and ethical manner; foster an information security-positive culture.
  13. Enabler 2: Processes
  14. EDM01
  15. Example: information security context for EDM01
  16. Enabler 6: Services, Infrastructure and Applications
  17. Information Security Services, Infrastructure and Applications
     • Provide a security architecture.
     • Provide security awareness.
     • Provide secure development (development in line with security standards).
     • Provide security assessments.
     • Provide adequately secured and configured systems, in line with security requirements and security architecture.
     • Provide user access and access rights in line with business requirements.
     • Provide adequate protection against malware, external attacks and intrusion attempts.
     • Provide adequate incident response.
     • Provide security testing.
     • Provide monitoring and alert services for security-related events.
  18. Discussion. Mailing list (Milis) email: isaca-id@googlegroups.com. LinkedIn group: ISACA-ID Indonesia.