Questions?
• Information Security Principles?
• “component” vs “service”?
• Accountable and Responsible?
• The context of information security in achieving objectives?
Information Security Defined
ISACA defines information security: Ensures that within the enterprise, information is protected against disclosure to unauthorised users (confidentiality), improper modification (integrity) and non-access when required (availability). Confidentiality means preserving authorised restrictions on access and disclosure, including means for protecting privacy and proprietary information. Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Availability means ensuring timely and reliable access to and use of information.
COBIT 5 for Information Security - Benefits
• Reduced complexity and increased cost-effectiveness due to improved and easier integration of information security standards, good practices and/or sector-specific guidelines
• Increased user satisfaction with information security arrangements and outcomes
• Improved integration of information security in the enterprise
• Informed risk decisions and risk awareness
• Improved prevention, detection and recovery
• Reduced (impact of) information security incidents
• Enhanced support for innovation and competitiveness
• Improved management of costs related to the information security function
• Better understanding of information security
Information Security Principles (ISACA, (ISC)2, ISF)
Support the business:
• Focus on the business
• Deliver quality and value to stakeholders
• Comply with relevant legal and regulatory requirements
• Provide timely and accurate information
• Evaluate current and future information threats
• Promote continuous improvement in information security
Defend the business:
• Adopt a risk-based approach
• Protect classified information
• Concentrate on critical business applications
• Develop systems securely
Promote responsible information security behaviour:
• Act in a professional and ethical manner
• Foster an information security-positive culture
Enabler: 6. Services, Infrastructure and Applications
Information Security Services, Infrastructure and Applications
• Provide a security architecture.
• Provide security awareness.
• Provide secure development (development in line with security standards).
• Provide security assessments.
• Provide adequately secured and configured systems, in line with security requirements and security architecture.
• Provide user access and access rights in line with business requirements.
• Provide adequate protection against malware, external attacks and intrusion attempts.
• Provide adequate incident response.
• Provide security testing.
• Provide monitoring and alert services for security-related events.