NGN integrated information security v3 DetikNas

344 views

Published on

credit to Prof. Zainal Hasibuan -DetikNas

Published in: Technology, News & Politics
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
344
On SlideShare
0
From Embeds
0
Number of Embeds
14
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

NGN integrated information security v3 DetikNas

  1. 1. An Integrated Information Security Framework:From Tactical to Strategical ApproachIndonesia ICT CouncilProf. Zainal A. Hasibuan, Ph.DVice executive Chairman National ICT CouncilNGN Info Security & Intrusion Test Studio 2012Singapore, 4-5 July 2012
  2. 2. Overview• Motivation• The Importance of Information Security• Information Security Profiles• Security Governing Structure• Uninterrupted Security Alert• Issues and Challenges on InformationSecurity• Conclusions2
  3. 3. Motivation: Why InformationSecurity?
  4. 4. Cyber Space at Work and Daily Life• Daily Life– Digital activity– Online shopping– Onlinecommunication• Fix and MobileCommunication– Social Media– Etc.4• At Work– E-Business– E-Commerce– E-Education– E-Health– E-Government– G2C, G2B,B2G,G2E
  5. 5. Threats in Information Security5Computer Virus HackingWorm . . . . .Theft Cuts . . . . . BombInformation TechnologyLogical/CyberAttackPhysicalAttack
  6. 6. The Context of Information Threat• The current threat for every country is not only come fromphysical threat, but also from cyber threat, because thecyber threat potentially destroying the economy anddestabilize the countrys security.
  7. 7. The Importance ofInformation Security
  8. 8. Why We Need Information Security?• Extremely rely on information technology• Unacceptable loss (Tangible andIntangible)• The existence of various threats8
  9. 9. Secured Our Valuable AssetIntegrityAssetConfidentialityAvailabilityCIA9
  10. 10. Secured Our Being…• Individual Security• Family Security• Community Security• Country Security• Country Sovereignty• Regional Security• Global Security10
  11. 11. Information Security Profiles
  12. 12. Information Security Layers12DataApplicationHostInternal NetworkExternal NetworkSocietyCountryGlobal
  13. 13. Information Security Approach13Information SecurityAdministrative ApproachTechnologyApproach
  14. 14. Administrative Approach14Level/Document Policy Standard ProcedureStrategic VTactical VOperational V
  15. 15. Technology Approach• Data Technology• Application Technology• Host Technology• Internal Network Technology• External Network Technology15
  16. 16. Security Governing Structure
  17. 17. Integrated Information Security FrameworkAdministrative ApproachTechnology Approach17Security Strategic LevelSecurity Operational LevelcontrolcontrolSecurity Managerial LevelDirectDirectLegalTechnicalandProceduralOrganizationStructuresCapacityBuildingInternationalCooperationExecuteAvailabilityIntegrityConfidentiality
  18. 18. Information Security: Administrative and TechnologyApproachExternalNetworkDMZPenetrationTestingVPNLoggingAuditingVulnerabilityAnalysisNetworkPerimeterFirewallsPenetrationTestingProxyLoggingAuditingVulnerabilityAnalysisStateful PacketInspectionInternalNetworkIDSPenetrationTestingIPSLoggingAuditingVulnerabilityAnalysisHostAuthenticationPasswordHashingAntivirusIDSIPSLoggingAuditingPenetrationTestingVulnerabilityAnalysisApplicationSSOContentFilteringAuditingPenetrationTestingData ValidationVulnerabilityAnalysisDataEncryptionAccess ControlsPenetrationTestingBackupVulnerabilityAnalysis
  19. 19. Examples: Secured e-Government DevelopmentPhasesPotential e-GovernmentPrograms/ProjectsImpact AnalysisClassificationlevel of e-GovernmentsecuritySecure e-GovernmentDevelopment• Tangible andIntangible nationalimpact• Cost• Risk• etc• Level of control e-government• E-governmentsecurityimplementation
  20. 20. The Structure of National Security Organization20Steering CommitteeNational Cybersecurity BoardExecutive CommitteePublic-CERT Goverment-CERT Defense-CERT ... - CERTProgram CommitteeStrategicLevelTacticalleveOperationalPresident andMinistersPracticioners,Academicians,etc
  21. 21. Uninterrupted Security Alert:Indonesian Case
  22. 22. Information Security Awareness• Information Security Education– It should be integrated in the school curricula• Information Security Socialization– Well targeted community– Well targeted government agency• Information Security Research & Development– Keep abreast with the ICT development• Information Security Capacity Building• Information Security Institutional Building22
  23. 23. Policies and Regulations: ICT Security23Telecommunication ActInformation Transaction Electronic ActImplementation Of Telecommunications Government RegulationOrganizational structure of information security Ministerial RegulationIP-based network security Ministerial RegulationCA Supervisory Board ad hoc team Ministerial DecreeInformation security coordination team Ministerial DecreeWeb server securityWifi SecurityGuidelines for the use of ISO 2700National ActGovernment RegulationMinisterial RegulationMinisterial DecreeMinisterial Letter
  24. 24. Technical and Procedural• Indonesia National Standard (SNI ISO/IEC 27001:2009: InformationSecurity Management System): National Standardization Agency (BSN)has established an identical adoption of ISO 27001 become SNI ISO/IEC27001, This standard covers all types of organizations such as commercialenterprises, government, & nonprofit organization. This standard specifiesrequirements for establishing, implementing, operating, monitoring,assessment, improving & maintenance of Information Security.• Health and Safe Internet Program: This program contains educational andpublic awareness about the importance of information security. It is hopedthat through this program, community in ICT sector participate inmaintaining security in cyberspace.• Trust+: Trust Positive (Trust+) is negative content filtering technologybased which is developed by models and the workings of this system is toperform filtering of the top level domain, URL and Content, Keyword,Expression. Implementation Trust+ is performed in MCIT, telcooperatorsand ISPs.24
  25. 25. Security: Organizational Structures25MCITInfromation SecurityCoordination TeamDirectorate General ofApplications InformaticsDirectorate General of PostalDevices and InformaticsGovermentAgenciesDirectorate of InformationSecurityIndonesia Security IncidentResponse Team on InternetInfrastructure (ID-SIRTII)ID-CERT ID-ACAD-CSIRTCommunityStructural Adhoc
  26. 26. Security: Organizational Structures26Information SecurityCoordination TeamDirectorate ofInformationSecurityIndonesia Security Incident Response Team onInternet InfrastructureLegalBasisDecree of the Minister ofMCIT Number:133/KEP/M/KOMINFO/04/2010Regulation of theMinister of MCITNumber:17/PER/M.KOMINFO/10/2010Regulation of the Minister of MCIT Number:26/PER/M.KOMINFO/5/2007Tasks andFunctionsTo coordinate, developpolicy, develop technicalguidelines, conductingawareness campaigns,and conduct monitoringand submit reports on theimplementation ofinformation security inIndonesia.To formulate andimplement policies,preparation of norms,standards, proceduresand criteria, providingtechnical guidanceand evaluation in thefield of informationsecurity.Internet traffic monitoring for incident handlingpurposes;Managing log files to support lawenforcement;Educating public for securityawareness;Assisting institutions in managingsecurity;Providing training to constituency andstakeholders;Running laboratory for simulationpractices;Establishing external and internationalcollaborations.
  27. 27. Capacitiy Building• Indonesias National Work CompetenceStandards (SKKNI) Sector InformationSecurity: This standard is used toprovide guidance in identify andcategorize the positions and certificationof personnel who perform informationsecurity functions that support theorganizations which implementinginformation security.• Information Security Index (KAMIIndex): The purpose of this activity tomap the maturity level of informationsecurity in the public service providers inaccordance with SNI 27001.27
  28. 28. International Cooperation• Indonesia has become a Full Member of the AsiaPacific and APCERT FIRST (Forum for IncidentResponse and Security Team) of the world.• Indonesia also has become a Full Member andfounder of the OIC-CERT (Organisation of the IslamicConference-CERT).28
  29. 29. Issues and Challenges onInformation Security: IndonesianCase
  30. 30. 30The IndonesianArchipelago17,548 islands - 33 states - 497 districts – 5,263 municipalities – 62,806 villages237 million population - 2 million km2 area – 80,000 km coastline length583 dialects – 127 million labor force - 50 million students1,000 trillion USD GDP - 6.4% annual growth rate
  31. 31. Geographical Issues• Thousands of island• Many way-in and way-out– Land– Sea– Air– Telecommunication• Unequal development areas31
  32. 32. Indonesia Society• Consists of hundreds of ethnic and sub-ethnic• Consists of various cultures and locallanguages• Human resources development32
  33. 33. Government Organization• Very complex government structure• Central government• Local government with degree of autonomy– Provincial government– Regency government– City government33
  34. 34. ICT Infrastructure Development: Indonesia Connected34
  35. 35. Conclusions• Harmonize policies andregulations• Strengtheninginstitutions andorganizations• Develop humanresources• Funding Commitment35

×