Reinforcement of Information Privacy and Security Nowadays
Upcoming SlideShare
Loading in...5

Reinforcement of Information Privacy and Security Nowadays



Delivered in a guest lecture session conducted for Faculty of Communication Science, Padjadjaran University, West Java, Indonesia. It includes the topic on Indonesia's Laws #14 Year of 2008 on ...

Delivered in a guest lecture session conducted for Faculty of Communication Science, Padjadjaran University, West Java, Indonesia. It includes the topic on Indonesia's Laws #14 Year of 2008 on Disclosure of Public Information.



Total Views
Views on SlideShare
Embed Views



1 Embed 252 252



Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NonCommercial LicenseCC Attribution-NonCommercial License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Reinforcement of Information Privacy and Security Nowadays Reinforcement of Information Privacy and Security Nowadays Presentation Transcript

  • Image courtesy of Business Insider
  • INTRODUCTION Image courtesy of:
  • Presenter Profile • 16 years of working experience with exposure in IT advisory, consulting, audit, training and education and project management • Advisor at six companies • ISACA International Subject Matter Expert (COBIT 5 Configuration Management, COBIT 5 Enabling Information, Risk Scenarios with COBIT 5 for Risk, Big Data Privacy Risk and Control) • ISACA International Certification Exam and QAE Developer for CISA, CISM, CGEIT, and CRISC • Reviewer Panel at three international journals: AECT TechTrends, BJET and ISACA Journals • Have audited and consulted 30+ companies • More than 65 international certifications under his belt • Has been delivering and hosting 200+ sessions with 7,000+ attendees and 5000+ hours of training, lecture, conference, workshop, seminar across Indonesia and outside the country for 70+ organizations • Writes, reviews and edits 300+ articles, encyclopedia entries, manuscripts and white paper concerning ICT, management and business on more than 20 media, publications, organizations, journals and conferences. May 2014 3
  • First-off, Information Privacy May 2014 4 Image courtesy of
  • Getting Familiar with the Taxonomy May 2014 5 Courtesy of
  • Okay, Let’s Put it this Way Information Privacy is the relationship between collection and dissemination of: •Information •Technology •Personal and public expectations •Laws and regulations surrounding them May 2014 6
  • What does Privacy Mean Now? • In the past: Privacy is about secrecy. • These days: Privacy is all about control. People's relationship with privacy is socially complicated Agree or Disagree?  May 2014 7
  • Primary Concerns • The act of data collection: Legal versus Illegal • Improper access (Authentication) • Unauthorized use (Authorization) May 2014 8 Image courtesy of: City Caucus Image courtesy of:ngshire
  • Implications and Consequences May 2014 9 Image courtesy of
  • How Big Consumer Data is •In 1996 E-commerce revenue in 1996: US$600M •In 2015 E-commerce revenue expected to hit US$995B •Big Bang of Social Networks: 1 billion Facebook, 800 million Google+, 400 million Twitter, and 250 million LinkedIn users. May 2014 10
  • In Regards to Expectations • Individuals would expect reasonable measures on: • Technical • Physical • Administrative • Privacy (and Information Security) professionals in organizations handle compliance with privacy promises • No such thing as Perfect Privacy, just acceptable levels of risk May 2014 11
  • Wide Range of Information • Healthcare records • Criminal justice investigations • Financial institutions and transactions • Residence and geographic records • Invisible traces of our presence • Data trails • Credit Card Databases • Phone Company Databases • Customer Databases May 2014 12
  • Web Data Collection • Personal/profile • Other types of info • Device information • Cookies • Log information • User communications • Location • Software • Application • Behavior May 2014 13 Image courtesy of NBCNews
  • Government • Edward Snowden, Hero or Traitor (?) Company • Data and information collection • Revenue lost and recovery costs • Security awareness • Protect users’ data and information (from hacking, cracking and phreaking activities) • Safeguard the service-remote storage service “Cloud” • Image/Credibility • Legal charge/fine Costs for Information Privacy May 2014 14 Image courtesy of Wikipedia
  • Consumer • Time to learn (learning curve) • Credibility/Reputation • Opportunity/revenue loss • Recovery costs Costs of Information Privacy (cont’d) May 2014 15 Image courtesy of
  • Challenges in the Future • What is “private” information by now? • Make information more accessible • Evolve systems to prevent breaches May 2014 16 Image courtesy of
  • Moving Forward to Information Security May 2014 17 Image courtesy of
  • ISACA Says… Information shall be protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability). Explicitly, it says to us on what to do: • Confidentiality: preserving authorized restrictions on access and disclosure to protect privacy and proprietary information • Integrity: guarding against improper modification or destruction, and ensuring information non-repudiation and authenticity • Availability: making sure timely and reliable access and use of information May 2014 18
  • Information Security Principles According to Information Systems Security Certification Consortium A. Support the business • Focus on the business functions and processes • Deliver quality and value to stakeholders • Comply to law and regulation requirements • Provide timely and accurate information • Evaluate existing and future information threats • Improve information security continuously May 2014 19
  • Information Security Principles (cont’d) B. Secure the organization • Adopt a risk-based approach • Protect classified information • Focus on critical business processes • Develop systems securely C. Promote information security • Attain responsible behavior • Act in professional and ethical manner • Foster information security positive culture May 2014 20
  • Information Security Standards International wide named ‘ISO/IEC 27001’ Best practice recommendations for initiating, developing, implementing, and maintaining Information Security Management Systems (ISMS) with: • Risk Assessment • Security Policy • Asset Management • Physical/Environmental Security • Access Control • And many others May 2014 21
  • Constraints and Challenges May 2014 22
  • Business Priorities as Interpreted by IT May 2014 23 Courtesy of DataCenterJournal
  • What Takes Priority with IT Teams? May 2014 24 Courtesy of DataCenterJournal
  • How to Overcome? May 2014 25 Image courtesy of
  • How it Applies Country to Country “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.” —Universal Declaration of Human Rights, Article 12 May 2014 26
  • Laws by Countries • The U.S. • HIPAA • Electronic Communications Privacy Act • PATROIT Act • The Children’s Online Privacy Protection Act • European Union (EU) • Data Protection Directive • European Data Protection Regulation May 2014 27
  • For Indonesia? We Have UU #14 Year of 2008 Keterbukaan Informasi Publik (Disclosure of Public Information) “Setiap Badan Publik berkewajiban membuka akses bagi setiap pemohon informasi publik untuk memperoleh informasi publik, kecuali beberapa informasi tertentu” • 8 years of development and 64 clauses that regulates: 1. Menjamin hak warga negara untuk mengetahui rencana pembuatan kebijakan publik, program kebijakan publik, dan proses pengambilan keputusan publik, serta alasan pengambilan suatu keputusan publik; 2. Mendorong partisipasi masyarakat dalam proses pengambilan kebijakan publik; 3. Meningkatkan peran aktif masyarakat dalam pengambilan kebijakan publik dan pengelolaan Badan Publik yang baik; May 2014 28
  • UU No. 14 Year of 2008 (cont’d) 4. Mewujudkan penyelenggaraan negara yang baik, yaitu yang transparan, efektif dan efisien, akuntabel serta dapat dipertanggungjawabkan; 5. Mengetahui alasan kebijakan publik yang memengaruhi hajat hidup orang banyak; 6. Mengembangkan ilmu pengetahuan dan mencerdaskan kehidupan bangsa; 7. Meningkatkan pengelolaan dan pelayanan informasi di lingkungan Badan Publik untuk menghasilkan layanan informasi yang berkualitas. May 2014 29
  • UU #14 Year of 2008 (cont’d) Definition of undisclosed information : 1. Informasi Publik yang apabila dibuka dan diberikan kepada Pemohon Informasi Publik dapat menghambat proses penegakan hukum; 2. Informasi Publik yang apabila dibuka dan diberikan kepada Pemohon Informasi Publik dapat mengganggu kepentingan perlindungan hak atas kekayaan intelektual dan perlindungan dari persaingan usaha tidak sehat; 3. Informasi Publik yang apabila dibuka dan diberikan kepada Pemohon Informasi Publik dapat membahayakan pertahanan dan keamanan negara; 4. Informasi Publik yang apabila dibuka dan diberikan kepada Pemohon Informasi Publik dapat mengungkapkan kekayaan alam Indonesia; May 2014 30
  • UU #14 Year of 2008 (cont’d) 5. Informasi Publik yang apabila dibuka dan diberikan dapat merugikan ketahanan ekonomi nasional; 6. Informasi Publik yang apabila dibuka dan diberikan dapat merugikan kepentingan hubungan luar negeri; 7. Informasi Publik yang apabila dibuka dapat mengungkapkan isi akta otentik yang bersifat pribadi dan kemauan terakhir ataupun wasiat seseorang; 8. Informasi Publik yang apabila dibuka dan diberikan dapat mengungkap rahasia pribadi; 9. Memorandum atau surat-surat antar Badan Publik atau intra Badan Publik, kecuali atas putusan Komisi Informasi atau pengadilan; 10. Informasi yang tidak boleh diungkapkan berdasarkan Undang-Undang. May 2014 31
  • State-Owned Companies Must Provide • Nama dan tempat kedudukan, maksud dan tujuan serta jenis kegiatan usaha, jangka waktu pendirian, dan permodalan, • Nama lengkap pemegang saham, anggota direksi, dan anggota Dewan Komisaris perseroan; • Laporan tahunan, laporan keuangan, neraca laporan laba rugi, dan laporan tanggung jawab sosial perusahaan yang telah diaudit; • Hasil penilaian oleh auditor eksternal, lembaga pemeringkat kredit dan lembaga pemeringkat lainnya; • Sistem dan alokasi dana remunerasi anggota komisaris/dewan pengawas dan direksi; • Mekanisme penetapan direksi dan komisaris/dewan pengawas; May 2014 32
  • State-Owned Companies Must Provide (cont’d) • Kasus hukum yang berdasarkan Undang-Undang terbuka sebagai Informasi Publik; • Pedoman pelaksanaan tata kelola perusahaan yang baik berdasarkan prinsip-prinsip transparansi, akuntabilitas, pertanggungjawaban, kemandirian, dan kewajaran; • Pengumuman penerbitan efek yang bersifat utang; • Penggantian akuntan yang mengaudit perusahaan; • Perubahan tahun fiskal perusahaan; • Kegiatan penugasan pemerintah dan/atau kewajiban pelayanan umum atau subsidi; • Mekanisme pengadaan barang dan jasa; • Informasi lain yang ditentukan oleh Undang-Undang yang berkaitan dengan BUMN dan BUMD May 2014 33
  • By Utilizing Such Framework and or Standard Reduce complexity of activities and processes Deliver better understanding of information security Attain cost-effectiveness in managing privacy and security Enhance user satisfaction with the arrangements and outcomes Improve integration of information security May 2014 34
  • By Utilizing Such Framework and or Standard (cont’d) Inform risk decisions and risk awareness Enhance prevention, detection and recovery Reduce probability and impact of security incidents Leverage support for organization innovation and competitiveness May 2014 35
  • ISACAFramework on Information Security May 2014 36 ISMS: Information Security Management Systems R: Responsible; A: Accountable; C: Coordinate; I: Informed
  • Lessons Learned on IP and IS May 2014 37 Image courtesy of
  • Highlight these and Give Them A Boom! Having IS policies, procedures, and technologies in place to prevent and deal with Information Privacy issues is a MUST. Negligence in IS and maintaining PII can have damaging effects on the customer satisfaction and employee relationship. May 2014 38
  • For Individuals, Here is the Takeaways • One user, one device (PC, notebook, mobile) • One user, one account (email, social media, social network and others) • Password safety, complexity and routines • Do periodic back-up and put it off-site • If shared, be mindful to be at your own risk • Your information, your privacy • Your privacy, your security May 2014 39
  • May 2014 40 Image: