2. Current:
• Cybersecurity Nexus Liaison, ISACA Indonesia Chapter
• ISACA Academic Advocate at ITB
• SME for Information Security Standard for ISO at ISACA HQ
• Associate Professor at School of Electrical Engineering and Informatics, Institut Teknologi Bandung
• Chair of the IT Services and Governance WG, member of the Information Security WG, and member of Technical Committee 35-01, National Programme for Standards Development in Information Technology, BSN – Kominfo.
Past:
• Chair of the National ICT Evaluation Working Group, National ICT Council (2007-2008)
• Acting Director of Systems Operations, PPATK (Indonesia Financial Transaction Reports and Analysis Center, INTRAC), April 2009 – May 2011
Professional Certification:
• Professional Engineering (PE), the Principles and Practice of Electrical Engineering, College of Engineering, the University of Texas at Austin, 2000
• IRCA Information Security Management System Lead Auditor Course, 2004
• ISACA Certified Information System Auditor (CISA). CISA Number: 0540859, 2005
• Brainbench Computer Forensic, 2006
• (ISC)2 Certified Information Systems Security Professional (CISSP), No: 118113, 2007
• ISACA Certified Information Security Manager (CISM). CISM Number: 0707414, 2007
Award:
• (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) 2011 award in category Senior Information Security Professional. http://isc2.org/ISLA
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM
5. Presentation: KamInfo.ID
INFORMATION SECURITY, ISACA VERSION
Information security is a business enabler that is strictly bound to stakeholder trust, either by addressing business risk or by creating value for an enterprise, such as competitive advantage.
At a time when the significance of information and related technologies is increasing in every aspect of business and public life, the need to mitigate information risk, which includes protecting information and related IT assets from ever-changing threats, is constantly intensifying.
ISACA defines information security as something that:
Ensures that information is readily available (availability) when required, and protected against disclosure to unauthorised users (confidentiality) and improper modification (integrity).
6.
INFORMATION SECURITY
......... the government of the state of Indonesia, which protects all the people of Indonesia and the entire homeland of Indonesia, and in order to advance the general welfare, educate the life of the nation, and take part in establishing a world order based on freedom, lasting peace and social justice........
Utilisation of INFORMATION as the lifeblood of the nation
from the perspective of Economic Growth
for the Welfare of the People
7.
NATIONAL SECURITY
......... the government of the state of Indonesia, which protects all the people of Indonesia and the entire homeland of Indonesia, and in order to advance the general welfare, educate the life of the nation, and take part in establishing a world order based on freedom, lasting peace and social justice........
Utilisation of INFORMATION as the lifeblood of the nation
from the perspective of Economic Growth
for the Welfare of the People
10. Frameworks and Standards – overview
Figure: frameworks and standards arranged by layer, from board level through management to technical: SNI ISO 38500, COSO, PP60/2008, COBIT, ITIL v2, ITIL v3, SNI ISO 20000, SNI ISO 2700x, SNI ISO 900x, Common Criteria (SNI ISO 15408), SNI ISO 27013.
11. ISO/IEC JTC 1/SC 40 - IT Service Management and IT Governance
ISO/IEC 20000-1:2011
SNI ISO/IEC 20000-1:2013 Information technology - Service management - Part 1: Service management system requirements (IEEE Std 20000-1-2013)
ISO/IEC 20000-2:2012
SNI ISO/IEC 20000-2:2013 Information technology - Service management - Part 2: Guidance on the application of service management systems (IEEE Std 20000-2-2013)
ISO/IEC TR 20000-3:2012
SNI ISO/IEC TR 20000-3:2013 Information technology - Service management - Part 3: Guidance on scope definition and applicability of SNI ISO/IEC 20000-1
ISO/IEC TR 20000-4:2010
SNI ISO/IEC TR 20000-4:2013 Information technology - Service management - Part 4: Process reference model
ISO/IEC TR 20000-5:2010 – replaced by ISO/IEC TR 20000-5:2013
SNI ISO/IEC TR 20000-5:2013 Information technology - Service management - Part 5: Exemplar implementation plan for SNI ISO/IEC 20000-1
ISO/IEC TR 20000-9:2015 Information technology -- Service management -- Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services
ISO/IEC TR 20000-10:2013 Information technology -- Service management -- Part 10: Concepts and terminology
ISO/IEC 30121:2015 Information technology -- Governance of digital forensic risk framework
ISO/IEC 38500:2015 Information technology -- Governance of IT for the organization
ISO/IEC TS 38501:2015 Information technology -- Governance of IT -- Implementation guide
ISO/IEC TR 38502:2014 Information technology -- Governance of IT -- Framework and model
12.
Figure: ISO/IEC 20000-1 service management system (SMS) overview. Customers (and other interested parties) supply service requirements to the SMS, which delivers services back to customers (and other interested parties).
4. Service Management System (SMS): 4.1 Management responsibility; 4.2 Governance of processes operated by other parties; 4.3 Documentation management; 4.4 Resource management; 4.5 Establish the SMS
5. Design and transition of new or changed services
6. Service delivery processes: 6.1 Service level management; 6.2 Service reporting; 6.3 Service continuity & availability management; 6.4 Budgeting & accounting for services; 6.5 Capacity management; 6.6 Information security management
7. Relationship processes: 7.1 Business relationship management; 7.2 Supplier management
8. Resolution processes: 8.1 Incident and service request management; 8.2 Problem management
9. Control processes: 9.1 Configuration management; 9.2 Change management; 9.3 Release and deployment management
13. Proposed replacement for the SNI ISO 15504 series: Information technology -- Process assessment
ISO/IEC 33001:2015 Information technology -- Process assessment -- Concepts and terminology (stage 60.60, ICS 35.080)
ISO/IEC 33002:2015 Information technology -- Process assessment -- Requirements for performing process assessment (stage 60.60, ICS 35.080)
ISO/IEC 33003:2015 Information technology -- Process assessment -- Requirements for process measurement frameworks (stage 60.60, ICS 35.080)
ISO/IEC 33004:2015 Information technology -- Process assessment -- Requirements for process reference, process assessment and maturity models (stage 60.60, ICS 35.080)
ISO/IEC TR 33014:2013 Information technology -- Process assessment -- Guide for process improvement (stage 60.60, ICS 35.080)
ISO/IEC NP 33016 Information technology -- Process assessment -- Process assessment body of knowledge (stage 10.99)
ISO/IEC 33020:2015 Information technology -- Process assessment -- Process measurement framework for assessment of process capability (stage 60.60, ICS 35.080)
ISO/IEC CD 33050-4 Information technology -- Process assessment -- Part 4: A process reference model for information security management (stage 30.20, ICS 35.080)
ISO/IEC FDIS 33063 Information technology -- Process assessment -- Process assessment model for software testing (stage 50.00, ICS 35.080)
ISO/IEC CD 33070-4 Information technology -- Process assessment -- Part 4: A process assessment model for information security management
15.
Process assessment / Action plan
• Assessment of the audited processes and an action plan to reach level .
• Extend the assessment through the whole organisation, so that the same reference model can be compared with the same objectives and with continuity of processes.
Figure: maturity ladder, Lvl 1: Chaos, Lvl 2: Reactive, Lvl 3: Proactive, Lvl 4: Service, Lvl 5: Value, with the following process initiatives placed along it: Incident Management, Change Management, Problem Management, Service Level Management, Service Desk, Problem Management Implementation, Knowledge Improvement, Communications Process, RFC Process, OLAs Implementation, Catalogues of Services Improvement.
16. Trying to Run Before Walking
Figure: IT operations maturity model, five levels.
Level 1, Chaotic: ad hoc; undocumented; unpredictable; multiple help desks; minimal IT operations; user call notification.
Level 2, Reactive: fight fires; inventory; desktop SW distribution; initiate problem mgt process; alert and event mgt; measure component availability (up/down).
Level 3, Proactive: analyze trends; set thresholds; predict problems; measure application availability; automate; mature problem, configuration, change, asset and performance mgt processes.
Level 4, Service: IT as a service provider; define services, classes, pricing; understand costs; guarantee SLAs; measure & report service availability; integrate processes; capacity mgt.
Level 5, Value: IT as strategic business partner; IT and business metric linkage; IT/business collaboration improves business process; real-time infrastructure; business planning.
Transitions between levels: Tool Leverage; Operational Process Engineering; Service Delivery Process Engineering; Service and Account Management; Manage IT as a Business.
17. Proposed SNI ISO 27k series: Information technology – Security techniques (1/2)
ISO/IEC 27000:2014 Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements (stage 60.60, ICS 35.040)
ISO/IEC 27001:2013/Cor 1:2014 (stage 60.60, ICS 35.040)
ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls (stage 60.60, ICS 35.040)
ISO/IEC 27002:2013/Cor 1:2014 (stage 60.60, ICS 35.040)
ISO/IEC 27003:2010 Information technology -- Security techniques -- Information security management system implementation guidance (stage 90.92, ICS 35.040)
ISO/IEC 27004:2009 Information technology -- Security techniques -- Information security management -- Measurement (stage 90.92, ICS 35.040)
ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management (stage 90.92, ICS 35.040)
ISO/IEC 27006:2011 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27007:2011 Information technology -- Security techniques -- Guidelines for information security management systems auditing (stage 90.92, ICS 35.040)
ISO/IEC TR 27008:2011 Information technology -- Security techniques -- Guidelines for auditors on information security controls (stage 90.92, ICS 35.040)
ISO/IEC 27010:2012 Information technology -- Security techniques -- Information security management for inter-sector and inter-organizational communications (stage 90.92, ICS 35.040)
ISO/IEC 27011:2008 Information technology -- Security techniques -- Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC 27013:2012 Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security (stage 60.60, ICS 35.040)
ISO/IEC TR 27015:2012 Information technology -- Security techniques -- Information security management guidelines for financial services (stage 60.60, ICS 03.060, 35.040)
ISO/IEC TR 27016:2014 Information technology -- Security techniques -- Information security management -- Organizational economics (stage 60.60, ICS 35.040)
18. Proposed SNI ISO 27k series: Information technology – Security techniques (2/2)
ISO/IEC 27018:2014 Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (stage 60.60, ICS 35.040)
ISO/IEC TR 27019:2013 Information technology -- Security techniques -- Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry (stage 90.92, ICS 35.040, 35.240.99)
ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity (stage 60.60, ICS 35.040)
ISO/IEC 27032:2012 Information technology -- Security techniques -- Guidelines for cybersecurity (stage 60.60, ICS 35.040)
ISO/IEC 27033-1:2009 Information technology -- Security techniques -- Network security -- Part 1: Overview and concepts (stage 90.92, ICS 35.040)
ISO/IEC 27033-2:2012 Information technology -- Security techniques -- Network security -- Part 2: Guidelines for the design and implementation of network security (stage 60.60, ICS 35.040)
ISO/IEC 27033-3:2010 Information technology -- Security techniques -- Network security -- Part 3: Reference networking scenarios -- Threats, design techniques and control issues (stage 90.93, ICS 35.040)
ISO/IEC 27033-4:2014 Information technology -- Security techniques -- Network security -- Part 4: Securing communications between networks using security gateways (stage 60.60, ICS 35.040)
ISO/IEC 27033-5:2013 Information technology -- Security techniques -- Network security -- Part 5: Securing communications across networks using Virtual Private Networks (VPNs) (stage 60.60, ICS 35.040)
ISO/IEC 27034-1:2011 Information technology -- Security techniques -- Application security -- Part 1: Overview and concepts (stage 60.60, ICS 35.040)
ISO/IEC 27034-1:2011/Cor 1:2014 (stage 60.60, ICS 35.040)
ISO/IEC 27035:2011 Information technology -- Security techniques -- Information security incident management
ISO/IEC 27036-1:2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 1: Overview and concepts (stage 60.60, ICS 35.040)
ISO/IEC 27036-2:2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 2: Requirements (stage 60.60, ICS 35.040)
ISO/IEC 27036-3:2013 Information technology -- Security techniques -- Information security for supplier relationships -- Part 3: Guidelines for information and communication technology supply chain security
ISO/IEC 27037:2012 Information technology -- Security techniques -- Guidelines for identification, collection, acquisition and preservation of digital evidence (stage 60.60, ICS 35.040)
ISO/IEC 27038:2014 Information technology -- Security techniques -- Specification for digital redaction
ISO/IEC 27039:2015 Information technology -- Security techniques -- Selection, deployment and operations of intrusion detection systems (IDPS) (stage 60.60, ICS 35.040)
ISO/IEC 27040:2015 Information technology -- Security techniques -- Storage security (stage 60.60, ICS 35.040)
ISO/IEC 27043:2015 Information technology -- Security techniques -- Incident investigation principles and processes (stage 60.60, ICS 35.040)
21. Proposals from ISO/TC 184/SC 4 - Industrial data
1. ISO/TS 8000-1:2011, Data quality — Part 1: Overview
2. ISO 8000-2:2012, Data quality — Part 2: Vocabulary
3. ISO/TS 8000-100:2009, Data quality — Part 100: Master data: Exchange of characteristic data: Overview
4. ISO 8000-102:2009, Data quality — Part 102: Master data: Exchange of characteristic data: Vocabulary
5. ISO 8000-110:2009, Data quality — Part 110: Master data: Exchange of characteristic data: Syntax, semantic encoding, and conformance to data specification
6. ISO/TS 8000-120:2009, Data quality — Part 120: Master data: Exchange of characteristic data: Provenance
7. ISO/TS 8000-130:2009, Data quality — Part 130: Master data: Exchange of characteristic data: Accuracy
8. ISO/TS 8000-140:2009, Data quality — Part 140: Master data: Exchange of characteristic data: Completeness
9. ISO/TS 8000-150:2011, Data quality — Part 150: Master data: Quality management framework
22. ISO 8000 Data Quality series
Figure: ISO 8000 ontology. Parts are arranged by data-quality dimension (Requirements, Syntax, Semantics, Pragmatics, Measurement methods, Management methods) and by document type (Introduction, Vocabulary/Ontology, General concepts & definitions, Specialized concepts & definitions, Management framework, Usage guides). Parts shown:
Part 1: Scope, justification and principles
Part 2: Vocabulary
Part 3: Taxonomy: ISO 8000 parts & other standards relationships
Part 8: Information and data quality measuring
Part 9: Information and data quality relationship with other standards
Part 10: Data quality: syntax, semantic encoding, and conformance to data specification
Part 20: Data quality: provenance
Part 30: Data quality: accuracy
Part 40: Data quality: completeness
Part 50: Data quality management framework
Part 60: Information & data quality process assessment
Part 100: Master data: Exchange of characteristic data: Overview
Part 110: Master data: Exchange of characteristic data: Overview
Part 120: Master data: Exchange of characteristic data: Provenance
Part 130: Master data: Exchange of characteristic data: Accuracy
Part 140: Master data: Exchange of characteristic data: Completeness
Part 150: Master data quality management framework
Part 311: Guidance for the application of PDQ-S