The document discusses cybersecurity risks and controls. It begins by defining cybersecurity and noting that 46% of the world's population is connected to the internet. It then discusses common threat vectors and the industries most targeted by espionage. The document emphasizes the importance of cybersecurity management and outlines standard guidance documents. It describes the key elements of effective cybersecurity as including policies, governance, personnel security, and controls related to assets, access, operations, networks, software and more. Finally, it discusses integrating security across an organization's infrastructure.

1. Resume: The Complete Guide
to Cybersecurity Risks and
Controls
Rd. R. Agung T.
EL5261 – Manajemen Resiko Keamanan Informasi
Anne Kohnke,Dan Shoemaker,Ken Sigler",The Complete Guide to Cybersecurity Risks and Controls,CRC Press Taylor and Prancis Group,2016

2. The increasing prevalence and severity of malicious cyberenabled
activities… Constitute an unusual and extraordinary threat to the
national security, foreign policy and economy of the United States.
I hereby declare a national emergency to deal with this threat.
Barack Obama, President of the United States, 2015
4/14/2018

3. What is Cybersecurity?
• The state of being protected
against the criminal or
unauthorized use of electronic
data, or the measures taken to
achieve this (Oxford English
Dictionary)
• 46% populasi dunia terhubung
ke jaringan internet [1]
THREAT VECTORS BY INDUSTRY
The vectors by which industries are compromised.
Source: Verizon 2015 Data Breach Investigations Report
[1] Cybersecurity: Threats, Challenges, and Opportunities by ACS
4/14/2018

4. TOP 10 Espionage Targeted
Industries
The most targeted industries in 2015.
Source: Verizon 2015 Data Breach Investigations Report
EASY HACKS, EASY BREACHES
Source: Verizon 2016 Data Breach
Investigations Report
4/14/2018

5. China 37.01
US 17.88
UK 10.21
India 7.43
Spain 6.03
Korea 4.53
Russian Federation 4.45
Germany 4.29
Australia 4.18
Taiwan 4
Top sources of mitigated DDoS attacks on Akamai’s network.
Source: Akamai State of the Internet Report, Q2 2015
4/14/2018

6. Why Cybersecurity Management is
Important?
• World Wide Web
sudah mulai popular
pada pertengahan
1990-an
• Sindrom “Six Blind
Men and an
Elephant”
4/14/2018

7. Cybersecurity Controls
• Accurately identify and authenticate all entities seeking access
to a system
• Authorize access to only those objects that the entity’s level of
trust permits
• Monitor and control activities during the time that the entity is
granted access
• Ensure against unauthorized access, or manipulation of data
• Ensure against unauthorized manipulation of system objects
4/14/2018

8. the Disiplines of Cybersecurity
• The confusion about what
constitutes the proper elements of
the field originates in the fact that
the profession of cybersecurity
could potentially comprise concepts
from a number of disciplines. Some
content from all of these disciplines
might reasonably fall within
legitimate boundaries. That
includes such diverse areas as
shown in Figure
4/14/2018

9. Standard Guidance
• International Organization for Standardization (ISO) 27000
Information Security Standard.
• The second is the National Institute for Standards and
Technology (NIST) and its Federal Information Processing
Standards (FIPS) 200 Framework, as implemented by NIST 800-
53
• The third and perhaps more influential are the Information
System Audit and Control Association (ISACA) and its Control
Objectives for IT (COBIT) Model
4/14/2018

10. Standard Guidance
• COBIT and ISO 27000 are primarily oriented toward
conventional business IT in their practical use. NIST 800-53
satisfies the requirements of the Federal Information Security
Management Act (FISMA), and is used in all healthcare
organizations to substantiate meaningful use with their
electronic health records systems.
4/14/2018

11. Control or Countermeasure
1. Policy
2. Governance
control
3. Personnel security
4. Physical and
environmental
security
5. Asset management
6. Access control
7. Security of
operations
8. Network security
9. Computer security
10.Software
development and
maintenance
security
11.Acquisition
12.Incident
management
13.Compliance
14.Continuity
15.Elements of
human factors
such as training
and education
4/14/2018

12. IT Governance
• Top-down effectively describes
the strategic approach and
purposes of information
governance
4/14/2018

13. Security and Control
• Every organization has a basic need to understand the status of
its own IT systems and to decide the level of security and control
they should provide. Neither aspect of this issue—understanding
or deciding on the required level of control—is straightforward.
Furthermore, it is hard to get an objective view of what should
be measured and how.
4/14/2018

14. Security and Control
4/14/2018

15. Important Resources
• Most important is the need for them to be measurable. They
need to focus on the resources most important to the process and
be driven by generic business needs including:
– Cost efciency
– Productivity
– Defects
– Cycle time
– Quality and innovation
– Computing performance
– Stakeholder satisfaction
– Staff competency
– Benchmark comparisons
4/14/2018

16. Control Framework Assumptions
• In order to effectively and
efficiently achieve those
outcomes—for example, the
desired information—the process
has to be rationally and optimally
managed. And to satisfy business
objectives, the information must
directly support the business need.
Thus, the following dozen generic
requirements tend to appear in
most frameworks
1. Security
requirements
2. Quality
requirements
3. Confidentiality
4. Integrity
5. Availability
6. Cost
7. Service delivery
8. Fiduciary
responsibility
9. Effectiveness and
efficiency of operations
10. Reliability of
information
11. Compliance with
laws and regulations
12. Definition of
concepts
4/14/2018

17. IT Security control frameworks
overview
4/14/2018

18. • Effective information security governance should result in six
outcomes to include (Information Systems Audit and Control
Association [ISACA], 2012) the following:
– Strategic alignment
– Risk management
– Business process management/value delivery
– Resource management
– Performance management
– Integration
4/14/2018

19. Information Security Governance
• The organization’s executive management team is then
responsible for ensuring the needed infrastructure, resources,
and organizational function are made available to carry out the
directives of the board and any governmental regulatory agency
that is required
• CISO or Chief Information Security Officer have responsibility
and authority over the full scope and breadth of information
security activity.
• CISO develops, oversees, and manages the information security
program and initiatives to include strategic, personnel,
infrastructure, policy enforcement, emergency planning, security
training and awareness.
4/14/2018

20. What is Control?
• Controls are a security mechanism, policy, or procedure that can
successfully counter attacks, reduce risk, resolve vulnerabilities,
and otherwise improve security within an organization. The
main focus of control formulation and development should be on
the security of hardware, telecommunications, and software.
Moreover, the level of control implementation chosen should
protect sensitive information in one of the following three states:
data at rest, data in transit, and data in process.
4/14/2018

21. Seven distinct outcomes of safeguarded
information
4/14/2018

22. Information Security Integrated
• Integrating information security into organizational
infrastructure requires a carefully coordinated set of activities to
ensure that fundamental requirements for information security
are addressed and risk to the organization from information
systems is managed efficiently and cost effectively.
4/14/2018

23. Kesimpulan
4/14/2018

24. Sumber:
4/14/2018

25. Terima Kasih…
4/14/2018