This document discusses key concepts related to information security management systems (ISMS), including:
1. The ISMS family of standards led by ISO/IEC 27001 which provides a framework for organizations to develop and implement systems to manage the security of information assets.
2. Fundamental principles of an ISMS including risk assessment, security controls, prevention and detection of incidents, and continual reassessment.
3. Key concepts of ISMS including information, information security, and management as they relate to protecting information assets and achieving business objectives.
Perbandingan standar Sistem Manejemen Keamanan Informasi dgn Sistem Manajemen Anti Penyuapan dgn Sistem Manajemen Mutu dgn Sistem Manajemen Organisasi Pendidikan, Jika sudah menerapkan salah satu Sistem Manajemen maka untuk menerapkan yang lain sedikit sekali usaha tambahannya. Perubahan Manajemen Risiko adalah yang paling awal. Semoga bermanfaat.
Information Security between Best Practices and ISO StandardsPECB
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr.Gohar has more than 10 years of experience in ISM/ITSM Training and Consultation. He is one of the expert reviewers of CISA RM 26th edition (2016), ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
Perbandingan standar Sistem Manejemen Keamanan Informasi dgn Sistem Manajemen Anti Penyuapan dgn Sistem Manajemen Mutu dgn Sistem Manajemen Organisasi Pendidikan, Jika sudah menerapkan salah satu Sistem Manajemen maka untuk menerapkan yang lain sedikit sekali usaha tambahannya. Perubahan Manajemen Risiko adalah yang paling awal. Semoga bermanfaat.
Information Security between Best Practices and ISO StandardsPECB
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr.Gohar has more than 10 years of experience in ISM/ITSM Training and Consultation. He is one of the expert reviewers of CISA RM 26th edition (2016), ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
In this article I will provide an Overview of A new Information Security Management System
Standard ISO/IEC 27001:2013 , The new standard just Published from a few Days Earlier .
ISO/IEC 27001:2013 Provides requirements for Establishing, Implementing, Maintaining
and Continually Improving an Information Security Management System.
ISO/IEC 27001:2013 gives Organization a Perfect Information Security management framework for implementing
and maintaining security.
In this Article, I tried to shed some light on new standard and its Mandatory Requirements, Optional Requirements ,
Structure , Benefits , Certification Process and Estimated time for Implementation and Certification.
The security of information systems and business-critical information needs constant managing to ensure your operational continuity and data protection. ISO 27001 Information Security Management Systems certification allows you to stand out from the competition through strong information security measurement.
ISO 27001 Information Security Management Systems Trends and DevelopmentsCertification Europe
Michael Brophy's ISO 27001 Information Security Management Systems Trends and Developments presentation. The presentation was delivered at our Information Security Breakfast Seminar (Nov 2011)
Iso iec 27001 foundation training course by interpromMart Rovers
What is involved with the ISO/IEC 27001 Foundation certification training course? Learn about the course curriculum, target audience, duration, formats, exam, fees and much more.
ISO 27001, the international standard for information security management
‘’ "ISO 27001" (or ISO/IEC 27001:2013, "Information Security Management Systems") is a standard that provides a good practical framework for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. The key purpose of the ISMS is to bring information risk and security under management control.’’
In this article I will provide an Overview of A new Information Security Management System
Standard ISO/IEC 27001:2013 , The new standard just Published from a few Days Earlier .
ISO/IEC 27001:2013 Provides requirements for Establishing, Implementing, Maintaining
and Continually Improving an Information Security Management System.
ISO/IEC 27001:2013 gives Organization a Perfect Information Security management framework for implementing
and maintaining security.
In this Article, I tried to shed some light on new standard and its Mandatory Requirements, Optional Requirements ,
Structure , Benefits , Certification Process and Estimated time for Implementation and Certification.
The security of information systems and business-critical information needs constant managing to ensure your operational continuity and data protection. ISO 27001 Information Security Management Systems certification allows you to stand out from the competition through strong information security measurement.
ISO 27001 Information Security Management Systems Trends and DevelopmentsCertification Europe
Michael Brophy's ISO 27001 Information Security Management Systems Trends and Developments presentation. The presentation was delivered at our Information Security Breakfast Seminar (Nov 2011)
Iso iec 27001 foundation training course by interpromMart Rovers
What is involved with the ISO/IEC 27001 Foundation certification training course? Learn about the course curriculum, target audience, duration, formats, exam, fees and much more.
ISO 27001, the international standard for information security management
‘’ "ISO 27001" (or ISO/IEC 27001:2013, "Information Security Management Systems") is a standard that provides a good practical framework for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. The key purpose of the ISMS is to bring information risk and security under management control.’’
Module 6: Standards for Information Security Management
Information Security Management Systems (ISMS) - ISO 27001 - Framing Security Policy of
Organization- Committees- Security Forum, Core Committee, Custodian and Users, Business
Continuity Process Team & Procedure- Information Security Auditing Process. IT Security Incidents
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?PECB
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
Because of the ongoing increase in consumer data collection, breaches have also been increasing.
In this regards the information security, data privacy, and cybersecurity standards provide some guidelines and requirements on how to better manage and deal with such breaches.
Amongst others, the webinar covers:
• ISO 27032:2012 – A Framework for Cybersecurity Risks
• ISO/IEC 27000-series, Standards, 27001 vs 27002
• ISO 27002:2022 and 27001:2022 Updates
Presenters:
Danny Manimbo
Danny Manimbo is a Principal with Schellman, based in Denver, Colorado. As a member of Schellman’s West Coast/Mountain region management team, Danny is primarily responsible for co-leading Schellman's ISO practice and the development and oversight of Schellman's SOC practice line, as well as specialty practices such as HIPAA. Danny has been with Schellman for nine years and has over 11 years of experience in providing data security audit and compliance services.
Erik Tomasi
Erik Tomasi is the Managing Partner at EMTsec, a security consulting firm based in Miami and New York. He leads the firm’s consulting division and manages client relationships across several industry sectors. Mr. Tomasi is considered an expert in information security, risk management, and technology management.
Sawyer Miller
Sawyer is a Senior Manager who oversees the ISO practice for risk3sixty, an Atlanta-based Security, Privacy, and Compliance firm helping clients implement business-first information security and compliance programs.
Date: June 22, 2022
Tags: ISO, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27032, Data protection, Data Privacy, Cybersecurity, Information Security
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/isoiec-270022022--information-security-cybersecurity-and-privacy-protection
https://pecb.com/whitepaper/no-iso-27001-certified-companies-among-largest-data-breaches-2014-2015
https://pecb.com/whitepaper/isoiec-270022013-information-technology---security-techniques-code-of-practice-for-information-security-controls
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/fE3DqISAfQY
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
This webinar gives an idea of what is the relation of ISO 27032 with ISO 55001, and how these two standards cover one another. Get more information on Cybersecurity as the importance is given more to the security industry nowadays.
Main points covered:
• Protection assets in Cyberspace
• Covering ISO 27032 in ISO 55001 and ISO 55001 in ISO 27032
• Sample of Cybersecurity Risks in Assets
• Highlights of the Implementation of the Cyber Security program Framework
Presenter:
This webinar was presented by PECB Partner and Trainer Mr. Claude Essomba, who is a Managing Director at GETSEC SARL, and has more than 9 years of experience in IT and Information Security.
Link of the recorded session published on YouTube: https://youtu.be/_280jG77iKY
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...PECB
As we approach the new year, the importance of a robust cybersecurity strategy cannot be overstated. Learning on the effective measures to be taken and tools needed to navigate the evolving cybersecurity landscape successfully is essential.
Amongst others, the webinar covers:
• ISO/IEC 27001 and ISO/IEC 27035 and their key components
• Key Components of a Resilient Cybersecurity Strategy
• Best practices for building a resilient cybersecurity strategy in 2024
Presenters:
Rinske Geerlings
Rinske is an internationally known consultant, speaker and certified Business Continuity, Information Security & Risk Management trainer.
She was awarded Alumnus of the Year 2012 of Delft University, Australian Business Woman of the Year 2010-13 by BPW, Risk Consultant of the Year 2017 (RMIA/Australasia) and Outstanding Security Consultant 2019 Finalist (OSPAs)
Rinske has consulted to the Department of Prime Minister & Cabinet, 15 Central Banks, APEC, BBC, Shell, Fuji Xerox, NIB Health Funds, ASIC, Departments of Defense, Immigration, Health, Industry, Education, Foreign Affairs and 100s of other public and private organizations across 5 continents.
She has been changing the way organizations ‘plan for the unexpected’. Her facilitation skills enable organizations to achieve their own results and simplify their processes. She applies a fresh, energetic, fun, practical, easy-to-apply, innovative approach to BCM, Security, and Risk.
Her 'alter ego' includes being a lead singer in SophieG Music and contributing to the global charity playing for Change, which provides music education to children in disadvantaged regions.
Loris Mansiamina
A Senior GRC Professional consultant for Small, Medium and large companies. Over 10 years, Loris has been assisting clients in both public and private sectors about various matters relating to Gouvernance, Risk Management and Compliance (GRC), Digital transformation, cyber security program management, ISO 27k & ISO 20k implementation, COBIT & ITIL implementation, etc.
Date: December 19, 2023
Tags: ISO, ISO/IEC 27001, ISO/IEC 27035, Cybersecurity, Information Security
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
ISO/IEC 27035 Information Security Incident Management - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/yT8gxRZD_4c
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE360 BSI
This 4 day training program combines advanced technology and relevant practical experience to develop your IT security policies & create a robust IT infrastructure.
Participants will develop key skills and core competencies that will allow them to meet the ever-changing security demands of the 21st century.
Course Participants will:
- Master the tools & techniques for effective information & network security.
- Discover how to create a complete & sustainable IT security architecture.
- Gain knowledge on how to develop sound security policy together with your security architecture.
- Learn how to perform an IT governance assessment using CoBIT 5.0
- Learn how to perform smart security risk assessment within your organization.
- Gain valuable insights on implementing a proactive & robust security management system.
- Learn how to detect & prevent information security breaches due to inadequate IT security awareness within the organization.
Contact kris@360bsi.com to register.
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...360 BSI
This 4 day intensive training workshop addresses the latest concerns on IT infrastructure and cybersecurity. This course covers effective strategies, techniques, systems, policies, and procedures to establish stronger cybersecurity and cybercrime controls, reduce operational risk, and improve online working whilst covering international best practices, ISO standards, compliance, audit, and industry regulations.
Course Participants will:
- Develop strategies and ways of working to improve detection of cyber security treats and improve information compliance
- Understand the security-related international information compliance and regulations, including industry specific standards
- Expand the expertise of personnel involved in developing skills and knowledge in the latest techniques, processes, and systems on cyber security, which will enable teams to become more effective
- Align cybersecurity, cybercrime and information compliance within the organization with related initiatives, including HR training and legal departments
- Help managers gain more confidence in cyber security awareness and understand information compliance in their industries
- Improve the overall process for secure working and reducing risk when dealing with different kinds of information such as confidential and sensitive data
Contact kris@360bsi.com to register.
Enrol now in our upcoming Virtual classroom ISO27001:2013 Lead Auditor course 24 to 28 August 2020.
Only a few seats remaining. contact desmond.muchetu@bureauveritas.com
Pengembangan Kebijakan dan
Strategi Pengamanan Data
Digital dalam Perguruan Tinggi
Sarwono Sutikno
Webinar Keamanan Data Digital, SPI IT
Seri ISO 27001 SMKI
(Sistem Manajemen Keamanan Informasi)
Sarwono Sutikno
Webinar Keamanan Data Digital, SPI ITB
Rabu, 3 Agustus 2022
v2
Seri ISO 27001 Sistem Manajemen Keamanan Informasi
A. Sumber terbuka https://www.iso27001security.com/
B. ISO/IEC 27000:2018 Information technology — Security techniques
— Information security management systems — Overview and
vocabulary
C. ISO/IEC FDIS 27001 Information security, cybersecurity and privacy
protection — Information security management systems —
Requirements
D. ISO/IEC 27002:2022 Information security, cybersecurity and privacy
protection — Information security controls
Rangkuman
• Indeks KAMI (KeAManan Informasi) adalah ukuran untuk mencapai
batas dasar ISO 27001 Persyaratan SMKI;
• Seri ISO 27001 SMKI yang utama:
• ISO 27000 Gambaran umum dan kosakata
• ISO 27001 Persyaratan
• ISO 27002 Kendali Keamanan Informasi
• Wajib dijalankan:
• Plan: Klausul 4 Konteks organisasi s/d Klausul 7 Dukungan ISO 27001
• Do: Klausul 8 Operasi ISO 27001
• Check: Klausul 9 Evaluasi Kinerja ISO 27001
• Act: Klausul 10 Peningkatan ISO 27001
Tata Kelola Informasi & Teknologi (I&T),
dan Aset Informasi
Webinar
Peran Teknologi Informasi dan Audit Internal dalam Akselerasi Inovasi di
Perguruan Tinggi
Sarwono Sutikno, Dr.Eng,CISA,CISSP,CISM,CSX-F
INSITUT TEKNOLOGI BANDUNG
Senin, 29 Juni 2020
• Become familiar with the internal audit profession and The Institute of
Internal Auditors (IIA).
• Understand the mandatory IPPF guidance:
• The Mission of Internal Audit,
• the Core Principles for the Professional Practice of Internal Auditing,
• the Definition of Internal Auditing,
• the Code of Ethics, and
• the International Standards for the Professional Practice of Internal
Auditing (Standards).
• Understand the strongly recommended IPPF guidance:
• Implementation Guidance and Supplemental Guidance.
• Understand the attributes of a well-executed risk management model
(process)
• COSO Internal Control Framework
• Describe internal auditors’ compliance and fraud-related responsibilities
related to protecting the organization from regulatory violations.
• Be familiar with selected computer-assisted audit techniques, including
generalized audit software.
• Understand the planning, fieldwork, and reporting processes of an audit
• Learn the elements of a finding and the proper presentation in an audit
report
• Understand quality assurance, how it operates, and why it is important to
the internal audit function.
Pemahaman Keamanan Informasi terkait Internal Control, konteks pencapaian tujuan organisasi. Jangan sampai karena tidak boleh diketahui oleh suatu unit maka unit lain tidak boleh akses, sehingga ketersediaan untuk Penambangan Data untuk mendapatkan insight terhambat. Aset Informasi tidak dapat dimanfaatkan untuk pencapaian tujuan
Segala bentuk pemberian kepada pegawai negeri atau penyelenggara negara dinamakan gratifikasi. Sejak disahkannya Undang-Undang Nomor 20 Tahun 2001 tentang Perubahan atas Undang-Undang Nomor 31 Tahun 1999 tentang Pemberantasan Tindak Pidana Korupsi, mereka berkewajiban untuk menolak setiap penerimaan gratifikasi yang berhubungan dengan jabatan dan berlawanan dengan tugas atau kewajiban penerima. Apabila karena kondisi tertentu tidak bisa menolak, maka melaporkan penerimaan tersebut kepada KPK merupakan upaya kedua untuk membebaskan dari ancaman hukuman.
§ Rancang bangun portable hacking station menggunakan Raspberry pi telah
berhasil dilakukan sehingga menghasilkan sebuah alat yang dapat dipergunakan untuk melakukan kegiatan etical hacking yang efektif dan efisien.
§ Pengujian dilakukan dengan melakukan simulasi hacking menggunakan portable hacking station sehingga dapat diverifikasi kesesuaiannya dengan kebutuhan spesifikasi yang telah ditetapkan. Alat ini berhasil melakukan wireless security testing, yaitu dengan mendapatkan password Wifi dengan skema MITM pada AP yang tidak terproteksi terhadap serangan deauthentication attack.
§ Tinjauan keamanan dari portable hacking station dibuat berdasarkan standar
ISO/IEC 15408 Common Criteria for IT Security Evaluation part 1 – 3 versi 3.1:2017, dan ISO/IEC TR 15446 Guide for the production of Protection Profiles and Security Targets dalam bentuk dokumen Security Target.
▷ Apa yang perlu diatur agar tata kelola dan manajemen Keamanan SPBE dapat mendukung pencapaian tujuan SPBE?
▷ Bagaimana cara menghitung efektivitas pengaturan untuk Sistem Tata Kelola
Keamanan SPBE?
▷ Kecukupan pengaturan tata kelola dan manajemen yang diperlukan untuk Keamanan SPBE.
▷ Ketersediaan sistem manajemen kinerja Keamanan SPBE untuk mengukur keefektifan pengaturan.
Indeks Presepsi Korupsi Indonesia 20 thn Reformasi - TII. Semoga IPK Indonesia tetap naik dengan usaha kita bersama rakyat termasuk mahasiswa dan STM serta semua pemuda-pemudi harapan bangsa. BERANI JUJUR HEBAT
Pemilihan Umum 2019 tinggal hitungan hari. sebelum nyoblos, yuk baca dulu laporan utama di majalah Integrito yang bertajuk "Menuju Catatatan Sejarah".
Silahkan unduh versi PDF di link ini :
https://www.kpk.go.id/id/publikasi/kajian-dan-penelitian/majalah-integrito/832-menuju-catatan-sejarah
Jangan lupa untuk pilih yang jujur :)
salam antikorupsi!
The Art Pastor's Guide to Sabbath | Steve ThomasonSteve Thomason
What is the purpose of the Sabbath Law in the Torah. It is interesting to compare how the context of the law shifts from Exodus to Deuteronomy. Who gets to rest, and why?
We all have good and bad thoughts from time to time and situation to situation. We are bombarded daily with spiraling thoughts(both negative and positive) creating all-consuming feel , making us difficult to manage with associated suffering. Good thoughts are like our Mob Signal (Positive thought) amidst noise(negative thought) in the atmosphere. Negative thoughts like noise outweigh positive thoughts. These thoughts often create unwanted confusion, trouble, stress and frustration in our mind as well as chaos in our physical world. Negative thoughts are also known as “distorted thinking”.
How to Split Bills in the Odoo 17 POS ModuleCeline George
Bills have a main role in point of sale procedure. It will help to track sales, handling payments and giving receipts to customers. Bill splitting also has an important role in POS. For example, If some friends come together for dinner and if they want to divide the bill then it is possible by POS bill splitting. This slide will show how to split bills in odoo 17 POS.
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
The Indian economy is classified into different sectors to simplify the analysis and understanding of economic activities. For Class 10, it's essential to grasp the sectors of the Indian economy, understand their characteristics, and recognize their importance. This guide will provide detailed notes on the Sectors of the Indian Economy Class 10, using specific long-tail keywords to enhance comprehension.
For more information, visit-www.vavaclasses.com
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
How to Create Map Views in the Odoo 17 ERPCeline George
The map views are useful for providing a geographical representation of data. They allow users to visualize and analyze the data in a more intuitive manner.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
2. 2
Current: Penasihat KPK 2017-2021
Past:
• Anggota Pembina Yayasan Pendidikan Internal Audit
• Cybersecurity Nexus Liaison, ISACA Indonesia Chapter
• ISACA Academic Advocate at ITB
• SME for Information Security Standard for ISO at ISACA HQ
• Associate Professor at School of Electrical Engineering and Informatics, Institut Teknologi Bandung
• Ketua WG Layanan dan Tata Kelola TI, anggota WG Keamanan Informasi serta Anggota Panitia Teknis 35-01 Program
Nasional Penetapan Standar bidang Teknologi Informasi, BSN – Kominfo.
• Lead Asesor Lembaga Sertifikasi SMKI KAN-BSN
• Ketua Kelompok Kerja Evaluasi TIK Nasional, Dewan TIK Nasional (2007-2008)
• Plt Direktur Operasi Sistem PPATK (Indonesia Financial Transaction Reports and Analysis Center, INTRAC), April 2009 –
May 2011
Professional Certification:
• Professional Engineering (PE), the Principles and Practice of Electrical Engineering, College of Engineering, the University
of Texas at Austin. 2000
• IRCA Information Security Management System Lead Auditor Course, 2004
• ISACA Certified Information System Auditor (CISA). CISA Number: 0540859, 2005
• Brainbench Computer Forensic, 2006
• (ISC)2 Certified Information Systems Security Professional (CISSP), No: 118113, 2007
• ISACA Certified Information Security Manager (CISM). CISM Number: 0707414, 2007
Award:
• (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) 2011 award in category Senior Information
Security Professional. http://isc2.org/ISLA
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
3. KESEPAKATANDISKUSI
• Mohon maaf jika gaya/kebiasaan saya di ITB muncul dalam diskusi ini
• Niatnya agar Indonesia lebih berdaulat
• Boleh buka laptop dan akses internet
• Seluruh peserta harus bicara, bertanya, berpendapat, guyon sebagai pembuka
kreatifitas
• Sarwono Sutikno hanya fasilitator dan sedang belajar
• Semoga saya dan semua insan Indonesia menjadi orang merdeka !!!
• Semoga setiap insan Indonesia menjadi khalifah dalam arti tidak ada yang dapat
membatasi potensi seorang insan kecuali impian dirinya dan tuhannya.
Agar efektif berdiskusi
5. AGENDA
0. VUCA
1. Control, Control Objective, Risk
2. Sistem Manajemen Keamanan Informasi – ISO 27001
3. Sistem Manajemen Anti Penyuapan – ISO 37001
4. IA-CM (Internal Audit Capability Model)
6. AGENDA
0. VUCA
1. Control, Control Objective, Risk
2. Sistem Manajemen Keamanan Informasi – ISO 27001
3. Sistem Manajemen Anti Penyuapan – ISO 37001
4. IA-CM (Internal Audit Capability Model)
7.
8. AGENDA
0. VUCA
1. Control, Control Objective, Risk
2. Sistem Manajemen Keamanan Informasi – ISO 27001
3. Sistem Manajemen Anti Penyuapan – ISO 37001
4. IA-CM (Internal Audit Capability Model)
15. BATASANRISIKO
specific item being reviewed
2.67
review objective
statement describing what is to be achieved as a result of a review (2.65)
2.68
risk
effect of uncertainty on objectives
[SOURCE: ISO Guide 73:2009, 1.1, modified]
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (2.25), its consequence (2.14), or likelihood (2.45).
Note 3 to entry: Risk is often characterized by reference to potential events (2.25) and consequences (2.14), or a
combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences (2.14) of an event (2.25)
(including changes in circumstances) and the associated likelihood (2.45) of occurrence.
Note 5 to entry: In the context of information security (2.33) management systems (2.46), information security
(2.33) risks can be expressed as effect of uncertainty on information security (2.33) objectives (2.56).
Note 6 to entry: Information security (2.33) risk is associated with the potential that threats (2.83) will exploit
vulnerabilities (2.89) of an information asset or group of information assets and thereby cause harm to an
organization (2.57).
2.69
20. COBIT 5
SNI ISO 38500
Internal Control
Framework COSO
HUBUNGANANTAR KERANGKA
PP60/2008
Sistem Pengendalian Intern
Pemerintah
TataKelola
TataKelolaTI
ManajemenTI
Panduan Umum Tata Kelola TIK Nas
+
Kuesioner Evaluasi Pengendalian Intern TIK
SNI ISO 27001SNI ISO 20000
SNI ISO 15408
21.
22. AGENDA
0. VUCA
1. Control, Control Objective, Risk
2. Sistem Manajemen Keamanan Informasi – ISO 27001
3. Sistem Manajemen Anti Penyuapan – ISO 37001
4. IA-CM (Internal Audit Capability Model)
23. 0.1OVERVIEW
Through the use of the ISMS family of standards,
organizations can develop and implement a framework
for managing the security of their information assets
including financial information, intellectual property, and
employee details, or information entrusted to them by
customers or third parties.
24. 0.2ISMSFAMILYOFSTANDARDS
• ISO/IEC 27000, Information security management systems — Overview and vocabulary
• ISO/IEC 27001, Information security management systems — Requirements
• ISO/IEC 27002, Code of practice for information security controls
• ISO/IEC 27003, Information security management system implementation guidance
• ISO/IEC 27004, Information security management — Measurement
• ISO/IEC 27005, Information security risk management
• ISO/IEC 27006, Requirements for bodies providing audit and certification of information security
management systems
• ISO/IEC 27007, Guidelines for information security management systems auditing
25. • ISO/IEC TR 27008, Guidelines for auditors on information security controls
• ISO/IEC 27009, Sector-specific application of ISO/IEC 27001 — Requirements
• ISO/IEC 27010, Information security management for inter-sector and inter-organizational
communications
• ISO/IEC 27011, Information security management guidelines for telecommunications organizations
based on ISO/IEC 27002
• ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
• ISO/IEC 27014, Governance of information security
• ISO/IEC TR 27015, Information security management guidelines for financial services
• ISO/IEC TR 27016, Information security management — Organizational economics
• ISO/IEC 27017, Code of practice for information security controls based on ISO/IEC 27002 for cloud
services
• ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public
clouds acting as PII processors
• ISO/IEC 27019, Information security management guidelines based on ISO/IEC 27002 for process
control systems specific to the energy utility industry
26. General
Organizations of all types and sizes:
a) collect, process, store, and transmit information;
b) recognize that information, and related processes, systems,
networks and people are important assets for achieving
organization objectives;
c) face a range of risks that may affect the functioning of assets;
and
d) address their perceived risk exposure by implementing
information security controls.
27. 3.2.1FUNDAMENTALPRINCIPLESOFANISMS
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information networks and systems;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management;
i) continual reassessment of information security and making of modifications as
appropriate
28. 3.2.2INFORMATION
Information is an asset that, like other important business assets, is
essential to an organization’s business and consequently needs to
be suitably protected.
Information can be stored in many forms, including: digital form
(e.g. data files stored on electronic or optical media), material form
(e.g. on paper), as well as unrepresented information in the form
of knowledge of the employees.
Information may be transmitted by various means including:
courier, electronic or verbal communication. Whatever form
information takes, or the means by which the information is
transmitted, it always needs appropriate protection.
29. 3.2.3INFORMATIONSECURITY
Information security ensures the confidentiality,
availability and integrity of information.
Information security involves the application and
management of appropriate controls that involves
consideration of a wide range of threats, with the aim of
ensuring sustained business success and continuity, and
minimizing consequences of information security
incidents.
30. Information security is achieved through the implementation of an
applicable set of controls, selected through the chosen risk
management process and managed using an ISMS, including
policies, processes, procedures, organizational structures, software
and hardware to protect the identified information assets.
These controls need to be specified, implemented, monitored,
reviewed and improved where necessary, to ensure that the
specific information security and business objectives of the
organization are met.
Relevant information security controls are expected to be
seamlessly integrated with an organization’s business processes.
31. 3.2.4 Management
Management involves activities to direct, control, and continually improve the
organization within appropriate structures.
Management activities include the act, manner, or practice of organizing,
handling, directing, supervising, and controlling resources.
Management structures extend from one person in a small organization to
management hierarchies consisting of many individuals in large organizations.
In terms of an ISMS, management involves the supervision and making of
decisions necessary to achieve business objectives through the protection of the
organization’s information assets.
32. 3.2.5 Management system
A management system uses a framework of resources to achieve an organization’s
objectives.
The management system includes organizational structure, policies, planning activities,
responsibilities, practices, procedures, processes and resources.
In terms of information security, a management system allows an organization to:
a) satisfy the information security requirements of customers and other stakeholders;
b) improve an organization’s plans and activities;
c) meet the organization’s information security objectives;
d) comply with regulations, legislation and industry mandates; and
e) manage information assets in an organized way that facilitates continual improvement
and adjustment to current organizational goals.
33. 3.3 Process approach
Organizations need to identify and manage many activities in order
to function effectively and efficiently.
Any activity using resources needs to be managed to enable the
transformation of inputs into outputs using a set of interrelated or
interacting activities; this is also known as a process.
The output from one process can directly form the input to
another process and generally this transformation is carried out
under planned and controlled conditions.
The application of a system of processes within an organization,
together with the identification and interactions of these
processes, and their management, can be referred to as a “process
approach”.
34. 3.4 Why an ISMS is important
Risks associated with an organization’s information assets need to be addressed.
Achieving information security requires the management of risk, and encompasses
risks from physical, human and technology related threats associated with all forms
of information within or used by the organization.
The adoption of an ISMS is expected to be a strategic decision for an organization
and it is necessary that this decision is seamlessly integrated, scaled and updated in
accordance with the needs of the organization.
35. BENEFITSOFSUCCESSFULISMS
a) achieve greater assurance that its information assets are
adequately protected against threats on a continual basis;
b) maintain a structured and comprehensive framework for
identifying and assessing information security risks, selecting
and applying applicable controls, and measuring and improving
their effectiveness;
c) continually improve its control environment; and
d) effectively achieve legal and regulatory compliance.
36. 3.5 Establishing, monitoring, maintaining and improving an ISMS
Overview
a) identify information assets and their associated information security
requirements (see 3.5.2);
b) assess information security risks (see 3.5.3) and treat information security risks
(see 3.5.4);
c) select and implement relevant controls to manage unacceptable risks (see 3.5.5);
d) monitor, maintain and improve the effectiveness of controls associated with the
organization’s information assets (see 3.5.6).
37. KEAMANAN INFORMASI VERSIISACA
Information security is a business enabler that is strictly bound to
stakeholder trust, either by addressing business risk or by creating value
for an enterprise, such as competitive advantage.
At a time when the significance of information and related technologies is
increasing in every aspect of business and public life, the need to mitigate
information risk, which includes protecting information and related IT
assets from ever-changing threats, is constantly intensifying.
ISACA defines information security as something that:
Ensures that information is readily available (availability), when
required, and protected against disclosure to unauthorised users
(confidentiality) and improper modification (integrity).
38. Presentation: KamInfo.ID18
18
KEAMANAN INFORMASI
......... pemerintah negara Indonesia yang melindungi segenap
bangsa Indonesia dan seluruh tumpah darah Indonesia dan untuk
memajukan kesejahteraan umum,
mencerdaskan kehidupan bangsa, dan ikut
melaksanakan ketertiban dunia yang berdasarkan kemerdekaan,
perdamaian abadi dan keadilan sosial........
Pemanfaatan INFORMASI sebagai darah nadi
kehidupan bangsa
dalam perspektif Pertumbuhan Ekonomi
untuk Kesejahteraan Rakyat
40. AGENDA
0. VUCA
1. Control, Control Objective, Risk
2. Sistem Manajemen Keamanan Informasi – ISO 27001
3. Sistem Manajemen Anti Penyuapan – ISO 37001
4. IA-CM (Internal Audit Capability Model)
42. AGENDA
0. VUCA
1. Control, Control Objective, Risk
2. Sistem Manajemen Keamanan Informasi – ISO 27001
3. Sistem Manajemen Anti Penyuapan – ISO 37001
4. IA-CM (Internal Audit Capability Model)