ID IGF 2016 - Infrastruktur 3 - Security Governance Framework
•
0 likes•334 views
Presented by Setiadi Yazid (UI) ID IGF 2016 Sesi Infrastruktur 3 - Kerangka Keamanan Siber Indonesia Jakarta, 15 November 2016
Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Viewers also liked
Viewers also liked (20)
Similar to ID IGF 2016 - Infrastruktur 3 - Security Governance Framework
Similar to ID IGF 2016 - Infrastruktur 3 - Security Governance Framework (20)
More from IGF Indonesia
More from IGF Indonesia (20)
Recently uploaded
Recently uploaded (16)
ID IGF 2016 - Infrastruktur 3 - Security Governance Framework
- 1. Security Governance Framework ensuring preparedness for the protection of CNI and implementing a strong cyber defense measures Setiadi Yazid – Universitas Indonesia
- 2. National Infrastructure (UK) Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in: major detrimental impact on the availability, integrity or delivery of essential services – including those services, whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or significant impact on national security, national defence, or the functioning of the state”.
- 3. US Executive Order (2013) • Critical infrastructure is defined in the EO as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Due to the increasing pressures from external and internal threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary regardless of an organization’s size, threat exposure, or cybersecurity sophistication today.
- 4. Objek Khusus • Obyek Vital, yaitu kawasan, tempat, bangunan dan usaha yg menyangkut harkat hidup orang banyak, kepentingan dan atau sumber pendapatan besar negara yg memiliki potensi kerawanan dan dapat menggoyahkan stabilitas ekonomi, politik dan keamanan bila terjadi gangguan keamanan • Objek Wisata, yaitu tempat-tempat dan atau kegiatan-kegiatan tertentu yang dikunjungi orang sehubungan dengan nilai-nilai sosial budaya atau kondisi alamnya. • Obyek Khusus Tertentu, seperti : Kantor bank/lembaga keuangan,Rumah sakit • Obyek Vital Nasional adalah kawasan/lokasi, bangunan/instalasi dan/atau usaha yg menyangkut hajat hidup orang banyak, kepentingan negara dan/atau sumber pendapatan negara yg bersifat strategis. Status obyek vital nasional harus ditetapkan berdasarkan keputusan menteri dan/atau kepala lembaga pemerintah non departemen. (Kepres Nomor 63 Tahun 2004 Pasal 3 )
- 5. BSA survey 2015 • Is there a national cybersecurity strategy in place? • Indonesia is in the early stages of developing a national cybersecurity strategy. • Is there a critical infrastructure protection (CIP) strategy or plan in place? • There is no critical infrastructure protection plan in place in Indonesia.
- 6. Infrastructure Inter dependencies Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. (NIST 2014)
- 7. What is Secure? Time to Breach Is GREATER than Time to Detect + Time to Respond
- 8. Critical Infrastructure Framework • Core Functions (concurrent and continuous): Identify, Protect, Detect, Respond, Recover • Implementation Tiers: from reactive, risk- informed, repeatable to adaptive (tier 4) • Framework Profile based on core functions categories to describe states of cyber security activities (Framework for Improving Critical Infrastructure Cyber Security, version 1.0, NIST 2014)
- 9. Core Functions • Identify: asset mgmt, business Environment, governance, Risk Assessment, Risk Mgmt • Protect: access control, awareness/training, data security, Information protection process & procedures, Maintenance, Protective technology • Detect: Anomalies and events, Security continous monitoring, detection process • Respond: response planning, communication, analysis, mitigation, improvements • Recover: recovery planning, improvements, communications (breakdowns comply to Cobit, NIST 800-53, ISO 27001)
- 10. PROTECT (breakdown example) • Technical: – Firewalls, Application White Listing, IDS, Access Control • Non Technical – Security Policies and Procedures • Standards – Access permissions are managed, incorporating the principles of least privilege and separation of duties according to NIST SP 800-53, ISO 27001:2013
- 11. Security Index (M, S) • Maturity level: reactive, adhoc, supported by management, optimized and supported by policies • Protection level: casual incidents, hacker, hacktivist/terrorist, sophisticated national attack
- 12. Indonesia Security instruments • ID-SIRTII • ID-CERT • Lemsaneg • Kominfo • Dephan • Kepolisian • Community/society: mastel, apjii, isp • Academia
- 13. Identify Protect Detect Respond Recover ID-SIRTII ID-CERT Lemsaneg Dephan Kepolisian End user Academia ISP Distribution of Tasks
- 14. Security Planning Steps • Set Goals and Objectives, “catastrophic levels”, “critical infrastructures”, “attack graph/scenarios” • Identify Critical Infrastructures and dependencies • Assess and Analyze Current Security level • Risk assessment • Define Target Security Level • Prioritize GAPS • ACTION PLAN (NIPP 2013/NIST 2014)
- 15. Conclusions • Protecting CNI is a HUGE task, everybody should be responsible. • Indonesia’s Security instruments should start working together toward a common goal • National security awareness should be increased • Regulation should be established ASAP • A small body e.g. BCN can be the coordinator