SlideShare a Scribd company logo

Personal Data Protection in Indonesia

Eryk Budi Pratama
Eryk Budi Pratama

Personal Data Protection from regulation and technical perspectives. Presented at Universitas Negeri Makassar Webinar

Law
1 of 26
11 PERSONAL DATA PROTECTION Eryk B. Pratama, S.Kom, M.M, M.Kom Data Privacy & Cyber Security Consultant at Global Consulting Firm Komunitas Data Privacy & Protection Indonesia (t.me/dataprotectionid) https://medium.com/@proferyk & https://slideshare.net/proferyk Universitas Negeri Makassar Regulation and Technical Aspects
Agenda 01 Setting-up the Context 02 Regulation Aspects 03 Technical Aspects 04 Cyber Hygiene Implementation
A perspective on data breaches - Indonesia Setting-up the Context https://www.cnnindonesia.com/teknologi/20200506065657-185-500477/13-juta-data-bocor- bukalapak-dijual-di-forum-hacker https://tekno.kompas.com/read/2020/05/10/21120067/hacker-klaim-punya-data-12- juta-pengguna-bhinnekacom?page=all https://www.thejakartapost.com/news/2020/05/04/tokopedia-data-breach-exposes- vulnerability-of-personal-data.html https://www.thejakartapost.com/news/2019/09/19/lion-air-leak-puts-data- protection-in-spotlight.html Key Information Security Controls ▪ System configuration ▪ Access management ▪ Third party risk ▪ Human risks (Carelessness)
A perspective on misuse of data - Indonesia Setting-up the Context https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi- bocor-denny-siregar-bakal-gugat-telkomsel https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi-bocor- denny-siregar-bakal-gugat-telkomsel
Case Study – Personal Data Breach via Vulnerable Web Application
Data Privacy vs Data Protection Ethics & Regulation Information Security Control
Bring it in one page Setting-up the Context Regulation Technical Aspects EU General Data Protection Regulation (GDPR) US California Consumer Protection Act (CCPA) RUU Perlindungan Data Pribadi (RUU PDP) Pre-Breach Identity & Access Management Data Loss/Leakage Prevention Privilege Access Management Cyber Hygiene During & Post Breach Incident Management Crisis Management PP 71 2019 - PSTE Peraturan Kominfo No 20 2016 - Data Pribadi pada PSE
Regulation Aspects
RUU Perlindungan Data Pribadi Regulation Aspects Key Highlight ▪ Explicit Consent is required from the data owner for personal data processing. ▪ Responding timelines for Data subject rights have been separately called out in the RUU PDP. ▪ Data controller to notify the data owner and the Minister within 3 days of data breach. ▪ Penalties for non-compliance may range from Rp 20 Billion to Rp 70 Billion or Imprisonment ranging from 2 to 7 years Data Owner Data Controller Data Processor Data Protection Officer
Data Owner – Pemilik Data Pribadi Regulation Aspects Hak Pemilik Data Pribadi Pasal Deskripsi Pasal 4 meminta Informasi tentang kejelasan identitas, dasar kepentingan hukum, tujuan permintaan dan penggunaan Data Pribadi, dan akuntabilitas pihak yang meminta Data Pribadi. Pasal 5 melengkapi Data Pribadi miliknya sebelum diproses oleh Pengendali Data Pribadi. Pasal 6 mengakses Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan. Pasal 7 memperbarui dan/atau memperbaiki kesalahan dan/atau ketidakakuratan Data Pribadi miliknya sesuai dengan ketentuan perundang-undangan. Pasal 8 mengakhiri pemrosesan, menghapus, dan/atau memusnahkan Data Pribadi miliknya. Pasal 9 menarik kembali persetujuan pemrosesan Data Pribadi miliknya yang telah diberikan kepada Pengendali Data Pribadi Pasal 10 mengajukan keberatan atas tindakan pengambilan keputusan yang hanya didasarkan pada pemrosesan secara otomatis terkait profil seseorang (profiling). Pasal 11 memilih atau tidak memilih pemrosesan Data Pribadi melalui mekanisme pseudonim untuk tujuan tertentu Pasal 12 menunda atau membatasi pemrosesan Data Pribadi secara proporsional sesuai dengan tujuan pemrosesan Data Pribadi Pasal 13 menuntut dan menerima ganti rugi atas pelanggaran Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan.
Data Controller – Pengendali Data Pribadi Regulation Aspects Kewajiban Data Controller Pasal Deskripsi Pasal 24 ▪ wajib menyampaikan Informasi mengenai legalitas dari pemrosesan , tujuan pemrosesan , jenis dan relevansi pemrosesan, periode retensi dokumen, rincian informasi yang dikumpulkan, dan jangka waktu pemrosesan data ▪ menunjukkan bukti persetujuan yang telah diberikan oleh Pemilik Data Pribadi Pasal 25 wajib menghentikan pemrosesan Data Pribadi dalam hal Pemilik Data Pribadi menarik kembali persetujuan pemrosesan Data Pribadi Pasal 27 wajib melindungi dan memastikan keamanan Data Pribadi yang diprosesnya dengan melakukan: ▪ penyusunan dan penerapan langkah teknis operasional untuk melindungi Data Pribadi ▪ penentuan tingkat keamanan Data Pribadi dengan memperhatikan sifat dan risiko dari Data Pribadi yang harus dilindungi dalam pemrosesan Data Pribadi Pasal 28 wajib melakukan pengawasan terhadap setiap pihak yang terlibat dalam pemrosesan Data Pribadi Pasal 29 wajib memastikan pelindungan Data Pribadi dari pemrosesan Data Pribadi yang tidak sah Pasal 36 wajib melakukan pemrosesan Data Pribadi sesuai dengan tujuan pemrosesan Data Pribadi yang disetujui oleh Pemilik Data Pribadi. (Explisit / Implicit Consent) Pasal 38 Pasal 39 Penghapusan dan pemusnahan data pribadi
Data Masking Regulation Aspects Encryption Tokenization Anonymization Pseudonymization Source: https://teskalabs.com/blog/data-privacy-pseudonymization-anonymization-encryption Pseudonymized Anonymized
Data Masking - Tokenization Regulation Aspects Source: https://blog.thalesesecurity.com/2015/02/05/token-gesture-vormetric-unveils-new-tokenization-solution/ No sensitive data is stored in the production database
Technical Aspects
Information Security Complexity – Reference Architecture Technical Aspects Source: https://www.opensecurityarchitecture.org/cms/library/patternlandscape
Information Security Complexity - Example Technical Aspects Source: https://gallery.technet.microsoft.com/Cybersecurity-Reference-883fb54c
From Simply Managing Identities to Managing Complex Relationships Technical Aspects – Identity & Access Management Identity Access Management Identity Relationship Management Source: Forrester Research
Simplifying the complexity Technical Aspects – Identity & Access Management Authoritative/Trusted Source Middleware / Identity Management Solution Target System HR Data IDM Solution Active Directory Email Server ERP Others Applications Provisioning Reconciliation Create,Update,Revoke
Access Management Basic Process Technical Aspects – Identity & Access Management Receive Request Verification Provide Rights Log and Track Access ▪ Change requests ▪ Services requests ▪ HR requests ▪ App / Script requests ▪ Valid user ? ▪ Valid request ? ▪ Request access ? ▪ Remove access ? ▪ Provide access ▪ Remove access ▪ Restrict access ▪ Check and monitor identity status ▪ Violations to Incident Management Process Business Rules, Policies, Procedures, Controls ISMS
Data Loss/Leakage Prevention Solution Technical Aspects – Data Loss Prevention A Data Loss Prevention (DLP) solution typically incorporates people, process, and technology to protect sensitive data traversing throughout an organization. Data within an organization is often categorized and protected by DLP in the following three different forms: Data in Motion Data at Rest Data in Use Data that is transmitted or moved, both through electronic or non-electronic means. Data that is actively traveling on a network, such as email or web traffic. Data that resides on a stable medium, including servers, network shares, databases, individual computers, and portable media. Data that has been obtained and are being processed or actively used. Typically, referring to data on end-user computing device or host systems. Structured Data Unstructured Data Semi-structured Data Data commonly stored in databases or applications Exists in filesystems or documents Examples of such data format types include email Data Type
Incident Management Definition Technical Aspects – Incident Management What is an IT incident? An IT incident is any disruption to an organization's IT services that affects anything from a single user or the entire business . In short, an incident is anything that interrupts business continuity. What is IT incident management? Incident management is the process of managing IT service disruptions and restoring services within agreed service level agreements (SLAs). The scope of incident management starts with an end user reporting an issue and ends with a service desk team member resolving that issue. Analyst Incident Responder Digital Forensic Incident Escalation Layer 1 (L1) Layer 2 (L2) Layer 3 (L3) Incident Classification MediumHigh Low Incident Prioritization Critical High Medium Low
Cyber Hygiene Implementation
Implement Cyber Hygiene as Foundational Action Key Takeaways What is Cyber Hygiene? Cyber hygiene refers to steps taken by users to maintain the health of their computers and devices and improve online security to prevent the theft or corruption of data. Cyber Hygiene Practices 1. Keep an inventory of the hardware and software on your network 2. Install reputable antivirus and malware software 3. Conduct cybersecurity education and awareness activities 4. Update and patch software regularly 5. Regularly back up your data and keep multiple copies 6. Limit the number of employees who have administrative privileges 7. Establish an incident response plan. 8. Establish network security and monitoring 9. Perform regular vulnerability assessment and secure configuration review 10.Implement some controls to protect and recover data if a breach occurs Keep update with regulation and cyber threat
Cyber Hygiene in Public Environment Key Takeaways Check Legitimate WIFI ID/SSID Be careful with piggyback/tailgating Don’t click malicious pop-up and URL Use VPN (if possible)
Staying Safe when Online Key Takeaways Use secured personal device Activate pop-up/Ad blocker Activate private / incognito mode Use VPN (if possible) Use strong/complex password Make Online Purchases From Secure Sites Be Careful on What You Access & Download
Thank You ☺ https://medium.com/@proferyk https://www.slideshare.net/proferyk IT Advisory & Risk (t.me/itadvindonesia) Data Privacy & Protection (t.me/dataprivid) Komunitas Data Privacy & Protection (t.me/dataprotectionid)

Recommended

Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Eryk Budi Pratama
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data Pribadi
Eryk Budi Pratama
 
Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationPrivacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program Implementation
Eryk Budi Pratama
 
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Eryk Budi Pratama
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program Management
Eryk Budi Pratama
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Eryk Budi Pratama
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEnabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Eryk Budi Pratama
 
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
PECB
 

Recommended

Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Eryk Budi Pratama
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data Pribadi
Eryk Budi Pratama
 
Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationPrivacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program Implementation
Eryk Budi Pratama
 
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Eryk Budi Pratama
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program Management
Eryk Budi Pratama
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Eryk Budi Pratama
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEnabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Eryk Budi Pratama
 
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
PECB
 
Data Loss Prevention from Symantec
Data Loss Prevention from SymantecData Loss Prevention from Symantec
Data Loss Prevention from Symantec
Arrow ECS UK
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
Ãsħâr Ãâlâm
 
Data classification-policy
Data classification-policyData classification-policy
Data classification-policy
Coi Xay
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
Eryk Budi Pratama
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
HasnolAhmad2
 
Data protection
Data protectionData protection
Data protection
Lewis Silkin
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
Julia Urbina-Pineda
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy
Amiit Keshav Naik
 
Top 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data ClassificationTop 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data Classification
Watchful Software
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
PECB
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Perlindungan Data Pribadi di Indonesia
Perlindungan Data Pribadi di IndonesiaPerlindungan Data Pribadi di Indonesia
Perlindungan Data Pribadi di Indonesia
Ismail Fahmi
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...
Hernan Huwyler, MBA CPA
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
scttmcvy
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of Privacy
ControlCase
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
Eryk Budi Pratama
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
Tushar Rajput
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
The Pathway Group
 
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
Mukesh Pant
 
Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docxDATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
SteveNgigi2
 

More Related Content

What's hot

Data Loss Prevention from Symantec
Data Loss Prevention from SymantecData Loss Prevention from Symantec
Data Loss Prevention from Symantec
Arrow ECS UK
 
Top 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data ClassificationTop 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data Classification
Watchful Software
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
PECB
 
Perlindungan Data Pribadi di Indonesia
Perlindungan Data Pribadi di IndonesiaPerlindungan Data Pribadi di Indonesia
Perlindungan Data Pribadi di Indonesia
Ismail Fahmi
 

What's hot (20)

Data Loss Prevention from Symantec
Data Loss Prevention from SymantecData Loss Prevention from Symantec
Data Loss Prevention from Symantec
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
Data classification-policy
Data classification-policyData classification-policy
Data classification-policy
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
 
Data protection
Data protectionData protection
Data protection
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy
 
Top 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data ClassificationTop 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data Classification
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
Perlindungan Data Pribadi di Indonesia
Perlindungan Data Pribadi di IndonesiaPerlindungan Data Pribadi di Indonesia
Perlindungan Data Pribadi di Indonesia
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of Privacy
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
 

Similar to Personal Data Protection in Indonesia

DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docxDATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
SteveNgigi2
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
Samuel Loomis
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
webhostingguy
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
webhostingguy
 
Database Security Management
Database Security Management Database Security Management
Database Security Management
Ahsin Yousaf
 

Similar to Personal Data Protection in Indonesia (20)

Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0
 
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docxDATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
 
IRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A Survey
 
A Cybersecurity Planning Guide for CFOs
A Cybersecurity Planning Guide for CFOsA Cybersecurity Planning Guide for CFOs
A Cybersecurity Planning Guide for CFOs
 
Asset Security
Asset Security Asset Security
Asset Security
 
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data TeamsEthyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI Webinar
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Data security
Data securityData security
Data security
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)
 
Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2
 
GDPR Benefits and a Technical Overview
GDPR Benefits and a Technical OverviewGDPR Benefits and a Technical Overview
GDPR Benefits and a Technical Overview
 
Database Security Management
Database Security Management Database Security Management
Database Security Management
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
 
Unit 5 v2
Unit 5 v2Unit 5 v2
Unit 5 v2
 
CCA study group
CCA study groupCCA study group
CCA study group
 
Security Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android AppsSecurity Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android Apps
 
Extending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsExtending Information Security to Non-Production Environments
Extending Information Security to Non-Production Environments
 

More from Eryk Budi Pratama

Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTIRingkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Eryk Budi Pratama
 

More from Eryk Budi Pratama (20)

Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTIRingkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
 
Cybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber SecurityCybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber Security
 
Modern IT Service Management Transformation - ITIL Indonesia
Modern IT Service Management Transformation - ITIL IndonesiaModern IT Service Management Transformation - ITIL Indonesia
Modern IT Service Management Transformation - ITIL Indonesia
 
Cyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykCyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - Eryk
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating Model
 
Blockchain for Accounting & Assurance
Blockchain for Accounting & AssuranceBlockchain for Accounting & Assurance
Blockchain for Accounting & Assurance
 
Guardians of Trust: Building Trust in Data & Analytics
Guardians of Trust: Building Trust in Data & AnalyticsGuardians of Trust: Building Trust in Data & Analytics
Guardians of Trust: Building Trust in Data & Analytics
 
Cybersecurity Skills in Industry 4.0
Cybersecurity Skills in Industry 4.0Cybersecurity Skills in Industry 4.0
Cybersecurity Skills in Industry 4.0
 
Identity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOpsIdentity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOps
 
Cybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas CompanyCybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas Company
 
Industry 4.0 : How to Build Relevant IT Skills
Industry 4.0 : How to Build Relevant IT SkillsIndustry 4.0 : How to Build Relevant IT Skills
Industry 4.0 : How to Build Relevant IT Skills
 
Web Application Hacking - The Art of Exploiting Vulnerable Web Application
Web Application Hacking - The Art of Exploiting Vulnerable Web ApplicationWeb Application Hacking - The Art of Exploiting Vulnerable Web Application
Web Application Hacking - The Art of Exploiting Vulnerable Web Application
 
Emerging Technology Risk Series - Internet of Things (IoT)
Emerging Technology Risk Series - Internet of Things (IoT)Emerging Technology Risk Series - Internet of Things (IoT)
Emerging Technology Risk Series - Internet of Things (IoT)
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
 
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5
 
IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?
 
IT Operating Model - Fundamental
IT Operating Model - FundamentalIT Operating Model - Fundamental
IT Operating Model - Fundamental
 
Software Development Methodology - Unified Process
Software Development Methodology - Unified ProcessSoftware Development Methodology - Unified Process
Software Development Methodology - Unified Process
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information Security
 
IT Governance - COBIT 5 Capability Assessment
IT Governance - COBIT 5 Capability AssessmentIT Governance - COBIT 5 Capability Assessment
IT Governance - COBIT 5 Capability Assessment
 

Recently uploaded

Article 12 of the Indian Constitution law
Article 12 of the Indian Constitution lawArticle 12 of the Indian Constitution law
Article 12 of the Indian Constitution law
yogita9398
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
CssSpamx
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
Airst S
 
一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理
e9733fc35af6
 
一比一原版(UCB毕业证书)英国伯明翰大学学院毕业证如何办理
一比一原版(UCB毕业证书)英国伯明翰大学学院毕业证如何办理一比一原版(UCB毕业证书)英国伯明翰大学学院毕业证如何办理
一比一原版(UCB毕业证书)英国伯明翰大学学院毕业证如何办理
e9733fc35af6
 
一比一原版(McMaster毕业证书)麦克马斯特大学毕业证学历认证可查认证
一比一原版(McMaster毕业证书)麦克马斯特大学毕业证学历认证可查认证一比一原版(McMaster毕业证书)麦克马斯特大学毕业证学历认证可查认证
一比一原版(McMaster毕业证书)麦克马斯特大学毕业证学历认证可查认证
trryfxkn
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
e9733fc35af6
 
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
Fir La
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
F La
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
Airst S
 
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
F La
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
Airst S
 

Recently uploaded (20)

Article 12 of the Indian Constitution law
Article 12 of the Indian Constitution lawArticle 12 of the Indian Constitution law
Article 12 of the Indian Constitution law
 
Common Legal Risks in Hiring and Firing Practices.pdf
Common Legal Risks in Hiring and Firing Practices.pdfCommon Legal Risks in Hiring and Firing Practices.pdf
Common Legal Risks in Hiring and Firing Practices.pdf
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
 
一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理
 
一比一原版(UCB毕业证书)英国伯明翰大学学院毕业证如何办理
一比一原版(UCB毕业证书)英国伯明翰大学学院毕业证如何办理一比一原版(UCB毕业证书)英国伯明翰大学学院毕业证如何办理
一比一原版(UCB毕业证书)英国伯明翰大学学院毕业证如何办理
 
Performance of contract-1 law presentation
Performance of contract-1 law presentationPerformance of contract-1 law presentation
Performance of contract-1 law presentation
 
5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 
Chambers Global Practice Guide - Canada M&A
Chambers Global Practice Guide - Canada M&AChambers Global Practice Guide - Canada M&A
Chambers Global Practice Guide - Canada M&A
 
一比一原版(McMaster毕业证书)麦克马斯特大学毕业证学历认证可查认证
一比一原版(McMaster毕业证书)麦克马斯特大学毕业证学历认证可查认证一比一原版(McMaster毕业证书)麦克马斯特大学毕业证学历认证可查认证
一比一原版(McMaster毕业证书)麦克马斯特大学毕业证学历认证可查认证
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
 
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
 
Mischief Rule of Interpretation of statutes
Mischief Rule of Interpretation of statutesMischief Rule of Interpretation of statutes
Mischief Rule of Interpretation of statutes
 
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
 
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
 
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy NovicesIt’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
 

Personal Data Protection in Indonesia

  • 1. 11 PERSONAL DATA PROTECTION Eryk B. Pratama, S.Kom, M.M, M.Kom Data Privacy & Cyber Security Consultant at Global Consulting Firm Komunitas Data Privacy & Protection Indonesia (t.me/dataprotectionid) https://medium.com/@proferyk & https://slideshare.net/proferyk Universitas Negeri Makassar Regulation and Technical Aspects
  • 2. Agenda 01 Setting-up the Context 02 Regulation Aspects 03 Technical Aspects 04 Cyber Hygiene Implementation
  • 3. A perspective on data breaches - Indonesia Setting-up the Context https://www.cnnindonesia.com/teknologi/20200506065657-185-500477/13-juta-data-bocor- bukalapak-dijual-di-forum-hacker https://tekno.kompas.com/read/2020/05/10/21120067/hacker-klaim-punya-data-12- juta-pengguna-bhinnekacom?page=all https://www.thejakartapost.com/news/2020/05/04/tokopedia-data-breach-exposes- vulnerability-of-personal-data.html https://www.thejakartapost.com/news/2019/09/19/lion-air-leak-puts-data- protection-in-spotlight.html Key Information Security Controls ▪ System configuration ▪ Access management ▪ Third party risk ▪ Human risks (Carelessness)
  • 4. A perspective on misuse of data - Indonesia Setting-up the Context https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi- bocor-denny-siregar-bakal-gugat-telkomsel https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi-bocor- denny-siregar-bakal-gugat-telkomsel
  • 5. Case Study – Personal Data Breach via Vulnerable Web Application
  • 6. Data Privacy vs Data Protection Ethics & Regulation Information Security Control
  • 7. Bring it in one page Setting-up the Context Regulation Technical Aspects EU General Data Protection Regulation (GDPR) US California Consumer Protection Act (CCPA) RUU Perlindungan Data Pribadi (RUU PDP) Pre-Breach Identity & Access Management Data Loss/Leakage Prevention Privilege Access Management Cyber Hygiene During & Post Breach Incident Management Crisis Management PP 71 2019 - PSTE Peraturan Kominfo No 20 2016 - Data Pribadi pada PSE
  • 9. RUU Perlindungan Data Pribadi Regulation Aspects Key Highlight ▪ Explicit Consent is required from the data owner for personal data processing. ▪ Responding timelines for Data subject rights have been separately called out in the RUU PDP. ▪ Data controller to notify the data owner and the Minister within 3 days of data breach. ▪ Penalties for non-compliance may range from Rp 20 Billion to Rp 70 Billion or Imprisonment ranging from 2 to 7 years Data Owner Data Controller Data Processor Data Protection Officer
  • 10. Data Owner – Pemilik Data Pribadi Regulation Aspects Hak Pemilik Data Pribadi Pasal Deskripsi Pasal 4 meminta Informasi tentang kejelasan identitas, dasar kepentingan hukum, tujuan permintaan dan penggunaan Data Pribadi, dan akuntabilitas pihak yang meminta Data Pribadi. Pasal 5 melengkapi Data Pribadi miliknya sebelum diproses oleh Pengendali Data Pribadi. Pasal 6 mengakses Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan. Pasal 7 memperbarui dan/atau memperbaiki kesalahan dan/atau ketidakakuratan Data Pribadi miliknya sesuai dengan ketentuan perundang-undangan. Pasal 8 mengakhiri pemrosesan, menghapus, dan/atau memusnahkan Data Pribadi miliknya. Pasal 9 menarik kembali persetujuan pemrosesan Data Pribadi miliknya yang telah diberikan kepada Pengendali Data Pribadi Pasal 10 mengajukan keberatan atas tindakan pengambilan keputusan yang hanya didasarkan pada pemrosesan secara otomatis terkait profil seseorang (profiling). Pasal 11 memilih atau tidak memilih pemrosesan Data Pribadi melalui mekanisme pseudonim untuk tujuan tertentu Pasal 12 menunda atau membatasi pemrosesan Data Pribadi secara proporsional sesuai dengan tujuan pemrosesan Data Pribadi Pasal 13 menuntut dan menerima ganti rugi atas pelanggaran Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan.
  • 11. Data Controller – Pengendali Data Pribadi Regulation Aspects Kewajiban Data Controller Pasal Deskripsi Pasal 24 ▪ wajib menyampaikan Informasi mengenai legalitas dari pemrosesan , tujuan pemrosesan , jenis dan relevansi pemrosesan, periode retensi dokumen, rincian informasi yang dikumpulkan, dan jangka waktu pemrosesan data ▪ menunjukkan bukti persetujuan yang telah diberikan oleh Pemilik Data Pribadi Pasal 25 wajib menghentikan pemrosesan Data Pribadi dalam hal Pemilik Data Pribadi menarik kembali persetujuan pemrosesan Data Pribadi Pasal 27 wajib melindungi dan memastikan keamanan Data Pribadi yang diprosesnya dengan melakukan: ▪ penyusunan dan penerapan langkah teknis operasional untuk melindungi Data Pribadi ▪ penentuan tingkat keamanan Data Pribadi dengan memperhatikan sifat dan risiko dari Data Pribadi yang harus dilindungi dalam pemrosesan Data Pribadi Pasal 28 wajib melakukan pengawasan terhadap setiap pihak yang terlibat dalam pemrosesan Data Pribadi Pasal 29 wajib memastikan pelindungan Data Pribadi dari pemrosesan Data Pribadi yang tidak sah Pasal 36 wajib melakukan pemrosesan Data Pribadi sesuai dengan tujuan pemrosesan Data Pribadi yang disetujui oleh Pemilik Data Pribadi. (Explisit / Implicit Consent) Pasal 38 Pasal 39 Penghapusan dan pemusnahan data pribadi
  • 12. Data Masking Regulation Aspects Encryption Tokenization Anonymization Pseudonymization Source: https://teskalabs.com/blog/data-privacy-pseudonymization-anonymization-encryption Pseudonymized Anonymized
  • 13. Data Masking - Tokenization Regulation Aspects Source: https://blog.thalesesecurity.com/2015/02/05/token-gesture-vormetric-unveils-new-tokenization-solution/ No sensitive data is stored in the production database
  • 15. Information Security Complexity – Reference Architecture Technical Aspects Source: https://www.opensecurityarchitecture.org/cms/library/patternlandscape
  • 16. Information Security Complexity - Example Technical Aspects Source: https://gallery.technet.microsoft.com/Cybersecurity-Reference-883fb54c
  • 17. From Simply Managing Identities to Managing Complex Relationships Technical Aspects – Identity & Access Management Identity Access Management Identity Relationship Management Source: Forrester Research
  • 18. Simplifying the complexity Technical Aspects – Identity & Access Management Authoritative/Trusted Source Middleware / Identity Management Solution Target System HR Data IDM Solution Active Directory Email Server ERP Others Applications Provisioning Reconciliation Create,Update,Revoke
  • 19. Access Management Basic Process Technical Aspects – Identity & Access Management Receive Request Verification Provide Rights Log and Track Access ▪ Change requests ▪ Services requests ▪ HR requests ▪ App / Script requests ▪ Valid user ? ▪ Valid request ? ▪ Request access ? ▪ Remove access ? ▪ Provide access ▪ Remove access ▪ Restrict access ▪ Check and monitor identity status ▪ Violations to Incident Management Process Business Rules, Policies, Procedures, Controls ISMS
  • 20. Data Loss/Leakage Prevention Solution Technical Aspects – Data Loss Prevention A Data Loss Prevention (DLP) solution typically incorporates people, process, and technology to protect sensitive data traversing throughout an organization. Data within an organization is often categorized and protected by DLP in the following three different forms: Data in Motion Data at Rest Data in Use Data that is transmitted or moved, both through electronic or non-electronic means. Data that is actively traveling on a network, such as email or web traffic. Data that resides on a stable medium, including servers, network shares, databases, individual computers, and portable media. Data that has been obtained and are being processed or actively used. Typically, referring to data on end-user computing device or host systems. Structured Data Unstructured Data Semi-structured Data Data commonly stored in databases or applications Exists in filesystems or documents Examples of such data format types include email Data Type
  • 21. Incident Management Definition Technical Aspects – Incident Management What is an IT incident? An IT incident is any disruption to an organization's IT services that affects anything from a single user or the entire business . In short, an incident is anything that interrupts business continuity. What is IT incident management? Incident management is the process of managing IT service disruptions and restoring services within agreed service level agreements (SLAs). The scope of incident management starts with an end user reporting an issue and ends with a service desk team member resolving that issue. Analyst Incident Responder Digital Forensic Incident Escalation Layer 1 (L1) Layer 2 (L2) Layer 3 (L3) Incident Classification MediumHigh Low Incident Prioritization Critical High Medium Low
  • 23. Implement Cyber Hygiene as Foundational Action Key Takeaways What is Cyber Hygiene? Cyber hygiene refers to steps taken by users to maintain the health of their computers and devices and improve online security to prevent the theft or corruption of data. Cyber Hygiene Practices 1. Keep an inventory of the hardware and software on your network 2. Install reputable antivirus and malware software 3. Conduct cybersecurity education and awareness activities 4. Update and patch software regularly 5. Regularly back up your data and keep multiple copies 6. Limit the number of employees who have administrative privileges 7. Establish an incident response plan. 8. Establish network security and monitoring 9. Perform regular vulnerability assessment and secure configuration review 10.Implement some controls to protect and recover data if a breach occurs Keep update with regulation and cyber threat
  • 24. Cyber Hygiene in Public Environment Key Takeaways Check Legitimate WIFI ID/SSID Be careful with piggyback/tailgating Don’t click malicious pop-up and URL Use VPN (if possible)
  • 25. Staying Safe when Online Key Takeaways Use secured personal device Activate pop-up/Ad blocker Activate private / incognito mode Use VPN (if possible) Use strong/complex password Make Online Purchases From Secure Sites Be Careful on What You Access & Download
  • 26. Thank You ☺ https://medium.com/@proferyk https://www.slideshare.net/proferyk IT Advisory & Risk (t.me/itadvindonesia) Data Privacy & Protection (t.me/dataprivid) Komunitas Data Privacy & Protection (t.me/dataprotectionid)