The document discusses Tata Kelola Keamanan Informasi (Information Security Governance) at PT Telekomunikasi Indonesia, Tbk. It outlines the background and history of TELKOM's information security governance. It discusses key elements like organization, process, people, and technology. It also discusses TELKOM's compliance with frameworks like COSO, COBIT, ITIL, and standards like ISO 27001. It provides details on how TELKOM has implemented information security management practices across the organization through certification, training, and processes to govern security of systems, assets, and people.

1. Tata Kelola Keamanan Informasi
Alip Priyono
VP IT Strategy & Governance
PT Telekomunikasi Indonesia,
Tbk.
Bandung, 10 Oktober 2012

2. Background & History
TELKOM Information Security Governance
Compliance and Conformance
Discussion

3. Business Model for Information Security
Sumber : Adapted by ISACA 2010 from The University of Southern
California, Marshall School of Business, Institute for Critical
Information Infrastructure Protection, USA.
• Elements of the Security program : Organization, Process, People, and Technology.
• Dynamic interconnections : Culture, Governing, Architecture, Emergence, Enabling &
Support, Human Factors.

4. Information Security Issue
Management Challenge or Technical Issues?
Information Security must
80% is Management
80% is Management be seen as a management
InfoSec Policy
InfoSec Policy and business challenge, not
InfoSec Responsibility
InfoSec Responsibility simply as technical issue to
InfoSec Awareness/Training
InfoSec Awareness/Training
be handed over experts. To
keep your business secure,
Business Continuity Planning
Business Continuity Planning
you must understand both
the problems and the
solutions.
20% is Technical Issue
20% is Technical Issue
Systems, Tools, Architectures, etc
Systems, Tools, Architectures, etc
Sumber : Kick-off ISMS IP Connectivity, CIO TELKOM.

5. Background & History
TELKOM Information Security Governance
Compliance and Conformance
Discussion

6. TELKOM IT Governance
COSO COBIT
IT Governance FrameWork ISO 17799/27002 ITIL
source
KD.40/2006 KD.57/2006

7. Information Security Management Adoption
Continuous Improvement
ISMS has been adopted in
the corporate security.
KD.57/2006
• Some area have been certified by ISO 27001:2005 :
– IP Connectivity by TUV Rheinland
– Data Center TELKOM Sigma by SGS
– TELKOMSEL by SGS
– Payment Gateway Services (also with PCI-DSS) by TUV Rheinland
– Charging Flexi Trendy by BVQI
– DELIMA (in progress)

8. How to Govern the People
People
People
Communication Training
•• Periodic Awareness Security Survey
Periodic Awareness Security Survey •• Training on Security Policy Implementation
Training on Security Policy Implementation
•• Security Policy (KD.57/2006) Socialization
Security Policy (KD.57/2006) Socialization •• Training on ISO 27001:2005 Implementor
Training on ISO 27001:2005 Implementor
•• Security Campaign
Security Campaign •• Training on ISO 27001:2005 Internal Audit
Training on ISO 27001:2005 Internal Audit
•• Management Intents
Management Intents •• IRCA Lead Auditor ISO 27001:2005 Certification
IRCA Lead Auditor ISO 27001:2005 Certification
•• Management Review
Management Review •• Executive Training on ISO 27001:2005
Executive Training on ISO 27001:2005
ISMS Award
ISMS Award
2012
2012
“Semula beban menjadi spirit prestasi yg bisa dikompetisikan”.

9. Process on Security Governance
Process
Process
Development, Acquisition Operation, Maintenance
Requirement Periodic Access
Periodic Access
Requirement
Review
Review
Advisory Board
Advisory Board • •Policy &
Policy &
Backup & Restore
Backup & Restore
(System/Busines
(System/Busines • •Procedures
Procedures
• •Management
Management
ssAnalyst)
Analyst) Intents
Intents
DRP
DRP • •Bispro
Bispro
Secure SDLC
Secure SDLC
Configuration
Configuration
Review
Review
UAT, D2P
UAT, D2P
Segregation of
Segregation of
Duties
Duties

10. Technology
Technology
Technology
Acquisition
Requirements &
Requirements &
Specs define to
Specs define to
support the latest
support the latest
security technology
security technology
as long as needed by
as long as needed by
the business.
the business.
Controlling update
Controlling update
and patch
and patch
Periodic review &
Periodic review &
vulnerability test
vulnerability test

11. Background & History
TELKOM Information Security Governance
Compliance and Conformance
Discussion

12. SE Menkominfo
SURAT EDARAN
MENTERI KOMUNIKASI DAN INFORMATIKA
No.05/SE/M.KOMINFO/2011
PENERAPAN TATA KELOLA KEAMANAN INFORMASI
BAGI PENYELENGGARA PELAYANAN PUBLIK
• TELKOM has adapt IT Security
Governance in the Policy (since 2006),
• Implementation ISMS & ITGC has been
audited periodically by external,
• Critical (core) areas have been ISO
27001:2005 certified.

13. Periodic Security Assessment
1. Awareness Campaign
2. Internal Control Survey