Presentation of the Software Security System at Telkom Sigma by Teddy Setiawan (Associate Director Finance Non Banking Solution, Telkom Indonesia)
delivered at the Public Discussion on Software Security Governance
Hotel Sahid Jaya Jakarta, 7 November 2013
The Spiral Model is a software development model that combines prototyping and waterfall, with an emphasis on risk analysis at every phase. The model is iterative, so changes can be completed systematically based on user needs to produce software quickly and accurately.
Mid-semester (UTS/PTS) exam questions for the even semester, Object-Oriented Programming (PBO), class XI RPL, 2021, by Saprudin Eskom
1. The document contains midterm exam questions for the Object-Oriented Programming subject for class XI, semester 4, at SMK Negeri 1 Pandeglang. The questions are 40 multiple-choice items.
This practicum aims to measure the force exerted by a magnetic field on a current-carrying wire and the electric field intensity in a coil. The equipment used includes an air-core solenoid, a DC voltage source, a balancing plate, and an ammeter. The steps are to set the balancing plate inside the solenoid, measure the force by adding thread, and calculate the theoretical and measured force at various currents.
The document discusses the Power House and Switch Yard of a hydroelectric power plant (PLTA). The Power House is the building that houses the generating machinery, while the Switch Yard is the area where transformers change the voltage before it is distributed. Both are essential components of the PLTA generation and distribution system.
Oracle BI Multi-user Development: MDS XML versus MUDE, by Stewart Bryson
Oracle Business Intelligence 11g provides the ability to develop a metadata repository as a collection of XML documents instead of a single binary RPD file. Included in this functionality is the ability to configure the OBIEE Admin Tool to interact with third-party Source Control Management (SCM) systems as a way of version-controlling the repository development process.
In this presentation, we will explore MDS XML functionality in the OBIEE Admin Tool, including how to generate the MDS XML files from an existing RPD file and configure the repository to work with Git as a sample SCM system. We will also explore how this new feature extends the capabilities of multi-user development for Oracle BI repositories, and how it compares to other pre-existing development options.
This document discusses the protection of PLN low-voltage networks and distribution substations. It explains the power supply system diagram, the types of protective equipment such as Lightning Arresters and FCOs together with their working principles, installation construction, and failures. It also includes worked examples of calculating protective-equipment ratings.
A distribution network is a line or network that connects a large source of electric power (a main substation) to electricity consumers, whether factories, industry, or households.
The distribution network consists of:
Medium-voltage network (primary)
Low-voltage network (secondary)
Explanation of distribution networks
Types of distribution networks
- Overhead distribution network
- Underground distribution network
- Submarine distribution network
Distribution network models
Contoh jaringan distribu
Software Project Management (Sessions 9-10): Risk Management, by Mutmainnah Muchtar
Software Project Management course, Department of Informatics Engineering, UHO Kendari (Sessions 9-10)
Topics:
What is risk?
What is project risk?
Software Project Risk Management
Qualitative and quantitative risk calculation
Analogy of a software project as the Titanic
The document discusses plastic electronics and how plastics can be made conductive. It begins by explaining how plastics were traditionally considered insulators but can become conductive through doping, which involves removing or adding electrons. This allows for conjugated double bonds that allow electron mobility. Common conductive plastics include polyacetylene and pentacene. Applications discussed include plastic LEDs, transistors, solar cells, and lasers. Plastic electronics offer advantages over silicon like lower costs, flexibility, and being easier to manufacture at ordinary temperatures and pressures. The summary highlights key applications and how doping makes plastics conductive.
Privacy Preserving Public Auditing for Data Storage Security in Cloud, by Girish Chandra
This document outlines the stages of a proposed privacy-preserving public auditing system for secure cloud storage. It introduces the need for such a system by describing challenges with cloud data integrity and existing solutions. The proposed system would allow a third party auditor to efficiently audit cloud data storage without accessing the actual data files, while preserving user data privacy. It would utilize public key cryptography and random masking techniques. The document claims this system would meet the goals of supporting privacy-preserving audits and handling multiple concurrent audit tasks through the use of techniques like bilinear aggregate signatures.
This document proposes a system to wirelessly charge electric vehicles using solar energy. The system would use solar panels to generate electricity, which would be stored in batteries and converted to AC power using an inverter. Coils placed in the vehicle and road would transmit the AC power wirelessly through electromagnetic induction to charge the vehicle battery as it drives. The objectives are to develop a renewable energy charging system and enable "charge as you drive" capability. Hardware components, a block diagram, voltage measurements between coils at different distances, and advantages/disadvantages are described.
This report describes a 6-week internship at PT. Boer Technology, covering cloud server management and support, cloud system training, and cloud application research and development. The main activities included service migration, hardware and software installation, and cloud system training for clients.
This document discusses a batteryless phone that is powered by harvesting ambient light and radio frequency (RF) waves using a photo diode. The phone's only function is calling. It operates by using the RF waves to convert the harvested energy to direct current power. Solar cells in the phone work by using a P-N junction diode made of silicon or germanium to generate open spaces for light to fall on the P layer and excite electrons from the valence to conduction band. Advantages include conserving electricity, saving time, and low power consumption with no charging issues. Limitations are limited range, reliance on solar cell or ambient light, and lack of additional features. Future areas of development could include increasing the range, adding encryption and
The summary of the document is:
1) The document discusses system design, including output design, input design, and the types and formats of reports that an information system can produce.
2) Output design focuses on producing quality information for decision-making, while input design covers data-collection formats such as paper and electronic forms.
3) Jenis lap
This document discusses floating power stations. It provides an introduction to floating power stations, noting their ability to supply electricity to districts or facilities temporarily needing power. It then covers the history, design considerations, workings, recent developments, advantages, and disadvantages of floating power stations. In conclusion, it states that floating power stations can have positive environmental impacts by absorbing and utilizing natural energy.
Business Process Modelling Notation - overview, by Faqih Zulfikar
1. Modelling business processes is very useful for organizations in designing business-process improvements. 2. BPMN is one of the best-known notation standards for modelling business processes. 3. The main BPMN notation elements include pools and lanes, activities, flows, events, gateways, and data.
An electrical transmission system is the system that carries electricity from the power plant to the main substation. Typically, the power plant and the substation are separated by a considerable distance.
This document describes a voice-controlled DC motor system using a microphone, computer, microcontroller, motor driver IC and DC motor. The system allows for real-time voice commands to control the direction of a DC motor. Speech is acquired using a microphone and processed using Dragon Pro software to generate commands. The commands are sent to a microcontroller via USART data transfer and MATLAB code executes the motor movement. This system provides hands-free hardware control and could help users with disabilities.
Attributes of the Kapsul class
- private double panjang
- private double lebar
- private double tinggi
Method of the Kapsul class
- private double luas(double p, double l)
Accessor methods of the Kapsul class
- public double getPanjang()
- public double getLebar()
Mutator methods of the Kapsul class
- public void setPanjang(double panjang)
- public void setLebar(double lebar)
Object in the Enkapsulasi class
- Kapsul pp
Integrate Security into DevOps - SecDevOps, by Ulf Mattsson
1. Security Controls Must Be Programmable and Automated Wherever Possible
2. Implement a Simple Risk and Threat Model for All Applications
3. Scan Custom Code, Applications and APIs
4. Scan for OSS Issues in Development
5. Treat Scripts/Recipes/Templates/Layers as Sensitive Code
6. Measure System Integrity and Ensure Correct Configuration at Load
7. Use Whitelisting on Production Systems, Including Container-Based Implementations
8. Assume Compromise; Monitor Everything; Architect for Rapid Detection and Response
9. Lock Down Production Infrastructure and Services
10. Tokenization and Payment Processing
SGSB Webcast 2: Smart grid and data security, by Andy Bochman
The document discusses security challenges related to data in the smart grid. It notes that smart grid data will be more expansive in volume and variety compared to current utility data. Specifically:
- Smart grid data will include more diagnostic information collected at higher frequencies from devices like meters, homes and vehicles.
- Not all smart grid data needs to be treated the same - it can be logically segmented based on attributes like lifetime, sensitivity and intended use by applications.
- Following practices like compartmentalizing data access and storage can help make smart grid systems more secure, efficient and compliant with regulations by enabling controlled access and easier anomaly detection.
CLOUD BASED ACCESS CONTROL MODEL FOR SELECTIVE ENCRYPTION OF DOCUMENTS WITH T..., by IJNSA Journal
Cloud computing refers to a type of networked computing whereby an application can be run on connected servers instead of local servers. Cloud can be used to store data, share resources and also to provide services. Technically, there is very little difference between public and private cloud architecture. However, the security and privacy of the data is a very big issue when sensitive data is being entrusted to third party cloud service providers. Thus encryption with a fine grained access control is inevitable to enforce security in clouds. Several techniques implementing attribute based encryption for fine grained access control have been proposed. Under such approaches, the key management overhead is a little bit high in terms of computational complexity. Also, secret sharing mechanisms have added complexity. Moreover, they lack mechanisms to handle existence of traitors. Our proposed approach addresses these requirements and reduces the overhead of the key management as well as secret sharing by using efficient algorithms and protocols. Also, a traitor tracing technique is introduced into the cloud computing two layer encryption environment.
CLOUD BASED ACCESS CONTROL MODEL FOR SELECTIVE ENCRYPTION OF DOCUMENTS WITH T..., by IJNSA Journal
This document proposes a cloud-based access control model for selectively encrypting documents with traitor detection. It aims to address the high computational overhead of key management and secret sharing in existing attribute-based encryption approaches for cloud data security. The proposed model uses efficient algorithms and protocols like aggregate equality oblivious commitment-based envelope protocol and fast access control vector broadcast group key management to reduce overhead. It also introduces a traitor tracing technique to identify any traitors in the two-layer encryption environment for cloud computing.
IRJET- Data Security with Multifactor Authentication, by IRJET Journal
This document discusses a multi-factor authentication system for improving data security. It proposes using passwords, one-time passwords via QR codes, and encryption/decryption of stored data. The system uses three stages of verification: login with username and password, verification with a randomly generated OTP QR code, and encrypting uploaded data and decrypting downloaded data with keys. By adding multiple layers of authentication and encrypting data, the system aims to minimize unauthorized access to secure systems and stored information.
A New Research and Design for Grid Portal Security System, by ijfcstjournal
The document discusses security issues in grid portal systems and proposes a new grid portal security system design. It analyzes grid portal security demands and focuses on user login security, resource scheduling security, data transmission safety, and data operation security. The design includes a four-layer security architecture with centralized management and autonomous node control. It also details designs for user login authentication processes, secure resource scheduling and data transmission, and protecting data manipulation through encryption. The proposed security system aims to provide strong authentication, access control, and data protection to allow safe use of grid resources and services.
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho..., by NetworkCollaborators
This document discusses the need for automation and programmability in network security as networks become more complex due to trends like cloud computing, mobility, and the Internet of Things. It outlines some of the challenges facing service providers in securing their networks and customers. It then describes different approaches service providers are taking to automate security using NFV and SDN technologies. Finally, it discusses how to secure the various components of an automated NFV architecture including the controller, infrastructure, network services, applications, management/orchestration, APIs, and communications.
This document discusses the need for automation and programmability in network security as networks become more complex due to trends like cloud computing, mobility, and the Internet of Things. It outlines some of the challenges facing service providers like increasing threats and changing customer expectations. It then describes how service providers are approaching network functions virtualization and automation in different ways, either led by use cases, infrastructure, or orchestration. Lastly, it discusses how Cisco is addressing security across virtualized infrastructure, applications, orchestration, communications and more through techniques like encryption, authentication, and integrating network security solutions.
Global Azure Bootcamp 2018 - Azure Security Center, by Scott Hoag
In this session, students will learn about Azure Security Center and Azure platform security.
Azure Security Center makes it easier than ever to protect your Microsoft Azure virtual machines and virtual networks (as well as Azure SQL Databases, Storage, and more), enabling you to move to the cloud with confidence.
The document discusses several topics related to security auditing and certification:
1. It outlines eight design principles for secure systems proposed by Saltzer and Schroeder, focusing on least privilege, fail-safe defaults, and other techniques.
2. It describes the domains covered by the CISSP security certification, including access control, telecommunications, risk management, software development and more.
3. It lists qualifications needed to become a CISSP-certified security auditor, such as years of experience in two security domains and adhering to a code of ethics.
Slide Deck Class Session 10 – FRSecure CISSP Mentor Program, by FRSecure
This document summarizes session #10 of a CISSP mentor program. It reviews topics in domains 4 and 5, including network scanning tools, wireless LANs, remote access, access control concepts, authentication methods, single sign-on, and identity lifecycle processes. Quizzes are given on domain 4 topics. Discussions also cover protocols like RADIUS, Diameter, Kerberos, and TACACS/TACACS+, as well as single sign-on implementations and access review procedures.
IRJET- Securing Cloud Data Under Key Exposure, by IRJET Journal
This document proposes a new auditing mechanism to improve the efficiency and security of attribute-based encryption for securing cloud data. The existing single attribute authority model results in long wait times for users to obtain secret keys. The proposed approach employs multiple attribute authorities that can share the work of key distribution to reduce wait times. A central authority generates keys for verified users, while each attribute is managed by its own authority. The mechanism can also detect incorrectly verified users to enhance security. Analysis shows the auditing mechanism improves cloud security performance compared to previous single authority schemes.
This document contains an outline for a CISA review course covering topics such as information security management, logical access controls, network security, and auditing frameworks. It includes sections on inventorying and classifying assets, access permissions, privacy issues, risks from external parties, and incident response. Self-assessment questions test on weaknesses like uncontrolled database passwords, the risks of single sign-on, uses of intrusion detection systems, and effective antivirus controls.
IRJET- Attribute based Access Control for Cloud Data Storage, by IRJET Journal
This document proposes a decentralized attribute-based encryption scheme for cloud data storage that provides fast encryption, outsourced decryption, and user revocation. The scheme divides encryption into an offline pre-processing phase and an online phase to make encryption faster. It also introduces outsourced decryption where a proxy server can partially decrypt ciphertexts without learning the plaintext. User revocation is supported without much additional computation online. The proposed scheme aims to make encryption and decryption more efficient for resource-constrained mobile devices interacting with cloud storage.
E-Mail Systems In Cloud Computing Environment Privacy, Trust And Security Chal..., by IJERA Editor
In this paper, SMCSaaS is proposed to secure an email system based on a Web Service and Cloud Computing model. The model offers the end-to-end security, privacy, and non-repudiation of PKI without the associated infrastructure complexity. The proposed model controls risks in cloud computing such as Insecure Application Programming Interfaces, Malicious Insiders, Data Loss or Leakage, Shared Technology Vulnerabilities, Account, Service and Traffic Hijacking, and Unknown Risk Profile.
This document provides an overview of the OWASP Testing Guide for vulnerability assessment and penetration testing (VAPT). It defines key terms like vulnerability, threat, control, and vulnerability assessment. It explains the security principles of confidentiality, integrity, and availability (CIA). It then describes common sources of vulnerabilities and outlines various testing methodologies for information gathering, configuration management, identity and authentication, authorization, session management, input validation, error handling, cryptography, and client-side testing. It stresses the importance of customizing the testing plan for different application types and remembering best practices like following protocols, capturing accurate details of the tested systems, informing clients, and filtering false positives.
IRJET - Providing High Security for Encrypted Data in Cloud, by IRJET Journal
This document proposes a scheme for providing high security for encrypted data stored in the cloud. It outlines a secure, easily integrated, and fine-grained mechanism for verifying query results over encrypted cloud data. The scheme allows an authorized user to verify the correctness of each file in a query result set, as well as detect if any qualified files were not returned. It constructs verification objects for outsourced encrypted files that can be used to verify results. Trapdoor, decryption, and verification keys are generated to control access and detect unauthorized access attempts. The scheme guarantees the authenticity of verification objects and ensures the cloud server learns nothing about requested objects.
This document discusses the importance of information security in the health sector. Information and information systems are essential for health planning, health services, the pharmaceutical and medical supply chain, and the monitoring and evaluation of health development. To that end, the document recommends implementing information-system security management based on ISO standards, building human-resource capacity, and infrastrukt
The document discusses information security policies and standards in the transportation sector at the Ministry of Transportation (Kemenhub). It explains the importance of information security, threats to information systems, information-system controls, the objectives of information-system security, policies related to information security, the strategic transportation sectors and their information systems, and the role of Pusdatin Kemenhub in ensuring information-system security.
The document discusses threats to aviation security, particularly cyber attacks, and the preventive measures Indonesia has taken to improve aviation security against those threats, such as updating regulations, strengthening oversight, and international cooperation.
This document discusses strategic issues related to information security in the electricity subsector. It includes an overview of the IT systems of the Directorate General of Electricity, which manage important applications and data such as the national electricity plan, the 35,000 MW program, and expert certification. The document also explains the need to secure these strategic data.
The document is a report from the Ministry of Energy and Mineral Resources of the Republic of Indonesia that covers the regulatory framework, duties, functions, policies, the system for supplying and utilizing new and renewable energy and energy conservation, public service information, and the applications used within the Directorate General of New, Renewable Energy and Energy Conservation.
This document discusses IT governance and its importance for top-performing enterprises. It notes that successful enterprises understand both the risks and benefits of IT, and find ways to align IT strategy with business strategy. Top areas of focus for IT governance include strategic alignment, value delivery, resource management, risk management, and performance measurement. The goal of IT governance is to ensure IT is managed responsibly and supports business goals, enables new opportunities, and delivers services efficiently while risks are known and managed.
Dokumen tersebut membahas tentang dependabilitas pada perangkat lunak elektronik, termasuk ancaman keamanan, user sebagai titik terlemah, forensik digital, dan membangun sistem yang aman.
Dokumen tersebut membahas skema regulasi penyelenggaraan sistem dan transaksi elektronik berdasarkan UU ITE dan PP PSTE. Terdapat penjelasan tentang penyelenggara layanan publik dan non-publik, kewajiban hukum, ketentuan umum dan khusus, serta perbandingan dengan PM tentang pendaftaran sistem elektronik.
Dokumen tersebut membahas tentang sistem akreditasi dan sertifikasi di Indonesia. Ia menjelaskan dasar hukum akreditasi nasional dan peran Komite Akreditasi Nasional (KAN) dalam mengakreditasikan lembaga-lembaga uji kesesuaian seperti laboratorium, lembaga inspeksi, dan lembaga sertifikasi untuk mendukung kebijakan dan perdagangan nasional. Dokumen ini juga menyinggung kerja sama internasional KAN dalam pengakuan timbal balik
This document discusses current IT challenges including lights-out IT, mobile, cloud and social media, securing legacy technologies, and IT human resources. It also mentions the threat landscape and vulnerabilities as current issues. It suggests that standards may provide solutions to some of these problems.
Rangkuman dokumen tersebut adalah:
Peraturan Menteri ini mengatur penerapan sistem manajemen pengamanan informasi bagi penyelenggara sistem elektronik untuk pelayanan publik berdasarkan kategori risiko sistem. Sistem elektronik dikategorikan menjadi strategis, tinggi, dan rendah, dengan standar pengamanan yang berbeda. Penyelenggara sistem elektronik strategis dan tinggi wajib memiliki sertifikat, sedangkan rendah dapat
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
A Comprehensive Guide to DeFi Development Services in 2024Intelisync
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
6. Firewall
1. Software Firewall
a. Pros: cheap, easy to configure
b. Cons: consumes more system resources, limited to certain O/S versions
2. Hardware Firewall
a. Pros: more features, independent of the host
b. Cons: more expensive
7. Network Security Methods
1. Access restrictions over a network
a. Internet Password Authentication
b. Server-based Password Authentication
c. Server-based Token Authentication
d. Firewall and Routing Control
2. Using the method and specific mechanisms
a. Encryption
b. Digital signature
c. Algorithm Checksum / Hash
3. Scheduled monitoring of the network
Information Security Domains, Supporting Protocols and Procedures
The University at Albany’s Information Security policy identifies ten domains which serve as a basis for protocol development and controls management. Examples of other domains include: Asset Classification, Access Control, and Incident Detection and Management. Protocols may be established for each Domain to provide direction and a framework for related companion documents.
Asset Classification
An enterprise-wide program designed to identify critical information and physical assets and develop a comprehensive approach to their protection and management.
Protocol: Asset Classification
Data Classification Standard
Category I Storage Guidelines
Risk Assessment and Analysis
Management processes conducted on a periodic basis to identify, report, and analyze reasonably foreseeable internal and external risks and vulnerabilities, likely threats, impacts, and potential losses using standard risk assessment methodologies for the purpose of recommending appropriate controls to mitigate unacceptable levels of exposure.
Identity Management
A comprehensive and unified approach to managing the identities of persons and processes issued by the University for the purpose of granting and controlling access to campus information resources. This includes exercising due care in the areas of identity assurance, issuance, authentication, authorization, revocation, and recovery of identity elements (NetIDs, tokens, etc.).
Protocol: Protection and Use of Faculty, Staff and Student Identifiers
Protection_of_Identifiers_Standards_Procedures.pdf
Protection and Use of Faculty, Staff and Student Identifiers Glossary
Access Control
Standards and procedures governed by the principle of “least privilege” and employing industry-accepted access control and authorization frameworks to ensure that external and internal computer applications and persons have only such access as is appropriate to information resources, and to facilities and devices containing and displaying information.
Protocol: Access to Electronic Records Held in Accounts Subsequent to Termination, Departure or Death
FORM: Request_Form_Access_to_UA_Personal_Account_and_Compliance_Agreement.pdf
FORM: Employee Access and Compliance Agreement
Third Party Management of UAlbany Website Agreement MOU
Infrastructure Management
Standards and procedures to create and maintain prioritized, reasonable, and appropriate safeguards and controls for the University's information infrastructure (databases, storage media, workstations, PDAs, mobile and hand-held devices, servers, network devices, wireless access points, firewalls, etc.), along with measures to ensure compliance.
Protocol: Media Disposal, Destruction, and Redeployment
NIST Guidelines for Media Sanitization (table)
Media Sanitization, Disposal and Redeployment Procedures
OGS Memorandum from June 2005
Software Assurance
Consists of appropriate reviews and controls used to validate the performance and security of software before it is purchased or developed and put into production.
Incident Response
Establishes procedures and assigns responsibilities for detecting, reporting, and responding to suspected and known information security incidents that result in unauthorized access or alteration of University business records, or attempts to deny or impede legitimate access to those records.
Protocol: Information Security Incident Response
Information Security Awareness Program
The Awareness Program promotes and promulgates best practices at all levels (including management), and informs and safeguards University staff.
Oversight of Service Providers
Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for sensitive information and require service providers by contract to implement and maintain such safeguards.
Documentation
Maintain, make appropriately available, and periodically review information security policies and procedures in written (which may be electronic) form; and keep written records of any action, activity or assessment that requires documentation.
The Elements of Security
Vulnerability
It is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.
Vulnerability characterizes the absence or weakness of a safeguard that could be exploited.
E.g.: a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security, etc.
Threat (Ancaman)
Any potential danger to information or systems.
A threat is the possibility that someone or something (a person, a piece of software) will identify and exploit the vulnerability.
The entity that takes advantage of a vulnerability is referred to as a threat agent. E.g.: a threat agent could be an intruder accessing the network through an open port on the firewall.
Risk
Risk is the likelihood of a threat agent taking advantage of vulnerability and the corresponding business impact.
Reducing vulnerability and/or threat reduces the risk.
E.g.: If a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner.
Exposure
An exposure is an instance of being exposed to losses from a threat agent.
Vulnerability exposes an organization to possible damages.
E.g.: If password management is weak and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.
Countermeasure or Safeguard
It is an application, a software configuration, a hardware device, or a procedure that mitigates the risk.
E.g.: strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.
The Relation Between the Security Elements
Example: If a company has antivirus software but does not keep the virus signatures up to date, this is a vulnerability. The company is vulnerable to virus attacks.
The threat is that a virus will show up in the environment and disrupt productivity.
The likelihood of a virus showing up in the environment and causing damage is the risk.
If a virus infiltrates the company's environment, then the vulnerability has been exploited and the company is exposed to loss.
The countermeasures in this situation are to update the signatures and install the antivirus software on all computers.
Network Topology [1/2]
1. Encryption
The encryption used in telkomsigma projects so far has usually come from Java Cryptography.
- Password encryption: MD5
- Data encryption:
  * Data signature: RSA with SHA1 (public-key cryptosystem)
  * Data: AES (Advanced Encryption Standard)
Java Cryptography: http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
RSA-SHA1: http://www.w3.org/PICS/DSig/RSA-SHA1_1_0.html
AES (Advanced Encryption Standard): http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Network Topology [2/2]
1. Encryption:
In general the encryption method is the same, using the Java standard (AES, 3DES, SHA, etc.). What differs is the key or seed.
Every project also applies this encryption to confidential data, at a minimum for storing passwords. For web applications, encryption usually uses SSL (which usually requires a security certificate, for example from VeriSign).
The Pertamina case applied double encryption when transmitting data. The keys are stored in a SmartCard (public and secret key). The main data is encrypted using AES. The public key is then encrypted using 3DES. These two encrypted items are sent to the server together with an MD5 digest for verifying the correctness of the received data.
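As an added example, not code from Telkom Sigma's projects or from these slides, the hypothetical Java class below combines the JCA primitives the two Encryption passages name: AES for the payload, "SHA1withRSA" for the data signature, and an MD5 digest of the ciphertext that the receiver checks before decrypting. The class name, the envelope field layout and the sample record are assumptions; the 3DES smart-card key wrapping from the Pertamina case is not shown.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;

/**
 * Hypothetical envelope built from the primitives named on the slide:
 * AES for the payload, RSA-with-SHA1 for the data signature and an MD5
 * digest of the ciphertext for the receiver's transport-integrity check.
 */
public class SignedAesEnvelope {

    /** What the sender transmits. The field layout is an assumption for this example. */
    static final class Envelope {
        final byte[] iv;
        final byte[] ciphertext;
        final byte[] signature;
        final byte[] md5;

        Envelope(byte[] iv, byte[] ciphertext, byte[] signature, byte[] md5) {
            this.iv = iv;
            this.ciphertext = ciphertext;
            this.signature = signature;
            this.md5 = md5;
        }
    }

    /** Sender: AES-encrypt, sign IV+ciphertext with the RSA private key, attach MD5 of the ciphertext. */
    static Envelope seal(byte[] plaintext, SecretKey aesKey, PrivateKey signingKey)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, aesKey);      // provider generates a fresh random IV
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] iv = cipher.getIV();

        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(signingKey);
        signer.update(iv);
        signer.update(ciphertext);
        byte[] signature = signer.sign();

        byte[] md5 = MessageDigest.getInstance("MD5").digest(ciphertext);
        return new Envelope(iv, ciphertext, signature, md5);
    }

    /**
     * Receiver: verify before decrypting. The MD5 digest only detects accidental
     * corruption in transit (anyone can recompute it); authenticity of the data
     * comes from the RSA signature check that follows it.
     */
    static byte[] open(Envelope env, SecretKey aesKey, PublicKey verifyKey)
            throws GeneralSecurityException {
        byte[] md5 = MessageDigest.getInstance("MD5").digest(env.ciphertext);
        if (!MessageDigest.isEqual(md5, env.md5)) {
            throw new SecurityException("MD5 mismatch: ciphertext altered in transit");
        }
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(verifyKey);
        verifier.update(env.iv);
        verifier.update(env.ciphertext);
        if (!verifier.verify(env.signature)) {
            throw new SecurityException("RSA signature does not verify: sender not authenticated");
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, aesKey, new IvParameterSpec(env.iv));
        return cipher.doFinal(env.ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aesKey = kg.generateKey();           // shared AES key (key distribution not shown)
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rsa = kpg.generateKeyPair();            // sender's signing key pair

        byte[] record = "constructed sample record".getBytes(StandardCharsets.UTF_8);
        Envelope env = seal(record, aesKey, rsa.getPrivate());
        byte[] recovered = open(env, aesKey, rsa.getPublic());
        System.out.println("round trip ok: " + Arrays.equals(record, recovered));

        // A single flipped ciphertext byte is rejected at the MD5 check, before any decryption.
        byte[] damaged = env.ciphertext.clone();
        damaged[0] ^= 0x01;
        try {
            open(new Envelope(env.iv, damaged, env.signature, env.md5), aesKey, rsa.getPublic());
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```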
2. Firewall
Besides a firewall, the method usually used to protect the server area is NAT (Network Address Translation) via a router, together with a DMZ.
NAT here serves to bridge the public IP to the internal server IP (there is one more IP address in between the two), so that outside parties do not know the actual IP addresses inside the server environment.
There is also what is called a DMZ (Demilitarized Zone): http://en.wikipedia.org/wiki/DMZ_(computing)
Network Security Methods
Access restrictions over a network
Internet Password Authentication
Server-based Password Authentication
Server-based token Authentication
Firewall and Routing Control
Using the method and specific mechanisms
Encryption
Digital signature
Algorithm Checksum / Hash
Scheduled monitoring of the network
Organizational Security Models
Some of the best practices that facilitate the implementation of security controls include Control Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799, Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE).
COSO
Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a U.S. private-sector initiative, formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.
Key concepts of the COSO framework
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.
COSO Internal Control Framework: the five components
According to the COSO framework, internal control consists of five interrelated components. These components provide an effective framework for describing and analyzing the internal control system implemented in an organization. The five components are the following:
Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and Separation of duties/segregation of duties.
Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for managing information technology (IT) infrastructure, development, and operations.
ITIL is published in a series of books, each of which covers an IT management topic.
Overview and Benefits
ITIL provides a systematic and professional approach to the management of IT service provision. Adopting its guidance offers users a huge range of benefits that include:
reduced costs;
improved IT services through the use of proven best practice processes;
improved customer satisfaction through a more professional approach to service delivery;
standards and guidance;
improved productivity;
improved use of skills and experience; and
improved delivery of third party services through the specification of ITIL or ISO 20000 as the standard for service delivery in services procurements.
ITIL v3
ITIL v3, which was published in May 2007, comprises 5 key volumes:
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement
COBIT
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.
Overview
COBIT has 34 high level processes that cover 210 control objectives categorized in four domains:
Planning and Organization
Acquisition and Implementation
Delivery and Support
Monitoring
COBIT provides benefits to managers, IT users, and auditors.
Managers benefit from COBIT because it provides them with a foundation upon which IT related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system.
IT users benefit from COBIT because of the assurance provided to them by COBIT's defined controls, security, and process governance.
COBIT benefits auditors because it helps them identify IT control issues within a company's IT infrastructure. It also helps them corroborate their audit findings.
COBIT structure
Plan and Organize: The Planning and Organization domain covers the use of information & technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
Acquire and Implement: The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
Delivery and Support: The Delivery and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training.
Monitor and Evaluate: The Monitoring and Evaluation domain deals with a company's strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company's control processes.
ISO/IEC 27000 Series (Formerly BS 7799/ISO 17799)
Tracking the history of the ISO/IEC 27000-series of standards is somewhat of a challenge. This section provides the history of the ISO standard for information security management that began with BS 7799 and later resulted in ISO 17799 and eventually the ISO 27000 "family of standards" for Information Security Management Systems (ISMS). Like the other control and governance models, the ISO 27000 series provides a set of guidelines and best practices for information security management. The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Sub Committee 27), an international body that meets in person twice a year. The International Standards Organization (ISO) also develops standards for quality control, environmental protection, product usability, manufacturing, etc.
BS 7799
BS 7799 is divided into three parts:
BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995.
It was eventually adopted by ISO as ISO/IEC 17799, "Information technology - Code of practice for information security management", in 2000.
ISO/IEC 17799 was most recently revised in June 2005 and was renamed ISO/IEC 27002 in July 2007.
BS 7799 Part 2 was first published by BSI in 1999, titled "Information Security Management Systems - Specification with guidance for use". It focuses on how to implement an information security management system (ISMS).
The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) cycle (the Deming quality assurance model), aligning it with quality standards such as ISO 9000.
BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.
ISO 17799
Derived from BS 7799.
It is an internationally recognized ISM standard that provides high-level, conceptual recommendations on enterprise security.
ISO 17799 has two parts:
Part I is an implementation guide with guidelines on how to build a comprehensive information security infrastructure.
Part II is an auditing guide based on the requirements that must be met for an organization to be deemed compliant with ISO 17799.
ISO 17799 domains
Information security policy for the organization: Map of business objectives to security, management's support, security goals, and responsibilities.
Creation of information security infrastructure: Create and maintain an organizational security structure through the use of a security forum, a security officer, defined security responsibilities, an authorization process, outsourcing controls, and independent review.
Asset classification and control: Develop a security infrastructure to protect organizational assets through accountability and inventory, classification, and handling procedures.
Personnel security: Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.
Physical and environmental security: Protect the organization's assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control, and protecting equipment.
Communications and operations management: Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management, and media handling.
Access control: Control access to assets based on business requirements, user management, authentication methods, and monitoring.
System development and maintenance: Implement security in all phases of a system's lifetime through development of security requirements, cryptography, integrity, and software development procedures.
Business continuity management: Counter disruptions of normal operations by using continuity planning and testing.
Compliance: Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.
ISO 27000 Series
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.
The following are the currently published 27000-series standards:
ISO 27000 Overview and vocabulary. An overview of the series and a glossary of terms.
ISO 27001 Information security management systems -- Requirements. This is the specification/requirements for an information security management system (an ISMS), which replaced the old BS 7799-2 standard.
ISO 27002 Code of practice for information security management. This is the 27000-series number of what was originally the ISO 17799 standard (which itself was formerly known as BS 7799-1).
ISO 27003 Information security management system implementation guidance. This is the official number of a new standard intended to offer guidance for the implementation of an ISMS.
ISO 27004 Information security management -- Measurement. This standard covers information security management system measurement and metrics, including suggested ISO 27002-aligned controls.
ISO 27005 Information security risk management. This is the methodology-independent ISO standard for information security risk management.
ISO 27006 Requirements for bodies providing audit and certification of information security management systems. This standard provides guidelines for the accreditation of organizations offering ISMS certification.
Other 27000-series ISO publications:
ISO 27011 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO 27033 Network security -- Part 1: Overview and concepts
ISO 27799 Health informatics -- Information security management in health using ISO/IEC 27002
Although the list of ISO 27000-series standards for information security management continues to grow, ISO/IEC 27002 and ISO/IEC 27001 remain the most used standards, because they provide the most basic guidance for enterprise information security program practices and processes, and because they are the most current versions of their popular predecessors (BS 7799 and ISO 17799).