The more company information is stored, managed and shared, the greater the risk of that data being damaged, lost or exposed to unwanted external parties. How that data or information is managed, maintained and exposed is the background to the drafting of ISO , the standard for information security management systems.
Discussion
2. What is Information Security?
Information security consists of protecting the following aspects:
1. Confidentiality: the aspect that guarantees the confidentiality of data or information, ensuring that information can only be accessed by authorized people and guaranteeing the confidentiality of data that is sent, received and stored.
2. Integrity: the aspect that guarantees that data is not changed without the permission of the authorized party, maintaining the accuracy and completeness of information and of its processing methods in order to guarantee this integrity aspect.
3. Availability: the aspect that guarantees that data will be available when needed, ensuring that authorized users can use the information and the related devices (the associated assets) whenever required.
Information security is achieved by implementing a suitable set of controls, which may take the form of policies, practices, procedures, organizational structures and software.
Figure 2.
Why is information security needed?
Information security protects information from a wide range of threats in order to ensure business continuity, minimize company losses and maximize return on investment and business opportunities. Information systems management allows data to be distributed electronically, so a system is needed to ensure that data has been sent to, and received by, the correct user. Security failures are more often caused by internal factors than by external ones.
The results of the ISBS survey for the year show that many business networks in the United Kingdom (UK) have come under attack from outside.
What does ISO contain?
A Security Policy is very much needed given the many non-technical problems encountered, one of which is the use of a single password by more than one person.
This shows a lack of compliance in implementing the information security system. An inventory of company data must be carried out. Next, rules are drawn up with the involvement of all departments so that the rules can be accepted by all parties. The draft rules are then submitted to the board of directors. Once approved, the rules can be applied. The Security Policy covers various aspects, namely:
a. Information security infrastructure
b.
Controlling the procedures for access to information and existing resources covers various aspects, namely:
a. Access control.
b. User Access Management.
c. User Responsibilities.
d. Network Access Control.
e. Application Access Control.
f. Monitor system access and use.
g. Mobile Computing and Telenetworking.
Communication and Operations Management provides protection for the information system infrastructure through maintenance and periodic inspection, and ensures that documented system guidance is available and communicated in order to avoid operational errors.
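The control "Monitor system access and use" and the shared-password problem described above can be checked from authentication logs. The following is an added example, not code from the original page or from the standard: it parses a few constructed log lines (the log format, field names and the ten-minute window are assumptions made for the illustration) and flags any account seen from three or more distinct source addresses inside that window, which is one signal that a password is being used by more than one person.

```python
"""Flag accounts that authenticate from several source addresses in a short
window. Added example, not from the original page; the log format, the field
names and the ten-minute window are assumptions for the illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). "alice" logs in from three
# different addresses within five minutes; "bob" is normal.
SAMPLE_LOG = """\
2024-03-01T08:00:12Z auth login user=alice src=10.0.1.5 result=success
2024-03-01T08:02:40Z auth login user=bob src=10.0.2.9 result=success
2024-03-01T08:03:05Z auth login user=alice src=10.0.7.22 result=success
2024-03-01T08:04:50Z auth login user=alice src=192.168.4.8 result=success
2024-03-01T08:20:00Z auth login user=bob src=10.0.2.9 result=failure
2024-03-01T08:30:00Z auth login user=bob src=10.0.2.9 result=success
2024-03-01T09:15:00Z auth login user=alice src=10.0.1.5 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, src) tuples,
    keeping only successful logins, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("result") != "success":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("user"), m.group("src")))
    return sorted(events)


def find_shared_accounts(events, window=timedelta(minutes=10), min_sources=3):
    """Return {user: set_of_sources} for every user seen from at least
    `min_sources` distinct addresses inside some sliding `window`."""
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    flagged = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            # sources seen from this login until the window closes
            sources = {src for ts, src in logins[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                flagged[user] = sources
                break
    return flagged


if __name__ == "__main__":
    for user, sources in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"review account {user}: {len(sources)} sources within 10 min: {sorted(sources)}")
```

The output is a review queue, not a verdict: VPN concentrators, address pools and roaming laptops also produce several addresses per user, so the window and threshold are tuned per environment and a hit leads to a conversation with the account owner rather than an automatic lockout.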
The arrangements for the flow of communication and operations cover various aspects, namely:
a. Operational procedures and responsibilities.
Redesign the HR exit interview to ensure that information return or transfer is a coordinated process. This component of the standard outlines all the requirements for physical security perimeters and authorized entry controls; measures for protecting against external and environmental threats; equipment security, utilities, and cabling considerations; and secure disposal or removal of storage equipment media.
An organization's building and premises, equipment, and information-processing facilities must be fail-proof to prevent unauthorized intrusions and access, and possible theft. This applies mostly to facilities management and IT, although risk management should also participate to provide environmental risk protection measures.
Include guidelines for physical security perimeters, entry controls, environmental threats, and access patterns in this section. Also address supporting utilities, power, and telecommunication networks. Finally, secure the disposal and removal of equipment that holds information so that information is truly deleted or "wiped" clean from the slate.
Procedures for system activities, change management controls, and segregation of duties are included in this component. Any organizational program will be more established when program administration, policies, procedures, and related processes are formally documented.
This component sets out to define operating procedures, instructions for the detailed execution thereof, and the management of audit trail and system log information. It applies to all facets of an information security program. Formally documenting program activities will allow an organization to keep track of the development, implementation, and associated documentation for the program.
Keep in mind that documentation does not magically appear through word processing programs. It takes resources, good writing skills, and an ability to change documentation when necessary.
Address the separation of development, test, and operational facilities to reduce the risk of unauthorized actions. Monitor and review third-party service delivery requirements to ensure that actions are carried out as mandated. Plan for, monitor, and update system resources, capacity management, and acceptance criteria, as necessary. Constantly monitor and prepare to protect against malicious and mobile code to guard the integrity of system software and information.
This especially pertains to intelligent cybercrime activities such as structured query language (SQL) injection and its application to mobile devices, which are becoming increasingly sophisticated. This should also focus on incoming e-mails and downloadable attachments, as well as a review of web pages. Backup and restoration procedures must provide for the replication of information and methods for dispersal and testing, meeting business continuity requirements.
This should also address retention periods for archival information or those with long-term retention requirements. Address media preservation issues to ensure the longevity of media that have long-term retention requirements.
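The SQL injection control mentioned above comes down to never letting caller input change the meaning of a statement. As an added example (not code from the original page or from the standard), the following Python places a query that splices input into SQL text beside a hardened version that allowlists the input and binds it as a parameter, against an in-memory SQLite table; the table, rows and inputs are constructed for the illustration.

```python
"""Vulnerable string-built query beside its parameterized, validated
replacement. Added example, not from the original page; the table, rows,
allowlist pattern and inputs are constructed for the illustration."""
import re
import sqlite3


def make_db():
    """Build a throwaway in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """BEFORE: the caller's input is spliced into the SQL text, so a quote in
    the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the engine treats the input purely as a value, so a
    malformed username simply matches no row."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ? ORDER BY id", (username,)
    ).fetchall()


# Allowlist for the username field (constructed rule for this example).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def lookup_hardened(conn, username):
    """AFTER: reject anything outside the allowlist before it reaches the
    database, then use the parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the allowed pattern")
    return lookup_parameterized(conn, username)


def demo(username="x' OR '1'='1"):
    """Run all three lookups on one input and return their results so the
    difference is visible in a single call. The default input is a constructed
    malformed value that breaks out of the quoted literal."""
    conn = make_db()
    try:
        hardened = lookup_hardened(conn, username)
    except ValueError:
        hardened = "rejected"
    return {
        "vulnerable": lookup_vulnerable(conn, username),
        "parameterized_only": lookup_parameterized(conn, username),
        "hardened": hardened,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterized query alone removes the injection; the allowlist is the "valid data input" check the standard asks for on top of it, and it also gives a clean place to log rejected input for the monitoring described later on this page.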
Although mobile devices have helped organizations stay better connected, employees must use more discretion when using them. Alert employees to proper etiquette for relaying information so they will not be overheard in elevators, airports, or on other public transportation.
Address electronic data interchange, e-commerce, online transactions, electronic signatures, electronic publishing systems, and electronic communication methods such as e-mail and IM.
Their secure use and associated procedures must demonstrate accuracy, integrity, and reliability. For organizations using e-commerce, this is not optional, as current regulations are pushing it to the forefront of IT agendas. Organizations should also monitor their systems and record security events through audit logs. Also address records retention policies for archival or evidence requirements. This component of the standard includes guidelines for establishing policies and rules for information and system access.
Practice standard methods for all users and system administrators to control access to and distribution of information. Policies should apply to users, equipment, and network services. Newer technologies, such as those that have passwords connected to fingerprint digital touch pads, come at a cost, but they should be evaluated as a password management tool. Any information system that an organization procures or develops must also include security requirements for valid data input, internal processing controls, and encryption protection methods.
Document the integrity, authenticity, and completeness of transactions through checks and balances. Retain and archive system documentation for configurations, implementations, audits, and older versions. This is further detailed in clause 12 of the standard. This component of the standard includes reporting requirements, response and escalation procedures, and business continuity management.
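The audit-log requirement above and the "checks and balances" on transaction integrity both call for a log that cannot be quietly edited after the fact. The block below is an added example, not code from the original page or from the standard: each record carries an HMAC-SHA256 tag over its own content and the previous record's tag (the key, the event fields and the helper names are assumptions for the illustration), so an edit, a deletion in the middle, a reordering or, when the latest tag is kept in a separate store, a truncation of the log is detected by the verifier.

```python
"""Tamper-evident audit log built from HMAC-chained records. Added example,
not from the original page; the key, event fields and helpers are constructed
for the illustration."""
import copy
import hashlib
import hmac
import json

# Constructed key. In practice the verifier holds it, not the systems that
# write to the log, so a writer cannot re-tag records it has altered.
LOG_KEY = b"constructed-example-key-do-not-reuse"
GENESIS_TAG = "0" * 64


def _tag(key, prev_tag, record):
    """HMAC-SHA256 over the previous tag and the canonical JSON of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + canonical, hashlib.sha256).hexdigest()


def append_event(log, key, **fields):
    """Append one event; the sequence number and previous tag make every entry
    depend on its predecessor."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    record = {"seq": len(log), **fields}
    log.append({"record": record, "tag": _tag(key, prev_tag, record)})
    return log


def verify_log(log, key, expected_tail_tag=None):
    """Walk the chain; return (True, None) or (False, index_of_first_bad_entry).
    If the latest tag was stored elsewhere, pass it to detect truncation."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        if entry["record"].get("seq") != i:
            return False, i  # gap or reordering
        if not hmac.compare_digest(entry["tag"], _tag(key, prev_tag, entry["record"])):
            return False, i  # content or tag altered
        prev_tag = entry["tag"]
    if expected_tail_tag is not None and not hmac.compare_digest(prev_tag, expected_tail_tag):
        return False, len(log)  # entries removed from the end
    return True, None


def build_sample_log(key=LOG_KEY):
    """Constructed sample: three security events written in order."""
    log = []
    append_event(log, key, ts="2024-03-01T08:00:00Z", event="login", user="alice", result="success")
    append_event(log, key, ts="2024-03-01T08:05:00Z", event="transfer", user="alice", amount=250)
    append_event(log, key, ts="2024-03-01T08:06:00Z", event="logout", user="alice")
    return log


def tamper_amount(log, index, new_amount):
    """Simulate an after-the-fact edit of a transaction record (returns a copy)."""
    edited = copy.deepcopy(log)
    edited[index]["record"]["amount"] = new_amount
    return edited


def delete_entry(log, index):
    """Simulate removal of one record (returns a copy)."""
    return log[:index] + log[index + 1:]


if __name__ == "__main__":
    log = build_sample_log()
    tail = log[-1]["tag"]
    print("intact:", verify_log(log, LOG_KEY))
    print("edited amount:", verify_log(tamper_amount(log, 1, 999999), LOG_KEY))
    print("middle entry removed:", verify_log(delete_entry(log, 1), LOG_KEY))
    print("last entry removed, tail anchored:", verify_log(delete_entry(log, 2), LOG_KEY, tail))
```

Without the external tail tag a chain that is simply cut short still verifies, which is why the latest tag (or a running count) is written to a store the log writers cannot reach, such as a separate log collector or a periodic signed checkpoint.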
As organizations increasingly come under attack and suffer security breaches, they must have some formalized manner of responding to these events. Business continuity management addresses unexpected interruptions in business activities or counters those events that impede an organization's critical business functions.
This process should include:
A business continuity management framework also includes emergency or crisis management tasks, resumption plans, recovery and restoration procedures, and training programs. Testing the plan is an absolute must to determine its validity. Tests can include a variety of methods to simulate and rehearse real-life situations. Develop calling trees, hot- and cold-site configurations, and third-party contractors, depending on the organization's priority of critical business functions.
Report information security incidents or breaches as soon as possible to ensure that all relevant information can be remembered. This requires having feedback processes in place as well as establishing a list of contacts that are available around the clock to manage this process.
Procedures should be consistent and effective to ensure orderly responses to not only manage the immediate process but also to collect evidence for legal proceedings. This component of the standard provides standards for intellectual property rights, RM requirements, and compliance measures. These apply to everything from an organization's information processing systems to the granular data and transactional records contained within those systems.
There is increased scrutiny on organizations to demonstrate compliance with applicable laws, regulations, and legislative requirements for all aspects of their business transactions. Adherence to rules and regulations is an integral part of the information security program and will contribute to demonstrating corporate accountability.
Address identification, categorization, retention, and stability of media for long-term retention requirements according to business and regulatory requirements.
Document retention periods and associated storage media as part of managing the organization's records. Address privacy and personal data requirements, which can vary from one country to the next. Address transborder data flow and movement, and associated encryption methods as related to import and export issues depending on federal laws and regulations. Follow up on and evaluate compliance with established policies and procedures to determine implementation effectiveness and possible shortcomings.
Clearly delineate audit controls and tools to determine areas for improvement. Again, it is critical to take time to document all information related to the development and establishment of compliance and audit, including decisions made, resources involved, and other source documentation cited.
New information security requirements are emerging as a result of organizations' negligence in protecting sensitive data and in imposing adequate controls on employees who use mobile technology to house such data. Information security issues are constantly in the media, as with the recent case in which the U.S. Department of Veterans Affairs (VA) lost control of the personal information of 28 million veterans when a laptop containing the information was stolen from an employee's home.
The VA was criticized for its delay in disclosing the loss and notifying those affected. California Senate Bill (SB) is setting the precedent for reporting and disclosing data security breaches and for declarations on privacy and financial security.
By completing this certification, the individual is at the Silver level of certification. If the paper is accepted, they will be certified as Gold level.
The Platinum level is the highest certification available and requires multiple Silver certifications.