6 8-1 sasia information system control for system reliability
TRANSCRIPT
1
Information System Control for System Reliability part 1
Chapter 7
Romney 10ed
2
How does security affect system reliability?
3
System reliability
Security
4
Security: access to the system and its data is controlled
Confidentiality: sensitive information is not disclosed carelessly, let alone to unauthorized parties
Privacy: personal information about customers is collected, used, disclosed and maintained appropriately
Processing integrity: data is processed accurately, completely, at the right time and in the right manner
Availability: the system is available to meet operational and contractual obligations
5
Three Fundamental Information Security Concepts
6
1. Security is a management issue, not a technology issue
• Management must set policies before control procedures are implemented
• Effective communication of policies
• Design and employment of appropriate control procedures
• Monitoring & taking remedial action
• Discussion case: how would you secure a paper mill against the threat of fire?
7
2. Time-based model of security
The relationship between preventive (limit), detective (identify) and corrective (repair) controls: all three matter
Measures three variables:
Time needed by an attacker to break through the preventive controls (P)
Time needed to detect the attack (D)
Time needed to respond to the attacker (C)
8
When are a company's security procedures said to be effective?
9
P > D + C
Effective: the preventive controls hold longer than detection plus response takes.
10
3. Defense-in-depth
Layered controls, so that no single point of failure defeats security
Examples: how do you physically secure cash at home?
How do you secure cash in transit?
How do you secure data?
11
Types of preventive, detective and corrective controls to provide information security
12
Preventive Control
Objective: prevent problems from happening
Authentication: verifying identity with passwords, smart cards, biometrics
Authorization: restricting what an authenticated user may access
Training: not sharing passwords, how to protect a laptop, etc.
Physical access: controlling entry points to the building
13
Detective Control
Objective: monitoring the effectiveness of preventive controls
Log analysis: audit trail
Intrusion detection system: logs of network traffic
Managerial reports: scorecard for monitoring the effectiveness of existing security measures
Security testing: vulnerability scans
14
Corrective Control
Objective: take corrective action on a timely basis
Computer emergency response team
CSO: chief security officer
Patch management: fixing known vulnerabilities and installing the latest updates to security programs
15
Preventive: authentication controls (passwords, biometrics)
Preventive: physical access (locks, guards, etc.)
Detective: log analysis
Detective: managerial reports
Detective: security testing
Corrective: chief security officer
Corrective: computer emergency response teams
Corrective: patch management
16
How does encryption contribute to security?
How do the two basic types of encryption system work?
17
Encryption
The final layer of preventive control
Strengthens authentication procedures
Verifies the validity of e-business transactions
18
Encryption
Symmetric encryption system: encrypt with key A, decrypt with key A
Asymmetric encryption system: encrypt with key A, decrypt with key B
(a public key and a private key)
19
Is the system's security adequate?
Time needed by an intruder to break into the system = 22 minutes
Time to detect the intruder and call security staff = 15 minutes
Time needed to analyze the intrusion and apply corrective action: best case = 6 minutes, worst case = 30 minutes
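As an added example (not from the slides or from Romney's text), the exercise above worked through with the time-based model: each case is checked against P > D + C, and the margin shows how many minutes of detection or response time must be cut before the controls count as effective. The class and function names are this example's own.

```python
# Added example: evaluating the time-based model of security (P > D + C)
# for the intrusion exercise above. Figures: P = 22, D = 15,
# C = 6 (best case) / 30 (worst case), all in minutes.
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeBasedAssessment:
    p: float  # minutes an attacker needs to get through preventive controls
    d: float  # minutes needed to detect the attack
    c: float  # minutes needed to respond (corrective action)

    @property
    def effective(self) -> bool:
        # The model's criterion: detection plus response must finish
        # strictly before the preventive controls are breached.
        return self.p > self.d + self.c

    @property
    def margin(self) -> float:
        # Positive: minutes to spare. Negative: by how many minutes
        # D + C must shrink (or P must grow) before P > D + C holds.
        return self.p - (self.d + self.c)


def assess_scenarios(p: float, d: float,
                     c_cases: dict[str, float]) -> dict[str, TimeBasedAssessment]:
    """Evaluate one P and D against several response-time cases."""
    return {name: TimeBasedAssessment(p, d, c) for name, c in c_cases.items()}


# The slide's figures: best and worst case for the corrective step.
SLIDE_CASES = assess_scenarios(22, 15, {"best": 6, "worst": 30})

if __name__ == "__main__":
    for name, a in SLIDE_CASES.items():
        verdict = "effective" if a.effective else "NOT effective"
        print(f"{name}: P={a.p} D={a.d} C={a.c} -> {verdict} "
              f"(margin {a.margin:+.0f} min)")
```

Only the best case passes, and by a single minute; in the worst case detection plus response overshoots the intruder's 22 minutes by 23 minutes, so investment has to go into faster detection or response rather than more prevention alone.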