6 8-1 sasia information system control for system reliability

Information System Control for System Reliability part 1, Chapter 7, Romney 10ed

Upload: dianpipit

Post on 24-Jun-2015

Page 1

Information System Control for System Reliability part 1

Chapter 7

Romney 10ed

Page 2

How does security affect system reliability?

Page 3

System reliability

Security

Page 4

Security: system access and data controls

Confidentiality: sensitive information is not disclosed carelessly, let alone to unauthorized parties

Privacy: personal information about customers is collected, used, disclosed and maintained appropriately

Processing integrity: data is processed accurately, completely, at the right time and in the right manner

Availability: the system is available to meet operational and contractual obligations

Page 5

Three Fundamental Information Security Concepts

Page 6

1. Security is a management issue, not a technology issue

• Management must put policies in place before implementing control procedures

• Effective communication of policies

• Design and employment of appropriate control procedures

• Monitoring and taking remedial action

• Discussion case: how do you secure a paper mill against the threat of fire?

Page 7

2. Time-based model of security

The relationship between preventive (limit), detective (identify) and corrective (repair) controls: all three matter.

The model measures 3 variables:

Time needed by an attacker to break through the preventive controls (P)

Time needed to detect the attack (D)

Time needed to respond to the attacker (C)

Page 8

When are a company's security procedures said to be effective?

Page 9

P > D + C

Effective!!!

Page 10

3. Defense-in-depth

Layered controls, so that a failure at any single point does not defeat security

Examples:

How do you physically secure cash at home?

How do you physically secure cash in transit?

How do you secure data?

Page 11

Types of preventive, detective and corrective controls that provide information security

Page 12

Preventive Control

Objective: prevent problems before they happen

Authentication: verifying identity (passwords, smart cards, biometrics)

Authorization: restricting what an authenticated user may access

Training: not sharing passwords, how to protect laptops, etc.

Physical access: entry points to the building

Page 13

Detective Control

Objective: monitoring the effectiveness of preventive controls

Log analysis: audit trail

Intrusion detection system: logs of network traffic

Managerial reports: scorecard for monitoring the effectiveness of existing security measures

Security testing: vulnerability scans

Page 14

Corrective Control

Objective: take corrective action on a timely basis

Computer emergency response team

CSO: chief security officer

Patch management: fixing known vulnerabilities and installing the latest updates to both security programs

Page 15

Preventive: authentication controls (passwords, biometrics); physical access (locks, guards, etc.)

Detective: log analysis; managerial reports; security testing

Corrective: chief security officer; computer emergency response teams; patch management

Page 16

How does encryption contribute to security? How do the two basic types of encryption system work?

Page 17

Encryption

The final layer of preventive control

Strengthens authentication procedures

Verifies the validity of e-business transactions

Page 18

Encryption

Symmetric encryption system: Encrypt = key A, Decrypt = key A

Asymmetric encryption system: Encrypt = key A, Decrypt = key B (a public key and a private key)
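The key relationship on this slide, worked through in code as an added example (not from the slides or the textbook): a symmetric cipher where the same key A encrypts and decrypts, beside an asymmetric one where key A (public) encrypts and a different key B (private) decrypts. Textbook RSA with tiny constructed primes stands in for the asymmetric system and an XOR stream for the symmetric one; both are toy-sized so the key relationship stays visible, and neither protects real data.

```python
"""Symmetric vs asymmetric encryption, illustrated with deliberately toy ciphers.
Added example; the slide names no specific algorithm, RSA is my choice here."""


# --- Symmetric: encrypt = key A, decrypt = key A ------------------------------
def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: the same key both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def symmetric_roundtrip(message: bytes, key_a: bytes) -> bytes:
    """Sender and receiver must both hold key A; nothing else is needed."""
    ciphertext = xor_cipher(message, key_a)
    return xor_cipher(ciphertext, key_a)


# --- Asymmetric: encrypt = key A (public), decrypt = key B (private) ----------
# Textbook RSA parameters, constructed and tiny: n = 61 * 53 = 3233.
N = 3233
KEY_A_PUBLIC = 17      # e: may be published; anyone can encrypt with it
KEY_B_PRIVATE = 2753   # d: kept secret; only its holder can decrypt


def rsa_apply(value: int, key: int) -> int:
    """Modular exponentiation is the whole operation in textbook RSA."""
    return pow(value, key, N)


def asymmetric_roundtrip(m: int, encrypt_key: int, decrypt_key: int) -> int:
    """Encrypt with one key, then decrypt with another (m must be below N).

    Only the matching private key B recovers m; reusing key A does not."""
    if not 0 <= m < N:
        raise ValueError("message must be an integer below the modulus")
    c = rsa_apply(m, encrypt_key)
    return rsa_apply(c, decrypt_key)


if __name__ == "__main__":
    msg = b"pay 100"
    print(symmetric_roundtrip(msg, b"secret") == msg)             # True
    print(asymmetric_roundtrip(65, KEY_A_PUBLIC, KEY_B_PRIVATE))  # 65
    print(asymmetric_roundtrip(65, KEY_A_PUBLIC, KEY_A_PUBLIC))   # not 65
```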

Page 19

Is the system's security adequate?

Time needed by an intruder to attack the system = 22 minutes

Time to detect the intruder and call security staff = 15 minutes

Time needed to analyze the intrusion and apply corrective action: best case = 6 minutes, worst case = 30 minutes
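The time-based model from pages 7 to 9 (P > D + C) applied to this exercise's figures, as an added example that is not part of the slides: it checks both response cases and reports the margin, that is, how many minutes of slack remain, or by how much D + C would have to shrink. The class and function names are mine.

```python
"""Time-based model of security: protection is adequate when P > D + C, where
P is the time an attacker needs to defeat the preventive controls, D the time
to detect the attack and C the time to respond and correct. Added example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    p_minutes: float  # time to break through preventive controls (P)
    d_minutes: float  # time to detect the intrusion (D)
    c_minutes: float  # time to analyse and apply corrective action (C)

    def is_effective(self) -> bool:
        # The model's test: preventive controls must hold for longer than
        # detection AND response together take.
        return self.p_minutes > self.d_minutes + self.c_minutes

    def margin(self) -> float:
        # Positive: minutes of slack before the attacker gets through.
        # Negative: minutes by which D + C must shrink (or P grow).
        return self.p_minutes - (self.d_minutes + self.c_minutes)


def evaluate(p: float, d: float, response_cases: dict) -> dict:
    """Evaluate P > D + C for each named response time C."""
    results = {}
    for name, c in response_cases.items():
        s = Scenario(name, p, d, c)
        results[name] = {"effective": s.is_effective(),
                         "margin_minutes": s.margin()}
    return results


# Figures from this slide's exercise: P = 22 min, D = 15 min,
# C = 6 min (best case) or 30 min (worst case).
SLIDE_RESULTS = evaluate(22, 15, {"best_case": 6, "worst_case": 30})

if __name__ == "__main__":
    for case, r in SLIDE_RESULTS.items():
        verdict = "effective" if r["effective"] else "NOT effective"
        print(f"{case}: {verdict} (margin {r['margin_minutes']:+.0f} min)")
```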