FORESEC CERTIFIED NETWORK SECURITY (FCNS)

FORESEC ACADEMY PROGRAMMES

FORESEC CERTIFIED IN NETWORKING SECURITY (FCNS)

FORESEC CERTIFIED IN COMPUTER HACKING (FCCH)

FORESEC CERTIFIED IN DISASTER RECOVERY (FCDR)

FORESEC CERTIFIED IN COMPUTER FORENSIC (FCCF)


FORESEC ACADEMY Website : http://www.foresec-academy.com/
COURSE OUTCOMES

ACADEMIC COMPETENCE

FCNS CERTIFICATION (FORESEC CERTIFIED NETWORK SECURITY)


IT CERTIFICATIONS

Types of certification:

1. ACADEMIC CERTIFICATION, which confers an academic degree such as
Bachelor, Master or Doctor.

2. PROFESSIONAL CERTIFICATION, which is awarded for specific expertise in
a specific profession and is usually re-examined every year or more,
depending on the institution that issues the certificate.
CERTIFICATION COST

• How much does an IT certification cost?


COURSE CONTRACT

Attendance: 15%

Assignments: 10%

Midterm exam (UTS): 20%

Tutorial sessions (Responsi): 25%

Final exam (UAS): 30%
SEMESTER I TOPICS

• Introduction To The Management Of Information Security
• Planning For Security
• Planning For Contingencies
• Security Policy
• Developing Security Programs
• Security Management Models and Practices
• Risk Management: Identifying and Assessing Risk
• Risk Management: Assessing and Controlling Risk
• Law and Ethics
BOOK REFERENCES

• Budi Rahardjo, “Keamanan Sistem Informasi Berbasis Internet”, PT Insan
Infonesia, Bandung & PT INDOCISC, Jakarta, 1998-2005
• Michael E. Whitman and Herbert J. Mattord, “Principles of Information
Security”, Vikas Publishing House, New Delhi, 2003
• Micki Krause and Harold F. Tipton, “Handbook of Information Security
Management”, Vol. 1-3, CRC Press LLC, 2004
• Simson Garfinkel, “PGP: Pretty Good Privacy”, O’Reilly & Associates,
Inc., 1995
Schoology.com

Registration steps:
1. Enter the access code for your class
2. Create a user account and verify it via email
3. Sign in from the login menu
4. From the home page, enter the class group
5. On the class group page, download the course material
6. To hand in work, choose "Add File or Assignment", attach the file and
submit it
Introduction To The Management Of
Information Security

A. WHAT IS SECURITY?
B. CIA TRIANGLE
C. NSTISSC SECURITY MODEL
D. WHAT IS MANAGEMENT?
E. PRINCIPLES OF INFORMATION SECURITY MANAGEMENT
Introduction

• The use of information technology has become a very important commodity
• Computer security has grown into information security
• Information security is the responsibility of every member of the
organization, but managers play an important role in security
• It is often difficult to persuade company management or the owners of an
information system to invest in security
Introduction

• According to G. J. Simons, information security is how we prevent
cheating or, at least, detect cheating in an information-based system,
where the information itself has no physical meaning.
• Security does not simply appear; it has to be planned.
• Although it is often seen as a quantity that cannot be measured directly
in money (intangible), the security of an information system can in fact
be measured in monetary (tangible) terms.
Introduction

• Examples of measurements that can be made:
– Calculate the loss if your information system does not work for 1 hour,
1 day, 1 week and 1 month.
– Calculate the loss if there is incorrect information (data) in your
information system.
– Calculate the loss if data is lost, for example how much you lose if the
customer list and invoices disappear from your system.
– Is your company's reputation something that must be protected?
Communities of Interest

A community of interest is a group of individuals who are united by
similar interests or values within an organization and who share a
common goal of helping the organization to meet its objectives.

• There are communities of interest that develop and evolve:
– Information security managers and professionals
– Information technology managers and professionals
– Non-technical business managers and professionals
Information security managers and professionals

• The roles of information security professionals are aligned with the
goals and mission of the information security community of interest.
These job functions and organizational roles focus on protecting the
organization's information systems and stored information from attacks.
Information technology managers and professionals

• The community of interest made up of IT managers and skilled
professionals in systems design, programming, networks, and other
related disciplines has many of the same objectives as the information
security community.
• These job functions and organizational roles focus on supporting
business objectives by supplying appropriate information technology.
Non-technical business managers and professionals

• This large group is almost always made up of subsets of other interests
as well, including executive management, production management, human
resources, accounting, and legal, to name just a few.
• The IT community often categorizes these groups as users of information
technology systems, while the information security community categorizes
them as security subjects.
• These job functions and organizational roles focus on policy and
resources.
Components of Information Security
A. What Is Security?

• Security means “the quality or state of being secure: to be free from
danger” (Merriam-Webster)
• A successful organization should have the following multiple layers of
security in place to protect its operations:
– Physical security, to protect physical items, objects, or areas from
unauthorized access and misuse
– Personnel security, to protect the individual or group of individuals
who are authorized to access the organization and its operations
What Is Security?

– Operations security, to protect the details of a particular operation
or series of activities
– Communications security, to protect communications media, technology,
and content
– Network security, to protect networking components, connections, and
contents
– Information security, to protect the confidentiality, integrity and
availability of information assets, whether in storage, processing, or
transmission. It is achieved via the application of policy, education,
training and awareness, and technology
What Is Information Security (InfoSec)?

• InfoSec means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, or
destruction in order to provide:
– Confidentiality,
– Integrity, and
– Availability.
B. CIA Triangle
Committee on National Security Systems (CNSS)

• CNSS is a US intergovernmental organization that sets policy for the
security of US national security systems, built on the CIA triad.
• CNSS defines information security as the protection of information and
its critical elements, including the systems and hardware used to store
and transmit that information.
C. National Security Telecommunications and Information Systems Security
Committee (NSTISSC)

• The National Security Telecommunications and Information Systems
Security Committee (NSTISSC) was established under National Security
Directive 42 (a US presidential directive), "National Policy for the
Security of National Security Telecommunications and Information
Systems", on 5 July 1990.
• On 16 October 2001, President George W. Bush signed Executive Order
13231, "Critical Infrastructure Protection in the Information Age",
which redesignated the NSTISSC as the Committee on National Security
Systems (CNSS).
NSTISSC Security Model (4011)
Computer Security Aspects

• According to Garfinkel (1995), computer security covers four main
aspects: Privacy, Integrity, Authentication, and Availability.
• Besides these four, two other aspects are often discussed in relation to
electronic commerce: access control and non-repudiation.
Privacy/Confidentiality

• Confidentiality of information ensures that only those with sufficient
privileges may access certain information.
• Privacy concerns data that is private in nature, whereas
• confidentiality usually concerns data handed to another party for a
specific purpose.
• Examples of confidential information are personal data (such as name,
place and date of birth, social security number, religion, marital
status, past illnesses, credit card number, etc.).
Privacy/Confidentiality

• To protect the confidentiality of information, a number of measures are
used:
– Information classification
– Secure document storage
– Application of general security policies
– Education of information custodians and end users
Privacy/Confidentiality

• Threats:
– Hackers
– Masqueraders
– Unauthorized users
– Unprotected download of files
– LANs (unencrypted traffic on a shared network can be captured)
– Trojan horses
Confidentiality model

– Bell-LaPadula (no write down and no read up)
A state machine model used for enforcing access control in government
and military applications. Its simple security property forbids a
subject from reading an object at a higher level (no read up), and its
*-property forbids writing to an object at a lower level (no write down).
It was developed by David Elliott Bell and Leonard J. LaPadula, following
strong guidance from Roger R. Schell, to formalize the U.S. Department of
Defense (DoD) multilevel security (MLS) policy.
Confidentiality model

– Health Insurance Portability and Accountability Act (HIPAA)
Privacy in health care is a very serious topic in the United States.
HIPAA was enacted in 1996; compliance with its Privacy Rule became
mandatory for most covered entities on 14 April 2003.
Hospitals, insurance companies, and other health-related institutions
must guarantee the security and privacy of patient data.
Confidentiality model

– TCSEC (Orange Book)
Trusted Computer System Evaluation Criteria (TCSEC) is a United States
Government Department of Defense (DoD) standard that sets basic
requirements for assessing the effectiveness of computer security
controls built into a computer system.
The TCSEC was used to evaluate, classify and select computer systems
being considered for the processing, storage and retrieval of sensitive
or classified information.
– Trusted Network Interpretation/TNI (Red Book), which applies the TCSEC
criteria to networked systems
Integrity

• Integrity is the quality or state of being whole, complete, and
uncorrupted
• This aspect requires that information must not be changed without the
permission of the information's owner
• Digital signatures (and other cryptographic integrity checks such as
message authentication codes) are used to address this; encryption alone
protects confidentiality and does not by itself detect modification.
Integrity model

– Biba (no write up and no read down)
The strict integrity policy is the dual of Bell-LaPadula: a subject may
not read an object of lower integrity (simple integrity property) and
may not write to an object of higher integrity (*-integrity property).
In the low-water-mark variant, a read of a lower-integrity object is
permitted but lowers the subject's integrity label to that of the object.
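The two lattice models above (Bell-LaPadula on the confidentiality slide and Biba here) share the same label arithmetic, so one added example covers both. This is editor-supplied code, not part of the original slides: the level names, the compartments and the sample subjects and objects are constructed for illustration, and the checks implement the properties stated on the slides, plus Biba's low-water-mark read.

```python
"""Added example (not from the original slides): reference-monitor style
checks for the Bell-LaPadula confidentiality model (no read up, no write
down) and the Biba integrity model (no read down, no write up), including
Biba's low-water-mark variant. The level names, compartments and the sample
subjects/objects are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet

# Totally ordered levels; read as sensitivity for BLP, integrity for Biba.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of compartments (categories)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level and a superset
        of compartments. Labels with disjoint compartments are incomparable,
        so neither dominates the other and every access between them fails."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def blp_allowed(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: simple security property (read requires the subject to
    dominate the object) and *-property (write requires the object to
    dominate the subject)."""
    if op == "read":
        return subject.dominates(obj)   # no read up
    if op == "write":
        return obj.dominates(subject)   # no write down
    raise ValueError(f"unknown operation {op!r}")


def biba_allowed(subject: Label, obj: Label, op: str) -> bool:
    """Strict Biba: the dual of BLP over integrity levels."""
    if op == "read":
        return obj.dominates(subject)   # no read down
    if op == "write":
        return subject.dominates(obj)   # no write up
    raise ValueError(f"unknown operation {op!r}")


def biba_low_water_mark_read(subject: Label, obj: Label) -> Label:
    """Low-water-mark Biba: the read is always permitted, but the subject's
    label is lowered to the greatest lower bound of the two labels, so it
    can no longer write to objects that the tainted data could corrupt."""
    low = min(subject.level, obj.level, key=LEVELS.__getitem__)
    return Label(low, subject.categories & obj.categories)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUC"}))
    public_doc = Label("UNCLASSIFIED")
    print(blp_allowed(analyst, public_doc, "read"))        # True
    print(blp_allowed(analyst, public_doc, "write"))       # False: no write down
    print(biba_allowed(analyst, public_doc, "read"))       # False: no read down
    print(biba_low_water_mark_read(analyst, public_doc))   # demoted to UNCLASSIFIED
```

The same `Label.dominates` serves both models because Biba is BLP with the direction of every check reversed; a real system would keep two separate labels per subject and object (one sensitivity, one integrity) and run both checks.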


Availability

• Availability is the characteristic of information that enables user
access to information without interference or obstruction
Authentication

• Authentication occurs when a control provides proof that a user
possesses the identity that he or she claims
• This aspect concerns the methods used to establish that information is
genuinely authentic, that the person accessing or supplying the
information is really the person intended, or that the server we are
talking to is really the genuine server
• The first problem is proving the authenticity of a document
• The second problem is usually related to access control, i.e.
restricting who may access the information
Authentication

• What you have (e.g. an ATM card)
• What you know (e.g. a PIN or password)
• What you are (e.g. a fingerprint or other biometric)
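As an added example of combining two of these factors (it is not code from the original slides), the login check below verifies "what you know" as a salted PBKDF2 password hash and "what you have" as a time-based one-time password per RFC 6238, the scheme used by authenticator apps and hardware tokens. The user record, the password and the TOTP secret are constructed for illustration; the secret is the RFC 6238 reference test key so the codes can be checked against the published vectors.

```python
"""Added example (not from the original slides): a login check that combines
"what you know" (a password stored as a salted PBKDF2 hash) with "what you
have" (a TOTP code per RFC 6238). The user record, password and TOTP secret
are constructed for illustration."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

PBKDF2_ROUNDS = 600_000  # OWASP (2023) guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current time step plus/minus `window` steps to absorb clock drift."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    counter = at // step
    return any(hmac.compare_digest(hotp(key, counter + d, digits), code)
               for d in range(-window, window + 1))


def login(user: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated so that the response
    time does not reveal which factor was wrong."""
    now = int(time.time()) if now is None else now
    ok_know = verify_password(password, user["salt"], user["pw_hash"])
    ok_have = verify_totp(user["totp_secret"], code, now)
    return ok_know and ok_have


# Constructed sample user. The salt is fixed only so the example is
# reproducible; production code must let hash_password() generate it.
DEMO_SECRET = b"12345678901234567890"  # RFC 6238 reference test key
DEMO_SALT, DEMO_HASH = hash_password("correct horse battery staple", b"\x00" * 16)
DEMO_USER = {"salt": DEMO_SALT, "pw_hash": DEMO_HASH, "totp_secret": DEMO_SECRET}

if __name__ == "__main__":
    now = 59
    print(login(DEMO_USER, "correct horse battery staple", totp(DEMO_SECRET, now), now))  # True
    print(login(DEMO_USER, "wrong password", totp(DEMO_SECRET, now), now))                # False
    print(login(DEMO_USER, "correct horse battery staple", "000000", now))                # False
```

The TOTP secret must be stored with the same care as the password hash (it is a shared secret, not a hash), and a server should also remember the last accepted counter so the same code cannot be replayed within the drift window.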
D. What Is Management?

• Management is the process of achieving objectives using a given set of
resources
• A manager is “someone who works with and through other people by
coordinating their work activities in order to accomplish organizational
goals.”
Managerial Roles

• A manager has many roles to play within organizations, including the
following:
– Informational role: collecting, processing, and using information to
achieve the objective
– Interpersonal role: interacting with superiors, subordinates, outside
stakeholders, and others
– Decisional role: selecting from alternative approaches and resolving
conflicts, dilemmas, or challenges
Differences Between Leadership and Management

• The leader influences employees so that they are willing to accomplish
objectives.
• He or she is expected to lead by example and demonstrate personal traits
that instill a desire in others to follow
• Leadership provides purpose, direction, and motivation to those that
follow
• A manager administers the resources of the organization, budgets, and
authorizes expenditure
Characteristics of a Leader

Leadership traits used by the US military:
• Bearing – appearance and how one carries oneself
• Courage – proceeding in the face of adversity
• Decisiveness – making and expressing decisions in a clear and
authoritative manner
• Dependability – performing and completing tasks in a reliable and
predictable manner
• Endurance – withstanding mental, physical, and emotional hardship
• Enthusiasm – displaying sincere interest in and exuberance for the
accomplishment of tasks
• Initiative – identifying and accomplishing tasks in the absence of
specific guidance
• Integrity – being of sound moral fiber and good ethical worth
• Judgment – using sound personal decision making to determine
effective and appropriate solutions
• Justice – being impartial and fair in exercising authority
• Knowledge – possessing a base of information gained through
experience or education
• Loyalty – expressing open support and faithfulness to one’s
organization and fellow employees
• Tact – dealing with a situation without undue personal bias or
creating offense
• Unselfishness – performing duties by placing the welfare of others
and the accomplishment of the mission first
Action plan for improvement of leadership abilities:
• Know yourself and seek self-improvement.
• Be technically and tactically proficient.
• Seek responsibility and take responsibility for your actions.
• Make sound and timely decisions.
• Set the example.
• Know your [subordinates] and look out for their wellbeing.
• Keep your subordinates informed.
• Develop a sense of responsibility in your subordinates.
• Ensure the task is understood, supervised, and accomplished.
• Build the team.
• Employ your [team] in accordance with its capabilities.
Leadership quality and types

As a leader you must:
– BE a person of strong and honorable character; committed to
professional ethics; an example of individual values; and able to
resolve complex ethical dilemmas.
– KNOW the details of your situation, the standards to which you work,
yourself, human nature, and your team.
– DO by providing purpose, direction, and motivation to your teams.
Characteristics of Management

Two well-known approaches to management:
– Traditional management theory using the principles of Planning,
Organizing, Staffing, Directing, and Controlling (POSDC)
– Popular management theory grouping the principles of management into
Planning, Organizing, Leading, and Controlling (POLC)
Characteristics of Management
Planning

The process that develops, creates, and implements strategies for the
accomplishment of objectives is called planning.
• Three levels of planning:
– Strategic planning occurs at the highest levels of the organization
and for a longer period of time, usually five or more years.
– Tactical planning focuses on production planning and integrates
organizational resources at a level below the entire enterprise and
for an intermediate duration (such as one to five years).
– Operational planning focuses on the day-to-day operation of local
resources, and occurs in the short or immediate term.
Organization

The structuring of resources to support the accomplishment of objectives
is called organizing.
Organizing tasks requires determining what is to be done, in what order,
by whom, by which methods, and according to what timeline.
Leadership

• Leadership encourages the implementation of the planning and organizing
functions. It includes supervising employee behavior, performance,
attendance, and attitude.
• Leadership generally addresses the direction and motivation of the
human resource
Control

• Monitoring progress toward completion, and
• Making necessary adjustments to achieve the desired objectives.
• The controlling function determines what must be monitored as well as
using specific control tools to gather and evaluate information
Control Tools

• There are four categories of control tools:
– Information control tools
– Financial control tools (ROI, CBA, ...)
– Operational control tools (PERT, Gantt, process flow)
– Behavioral control tools (human resources)
Controlling Process
Solving Problems

Step 1: Recognize and Define the Problem
Step 2: Gather Facts and Make Assumptions
Step 3: Develop Possible Solutions
Step 4: Analyze and Compare the Possible Solutions
Step 5: Select, Implement, and Evaluate a Solution
Feasibility Analyses

• To review economic feasibility, you compare the costs and benefits of
possible solutions.
• To review technological feasibility, you address the organization's
ability to acquire the technology needed to implement a candidate
solution.
• To review behavioral feasibility, you assess a candidate solution
according to the likelihood that subordinates will adopt and support the
solution, rather than resisting it.
• To review operational feasibility, you assess the organization's ability
to integrate a candidate solution into its current business processes.
E. Principles Of Information Security Management

• Because information security management is charged with taking
responsibility for a specialized program, certain characteristics of its
management are unique to this community of interest.
• The extended characteristics of information security management are
known as the six Ps:
– Planning
– Policy
– Programs
– Protection
– People
– Project Management
InfoSec Planning

• Included in the InfoSec planning model are activities necessary to
support the design, creation, and implementation of information security
strategies as they exist within the IT planning environment.
Several types of InfoSec plans exist:

• Incident response
• Business continuity
• Disaster recovery
• Policy
• Personnel
• Technology rollout
• Risk management and
• Security program including education, training and awareness
InfoSec Policy

The set of organizational guidelines that dictates certain behavior
within the organization is called policy.
• In InfoSec, there are three general categories of policy:
– General program policy (Enterprise Information Security Policy, EISP)
– Issue-specific security policy (ISSP), e.g. email use, internet use
– System-specific security policies (SysSPs), e.g. the access control
list (ACL) for a device
Programs

• Specific entities managed in the information security domain.
• A Security Education, Training and Awareness (SETA) program is one such
entity.
• Other programs that may emerge include a physical security program,
complete with fire protection, physical access control, gates, guards,
and so on.
Protection

• The protection function is executed via a set of risk management
activities, including risk assessment and control, as well as protection
mechanisms, technologies, and tools.
• Each of these mechanisms represents some aspect of the management of
specific controls in the overall information security plan.
People

• People are the most critical link in the information security program
• This aspect of InfoSec includes security personnel and the security of
personnel, as well as aspects of the SETA program mentioned earlier.
Project Management

• The final component is the application of thorough project management
discipline to all elements of the information security program.
• This effort involves identifying and controlling the resources applied
to the project, as well as measuring progress and adjusting the process
as progress is made toward the goal.
