
Overview of IS Security & Risk Management
IS Security & Risk Management / Rini A
References
1. National Institute of Standards and Technology. Generally Accepted Principles and Practices for Securing Information Technology Systems. Special Publication 800-14. September 1996.
2. National Institute of Standards and Technology. Risk Management Guide for Information Technology Systems. Special Publication 800-30. July 2002.
3. Dr Jacqueline Jeynes PhD MBA. Risk Management: 10 Principles. 2002.
4. Information Security and Risk Management. (ISC) - ISACA.
5. IT Security Handbook. The World Bank Group, 2003.
What is “Risk”?
• Risk is the probability of a vulnerability being
exploited in the current environment, leading to a
degree of loss of confidentiality, integrity, or
availability, of an asset. (Microsoft)
Golden and Silver Rules of RM
• All risk is owned!
• Risk that is not assigned is owned by the organization’s Director.
Who Wants to Help You?
Definition of Risk
According to Emmett J. Vaughan and Curtis M. Elliott, risk is:
• The chance of loss
• The possibility of loss
• Uncertainty
• The dispersion of actual from expected result
• The probability of any outcome different from the one expected
Definition of Risk
• Any possible negative deviation from the desired or expected result, or risk as a possibility of loss
• Concerns situations in which there is a possibility of an unfavorable outcome
• The potential for events that can cause loss
Degree of Risk
• The degree of risk is a measure of whether a risk is larger or smaller. If risk is understood as uncertainty, the greatest risk arises when there are two possible outcomes that are equally likely to occur.
Classification of Risk
• Measurable risk and non-measurable risk
• Financial risk and non-financial risk
• Static risk and dynamic risk
• Fundamental risk and particular risk
• Pure risk and speculative risk
Classification of Pure Risk
a. Personal risk
b. Property risk
c. Liability risk
d. Risk arising from the fault of others
What is Risk Management?
• The total process of identifying, controlling, and minimizing information system related risks to a level commensurate with the value of the assets protected.
• The goal of a risk management program is to protect the organization and its ability to perform its mission from IT-related risk.
Definition of Risk Management
• The process of managing risk, covering the identification, evaluation, and control of risks that could threaten the continuity of the company’s business or activities.
• A structured approach/methodology for managing the uncertainty associated with threats; a series of human activities including risk assessment, development of strategies to manage it, and risk mitigation through the deployment/management of resources.
Risk in Risk Management
Classified into:
• Operational risk
• Hazard risk
• Financial risk
• Strategic risk
Basel II gives direction for operational risk management
• What is meant by operational risk?
• What falls within the scope of operational risk?
• Identifying operational risk: what could go wrong?
• Measuring operational risk: roughly how large a loss could arise?
• Preventing operational losses: establishing standard systems and documentation.
• Mitigating impact.
• Risk transfer: how much risk is the organization willing to retain itself, hedge, or insure?
• Capital allocation to cover operational risk.
Events That Give Rise to Operational Risk
• Frequency: how often an event occurs
• Impact: how large a loss results from the event that occurs
Categories of operational risk events
• Low frequency/low impact
• Low frequency/high impact
• High frequency/low impact
• High frequency/high impact
Focus of Operational Risk Management
• Low frequency/high impact
• High frequency/low impact
FRAMEWORK RISK MANAGEMENT
OUTLINE
I. Introduction
II. Generally Accepted System Security Principles
III. Common IT Security Practices
IV. Risk Management
V. Common IT Security Practices (continuation)
I. Introduction
1. Principles
2. Practices
3. Relationship of Principles and Practices
II. Generally Accepted System Security Principles 1 of 2
1. Computer Security Supports the Mission of Organization.
2. Computer Security is an Integral Element of Sound
Management.
3. Computer Security should be Cost-Effective.
4. System Owners have Security Responsibility Outside their
own Organization.
II. Generally Accepted System
Security Principles 2 of 2
5. Computer Security Responsibilities and Accountability
should be made Explicit.
6. Computer Security requires a Comprehensive and
Integrated Approach.
7. Computer Security should be Periodically Reassessed.
8. Computer Security is constrained by Societal Factors.
III. Common IT Security
Practices
1. Policy
 Program Policy
 Issue-Specific Policy
 System-Specific Policy
 All Policies
2. Program Management.
 Central Security Program
 System-Level Program
3. Risk Management.
 Risk Assessment
 Risk Mitigation
 Evaluation and Assessment
IV. Risk Management
1. Risk Assessment
 9 Steps Methodology
2. Risk Mitigation
 Approach for Control Implementation
 Control Categories
 Cost Benefit Analysis
 Residual Risk
3. Evaluation and Assessment
 Good Security Practice
 Keys for Success
V. Common IT Security
Practices (continuation) 1 of 3
4. Life Cycle Planning
 Security Plan
 Initiation Phase
 Development/Acquisition Phase
 Implementation Phase
 Operation/Maintenance Phase
 Disposal Phase
5. Personnel/User Issues.
 Staffing
 User Administration
V. Common IT Security
Practices (continuation) 2 of 3
6. Preparing for Contingencies and Disasters.
 Business Plan
 Identify Resources
 Develop Scenarios
 Develop Strategies
 Test and Revise Plan
7. Computer Security Incident Handling
 Uses of a Capability
 Characteristics
8. Awareness and Training.
9. Security Consideration in Computer Support and
Operations.
10. Physical and Environmental Security
V. Common IT Security
Practices (continuation) 3 of 3
11. Identification and Authentication
 Identification
 Authentication
 Passwords
 Advanced Authentication
12. Logical Access Control
 Access Criteria
 Access Control Mechanism
13. Audit Trails
 Contents of Audit Trail Records
 Audit Trail Security
 Audit Trail Reviews
 Keystroke Monitoring
14. Cryptography
References
1. National Institute of Standards and Technology. Generally Accepted Principles and Practices for Securing Information Technology Systems. Special Publication 800-14. September 1996.
2. National Institute of Standards and Technology. Risk Management Guide for Information Technology Systems. Special Publication 800-30. July 2002.
I. Introduction
 Sharing information electronically
 Common understanding
 Securing information technology (IT) resources
 The content of this lecture provides :
 A baseline to establish and review the IT security programs.
 A foundation that can be referenced when conducting multi-
organizational business as well as internal business.
 The basic security requirements most IT systems should contain.
1.1 Principles
 The System Security Principles are the intrinsic
expectations that must be met to secure IT systems.
 The Principles address computer security from a very
high-level viewpoint.
 The Principles encompass broad areas:
 Accountability
 Cost effectiveness
 Integration
 The Principles are to be used when :
 Developing computer security programs and policy.
 Creating new systems, practices or policies.
1.2 Practices
 The common IT security practices that are in general use today.
 The Practices :
 Guide organizations on
o the type of controls,
o objectives and
o procedures
 that comprise an effective IT security program.
 Show what should be done
o to enhance an existing computer security program
o to measure an existing computer security program
o to aid in the development of a new program
 Provide a common ground for determining the security of an organization
 Build confidence when conducting multi-organizational business.
 The Practices should be augmented with additional practices
based on each organization’s unique needs.
1.3 Relationship of Principles
and Practices
 The nature of the relationship between the principles and the
practices varies :
 In some cases, practices are derived from one or more principles,
 In other cases practices are constrained by principles.
 The principles provide the foundation for a sound computer
security program.
II. Generally Accepted System
Security Principles
 The principles are generally accepted.
 The principles are those most commonly used at present to secure IT resources.
 The principles are not new to the security profession.
 They are based on the premise that almost everyone applies them when developing or maintaining an IT system.
 The eight principles contained in this lecture provide an anchor on
which the IT community should base their IT security programs.
 These principles are intended to guide IT personnel when creating
new systems, practices, or policies.
 They are not designed to produce specific answers.
 The principles should be applied as a whole, pragmatically and
reasonably.
2.1 Computer Security Supports the
Mission of the Organization 1 of 4
 The purpose of computer security is to protect an
organization’s valuable resources :
 Information
 Hardware
 Software
 Through selection and application of appropriate
safeguards, security helps the organization’s mission
by protecting :
 Physical resources
 Financial resources
 Reputation
 Legal position
 Employees
 Other tangible and intangible assets.
2.1 Computer Security Supports the
Mission of the Organization 2 of 4
 Security is sometimes viewed as thwarting the mission of the organization by imposing poorly selected, bothersome rules and procedures on users, managers, and systems.
 Well chosen security rules and procedures do not
exist for their own sake, but :
 Protect important assets
 Support the overall organizational mission.
 For example :
 Security ought to increase the firm’s ability to make a profit.
 Security ought to help improve the service provided to the citizen.
2.1 Computer Security Supports the
Mission of the Organization 3 of 4
 How to act on this?
 Managers need to understand :
 Their organizational mission
 How each information system supports that mission.
 After a system’s role has been defined, the security
requirements implicit in that role can be defined.
 Security can then be explicitly stated in terms of the
organization’s mission.
2.1 Computer Security Supports the
Mission of the Organization 4 of 4
 The roles and functions of a system may not be restricted to a
single organization.
 In an interorganizational system, each organization benefits
from securing the system.
 For example :
 For electronic commerce to be successful, each participant requires
security controls to protect their resources.
2.2 Computer Security is an Integral
Element of Sound Management 1 of 2
 Information and IT systems are often critical assets
that support the mission of an organization.
 Protecting them can be as important as protecting
other organizational resources :
 Money
 Physical assets
 Employees
 Security does not completely eliminate the possibility that these assets will be harmed.
 Organization managers have to decide what level of
risk they are willing to accept, taking into account the
cost of security controls.
2.2 Computer Security is an Integral
Element of Sound Management 2 of 2
 The management of information and computers may
transcend organizational boundaries.
 When an organization’s information and IT systems
are linked with external systems, management’s
responsibilities extend beyond the organization.
 This requires that management :
 Know what general level or type of security is employed on the
external system(s)
 Seek assurance that the external system provides adequate
security for their organization’s need.
2.3 Computer Security Should
be Cost-Effective 1 of 4
 The costs and benefits of security should be carefully
examined in both monetary and non monetary terms
to ensure that the cost of controls does not exceed
expected benefits.
 Security should be appropriate and proportionate to:
 The value of the IT systems.
 The degree of reliance on the IT systems.
 The severity of potential harm.
 The probability of potential harm.
 The extent of potential harm.
 Requirements for security vary, depending upon the
particular IT system.
2.3 Computer Security Should
be Cost-Effective 2 of 4
 Security is a smart business practice.
 By investing in security measures, an organization can reduce :
 The frequency of computer security-related losses.
 The severity of computer security-related losses.
 For example :
 An organization may estimate that it is experiencing significant losses per
year in inventory through fraudulent manipulation of its IT system.
 Security measures, such as an improved access control system, may
significantly reduce the loss.
2.3 Computer Security Should
be Cost-Effective 3 of 4
 A sound security program can :
 Thwart hackers.
 Reduce the frequency of viruses.
 Eliminating these kinds of threats can:
 Reduce unfavorable publicity.
 Increase morale.
 Increase productivity.
 Security measures do have both:
 Direct costs
 Indirect costs
2.3 Computer Security Should
be Cost-Effective 4 of 4
 Direct costs :
 Purchasing security measures.
 Installing security measures.
 Administering security measures.
 Security measures :
 Access control software.
 Fire suppression systems.
 etc.
 Indirect costs:
 Effect on system performance.
 Effect on employee morale.
 Effect on retraining requirements.
 In some cases, these additional costs may well exceed the initial cost of
the control.
 Solutions to security problems should not be chosen if they cost more, in
monetary or non monetary terms, directly or indirectly, than simply
tolerating the problem.
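As an added worked example (not from the slides or the NIST publications they cite), the following Python models an event by the frequency and impact defined on the operational-risk slides, places it in one of the four frequency/impact cells, and applies the cost-effectiveness rule above: a control is adopted only when the expected annual loss it removes exceeds its direct plus indirect costs, otherwise tolerating the problem is cheaper. The thresholds, cost figures and reduction fractions are constructed assumptions, not data from the slides.

```python
from dataclasses import dataclass

@dataclass
class RiskEvent:
    name: str
    frequency_per_year: float   # how often the event occurs (events / year)
    impact_per_event: float     # loss per occurrence (monetary units)

    def expected_annual_loss(self) -> float:
        # frequency x impact: the expected loss per year before any control
        return self.frequency_per_year * self.impact_per_event

    def category(self, freq_threshold: float, impact_threshold: float) -> str:
        # thresholds are assumed values placing the event in one of the slides' four cells
        freq = "high" if self.frequency_per_year >= freq_threshold else "low"
        impact = "high" if self.impact_per_event >= impact_threshold else "low"
        return f"{freq} frequency/{impact} impact"

@dataclass
class Control:
    name: str
    direct_costs: dict          # purchase, install, administer (per year)
    indirect_costs: dict        # performance, morale, retraining (per year)
    frequency_reduction: float  # fraction of occurrences prevented, 0..1
    impact_reduction: float     # fraction of per-event loss avoided, 0..1

    def annual_cost(self) -> float:
        return sum(self.direct_costs.values()) + sum(self.indirect_costs.values())

def residual_annual_loss(event: RiskEvent, control: Control) -> float:
    # expected loss that remains once the control has cut frequency and/or impact
    residual_freq = event.frequency_per_year * (1 - control.frequency_reduction)
    residual_impact = event.impact_per_event * (1 - control.impact_reduction)
    return residual_freq * residual_impact

def evaluate_control(event: RiskEvent, control: Control) -> dict:
    # benefit is the drop in expected annual loss; adopt only if it exceeds the
    # control's total cost, otherwise tolerating the problem is the cheaper choice
    benefit = event.expected_annual_loss() - residual_annual_loss(event, control)
    cost = control.annual_cost()
    return {"benefit": benefit, "cost": cost, "net": benefit - cost, "adopt": benefit > cost}

# Constructed sample figures for the slides' inventory-fraud scenario (not real data).
INVENTORY_FRAUD = RiskEvent("fraudulent inventory manipulation", 12, 5000)
ACCESS_CONTROL = Control("improved access control",
    {"purchase": 10000, "install": 3000, "administer": 6000},
    {"performance": 2000, "morale": 1000, "retraining": 4000}, 0.75, 0.0)
GOLD_PLATED = Control("gold-plated monitoring suite",
    {"purchase": 50000, "install": 8000, "administer": 12000},
    {"performance": 6000, "morale": 3000, "retraining": 5000}, 0.9, 0.5)
```

Calling evaluate_control(INVENTORY_FRAUD, ACCESS_CONTROL) recommends adoption (benefit 45000 against cost 26000), while the gold-plated option removes more loss but costs more than it saves and is rejected.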
2.4 System Owners have Security Responsibility
outside their own Organizations
 If a system has external users, its owners have a responsibility to share appropriate knowledge about:
 The existence of security measures.
 The general extent of security measures.
 So that other users can be confident that the system is adequately secure.
 It implies that system owners should inform their
clients or users about the nature of the security.
 Moreover, organization managers should act in a
timely, coordinated manner to prevent and to
respond to breaches of security to help prevent
damage to others.
2.5 Computer Security Responsibilities and
Accountability should be made Explicit 1 of 2
 The responsibility and accountability of:
 Owners of IT systems
 Providers of IT systems
 Users of IT systems
 Other parties
 concerned with the security of IT systems should be explicit.
 Responsibility means :
 Obligations
 Expected behavior
 Accountability generally refers to the ability to hold people
responsible for their actions.
 Explicit means that people and other entities (such as corporations or
governments) have responsibility and accountability related to IT
systems which may be shared.
2.5 Computer Security Responsibilities and
Accountability should be made Explicit 2 of 2
 Other parties may include, but are not limited to:
 Executive management
 Programmers
 Maintenance providers
 Information system managers : software managers, operation
managers, and network managers
 Software development managers
 Managers charged with security of information systems
 Internal and external information system auditors.
 Depending on the size of the organization, the
computer security program may be large or small.
 Even small organizations can prepare a document that
states organization policy and makes explicit computer
security responsibilities.
2.6 Computer Security Requires a Comprehensive
and Integrated Approach 1 of 3
 Effective computer security requires a comprehensive approach that considers a variety of areas:
 Within the computer security field
 Outside of the computer security field.
 This comprehensive approach extends throughout the entire
information life cycle.
 To work effectively, security controls often depend upon the proper
functioning of other controls.
 Many such interdependencies exist.
 If appropriately chosen :
 Managerial controls
 Operational controls
 Technical controls
 Can work together synergistically.
Next week: Framework Risk Management
Thank you
