Keamanan Sistem Informasi

Program (ISMS)

JURUSAN SISTEM INFORMASI

FAKULTAS ILMU KOMPUTER
Pengenalan
• Beberapa organisasi menggunakan security
program
– Untuk menggambarkan keseluruhan
personel, perencanaan, policy, dan inisiasi
yang berkaitan dengan INFOSEC
• Information security program
– Disini digunakan untuk menggambarkan
struktur dan upaya sebuah organisasi
yang berisikan resiko terahadap aset
informasi organisasi tersebut
Pacu Putra, B.CS., M.Comp.Sc. 2
• Beberapa variabel yang mempengaruhi
struktur program INFOSEC sebuah
organisasi:
– Organizational culture
– Size
– Security personnel budget
– Security capital budget

Pacu Putra, B.CS., M.Comp.Sc. 3

Security in large organization
• Information security departments in large
organizations cenderung untuk
membentuk dan membentuk ulang grup
internal agar dapat mencapai tantangan
jangka panjang, meskipun dihandle
dengan day-to-day operation
• Lain halnya dengan organisasi yang lebih
kecil, mereka membuat beberapa grup
kecil, atau bahkan hanya memiliki satu
specialist grup
Pacu Putra, B.CS., M.Comp.Sc. 4
Staffing in very large Organization

Pacu Putra, B.CS., M.Comp.Sc. 5

Staffing in Large Organization

Pacu Putra, B.CS., M.Comp.Sc. 6

Staffing in Medium Organization

Pacu Putra, B.CS., M.Comp.Sc. 7

Pacu Putra, B.CS., M.Comp.Sc. 8
• Project Leader
• System Analyst
• Programmer

Pacu Putra, B.CS., M.Comp.Sc. 9

Implementing SETA Program
• SETA program:
– Dibuat untuk mengurangi kejadian yang melanggar
keamanan (security)
• Program SETA terdiri dari 3 elemen:
– security education
– security training
– security awareness
• Terdapat dua manfaat utama dari SETA:
– Memperbaiki perilaku (behavior) pegawai
– Mengizinkan organisasi untuk memegang tanggung
jawab pegawai terhadap apa yang mereka lakukan

Pacu Putra, B.CS., M.Comp.Sc. 10

Tujuan SETA
• The purpose of SETA is to enhance security:
– By building in-depth knowledge, as
needed, to design, implement, or operate
security programs for organizations and
systems
– By developing skills and knowledge so
that computer users can perform their
jobs while using IT systems more securely
– By improving awareness of the need to
protect system resources
Pacu Putra, B.CS., M.Comp.Sc. 11
SETA Framework

Pacu Putra, B.CS., M.Comp.Sc. 12

Security Training
• Security training melibatkan pemberitahuan informasi secara
detain dan instruksi agar dapat memberikan skill kepada user
agar mereka dapat melakukan tugasnya dengan aman
(secure)
• Terdapat dua metode kostumisasi training:
• Functional background:
– General user
– Managerial user
– Technical user
• Skill level:
– Novice
– Intermediate
– Advanced

Pacu Putra, B.CS., M.Comp.Sc. 13

Training Technique
• Salah menggunakan Metode, dapat:
– Mengganggu penyampaian pengetahuan
– Mengarah kepada pemborosan biaya dan
kegagalan, peserta training yang sangat buruk
• Good training programs:
– Gunakan teknologi pembelajaran terupdate dan
terbaik
– Hindari berkaitan dengan training pada umumnya
– Hindari penggunaan kuota
– Gunakan modul pelatihan yang singkat dan task-
oriented dan sesi yang konsisten
Pacu Putra, B.CS., M.Comp.Sc. 14
Security Awareness
• Security awareness program:
– Hal yang paling jarang diimplementasikan,
tetapi merupakan security method yang paling
efektif
• Security awareness programs:
– Buat tahap pelatihan dengan mengubah
kebiasaan dalam organisasi demi mewujudkan
kepentingan keamanan dan konsekuensi
kerugian dari kegagalan
– Mengingatkan pegawai megenai prosedur
yang harus diikuti
Pacu Putra, B.CS., M.Comp.Sc. 15
• When developing an awareness program:
– Focus on people
– Refrain from using technical jargon
– Use every available venue
– Define learning objectives, state them clearly, and provide
sufficient detail and coverage
– Keep things light
– Don’t overload the users
– Help users understand their roles in InfoSec
– Take advantage of in-house communications media
– Make the awareness program formal; plan and document all
actions
– Provide good information early, rather than perfect information
late

Pacu Putra, B.CS., M.Comp.Sc. 16

Awareness Training
• Information security is a people, rather than a
technical, issue
• If you want them to understand, speak their language
• If they cannot see it, they will not learn it
• Make your point so that you can identify it and so can
they
• Never lose your sense of humor
• Make your point, support it, and conclude it
• Always let the recipients know how the behavior that
you request will affect them
• Ride the tame horses
• Formalize your training methodology
• Always be timely, even if it means slipping schedules
to include urgent information
Pacu Putra, B.CS., M.Comp.Sc. 17
Employee Behavior & Awareness
• Security awareness and training dibuat
untuk memperbaiki tingkah laku pegawai
yang mengancam keamanan informasi
dari organisasi
• Kegiatan Security training and awareness
dapat menjadi rusak, jika pihak
management tidak memberikan contoh
yang baik

Pacu Putra, B.CS., M.Comp.Sc. 18

Awareness Technique
• Awareness dapat berbeda bentuk untuk
khalayak umum
• Security awareness program dapat
menggunakan erbagai macam metode dalam
menyampaikan pesan atau informasi
• Program Security Awareness yang efektif harus
di desain menjadi sebuah pengakuan bahwa
orang cenderung utuk berlatih (acclimation)
• Awareness techniques harus kreatif dan sering
berubah

Pacu Putra, B.CS., M.Comp.Sc. 19

Developing awareness
• Beberapa komponen security awareness bersifat no cost
– little, beberapa yang lain bersifat sangat mahal
• Komponen Security awareness antara lain:
– Videos
– Posters and banners
– Lectures and conferences
– Computer-based training
– Newsletters
– Brochures and flyers
– Trinkets (coffee cups, pens, pencils, T-shirts)
– Bulletin boards

Pacu Putra, B.CS., M.Comp.Sc. 20

Security Newspaper
• Security newsletter: cost-effective way to
disseminate security information
– In the form of hard copy, e-mail, or intranet
– Topics can include threats to the organization’s
information assets, schedules for upcoming security
classes, and the addition of new security personnel
• Goal:
– keep information security uppermost in users’ minds
and stimulate them to care about security

Pacu Putra, B.CS., M.Comp.Sc. 21

Cont’d
• Newsletters might include:
– Summaries of key policies
– Summaries of key news articles
– A calendar of security events, including
training sessions, presentations, and
other activities
– Announcements relevant to information
security
– How-to’s

Pacu Putra, B.CS., M.Comp.Sc. 22

Security Poster
• Security poster series can be a simple and
inexpensive way to keep security on people’s
minds
• Professional posters can be quite expensive, so
in-house development may be best solution
• Keys to a good poster series:
– Varying the content and keeping posters updated
– Keeping them simple, but visually interesting
– Making the message clear
– Providing information on reporting violations

Pacu Putra, B.CS., M.Comp.Sc. 23

Security Poster

Pacu Putra, B.CS., M.Comp.Sc. 24

Trinket Program
• Trinkets may not cost much on a per-unit basis,
but they can be expensive to distribute
throughout an organization
• Several types of trinkets are commonly used:
– Pens and pencils
– Mouse pads
– Coffee mugs
– Plastic cups
– Hats
– T-shirts

Pacu Putra, B.CS., M.Comp.Sc. 25

Pacu Putra, B.CS., M.Comp.Sc. 26
Information Security Awareness Website

• Organizations can establish Web pages or

sites dedicated to promoting information
security awareness
• As with other SETA awareness methods,
the challenge lies in updating the
messages frequently enough to keep them
fresh

Pacu Putra, B.CS., M.Comp.Sc. 27

• Some tips on creating and maintaining an
educational Web site are provided here:
• See what’s already out there
• Plan ahead
• Keep page loading time to a minimum
• Seek feedback
• Assume nothing and check everything
• Spend time promoting your site

Pacu Putra, B.CS., M.Comp.Sc. 28

Security Awareness Conference
• Another means of renewing the
information security message is to have a
guest speaker or even a mini-conference
dedicated to the topic

Pacu Putra, B.CS., M.Comp.Sc. 29

THANK YOU

Pacu Putra, B.CS., M.Comp.Sc. 30