Defining IS Security Management Aspects for a Special Organisation Combating Money Laundering Crime
Information Security System Management
The Challenges in Implementing IT Governance Practices in PPATK
© Richardus Eko Indrajit 2
Phenomena and Challenges of Globalisation
Electronic cross-border business
Products and services in digital format and packaging
Accelerating transaction speed in 24/7 mode
Convergence of manual and automated processes
Multi-currency exchange and payment models
Complex interaction among networks of business institutions
The commoditisation of diverse trading entities
Governance of resources in a global ecosystem
OPPORTUNITIES or THREATS ???
A "Simple" Case
A Mongolian citizen buys an electronic article by an Indian author through an e-commerce site owned by an Indonesian entrepreneur and hosted on a server in Hong Kong; payment is made electronically while the buyer is in transit at Singapore airport, using a credit card issued by an Australian bank, denominated in US dollars, which will later be debited directly from one of his savings accounts in Switzerland…
Transaction Framework Platform
Ecommerce Ebusiness Eprocurement
Etrading Epayment Edocuments
Emoney Emarket Econsumers
The Digitalisation of Trade
Convergence of Financial Services
[Diagram: the financial services core (Bank, Insurance, Multi Finance, Stock Exchange) surrounded by the sectors it serves: Real Estate, Consumer Goods Manufacture, Telecom., Utility, Services, Transport., Agriculture, Mining, Education, Government, Infrastructure, Entertainment, Media, Retail, R&D, Others]
Financial Services as Business Infrastructure
[Diagram: the same financial services core (Bank, Insurance, Multi Finance, Stock Exchange) as the infrastructure underlying Healthcare, Telecom, Utility, Retail, Manufacture, Education, Transport., Agriculture, Trade, Government, Defense, Food, Entertainment, High-Tech, Media, Hospitality, Services, Consumers, Aerospace, Real Estate, Pharmacy and Others]
Financial Crime through Technology
What does the FBI say about companies:
– 91% have detected employee abuse
– 70% indicate the Internet as a frequent attack point
– 64% have suffered financial losses
– 40% have detected attacks from outside
– 36% have reported security incidents
Source: FBI Computer Crime and Security Survey 2001
"Money Laundering" in the Global System
Virtual business entities
Fictitious electronic transactions
Virtual financial service providers
File-based products or services
Documents in digital format
Money in the form of information
A variety of innovative business models
SUPER-COMPLEX TYPOLOGY
NP Complete Algorithm
PPATK's Big Challenge
[Diagram, repeated four times in the extraction: Bank A, Bank B and Bank C, each with the same internal structure (Money Units, Credit Units, Invest Units, Insure Units; delivery channels: Branch Network, ATM NW, E-Bank, CC, Phone; Centralized Processing), all connected through shared Service Providers]
Information
>>> Entities >>> Frequency >>> Volume >>> Variety >>> Complexity >>> Digital >>> Speed
Mandate for PPATK
"Preventing and eradicating the crime of money laundering…"
Law (UU) No.15, 2002; Law (UU) No.25, 2003
Bank Indonesia Regulation No.4/8/PBI/2002
Director General of Customs and Excise Regulation No.01/PBC/2005
Decree of the Head of PPATK No.21/KEP.PPATK/2003
Presidential Decrees (Keppres) RI No.81/2003 and No.82/2003
Presidential Decrees (Keppres) RI No.1/2004 and No.3/2004
Law (UU) No.7, 2006
UNCAC Resolution 2003
UN Convention 2003, etc.
PPATK's Basic Duties (Article 26)
Collect, store, analyse and evaluate information
Monitor the bookkeeping records of financial service providers (PJK)
Prepare guidelines on procedures for reporting suspicious financial transactions
Provide advice and assistance regarding the information obtained
Prepare guidelines and publications for PJK about their obligations
Provide recommendations to the government
Report the results of financial transaction analysis
Prepare and deliver periodic reports
Provide information to the public
PPATK Organisational Model
PPATK is an information-based, or rather knowledge-based, organisation
– Information is a highly valuable asset because it is the basic source of knowledge and decision-making.
– The quality of the information held will largely determine PPATK's performance.
– Every problem related to gathering, storing, organising, processing, sorting, retrieving and distributing information is an important organisational issue that must be answered.
– "As INFORMATION becomes a part of the problem, INFORMATION MANAGEMENT is a part of the solution…"
Information Categorisation
Source : Internal vs. External
Nature : Formal vs. Informal
Period : Periodic vs. Ad-Hoc
Content : General vs. Detailed
Format : Structured vs. Unstructured
Type : Paper vs. Digital File
Context : Static vs. Dynamic
Risk on Information Quality !!! GATHER – STORE – ORGANISE – PROCESS – ACCESS – TRANSFER – DISTRIBUTE
Information Technology Crime
IT as a Tool
IT as a Storage Device
IT as a Target
Risks to Information Quality
[Risk-model diagram: Threats exploit Vulnerabilities; Vulnerabilities expose Assets; Assets have Asset Values; Controls protect against Threats and reduce Risk; Security Requirements are met by Controls; Risk has an Impact on the Organisation]
Examples of Threats
Virus
Worm
Denial of Service
Phishing
SQL Injection
Sniffing
Social Engineering
Etc.
The Need for Information Governance
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability
The Importance of Standards
Information Security Quality Standard (BS7799/ISO17799) – Information assets meet the C-I-A criteria required by the organisation
IT Governance Standard (CobiT™) – The value of information is aligned with the organisation's dynamic needs
Information Security Management System (ISO27001:2005) – Threats to information quality and their impact can be minimised through a good management system
Governance of Information Quality Security
BS7799/ISO17799
[Diagram: the ten control areas arranged around the Information core (Integrity, Confidentiality, Availability):]
1. Information Security Policy
2. Security Organisation
3. Asset Classification & Controls
4. Personnel Security
5. Physical Security
6. Communication & Operations Mgmt
7. Access Controls
8. System Development & Maint.
9. Bus. Continuity Planning
10. Compliance
Implementation Status of BS7799/ISO17799
#1. Security Policy
Information Security Policy – To provide management direction and support for information security.
#2. Security Organisation
Information Security Infrastructure – To manage information security within the organization.
Security of Third Party Access – To maintain the security of organizational information processing facilities and information assets accessed by third parties.
Outsourcing – To maintain the security of information when the responsibility for information processing has been outsourced to another organization.
#3. Asset Classification & Controls
Accountability for Assets – To maintain appropriate protection of organizational assets.
Information Classification – To ensure that information assets receive an appropriate level of protection.
#4. Personnel Security
Security in Job Definition and Resourcing – To reduce the risk of human error, theft, fraud or misuse of facilities.
User Training – To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.
Responding to Security Incidents and Malfunctions – To minimize the damage from security incidents and malfunctions, and to monitor and learn from such incidents.
#5. Physical Policy
Secure Areas – To prevent unauthorized access, damage and interference to business premises and information.
Equipment Security – To prevent loss, damage or compromise of assets and interruption to business activities.
General Controls – To prevent compromise or theft of information and information processing facilities.
#6. Communications & Operations Mgmt
Operational Procedures and Responsibilities – To ensure the correct and secure operation of information processing facilities.
System Planning and Acceptance – To minimize the risk of system failures.
Protection Against Malicious Software – To protect the integrity of software and information.
Housekeeping – To maintain the integrity and availability of information processing and communication services.
#6. Communications (cont.)
Network Management – To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.
Media Handling and Security – To prevent damage to assets and interruptions to business activities.
Exchanges of Information and Software – To prevent loss, modification or misuse of information exchanged between organizations.
#7. Access Controls
Business Requirement for Access Control – To control access to information.
User Access Management – To prevent unauthorized access to information systems.
User Responsibilities – To prevent unauthorized user access.
Network Access Control – Protection of networked services.
#7. Access Controls (cont.)
Operating System Access Control – To prevent unauthorized computer access.
Application Access Control – To prevent unauthorized access to information held in information systems.
Monitoring System Access and Use – To detect unauthorized activities.
Mobile Computing and Teleworking – To ensure information security when using mobile computing and teleworking facilities.
#8. System Development & Maintenance
Security Requirements of Systems – To ensure that security is built into information systems.
Security in Application Systems – To prevent loss, modification or misuse of user data in application systems.
Cryptographic Controls – To protect the confidentiality, authenticity or integrity of information.
#8. System Development (cont.)
Security of System Files – To ensure that IT projects and support activities are conducted in a secure manner.
Security in Development and Support Process – To maintain the security of application system software and information.
#9. Business Continuity Planning
Aspects of Business Continuity Management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
#10. Compliance
Compliance with Legal Requirements – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
Reviews of Security Policy and Technical Compliance – To ensure compliance of new systems with organization security policies and standards.
System Audit Considerations – To maximize the effectiveness of and to minimize interference to/from the system audit process.
Main Processes in the Organisation: CobiT
Quality #1 - Effectiveness
Deals with information being relevant and pertinent to the organisation process as well as being delivered in a timely, correct, consistent and usable manner.
Quality #2 - Efficiency
Concerns the provision of information through the optimal (most productive and economical) usage of resources.
Quality #3 - Confidentiality
Concerns the protection of sensitive information from unauthorised disclosure.
Quality #4 - Integrity
Relates to the accuracy and completeness of information as well as its validity in accordance with the organisation's set of values and expectations.
Quality #5 - Availability
Relates to information being available when required by the organisation process, and hence also concerns the safeguarding of resources.
Quality #6 - Compliance
Deals with complying with those laws, regulations, and contractual arrangements to which the organisation process is subject, i.e., externally imposed organisation criteria.
Quality #7 - Reliability
Relates to systems providing management with appropriate information for it to use in operating the entity, in providing reporting to users of the financial information, and in providing information to regulatory bodies with regard to compliance with laws and regulations.
PDCA as the Backbone of Success (ISO27001:2005)
– ISMS scope (inc. details & justification for any exclusions)
– Approach to risk assessment (to produce comparable & reproducible results)
– Selection of controls (criteria for accepting risks)
– Statement of Applicability (currently implemented)
– Reviewing risks
– Management commitment
– ISMS internal audits
– Results of effectiveness and measurements (summarised statement on ‘measures of effectiveness’)
– Update risk treatment plans, procedures and controls
Risk Management Model
Security Review of Information
The Importance of a Solid Working Structure
The process of managing information will become a "mandatory" requirement (trend: Information Audit).
The process must be institutionalised within the organisation by forming a working team (or structure) responsible for this aspect.
Carrying out the two points above is part of mitigating the risk to information quality, which is the key to the performance of an organisation such as PPATK.
The existence of "vulnerabilities" in its systems is surely already known, and makes an easy target for parties who do not want the prevention and eradication of money laundering to succeed.
Best Practice in Implementation
Thank You. Discussion and Q&A