Hasil Pencarian  ::  Simpan CSV :: Kembali

"Layanan cloud merupakan sumber daya infrastruktur yang efisien, fleksibel dan memiliki skalabilitas serta performa yang lebih baik. PT. Bank XYZ saat ini menggunakan layanan infrastruktur public cloud untuk 22 aplikasi non-transaksional namun menyimpan data pribadi nasabah. Meningkatnya tren serangan siber mendorong Bank XYZ untuk menetapkan indikator kinerja kunci zero incident data breach yang menjadi acuan dalam melakukan pengamanan informasi pada Bank XYZ. Namun, pada kenyataannya terdapat temuan kerentanan pada aplikasi Bank XYZ yang terletak di public cloud dan kebocoran kredensial akses public cloud yang menyebabkan terjadinya penyalahgunaan resource cloud. Kedua masalah ini dapat memberikan dampak terjadinya insiden kebocoran data yang pada akhirnya menimbulkan kerugian finansial dan reputasi bagi Bank XYZ. Salah satu penyebab utama dari masalah ini adalah belum adanya tata kelola keamanan informasi public cloud yang mendefinisikan secara jelas penentuan wewenang dan tanggung jawab perusahaan maupun penyedia layanan cloud. Oleh karena itu penelitian ini bertujuan untuk melakukan perancangan tata kelola keamanan informasi public cloud pada Bank XYZ. Framework yang digunakan dalam menyusun rancangan tata kelola keamanan informasi yaitu ISO/IEC 27001:2022, ISO/IEC 27002:2022, ISO/IEC 27017:2015. Selain itu ketentuan regulator POJK No.11/OJK.03/2022 dan Undang-Undang Perlindungan Data Pribadi (UU PDP) No.27 Tahun 2022 juga menjadi landasan teori dalam penyusunan tata kelola keamanan informasi public cloud. Pelaksanaan penelitian ini dilakukan dengan metode kualitatif yaitu melalui wawancara, Focus Group Discussion (FGD), dan analisis dokumen internal dan ketentuan terkait dengan tata kelola cloud. Wawancara, FGD, dan analisis dokumen yang dilakukan pada penelitian ini menghasilkan daftar risiko dan kontrol risiko yang harus diterapkan dalam pengamanan public cloud, yang kemudian digunakan sebagai dasar dalam menyusun rancangan tata kelola keamanan informasi public cloud pada Bank XYZ. Luaran dari penelitian ini adalah rancangan tata kelola keamanan informasi public cloud pada Bank XYZ.

---

Cloud services offer efficient, more scalability, better performance, and adaptable infrastructure resources. PT. Bank XYZ presently uses public cloud infrastructure services for 22 non-transactional applications that store customer data. The increasing cyber-attack trend has driven Bank XYZ to set a key performance indicator of a zero-incident data breach as the reference for securing information at Bank XYZ. However, system vulnerabilities were detected in the Bank XYZ application that uses public cloud infrastructure and leaks of cloud access credentials, leading to misuse of cloud resources. This problem may impact the occurrence of data leakage incidents that end up causing financial and reputational losses to Bank XYZ. One of the main causes of this problem is the absence of public cloud information security governance that clearly defines the authority and responsibility of companies and cloud service providers. Therefore, this research aims to establish public cloud information security governance for Bank XYZ. ISO/IEC 27001:2022, ISO/IEC 27002:2022, and ISO/IEC 27017:2015 were utilized to create the public cloud information security governance design. Regulatory compliance, such as POJK No.11/OJK.03/2022 and personal data protection law (UU PDP) No.27 of 2022, also provides a theoretical basis for developing public cloud information security governance. This study utilized qualitative approaches such as interviews, Focus Group Discussions (FGD), and an analysis of internal documentation and cloud governance compliance. The interviews, focus groups, and document analysis conducted for this study result in a list of risk controls that must be used in the public cloud, which is then used to establish public cloud information security governance for Bank XYZ. The outcome of this research is the design of Bank XYZ's public cloud information security governance."

"Teknologi komputasi cloud merupakan sebuah pool besar yang terdiri dari sumber daya komputasi yang di virtualisasikan, sehingga pengguna dapat mengakses dan menggunakannya. Cloud telah diadaptasi oleh banyak perusahaan besar di bidang IT, seperti Google, IBM, Amazon dan masih banyak lagi. Oleh karena itu, keamanan pada teknologi cloud menjadi prioritas utama, sehingga bisa terhindar dari serangan cyber. Advanced Persistent Threat (APT) merupakan sebuah serangan cyber yang bertujuan untuk mendapatkan akses terhadap sistem atau jaringan, sehingga bisa melakukan pencurian data. Berbeda dengan teknik pencurian data biasa yang bersifat "smash and grab", APT akan tetap berada pada sistem target dalam periode waktu tertentu, sehingga penyerang bisa mengakses dan mengambil data target secara terus menerus, tanpa bisa terdeteksi. Hal ini membuat APT menjadi salah satu ancaman cyber yang sulit untuk dicegah, khususnya pada cloud environment. Metode keamanan analitik menjadi salah satu solusi yang bisa digunakan untuk bisa mengatasi serangan APT pada cloud environment, hal ini dikarenakan data yang dihasilkan semakin banyak, dan infrastruktur dari cloud juga mempunyai kapasitas yang besar untuk bisa menangani banyak nya data yang dihasilkan, sehingga metode keamanan lama yang sering diterapkan menjadi tidak lagi efisien. Salah satu metode keamanan analitik yang dapat diterapkan pada teknologi cloud adalah dengan menggunakan Security Information Event Management (SIEM) yang disediakan oleh banyak vendor seperti IBM dengan IBM QRadar. Hasilnya didapatkan bahwa kinerja tingkat deteksi SIEM dengan IBM Qradar terhadap ancaman serangan APT tidak optimal dengan pendeteksian hanya sebesar 57,1% dan yang terdeteksi sebagai kategori penyerangan sebesar 42,9% dari total 4 serangan yang dilancarkan. Hal ini dikarenakan IBM Qradar memerlukan beberapa ekstensi tambahan, sehingga membutuhkan resource komputasi yang lebih besar agar bisa meningkatkan kemampuan deteksi terhadap serangan APT.

---

Cloud computing technology is a large pool of virtualized computing resources, so that users can access and use them. Cloud has been adapted by many large companies in the IT field, such as Google, IBM, Amazon and many more. Therefore, security in cloud technology is a top priority, so that it can avoid cyber attacks. Advanced Persistent Threat (APT) is a cyber attack that aims to gain access to a system or network, so that it can carry out data theft. Unlike the usual "smash and grab" data theft technique, the APT will remain on the target system for a certain period of time, so that attackers can access and retrieve target data continuously, without being detected. This makes APT one of the most difficult cyber threats to prevent, especially in cloud environments. Analytical security methods are one of the solutions that can be used to overcome APT attacks in the cloud environment, this is because more and more data is generated, and the infrastructure of the cloud also has a large capacity to be able to handle a lot of data generated, so the old security method which are often applied become inefficient. One of the analytical security methods that can be applied to cloud technology is to use Security Information Event Management (SIEM) that have been provided by many vendors such as IBM with IBM Qradar. The result shows that the performance of SIEM detection rate with IBM Qradar against APT attack is not optimal with only 57.1% detection rate and 42.9% detected as an attack category out of a total of 4 attacks launched. This is because IBM Qradar needs some additional extension, thus requiring more additional computing resources in order to increase the detection rate ability against APT attack."

"This book analyses the various security threats in cloud computing. A host-based IDS (HIDS) using signature verification is developed and implemented for the concerned security issues. Further, owing to the vulnerability of distributed denial of service (DDoS) attacks in cloud computing, a network based IDS (NIDS) is developed and implemented against such attacks. The performance of these IDS is verified in the Cloud scenario as well against the standard data set. Finally, a simple data storage and security model is developed and implemented for the Cloud computing scenario. The contents of this book will be of interest to researchers and professionals alike."

"Collaboration with cloud computing discusses the risks associated with implementing these technologies across the enterprise and provides you with expert guidance on how to manage risk through policy changes and technical solutions.Drawing upon years of practical experience and using numerous examples and case studies, author Ric Messier discusses :- The evolving nature of information security- The risks, rewards, and security considerations when implementing SaaS, cloud computing and VoIP- Social media and security risks in the enterprise- The risks and rewards of allowing remote connectivity and accessibility to the enterprise network"

"It may seem a strange place to start, but a good beginning here is the Boston Marathon bombings in April, 2013 and the days that followed. In particular, the Friday when officials shut down the city of Boston and neighboring communities. Businesses all over the city were forced to shut down while the manhunt took place over the course of the day on Friday. While retail establishments were really out of luck because no one on the streets meant no one in the stores, other businesses were able to continue to operate because of a number of technologies that allowed remote workers to get access to their files, the systems they needed and their phone systems. Any business that implemented a full Unified Communications (UC) solution could have employees also communicating with instant messaging and know who was on-line because of the presence capabilities. Additionally, news of the events spread quickly and less because of news outlets who were, quite rightly, not allowed to provide specifics about many of the activities"-- Provided by publisher."

"Penelitian ini bertujuan untuk mengetahui tingkat penerapan tata kelola teknologi informasi pada PT. XYZ, yang merupakan perusahaan e-commerce Business-to-Business B2B. Penilaian tingkat penerapan tata kelola teknologi informasi dilakukan dengan menggunakan kerangka Control Objectives for Information and Related Technology COBIT 5. Penilaian tata kelola dibagi menjadi 5 domain proses yaitu Evaluate, Direct, Monitor EDM, Align, Plan, Organize APO, Build, Acquire, Implement BAI, Deliver, Service, Support DSS, dan Monitor, Evaluate, Assess MEA. Kemudian dilakukan penilaian atas tingkat kapabilitas terkait proses-proses tersebut. Berdasarkan hasil penelitian pada PT. XYZ, rata ndash; rata tingkat kapabilitas adalah sebesar 2,87. Angka ini menunjukan bahwa tata kelola teknologi informasi yang diterapkan oleh PT. XYZ berada pada level 2 yang merupakan proses managed. Artinya proses yang sudah berjalan diterapkan dengan teratur, penerapan tata kelola teknologi informasi sudah direncanakan, diawasi, dan disesuaikan dengan kebutuhan PT.XYZ.

---

The purpose of this research to assess the implementations level of information technology governance on PT. XYZ as a business to business B2B e-commerce company. This research was conducted by using the framework of Control Objectives for Information and Related Technology COBIT 5. The assesment divides governance process to 5 domains Evaluate, Direct, Monitor EDM, Align, Plan, Organize APO, Build, Acquire, Implement BAI, Deliver, Service, Support DSS, and Monitor, Evaluate, Assess MEA. Each domains was identified by using the capability levels. Based on this study PT. XYZ achieves capability level on 2,87. This number indicate that the implementation level of IT governance control by PT. XYZ was on level 2, known as managed process. The implementation of information technology governance has been planned, monitored, and adjusted to company objective."

"ABSTRAKBank XYZ berkomitmen memberikan layanan perbankan terdepan kepada nasabah dan perkembangan teknologi digital yang mendorong bank untuk bertumbuh lebih cepat melalui pengembangan layanan digital banking untuk meningkatkan pertumbuhan nasabah baru dan meningkatkan kemudahan transaksi perbankan. Dengan bertambahnya pemanfaatan teknologi informasi melalui penerapan layanan digital banking terbaru, maka bertambah juga ancaman terhadap keamanan informasi yang perlu diantisipasi untuk memastikan prinsip kerahasiaan, integritas, dan ketersediaan suatu informasi. Penelitian ini bertujuan untuk mengetahui kemungkinan risiko-risiko terhadap layanan digital banking dan merancang suatu kebijakan keamanan informasi sebagai bagian dari alat kontrol terhadap risiko keamanan informasi pada digital banking. Penelitian ini merupakan penelitian studi kasus dengan metode kualitatif dengan melakukan analisis melalui observasi secara langsung dan juga pada dokumen internal bank yang terkait dengan layanan digital banking terbaru. Penelitian ini membahas aktivitas manajemen risiko dan menentukan kontrol keamanan informasi yang tepat berdasarkan standar ISO 27001:2013. Penelitian ini menghasilkan suatu rancangan kebijakan keamanan informasi mencakup 64 kontrol keamanan dari 114 kontrol yang ada pada Annex A ISO 27001:2013 dan berdasarkan penilaian risiko pada delapan aset informasi dan juga 23 aset pendukung layanan digital banking terbaru dari Bank XYZ. Kontrol keamanan pada ISO 27001:2013 sesuai dengan kebutuhan penerapan keamanan informasi pada Bank XYZ karena dapat mencakup seluruh kerentanan yang ada pada aset digital banking. Rancangan kebijakan ini dapat digunakan bagi Bank untuk pembuatan standar dan prosedur keamanan informasi terkait layanan digital banking.

---

ABSTRACT

XYZ Bank committed to provide leading banking services to customers and the development of digital technology that encourages banks to grow faster through the development of digital banking services to increase new customer growth and also improve the ease of banking transactions. With the increasing use of information technology in the application of digital banking services, it also increased the threats to the information assets that need to be anticipated to ensure the confidentiality, integrity, and availability of the information. This research aims to determine the possibility of digital banking services risks and design an information security policy as part of the information security risk control. This is a case study research with a qualitative analysis method through direct observation and also on the bank's internal documents related to digital banking services. This research discusses the risk management activities and determines the appropriate information security controls based on the standard from ISO 27001: 2013. The research produced a draft of an information security policy that includes 64 security controls from 114 security controls in Annex A of ISO 27001: 2013 and based on risk assessment from eight information assets and 23 supporting assets of digital banking services from XYZ Bank. Security controls on ISO 27001: 2013 match the requirements for implementing information security at XYZ Bank because it can cover all assets' vulnerabilities that exist in digital banking. The policy can be used as a reference to create standards and procedures related to the information security of digital banking services."

"In this era of digital age where considerable business activities are powered by digital and telecommunication technologies, deriving customer loyalty and satisfaction through delivering high quality services, driven by complex and sophisticated Information Technology (IT) systems, is one of the main services objectives of the Bank towards its customers. From customer services perspective, "availability" is a degree of how closed the Bank is to its customers so that they can "consume" the Bank"s services easily and in preference to its competitors. "Reliability" is the degree of how adequate and responsive the Bank is in meeting its customers" needs. "Confidentiality" is the trust the customers have in the Bank in that their confidential information will not fall into the wrong hands.

Information Technology is one of the means that Bank uses to achieve quality service objectives. Reliance on IT requires an understanding of the importance of IT Security within the IT environments. As business advantages are derived from the use of IT to deliver quality services, critical IT security issues related to the use of IT should be understood and addressed. Safeguarding and protecting security Information systems and assets are prominent issues that all responsible IT users must address. Information is the most valuable assets of the Bank. Adequate resources must be allocated to carry out the safeguarding of Bank"s information assets through enforcing a defined IT Security Policies, Standards and Procedures.

Compliance with international and national standards designed to facilitate the Interchange of data between Banks should be considered by the Bank"s management as part of the strategy for IT Security which helps to enforce and strengthen IT security within an organization."

"Sebagai perusahaan yang bergerak di bidang telekomunikasi, PT. XYZ harus memastikan bahwa mereka memiliki kemampuan yang memadai untuk melindungi data sensitif perusahaan dan pelanggannya. Meskipun berbagai sistem dan proses keamanan informasi sudah tersedia, sumber daya manusia masih merupakan mata rantai terlemah dalam keamanan siber. Metode bekerja Work From Home pada era New Normal membuat ancaman siber semakin besar. Pada dasarnya, Information Security Awareness (ISA) menunjukkan apakah pengguna menyadari tujuan dari keamanan informasi atau tidak. Dengan menggunakan skenario simulasi phishing assessment, penelitian ini menguji tingkat ISA karyawan PT. XYZ dan bagaimana edukasi ISA dapat meningkatkan tingkat kesadaran mereka. Hasil simulasidibandingkan antara sebelum dan sesudah mereka menerima edukasi ISA dalam skala prosentase. Hasil penelitian menunjukkan adanya dampak yang positif setelah edukasi diberikan. Karyawan yang mengklik URL phishing sebelum edukasi mencapai 31% berkurang menjadi 11% setelah edukasi. Sementara itu, karyawan yang terkena phishing menurun dari 24% menjadi 4%.

---

As a company that is operating in the telecommunication sector, PT. XYZ must ensure that they have adequate capabilities to protect their company’s and customers’ sensitive data. Although various information security systems and processes are already in place, human resources still are the weakest link in cyber security. The new method of Work From Home in the New Normal era makes the threat even larger. Basically, Information Security Awareness (ISA) denotes whether or not users are aware of information security objectives. Using a phishing scenario, this study examined the level of ISA of PT. XYZ employees and how ISA training might improve their awareness

level. The simulation outcomes were compared to the results before and after they received ISA education on a percentage scale. The results showed that there was a positive impact after ISA education was given. Employees who clicked on phishing URLs before training reached 31% reduced to 11% after training. Meanwhile, employees affected by phishing decreased from 24% to 4%."