Information Systems Security


Information Systems Security
Arrianto Mukti Wibowo, M.Sc., Faculty of Computer Science, University of Indonesia
amwibowo@cs.ui.ac.id

System & Application Development

Objective
To study the various security aspects and the controls related to information systems development.

Topics
Complexity of functionality, data, database management security, systems development life cycle, application development methodology, software change control, malicious code.

Information Security and the Life Cycle Model
The earlier in the process a component is introduced, the better its chance of success. Information security is no different. Information security controls apply across conception, development, implementation, testing, and maintenance, and they should already be part of the feasibility phase.

Validation & Verification
Validation: Are we building the right thing? Substantiation that a piece of software, within its domain of applicability, possesses a satisfactory range of accuracy consistent with the intended application of the software (the software vs. the real thing).
Verification: Are we building it right? For example: test planning and execution, placement of controls, etc.

Question
What do you see as the security gaps at this stage? What could endanger or threaten the system?

Testing Issues
Testing of the software modules (unit testing) should be addressed when the modules are being designed. Personnel SEPARATE from the programmers should conduct this testing. Testing should check modules using normal and valid input data, and also check for incorrect types, out-of-range values, and other bounds. Use TEST DATA that includes out-of-range values and incorrect input types.

Software maintenance phase
Request control
Change control
Release control

Request Control
Control over requests from users for changes. Covers: prioritising the requests; estimating the cost of the fix/change; validating the user interface with the user.

Change Control
Problems handled include: reconstructing the problem; analysing the problem; making the fix/change; testing; performing quality control.
Other things to pay attention to: documenting the fix; is there any impact on other related modules? Re-accreditation and re-certification, if needed.

Release Control
What (which modules) is finally included in the released version of the software; archiving the software release; user acceptance testing; distributing the new release; configuration management.

Question
What do you see as the security gaps at this stage? What could endanger or threaten the system?

Configuration Management
In order to manage evolving changes to software products and to formally track and issue new versions of software, configuration management is employed. Configuration management is the discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the cycle.

Configuration Procedure
1. Identify and document the functional and physical characteristics of each configuration item (configuration identification).
2. Control changes to the configuration items and issue versions of configuration items from the software library (configuration control).
3. Record the processing of changes (configuration status accounting).
4. Control the quality of the configuration management procedures (configuration audit).

Software Capability Maturity Model (CMM)
The software CMM is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes. A process (according to the Software Engineering Institute, SEI) is a set of activities, methods, practices, and transformations that people use to develop and maintain systems and associated products. The software CMM was first developed by the SEI in 1986. The SEI defines five maturity levels that serve as a foundation for conducting continuous process improvement and as an ordinal scale for measuring the maturity of the organization involved in the software processes.

CMM Levels
Level 1 Initial: competent people and heroics; processes are informal and ad hoc.
Level 2 Repeatable: project management processes; project management practices are institutionalized.
Level 3 Defined: engineering processes and organizational support; technical practices are integrated with the institutionalized management practices.
Level 4 Managed: product and process improvement; product and process are quantitatively controlled.
Level 5 Optimizing: continuous process improvement; process improvement is institutionalized.

Generic Maturity Model - Dimensions
The dimensions are: understanding and awareness; training and communication; process and practices; techniques and automation; compliance; expertise. Each maturity level is characterised along these dimensions as follows.
Level 1. Understanding and awareness: recognition. Training and communication: sporadic communication on the issues. Process and practices: ad hoc approaches to process and practices.
Level 2. Understanding and awareness: awareness. Training and communication: communication on the overall issue and need. Process and practices: similar/common processes emerge; largely intuitive. Techniques and automation: common tools are emerging. Compliance: inconsistent monitoring in isolated areas.
Level 3. Understanding and awareness: understand the need to act. Training and communication: informal training supports individual initiative. Process and practices: existing practices defined, standardised and documented; sharing of the better practices. Techniques and automation: currently available techniques are used; minimum practices are enforced; tool-set becomes standardised. Compliance: inconsistent monitoring globally; measurement processes emerge; IT Balanced Scorecard ideas are being adopted; occasional intuitive application of root cause analysis. Expertise: involvement of IT specialists.
Level 4. Understanding and awareness: understand the full requirements. Training and communication: formal training supports a managed program. Process and practices: process ownership and responsibilities assigned; process is sound and complete; internal best practices applied. Techniques and automation: mature techniques applied; standard tools enforced; limited, tactical use of technology. Compliance: IT Balanced Scorecards implemented in some areas, with exceptions noted by management; root cause analysis being standardised. Expertise: involvement of all internal domain experts.
Level 5. Understanding and awareness: advanced, forward-looking understanding. Training and communication: training and communications support external best practices and the use of leading-edge concepts/techniques. Process and practices: best external practices applied. Techniques and automation: sophisticated techniques are deployed; extensive, optimised use of technology. Compliance: global application of the IT Balanced Scorecard, with exceptions globally and consistently noted by management; root cause analysis consistently applied. Expertise: use of external experts and industry leaders for guidance.

Question
What do you see as the security gaps at this stage? What could endanger or threaten the system?

Application Controls
The goal is to enforce the organization's security policy and procedures and to maintain confidentiality, integrity, and availability. Users running applications require the availability of the system. A service level agreement guarantees the quality of a service to a subscriber, e.g. by an ISP.

Application Control Types

Application controls examples
Line count and record count.
Field check: is the data type correct?
Sign check.
Validity check: lookup against existing data, e.g. a customer ID.
Limit check: e.g. a value cannot fall below or exceed a certain number.
Range check: the value must have an upper and a lower bound, e.g. a date.
Reasonableness test: logical correctness of the input. For example, a $1500 raise is reasonable for an executive earning $13000, but odd for a janitor earning $1000.

Prompting.
Preformatting.
Completeness check.
Closed-loop verification, e.g. checking a bank account number against the account holder's name.
Error message.

Database Security
Views
OLAP
Aggregation
Inference

View
Each user has specific and limited rights to access data.

On-Line Transaction Processing Security
If a process halts for some reason, OLTP can attempt to restart the process. If that is not possible, the transaction is rolled back, so that nothing is recorded partially. This anomaly is recorded in the computer log. Example: a transfer from one customer's account to another customer's account.
Two-phase commit in OLTP: ensures that a transaction on one database is also reflected on the other database before the transaction is considered complete.
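A small simulation of the restart, rollback and two-phase commit behaviour described above, added here as an example rather than code from the slides; the Ledger class, the fail_next halt simulation, the single restart attempt and the account data are constructed assumptions:

```python
LOG = []  # stand-in for the computer log where anomalies are recorded

class Ledger:
    """One database of account balances; fail_next > 0 simulates a halted process."""
    def __init__(self, name, balances, fail_next=0):
        self.name, self.balances, self.pending = name, dict(balances), {}
        self.fail_next = fail_next

    def prepare(self, txid, account, delta):
        """Phase 1: vote yes only if the change can be applied, and hold it as pending."""
        if self.fail_next:
            self.fail_next -= 1
            raise RuntimeError(f"{self.name} halted")
        bal = self.balances.get(account)
        if bal is None or bal + delta < 0:
            return False
        self.pending[txid] = (account, delta)
        return True

    def commit(self, txid):
        """Phase 2: apply the pending change."""
        account, delta = self.pending.pop(txid)
        self.balances[account] += delta

    def rollback(self, txid):
        """Phase 2, failure path: discard the pending change so nothing partial is recorded."""
        self.pending.pop(txid, None)

def vote(db, txid, account, delta, retries=1):
    """Run prepare; if the process halts, restart it up to `retries` times, then vote no."""
    for _ in range(retries + 1):
        try:
            return db.prepare(txid, account, delta)
        except RuntimeError as err:
            LOG.append(f"{txid}: {err}, restarting prepare")
    return False

def transfer(txid, src, src_acct, dst, dst_acct, amount):
    """Two-phase commit of a customer-to-customer transfer across two ledgers:
    both ledgers must vote yes before either balance is changed."""
    votes = (vote(src, txid, src_acct, -amount), vote(dst, txid, dst_acct, amount))
    if amount > 0 and all(votes):
        src.commit(txid)
        dst.commit(txid)
        return True
    for db in (src, dst):
        db.rollback(txid)
    LOG.append(f"{txid}: rolled back, votes={votes}")
    return False
```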

Aggregation
Def: the act of combining information from separate sources. The combination of the information forms new information, which the subject does not have the necessary rights to access. The combined information has a sensitivity that is greater than that of the individual parts.

Aggregation example
Suppose the DB admin has a secret piece of data: "The quick brown fox jumps over the fence", and divides the sentence into several components: A = The; B = quick; C = brown fox; D = jumps; E = over; F = the fence. User X is allowed to read A, C, F. If user X is intelligent, X can guess!

Inference
Def: the ability to derive information that is not explicitly available.
Example: a junior data-entry officer has no access to the movement data of combat troops, but does have data on the specific food supplies for the encamped combat troops (what they are and where they must be dropped). He can infer the movement of the combat troops.