Critical Infrastructure Protection (CIP)

Chuan-Wei Hoo, CISSP, CISA, CFE, BCCE
Volunteer Speaker, (ISC)²
Architect at Business Continuity & Security Governance, BritishTelecom Global Services
www.isc2.org

#IISF2011
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
Agenda
• Introduction
• Current State Of Play
• Back To Basics
• Practical Approach
• Minimum Controls
• Q&A
CIP – Introduction*

Entertaining, funny or scary ???
* Source from Youtube.com
Current State Of Play – Recent Failures
Current State Of Play – Past Failures

Even in the movie Jurassic Park, the risk of an internal threat was clearly demonstrated by the character Dennis Nedry, the Park’s chief computer programmer, who designed the system which ran the island. He was suffering from unspecified financial problems and felt disgruntled when he was not paid as much as he wanted for his job.

Dennis turned traitor and, secretly and for a sizable sum, agreed to smuggle embryos of all 15 dinosaur species off the island. He shut down all the safety systems so as to avoid the electric fences and spying security cameras. With the power gone, the dinosaurs began escaping from their pens and started killing people.
…Possible causes
• Lack of segregation of duties?
• Complacency? …contented self-satisfaction
• Lack of visibility?
• Lack of privileged access management?
• Single-point-of-failure (SPOF)
• Ineffective patch management?
Back To Basics
• CIP
  – The preparedness and response to serious incidents that involve critical infrastructure (CI), e.g. airports, service providers (electric power, water, telecommunication, etc.)
  – Some CI are SCADA (supervisory control and data acquisition) computer systems that monitor and control industrial, infrastructure, or facility-based processes.
Practical Approach
• “Outside-in” versus “Inside-out”

[Diagram: two views of the same asset. Outside-in: the Asset as a single block, surrounded by the labels Physical, Technology, Logical and Procedural. Inside-out: the Asset broken down into sub-components, each again surrounded by Physical, Technology, Logical and Procedural.]
Outside-in
• Explore all possible threats to the asset; no breakdown of the asset
• Assess the potential impact and likelihood of each threat
• Determine the mitigating control for each threat
• Design and build the controls for protection

Outcome: The solution tends to be over-engineered and can be costly. It might fail to address some peculiar threats.
Inside-out
• Identify the asset; classification and categorization
• Explore all possible threats to each categorization
• Assess the potential impact and likelihood of each threat
• Determine the mitigating control for each threat
• Design and build the controls for protection

Outcome: Engineered solutions are targeted to the respective threats and vulnerabilities of each categorization. A more comprehensive approach.
Minimum Controls
• Executive management support
• Thorough understanding/knowledge
  – Business
  – IT (full inventory – everything)
  – Operations (supported by IT)
• Regular comprehensive review
  – Identify SPOF
• Continuous self assessment
  – Applicable control for tomorrow’s threats
…Management wise
• So what should we do?
  – Top-down: get the executive management to push down the compliance need (a must-do even when it is difficult to reach the right people)
  – Bottom-up: work the ground to get the co-operation of the key stakeholders (lots of PR)
  – Acquire the necessary training (training, certification)
  – Define detailed SOPs (framework, standards e.g. ISO/IEC 27001:2005)
  – Governance review committee (you chair the committee, using reference from a reputable source)
  – Put in measurements (measurable):
    • Key risk indicators
    • Key performance indicators
Key Messages
• There’s no silver bullet to the problem, only mitigating controls to minimize the risk.
• Know where your assets are; information & infrastructure (was and is).
• Review and enhance your existing design and plans.
• Review and enhance your existing controls to protect your information assets.
• Continue to educate the end-users and raise awareness (most critical).
Thank you!
