Development of a Security and Management Policy for Cybersecurity Operations Infrastructure Using NIST CSF 2.0 and ISO/IEC 27001:2022

Authors

  • Hafizh Ghozie Afiansyah, Badan Siber dan Sandi Negara
  • Nur Annisa Kadarwati Febriyani, Badan Siber dan Sandi Negara

DOI:

https://doi.org/10.56706/ik.v17i3.81

Abstract

This study discusses the management and protection of an organization's information technology assets, particularly those supporting cybersecurity operations, against increasing cyber threats. Cybersecurity operations consist of six categories of activities that involve the planning, management, and regulation of information technology assets. One standard that can be applied to the management and security of cybersecurity operations infrastructure is ISO/IEC 27001:2022. This study describes the integration of the Govern concept from NIST CSF 2.0 with ISO/IEC 27001:2022 to design a governance and management policy for cybersecurity operations infrastructure. The policy framework covers organizational objectives, a description of the infrastructure management and security activities, activity details, implementation provisions, monitoring, evaluation, internal audit, management review, continuous improvement, and the consequences and sanctions that apply if the policy is not properly implemented. The study aims to enable organizations to face cyber threats more effectively and to ensure that cybersecurity operations services run optimally.

Submitted

07-09-2023

Accepted

31-10-2023

Published

27-12-2023

Section

Articles