Archive for 24 April 2007

Study Security Domain in Data Security Aspect of Enterprise

Imran¹*, Budi Rahardjo¹

¹Bandung Institute of Technology, Jalan Ganesa 10, Bandung 40132, Indonesia

The growth of information technology (IT) is matched by a growing threat to the confidentiality, integrity, and availability (CIA) of data and information. In managing the abundant data that is an asset used in its routine activity to reach its targets, an enterprise has to know which data must be protected, because each item of data has a different security level; therefore data classification has to be implemented. Data classification is conducted by determining the level of each item of data according to its value, the impact of the risk if the data is lost, and other aspects relating to the enterprise's business process. This research uses seven main processes: the first is the preparation process, which identifies the assets of the enterprise and prepares for data classification; the second is the risk analysis, which uses National Institute of Standards and Technology (NIST) Special Publication 800-30 as its reference to classify the data according to the defined levels; the third is classifying the data according to their level; the fourth is securing each level of the data classification with the Clark Wilson model; the fifth is analysis with the Cost to Benefit Analysis (CBA) method; the sixth is recommending the result to the enterprise; and finally monitoring and evaluating each process.

Keywords: data classification, IT, CIA, NIST, CBA.

1. General

In the era of globalization, competition between institutions, profit or non-profit, becomes increasingly tight. To keep the enterprise in existence, data must receive attention, because it is one of its most valuable assets. An enterprise can realize its vision by carrying out its mission, supported by data that is accurate, complete and up to date and whose confidentiality, integrity and availability are preserved. Data security must receive special attention in an enterprise: with secure data, its activities are supported and problems concerning the data can be anticipated.

This research approaches data security through data classification, that is, grouping data into levels according to the value of the data, the risk if the data is lost, and the business process of the enterprise. The standards used in this research are NIST Special Publication 800-30 for risk analysis and the Clark Wilson Model for the security action at each classification level.

2. Data Security

Three aspects are needed to implement a security program for securing data and information: the confidentiality, integrity and availability of an enterprise's resources [1].

2.1 Confidentiality

Confidentiality has to be enforced by a procedure that covers user identification and authentication. Reliable identification of the system's users is what makes a policy defining access authority to each data item effective.

2.2 Integrity

Data integrity has to be protected from deliberate, unauthorized alteration. The key concern of integrity is to protect the data, and the programs that process it, from unauthorized modification.

2.3 Availability

Availability is the assurance that a computer system is accessible by authorized users whenever needed. Two facets of availability are typically discussed:

1. Denial of service: activity that consumes computing services and loads system resources so that authorized users cannot use them. For example, an Internet worm loaded about 10% of the networked computer systems so heavily that they could not respond to other users.

2. Loss of data processing capabilities as a result of natural disasters (e.g., fires, floods, storms, or earthquakes) or human actions (e.g., bombs or strikes).

3. Shifting security perspectives

Management has to shift its security perspective in order to reach and sustain a security level that directly supports the mission of the enterprise. Realizing this requires a specific approach that is reactive, strategic and adaptive.

Table 1. Shifting security perspectives [2]. [table not reproduced in this copy]

4. Data Classification

Today's enterprises face a glut of data, ranging from financial reports, personnel files, research results and customer records to engineering and development code. Enterprise data stores, ranging from tens to hundreds of terabytes and filled with millions of different files, are constantly growing. With data growing in the order of 50% per year, it is increasingly difficult to know what data is available, what data is critical to the business and how best to manage overall information assets. The problem is that most companies do not correlate information with their business process, often resulting in poor utilization of storage resources.

Benefits of Data Classification

At its core, the data classification process allows companies to organize their information in a way that corresponds to business needs. This ability provides quantifiable benefits that can be grouped into four main categories:

a. Meeting Requirements of Regulatory Compliance

Data classification is used to comply with the law, for example information privacy laws that require certain information to be protected. Many enterprises look to data classification as a means of meeting the requirements of compliance audits.

b. Enhanced Risk Mitigation and Security

Another benefit of data classification is enhanced risk mitigation and security, because it supports the confidentiality, integrity and availability that protect the data. A data classification implementation can be the basis for securing data against disclosure.

Companies may wish to mitigate legal risks by ensuring adequate response times in the face of legal discovery challenges. A proper Data Classification implementation can be fundamental in keeping track of data that may be used to avert a potential lawsuit or assist in its defense.

Combining universal classification with flexible, policy-based data movement offers solutions in many areas:

1. Intelligent policy-driven archiving to meet regulatory, compliance and other corporate governance needs.

2. Flexible, bi-directional data movement between tiers based on age and other important data attributes.

3. Improved backup procedures that match the value of the data to the backup strategy to help eliminate backup-window problems.

c. Better Utilization and Increased Hardware Cost Savings

Data classification offers cost savings by allowing less important data to be migrated from expensive primary storage to less expensive secondary storage systems. While many enterprises own and operate different tiers of storage, the use of such tiered storage is typically governed by application and physical connectivity rather than the actual value of the data embodied therein. Proper implementation of data classification allows efficient use of a tiered storage infrastructure by matching the value of the data to that of the underlying storage infrastructure – allowing less valuable data to reside on less expensive disks.

d. Increased Performance and Efficiency

Studies show that with unstructured data, almost 80% of data retained by an enterprise is never touched. Yet this data may be kept on high performance storage arrays, backed up nightly, and replicated to remote sites.

Low-value data often consumes a large part of an enterprise's high-value storage resources, which could be better employed storing mission- and performance-critical information.

In addition, better data management can improve the overall responsiveness and performance of enterprise applications and storage resources.

Data classification can increase the effective performance of data security measures such as encryption. The problem with encryption is that it demands processing overhead, which slows performance for the user. Without data classification, an encryption process would simply encrypt everything, often affecting users far more than necessary. Through a data classification initiative, a company can identify and encrypt only the relevant data, saving time and processing power.

The following definitions describe the classification levels of data used in the government sector, ordered from the lowest level to the highest.

1. Unclassified. Information is considered neither sensitive nor secret, so it need not be concealed and its distribution need not be limited.

2. Sensitive but unsecured. Information is considered somewhat secret, but its disclosure would cause no serious damage.

3. Confidential. Information that qualifies as confidential. Unauthorized disclosure of this information can cause damage to the security and safety of the state.

4. Secret. Information of a secret nature. Unauthorized disclosure of this information can cause serious damage to national security and the safety of the state.

5. Top secret. This is the highest level of information classification. Unauthorized disclosure of top secret information can cause grave damage to the security and safety of the state.

In the private sector, the following classification terminology is generally applied:

1. Public. This information is not secret. Information in this category need not be distributed, but if it is disclosed it should have no negative or serious impact on the company.

2. Sensitive. Information at the sensitive level requires a higher level of protection. This information needs to be protected against loss of confidentiality and integrity resulting from unauthorized alteration.

3. Private. Information in this category is private to the enterprise and used only for its own purposes. Its disclosure can have a negative effect on the enterprise and its employees. Examples are salary levels and patients' medical information.

4. Confidential. Information in the confidential category is considered highly sensitive and is intended for internal use by the enterprise only. Unauthorized disclosure can have a serious negative effect on the enterprise. For example, information about new product development, trade secrets and partnership negotiations is considered confidential.

5. Cycle Scheme Data Security and Data Classification

Fig. 1. Cycle scheme of data security and data classification. [figure not reproduced in this copy]

5.1 Preparation Phase

The enterprise has to create a team, or at least appoint a person as information security officer (ISO), responsible for implementing the data security and data classification process. Before implementation of the program starts, the ISO has to ask some important questions and get answers to them [1].

Before the actual implementation of the data classification program can begin, the Information Security Officer (ISO), who for the purposes of this discussion is assumed to be the project manager, must ask some very important questions, and get the answers.

Is there an executive sponsor for this project?

Although not absolutely essential, obtaining an executive sponsor and champion for the project could be a critical success factor. Executive backing by someone well respected in the organization who can articulate the ISO’s position to other executives and department heads will help remove barriers, and obtain much needed funding and buy-in from others across the corporation. Without an executive sponsor, the ISO will have a difficult time gaining access to executives or other influencers who can help sell the concept of data ownership and classification.

What are you trying to protect, and from what?

The ISO should develop a threat and risk analysis matrix to determine what the threats are to corporate information, the relative risks associated with those threats, and what data or information are subject to those threats. This matrix provides input to the business impact analysis, and forms the beginning of the plans for determining the actual classifications of data.

Are there any regulatory requirements to consider?

Regulatory requirements will have an impact on any data classification scheme, if not on the classifications themselves, at least on the controls used to protect or provide access to regulated information. The ISO should be familiar with these laws and regulations, and use them as input to the business case justification for data classification, as well as input to the business impact analysis and other planning processes.

Has the business accepted ownership responsibilities for the data?

The business, not IT, owns the data. Decisions regarding who has what access, what classification the data should be assigned, etc. are decisions that rest solely with the business data owner. IT provides the technology and processes to implement the decisions of the data owners, but should not be involved in the decision making process. The executive sponsor can be a tremendous help in selling this concept to the organization.

Too many organizations still rely on IT for these types of decisions. The business manager must realize that the data is his data, not IT's; IT is merely the custodian of the data. Decisions regarding access, classification, ownership, etc. reside in the business units. This concept must be sold first if data classification is to be successful.

Are adequate resources available to do the initial project?

Establishing the data classification processes and procedures, performing the business impact analysis, conducting training, etc. requires an up-front commitment of a team of people from across the organization if the project is to be successful. The ISO cannot and should not do it alone. Again, the executive sponsor can.

5.2 Define policy

One of the important aspects of defining a data classification plan is the data security policy. The policy gives the ISO the authority to start the project, find executive sponsorship, and obtain funding and other support.

The enterprise's data security policy focuses on:

· Define information as an asset of the business unit

· Declare local business managers as the owners of information

· Establish Information Systems as the custodians of corporate information

· Clearly define roles and responsibilities of those involved in the ownership and classification of information

· Define the classifications and criteria that must be met for each

· Determine the minimum range of controls to be established for each classification

5.3 Risk Analysis

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected.

There are nine main steps in conducting a risk analysis, which can be seen in the following flowchart [5]:

Fig. 2. Risk assessment activity. [flowchart not reproduced in this copy]

5.3 Define Data to each level

After the risk level of each data item has been determined, we:

· make a matrix showing the risk level of each data item;

· determine the classification level of each data item according to the result of the risk assessment matrix;

· label each data item according to its owner and its level.
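As an added example (not part of the paper), the three steps above can be carried out with the likelihood × impact risk-level matrix from NIST SP 800-30, the guide this paper cites for its risk analysis, and the resulting risk level mapped onto the private-sector classification levels listed in section 4. The mapping from risk level to classification level, the rule that personal data is never classified below Private, and the sample asset register are assumptions made here for illustration; the paper leaves those decisions to the data owner.

```python
"""Risk-level matrix and classification labelling (added example, not from the paper).

Implements the likelihood x impact risk-level matrix of NIST SP 800-30 and
maps the result onto the private-sector levels Public < Sensitive < Private
< Confidential.  The risk-to-level mapping, the personal-data rule and the
sample register are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# NIST SP 800-30 likelihood and impact scales.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


def risk_level(likelihood: str, impact: str) -> str:
    """Return Low, Medium or High from the NIST SP 800-30 risk-level matrix.

    The matrix multiplies likelihood (0.1 / 0.5 / 1.0) by impact (10 / 50 / 100)
    and bands the product: 1-10 is Low, >10-50 is Medium, >50-100 is High.
    Only a High likelihood combined with a High impact reaches the High band.
    """
    score = LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class DataAsset:
    name: str
    owner: str              # the business unit that owns the data, not IT
    likelihood: str         # of a threat-source exercising a vulnerability
    impact: str             # magnitude of harm to the mission if it does
    personal: bool = False  # data about people (salary, medical records)


# Ordered private-sector levels from section 4, lowest to highest.
LEVELS = ["Public", "Sensitive", "Private", "Confidential"]

# Assumed mapping of the NIST risk level onto those classification levels.
RISK_TO_LEVEL = {"Low": "Public", "Medium": "Sensitive", "High": "Confidential"}


def classify(asset: DataAsset) -> str:
    """Step 2: pick the classification level from the matrix result."""
    level = RISK_TO_LEVEL[risk_level(asset.likelihood, asset.impact)]
    # Section 4 gives salary and patient data as examples of Private data;
    # assumed rule: personal data is never classified below Private.
    if asset.personal and LEVELS.index(level) < LEVELS.index("Private"):
        level = "Private"
    return level


def label(asset: DataAsset) -> str:
    """Step 3: label the data item with its level and its owner."""
    return f"{classify(asset).upper()} / owner: {asset.owner} / {asset.name}"


def risk_matrix(assets: List[DataAsset]) -> List[Tuple[str, str, str, str, str]]:
    """Step 1: one row per data item with its risk level and classification."""
    return [
        (a.name, a.likelihood, a.impact, risk_level(a.likelihood, a.impact), classify(a))
        for a in assets
    ]


# Constructed sample register; the values are illustrative, not measured.
SAMPLE_ASSETS = [
    DataAsset("press releases", "Marketing", "high", "low"),
    DataAsset("internal phone directory", "HR", "medium", "medium"),
    DataAsset("employee salary table", "HR", "low", "medium", personal=True),
    DataAsset("new product design", "R&D", "high", "high"),
]

if __name__ == "__main__":
    for row in risk_matrix(SAMPLE_ASSETS):
        print(row)
    for asset in SAMPLE_ASSETS:
        print(label(asset))
```

The matrix bands are deliberately coarse: a High-impact item with Low likelihood scores 10 and lands in the Low band, which is why the owner override for personal data matters; without it the salary table would be labelled Public on risk score alone.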

5.4 Security Action

The most important point in the security action is to secure each classification level according to its level: the highest classification receives the highest security level, the medium classification receives a medium security level, and so on down to the lowest level.

5.5 Cost to Benefit Analysis

§ Exposure Factor (EF). The proportion of loss that a threat event would cause to a specific asset.

§ Single Loss Expectancy (SLE). The monetary value assigned to a single event. Formula:

asset value x EF = SLE

§ Annualized Rate of Occurrence (ARO). A number representing the estimated frequency of a threat event per year.

§ Annualized Loss Expectancy (ALE). An estimate of the yearly monetary loss caused by a threat. Formula:

SLE x ARO = ALE
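As an added worked example (not from the paper), the four quantities defined above can be carried through to the decision they are meant to inform: a safeguard is worth its cost when the ALE it removes exceeds its annual cost, which is the standard CBA step that follows these definitions in the CISSP literature the paper draws on. The monetary values, exposure factors, occurrence rates and safeguard costs below are constructed sample figures, and the `Safeguard` structure and `recommend` helper are this example's own.

```python
"""Cost-to-benefit analysis with EF, SLE, ARO and ALE (added example, not from the paper).

Formulas from section 5.5:  SLE = asset value x EF,  ALE = SLE x ARO.
Added CBA step: value of a safeguard = ALE(before) - ALE(after) - annual cost.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Threat:
    asset_value: float  # monetary value of the data asset
    ef: float           # exposure factor: fraction of the value lost in one event, 0..1
    aro: float          # annualized rate of occurrence: expected events per year


def sle(t: Threat) -> float:
    """Single Loss Expectancy: asset value x EF."""
    if not 0.0 <= t.ef <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    if t.aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return t.asset_value * t.ef


def ale(t: Threat) -> float:
    """Annualized Loss Expectancy: SLE x ARO."""
    return sle(t) * t.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # purchase cost spread over its life, plus yearly operation
    after: Threat       # the same threat with the EF and ARO the control leaves behind


def safeguard_value(before: Threat, s: Safeguard) -> float:
    """Annual value of a safeguard: ALE(before) - ALE(after) - annual cost.

    Positive: the control saves more than it costs.  Negative: it costs more
    than the loss it prevents, so on CBA grounds the risk is cheaper to accept.
    """
    return ale(before) - ale(s.after) - s.annual_cost


def recommend(before: Threat, candidates: Iterable[Safeguard]) -> Optional[str]:
    """Name of the candidate with the highest positive value, or None if none pays off."""
    best = max(candidates, key=lambda s: safeguard_value(before, s), default=None)
    if best is None or safeguard_value(before, best) <= 0:
        return None
    return best.name


# Constructed figures for one Confidential-level asset (not measured data).
CUSTOMER_DB = Threat(asset_value=1_000_000, ef=0.4, aro=0.5)  # ALE 200,000 per year
CANDIDATES = [
    # Encryption at rest: a stolen copy loses most of its value, so EF drops sharply.
    Safeguard("encrypt at rest", annual_cost=60_000, after=Threat(1_000_000, 0.05, 0.5)),
    # A far more expensive control that reduces both EF and ARO further.
    Safeguard("dedicated isolated vault", annual_cost=250_000, after=Threat(1_000_000, 0.01, 0.1)),
]

if __name__ == "__main__":
    print(f"ALE before any control: {ale(CUSTOMER_DB):,.0f}")
    for s in CANDIDATES:
        print(f"{s.name}: value {safeguard_value(CUSTOMER_DB, s):,.0f} per year")
    print("recommended:", recommend(CUSTOMER_DB, CANDIDATES))
```

With these figures the vault removes almost all of the ALE yet has a negative value, because its annual cost exceeds the 200,000 per year it could at most save; the cheaper encryption control is the one the CBA recommends. The same comparison can be run per classification level so that the highest levels receive the controls whose value justifies them.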

5.6 Recommended to Enterprise

The process that has been carried out is documented in the form of a draft recommended to the enterprise, which can be used as a reference when implementing the data security architecture scheme for each classification level.

5.7 Monitoring and evaluation

To keep the data classification system operating continuously, the ongoing process must be monitored. The internal control department or unit organizes this activity to verify compliance with the specified policies and procedures. The information owner periodically re-evaluates the data to ensure its classification is still appropriate, verifies that access rights match each person's responsibilities and work, and evaluates the security and safety controls at each classification level to confirm they conform to what has been defined.

6. Conclusion

The cycle scheme for data security and data classification can serve as a reference for an enterprise in securing data at each level, so that the enterprise's business activity can run without barriers because the security of its data is guaranteed. This process has to be conducted and evaluated continuously, because the enterprise's mission and the data it manages may change according to the enterprise's policy.

The difficulty in this research was obtaining sample data with which to test and implement the data security and classification cycle plan, so no conclusion about the classification of data at each level has been reached. Instead, the authors tried to define data according to a scientific ordering and approach to interpreting data.

References

[1] Tipton, Harold F. and Krause, Micki (2004), Information Security Management Handbook, CRC Press LLC, Fifth Edition.

[2] Caralli, Richard A.(2004), Managing for Enterprise Security, Networked Systems Survivability Program.

[3] Carlson, Tom (2001), Information Security Management Understanding ISO 17799, CISSP Lucent Technologies Worldwide Services.

[4] Peltier, Thomas R; Peltier, Justin; Blackley John (2005), Information Security Fundamentals, CRC Press LLC.

[5] Stoneburner, Gary; Goguen, Alice and Feringa, Alexis (2002), Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology.

[6] Simpson, Nik (2006), Building a Scalable Enterprise-Class Data Classification System, http://www.scentric.com/pdf/Data_Classification_Systems.pdf.

[7] ISO/IEC (2005), Information Technology – Security Techniques – Information Security Management System – Requirements, International Standard ISO/IEC 27001, first edition.


* Imran. E-mail: barinox77@yahoo.com

24 April 2007 at 8:09 am 8 comments

Airline Ranking

The following is a ranking of airlines based on their level of compliance with safety standards. Source: Ministry of Transportation of the Republic of Indonesia.

For wide-body aircraft.

Category 1
(meets civil aviation requirements)

-none-

Category 2
(meets the minimum civil aviation safety requirements, but some requirements have not yet been implemented)

1. Garuda Indonesia
2. Merpati Nusantara Airlines
3. Mandala Airlines
4. Trigana Air Service
5. Pelita Air Service
6. Indonesia Air Asia
7. Lion Air
8. Wing Air
9. Riau Airllines
10. PT. Express Transp AntarBenua (charter)
11. Sriwijaya Air
12. PT. Travel Express Aviation Service
13. PT. Republik Express Airlines

Category 3
(meets the minimum civil aviation standards, but some requirements have not yet been implemented, potentially reducing safety)

1. Kartika Airlines
2. Batavia Airlines
3. Trans Wisata Air
4. Tri MG Intra Asia Airlines
5. PT. Manunggal Air Service (cargo)
6. Adam Air
7. Jatayu Airlines

For small aircraft:

Category 1
(meets civil aviation requirements)

-none-

Category 2
(meets the minimum civil aviation safety requirements, but some requirements have not yet been implemented)

1. Pelita Air Service
2. Airfast Indonesia
3. Trigana Air Service
4. PT. Travira Utama
5. PT. Derazona Air Service
6. PT. National Utility Helicopter
7. Deraya Air taxi
8. PT. SMAC
9. PT. Indonesia Air Transport
10. PT. Gatari Air Service
11. PT. Intan Angkasa Air Service
12. PT. Air Pacific Utama
13. PT. Trans Wisata Prima Aviation
14. PT. Pura Wisata Baruna
15. PT. Penerbangan Angkasa Semesta
16. PT. Aviastar Mandiri
17. Balai Kalibrasi Penerbangan
18. PT. Ekspress Transp AntarBenua
19. PT. Sampoerna Air Nusantara
20. PT. Eastindo

Category 3
(meets the minimum civil aviation standards, but some requirements have not yet been implemented, potentially reducing safety)

1. PT. Helizona (inactive)
2. PT. Sayap Garuda Indah
3. Survei Udara Penas
4. PT. Gemania Trisila Air
5. PT. Dirgantara Air Service
6. PT. Kura-kura Aviation
7. PT. Asco Nusa Air
8. PT. Atlas DeltaSatya
9. PT. Asi Pudjiastuti
10. PT. Dabi Air Nusantara
11. PT. Air Transport Service
12. PT. Aliansi Upataraksa Indonesia
13. PT. Alfa Trans Dirgantara
14. PT. Prodexim

Ranking published 22 Mar 2007.

Regards

Om Ino

24 April 2007 at 7:01 am

Presidential Candidates' Campaign Teams Received Rokhmin Funds

Amien Rais admits it, while Yudhoyono's campaign team denies it.

JAKARTA — Off-budget funds of the Department of Marine Affairs and Fisheries during Rokhmin Dahuri's tenure also turned out to have flowed to a number of presidential candidates in the 2004 election. According to the interrogation records of Corruption Eradication Commission investigators, the flow of funds took place between January and July 2004.

Amien Rais, for example. The former Chairman of the National Mandate Party (PAN) received Rp 200 million in Department of Marine Affairs funds. “(On) one afternoon, I forget the date. Pak Rokhmin himself gave the contribution for the PAN campaign,” said Amien, who admitted he had not had the chance to ask where the money came from. “The agreed purpose was to help the PAN campaign,” the former presidential candidate told Tempo last Friday.

Meanwhile, a denial came from Arie Djunaidi, the former Head of Communications of Mega Centre. According to him, no Department of Marine Affairs funds flowed into the pockets of members of presidential candidate Megawati Soekarnoputri's campaign team. “I can confirm there were none,” said Arie.

Rokhmin's interrogation record states that the off-budget funds flowed to Mega Centre through a number of people, such as Arief Budimanta (Rp 50 million), Steven (Rp 200 million) and Suminta (Rp 50 million). According to Arie, if the flow really did occur, the amounts were too small. “That is very little, isn't it,” he said.

Muhammadiyah activist Iman Addaruqutni, who is listed as a member of Susilo Bambang Yudhoyono's campaign team, denied having received a share of the Department of Marine Affairs funds. The Chairman of the Matahari Bangsa Party insisted, “I never received any.”

In Rokhmin's interrogation record, Iman is named as a member of SBY's campaign team who received money twice: first, Rp 25 million on 14 January 2004; second, Rp 200 million on 10 June 2004. According to Iman, “That is one hundred percent wrong.”

Prosperous Justice Party politician Fachri Hamzah did not deny being named as a recipient of the department's funds. “That was in the past, before I became a member of the DPR,” said Fachri, adding that the money was used for the operations of a foundation he heads. Fachri did not remember the amount. But the interrogation record states that on 8 February 2004 and 9 June 2004 Fachri received Rp 50 million each time.

People's Consultative Assembly Speaker Hidayat Nur Wahid is alleged to have received Department of Marine Affairs funds while he was President of the Justice Party. That party has since been renamed the Prosperous Justice Party. “That is one-sided information, it needs to be checked again,” he said.

When Tempo pointed out that the funds were received on 29 December 2003 and 2 March 2004, Rp 100 million and Rp 200 million respectively, Hidayat replied, “There is no record with the treasurer of any funds from Pak Rokhmin or the Department of Marine Affairs.”

Khofifah Indar Parawansa, General Chairwoman of the Central Board of Muslimat Nahdlatul Ulama, acknowledged that her organization received a contribution. “The amount was Rp 30 million, for the needs of the Muslimat NU Congress,” she told Tempo yesterday.

She stressed that Department of Marine Affairs funds came not only from Rokhmin Dahuri but also from Freddy Numberi, the current Minister of Marine Affairs and Fisheries. Department funds from Rokhmin's time were used by Muslimat NU DKI Jakarta in the amount of Rp 50 million. “Those funds were for the Muslimat NU anniversary celebration,” she said.

Minister Freddy, when contacted by Tempo for confirmation, said he did not know that the donated money came from the Department of Marine Affairs' off-budget funds.

The Rokhmin case is currently under way at the Anti-Corruption Court. The series of hearings has begun the evidentiary stage with the examination of a number of witnesses. Part of the flow of Department of Marine Affairs funds in the run-up to the 2004 election is shown in the table below. IMRON ROSYID | GUNANTO | ERWIN DARYANTO |

Source: Koran Tempo – Monday, 23 April 2007

++++++++++

For current news on anti-corruption efforts and good governance, click
http://www.transparansi.or.id/

Regards

Om Ino

24 April 2007 at 6:47 am 1 comment

