
4. It is stated that good change control often results in better operating performance.

Please explain this statement and describe the characteristics of good change control.

Good change control often results in better operating performance because there are
fewer problems to fix. Companies with good change management and change control
processes also experience lower costs when security incidents do happen. Indeed, the
ability to quickly identify unauthorized changes and sanction those responsible for
intentionally circumventing the change control and change management process is one of
the most important characteristics that distinguishes top-performing organizations from
all others.

Therefore, it is not surprising that two of COBIT 5's key processes deal with managing
change (BAI06) and the procedures for testing and transitioning to new solutions
(BAI07). Characteristics of a well-designed change control and change management
process include:

- Documentation of all change requests, identifying the nature of the change,
  its rationale, date of the request, and outcome of the request.

- Documented approval of all change requests by appropriate levels of
  management. It is especially important that senior management review and
  approve major changes to processes and systems in order to ensure that the
  proposed change is consistent with the organization's long-term strategic plans.

- Testing of all changes in a separate system, not the one used for daily business
  processes. This reduces the risk that bugs in modifications disrupt normal
  business.

- Conversion controls to ensure that data is accurately and completely
  transferred from the old to the new system. Internal auditors should review the
  conversion process.

- Updating of all documentation (program instructions, system descriptions,
  procedures manuals, etc.) to reflect the newly implemented changes.

- A special process for timely review, approval, and documentation of emergency
  changes as soon after the crisis as is practical. All emergency changes need to
  be logged to provide an audit trail. A large number or marked increase in the
  number of emergency changes is a potential red flag of other problems (poor
  configuration management procedures, lack of preventive maintenance, or
  political game-playing to avoid the normal change control process).

- Development and documentation of backout plans to facilitate reverting to
  previous configurations if the new change creates unexpected problems.

- Careful monitoring and review of user rights and privileges during the change
  process to ensure that proper segregation of duties is maintained.
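The conversion controls in the list above are usually implemented as control totals: a record count, a financial total over a monetary field, and a hash total over a non-monetary field, compared between the old system's export and the new system's import. The following is an added example (not code from the original notes or from any textbook) showing those checks in Python on two constructed CSV extracts; the per-record fingerprint is an extra check that catches a record that was altered even when the totals still happen to agree.

```python
"""Conversion control check: verify that records moved from an old system to a
new one arrived completely and accurately.  Added example; the CSV data below
is constructed for illustration and is not a real extract."""
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample: the old system's export ...
OLD_EXPORT = """account,customer,balance
1001,Acme Corp,1500.25
1002,Bolt Ltd,-320.00
1003,Cyan GmbH,9800.10
1004,Delta Inc,0.00
"""

# ... and what actually landed in the new system: account 1004 was dropped and
# Cyan GmbH's balance was transposed (9800.10 -> 9080.10) during the load.
NEW_IMPORT = """account,customer,balance
1001,Acme Corp,1500.25
1002,Bolt Ltd,-320.00
1003,Cyan GmbH,9080.10
"""


def load(text):
    """Parse a CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def record_fingerprint(row):
    """SHA-256 over a canonical serialization of one record, so that the same
    record always produces the same digest regardless of column order."""
    canon = "|".join(f"{k}={row[k].strip()}" for k in sorted(row))
    return hashlib.sha256(canon.encode()).hexdigest()


def control_totals(rows):
    """The three classic batch totals used to reconcile a conversion."""
    return {
        "record_count": len(rows),
        # Decimal avoids binary floating-point drift on monetary values
        "balance_total": sum(Decimal(r["balance"]) for r in rows),
        # hash total: arithmetic sum of a field with no monetary meaning
        "account_hash_total": sum(int(r["account"]) for r in rows),
    }


def verify_conversion(old_text, new_text):
    """Return a list of findings; an empty list means the conversion reconciles."""
    old_rows, new_rows = load(old_text), load(new_text)
    findings = []

    old_totals, new_totals = control_totals(old_rows), control_totals(new_rows)
    for name in old_totals:
        if old_totals[name] != new_totals[name]:
            findings.append(
                f"{name} mismatch: old={old_totals[name]} new={new_totals[name]}"
            )

    # Record-level reconciliation keyed on the account number
    old_fp = {r["account"]: record_fingerprint(r) for r in old_rows}
    new_fp = {r["account"]: record_fingerprint(r) for r in new_rows}
    for acct in sorted(old_fp.keys() - new_fp.keys()):
        findings.append(f"record missing after conversion: account {acct}")
    for acct in sorted(new_fp.keys() - old_fp.keys()):
        findings.append(f"unexpected record in new system: account {acct}")
    for acct in sorted(old_fp.keys() & new_fp.keys()):
        if old_fp[acct] != new_fp[acct]:
            findings.append(f"record altered during conversion: account {acct}")
    return findings


if __name__ == "__main__":
    for finding in verify_conversion(OLD_EXPORT, NEW_IMPORT):
        print(finding)
```

Run against the constructed data, the check reports the three total mismatches, the missing account 1004 and the altered account 1003; run against two identical extracts it reports nothing. The totals alone would not distinguish "one record dropped" from "one record altered", which is why the per-record fingerprint is worth the extra pass.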

5. Please explain the various components of detective and corrective controls.

Four types of detective controls: log analysis, intrusion detection systems,
penetration testing, and continuous monitoring.

LOG ANALYSIS

Most systems come with extensive capabilities for logging who accesses the system and
what specific actions each user performed. These logs form an audit trail of system
access. Like any other audit trail, logs are of value only if they are routinely examined.
Log analysis is the process of examining logs to identify evidence of possible attacks.
It is especially important to analyze logs of failed attempts to log on to a system
and failed attempts to obtain access to specific information resources.

Log analysis is the term used for the analysis of computer-generated records to help
organizations, businesses, or networks mitigate different risks both proactively and
reactively. Most organizations and businesses are required to do data logging and log
analysis as part of their security and compliance regulations. Log analysis helps
reduce problem-diagnosis and resolution time and supports effective management of
applications and infrastructure.
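The paragraphs above say that logs are only valuable if they are examined and that failed logon attempts deserve particular attention, but not what "examining" looks like in practice. The following added example (not from the original notes) runs three failed-logon checks over a constructed, OpenSSH-style authentication log: a brute-force burst against one account, a password spray across many accounts, and the case that matters most, a burst of failures followed by a success. The line layout, thresholds and window size are assumptions chosen for the illustration.

```python
"""Log analysis of failed logon records.  Added example; the log lines are
constructed in an OpenSSH/syslog-like layout and do not come from a real host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample.  ISO 8601 timestamps keep the example independent of the
# host's locale and year.
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[412]: Failed password for admin from 203.0.113.5 port 51000 ssh2
2024-03-01T08:00:03 sshd[412]: Failed password for admin from 203.0.113.5 port 51002 ssh2
2024-03-01T08:00:04 sshd[412]: Failed password for admin from 203.0.113.5 port 51004 ssh2
2024-03-01T08:00:06 sshd[412]: Failed password for admin from 203.0.113.5 port 51006 ssh2
2024-03-01T08:00:07 sshd[412]: Failed password for admin from 203.0.113.5 port 51008 ssh2
2024-03-01T08:00:09 sshd[412]: Accepted password for admin from 203.0.113.5 port 51010 ssh2
2024-03-01T08:10:00 sshd[498]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-03-01T08:10:01 sshd[498]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2024-03-01T08:10:02 sshd[498]: Failed password for carol from 198.51.100.7 port 40002 ssh2
2024-03-01T08:10:03 sshd[498]: Failed password for dave from 198.51.100.7 port 40003 ssh2
2024-03-01T08:10:04 sshd[498]: Failed password for erin from 198.51.100.7 port 40004 ssh2
2024-03-01T09:00:00 sshd[530]: Failed password for alice from 192.0.2.9 port 42000 ssh2
2024-03-01T09:00:30 sshd[530]: Accepted password for alice from 192.0.2.9 port 42001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Turn matching lines into event dicts; other sshd noise is skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def analyze(log_text, window=timedelta(minutes=5), brute_threshold=5, spray_threshold=5):
    """Return (alert_type, source_ip, detail) tuples for suspicious patterns."""
    events = parse(log_text)          # assumed to be in chronological order
    alerts = []
    fails_by_ip_user = defaultdict(list)
    users_by_ip = defaultdict(set)
    for e in events:
        if not e["ok"]:
            fails_by_ip_user[(e["ip"], e["user"])].append(e["ts"])
            users_by_ip[e["ip"]].add(e["user"])

    # Brute force: sliding window over one source's failures against one account
    for (ip, user), times in fails_by_ip_user.items():
        for i, t in enumerate(times):
            if sum(1 for t2 in times[i:] if t2 - t <= window) >= brute_threshold:
                alerts.append(("brute_force", ip, user))
                break

    # Password spraying: one source, many distinct accounts, all failing
    for ip, users in users_by_ip.items():
        if len(users) >= spray_threshold:
            alerts.append(("password_spray", ip, f"{len(users)} accounts"))

    # The important one: a success from a source that just brute-forced that account
    seen_fail = set()
    for e in events:
        key = (e["ip"], e["user"])
        if not e["ok"]:
            seen_fail.add(key)
        elif key in seen_fail and len(fails_by_ip_user[key]) >= brute_threshold:
            alerts.append(("success_after_brute_force", e["ip"], e["user"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

On the constructed log the analysis raises three alerts: a brute-force attempt against admin from 203.0.113.5, a password spray across five accounts from 198.51.100.7, and the admin login that succeeded right after the brute-force burst. Alice's single typo from 192.0.2.9 followed by a success is deliberately below every threshold and produces nothing, which is the behaviour an analyst wants from a failed-logon rule.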

INTRUSION DETECTION SYSTEMS

Network intrusion detection systems (IDSs) consist of a set of sensors and a central
monitoring unit that create logs of network traffic that was permitted to pass the
firewall and then analyze those logs for signs of attempted or successful intrusions.
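The description above covers what an IDS sensor consumes (traffic the firewall let through) but not how it decides something is an intrusion. The following added example (not from the original notes) shows the two detection styles real network IDSs combine, signature matching on payload bytes and an anomaly rule that flags a port scan, applied to constructed flow records. The two signatures and the scan thresholds are illustrative assumptions; production rule sets such as those for Snort or Suricata are far richer.

```python
"""Network IDS sensor logic over traffic that the firewall allowed through.
Added example; the flow records below are constructed, not captured traffic."""
import re
from collections import defaultdict

# Constructed records: (seconds since capture start, src, dst, dst_port, payload)
FLOWS = [
    (0.0, "203.0.113.5", "10.0.0.8", 22, b""),
    (0.1, "203.0.113.5", "10.0.0.8", 23, b""),
    (0.2, "203.0.113.5", "10.0.0.8", 25, b""),
    (0.3, "203.0.113.5", "10.0.0.8", 80, b""),
    (0.4, "203.0.113.5", "10.0.0.8", 443, b""),
    (0.5, "203.0.113.5", "10.0.0.8", 3306, b""),
    (0.6, "203.0.113.5", "10.0.0.8", 8080, b""),
    (0.7, "203.0.113.5", "10.0.0.8", 8443, b""),
    (0.8, "203.0.113.5", "10.0.0.8", 9200, b""),
    (0.9, "203.0.113.5", "10.0.0.8", 27017, b""),
    (5.0, "198.51.100.7", "10.0.0.8", 80, b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\n"),
    (6.0, "192.0.2.9", "10.0.0.8", 80, b"GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1\r\n"),
    (7.0, "192.0.2.44", "10.0.0.8", 443, b"\x16\x03\x01"),          # ordinary TLS hello
    (8.0, "192.0.2.44", "10.0.0.8", 80, b"GET /index.html HTTP/1.1\r\n"),
]

# Illustrative signatures (rule id, compiled byte pattern).  These only show the
# matching mechanics, not a usable rule set.
SIGNATURES = [
    ("SIG-TRAVERSAL", re.compile(rb"\.\./\.\./")),
    ("SIG-SQLI-OR", re.compile(rb"'(?:%20|\s)+OR(?:%20|\s)+", re.IGNORECASE)),
]


def signature_alerts(flows):
    """Signature-based detection: every payload is tested against every rule."""
    alerts = []
    for _, src, dst, dport, payload in flows:
        for rule_id, pattern in SIGNATURES:
            if pattern.search(payload):
                alerts.append((rule_id, src, dst, dport))
    return alerts


def port_scan_alerts(flows, window=2.0, distinct_ports=8):
    """Anomaly-based detection: one source touching >= distinct_ports different
    ports on one host within `window` seconds is reported as a scan."""
    alerts = []
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst)].append((ts, dport))
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= distinct_ports:
                alerts.append(("PORT-SCAN", src, dst, len(ports)))
                break
    return alerts


def run_sensor(flows):
    """What the central monitoring unit would receive from this sensor."""
    return signature_alerts(flows) + port_scan_alerts(flows)


if __name__ == "__main__":
    for alert in run_sensor(FLOWS):
        print(*alert)
```

On the constructed flows the sensor reports the directory-traversal request from 198.51.100.7, the SQL-injection probe from 192.0.2.9, and a ten-port scan of 10.0.0.8 from 203.0.113.5, while the ordinary TLS and HTTP traffic from 192.0.2.44 passes silently. Note that the scan produces no signature hit at all: the empty SYN-only payloads match nothing, which is exactly why an IDS needs the anomaly rule alongside the signatures.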

PENETRATION TESTING

COBIT 5 control processes MEA01 and MEA02 state the need to periodically test the
effectiveness of business processes and internal controls (including security procedures).
We already discussed the use of vulnerability scanners to identify potential weaknesses in
system configuration. Penetration testing provides a more rigorous way to test the
effectiveness of an organization's information security. A penetration test is an
authorized attempt by either an internal audit team or an external security consulting firm
to break into the organization's information system.
1. What is Penetration Testing?
Penetration testing is an activity in which someone simulates the attacks that could be
carried out against a particular organization's or company's network in order to find the
weaknesses in that network. The person who does this is called a penetration tester
(pentester for short). Penetration testing has a formal standard that serves as a
reference for carrying it out; the standard can be found at pentest-standard.org.

2. Why is Penetration Testing needed?

So why is pentesting needed? Large companies that hold sensitive data (such as banks)
certainly do not want their networks broken into by irresponsible people who could then
take control of the network and cause enormous losses. For that reason, companies
invest money in strengthening their network systems. One of the most effective methods
is to perform a pentest. By performing a pentest, the existing security holes can be
identified and therefore fixed as quickly as possible. A pentester simulates the attacks
that could be carried out, explains the risks that could arise, and remediates the system
without damaging the company's network infrastructure.

CONTINUOUS MONITORING

COBIT 5 management practice APO01.08 stresses the importance of continuously
monitoring both employee compliance with the organization's information security
policies and overall performance of business processes. Such monitoring is an important
detective control that can identify potential problems in a timely manner.

We now discuss three particularly important corrective controls:

(1) establishment of a computer incident response team (CIRT),

(2) designation of a specific individual, typically referred to as the Chief
Information Security Officer (CISO), with organization-wide responsibility for
information security, and

(3) establishment and implementation of a well-designed patch management
system.
Corrective controls fix the problems found by detective controls. They include
procedures carried out to identify the cause of a problem, correct the resulting errors
or difficulties, and modify the system so that future problems are minimized or
eliminated.
Examples of these controls include maintaining backup copies of transactions and master
files, and following procedures to correct data-entry errors, as well as to resubmit
transactions for further processing.

COMPUTER INCIDENT RESPONSE TEAM (CIRT)

Team: technical and non-technical staff; its purpose is to respond to incidents.

A key component to being able to respond to security incidents promptly and
effectively is the establishment of a computer incident response team (CIRT).
The CIRT should include not only technical specialists but also senior operations
management, because some potential responses to security incidents have
significant economic consequences. For example, it may be necessary to
temporarily shut down an e-commerce server. The decision to do so is too
important to leave to the discretion of IT security staff; only operations management
possesses the breadth of knowledge to properly evaluate the costs and benefits of
such an action, and only it should have the authority to make that decision.
What is a CIRT?

A CIRT, or Computer Incident Response Team, is a carefully selected team of people who are
experts in handling incidents (particularly incidents involving information assets), so that
an incident can be quickly detected, investigated, and resolved.

What a CIRT does:

1. Acts as the single point of contact (the liaison when an information incident occurs).
2. Identifies and analyzes an attack.
3. Determines the policy, or anticipates the method, for dealing with an attack when it occurs.
4. Conducts research.
5. Shares knowledge.
6. Raises collective awareness.
7. Responds when an attack occurs.

CHIEF INFORMATION SECURITY OFFICER (CISO)

COBIT 5 identifies organizational structure as a critical enabler to achieve
effective controls and security. It is especially important that organizations assign
responsibility for information security to someone at an appropriate senior level of
management. One way to satisfy this objective is to create the position of CISO,
who should be independent of other information systems functions and should
report to either the chief operating officer (COO) or the chief executive officer
(CEO). The CISO must understand the company's technology environment and
work with the chief information officer (CIO) to design, implement, and promote
sound security policies and procedures. The CISO should also be an impartial
assessor and evaluator of the IT environment. Accordingly, the CISO should have
responsibility for ensuring that vulnerability and risk assessments are performed
regularly and that security audits are carried out periodically. The CISO also needs
to work closely with the person in charge of physical security, because
unauthorized physical access can allow an intruder to bypass the most elaborate
logical access controls.
Definition of CISO (Chief Information Security Officer): a person who is able to
safeguard the information security of an organization or company, both physically and
digitally. In the current era, however, almost all the information and data an
organization owns is in digital form. On the matter of information security, the CISO
is kept busy dealing with the various risks and threats that arrive.

In Indonesia, to date there has been no CISO in organizations. The CISO meant here is a
position responsible for information security at director level, which could be called
Director of Information Security; in that position a CISO can report directly to the CEO.

Erry Setiawan, Head of Compliance at PT Sigma Cipta Caraka, stated that so far only one
company in Indonesia has said it needs a CISO. This is because that company's information
security is highly critical: its business is built on information security, so if it
suffered an information leak, its business would be finished.

PATCH MANAGEMENT

The ever-increasing size and complexity of software programs almost guarantees
that they contain numerous vulnerabilities. To understand why, consider that many
programs contain millions of lines of code. Even if that code is 99.99% free of
bugs, that means that for every million lines of code there are likely 100
possible problems that could represent a vulnerability. That is why both attackers
and security consulting firms are constantly testing for vulnerabilities in widely
used software. Once a vulnerability has been identified, it is important to take
timely steps to remediate it, because it will not be long before an exploit, which is
a program designed to take advantage of a known vulnerability, is created. Although
it takes considerable skill to create an exploit, once it is published on the Internet
it can be easily used by anyone.

The widespread availability of many exploits and their ease of use make it
important for organizations to take steps to quickly correct known vulnerabilities
in software they use. A patch is code released by software developers that fixes a
particular vulnerability. Patch management is the process for regularly applying
patches and updates to all software used by the organization. This is not as
straightforward as it sounds. Patches represent modifications to already complex
software. Consequently, patches sometimes create new problems because of
unanticipated side effects. Therefore, organizations need to carefully test the effect
of patches prior to deploying them; otherwise, they run the risk of crashing
important applications. Further complicating matters is the fact that there are likely
to be multiple patches released each year for each software program used by an
organization. Thus, organizations may face the task of applying hundreds of
patches to thousands of machines every year. This is one area where intrusion
prevention systems (IPSs) hold great promise. If an IPS can be quickly updated with
the information needed to respond to new vulnerabilities and block new exploits, the
organization can use the IPS to buy the time needed to thoroughly test patches
before applying them.

Example: a defect in the system

Although a patch is intended to fix a program, it sometimes brings new problems, for
example disrupting other functions. Patch management is the process of using a plan and
strategy to choose which patches will be applied to which systems at a given time.

In addition, patch management in a company faces a variety of challenges [1], such as
the following.

1) Lack of standardization of software, hardware, and services.
2) Customers wanting different patch management policies to meet their needs.
3) Ineffective use of labor and cost.
