By Gracia

11 Dec 2023

Corporate Security Asset Protection: Getting to Know Information Security Governance

Hello, Privacymu Buddies!

Information Security Governance is an integral component of corporate governance, offering strategic direction, ensuring the attainment of corporate objectives, managing risks, responsibly utilizing organizational resources and overseeing the outcomes of security programs.

Every company must guarantee the security of its information, preventing any compromise. Moreover, avoiding contracts that could harm the company or organization is equally crucial.

The rapid advancement of information technology over the past decade has resulted in its pervasive presence across various sectors, including business, government, finance, education, military, and health activities, making it indispensable for Privacymu Buddies.

As reliance on information technology continues to grow across all aspects, encountering the impact and consequences of cybercrime becomes more prevalent.

Numerous challenges in preventing cybercrime revolve around the need for widespread understanding and awareness of legal regulations concerning cybercrime, risks arising from the cross-border nature of cybersecurity, emerging technologies and systems, and the proliferation of new cybercrimes.

Moreover, criminal tools such as Gh0st RAT and DarkComet are commonly employed to steal banking data. These tools are free and easy to obtain, and they also help conceal the attacker's origin. Hence, caution is warranted wherever such free tools are in use!

This malware targets businesses, consulting services companies, the service sector, government entities, and the high-technology sector. Several information security governance frameworks have been developed and extensively adopted globally, particularly in the United States and Europe. Let's delve deeply into this article's explanation of information security governance!

The Urgency of Information Security Governance in Companies

Information security governance is a responsible effort and practice undertaken by a company to provide strategic direction, ensure that corporate objectives can be achieved, manage risks appropriately and verify that the company's resources are used responsibly.

The urgency of implementing information security governance lies in protecting the most valuable assets of a company or organization. Identifying which company information assets need protection is a critical success factor for the efficient and effective implementation of information security in the company.

The Ministry of Communication and Information Technology of the Republic of Indonesia, in the Guidelines for the Implementation of Information Security Governance for Public Service Providers, groups several important assets that must be protected, including:

  1. Data and information: technical documents, company procurement and contract documents, salary data, customer data, employee data, management documentation systems and network configurations, penetration test results, business continuity plans, operational procedure training materials, and audit results.
  2. Software: software in applications, development tools, operating systems, and software tools (antivirus, audit tools).
  3. Hardware: laptops, servers, PCs, data storage media.
  4. Communication network devices: modems, routers, switches, firewalls, and cables.
  5. Supporting facilities: workspace, server room/data center room, electronic access door, disaster recovery center (DRC) room, generator, UPS, A/C, CCTV, fire extinguisher.
  6. Human resources: permanent employees, contract employees, prospective employees, vendors, partners, and other third parties who provide services and products that support the business of public service providers.

Information Security Governance Framework

Rastogi and von Solms explain that information security governance consists of structures, guidance, relationships and processes that together provide a framework for implementing information security governance.

Two earlier standards are worth knowing: COBIT and ISO/IEC 17799. COBIT, or Control Objectives for Information and Related Technology, is a standard guide to information technology management practices and documentation for managing information technology that can help auditors, management, and users.

ISO/IEC 17799 is an Information Security Management System (ISMS) standard that has been refined for use by companies in securing their data.

Read also: International Standard Organization (ISO) 27001: An Important Standard as a Guideline for Personal Data Protection

Here are the frameworks for information security governance:

  1. A practical guide to implement and control Information Security Governance

This type of framework focuses on selecting metrics and indicators to track the evolution of information security and on measuring the level of information security maturity within a company or organization. The approach pays attention to the balanced scorecard (a corporate management strategy tool) and to IT and security governance best practices such as COBIT and ISO/IEC 17799.

  2. Business Software Alliance

The Business Software Alliance adopts ISO/IEC 17799 best practices and procedures (later incorporated in the ISO/IEC 27000 series). It provides a structure in which each management role knows its function, how to achieve objectives, and how to measure and audit the activities carried out.

  3. Information security policy: An organizational-level process model

This framework focuses on the policy side of information security governance, using data collection methodologies from security experts together with interviews and questionnaires with security professionals. The result is a model of information security policy to be implemented in an iterative cycle. The framework considers the impact of external and internal influences, as well as the role of corporate governance. It also places great emphasis on training and policy awareness.

  4. Information Security Governance

This framework emphasizes that an information security framework should distinguish between the governance and management sides. It provides more detail about ISG and information security management as part of corporate governance and explains each individual's duties, roles and responsibilities within the company.

  5. The Information Systems Audit and Control Association (ISACA)

ISACA's framework uses a generic model to address information security within an enterprise.

  6. ISO/IEC Standards

The ISO/IEC 27000 series is dedicated to enterprise information security management systems; it is used to develop and implement frameworks for managing the security of information assets and prepares organizations to apply them to their information protection. The standard guides the protection of information assets through defining, achieving, maintaining, and improving information security.

  7. IT Governance Institute (ITGI)

The ITGI focuses on information technology governance and developed COBIT.

  8. The National Institute of Standards and Technology (NIST)

NIST is an agency of the United States Department of Commerce that has published many guidelines related to information security.

  9. Software Engineering Institute

The Software Engineering Institute of Carnegie Mellon University has published a guide to enterprise security and the characteristics of effective information security governance.

That concludes the article "Corporate Security Asset Protection: Getting to Know Information Security Governance."

Writer:
Gracia

Sources:
Ayodya Dewangga Sasotya Rahmadita. 2016. Kerangka untuk Tata Kelola Keamanan Informasi di Sektor Publik [A Framework for Information Security Governance in the Public Sector]. Paper.
