Security Information Management

Security Information System

Security
The Telkom Information
Way System
The Telkom Way
& ID-SIRTII
The Telkom Way

Herdy Harman
PT Telekomunikasi Indonesia, Tbk

Presented on Sosialisasi ID-SIRTII

Semarang, 28 May 2009
1
Agenda

TELKOM in Brief

Background
 Implementation on Security Information
Management
 Internal Policies and Procedures

TELKOM Implementation Approach

 TELKOM Best Practices
 TELKOM IS Security

National Policy
 Law and Regulations
 Equipment Security
 Implementation Approach
 ID-SIRTII Mechanism

2
 TELKOM is an infocom service
provider in Indonesia, owned
by the government of
Indonesia (51.2%) and
public shareholders
(48.8%).
TELKOM listed on the Jakarta
Stock Exchange (JSE), London
Stock Exchange (LSE) and New
York Stock Exchange (NYSE) in
November 14, 1995.

PT Telekomunikasi Indonesia Tbk.

As at year-end 2007, TELKOM’s
public shareholders comprised
of foreign investors (46.2%
mostly US investors) and local
investors (2.6%).
(TELKOM) is the largest
publicly listed company
in Indonesia (17.2 % market
capitalization at Jakarta Stock
Exchange).

3
 History …

Restructuring Transforming
2007 ….
2002
Implementation of Focus On New Wave
Business
duopoly
(10 Strategic
Initiatives)
2001
• Cross ownership
1995 termination with
Go Public & listed on Indosat
JSX , SSX, NYSE & LSX • TELKOM acquired 35% 2003 - 2006
interest in Telkomsel Transformation from
1974 from Indosat Asset-based Company
1991 1999 to Customer-Centric
Separated PN
Govt transformed Company
Telekomunikasi into • Telecommunication
PERUMTEL into
PERUMTEL and industry reforms
PT. TELKOM
PT INTI based on Act No 36
• Terminated the
1948 exclusive rights of
Taken over by 1965
Separated PTT into 2 TELKOM to provide
Indonesia Govt
companies: (PN Pos & fixed-line services
under name PTT
Giro, and PN Restructuring, from Began terminating KSO
1884 Telekomunikasi)
12 WITELS into 7 DIVREs Agreement (2001)

Established by and entered KSO
Agreement in 5 DIVREs
Dutch Govt (1995)

4
Core Business …

FixedPhone
Fixed Phone Cellular
Cellular Multimedia
Multimedia

Divisions
Divisions: :
Regional1-7,
1-7,Fixed
Fixed  Division
Division: :MM
MM
Regional
TLKM
TLKM 65%65% Division&&
Division
WirelessNetwork,
Wireless Network,  Metra,
Metra,Indonusa,
Indonusa,
LongDistance
Long Distance SingTel
SingTel35%
35%
Infomedia
Subsidiaries
Subsidiaries
Infomedia
Subsidiaries
Subsidiaries

No.11mobile
No. mobile
Marketleader
Market leaderwith
with MarketChallenger
Market Challenger
operatorwith
operator withmore
more Market
Market
morethan
more than90%
90% withsignificant
with significant Position
than50%
than 50%market
market Position
marketshare
market share growth
growth
share
share

5
 ICT Market Profile

Status: Q1 2008

6
Implementation on Security Information Management

Means of achieving targets

Targets
Access control, user
identification &
authentication, Preserving the
encryption, digital
signature, message
Confidentiality,
authentication, backups, Integrity/ authenticity
capacity planning, & Availability
regular maintenance,
virus protection
of information
software, information
handling procedures,
physical security etc

7
Policies and Procedures

Information Security Policy

– To provide management direction and support for
information security in accordance with business
requirements and relevant laws and regulations.

Internal Organization
– To manage information security within the organization.

Responsibilities for Assets

– Owners should be identified for all assets and the
responsibility for the maintenance of appropriate controls
should be assigned. The implementation of specific
controls may be delegated by the owner as appropriate
but the owner remains responsible for the proper
protection of the assets.

8
TELKOM Best practices repository for IT process & Governance

How IT is organized to
respond to the requirements

IT IT Business
Resources Processes Focus
•• SecurityPolicy
Security Policy
•• OrganizationalSecurity
Security
Organizational

Effectiveness
Effectiveness


Data
Data •• Assetmanagement
Asset management
•• HRMSecurity
HRM Security

Efficiency
Efficiency


Application
Application •• Physical&&Environmental
Physical EnvironmentalSecurity
Security

Confidentiality
Confidentiality
systems
systems Comm.&Operation
&Operationmanagement
management
•• Comm.

Integrity
Integrity
•• AccessControl
Control


Infrastructure
Infrastructure Access
•• SystemAcqusition,
System Acqusition,Devl
Devl&&Mtance
Mtance

Availability
Availability


People
People •• Incidentmanagement
Incident management


Compliance
Compliance
•• BCP
BCP
•• Compliance
Compliance

Informationreliability
Information reliability

IT GOVERNANCE INTERNAL POLICY IT GENCON/SOX

9
Process of Incident Handling

PREVENTION INCIDENT

Access NW & IP Mgt &

Standardization Help Desk
Firewall Consolidation &
Standardization Company
Monitoring Level
Disaster Recovery NW Development
Integrated Virus Protection
IT Infrastructure Management
System Reporting

ID SIRTII
Nation
Analysis & Investigate
Level
Legal Enforcement
10
Law and Regulations

The Act No.36/1999

Telecommunication

Government Regulation No.52/2000

Telecommunication Practices

The Act No.11/2008

Electronic Information and Transaction

ICT Ministry Decree No.26/PER/M.KOMINFO/2007

Indonesian Security Incident Response Team on Internet Infrastructure

Indonesia Security Incidents Response Team on Internet Infrastructure

11
Equipment Security as Implementation Approach

• To prevent loss, damage, theft, or compromise of assets and

interruption to the organization’s activities.

• Generic Implementation

CodeRed
The Internet Attack Server

CodeRed
Attack!!

Sensor •••

12
 Implementation Approach

NAPs •••
Internet IXPs
ID-SIRTII

•••
Monitoring
Traffic
Legend :

••• ISPs
•••
Sensor

Collecting
Server Log Files

Monitoring Hot Spots Internet Kiosks Public Access

Traffic

Collecting
Log Files

Recording Recording Recording

User’s ID User’s ID User’s ID
13
 Mechanism

AnalyseIncident
Analyse IncidentIndication
Indication ResponseIncident
Response IncidentManagement
Management

Provide
Collect and
Stakeholders
Manage Log Files Analyse Alert Receive
with Log Files
from ISPs Patterns Related Formal
Record
and Institutions Requests
Detect regarding from
Provide
Monitor Internet Indication Incident National
Stakeholders with
Traffic on IXPs Signals Occurrences Authorities
Traffic Patterns
and NAPs
Record

Develop training programs and research laboratories for societies

Engage national and international collaborations with related parties

Support stakeholders with technical information services and support

Source : ID-SIRTII
14
Security is everyone responsibility…

15