You are on page 1of 15

Security Information Management

Security Information System


Security
The Telkom Information
Way System
The Telkom Way
& ID-SIRTII
The Telkom Way

Herdy Harman
PT Telekomunikasi Indonesia, Tbk

Presented on Sosialisasi ID-SIRTII


Semarang, 28 May 2009
1
Agenda
 TELKOM in Brief
 Background
 Implementation on Security Information
Management
 Internal Policies and Procedures

 TELKOM Implementation Approach


 TELKOM Best Practices
 TELKOM IS Security

 National Policy
 Law and Regulations
 Equipment Security
 Implementation Approach
 ID-SIRTII Mechanism

2
TELKOM is an infocom service TELKOM listed on the Jakarta
provider in Indonesia, owned Stock Exchange (JSE), London
by the government of Stock Exchange (LSE) and New
Indonesia (51.2%) and York Stock Exchange (NYSE) in
public shareholders November 14, 1995.
(48.8%).

PT Telekomunikasi Indonesia Tbk.


(TELKOM) is the largest
publicly listed company
As at year-end 2007, TELKOM’s in Indonesia (17.2 % market
public shareholders comprised capitalization at Jakarta Stock
of foreign investors (46.2% Exchange).
mostly US investors) and local
investors (2.6%).

3
History …

Restructuring Transforming
2007 ….
2002
Implementation of Focus On New Wave
Business
duopoly
(10 Strategic
Initiatives)
2001
• Cross ownership
1995 termination with
Go Public & listed on Indosat
JSX , SSX, NYSE & LSX • TELKOM acquired 35% 2003 - 2006
interest in Telkomsel Transformation from
1974 from Indosat Asset-based Company
1991 1999 to Customer-Centric
Separated PN
Govt transformed Company
Telekomunikasi into • Telecommunication
PERUMTEL into
PERUMTEL and industry reforms
PT. TELKOM
PT INTI based on Act No 36
• Terminated the
1948 exclusive rights of
Taken over by 1965
Separated PTT into 2 TELKOM to provide
Indonesia Govt
companies: (PN Pos & fixed-line services
under name PTT
Giro, and PN Restructuring, from Began terminating KSO
1884 Telekomunikasi) 12 WITELS into 7 DIVREs Agreement (2001)
Established by and entered KSO
Agreement in 5 DIVREs
Dutch Govt (1995)

4
Core Business …

FixedPhone
Fixed Phone Cellular
Cellular Multimedia
Multimedia

Divisions
Divisions: :
Regional1-7,
1-7,Fixed
Fixed  Division
Division: :MM
MM
Regional
TLKM
TLKM 65%65% Division&&
Division
WirelessNetwork,
Wireless Network,  Metra,
Metra,Indonusa,
Indonusa,
LongDistance
Long Distance SingTel
SingTel35%
35%
Infomedia
Subsidiaries
Subsidiaries
Infomedia
Subsidiaries
Subsidiaries

No.11mobile
No. mobile
Marketleader
Market leaderwith
with MarketChallenger
Market Challenger
operatorwith
operator withmore
more Market
Market
morethan
more than90%
90% withsignificant
with significant Position
than50%
than 50%market
market Position
marketshare
market share growth
growth
share
share

5
ICT Market Profile

Status: Q1 2008

6
Implementation on Security Information Management

Means of achieving targets


Targets
Access control, user
identification &
authentication, Preserving the
encryption, digital
signature, message
Confidentiality,
authentication, backups, Integrity/ authenticity
capacity planning, & Availability
regular maintenance,
virus protection
of information
software, information
handling procedures,
physical security etc

7
Policies and Procedures

 Information Security Policy


– To provide management direction and support for
information security in accordance with business
requirements and relevant laws and regulations.

 Internal Organization
– To manage information security within the organization.

 Responsibilities for Assets


– Owners should be identified for all assets and the
responsibility for the maintenance of appropriate controls
should be assigned. The implementation of specific
controls may be delegated by the owner as appropriate
but the owner remains responsible for the proper
protection of the assets.

8
TELKOM Best practices repository for IT process & Governance

How IT is organized to
respond to the requirements

IT IT Business
Resources Processes Focus
•• SecurityPolicy
Security Policy
•• OrganizationalSecurity
Security
Organizational  Effectiveness
Effectiveness
 Data
Data •• Assetmanagement
Asset management
•• HRMSecurity
HRM Security  Efficiency
Efficiency
 Application
Application •• Physical&&Environmental
Physical EnvironmentalSecurity
Security  Confidentiality
Confidentiality
systems
systems Comm.&Operation
&Operationmanagement
management
•• Comm.  Integrity
Integrity
•• AccessControl
Control
 Infrastructure
Infrastructure Access
•• SystemAcqusition,
System Acqusition,Devl
Devl&&Mtance
Mtance  Availability
Availability
 People
People •• Incidentmanagement
Incident management
 Compliance
Compliance
•• BCP
BCP
•• Compliance
Compliance  Informationreliability
Information reliability

IT GOVERNANCE INTERNAL POLICY IT GENCON/SOX


9
Process of Incident Handling

PREVENTION INCIDENT

Access NW & IP Mgt &


Standardization Help Desk
Firewall Consolidation &
Standardization Company
Monitoring Level
Disaster Recovery NW Development
Integrated Virus Protection
IT Infrastructure Management
System Reporting

ID SIRTII
Nation
Analysis & Investigate
Level
Legal Enforcement
10
Law and Regulations

 The Act No.36/1999


Telecommunication

 Government Regulation No.52/2000


Telecommunication Practices

 The Act No.11/2008


Electronic Information and Transaction

 ICT Ministry Decree No.26/PER/M.KOMINFO/2007


Indonesian Security Incident Response Team on Internet Infrastructure

Indonesia Security Incidents Response Team on Internet Infrastructure

11
Equipment Security as Implementation Approach

• To prevent loss, damage, theft, or compromise of assets and


interruption to the organization’s activities.

• Generic Implementation

CodeRed
The Internet Attack Server

CodeRed
Attack!!

Sensor •••

12
Implementation Approach

NAPs •••
Internet IXPs
ID-SIRTII

•••
Monitoring
Traffic
Legend :

••• ISPs
•••
Sensor

Collecting
Server Log Files

Monitoring Hot Spots Internet Kiosks Public Access


Traffic

Collecting
Log Files

Recording Recording Recording


User’s ID User’s ID User’s ID
13
Mechanism

AnalyseIncident
Analyse IncidentIndication
Indication ResponseIncident
Response IncidentManagement
Management

Provide
Collect and
Stakeholders
Manage Log Files Analyse Alert Receive
with Log Files
from ISPs Patterns Related Formal
Record
and Institutions Requests
Detect regarding from
Provide
Monitor Internet Indication Incident National
Stakeholders with
Traffic on IXPs Signals Occurrences Authorities
Traffic Patterns
and NAPs
Record

Develop training programs and research laboratories for societies

Engage national and international collaborations with related parties

Support stakeholders with technical information services and support

Source : ID-SIRTII
14
Security is everyone responsibility…

15