Posts Tagged ‘Security’
Quality Assurance

International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements
WEBTRUST FOR CERTIFICATION AUTHORITIES PRINCIPLES AND CRITERIA
ENGAGEMENT APPLICABILITY MATRIX
WebTrust for Certification Authorities – Engagement Applicability Matrix (April 1st, 2023)
The WebTrust for Certification Authorities – Engagement Applicability Matrix provides information about the relevant assurance requirements based on current CA/Browser Forum and other requirements. In addition, it provides a summary of the current versions of the various applicable WebTrust for Certification Authorities assurance schemes.
WEBTRUST PRINCIPLES AND CRITERIA FOR CERTIFICATION AUTHORITIES
Framework for third party assurance providers to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs)
Principles and Criteria for Certification Authorities - Version 2.2.2
Principles and Criteria for Certification Authorities - Version 2.2.1
Obligations and Sanctions of Electronic System Operators (PSE)
Article 15 of the ITE Law: Electronic system operators (PSE) must be reliable and secure
Article 100 paragraph 1: Violators are subject to administrative sanctions
Article 24 paragraph 1 of Government Regulation (PP) No. 71 of 2019 on PSE: PSEs are required to have and implement electronic system security procedures to prevent disruption, failure and loss
Article 26 paragraph 1: PSEs are required to maintain the confidentiality, integrity, authenticity, accessibility, availability and traceability of electronic information and/or electronic documents in accordance with the provisions of applicable laws and regulations.
Interesting, need to learn more about PDP.
IT Security Awareness
Awareness training of this kind, whether for IT security or for safety, happens everywhere. It shouldn't need to take long; one hour is enough. But what if it has to be packaged into a full day? That becomes less easy. Even more so if it has to be packaged into a week. And more still if it becomes one course credit (SKS, 4-6 months), a full MSc in 2 years, or even a PhD in 4-6 years. Interesting.
Phishing
Ransomware
Password Housekeeping
Multi Factor Authentication
PDP Personal Data Protection
Perlindungan Data Pribadi (PDP): surprisingly, the acronym is the same in both the Indonesian and the English version (Personal Data Protection). I have known this since as early as 2020, I think. But as a keyword it is evolving. Super interesting, especially in the era of digital jargon.
Kroll (formerly Kroll Associates) is an American corporate investigation and risk consulting firm established in 1972 and based in New York City
Testing and Assurance Industry
Interesting, I found many classifications of what is called the software testing industry.
First, some classify like this:
SIT: System Integration Test
– Functional Test (Automated & Manual)
– Vulnerability Assessment and Penetration Testing (VAPT)
UAT:
– Functional Test (Manual Test)
– Performance Test
Industrial Test (Staging Environment)
– Functional Test
– Performance Test
– Stress Test
– Load Test
– Application VAPT
While others classify like this:
Functional Test:
– Unit Test
– Vendor Integration Test
– System Integration Test
– User Acceptance Test
– Regression Test
Performance Test: (Non-functional test)
– Load Test
– Stress Test
– Endurance / Soak Test
– Spike Test
– Configuration Test
Specialized/Security Test:
– Penetration Test, Vulnerability Test
IT Security Products
I think IT security is one of the most complicated product categories in the IT domain. First, it has an anti-monopoly character: unlike software or infrastructure, where a single very big company can emerge, security products tend to be locally customized (think of the many antivirus companies today). Second, security vendors also carry a big internal professional services team, unlike software vendors that can act purely as principals. Third, product naming is very much not standardized, so vendors can claim that their product has whatever specific capabilities they like.
For example, for multi-factor authentication and the zero trust security philosophy:
Cyberark PAM (Privileged Access Management (PAM) / Privileged Identity Management)
Duo mobile Two-Factor Authentication & Endpoint Security (part of Cisco 2018)
Two-factor, agent-based: Okta, Gemalto, RSA
Agentless: Silverfort
Okta: identity and access management; Okta's services are built on top of the Amazon Web Services cloud.
Information Security
Client concern on price (e.g. instead of buying a package (software + hardware), they prefer to buy the items separately).
Client concern about their own unique characteristics (e.g. 70% of the software is developed in-house).
Extended detection and response (XDR) delivers visibility into data across networks, clouds, endpoints, and applications while applying analytics and automation to detect, analyze, hunt, and remediate today’s and tomorrow’s threats
EDR: Endpoint Detection and Response
NTA: Network Traffic Analysis
SIEM: Security Information and Event Management
SOAR (security orchestration, automation, and response) technology: SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts. However, SOAR technology goes a step further by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.
EPP: Endpoint protection platform
Cloud Access Security Broker (CASB) acts as an intermediary between cloud providers and cloud consumers to enforce an organization’s security policies for cloud application access and usage.
A next-generation firewall (NGFW) is a network security device that provides capabilities beyond a traditional, stateful firewall. While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic, a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.
ServiceNow is a Platform-as-a-Service provider, providing technical management support, such as IT service management, to the IT operations of large corporations, including help desk functionality. ServiceNow develops a cloud computing platform to help companies manage digital workflows for enterprise operations.
IBM QRadar is an enterprise security information and event management (SIEM) product. It collects log data from an enterprise, its network devices, host assets and operating systems, applications, vulnerabilities, and user activities and behaviors.
High availability (HA) is a characteristic of a system which aims to ensure an agreed level of operational performance, usually uptime, for a higher than normal period.
High-availability clusters (also known as HA clusters, fail-over clusters or Metroclusters Active/Active) are groups of computers that support server applications that can be reliably utilized with a minimum amount of down-time.
High availability of virtual machines (VM) is a critical requirement for enterprises for running their key workloads
Virtual Machine HA (VM HA) implements high availability at the hypervisor level by replicating and restarting full virtual machines, while Application HA implements high availability at the application level by replicating only application data and restarting the application
Nutanix, Inc. is a cloud computing company that sells hyper-converged infrastructure (HCI) software, cloud services (such as Desktops as a service, Disaster Recovery as a service, and cloud monitoring), and software-defined storage
Hyper-converged infrastructure (HCI) is a software-defined IT infrastructure that virtualizes all of the elements of conventional “hardware-defined” systems. HCI includes, at a minimum, virtualized computing (a hypervisor), software-defined storage and virtualized networking (software-defined networking). HCI typically runs on commercial off-the-shelf (COTS) servers. The primary difference between converged infrastructure (CI) and hyper-converged infrastructure is that in HCI, both the storage area network and the underlying storage abstractions are implemented virtually in software (at or via the hypervisor) rather than physically, in hardware. Because all of the software-defined elements are implemented within the context of the hypervisor, management of all resources can be federated (shared) across all instances of a hyper-converged infrastructure.
Hyper-converged infrastructure (HCI) combines common datacenter hardware using locally attached storage resources with intelligent software to create flexible building blocks that replace legacy infrastructure consisting of separate servers, storage networks, and storage arrays.
Access Control: Identity and Access Management
Customer (or consumer) identity and access management (CIAM) is a subset of the larger concept of identity and access management (IAM). IAM itself is a concept within role-based access control (RBAC). Several of the most popular CIAM products are Ping Identity, WSO2 Identity Server, 1Password, LastPass, and Okta, as well as ForgeRock Access Management and ForgeRock Identity Gateway.
ISO/IEC 24760-1 A framework for identity management—Part 1: Terminology and concepts
ISO/IEC 24760-2 A Framework for Identity Management—Part 2: Reference architecture and requirements
ISO/IEC DIS 24760-3 A Framework for Identity Management—Part 3: Practice
ISO/IEC 29115 Entity Authentication Assurance
ISO/IEC 29146 A framework for access management
ISO/IEC CD 29003 Identity Proofing and Verification
ISO/IEC 29100 Privacy framework
ISO/IEC 29101 Privacy Architecture
ISO/IEC 29134 Privacy Impact Assessment Methodology