Anjar Priandoyo

Daily Notes

Posts Tagged ‘Security’

Quality Assurance


International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements

WEBTRUST FOR CERTIFICATION AUTHORITIES PRINCIPLES AND CRITERIA
ENGAGEMENT APPLICABILITY MATRIX

WebTrust for Certification Authorities – Engagement Applicability Matrix (April 1st, 2023)
The WebTrust for Certification Authorities – Engagement Applicability Matrix provides information about the relevant assurance requirements based on current CA/Browser Forum and other requirements. In addition, it provides a summary of the current versions of the various applicable WebTrust for Certification Authorities assurance schemes.
WEBTRUST PRINCIPLES AND CRITERIA FOR CERTIFICATION AUTHORITIES
Framework for third party assurance providers to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs)

Principles and Criteria for Certification Authorities - Version 2.2.2
Principles and Criteria for Certification Authorities - Version 2.2.1

https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria

Written by Anjar Priandoyo

May 26, 2023 at 4:02 pm

Posted in Business


Digital Trust


WEForum, ISACA, interesting concept. Digital Trust

Written by Anjar Priandoyo

May 23, 2023 at 10:56 am

Posted in Business


Obligations and Sanctions for Electronic System Operators (PSE)


Article 15 of the ITE Law: Electronic system operators (PSE) must be reliable and secure
Article 100 paragraph 1: Violators are subject to administrative sanctions

Article 24 paragraph 1 of Government Regulation (PP) 71 of 2019 on PSE: a PSE must have and implement electronic system security procedures to avoid disruption, failure and loss

Article 26 paragraph 1: a PSE must maintain the confidentiality, integrity, authenticity, accessibility, availability and traceability of electronic information and/or electronic documents in accordance with the provisions of laws and regulations.

Interesting, need to learn more about PDP. Security

Written by Anjar Priandoyo

May 22, 2023 at 11:09 am

Posted in Business


IT Security Awareness


Awareness training of this kind, whether IT security or safety, happens everywhere. It should not need to take long; one hour is enough. But what if it has to be packaged into a whole day? That is not so easy. Even more so if it has to be packaged into a whole week. Even more so if it becomes a full course unit (one SKS, 4-6 months), a standalone MSc over 2 years, or even a PhD over 4-6 years. Interesting.

Phishing
Ransomware
Password Housekeeping
Multi Factor Authentication

Written by Anjar Priandoyo

May 17, 2023 at 10:41 am

Posted in Business


PDP Personal Data Protection


Perlindungan Data Pribadi (PDP): surprisingly, the acronym is the same in both the Indonesian and the English version. I have known about this since as early as 2020, I think. But as a keyword it is evolving. Super interesting, especially in the digital jargon era.

Kroll (formerly Kroll Associates) is an American corporate investigation and risk consulting firm established in 1972 and based in New York City.

Written by Anjar Priandoyo

May 16, 2023 at 11:49 am

Posted in Business


KBUMN Digital Transformation & Cyber Security


KBUMN Digital Transformation and Cyber Security

Written by Anjar Priandoyo

May 30, 2022 at 8:14 am

Posted in Science


Testing and Assurance Industry


Interesting: I found many classifications within what is called the software testing industry.

First, some classify like this:

SIT: System Integration Test
– Functional Test (Automated & Manual)
– Vulnerability Assessment and Penetration Testing (VAPT)

UAT:
– Functional Test (Manual Test)
– Performance Test

Industrial Test (Staging Environment)
– Functional Test
– Performance Test
– Stress Test
– Load Test
– Application VAPT

While others classify like this:
Functional Test:
– Unit Test
– Vendor Integration Test
– System Integration Test
– User Acceptance Test
– Regression Test

Performance Test (non-functional test):
– Load Test
– Stress Test
– Endurance / Soak Test
– Spike Test
– Configuration Test

Specialized/Security Test:
– Penetration Test, Vulnerability Test

Written by Anjar Priandoyo

August 4, 2020 at 8:50 am

Posted in Science


IT Security Products


I think IT security is one of the most complicated product categories in the IT domain. First, it has an anti-monopoly character: unlike software or infrastructure, where one very big company can emerge, security products tend to be locally customized (think of the many antivirus companies today). Second, vendors also need a big internal professional services team, unlike software vendors that can act purely as principals. Third, product naming is far from standardized, so vendors can claim that their product has specific capabilities.

For example, multi-factor authentication and the zero trust security philosophy:

Cyberark PAM (Privileged Access Management (PAM) / Privileged Identity Management)
Duo Mobile: two-factor authentication & endpoint security (part of Cisco since 2018)

Two-factor, agent-based: Okta, Gemalto, RSA
Agentless: Silverfort

Okta: identity and access management, Okta’s services are built on top of the Amazon Web Services cloud.


Written by Anjar Priandoyo

July 17, 2020 at 4:21 pm

Posted in Science


Information Security


Client concerns about price (e.g. instead of buying a package (software + hardware), they prefer to buy separate items).
Client concerns about its unique characteristics (e.g. 70% is in-house developed software).

Extended detection and response (XDR) delivers visibility into data across networks, clouds, endpoints, and applications while applying analytics and automation to detect, analyze, hunt, and remediate today’s and tomorrow’s threats.

EDR: Endpoint Detection and Response
NTA: Network Traffic Analysis
SIEM: Security Information and Event Management

SOAR (security orchestration, automation, and response) technology. SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts. However, SOAR technology goes a step further by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.

EPP: Endpoint protection platform

Cloud Access Security Broker (CASB) acts as an intermediary between cloud providers and cloud consumers to enforce an organization’s security policies for cloud application access and usage.

A next-generation firewall (NGFW) is a network security device that provides capabilities beyond a traditional, stateful firewall. While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic, a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.

ServiceNow is a Platform-as-a-Service provider, providing technical management support, such as IT service management, to the IT operations of large corporations, including help desk functionality. ServiceNow develops a cloud computing platform to help companies manage digital workflows for enterprise operations.

IBM QRadar is an enterprise security information and event management (SIEM) product. It collects log data from an enterprise, its network devices, host assets and operating systems, applications, vulnerabilities, and user activities and behaviors.

High availability (HA) is a characteristic of a system which aims to ensure an agreed level of operational performance, usually uptime, for a higher than normal period.

High-availability clusters (also known as HA clusters, fail-over clusters or Metroclusters Active/Active) are groups of computers that support server applications that can be reliably utilized with a minimum amount of down-time.

High availability of virtual machines (VM) is a critical requirement for enterprises running their key workloads.

Virtual Machine HA (VM HA) implements high availability at the hypervisor level by replicating and restarting full virtual machines, while Application HA implements high availability at the application level by replicating only application data and restarting the application.

Nutanix, Inc. is a cloud computing company that sells hyper-converged infrastructure (HCI) software, cloud services (such as Desktops as a Service, Disaster Recovery as a Service, and cloud monitoring), and software-defined storage.

Hyper-converged infrastructure (HCI) is a software-defined IT infrastructure that virtualizes all of the elements of conventional “hardware-defined” systems. HCI includes, at a minimum, virtualized computing (a hypervisor), software-defined storage and virtualized networking (software-defined networking). HCI typically runs on commercial off-the-shelf (COTS) servers. The primary difference between converged infrastructure (CI) and hyper-converged infrastructure is that in HCI, both the storage area network and the underlying storage abstractions are implemented virtually in software (at or via the hypervisor) rather than physically, in hardware. Because all of the software-defined elements are implemented within the context of the hypervisor, management of all resources can be federated (shared) across all instances of a hyper-converged infrastructure.

Hyper-converged infrastructure (HCI) combines common datacenter hardware using locally attached storage resources with intelligent software to create flexible building blocks that replace legacy infrastructure consisting of separate servers, storage networks, and storage arrays.

Written by Anjar Priandoyo

May 15, 2020 at 11:52 am

Posted in Science


Access Control: Identity and Access Management


Customer (or consumer) identity and access management (CIAM) is a subset of the larger concept of identity and access management (IAM). IAM itself is a concept within Role-Based Access Control (RBAC). Some of the most popular CIAM products are Ping Identity, WSO2 Identity Server, 1Password, LastPass, and Okta, as well as ForgeRock Access Management and ForgeRock Identity Gateway.

ISO/IEC 24760-1 A framework for identity management—Part 1: Terminology and concepts
ISO/IEC 24760-2 A Framework for Identity Management—Part 2: Reference architecture and requirements
ISO/IEC DIS 24760-3 A Framework for Identity Management—Part 3: Practice
ISO/IEC 29115 Entity Authentication Assurance
ISO/IEC 29146 A framework for access management
ISO/IEC CD 29003 Identity Proofing and Verification
ISO/IEC 29100 Privacy framework
ISO/IEC 29101 Privacy Architecture
ISO/IEC 29134 Privacy Impact Assessment Methodology


Written by Anjar Priandoyo

May 4, 2020 at 4:26 pm

Posted in Science
