Keamanan Komputer
Security Policy
-Aurelio Rahmadian-
Objektif
Tingkat Keamanan yang Dibutuhkan
 Acceptable Use Policy
 Authentication
 Security Policy
 Disaster Recovery Plan

Tingkat Keamanan yang Dibutuhkan

Tergantung…
◦ jenis bisnis/usaha yang dijalankan oleh
perusahaan
◦ jenis data yang disimpan di jaringan
◦ filosofi manajemen dari perusahaan
Tingkat Keamanan yang Dibutuhkan
Acceptable Use Policy
Acceptable Use/Usage Policy (AUP)
 Fair Use Policy
 Terms of Service (ToS)
 Terms of Use
 Terms and Conditions

Acceptable Use Policy
Merupakan sejumlah aturan yang
diterapkan oleh pemilik atau manajer dari
jaringan, website, atau sistem komputer
yang fungsinya untuk membatasi
bagaimana objek tersebut digunakan
 User harus menyetujui untuk mematuhi
aturan tersebut untuk menggunakan
layanan

Acceptable Use Policy
“AUP documents are written for corporations,
businesses, universities, schools, internet
service providers, and website owners, often
to reduce the potential for legal action that
may be taken by a user, and often with little
prospect of enforcement.”
-wikipedia-
Acceptable Use Policy
https://community.ja.net/library/acceptable
-use-policy
 http://www.freeservers.com/policies/acce
ptable_use.html
 http://info.yahoo.com/legal/us/yahoo/utos/
utos-173.html
 http://www.google.com/intl/en/policies/ter
ms/

Acceptable Use Policy

Using our Services
◦ Don’t misuse our Services. For example, don’t interfere with our
Services or try to access them using a method other than the
interface and the instructions that we provide.You may use our
Services only as permitted by law, including applicable export
and re-export control laws and regulations. We may suspend or
stop providing our Services to you if you do not comply with
our terms or policies or if we are investigating suspected
misconduct.
◦ Using our Services does not give you ownership of any
intellectual property rights in our Services or the content you
access. You may not use content from our Services unless you
obtain permission from its owner or are otherwise permitted by
law. These terms do not grant you the right to use any branding
or logos used in our Services. Don’t remove, obscure, or alter
any legal notices displayed in or along with our Services.
-Google Terms-
Authentication

Username
Authentication

Username
◦
◦
◦
◦
◦
◦
◦
◦
◦
◦
◦
Use your life as a template
Use your pastime
Keep it succinct
Use compound words
Use your favorite TV show
Try leetspeak
Make your pet's name your user name
Play with your name
Use unique characters
Use a name generator
Jumble it Up
Authentication

Username
◦ Avoid using names that could be a problem or
a risk
 Your full or last name
 Obscene words—somebody could become
offended
 Your street address
 Do not make an excessively long username
 Do not use your email name as a user name
Authentication

Password
◦ Contain both upper and lower case
characters (e.g., a-z, A-Z)
◦ Have digits and punctuation characters as well
as letters e.g., 0-9, !@#$%^&*()_+|~=\`{}[]:";'<>?,./)
◦ Are at least eight alphanumeric characters
long
◦ Are not a word in any language, slang, dialect,
jargon, etc.
◦ Are not based on personal information,
names of family, etc.
Authentication

Password
◦ Passwords should never be written down or
stored on-line
◦ Try to create passwords that can be easily
remembered, one way to do this is create a
password based on a song title, affirmation, or
other phrase
◦ For example, the phrase might be: "This May
Be One Way To Remember" and the
password could be: "TmB1w2R!" or
"Tmb1W>r~" or some other variation
25 password yang paling
mudah ditebak dan terburuk
di internet (2013)
-SplashData (Software company, CA)-
Security Policy
Inti dari pengamanan sebuah sistem,
organisasi, ataupun objek lainnya yang
berbentuk tujuan pengamanan dan prioritas
yang tertulis
 Mencakup pembatasan perilaku anggota,
pembatasan akses fungsi, program, data, serta
pembatasan yang berhubungan dengan
mekanisme seperti pintu, kunci, dll.
 Perlu dibentuk sebelum kebutuhan teknis

Security Policy

Menulis security policy merupakan langkah
pertama, implementasinya merupakan
langkah yang lebih besar
◦ Conduct Security Awareness Seminars, workshops, quizzes
◦ Prepare Do's & Don'ts of Security Policy, distribute and
display them
◦ Create posters, stickers, t-shirts, mugs, mouse pads, all
with security messages
◦ Run slogan competitions
◦ Give wide publicity to any security breaches in (other)
companies
◦ And of course, perform security audits
Security Policy – E-mail Policy

Confidentiality of information:
◦ E-mail should not be used for confidential information exchange
◦ Sender will be totally responsible for the content of the
information
◦ Noe sensitive information like password, PIN, credit card details
should ever be sent by e-mail

Appropriate use:
◦ Use of e-mail will be restricted for business use only
◦ E-mail should not be used for sending spam mail
◦ E-mail should not be used to transmit chain mails, greetings,
graphics, etc.
◦ E-mails should not be automatically forwarded to addresses
outside the company
◦ Size of the e-mail should be restricted within approved limits
Security Policy – Email Policy

Management authority:
◦ Management could use its right to monitor
the e-mails
◦ Management could store the e-mails for
retreival at a later date for any legal purpose
◦ Any encryption done to e-mail attachments
should be with the company approval and the
encryption key should be stored for retreival
when necessary
Security Policy - Other









Acceptable use policy
Authentication standards
Rules for network access
Policy for disposal of materials
Virus protection standards
Online security resources
Server room security
Anti-theft devices for server hardware
Securing removable media
Disaster Recovery Plan
Merupakan sekumpulan proses atau
prosedur yang terdokumentasi untuk
memulihkan dan melindungi infrastruktur
IT saat terjadi bencana
 Hal yang tertulis mencakup aksi-aksi yang
perlu dilakukan sebelum bencana, saat
bencana berlangsung, serta setelah terjadi
bencana

Disaster Recovery Plan

Bencana dapat berupa bencana alam
maupun bencana yang diakibatkan manusia
Bencana alam
Perbuatan manusia
Longsor
Terorisme
Badai
Kecelakaan nuklir
Sambaran petir
Putusnya aliran listrik
Kebakaran liar
Kebakaran (urban)
Tsunami
Kebocoran bahan berbahaya
Letusan gunung berapi
Kerusuhan
Disaster Recovery Plan

Risk assessment
◦ Identifikasi bisnis proses dan resource yang
berhubungan dengan infrastruktur IT
◦ Identifikasi ancaman yang ada terhadap bisnis
proses dan resource IT
◦ Tentukan strategi untuk eliminasi atau mitigasi
resiko yang disebabkan oleh ancaman
Disaster Recovery Plan

Information asset management
◦ Apa saja aset yang dimiliki?
◦ Dimana aset tersebut?
◦ Siapa yang memiliki akses terhadap aset dan
tahukah tanggung jawab mereka?
◦ Ketika terjadi masalah, apa yang perlu
dilakukan?

Inventaris
Disaster Recovery Plan
How will you “reconnect” when
nothing works?
Disaster Recovery Plan

Basic Plan
◦
◦
◦
◦
Provides general guidance
Predicts Disasters
Has defined simple crisis protocols
Identifies leadership and authorities
Disaster Recovery Plan

Developing a DRP:
◦
◦
◦
◦
◦
◦
Conduct a Risk Assessment
Identify Recovery Strategies
Develop Recovery Procedures
Purchase Products and Services
Test the Plan and Train Users
Maintain the Plan
Disaster Recovery Plan

Identify processes & resources:
◦
◦
◦
◦
Work procedures
Applications supporting the procedures
Where input comes from and output goes
Alternate procedures when application
unavailable
◦ Tolerance to interruption
◦ Supporting infrastructure hardware and
software
Disaster Recovery Plan
◦
◦
◦
◦
Determine risks that can be eliminated
Determine maximum recovery response time
Determine backup frequency
Determine minimum emergency
configurations
Disaster Recovery Plan
Disaster Recovery Plan

Contoh rencana pemulihan data (tahap
pencegahan):
◦ Melakukan backup secara rutin ke magnetic
tape yang disimpan off-site
◦ Melakukan backup secara rutin ke electronic
“tape vault” melalui jaringan
◦ Remote mirroring data ke beberapa tempat
penyimpanan melalui jaringan
Disaster Recovery Plan

Some of DRP benefits:
◦
◦
◦
◦
◦
◦
◦
Providing a sense of security
Minimizing risk of delays
Guaranteeing the reliability of standby systems
Providing a standard for testing the plan
Minimizing decision-making during a disaster
Reducing potential legal liabilities
Lowering unnecessarily stressful work
environment