
IT Audit Methodology & Frameworks


IT Audit Methodologies:

CobiT

www.isaca.org
  • Developed by ISACA; (possibly) suitable for self-assessment, but less suitable for developing a system security handbook
  • Helps with implementing a control system in IT systems
  • Detailed documentation is lacking
  • Not very user-friendly


BS 7799 – Code of Practice (CoP)

www.bsi.org.uk/disc/
  • Developed in the UK by BSI (British Standards Institution)
  • Security baseline controls:
    • 10 control categories
    • 32 control groups
    • 109 security controls
    • 10 security key controls
  • Control categories:
    • System access control
    • Systems development & maintenance
    • Business continuity planning
    • Compliance
    • Information security policy
    • Security organisation
    • Assets classification & control
    • Personnel security
    • Physical & environmental security
    • Computer & network management
  • Used for self-assessment: a concept of system security and system health
  • No evaluation methodology; it does not explain how the security assessment of a system is to be carried out
  • Very user-friendly and very easy to use (according to those who have used it)

BSI – IT Baseline Protection Manual

www.bsi.bund.de/gshb/english/menue.htm

Determination of Protection Requirement

● IT Baseline Protection Manual (IT-Grundschutzhandbuch)

● Developed by GISA: German Information Security Agency (the German BSI, Bundesamt für Sicherheit in der Informationstechnik; not to be confused with the British BSI above)

● Used for: evaluating security concepts & manuals

● Evaluation methodology is not explained

● Easy to use and very detailed

● Not suitable for risk analysis

● Not represented in an easily readable graphical form

● IT security measures

  • 7 areas
  • 34 modules (building blocks)

● Safeguards catalogue

  • 6 categories of security measures

● Threats catalogue

  • 5 categories of threats

● Security Measures (example):

  • Protection for generic components
  • Infrastructure
  • Non-networked systems
  • LANs
  • Data transfer systems
  • Telecommunications
  • Other IT components

● Generic components:

  • Organisation
  • Personnel
  • Contingency Planning
  • Data Protection

● Infrastructure:

  • Buildings, Cabling, Rooms, Office, Server Room, Storage Media Archives, Technical Infrastructure Room, Protective cabinets, Home working place

ITSEC

www.itsec.gov.uk


  • ITSEC: IT Security Evaluation Criteria
  • Developed by the UK, Germany, France and the Netherlands, based primarily on the USA's TCSEC (Orange Book)
  • Based on a systematic, documented approach to security evaluations of systems & products

Common Criteria (CC)

  • Developed by the USA and the EC, based on ITSEC
  • ISO international standard (ISO/IEC 15408)
  • Evaluation steps:
    • Definition of functionality
    • Assurance: confidence in the functionality


Methodology Comparison


Source: IT Audit & Forensic

About サクラ

People call me Eri, so feel free to call me Eri ^^ Pleased to meet you!
