{"title":"使用CIS CSC、NIST CSF和COBIT 2019框架的网络安全审计","authors":"Viny Fadila, Nurul Mutiah, Renny Puspita Sari","doi":"10.24114/cess.v8i2.43257","DOIUrl":null,"url":null,"abstract":"Tingginya penggunaan teknologi dan informasi saat ini mengakibatkan peningkatan risiko dan ancaman keamanan data dan informasi. Dinas Komunikasi dan Informatika Kota Pontianak, dinas pemerintahan yang memanfaatkan dan menggunakan banyak teknologi informasi. Untuk mengetahui sejauh mana kemampuan Dinas Komunikasi dan Informatika Kota Pontianak dalam mengelola keamanan siber, maka diperlukan audit keamanan siber. Audit dapat dilakukan dengan menggabungkan framework CIS CSC (Center for Internet Security Critical Security Controls) untuk membatasi focus area keamanan siber aset TI serta menggunakan NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) dan COBIT 2019 (Control Objective for Information Technologies) untuk melakukan perhitungan level kapabilitas. Perhitungan level kapabilitas menggunakan metode CPM (COBIT Performance Model). Hasil perhitungan level kapabilitas keamanan siber Dinas Komunikasi dan Informatika Kota Pontianak pada Identify (ID) mencapai level 3.9, Protect (PR) mencapai level 3.4, Detect (DE) mencapai level 2.5, dan Respond (RS) mencapai level 4. Terdapat 19 rekomendasi aktivitas untuk dilakukan agar mencapai level keamanan siber yang diinginkan, kemudian dilakukan pemetaan aktivitas rekomendasi ke dalam action priority matrix, 10 aktivitas masuk ke dalam kuadran Quick Wins, dan 9 aktivitas yang masuk ke dalam kuadran Major Projects. The frequent use of technology and information today impacts the increased risk and threats to data and information security. Department of Information and Communications of Pontianak is the department that utilizes and uses a lot of information technology. To find out how far the Pontianak City Communication and Informatics Office is capable of managing cyber security, a cyber security audit is needed. Audits can be conducted by combining the CIS CSC (Center for Internet Security Critical Security Controls) framework to define the cybersecurity focus areas of IT assets and using the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and COBIT 2019 (Control Objective for Information Technologies) to calculate the capability level. Capability level calculation uses the CPM (COBIT Performance Model) method. The results of calculating the level of cyber security capability of the Pontianak City Communication and Informatics Service for Identification (ID) reaches level 3.9, Protect (PR) reaches level 3.4, Detect (DE) reaches level 2.5, and Respond (RS) reaches level 4. There are 19 activity recommendations to be carried out in order to achieve the desired level of cybersecurity, then capture recommendation activities into the action priority matrix, 10 activities included in the Quick Wins quadrant, and 9 activities entered into the Major Projects quadrant.","PeriodicalId":53361,"journal":{"name":"CESS Journal of Computer Engineering System and Science","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2023-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Cyber Security Audit using CIS CSC, NIST CSF and COBIT 2019 Framework\",\"authors\":\"Viny Fadila, Nurul Mutiah, Renny Puspita Sari\",\"doi\":\"10.24114/cess.v8i2.43257\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Tingginya penggunaan teknologi dan informasi saat ini mengakibatkan peningkatan risiko dan ancaman keamanan data dan informasi. Dinas Komunikasi dan Informatika Kota Pontianak, dinas pemerintahan yang memanfaatkan dan menggunakan banyak teknologi informasi. Untuk mengetahui sejauh mana kemampuan Dinas Komunikasi dan Informatika Kota Pontianak dalam mengelola keamanan siber, maka diperlukan audit keamanan siber. Audit dapat dilakukan dengan menggabungkan framework CIS CSC (Center for Internet Security Critical Security Controls) untuk membatasi focus area keamanan siber aset TI serta menggunakan NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) dan COBIT 2019 (Control Objective for Information Technologies) untuk melakukan perhitungan level kapabilitas. Perhitungan level kapabilitas menggunakan metode CPM (COBIT Performance Model). Hasil perhitungan level kapabilitas keamanan siber Dinas Komunikasi dan Informatika Kota Pontianak pada Identify (ID) mencapai level 3.9, Protect (PR) mencapai level 3.4, Detect (DE) mencapai level 2.5, dan Respond (RS) mencapai level 4. Terdapat 19 rekomendasi aktivitas untuk dilakukan agar mencapai level keamanan siber yang diinginkan, kemudian dilakukan pemetaan aktivitas rekomendasi ke dalam action priority matrix, 10 aktivitas masuk ke dalam kuadran Quick Wins, dan 9 aktivitas yang masuk ke dalam kuadran Major Projects. The frequent use of technology and information today impacts the increased risk and threats to data and information security. Department of Information and Communications of Pontianak is the department that utilizes and uses a lot of information technology. To find out how far the Pontianak City Communication and Informatics Office is capable of managing cyber security, a cyber security audit is needed. Audits can be conducted by combining the CIS CSC (Center for Internet Security Critical Security Controls) framework to define the cybersecurity focus areas of IT assets and using the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and COBIT 2019 (Control Objective for Information Technologies) to calculate the capability level. Capability level calculation uses the CPM (COBIT Performance Model) method. The results of calculating the level of cyber security capability of the Pontianak City Communication and Informatics Service for Identification (ID) reaches level 3.9, Protect (PR) reaches level 3.4, Detect (DE) reaches level 2.5, and Respond (RS) reaches level 4. There are 19 activity recommendations to be carried out in order to achieve the desired level of cybersecurity, then capture recommendation activities into the action priority matrix, 10 activities included in the Quick Wins quadrant, and 9 activities entered into the Major Projects quadrant.\",\"PeriodicalId\":53361,\"journal\":{\"name\":\"CESS Journal of Computer Engineering System and Science\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2023-07-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"CESS Journal of Computer Engineering System and Science\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.24114/cess.v8i2.43257\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"CESS Journal of Computer Engineering System and Science","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.24114/cess.v8i2.43257","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Cyber Security Audit using CIS CSC, NIST CSF and COBIT 2019 Framework
Tingginya penggunaan teknologi dan informasi saat ini mengakibatkan peningkatan risiko dan ancaman keamanan data dan informasi. Dinas Komunikasi dan Informatika Kota Pontianak, dinas pemerintahan yang memanfaatkan dan menggunakan banyak teknologi informasi. Untuk mengetahui sejauh mana kemampuan Dinas Komunikasi dan Informatika Kota Pontianak dalam mengelola keamanan siber, maka diperlukan audit keamanan siber. Audit dapat dilakukan dengan menggabungkan framework CIS CSC (Center for Internet Security Critical Security Controls) untuk membatasi focus area keamanan siber aset TI serta menggunakan NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) dan COBIT 2019 (Control Objective for Information Technologies) untuk melakukan perhitungan level kapabilitas. Perhitungan level kapabilitas menggunakan metode CPM (COBIT Performance Model). Hasil perhitungan level kapabilitas keamanan siber Dinas Komunikasi dan Informatika Kota Pontianak pada Identify (ID) mencapai level 3.9, Protect (PR) mencapai level 3.4, Detect (DE) mencapai level 2.5, dan Respond (RS) mencapai level 4. Terdapat 19 rekomendasi aktivitas untuk dilakukan agar mencapai level keamanan siber yang diinginkan, kemudian dilakukan pemetaan aktivitas rekomendasi ke dalam action priority matrix, 10 aktivitas masuk ke dalam kuadran Quick Wins, dan 9 aktivitas yang masuk ke dalam kuadran Major Projects. The frequent use of technology and information today impacts the increased risk and threats to data and information security. Department of Information and Communications of Pontianak is the department that utilizes and uses a lot of information technology. To find out how far the Pontianak City Communication and Informatics Office is capable of managing cyber security, a cyber security audit is needed. Audits can be conducted by combining the CIS CSC (Center for Internet Security Critical Security Controls) framework to define the cybersecurity focus areas of IT assets and using the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and COBIT 2019 (Control Objective for Information Technologies) to calculate the capability level. Capability level calculation uses the CPM (COBIT Performance Model) method. The results of calculating the level of cyber security capability of the Pontianak City Communication and Informatics Service for Identification (ID) reaches level 3.9, Protect (PR) reaches level 3.4, Detect (DE) reaches level 2.5, and Respond (RS) reaches level 4. There are 19 activity recommendations to be carried out in order to achieve the desired level of cybersecurity, then capture recommendation activities into the action priority matrix, 10 activities included in the Quick Wins quadrant, and 9 activities entered into the Major Projects quadrant.