Technology has grown significantly that it has become a necessity in daily routine especially internet. As a vital part of technology in this era, internet holds an important role of connecting people, information, and devices worldwide. Most of the time business, communication, and even control are being executed through the internet. It has extravagantly been helpful in so many ways. However, things aren’t always as good as it seems.

As there are plenty of advantages of the technology, there are also the “dark side” of its utilization. Internet or as we known as cyber world has no boundaries of what going through and exploring every and each connection of it. In this digital era, internet is the vehicle of the good and the bad which can travel through IoT, Cloud, Artificial Intelligence (AI), Social Media, and any cyber space.

Based on Indonesia Cyber Security Report 2018 by ID-SIRTII, total of cyber-attack in 2017 reached 205,5 million attacks, increasing by 66%. Moreover, according to Tempo.co, Indonesia is prone to cyber-attacks up to year 2025. This means that cyber security needs to be enhanced, strengthen, and reinforced in order to keep information secured. Cyber security shall be a concern not only for individuals, but also enterprises and even government agencies.

“Cyber security is a shared responsibility, and greater collaboration internally between government and private sector companies is needed to share information, best practices, as well as potential threats. Banks, airports, hospitals, small-to-medium businesses, even utilities services, all need to be protected from cyber-attacks.” (Vice President, Booz Allen Hamilton Singapore and President Director PT BAHI Indonesia)

Encounter and preventive measures needs to be determined and planned accordingly. A Cyber Security System shall be built upon and implemented well in every organization. This system encompasses the protection of information, database, infrastructure, and network.

Why should an organization build a Cyber Security System? There are several reasons that have been concluded from various sources, namely such as:

Lack of human resources with the capabilities

No standardized policy and procedure

Low supervision and awareness

Lack of Security Control

As a standard for cyber security system, ISO/IEC 27001 is the international standard for Information Security Management System that can be implemented in organization. This standard is integrated with other IT Management System and able to be adapted into any kind of organization. Aside from implementing a standard, assessment shall be performed on a regular basis, for instance Vulnerability Assessment, Penetration Testing, or IT Audit. These kind of measures are part of a Cyber Security System.

ISO/IEC 27001:2013 as the latest version, consists of 14 domains, 35 objectives, and 114 controls. The domains’ objectives (control objectives) are described as follows:

1) Information Security Policies

The objective is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

2) Organization of Information Security

The objectives are to establish a management framework to initiate and control the implementation and operation of information security within the organization, and to ensure the security of teleworking and use of mobile devices.

3) Human Resources Security

The objectives are ensuring that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered; that employees and contractors are aware of and fulfill their information security responsibilities, and protecting the organization’s interest as part of the process of changing or terminating employment.

4) Asset Management

The objectives are identifying organizational assets and define appropriate protection responsibilities, ensuring that information receive an appropriate level of protection in accordance with its importance to the organization, and preventing unauthorized disclosure, modification, removal or destruction of information stored on media.

5) Access Control

The objectives are to limit access to information and information processing facilities, ensure authorized user access and to prevent unauthorized access to system and services, make users accountable for safeguarding their authentication information, and prevent unauthorized access to system and applications.

6) Cryptography

The objective is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

7) Physical and Environmental Security

The objectives are to prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities and also loss, damage, theft or compromise of assets and interruption to the organization’s operations.

8) Operations Security

The objectives are to ensure correct and secure operations of information processing facilities, to ensure that information and information processing facilities are protected against malware, to protect against loss of data, to record events and generate evidence, to ensure the integrity of operational systems, to prevent exploitation of technical vulnerabilities, and to minimize the impact of audit activities on operational systems.

9) Communications Security

The objectives are to ensure the protection of information in networks and its supporting information processing facilities and to maintain the security of information transferred within an organization and with any external entity.

10) System Acquisition, Development and Maintenance

The objectives are to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks, to ensure that information security is designed and implemented within the development lifecycle of information systems, and to ensure the protection of data used for testing.

11) Supplier Relationships

The objectives are to ensure protection of the organization’s assets that is accessible by suppliers and to maintain an agreed level of information security and services delivery in line with supplier agreements.

12) Supplier Relationships

The objective is to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weakness.

13) Information Security Aspects of Business Continuity Management

The objectives are information security continuity shall be embedded in the organization’s business continuity management systems and to ensure availability of information processing facilities.

14) Compliance

The objectives are to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements and to ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

From all 14 domains, the most suitable controls for organization that are generated from the Statement of Applicability (SOA) shall be fulfilled as mandatory requirements. This SOA comes from Gap Analysis between current state (as-is) of organization and future targeted state (to-be).

Aside from implementing a standard, assessment shall be performed on a regular basis, for instance Vulnerability Assessment, Penetration Testing, or IT Audit. These kind of measures are part of a Cyber Security System.

An important note for all organization implementing a Cyber Security System is that it may be run and maintained by your IT organization but it is all individuals’ responsibility to implement it.