Penerapan Kerangka Kerja NIST Cybersecurity dan CIS Controls sebagai Manajemen Risiko Keamanan Siber

Authors

  • Vicky Mahendra Computer Science Department, BINUS Graduate Program – Master of Computer Science, Bina Nusantara University, Jakarta 11480, Indonesia
  • Benfano Soewito Computer Science Department, BINUS Graduate Program – Master of Computer Science, Bina Nusantara University, Jakarta 11480, Indonesia

DOI:

https://doi.org/10.33633/tc.v22i3.8491

Keywords:

Kerangka Kerja NIST Cybersecurity, Kerangka Kerja CIS Controls, Keamanan Siber, Manajemen Risiko

Abstract

Menurut laporan dari Check Point Reasearch, terjadi peningkatan sebesar 38% dalam serangan siber global pada tahun 2022 bila dibandingkan dengan tahun 2021. Untuk menghadapi serangan siber global ini, maka perlu disiapkan manajemen risiko dalam menghadapi serangan siber tersebut. Saat ini Kementerian Pekerjaan Umum dan Perumahan Rakyat (PUPR) belum memiliki panduan dalam manajemen risiko. Kementerian PUPR dapat memanfaatkan beberapa kerangka kerja keamanan siber yang telah tersedia, seperti kerangka kerja NIST Cybersecurity dan kerangka kerja CIS Controls yang juga sering disebut Critical Security Controls sebagai langkah dalam manajemen risiko keamanan siber. Penelitian ini dilakukan pada salah satu aplikasi yang sedang berjalan pada Kementerian PUPR. Penelitian ini dimulai dengan pengumpulan data, penilaian kondisi saat ini, identifikasi kondisi saat ini, identifikasi kondisi yang diinginkan, analisis kesenjangan, memberikan rekomendasi dan membuat usulan rencana aksi. Hasil penelitian didapatkan bahwa identifikasi kondisi saat ini mendapatkan skor rata-rata 2.77. Kondisi yang diinginkan/dicapai aplikasi didapat skor rata-rata 3.00. Dari hasil tersebut, terdapat kesenjangan sebesar 0.23. Setelah analisis kesenjangan didapatkan 32 rekomendasi dan mengusulkan rencana aksi dengan isu-isu prioritas tinggi dan sedang. Manajemen risiko menggunakan kerangka kerja NIST Cybersecurity dan CIS Controls terbukti dapat mengukur kematangan keamanan siber pada infrastruktur aplikasi sehingga dapat mengurangi kemungkinan terjadinya serangan siber.

References

A. Refsdal, B. Solhaug, and K. Stølen, “Cyber-risk Management,” 2015, pp. 33–47. doi: 10.1007/978-3-319-23570-7_5.

J. Wu, J. Li, and X. Ji, “Security for cyberspace: challenges and opportunities,” Frontiers of Information Technology & Electronic Engineering, vol. 19, no. 12, pp. 1459–1461, Dec. 2018, doi: 10.1631/FITEE.1840000.

Y. Supriyadi and C. W. Hardani, “Information System Risk Scenario Using COBIT 5 for Risk And NIST SP 800-30 Rev. 1 A Case Study,” in 2018 3rd International Conference on Information Technology, Information Systems and Electrical Engineering (ICITISEE), 2018, pp. 287–291. doi: 10.1109/ICITISEE.2018.8721034.

I. F. Ashari, V. Oktarina, R. G. Sadewo, and S. Damanhuri, “Analysis of Cross Site Request Forgery (CSRF) Attacks on West Lampung Regency Websites Using OWASP ZAP Tools,” Jurnal Sisfokom (Sistem Informasi dan Komputer), vol. 11, no. 2, pp. 276–281, Aug. 2022, doi: 10.32736/sisfokom.v11i2.1393.

M. Falch, H. Olesen, K. E. Skouby, R. Tadayoni, and I. Williams, “Cybersecurity Strategies for SMEs in the Nordic Baltic Region,” Journal of Cyber Security and Mobility, Jan. 2023, doi: 10.13052/jcsm2245-1439.1161.

Check Point Research, “Check Point Research Reports a 38% Increase in 2022 Global Cyberattack,” 2023. Accessed: Mar. 07, 2023. [Online]. Available: https://blog.checkpoint.com/2023/01/05/38-increase-in-2022-global-cyberattacks/

IBM, “Cost of a data breach 2022: A million-dollar race to detect and respond,” 2023. Accessed: Mar. 07, 2023. [Online]. Available: https://www.ibm.com/reports/data-breach

Badan Siber dan Sandi Negara, “Lanskap Keamanan Siber Indonesia Tahun 2022,” 2023.

A. Alexei and A. Alexei, “Cyber Security Threat Analysis In Higher Education Institutions As A Result Of Distance Learning,” Article in International Journal of Scientific & Technology Research, vol. 10, pp. 128–133, 2021.

T. Weil and S. Murugesan, “IT Risk and Resilience—Cybersecurity Response to COVID-19,” IT Prof, vol. 22, no. 3, pp. 4–10, May 2020, doi: 10.1109/MITP.2020.2988330.

F. Hanifah, A. Budiyono, and A. Widjajarto, “Analisa Kerentanan Pada Vulnerable Docker Menggunakan Alienvault Dan Docker Bench For Security Dengan Acuan Framework CIS Control,” in e-Proceeding of Engineering , 2021, pp. 8880–8885.

S. Nikhil et al., “Demonstration of the Cybersecurity Framework through Real-World Cyber Attack,” in 2019 Resilience Week (RWS), 2019. doi: 10.1109/RWS47064.2019.8971822.

S. J. Mierzwa, S. RamaRao, J. Ah Yun, and B. G. Jeong, “Proposal for the Development and Addition of a Cybersecurity Assessment Section into Technology Involving Global Public Health,” The The International Journal of Cybersecurity Intelligence and Cybercrime, vol. 3, no. 2, pp. 48–61, Nov. 2020, doi: 10.52306/03020420BABW2272.

A. Hassanzadeh et al., “A Review of Cybersecurity Incidents in the Water Sector,” ASCE Journal of Environmental Engineering 2020, Jan. 2020, doi: 10.1061/(ASCE)EE.1943-7870.0001686.

B. Filkins, D. Wylie, and J. Dely, “SANS 2019 State of OT/ICS Cybersecurity Survey,” 2019. Accessed: Mar. 16, 2023. [Online]. Available: https://www.sans.org/white-papers/38995/

A. Belalcazar, M. Ron, J. Diaz, and L. Molinari, “Towards a strategic resilience of applications through the NIST cybersecurity framework and the strategic alignment model (SAM),” in Proceedings - 2017 International Conference on Information Systems and Computer Science, INCISCOS 2017, Institute of Electrical and Electronics Engineers Inc., Mar. 2018, pp. 181–187. doi: 10.1109/INCISCOS.2017.29.

The Center for Internet Security (CIS), “CIS Critical Security Controls v8 Mapping to NIST CSF,” 2021. Accessed: Mar. 01, 2023. [Online]. Available: https://www.cisecurity.org/insights/white-papers/cis-controls-v8-mapping-to-nist-csf

R. Kwon, T. Ashley, J. Castleberry, P. McKenzie, and S. N. Gupta Gourisetti, “Cyber threat dictionary using MITRE ATTCK matrix and NIST cybersecurity framework mapping,” in 2020 Resilience Week, RWS 2020, Institute of Electrical and Electronics Engineers Inc., Oct. 2020, pp. 106–112. doi: 10.1109/RWS50334.2020.9241271.

G. Kabanda, “A Cybersecurity Culture Framework and Its Impact on Zimbabwean Organizations,” Asian Journal of Management, Engineering & Computer Sciences (AJMECS), vol. 3, no. 4, pp. 17–34, 2018.

L. A. Gordon, M. P. Loeb, and L. Zhou, “Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model,” J Cybersecur, vol. 6, no. 1, Jan. 2020, doi: 10.1093/cybsec/tyaa005.

B. Adi. Pratomo, Awaludin. Marwan, Satriyo. Wibowo, M. Thabib. Kariadi, and Siti. Faridah, “Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (Indonesian Translation),” Gaithersburg, MD, Feb. 2022. doi: 10.6028/NIST.CSWP.04162018id.

L. Ajmi, Hadeel, N. Alqahtani, A. Ur Rahman, and M. Mahmud, “A Novel Cybersecurity Framework for Countermeasure of SME’s in Saudi Arabia,” in 2nd International Conference on Computer Applications and Information Security, ICCAIS 2019, Institute of Electrical and Electronics Engineers Inc., May 2019. doi: 10.1109/CAIS.2019.8769470.

Center for Internet Security (Inc), “CIS Critical Security Controls® CIS Critical Security Controls,” 2021. [Online]. Available: www.cisecurity.org/controls/

D. P. Prastika, J. Triyono, and U. Lestari, “Audit dan Implementasi CIS Benchmark Pada Sistem Operasi Linux Debian Server (Studi Kasus: Server Laboratorium Jaringan Dan Komputer 6, Institut Sains & Teknologi Akprind Yogyakarta),” Jurnal JARKOM , vol. 6, no. 1, pp. 1–12, 2019.

D. Woods, I. Agrafiotis, J. R. C. Nurse, and S. Creese, “Mapping the coverage of security controls in cyber insurance proposal forms,” Journal of Internet Services and Applications, vol. 8, no. 1, Dec. 2017, doi: 10.1186/s13174-017-0059-y.

S. Groš, “A Critical View on CIS Controls,” in 2021 16th International Conference on Telecommunications (ConTEL), Oct. 2021, pp. 122–128. doi: 10.23919/ConTEL52528.2021.9495982.

Center for Internet Security (Inc), “CIS Controls Cloud Companion Guide v8 CIS Controls Cloud Companion Guide,” 2022. [Online]. Available: http://www.cisecurity.

T. Casey, K. Fiftal, K. Landfield, J. Miller, D. Morgan, and B. Willis, “The Cybersecurity Framework in Action: An Intel Use Case,” 2015.

W. Alkalabi, L. Simpson, and H. Morarji, “Barriers and Incentives to Cybersecurity Threat Information Sharing in Developing Countries: A Case Study of Saudi Arabia,” in 2021 Australasian Computer Science Week Multiconference, New York, NY, USA: ACM, Feb. 2021, pp. 1–8. doi: 10.1145/3437378.3437391.

Downloads

Published

2023-08-24