Activity Log Review: Is It Necessary?

The Importance of Activity Log Review in Information Security 

In the era of digitalization, or Industry 4.0, nearly all company activities have been automated using IT applications and systems. This brings positive impacts such as efficiency and accuracy in business processes. However, on the other hand, increased digitalization also elevates the risk of cybercrime. According to data from the Indonesian National Police, 3,429 cybercrime cases were recorded from January to August 2019. 

Cybercrime not only originates from external parties but can also occur due to negligence or actions by internal company employees. To mitigate these risks, the Ministry of Communication and Informatics of the Republic of Indonesia mandates electronic system operators to implement ISO/IEC 27001, as regulated in KOMINFO Ministerial Regulation Number 4 of 2016 concerning Information Security Management Systems. 

Activity Log Monitoring in ISO/IEC 27001 

One of the primary steps in preventing cybercrime, according to ISO/IEC 27001, is to monitor system activity logs, as stipulated in Annex 12.4. Activity logs record all system activities, such as user access, system changes, and incident detection. By regularly monitoring logs, companies can analyze activity trends and identify potential threats before major incidents occur. 

Log monitoring can be performed periodically according to organizational needs, for example, once a month or once every three months, depending on the level of risk faced. For instance, a company can detect failed access attempts or discover suspicious firewall activity carried out by unknown users. 

Organizational Steps in Activity Log Monitoring 

For optimal activity log monitoring, organizations need to implement the following steps: 

1. Establish schedules and procedures for activity log monitoring. 

2. Protect logs from unauthorized changes, ensuring the security of activity records that include:  

  • User ID and system access. 
  • User login and logout times. 
  • Successful and failed access attempts. 
  • System configuration changes. 
  • Operating system utility usage. 
  • Protection system activities (firewall, antivirus, etc.). 

3. Appoint specific employees or functions responsible for activity log monitoring. 

4. Investigate suspicious activities. 

5. Configure information security alert tools to detect account changes or login failures. 

6. Retain log documentation for at least 1 year, with easy access to logs within a 3-month period, in accordance with PCI DSS Requirements. 

7. Conduct periodic monitoring of the log collection process to ensure the system functions optimally. 
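The steps above can be exercised on a small scale before any tooling is bought. The following Python script is an added example (not part of the original article or of any product it mentions): it parses constructed sample log lines in an assumed syslog-like format, raises alerts for repeated login failures and for account or configuration changes (steps 4 and 5), and verifies that an archived log has not been altered using a SHA-256 hash chain (step 2). The event names, the threshold and the log format are assumptions made for this example.

```python
import hashlib
import re
from collections import Counter

# Constructed sample log lines (not real data) in an assumed syslog-like format:
#   <timestamp> <host> <source>: <EVENT> key=value ...
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host1 auth: LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T08:00:03Z host1 auth: LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T08:00:05Z host1 auth: LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T08:00:07Z host1 auth: LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T08:00:09Z host1 auth: LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T08:01:00Z host1 auth: LOGIN_OK user=bob src=10.0.0.7
2024-03-01T08:05:00Z host1 account: USER_ADDED user=svc_backup by=bob
2024-03-01T09:00:00Z host1 auth: LOGOUT user=bob src=10.0.0.7
2024-03-01T09:30:00Z host1 config: FIREWALL_RULE_CHANGED rule=allow-any by=unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<event>[A-Z_]+)(?P<kv>.*)$"
)

# Event names are assumptions for this example; they stand for the account and
# configuration changes the article says must be recorded and alerted on.
CHANGE_EVENTS = {"USER_ADDED", "USER_DELETED", "PASSWORD_CHANGED", "FIREWALL_RULE_CHANGED"}
FAILED_LOGIN_THRESHOLD = 5


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(kv.split("=", 1) for kv in rec.pop("kv").split() if "=" in kv)
    return rec


def parse_log(text):
    """Parse all lines, skipping malformed ones (a real review would count those too)."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def find_alerts(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (alert_type, detail) tuples for the conditions the article lists:
    repeated failed logins per user/source, and account or configuration changes."""
    alerts = []
    failures = Counter()
    for r in records:
        f = r["fields"]
        if r["event"] == "LOGIN_FAILED":
            failures[(f.get("user"), f.get("src"))] += 1
        elif r["event"] in CHANGE_EVENTS:
            alerts.append(("change", f"{r['event']} {f}"))
            if f.get("by") in (None, "unknown"):  # change made by an unidentified actor
                alerts.append(("unknown_actor", r["event"]))
    for (user, src), n in failures.items():
        if n >= threshold:
            alerts.append(("failed_logins", f"{user} from {src}: {n} failures"))
    return alerts


def hash_chain(lines, seed="genesis"):
    """SHA-256 hash chain: each link covers the previous digest plus the current line,
    so editing, inserting or deleting any line changes the final digest."""
    digest = hashlib.sha256(seed.encode()).hexdigest()
    for line in lines:
        digest = hashlib.sha256((digest + line).encode()).hexdigest()
    return digest


def verify_log(text, expected_digest):
    """True if the log text still produces the digest recorded when it was archived."""
    return hash_chain(text.splitlines()) == expected_digest


if __name__ == "__main__":
    archived_digest = hash_chain(SAMPLE_LOG.splitlines())  # recorded at archive time
    print("log intact:", verify_log(SAMPLE_LOG, archived_digest))
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The archived digest only proves integrity if it is stored somewhere the people who can edit the log cannot reach (a separate log server or write-once storage), which is the practical meaning of "protect logs from unauthorized changes" in step 2.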

Conclusion 

Performing activity log monitoring is a strategic step in maintaining corporate information security. By implementing effective log monitoring policies, organizations can ensure the confidentiality, integrity, and availability of information and IT systems. 

IT GRC Team
Robere & Associates (Indonesia)

The Importance of Password Security in the Digital World

Why Is Password Security Crucial? 

With the advancement of technology and communication, the use of digital devices in daily life has significantly increased. According to Mastercard research, individuals, on average, possess ten digital accounts used across various devices and applications. Each day, a person enters a password approximately eight times to access their accounts. 

A password is one of the primary methods for maintaining security within the realm of information technology. Unfortunately, many users still employ easily guessable passwords, such as birthdates (25%), pet names (18%), or family names (13%). Furthermore, 84% of users only change their passwords occasionally, while only 16% consistently remember them. This habit increases the risk of hacking, potentially compromising users’ personal data and creating vulnerabilities for online crime. 

Threats of Hacking and Data Breaches 

Cyberattacks on large corporations often lead to customer data breaches, including phone numbers, email addresses, and other personal information. One instance of a breach in Indonesia was the KreditPlus data leak in August 2020. A report from the cybersecurity firm Cyble revealed that approximately 890,000 KreditPlus customer data records were allegedly leaked and sold on the hacking forum Raidforums. The leaked data included names, emails, passwords, home addresses, phone numbers, employment details, and even family card (KK) information. Additionally, password security can be compromised when users access public networks without additional protection. 

Best Practices in Maintaining Password Security 

ISO/IEC 27001:2013 Annex 9.4.3 governs how secure password management should be implemented to protect sensitive data. Here are some essential steps in managing password security: 

  • Do not store passwords in unencrypted plain text format. 
  • Avoid sharing passwords via email, chat, or other electronic communication media. 
  • Do not write down easily guessable password hints, such as family names or birthdates. 
  • Avoid using the “Remember Password” feature on browsers or applications. 
  • Immediately change default passwords after initial use. 
  • Use a combination of uppercase letters, lowercase letters, numbers, and special characters in your password. 
  • Ensure passwords are a minimum of eight characters long. 
  • Avoid using the same password for work and personal accounts. 
  • Utilize multi-factor authentication (MFA) such as OTP or SMS for additional security. 
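Several of the practices above can be enforced in code rather than left to users. The module below is an added example (not from the original article): it rejects passwords that are too short, lack a character mix, contain guessable personal words or a date-like digit run, and it stores only a salted PBKDF2-HMAC-SHA256 hash from Python's standard library rather than the plain-text password. The iteration count and the small denylist are assumptions for this example.

```python
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 8                 # minimum from the list above
PBKDF2_ITERATIONS = 600_000    # assumption; tune to the hardware budget
# Constructed denylist of common guessable values (assumption for the example).
GUESSABLE = {"password", "123456", "qwerty", "admin", "welcome"}


def check_policy(password, personal_words=()):
    """Return a list of policy violations; an empty list means the password is acceptable.
    personal_words lets the caller pass names or pet names that must not appear."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    for word in GUESSABLE | {w.lower() for w in personal_words}:
        if word and word in lowered:
            problems.append(f"contains guessable word '{word}'")
    if re.search(r"\d{6,8}", password):  # a 6- or 8-digit run is usually a birthdate
        problems.append("contains a date-like digit run")
    return problems


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage; the
    password itself never appears in the stored value."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    print(check_policy("budi19950812", personal_words=["Budi"]))
    record = hash_password("Tr0ub4dor&3")
    print(record)
    print(verify_password("Tr0ub4dor&3", record), verify_password("wrong", record))
```

Because the salt is generated per call, hashing the same password twice yields two different stored values; a database of such hashes leaked in an incident like the one described above cannot be reversed by a simple lookup, unlike the plain-text passwords reported in that leak.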

Conclusion 

While no security system is perfect, proper password management can significantly reduce the risk of hacking. Users are encouraged to be more aware of the importance of regularly changing passwords and implementing Multi-Factor Authentication (MFA) for added protection. 

Have you ensured the password security of your digital accounts? 

Syifa Aulia Sari
IT GRC Consultant
Robere & Associates (Indonesia)

Ensuring Business Resilience with a Business Continuity Plan (BCP)

The Impact of Pandemics on Business Continuity

Since the COVID-19 pandemic swept across the globe in 2020, various industry sectors have faced significant challenges in their operations. With restricted workplace activities, many companies encountered substantial business disruption risks. Some even had to halt partial or entire operational processes due to resource limitations and supply chain disruptions. To ensure business runs smoothly amidst a crisis, companies need to develop a Business Continuity Plan (BCP) as an anticipatory measure against uncertainty. With meticulous planning, organizations can maintain business continuity without compromising workforce safety. 

What is a Business Continuity Plan (BCP)?

According to ISO 22301, a Business Continuity Plan (BCP) is documented information that guides an organization in responding to disruptions and ensuring operational continuity until recovery. The primary objective of developing a BCP during a pandemic is to ensure business operations continue without jeopardizing employee health and safety.

Below are key steps for developing an effective BCP: 

1. Establishing a Crisis Management Team

The first step is to establish a Crisis Management Team responsible for managing the business amidst the pandemic. This team is led by a director or chief executive, with members from various departments such as operations, finance, and HR. The main tasks of the Crisis Management Team include: 

  • Identifying the most crucial business aspects. 

  • Developing appropriate emergency policies. 

  • Coordinating with stakeholders for risk mitigation. 

2. Identifying Critical Business Aspects

Companies must determine the most vital processes, assets, and resources for maintaining business operations. Several crucial aspects include: 

  • Core functions that cannot be halted, such as customer service and banking operations. 

  • Critical infrastructure like servers, data centers, and financial systems. 

  • The need for Personal Protective Equipment (PPE) for employees to ensure their safety in the workplace. 

3. Developing Emergency Policies

In a pandemic situation, several emergency policies that can be implemented include:

  • Work from Home (WFH) to reduce exposure risk.

  • Shift working systems to limit the number of employees in the office.

  • Restrictions on business travel in accordance with local government regulations. 

4. Establishing Effective Communication Channels

Communication is a key factor in business continuity during a crisis. All stakeholders, both internal and external, must receive the latest information regarding changes in company policies or operations.

Some effective communication strategies include: 

  • Utilizing digital platforms for remote coordination. 

  • Transparency in communicating policies to employees and business partners. 

  • Collaborating with medical personnel or authorities for health risk mitigation. 

5. Conducting BCP Simulations and Evaluations

Companies must conduct test implementations of their BCP to ensure the effectiveness of the strategies developed. These simulations help in: 

  • Identifying weaknesses in the plan. 

  • Refining risk mitigation strategies based on occurring scenarios. 

  • Optimizing the company’s response to potential disruptions. 

6. Developing Business Recovery Strategies

After a crisis subsides, companies must have a recovery strategy to return to normal operations. Several steps that can be taken include: 

  • Maintaining good relationships with customers and suppliers. 

  • Identifying alternative suppliers in case of supply chain disruptions. 

  • Protecting and recovering company assets, including important data and documents. 

Conclusion

Facing crises like a pandemic requires a well-structured business strategy. With a robust Business Continuity Plan (BCP), companies can ensure operational continuity, protect their workforce, and mitigate detrimental financial impacts.

Has your company developed an effective Business Continuity Plan? 


Muhammad Arief Nurhidayat
Business Development Manager
Robere & Associates (Indonesia)

Information Security Management System (ISMS): Data Protection and Business Security

The Importance of an Information Security Management System (ISMS) in the Digital Business Landscape 

In today’s era of digital transformation, business and technology are almost inseparable. The rapid advancement of technology has become a significant driver for businesses to expand their operations. Without Information Technology, organizations cannot function effectively and efficiently, as the information generated from information systems is crucial for making informed policies and decisions. Discussions about information technology are intrinsically linked to the internet, which acts as an intermediary, facilitating easy access to information. The internet effectively removes barriers of space and time, enabling the seamless dissemination of information without delay, making distance and time no longer primary obstacles in this age. 

Cyber Threats and Information Security Challenges 

The internet was first introduced by the World Wide Web over 30 years ago, and the number of internet users worldwide is astounding. A 2018 survey by We Are Social stated that 55 percent of the global population were active internet users. With a global population of 7.655 billion, this means over 4.176 billion people use the internet. This indicates the internet’s immense role in daily life. 

In Indonesia, according to a survey by the Indonesian Internet Service Providers Association (APJII) at the end of 2017, 54.68 percent of the Indonesian population were active internet users. If the total population of Indonesia is 262 million, then at least 143.26 million people were active internet users. This number has continuously increased from previous years, with 110.2 million internet users in 2015 and 132.7 million in 2016, as shown in Figure 1.1. 

Figure 1.1: Indonesian Internet User Penetration 2017 (APJII Data: 2017) 


This data highlights the increasing reliance of individuals, businesses, and all stakeholders on accessing data and information anywhere, anytime. This dependency aims to obtain information that supports increased company effectiveness and efficiency, and helps achieve business objectives. Conversely, as technology and information evolve, threats to information management also escalate. Regrettably, the growth in internet users mentioned above is not matched by a corresponding awareness of internet security, which leaves systems highly vulnerable to malware that exploits existing weaknesses. 

In 2017, known as the era of the Internet of Things (IoT), information security systems were shaken by the WannaCry ransomware malware attack. Between January and December 2018, the most frequent information security incidents were Web Defacement, followed by Malware, Spam, IP Brute Force, Phishing, and others (BSSN, ISSN 2655-8467, Volume 1, 2018). According to the Security Report by the National Cyber and Crypto Agency (BSSN) in 2018, there were 513,863 cyberattacks in Indonesia, most of which were malware activities, accounting for 12,895,554 incidents. 

This reality underscores the urgency of enhancing information security. Work processes involving internet networks are highly susceptible to malware attacks from malicious parties. To protect company information, these risks must be managed and minimized. 

Companies must implement malware control and malware protection. To prevent malware incidents within a company, it is advisable not to open spam emails from unknown sources or senders. Suspicious emails that may damage computers due to containing viruses, malware, or similar threats will typically be moved to a spam folder. If an opened email contains file attachments, it is best not to download them, or if the sender is unrecognized, the email should be blocked. 

Implementing ISO/IEC 27001:2013 for Information Security 

In accordance with ISO/IEC 27001:2013, companies must safeguard information security from various potential threats. One way to do this is by installing antivirus software on computer devices, which aligns with the implementation of Annex 12.2.1 concerning malware protection. If a company uses a wireless network system, it must ensure that it has technicians capable of securing the network in accordance with Annex 13.1.1 on network security. Companies must also ensure that they always lock routers and encrypt all information in accordance with Annex 10.1.1 on encryption controls. If necessary, always password-protect all computer data networks and hide all systems in accordance with Annex 9.4.3 on password usage. 

Overall, companies must protect information security from various potential threats. Information security can be maintained by installing antivirus software on computer devices and securing networks. If a company uses a wireless network system, it must ensure that it has technicians capable of securing the network. Companies must also ensure that they always lock routers and encrypt all information. If necessary, always password-protect all computer data networks and hide all systems. By hiding data, at the very least, this can prevent potential internal company crime. 

One form of control that can be implemented to minimize external and internal risks and threats is the adoption of an Information Security Management System (ISMS), referencing ISO/IEC 27001:2013. According to ISO/IEC 27001:2013, ISMS is defined as part of an overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, improve, and maintain information security, as well as to preserve the confidentiality, integrity, and availability of information, and to manage and control information security risks within an organization or company. 

Conclusion: Why ISMS is Crucial for Business Continuity 

By implementing ISO/IEC 27001:2013, companies can protect and maintain the confidentiality, integrity, and availability of information, and manage and control information security risks within the organization or company. ISO/IEC 27001:2013 provides assurance to clients and business partners that the company has a robust information security management system in line with international standards. If a company has implemented an Information Security Management System (ISMS), it will be able to control information assets from threats and attacks, indirectly guaranteeing the continuity of business operations. 

Syifa Aulia Sari
IT GRC Consultant
Robere & Associates (Indonesia)

The Relationship Between the RACI Matrix and Risk Management Systems

The implementation of Risk Management is closely linked to communication and consultation processes. These processes are crucial factors supporting the smooth progression of risk management from stage to stage. It’s undeniable that communication and consultation with various stakeholders can influence decisions, both in establishing the framework and executing risk management processes. Consequently, a breakdown in communication and consultation can lead to new risks. 

Discussing communication failures in risk management implementation, we can refer to a significant case in 2001: the Enron bankruptcy. Enron failed to provide information consistent with reality, preventing the Enron risk management team from identifying the risks they would face. Accurate and up-to-date data from a company is vital for identifying impending risks; without such information, a company can only predict risks based on historical data, which may not always be accurate. 

In connection with the above, this article will discuss a method that can be used to clearly structure and identify an effective workflow for communication and consultation in implementing a Risk Management System: the RACI Matrix. This method helps organizations identify parties involved in Risk Management System communication and consultation processes, typically categorized into four roles: Responsible (R), Accountable (A), Consulted (C), and Informed (I). As a guide for constructing a RACI Matrix, several stages can be followed: 

  1. Identify Stakeholders in the Risk Management System 
    Before creating a RACI Matrix, it’s essential to determine all parties with an interest in the Risk Management System. Examples include:

    • Board of Commissioners 
    • Board of Directors 
    • Department Managers / Division Heads 
    • Department Staff / Risk Owners 
    • External Stakeholders (Customers, Shareholders, Government, Risk Consultants, etc.) 
  2. Identify Stages to be Performed in the Risk Management System 
    After identifying stakeholders, it’s necessary to pinpoint the stages involved in implementing the Risk Management System. Examples include: 

    • Establishing Scope, Context, and Criteria 
    • Risk Identification 
    • Risk Analysis 
    • Risk Evaluation 
    • Risk Treatment 
    • Risk Monitoring and Review 
    • Risk Recording and Reporting 

    The more detailed the description of each stage in the Risk Management System, the clearer the roles of the stakeholders involved in executing those stages will be. 

  3. Constructing the RACI Matrix 
    The RACI Matrix is developed based on the roles of stakeholders concerning the stages performed in operating the Risk Management System. As mentioned earlier, these roles are divided into: 

    • Responsible (R): The party tasked with executing a specific stage within the Risk Management System process. Examples include Department Staff / Risk Owners. 
    • Accountable (A): The party ultimately responsible for the outcome of a Risk Management System-related stage and the decision-maker for any issues that arise. Examples include leaders in respective Work Units / Departments / Divisions (Department Managers / Division Heads). 
    • Consulted (C): The party possessing expertise related to the Risk Management System. Examples include the Enterprise Risk Management (ERM) Department, Risk Analysts, Risk Consultants. 
    • Informed (I): The party who receives information regarding the results of the Risk Management System implementation stages. Examples include the Board of Commissioners, Company Directors, and External Stakeholders. 

    An example of a RACI Matrix format can be seen in Table 1.1 below:

    Table 1.1: RACI Matrix

  4. Additional Information for the RACI Matrix
    Once the RACI Matrix has been developed, additional details can be added, such as: 

    • The type of information delivered as an output from each stage of the Risk Management System. Examples include Risk Identification Reports, Risk Management System Evaluation Reports, etc. 
    • The method of delivering the results of the Risk Management System stages. Examples include Monthly Meetings, Yearly Meetings, Management Review Meetings, Email, Letters, etc. 
    • The frequency of delivering the results of the Risk Management System stages. Examples include monthly, semi-annually, annually, every 3 months, etc. 

Fundamentally, the RACI Matrix is a method aimed at enhancing the effectiveness of the Risk Management System implemented by an organization. The expectation is that if an organization or company develops a well-structured RACI Matrix, it will achieve: 

  • No overlap in duties and responsibilities when implementing the Risk Management System. 
  • Quicker decision-making and problem resolution. 
  • Clearer internal and external information distribution. 
  • Transparency regarding information in operating the Risk Management System. 
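The four stages above and the outcomes just listed can be checked mechanically. The Python script below is an added example (not part of the original article): it builds a stage-by-stakeholder RACI matrix from the stakeholders of stage 1 and the stages of stage 2, renders it in the layout of Table 1.1, and validates it against the "no overlap" goal using two common RACI rules, assumed here: each stage has exactly one Accountable party and at least one Responsible party, and no stakeholder is left without any role. The role assignments themselves are an illustrative assumption, not the article's.

```python
STAKEHOLDERS = [
    "Board of Commissioners",
    "Board of Directors",
    "Department Managers",
    "Department Staff / Risk Owners",
    "ERM Department",
    "External Stakeholders",
]

STAGES = [
    "Establishing Scope, Context, and Criteria",
    "Risk Identification",
    "Risk Analysis",
    "Risk Evaluation",
    "Risk Treatment",
    "Risk Monitoring and Review",
    "Risk Recording and Reporting",
]

VALID_ROLES = {"R", "A", "C", "I", ""}  # '' means the stakeholder has no role in that stage

# Illustrative assignment (assumption): staff execute, managers are accountable,
# the ERM department advises, boards and external parties are informed.
DEFAULT_ROW = {
    "Department Staff / Risk Owners": "R",
    "Department Managers": "A",
    "ERM Department": "C",
    "Board of Directors": "I",
    "Board of Commissioners": "I",
    "External Stakeholders": "I",
}
EXAMPLE_ASSIGNMENTS = {stage: dict(DEFAULT_ROW) for stage in STAGES}
# Scope, context and criteria are set at board level in this illustration.
EXAMPLE_ASSIGNMENTS["Establishing Scope, Context, and Criteria"].update(
    {"Board of Directors": "A", "Department Managers": "R", "Department Staff / Risk Owners": "C"}
)


def build_matrix(assignments):
    """assignments: {stage: {stakeholder: role}}. Returns a full stage x stakeholder
    grid so that every stakeholder appears in every row, with '' where unassigned."""
    return {
        stage: {s: assignments.get(stage, {}).get(s, "") for s in STAKEHOLDERS}
        for stage in STAGES
    }


def validate(matrix):
    """Return a list of problems; an empty list means the matrix is well formed."""
    problems = []
    for stage, row in matrix.items():
        roles = list(row.values())
        bad = sorted(r for r in roles if r not in VALID_ROLES)
        if bad:
            problems.append(f"{stage}: invalid role code(s) {bad}")
        if roles.count("A") != 1:
            problems.append(f"{stage}: expected exactly one Accountable, found {roles.count('A')}")
        if "R" not in roles:
            problems.append(f"{stage}: no Responsible party")
    for s in STAKEHOLDERS:
        if all(matrix[stage][s] == "" for stage in STAGES):
            problems.append(f"{s}: has no role in any stage")
    return problems


def render(matrix):
    """Plain-text version of Table 1.1: one row per stage, one column per stakeholder."""
    width = max(len(stage) for stage in STAGES)
    header = "Stage".ljust(width) + " | " + " | ".join(f"S{i + 1}" for i in range(len(STAKEHOLDERS)))
    lines = [header, "-" * len(header)]
    for stage, row in matrix.items():
        cells = " | ".join((row[s] or "-").ljust(2) for s in STAKEHOLDERS)
        lines.append(stage.ljust(width) + " | " + cells)
    legend = [f"S{i + 1} = {s}" for i, s in enumerate(STAKEHOLDERS)]
    return "\n".join(lines + [""] + legend)


def flawed_assignments():
    """Constructed mistakes for the validator to catch (assumption for the example)."""
    a = {stage: dict(row) for stage, row in EXAMPLE_ASSIGNMENTS.items()}
    a["Risk Treatment"]["ERM Department"] = "A"                    # two Accountable parties
    a["Risk Analysis"]["Department Staff / Risk Owners"] = "C"     # nobody left Responsible
    return a


if __name__ == "__main__":
    matrix = build_matrix(EXAMPLE_ASSIGNMENTS)
    print(render(matrix))
    print("problems:", validate(matrix))
    print("problems in flawed version:", validate(build_matrix(flawed_assignments())))
```

The two rules are the usual way "no overlap in duties and responsibilities" is made testable: two Accountable parties on one stage is exactly the overlap the article warns about, and a stage with no Responsible party is work nobody will do.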

Hilman Badhi Adikara
Non-IT GRC Consultant
Robere & Associates (Indonesia)


The Importance of Customer Satisfaction Surveys in Enhancing Customer Loyalty and Business Competitiveness

Customer satisfaction is a crucial factor in the sustainability of any company. As end-users of products or services, customers play a vital role in shaping the direction of business growth. Therefore, conducting customer satisfaction surveys is a reflection of a company’s commitment to ensuring that customer needs and expectations are properly met.

Benefits of Customer Satisfaction Surveys for Companies

Customer satisfaction surveys offer numerous benefits, including:

  1. Assessing Product and Service Quality
    These surveys allow companies to gauge how well their products or services meet customer expectations. Understanding customer satisfaction levels helps identify areas for improvement.

  2. Identifying Areas for Improvement
    Surveys serve as evaluation tools to enhance the quality of products and services. By gathering customer feedback, companies can implement more targeted and market-relevant improvements.

  3. Analyzing Customer Behavior
    Survey data helps companies understand customer behavior patterns, preferences, habits, and the factors that influence purchasing decisions. This insight can be used to develop more effective marketing strategies.

  4. Enhancing Competitive Advantage
    Customer satisfaction surveys also enable companies to benchmark their products and services against competitors. By understanding competitive strengths and weaknesses, businesses can develop more strategic approaches and expand market share.

Methods for Conducting Customer Satisfaction Surveys

There are several methods that companies can use to conduct customer satisfaction surveys, such as:

  1. Distributing Survey Forms to Customers
    This is the simplest way to collect customer feedback. Surveys can be distributed in written form or through digital platforms such as email, social media, or company websites.

  2. Customer Business Meetings
    Holding direct meetings with customers allows companies to receive real-time feedback. These sessions also provide an opportunity to engage in discussions and offer tailored solutions.

  3. Lost Customer Analysis
    This method involves contacting customers who have stopped using the company’s products or services to understand why they switched to competitors. The data gathered is valuable for service improvement and customer retention efforts.

The Importance of Customer Satisfaction Surveys in Quality Management Systems

Customer satisfaction surveys are also a requirement in the implementation of quality management systems such as ISO 9001. Conducting these surveys regularly allows companies to:

  • Evaluate the effectiveness of products and services

  • Identify and proactively address customer complaints

  • Ensure continuous quality improvement

  • Build long-term customer relationships

Conclusion

Conducting customer satisfaction surveys is more than a mere formality—it is a strategic business approach to improving service quality, retaining customers, and outperforming competitors. By understanding customer needs and acting on survey results, companies can continue to grow and build stronger customer loyalty.

If you want to learn more about how to enhance customer satisfaction and implement data-driven business strategies, make sure to conduct regular customer satisfaction surveys and analyze the results thoroughly.
