Digital companies should adopt ISO cyber security standard say IT experts

Fri, May 22, 2020
Data matters: A saleswoman holds up her mobile phone to show a home loan app. The government has proposed a bill on data protection in response to many reports of the misuse and theft of customer data. (JP/Dhoni Setiawan)

Calls for digital companies to implement stronger data protection measures are growing following recent reports of a data breach against Indonesia’s e-commerce unicorn Tokopedia.

Digital companies should adopt ISO cyber security standard say IT experts

Experts have argued that the data protection bill, which is currently being debated at the House of Representatives (DPR), should set a minimum-security standard for digital companies, as the current regulation does not stipulate the technicalities of data protection.

“If we take a look at Government Regulation (PP) No.71, the government did not regulate the technicalities of data protection,” IT expert Tony Seno Hartono said in an online discussion on April 20, referring to PP No.71/2019 on the implementation of electronic systems and transactions.

Tokopedia said its internal database had been breached by an unidentified party in March, resulting in a massive data leak of the personal information of more than 15 million users.

Communications and Information Minister Johnny G. Plate urged on May 15 companies to improve their cybersecurity systems following the breach, saying that the country’s digital economy was “under attack”.

While PP No.71/2019 does mandate digital service providers to “ensure the safety of information and internal communication systems,” Tony said it stopped short of setting a minimum safety standard for data protection.

He said digital companies should meet the requirements of the ISO27001 standard, which measures and evaluates information security management systems, in order to provide adequate data safety for their users.

“If a company meets the ISO standard, the chance for a data breach becomes extremely small. Even if there is a breach, we could trace the breach’s source and figure out what went wrong,” he said.

However, in order to be certified for the standard, a digital company must hire a third-party security auditor to analyze its security system, which is not possible for small start-ups.

“We are always striving to adopt the highest level of security. However, it’s very expensive for start-up companies to adopt ISO standards,” Indonesia E-Commerce Association’s (idEA) government relation manager Rofi Uddarojat said during the discussion.

Even if a company has received the certification or has an independent security auditor to routinely analyze its security system, Tony said many Indonesian companies did not improve their security systems in line with the audit results.

“From my experience, many institutions ignore [audit results]. If there’s a breach, I believe it’s not because the auditor missed the security gap but rather because their assessment was not followed up by the institutions,” he said.

During the discussion, Rofi also criticized the draft of a Communications and Information Ministry regulation that follows PP No.17/2019, for bureaucratizing data placement.

While the PP gives companies the option to choose whether to store their data inside the country or abroad, Article 6 of the ministry regulation requires private companies to obtain a permit from the minister to store their data abroad, according to the latest draft released on March 10.

“While we appreciate the PP for giving us the freedom to store our data inside the country or abroad, there seems to be an attempt at bureaucratization in the draft regulation,” Rofi said.

IT专家表示,数字公司应采用ISO网络安全标准

2020年5月22日星期五
数据很重要:一位女售货员举起手机展示房屋贷款应用。政府针对许多滥用和盗窃客户数据的报告提出了一项数据保护法案。 (JP /多尼·塞蒂亚万)

在最近有报道称印尼电子商务独角兽Tokopedia遭到数据泄露后,对数字公司实施更强有力的数据保护措施的呼声越来越高。

专家认为,目前正在众议院辩论的数据保护法案应为数字公司设定最低安全标准,因为当前法规并未规定数据保护的技术性。

IT专家托尼·塞诺·哈托诺(Tony Seno Hartono)在4月20日的在线讨论中表示,“如果我们看一下第71号政府法规(PP),政府就没有规范数据保护的技术,”提到第71/2019号PP关于电子系统和交易的实施。

Tokopedia表示,其内部数据库在3月份遭到一个身份不明的方的破坏,导致超过1500万用户的个人信息发生大规模数据泄露。

通信和信息部长Johnny G. Plate于5月15日敦促各公司改善其网络安全系统,称该国的数字经济正在“受到攻击”。

尽管第71/2019号PP确实要求数字服务提供商“确保信息和内部通信系统的安全”,但托尼表示,它没有为数据保护设定最低安全标准。

他说,数字公司应符合ISO27001标准的要求,该标准测量和评估信息安全管理系统,以便为其用户提供足够的数据安全。

“如果一家公司符合ISO标准,那么发生数据泄露的机会就非常小。即使发生违规,我们也可以追踪违规的来源并找出问题出在哪里,”他说。

但是,为了获得该标准的认证,数字公司必须雇用第三方安全审核员来分析其安全系统,这对于小型初创公司是不可能的。

“我们一直在努力采用最高级别的安全性。但是,对于初创公司而言,采用ISO标准非常昂贵,”印度尼西亚电子商务协会(idEA)政府关系经理Rofi Uddarojat在讨论中说。

托尼表示,即使一家公司已经获得认证或拥有独立的安全审核员来定期分析其安全系统,但许多印尼公司并未根据审核结果改进其安全系统。

“根据我的经验,许多机构都忽略了[审计结果]。如果存在违规行为,我相信这不是因为审计师没有漏掉安全漏洞,而是因为机构没有对他们的评估进行跟进,”他说。

在讨论中,Rofi还批评了遵循PP No.17 / 2019的通信和信息部法规​​草案,以使数据放置官僚化。

根据3月份发布的最新草案,尽管PP给公司提供了选择将数据存储在国内还是国外的选项,但该部法规的第6条要求私营公司从部长那里获得许可,将数据存储在国外。 10。

罗菲说:“尽管我们感谢PP给我们提供了在国内或国外存储数据的自由,但似乎在规章草案中试图进行官僚化。”

如侵联删未允勿转:认证生态网 » Digital companies should adopt ISO cyber security standard say IT experts

赞 (1) 打赏

相关推荐

    暂无内容!

评论 0

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

微信扫一扫打赏