Digital companies should adopt ISO cyber security standard say IT experts

Fri, May 22, 2020
Data matters: A saleswoman holds up her mobile phone to show a home loan app. The government has proposed a bill on data protection in response to many reports of the misuse and theft of customer data. (JP/Dhoni Setiawan)

Calls for digital companies to implement stronger data protection measures are growing following recent reports of a data breach against Indonesia’s e-commerce unicorn Tokopedia.

Experts have argued that the data protection bill currently being debated at the House of Representatives (DPR) should set a minimum security standard for digital companies, as the current regulation does not stipulate the technical requirements of data protection.

“If we take a look at Government Regulation (PP) No.71, the government did not regulate the technicalities of data protection,” IT expert Tony Seno Hartono said in an online discussion on April 20, referring to PP No.71/2019 on the implementation of electronic systems and transactions.

Tokopedia said its internal database had been breached by an unidentified party in March, resulting in a massive data leak of the personal information of more than 15 million users.

Communications and Information Minister Johnny G. Plate on May 15 urged companies to improve their cybersecurity systems following the breach, saying that the country's digital economy was "under attack".

While PP No.71/2019 does mandate digital service providers to “ensure the safety of information and internal communication systems,” Tony said it stopped short of setting a minimum safety standard for data protection.

He said digital companies should meet the requirements of the ISO/IEC 27001 standard, which specifies the requirements for establishing, operating and continually improving an information security management system (ISMS), in order to provide adequate data safety for their users.

“If a company meets the ISO standard, the chance for a data breach becomes extremely small. Even if there is a breach, we could trace the breach’s source and figure out what went wrong,” he said.

However, in order to be certified against the standard, a digital company must have an accredited third-party certification body audit its security management system, a cost that many small start-ups cannot bear.

“We are always striving to adopt the highest level of security. However, it’s very expensive for start-up companies to adopt ISO standards,” Indonesia E-Commerce Association’s (idEA) government relation manager Rofi Uddarojat said during the discussion.

Even where a company has received the certification, or has an independent security auditor routinely analyze its security system, Tony said many Indonesian companies did not improve their security systems in line with the audit results.

“From my experience, many institutions ignore [audit results]. If there’s a breach, I believe it’s not because the auditor missed the security gap but rather because their assessment was not followed up by the institutions,” he said.

During the discussion, Rofi also criticized the draft of a Communications and Information Ministry regulation implementing PP No.71/2019 for bureaucratizing data placement.

While the PP gives private companies the option to store their data either inside the country or abroad, Article 6 of the draft ministry regulation requires them to obtain a permit from the minister before storing data abroad, according to the latest draft released on March 10.

“While we appreciate the PP for giving us the freedom to store our data inside the country or abroad, there seems to be an attempt at bureaucratization in the draft regulation,” Rofi said.
