Information Security Management Overview

Information security is defined as the protection of information assets from threats, aiming to ensure business continuity, reduce risks, and optimize investments. It encompasses three key elements: confidentiality, integrity, and availability, and involves various strategies such as physical, personal, operational, communication, and network security. Effective information security management includes identifying threats, assessing risks, establishing policies, and implementing controls to safeguard sensitive information and support organizational decision-making.

Uploaded by

fitri.sm

MANAGEMENT INFORMATION SYSTEM
information system security

Fitri, S.M., [Link].


DEFINITION OF INFORMATION SECURITY
According to Sarno and Iffano (2009), information security is an
effort to protect information assets from potential threats. Its
objectives include ensuring business continuity, reducing risks, and
optimizing return on investment.
According to ISO/IEC 17799:2005, information security is the
protection against various threats to ensure business continuity,
minimize risks, and enhance investments and business opportunities.
Aspects of Information Security
Information security focuses on three fundamental elements:
Confidentiality: Ensuring that only authorized individuals have access to
certain information and preventing access by unauthorized parties.
Integrity: Ensuring that information remains complete, accurate, and
unaltered by unauthorized parties.
Availability: Ensuring that information is accessible to authorized users
whenever needed, without disruption or damage.
These three elements are interrelated and form the foundation for developing
information security programs.
Components and Strategies of Information Security
Several strategies are implemented to secure information:
Physical Security: Protecting individuals, physical assets, and workplaces from
fire, unauthorized access, or natural disasters.
Personal Security: Focusing on the safety of personnel, often related to physical
security.
Operational Security: Ensuring the organization can operate without disruption.
Communication Security: Protecting communication media, technologies, and the
data they carry.
Network Security: Protecting organizational networks, devices, and data to
ensure secure operation.
All these components work together to protect both the information itself and the
systems used to store and transmit it.
Information Security Management (ISM)
Information security management is crucial to ensure that information is
properly handled and used for accurate decision-making. The ISM process
includes:
1. Identifying threats to the organization’s information resources.
2. Assessing risks associated with those threats.
3. Establishing information security policies.
4. Implementing controls to mitigate the identified risks.
This approach is known as risk management.
Information security benchmarks serve as standards for protection against
unauthorized disruptions. Compliance with these benchmarks ensures
adequate protection against threats.
Why Security is Important
Protects sensitive information
Maintains organizational reputation and commercial value
Supports effective decision-making and operational continuity
Reduces overall risk portfolio for the organization

Steps to Implement Information Security


Identify relevant threats and controls
Develop policies, procedures, and operational guidelines
Engage employees, partners, and external experts
Ensure systems are effective, efficient, and well-supported
Information Security Threats
Internal and External Threats
Internal threats: come from employees, temporary workers, consultants,
contractors, or business partners.
External threats: come from outside parties such as competitors or
cybercriminals.
Intentional and Accidental Threats
Intentional: attacks designed to cause harm (e.g., hacking, data theft).
Accidental: mistakes or human errors that lead to security issues (e.g., wrong data
handling).

Types of Common Threats


Virus → Self-replicating program that attaches to other files and causes damage.
Worm → Spreads automatically through networks or email without user action.
Trojan Horse → Disguised as a legitimate program but contains harmful functions.
Adware → Displays unwanted advertisements that disrupt user activity.
Spyware → Collects user data secretly without permission.
Information Security Risks
1. Unauthorized Disclosure & Data Theft
Occurs when information or software is accessed by individuals without
proper permission, resulting in loss of data, money, or confidentiality.
2. Unauthorized Use
Happens when unauthorized individuals successfully use company systems
or resources for personal or harmful purposes.
3. Unauthorized Destruction & Denial of Service
Involves damage or destruction of hardware or software, preventing systems
from operating properly (e.g., DoS attacks).
4. Unauthorized Modification
Changes are made to data or software without detection, leading to
inaccurate output and potentially harmful decision-making.
Information Security Policy
An information security policy must be established to guide the entire security program.
Organizations typically implement security in gradual phases:
[Link] Phase
2. Form a team responsible for overseeing the security policy project.
[Link] Development Phase
4. Consult with all stakeholders affected by the policy.
[Link] & Approval Phase
6. Discuss requirements with management to obtain approval and direction.
[Link] & Education Phase
8. Conduct training programs to build awareness across organizational units.
[Link] Distribution Phase
10. Distribute the policy throughout the organization where it applies.
These policies are communicated to employees through written documents and training
programs. Once established, security controls can then be implemented.
Control Information Security
Technical Controls
Technical controls are built into systems during the system development life cycle. Involving
internal auditors in the project team helps ensure these controls are properly designed. Most
technical controls rely on hardware and software technology.
Access Control
[Link] Identification
2. Users identify themselves using something they know (e.g., password) or their access location.
[Link] Authentication
[Link] using something users have (e.g., smart card) or something they are (e.g.,
fingerprint, voice pattern).
[Link] Authorization
[Link] what level of access the user is allowed (e.g., read-only vs modification rights).
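The three access-control steps above (identification, authentication with two factors, authorization by access level), as an added example that is not part of the original slides. The user store, passwords, token secrets and the simplified HMAC-based one-time code are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; constructed value for the example

def make_password_record(password: str) -> dict:
    """Store a per-user salt and PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}

def token_code(secret: bytes, counter: int) -> str:
    """Simplified one-time code from a token's secret and counter (HMAC-based)."""
    return hmac.new(secret, counter.to_bytes(8, "big"), "sha256").hexdigest()[:6]

# Constructed user store: password hash (something they know), token secret
# (something they have) and the access level granted by authorization.
USERS = {
    "alice": {**make_password_record("correct horse battery"),
              "token_secret": b"alice-token-secret", "token_counter": 1, "level": "modify"},
    "bob": {**make_password_record("bob-pass"),
            "token_secret": b"bob-token-secret", "token_counter": 1, "level": "read-only"},
}

def identify(username: str):
    """Step 1: identification. Map the claimed identity to a stored record."""
    return USERS.get(username)

def authenticate(record: dict, password: str, code: str) -> bool:
    """Step 2: authentication. Both factors must verify; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    pw_ok = hmac.compare_digest(digest, record["hash"])
    expected = token_code(record["token_secret"], record["token_counter"])
    code_ok = hmac.compare_digest(expected, code)
    return pw_ok and code_ok  # evaluate both so a failing factor is not revealed early

def authorize(record: dict, action: str) -> bool:
    """Step 3: authorization. read-only may read; only modify may write."""
    allowed = {"read-only": {"read"}, "modify": {"read", "write"}}
    return action in allowed.get(record["level"], set())

def access(username: str, password: str, code: str, action: str) -> str:
    """Run the three steps; unknown users and bad credentials get the same answer
    so the login response does not confirm which usernames exist."""
    record = identify(username)
    if record is None or not authenticate(record, password, code):
        return "authentication failed"
    return "allowed" if authorize(record, action) else "denied"
```

The response text is the same for an unknown user and a wrong password, but the unknown-user path skips the PBKDF2 work and so answers faster; a production check would run a dummy verification to keep timing uniform.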
Relationship Between Management Information Systems (MIS) and Information Security
MIS relies on accurate, reliable, and timely information to support decision-making in organizations.
Information Security protects MIS data and infrastructure from unauthorized
access, misuse, modification, or destruction.
Without strong security, MIS output becomes inaccurate or unavailable,
leading to poor business decisions and operational failures.
Security controls ensure confidentiality, integrity, and availability of MIS
resources.
Thus, MIS and information security must work together to maintain effective,
trusted, and continuous business operations.
THANK YOU
Fitri, S.M., [Link].