
    Protection of Personal Data and Information Through the Indonesian Data Protection System (IDPS)

    Abstract: The presence of cybercrime has been a threat to human life, making it difficult for governments to keep up with computer technology, particularly the internet. This is the result of rapid developments in information technology, so each development essentially has both a positive and a negative impact. One negative effect is the misuse of data and personal information. The human world's weaknesses are not unrelated to the lack of regulation, or the absence of regulation, on cybersecurity and personal data protection, resulting in confusion among members of society. Therefore, a system that addresses this problem is required: the Indonesian Data Protection System (IDPS) is a system that guarantees and provides security for the management of personal data and information. This study aims to know how personal information data is managed in Indonesia today, and to learn how the management of data and personal information can be formulated via the Indonesian Data Protection System (IDPS) as a cyber surveillance and data protection effort. The study adopted a normative juridical method with the Statute Approach. On this issue, the authors concluded, first, that a rule relating to cybercrime as well as to the protection of data and personal information in Indonesia would be required. Second, there is a system that will address the problem of cybercrime, especially in the field of data management and personal information: the Indonesian Data Protection System (IDPS). Keywords: Indonesian Data Protection System (IDPS); Cyber Crime; Personal Information and Data Protection.

    Abstract (translated from Indonesian): The existence of cybercrime has become a threat in various areas of human life, such that governments find it difficult to keep pace with the crime techniques carried out using computer technology, particularly the internet. This is a consequence of the rapid development of information technology, so that every development essentially brings both positive and negative impacts. One of the negative impacts is the misuse of personal data and information. The weaknesses of the cyber world cannot be separated from the lack of regulation, or the absence of regulation, on cyber security and personal data protection, which causes confusion among members of society. Therefore, a system capable of overcoming this problem is needed; the Indonesian Data Protection System (IDPS) is a system that guarantees and provides security for the management of personal data and information. This research aims to find out the current problems of managing personal information data in Indonesia, and to find out how the management of personal data and information can be formulated through the Indonesian Data Protection System (IDPS) as a Cyber Surveillance and Data Protection effort. This research uses a normative juridical method with a statute approach. On this issue, the authors conclude, first, that a regulation is needed relating to cybercrime and also to the protection of personal data and information in Indonesia. Second, a system is needed that can overcome the problem of cybercrime, particularly in the field of managing personal data and information, namely the Indonesian Data Protection System (IDPS). Keywords: Indonesian Data Protection System; Cybercrime; Personal Data and Information Protection.

    Information Security Behaviour Assessment In Software-As-A-Service Cloud Environment

    This research aims at assessing the information security behaviour in the Software as a Service (SaaS) cloud computing environment. Organisations are still struggling with information security breaches despite various technical protections to secure SaaS applications. This is due to the fact that human behaviour is the weakest link of the security chain. Security compromise causes substantial financial and non-financial losses to organisations, which jeopardise organisations' reputation. Technical protection alone seems insufficient to ensure information safety. Therefore, this research takes it from the socio-organisational perspective to strengthen information security. Many socio-organisational factors influence employees' security behaviour in the organisation, which has an impact on SaaS cloud adoption. Addressing these factors is significant to help successfully create a healthy security culture in the organisation. Nevertheless, human behaviour is subjective in nature. Their behaviour depends upon the way they think, feel and act towards security issues, which needs an in-depth understanding of their security behaviour. Hence, adapting the sequential exploratory mixed-method approach, through the theoretical lens of social cognitive theory, organisational culture theory as well as security control from extended deterrence theory, this study develops an information security behaviour model and validates the socio-organisational aspects of security behaviour. There were 396 useful data gathered from the survey. SPSS 20 and PLS-SEM software were utilised for descriptive and exploratory factor analysis respectively. The survey results indicate that security control management, personal values and behaviour were salient factors towards the formation of good security behaviour. This research subsequently conducted a case study using the proposed model at one information technology department in a public university. The survey obtained 90 useful data.
The case study revealed that organisational security culture, personal values as well as behaviour have a significant influence on information security behaviour. There were slight differences in the quantitative results, for which the follow-up interview with three informants supported the findings from the case study. It can be concluded that personal values and behaviour elements are the most significant factors which influence the information security behaviour of employees working in the SaaS cloud environment. However, the organisational culture and security control management factors are observed to be contextually dependent, as these factors depend on how the organisation is run by the respective top management. This study contributes both theoretically and practically. The information security behaviour body of knowledge is built up through conceptual model testing and accentuating new propositions. The information security behaviour model was developed upon the integration of social cognitive theory, the Wallach Organisational Culture Model as well as security control management from extended deterrence theory, and validated through a survey and a case study. The result helps the researcher to have better insight into employees' security behaviour in the SaaS cloud environment in Malaysia generally and at the studied IT department specifically. The developed model, new accentuated propositions and other recommendations in this research may help other researchers to embark on related studies in the future.

    SFTSDH: Applying Spring Security Framework with TSD-Based OAuth2 to Protect Microservice Architecture APIs

    The Internet of Medical Things (IoMT) combines medical devices and applications that use network technologies to connect healthcare information systems (HIS). IoMT is reforming the medical industry by adopting information and communication technologies (ICTs). Identity verification, secure collection, and exchange of medical data are essential in health applications. In this study, we implemented a hybrid security solution to secure the collection and management of personal health data using the Spring Framework (SF), Services for Sensitive Data (TSD) as a service platform, and Hyper-Text Transfer Protocol (HTTP (H)) security methods. The adopted solution (SFTSDH = SF + TSD + H) instigated the following security features: identity brokering, OAuth2, multifactor authentication, and access control to protect the Microservices Architecture Application Programming Interfaces (APIs), following the General Data Protection Regulation (GDPR). Moreover, we extended the adopted security solution to develop a digital infrastructure to facilitate the research and innovation work in the electronic health (eHealth) section, focusing on solution validation with theoretical evaluation and experimental testing. We used a web engineering security methodology to achieve and explain the adopted security solution. As a case study, we designed and implemented an electronic coaching (eCoaching) prototype system and deployed it in the developed infrastructure to securely record and share personal health data. Furthermore, we compared the test results with related studies qualitatively for the efficient evaluation of the implemented security solution. The SFTSDH implementation and configuration in the prototype system have effectively secured the eCoach APIs from an attack in all the considered scenarios. The eCoach prototype with the SFTSDH solution effectively sustained a load of (≈) 1000 concurrent users in the developed digital health infrastructure.
In addition, we performed a qualitative comparison among the following security solutions: SF security, third-party security, and SFTSDH, where SFTSDH showed a promising outcome.

    Perceptions and Knowledge of Information Security Policy Compliance in Organizational Personnel

    All internet-connected organizations are becoming increasingly vulnerable to cyberattacks due to information security policy noncompliance of personnel. The problem is important to information technology (IT) firms, organizations with IT integration, and any consumer who has shared personal information online, because noncompliance is the single greatest threat to cybersecurity, which leads to expensive breaches that put private information in danger. Grounded in the protection motivation theory, the purpose of this quantitative study was to use multiple regression analysis to examine the relationship between perceived importance, organizational compliance, management involvement, seeking guidance, and rate of cybersecurity attack. The research question for this study was focused on the relationship between perceived importance of cybersecurity, senior management involvement, use of organizational ISPC, seeking of information or guidance on cybersecurity, and organizational security breach incidence. Data was collected from the United Kingdom's 2021 Cyber Security Breaches Survey. Multiple linear regression analysis yielded that the four independent variables were not predictive of instances of cybersecurity breach or attack. The implications for positive social change include the potential to actively promote and publicly address cybersecurity as personal privacy increasingly becomes a matter of public safety. One key recommendation is for IT leaders to pursue methodologically rigorous and uniform operationalization throughout IT research and practice, including the pursuit of replicable data of detailed resolution. The results of this study may potentially be used to reduce the risks for cybersecurity breaches, which ultimately contributes to social change by furthering the right of privacy and the protection of personal information.

    Exploring the influence of organisational, environmental, and technological factors on information security policies and compliance at South African higher education institutions: Implications for biomedical research.

    Headline reports on data breaches worldwide have resulted in heightened concerns about information security vulnerability. In Africa, South Africa is ranked among the top 'at-risk' countries with information security vulnerabilities and is the most cybercrime-targeted country. Globally, such cyber vulnerability incidents greatly affect the education sector, due, in part, to the fact that it holds more Personal Identifiable Information (PII) than other sectors. PII refers to (but is not limited to) ID numbers, financial account numbers, and biomedical research data. In response to rising threats, South Africa has implemented a regulation called the Protection of Personal Information Act (POPIA), similar to the European Union General Data Protection Regulation (GDPR), which seeks to mitigate cybercrime and information security vulnerabilities. The extent to which African institutions, especially in South Africa, have embraced and responded to these two information security regulations remains vague, making it a crucial matter for biomedical researchers. This study aimed to assess whether the participating universities have proper and reliable information security practices, measures and management in place and whether they fall in line with both national (POPIA) and international (GDPR) regulations. In order to achieve this aim, the study undertook a qualitative exploratory analysis of information security management across three universities in South Africa. A Technology, Organizational, and Environmental (TOE) model was employed to investigate factors that may influence effective information security measures. A purposeful sampling method was employed to interview participants from each university.
From the technological standpoint, the Bring Your Own Device (BYOD) policy, whereby on average a student owns and connects between three and four internet-enabled devices to the network, has created difficulties for IT teams, particularly in the areas of authentication, explosive growth in bandwidth, and access control to secure university servers. In order to develop robust solutions to mitigate these concerns, which are not perceived by users as overly prohibitive, executive management should acknowledge that security and privacy issues are a universal problem and not solely an IT problem, and equip the IT teams with the necessary tools and mechanisms to allow them to overcome commonplace challenges. At an organisational level, information security awareness training of all users within the university setting was identified as a key factor in protecting the integrity, confidentiality, and availability of information in highly networked environments. Furthermore, the University's information security mission must not simply be a link on a website; it should be constantly reinforced by informing users during, and after, the awareness training. In terms of environmental factors, specifically the GDPR and POPIA legislation, one of the most practical and cost-effective ways universities can achieve data compliance requirements is to help staff (both teaching and non-teaching), students, and other employees understand the business value of all information. Users who are more aware of the sensitivity of data, the risks to the data, and their responsibilities when handling, storing, processing, and distributing data during their day-to-day activities will behave in a manner that makes compliance easier at the institutional level. Results obtained in this study helped to elucidate the current status, issues, and challenges which universities are facing in the area of information security management and compliance, particularly in the South African context.
Findings from this study point to organizational factors being the most critical when compared to the technological and environmental contexts examined. Furthermore, several proposed information security policies were developed with a view to assisting biomedical practitioners within the institutional setting in protecting sensitive biomedical data.

    Analysis of changes in personal data legislation since September 1, 2022

    The paper analyzes regulatory and legal changes in the requirements for the organization of personal data protection processes by operators of personal data, which came into force on September 1, 2022. It is noted that a number of additional regulations are also going to come into force on March 1, 2023, although they are not considered in the paper. The new requirements contain a number of restrictions and a tightening of existing personal data protection processes, as well as a number of active innovations requiring the introduction of new processes aimed at improving the security of personal data and promptly identifying and investigating incidents. Each change and innovation is analyzed by a set of features, including the identification of the law rules, the study of new requirements and the formation of a conclusion about the essence of the changes and the necessary set of actions aimed at ensuring the fulfillment of the requirements. In total, 14 fundamental and significant changes and additions to the requirements for the protection of personal data have been identified. The most time-consuming and costly for small businesses is the link to the state system for detecting, preventing and eliminating the consequences of computer attacks, which requires attracting additional funds and employees. Priority tasks to be solved by the personal data operators in order to ensure compliance with the new standards have been formulated. These are building up a team to investigate information security incidents, as well as the creation of a system for managing information security incidents and the introduction of software products for solving this problem. Another important task is to train the specialists with the knowledge and competencies necessary to solve new problems and to develop programs for the formation of a personal data management culture aimed at the general public.

    Secure Personal Data Administration in the Social Networks: The Case of Voluntary Sharing of Personal Data on the Facebook

    In view of the changes taking place in society, social progress and the achievements of science and technology, the protection of fundamental rights must be strengthened. The aim of the article is to analyse the principles and peculiarities of safe management of personal data in social networks. In this scientific article, the methods of document analysis, scientific literature review, case study and generalization are used. Consumers themselves decide how much and what kind of information to publicize on the Facebook social network. In order to use third-party applications, users at the time of authorization must confirm that they agree to give access to their personal data; otherwise the service will not be provided. Personal data of the Facebook user comprise his/her public profile, including the user's photo, age, gender, and other public information; a list of friends; e-mail; time zone records; birthday; photos; hobbies, etc. Which personal data will be requested from the user depends on the third-party application. Analysis of the legal protection of personal data in internet social networks reveals that it is limited to the international and European Union legal regulation on protection of personal data in online social networks. Users who make publicly available a large amount of personal information on the Facebook social network should decide whether they want to share that information with third parties for the use of their services (applications). This article presents a model for user and third-party application interaction, and an analysis of risks and recommendations to ensure the security of the personal data of the user.

    Information security risk management in small-scale organisations: a case study of secondary schools' computerised information systems

    Threats to computerised information systems are always on the rise and compel organisations to invest a lot of money and time, amongst other technical controls, in an attempt to protect their critical information from inherent security risks. The computerisation of information systems in secondary schools has effectively exposed these organisations to a host of complex information security challenges that they have to deal with in addition to their core business of teaching and learning. Secondary schools handle large volumes of sensitive information pertaining to educators, learners, creditors and financial records that they are obliged to secure. Computerised information systems are vulnerable to both internal and external threats, but ease of access sometimes manifests in security breaches, thereby undermining information security. Unfortunately, school managers and users of computerised information systems are ignorant of the risks to their information systems assets and the consequences of the compromises that might occur thereof. One way of educating school managers and users about the risks to their computerised information systems is through a risk management programme in which they actively participate. However, secondary schools do not have the full capacity to perform information security risk management exercises due to the unavailability of risk management experts and scarce financial resources to fund such programmes. This qualitative case study was conducted in two secondary schools that use computerised information systems to support everyday administrative operations. The main objective of this research study was to assist secondary schools that used computerised information systems to develop a set of guidelines they would use to effectively manage information security risks in their computerised information systems. This study educated school managers and computerised information systems users on how to conduct simple risk management exercises.
The Operationally Critical Threats, Assets and Vulnerability Evaluation for small-scale organisations risk management method was used to evaluate the computerised information systems in the two schools and attain the goals of the research study. Data for this study were generated through participatory observation, physical inspections and interview techniques. Data were presented, analysed and interpreted qualitatively. This study found that learners' continuous assessment marks, financial information, educators' personal information, custom application software, server computers and telecommunication equipment used for networking were the critical assets. The main threats to these critical assets were authorised and unauthorised systems users, malware, system crashes, access paths and incompatibilities in software. The risks posed by these threats normally led to the unavailability of critical information systems assets and compromise of data integrity and confidentiality. This also led to the loss of productivity and finance, and damage to school reputation. The only form of protection mechanism enforced by secondary schools was physical security. To mitigate the pending risks, the study educated school managers and users in selecting, devising and implementing simple protection and mitigation strategies commensurate with their information systems, financial capabilities and their level of skills. This study also recommended that secondary schools remove all critical computers from open-flow school networks, encrypt all critical information, password-protect all computers holding critical information and train all users of information systems in personal security. The study will be instrumental in educating school managers and computerised information systems users in information security awareness and risk management in general.

    Achieving Algorithmic Transparency and Managing Risks of Data Security when Making Decisions without Human Interference: Legal Approaches

    Objective: to compare modern approaches in law to the use of program codes and algorithms in decision-making that meet the principles of transparency and openness, as well as the increasingly stringent requirements for ensuring the security of personal and other big data obtained and processed algorithmically. Methods: the main methods for researching the principle of transparency in algorithmic decision-making were formal-legal and comparative analysis of legal acts and international standards of information security, as well as the principles and legal constructions contained in them. Results: it was determined that the development of information security standardization, and the inclusion in legal acts of requirements for the development of information technologies that comply with the principles of transparency and openness of applied algorithms, will minimize the risks associated with the unlawful processing of users' big data and obtaining information about their privacy. Proposals were identified, related to the implementation of algorithmic transparency in the field of data processing legal regulation. Recommendations were formulated, based on which the legislator can solve the problem of ensuring the openness of the logic of information technology algorithms with regard to modern standards of information security. Scientific novelty: it consists in the substantiation of new trends and relevant legal approaches, which allow revealing the logic of data processing by digital and information technologies, based on the characterization of European standards of the "privacy by design" concept in new digital and information technologies of decision-making and data protection, as well as on the new legal requirements for artificial intelligence systems, including the requirement to ensure algorithmic transparency, and criteria for personal data and users' big data processing.
This said, data protection is understood as a system of legal, technical and organizational principles aimed at ensuring personal data confidentiality. Practical significance: it is due to the need to study the best Russian and international practices in protecting the privacy of users of digital and information technologies, as well as the need for legislative provision of requirements for the use of algorithms that meet the principles of transparency and openness of personal data processing, taking into account the need to ensure confidentiality at all stages of the life cycle of their processing, which will ensure the continuity of security management.