Security and Fraud Risk
SETIAWAN HERMANTO
Head of IT Security, Tokopedia
Setiawan is currently heading IT Security at Tokopedia. His main responsibilities are to grow the team and expand Tokopedia's capabilities in protecting its critical assets effectively while rendering services to the users. He has been working for more than 14 (fourteen) years as an IT professional in roles ranging from Software Developer, System Administrator, Database Administrator and Project Manager to IT Security.
Prior to joining Tokopedia, he was a Senior Manager at EY's Cybersecurity – Risk Advisory Services practice, acting as technical practice leader for the cybersecurity team in Indonesia for more than 7 (seven) years. He has helped numerous clients enhance their cybersecurity controls and capabilities through services such as penetration testing, third-party security assessment, and cybersecurity transformation. The engagements involved local and global teams.
TABLE OF CONTENTS
01 SECURITY AND RISK TREND
Gartner released 7 security and risk trends for 2019.
Common challenges and how to address them
02 SECURITY ROADMAP
The common approach in improving security maturity
in the organization
03 FRAMEWORK AND PRINCIPLES
The common framework and principles in improving
security and fraud controls
04 KEY TAKEAWAYS
The summary points of today's presentation
01
SECURITY AND RISK TREND
Gartner released 7 security and risk trends for 2019.
Common challenges and how to address them
Gartner Top 7 Security and Risk Trends for 2019
1. Leading SRM (Security and Risk Management) leaders are creating pragmatic risk appetite
statements linked to business outcomes to engage their stakeholders more effectively
2. There is renewed interest in implementing or maturing security operations centers (SOCs) with a
focus on threat detection and response
3. Leading organizations are utilizing a data security governance framework to prioritize data
security investments
4. “Passwordless” authentication is achieving market traction, driven by demand and the availability
of biometrics and strong hardware-based authentication methods
5. Security product vendors are increasingly offering premium services to help customers get more
immediate value and to assist in skills training
6. Leading organizations are investing in and maturing their cloud security competency as it
becomes the mainstream computing platform
7. The strategic CARTA (Continuous Adaptive Risk and Trust Assessment) approach to security is
starting to appear in more traditional security markets
Cost of data breach
IBM Security and Ponemon Institute released the 2019 Cost of a Data Breach Report. Based on in-depth interviews with more than 500 companies around the world that experienced a data breach between July 2018 and April 2019, the analysis in this research study takes into account hundreds of cost factors, from legal, regulatory and technical activities to loss of brand equity, customer turnover, and the drain on employee productivity.
Reference: https://databreachcalculator.mybluemix.net/executive-summary
Challenges with legacy security technologies
NETWORK: There will be more users outside of the enterprise accessing services than inside.
DEVICES: Customers will have more unmanaged devices connecting to services than managed devices.
APPLICATION: Internal users will consume more apps delivered from outside of the enterprise network than from the inside.
Zero Trust implementation
1. Identify sensitive data: understand what to protect, how sensitive the data is, and who uses the data.
2. Map sensitive data flow: design the optimal sensitive data flow to gain effective protection.
3. Devise Zero Trust perimeter: apply and enforce adequate security controls around sensitive data, including strict access.
4. Enable security analytics: continuously monitor user behaviour through a robust security analytics solution.
5. Activate security automation and orchestration: establish effective security response using a defined playbook by embracing automation.
02
SECURITY ROADMAP
The common approach in
improving security maturity in the
organization
What needs to be done to start improving your security
CURRENT STATE ASSESSMENT: Understand the current state of your company by reviewing available documentation, activity logs, and interviewing relevant personnel.
FUTURE STATE ASSESSMENT: The management determines the future state of the company, translated into security initiatives in the form of a roadmap and detailed activities to be done to achieve the goals.
High level activities in doing current state assessment
■ Obtain required information such as, but not limited to, policy, procedure, and other documentation
■ Review the available documentation referring to the NIST Cybersecurity Framework (CSF)
■ Conduct interview sessions with relevant personnel to acquire the current capabilities and controls
■ Determine the current state level of each NIST CSF function, category and subcategory, as the current organization’s maturity
■ Present and confirm the current state level or the current maturity of the organization to relevant personnel
High level activities in doing future state assessment
■ Assess conditions of the expected future state level for each function, category and subcategory
■ Develop roadmap and security initiatives including detailed activities to be performed to reach the expected future state maturity level
■ Provide the list of required personnel to confirm roadmap and detailed activities
■ Conduct workshop sessions with relevant personnel to present roadmap and detailed activities and receive feedback
Focus area of having security initiatives
IMPLEMENTATION DOMAIN: PEOPLE, PROCESS, TECHNOLOGY
PEOPLE: The organization structure has to align with the overall security initiatives, so that the implementation and operation of the expected activities can be performed effectively.
PROCESS: The policy and procedure have to be in place. The governed activities can lead to effective and efficient activities performed by relevant persons in the organisation.
TECHNOLOGY: The priority of the technology implementation has to refer to the area which has lower maturity and high impact if a security incident happens.
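The current-state and future-state assessment above, together with the rule that technology priority goes to areas with lower maturity and higher incident impact, can be turned into a small gap-analysis tool. The following is an added example, not code from the presentation or from Tokopedia: the CSF function and category identifiers follow the NIST CSF layout the slides refer to, but the subcategory labels, maturity levels, target levels and impact ratings are constructed sample data, and the 0–4 maturity scale and 1–5 impact scale are assumptions.

```python
"""Current-state vs future-state maturity gap analysis (added example).

The ranking implements the prioritisation rule from the slides: areas with
lower current maturity and higher impact if an incident happens come first.
Maturity levels (0..4), impact ratings (1..5) and the sample records below
are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Assessment:
    function: str      # NIST CSF function: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
    category: str      # NIST CSF category identifier, e.g. "PR.AC"
    subcategory: str   # constructed label for the assessed subcategory
    current: int       # current maturity level, 0 (none) .. 4 (optimised)
    target: int        # future-state level agreed by management, 0 .. 4
    impact: int        # impact if a security or fraud incident hits this area, 1 .. 5


def validate(a: Assessment) -> None:
    """Reject inconsistent assessment records before they reach the roadmap."""
    if not (0 <= a.current <= 4 and 0 <= a.target <= 4):
        raise ValueError(f"{a.subcategory}: maturity level must be between 0 and 4")
    if not 1 <= a.impact <= 5:
        raise ValueError(f"{a.subcategory}: impact must be between 1 and 5")
    if a.target < a.current:
        raise ValueError(f"{a.subcategory}: future state below current state")


def gap(a: Assessment) -> int:
    """Levels still to climb to reach the agreed future state."""
    return a.target - a.current


def priority_score(a: Assessment) -> int:
    """Gap weighted by impact; zero once the subcategory is at its target."""
    return gap(a) * a.impact


def prioritised_roadmap(assessments):
    """Open gaps ordered for the roadmap: highest impact first, then lowest
    current maturity, then largest gap."""
    for a in assessments:
        validate(a)
    open_items = [a for a in assessments if gap(a) > 0]
    return sorted(open_items, key=lambda a: (-a.impact, a.current, -gap(a)))


def function_maturity(assessments):
    """Current maturity per CSF function (mean of its subcategories, 1 decimal),
    the figure that is presented to and confirmed with relevant personnel."""
    levels = {}
    for a in assessments:
        levels.setdefault(a.function, []).append(a.current)
    return {fn: round(mean(v), 1) for fn, v in levels.items()}


# Constructed sample assessment (not real Tokopedia data).
SAMPLE = [
    Assessment("IDENTIFY", "ID.AM", "crown-jewel inventory", 1, 3, 5),
    Assessment("PROTECT", "PR.AC", "privileged access", 2, 4, 5),
    Assessment("PROTECT", "PR.DS", "encryption at rest", 3, 3, 4),
    Assessment("DETECT", "DE.CM", "user behaviour monitoring", 1, 3, 4),
    Assessment("RESPOND", "RS.RP", "response playbooks", 2, 3, 3),
    Assessment("RECOVER", "RC.RP", "restore testing", 0, 2, 3),
]

if __name__ == "__main__":
    for fn, level in function_maturity(SAMPLE).items():
        print(f"{fn:<9} current maturity {level}")
    for a in prioritised_roadmap(SAMPLE):
        print(f"{a.category} {a.subcategory}: {a.current} -> {a.target} "
              f"(impact {a.impact}, score {priority_score(a)})")
```

Subcategories already at their target drop out of the roadmap, and the sort key puts impact ahead of current maturity so that a high-impact area one level behind is scheduled before a low-impact area that is far behind.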
03
FRAMEWORK AND PRINCIPLES
The common framework and
principles in improving security
and fraud controls
“Security vulnerability and technology in overall ease fraudulent activities”
– SETIAWAN HERMANTO
The framework that can be used in improving cybersecurity and fraud controls
IDENTIFY: Understanding relevant risks to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related relevant fraud and cybersecurity risks. The Identify Function enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
PROTECT: Outlining appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential fraud and cybersecurity event.
DETECT: Defining the appropriate activities to identify the occurrence of a cybersecurity and fraud event. The Detect Function enables timely discovery of cybersecurity and fraud events.
RESPOND: Including appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity or fraud incident.
RECOVER: Identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity or fraud incident.
People, Process, and Technology elements in the framework (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER)
PEOPLE: The actors who do the actions are defined and should meet the minimum competency to ensure the activities can be performed accordingly.
PROCESS: The policy and procedure are defined to regulate the performed activities, which can result in effective and efficient collaboration among teams.
TECHNOLOGY: The implemented technology has to address the high-impact areas and should promote automation in its orchestration.
Security and risk in product development
Design: During this phase, security and fraud teams have to understand the business requirements and assess / identify security and fraud risks. The risk assessment produces the necessary controls (corrective, preventive, and detective). The standards of controls which have to be followed are distributed to relevant teams.
Build: Security and fraud teams develop test case scenarios which can be leveraged during testing, and build the rules engine for fraud. Within this phase, the standards are used as the guidance in development. Lack of proper standards might pose unnecessary vulnerabilities which can be leveraged by fraudsters or attackers.
Test: Security and fraud teams test the developed function to ensure no vulnerability is posed. The result of testing (report) can be used as a lesson learned to improve the standards. Thus, continuous improvement can be done to improve the application quality effectively and efficiently.
Access control principles
AUTHENTICATION: Identification of users by validating the inputted username and password against the stored username and password data.
AUTHORIZATION: Validation process to check whether the user has proper authorization to perform the activities inside the system.
ACCOUNTING: Log of activities performed by the users inside the system, including the authentication process and in particular the activities related to data modification.
Access framework
PLAN (the identification of necessary actions to run the operation)
■ Identify the sensitive data to protect along with the relevant team who access it
■ Define and apply Authentication, Authorization, and Accounting principles in the system
■ Group the privilege as best as possible (consider department, function, etc)
■ Devise Access Matrix and gain approval from relevant stakeholders
DO (the activities performed during the operation)
■ Review submitted request referring to Access Matrix
■ Grant the access manually or automatically (via API)
■ Revoke the granted access when the user is no longer eligible
CHECK (the review of operational activities to validate the conformity)
■ Review the granted access with Access Matrix
■ Document and report the review result
■ Integrate with security analytics to orchestrate automation
ACT (the optimization of performed activities to gain effectiveness)
■ Follow up the recommendation
■ Define necessary actions to improve the process to uphold continuous improvement
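The three access control principles and the PLAN / DO / CHECK steps of the access framework above fit in one small model: an approved Access Matrix grouped by function, a grant path that only issues what the matrix allows, an accounting log for every authentication and authorization decision, and a review that compares granted access with the matrix. The following is an added example, not code from the presentation or from Tokopedia; the groups, systems, users and passwords are constructed sample data, and the choice of salted PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) for stored passwords is an assumption, since the slides only say credentials are validated against stored data.

```python
"""Access Matrix with Authentication, Authorization and Accounting (added example).

All groups, systems, users and passwords below are constructed. Passwords are
stored as salted PBKDF2-HMAC-SHA256 hashes, authorization is checked against
per-user granted entitlements, every decision is written to an accounting log,
and review_access() implements the CHECK step of the access framework.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# PLAN: approved Access Matrix, privileges grouped by function.
# group -> set of (system, action) the group may hold
ACCESS_MATRIX = {
    "finance": {("ledger", "read"), ("ledger", "write")},
    "support": {("ledger", "read"), ("customer-db", "read")},
    "security": {("customer-db", "read"), ("audit-log", "read")},
}

USERS = {}      # user -> {"salt", "hash", "group", "granted"}
AUDIT_LOG = []  # ACCOUNTING: one record per authentication / authorization decision

PBKDF2_ITERATIONS = 100_000
MODIFYING_ACTIONS = {"write", "delete"}  # data-modification actions flagged in the log


def _record(event, user, **details):
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
             "user": user, **details}
    AUDIT_LOG.append(entry)
    return entry


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def add_user(user, password, group):
    salt = os.urandom(16)
    USERS[user] = {"salt": salt, "hash": _hash_password(password, salt),
                   "group": group, "granted": set()}


# AUTHENTICATION: validate the supplied credentials against the stored data.
def authenticate(user, password):
    rec = USERS.get(user)
    if rec is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users
        ok = False
    else:
        ok = hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])
    _record("authentication", user, success=ok)
    return ok


# DO: grant only what the Access Matrix allows for the user's current group.
def grant_access(user, system, action):
    rec = USERS[user]
    allowed = (system, action) in ACCESS_MATRIX.get(rec["group"], set())
    if allowed:
        rec["granted"].add((system, action))
    _record("grant", user, system=system, action=action, approved=allowed)
    return allowed


def revoke_access(user, system, action):
    USERS[user]["granted"].discard((system, action))
    _record("revoke", user, system=system, action=action)


# AUTHORIZATION: may this user perform the action on the system?
def authorize(user, system, action):
    rec = USERS.get(user)
    ok = rec is not None and (system, action) in rec["granted"]
    _record("authorization", user, system=system, action=action,
            allowed=ok, data_modification=action in MODIFYING_ACTIONS)
    return ok


# CHECK: granted access that the Access Matrix no longer covers, as findings.
def review_access():
    findings = []
    for user, rec in sorted(USERS.items()):
        allowed = ACCESS_MATRIX.get(rec["group"], set())
        for system, action in sorted(rec["granted"] - allowed):
            findings.append((user, system, action))
    return findings


def modification_events(user):
    """Accounting view: authorized data-modifying actions performed by a user."""
    return [e for e in AUDIT_LOG if e["event"] == "authorization"
            and e["user"] == user and e["allowed"] and e["data_modification"]]


def build_sample_directory():
    """Constructed scenario: onboard two users, then transfer one between groups."""
    USERS.clear()
    AUDIT_LOG.clear()
    add_user("alice", "correct-horse-battery-staple", "finance")
    add_user("bob", "hunter2-but-longer", "support")
    for entitlement in ACCESS_MATRIX["finance"]:
        grant_access("alice", *entitlement)
    for entitlement in ACCESS_MATRIX["support"]:
        grant_access("bob", *entitlement)
    USERS["bob"]["group"] = "security"  # transfer: old grants are stale until reviewed


if __name__ == "__main__":
    build_sample_directory()
    print("alice login:", authenticate("alice", "correct-horse-battery-staple"))
    print("review findings:", review_access())
```

In the constructed scenario, bob moves from support to security but keeps his old grants; review_access() reports the ledger read entitlement that the security row of the matrix does not cover, which is exactly the drift the CHECK step exists to catch, and revoke_access() closes it.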
04
KEY TAKEAWAYS
The summary of information
given in this presentation
Summary points of today
■ Understanding the context of the organization and identifying your “crown jewels” are mandatory things to do before taking any action to improve your security and fraud controls; otherwise the resulting controls might be ineffective
■ Every company has to be ready in any circumstances for security or fraud incidents, which might be caused by an internal or external party, because it’s NOT about “if” but “when”
■ The organization is required to switch from a reactive to a proactive (active defense) mindset by devising a roadmap used to guide the improvement in security and fraud, which comprises People, Process, and Technology facets
■ Any implementation related to security or fraud has to consider the risk assessment results to acquire optimum benefit
■ The company should apply the most suitable approach or framework in every phase of product development to mitigate the risks
THANKS!
Does anyone have any questions?
setiawan.hermanto@tokopedia.com
+62 819 0503 0358
tokopedia.com