Jakarta - A cybersecurity expert from Vaksincom, Alfons Tanujaya, questioned the security standards implemented at the National Temporary Data Center (PDNS) 2 in Surabaya, which was attacked by ransomware. Alfons suspects that the data center managers did not follow the applicable security systems and procedures.
In managing the national data center, a partnership between Telkom (PT TelkomSigma), Lintasarta, Sigma, and NeutraDC was selected by the Ministry of Communication and Information Technology (Kemenkominfo) to provide cloud computing services for PDNS in 2024 through an open tender. PT TelkomSigma is known to manage Data Center 2 in Surabaya, which is part of the PDNS services.
"I don't know exactly, but it's clear that they did not follow good systems and procedures. The procedures are clear, there are ISOs, there are all the regulations. If someone manages a data center, they should know better, but the question is whether they want to follow them or not," said Alfons Tanujaya.
Alfons suspects two critical errors in the breach of PDNS 2, which disrupted public services. First, the government did not require appropriate security procedures during the tender process or vendor selection for PDN. Second, the vendor did not implement the appropriate security procedures because they were not included in the agreement with the government.
Alfons accused the vendor of neglecting their duty to maintain PDN security to the fullest extent. If true, he said, the vendor lacks social responsibility and good business ethics in this case. Therefore, an audit and further investigation into the PDNS 2 case is needed, starting from the tender process. Although it may not be legally wrong, Alfons believes that the vendor has social and business responsibilities.
Furthermore, Alfons suggested that the government and vendors should implement good and appropriate security principles, starting from data backup, disaster recovery, business continuity, and adhering strictly to ISO 27001.
The chairman of the cybersecurity research institute Communication and Information System Security Research Center (CISSReC), Pratama Persadha, added that the government and vendors have been negligent in securing PDNS 2 and violated Law Number 27 of 2022 on Personal Data Protection.
Pratama stated that violations of this law could result in criminal, civil, and administrative sanctions.
"This can be done after we know what actually happened. Who was negligent, who is at fault in managing citizens' personal data because PDN contains personal data. There is immigration data, LKPP data, KIP scholarship data, halal certificate data, and more," said Pratama.
Pratama believes that an audit and further investigation into the PDN case is necessary. It is also considered necessary for the police to investigate the causes and the parties that must be held legally accountable. Additionally, Pratama emphasized the importance of good governance.
"It is necessary to find out where the problem lies, whether it is just a governance issue or if there are other issues. For example, in procurement or failure to execute orders and so on. That is what I think needs to be investigated," said Pratama.