HUMAN RESOURCE DEVELOPMENT PROGRAM ON IT SECURITY … · 2018-04-13 · NIST SP 800-50 (Building an...



IAEA-CN-260/119 DIAN SEPTIKASARI


HUMAN RESOURCE DEVELOPMENT PROGRAM ON IT SECURITY AT INDONESIA NUCLEAR REGULATORY AGENCY (BAPETEN)

DIAN SEPTIKASARI
INDONESIA NUCLEAR REGULATORY AGENCY (BAPETEN)
Jakarta, Indonesia
Email: [email protected]; [email protected]

Abstract

This paper provides an overview of a proposed human resource development program on IT security at BAPETEN. The paper uses IAEA NSS 23-G (Implementing Guide: Security of Nuclear Information) and best practice from NIST SP 800-50 (Building an Information Technology Security Awareness and Training Program). In nuclear security, information security refers to the system, program or set of rules in place to ensure the confidentiality, integrity and availability of information in any form. The main points of the program proposed in this paper are: analyze roles and responsibilities for all job classifications; needs assessment to categorize the IT security program; design of the awareness and training program; development of awareness and training material; implementation of the awareness and training program; and monitoring, evaluation and feedback.

1. INTRODUCTION

The main task of BAPETEN is to conduct governmental activities in the regulatory control of nuclear energy as mandated by applicable laws and regulations.

The use of nuclear energy in Indonesia is solely for the peaceful purpose and the welfare of the Indonesian people. Therefore, the regulatory control of nuclear energy is aimed to protect worker’s safety, public health and the environment. In addition, safety and security cultures should be promoted, maintained, and continuously enhanced.

Nuclear Energy Act UU No. 10 of 1997 explains the important supervisory function in protecting public health and the health of the environment: the creation of regulations, licensing and inspections. This supervisory function is the main activity carried out by BAPETEN.

Information technology is used to conduct governmental activities in the regulatory control of nuclear energy. The online licensing application makes it easier for permit holders to apply for permission to use nuclear energy. The inspection application is used by inspectors to conduct supervisory inspections and to ensure that users comply with the safety regulations and with the provisions relevant to the permit conditions. Radiation detection and monitoring also rely on information technology for the delivery and presentation of the data. BAPETEN is a government institution whose organizational structure and employees have different educational backgrounds and levels of IT understanding. It is therefore necessary to survey employees to determine their level of understanding of IT use; knowing this level facilitates the guidance and development of human resources, especially knowledge in the IT field, in order to propose a human resource development program on IT security at BAPETEN.

2. METHODOLOGY

a. NIST SP 800-50

Centralized Program Management Model (Centralized Policy, Strategy, and Implementation). In this model, responsibility and budget for the entire organization’s IT security awareness and training program are given to a central authority. All directives, strategy development, planning, and scheduling are coordinated through this “security awareness and training” authority.


Figure 2: Centralized Program Management Model

Because the awareness and training strategy is developed at the central authority, the needs assessment (which helps determine the strategy) is also conducted by the central authority. The central authority also develops the training plan as well as the awareness and training material. The method(s) of implementing the material throughout the organization is determined and accomplished by the central authority.

Typically, in such an organization, both the CIO and IT security program manager are organizationally located within this central authority. Communication between the central authority and the organizational units travels in both directions. The central authority communicates the agency’s policy directives regarding IT security awareness and training, the strategy for conducting the program, and the material and method(s) of implementation to the organizational units. The organizational units provide information requested by the central authority. For example, to meet its responsibilities, the central authority may collect data on the number of attendees at awareness sessions, the number of people trained on a particular topic, and the number of people yet to attend awareness and training sessions.

The organizational unit can also provide feedback on the effectiveness of awareness and training material and on the appropriateness of the method(s) used to implement the material. This allows the central authority to fine-tune, add or delete material, or modify the implementation method(s). This centralized program management model is often deployed by agencies that:

• Are relatively small or have a high degree of structure and central management of most IT functions;

• Have, at the headquarters level, the necessary resources, expertise, and knowledge of the mission(s) and operations at the unit level; or

• Have a high degree of similarity in mission and operational objectives across all of its components.

b. NSS23-G

INFORMATION

2.2. Information is knowledge, irrespective of its form of existence or expression. It includes ideas, concepts, events, processes, thoughts, facts and patterns. Information can be recorded on material such as paper, film, magnetic or optical media, or held in electronic systems. Information can be represented and communicated by almost any means. In the nuclear domain, there is a vast amount of information in many forms. Information assets are the equipment or components (including media) that are used to store, process, control or transmit information.

IDENTIFYING AND SECURING SENSITIVE INFORMATION

2.5. Sensitive information is information, the unauthorized disclosure (or modification, alteration, destruction or denial of use) of which could compromise nuclear security or otherwise assist in the carrying out of a malicious act against a nuclear facility, organization or transport. Such information may refer, for example, to the nuclear security arrangements at a facility, the systems, structures and components at a facility, the location and details of transport of nuclear material or other radioactive material, or details of an organization’s personnel.


INFORMATION SECURITY

2.10. Information security, as described in this publication, refers to the system, programme or set of rules in place to ensure the confidentiality, integrity and availability of information in any form. At a minimum, it includes:

(a) Security of information in physical forms (e.g. paper and electronic media);

(b) Security of computer systems, sometimes referred to as computer security, information technology (IT) security or cybersecurity (additional IAEA guidance can be found in Computer Security at Nuclear Facilities);

(c) Security of information assets (e.g. information storage and processing equipment, communication systems and networks);

(d) Security of information about facility employees and third parties (e.g. contractors and vendors) that could compromise the security of the above;

(e) Security of intangible information (e.g. knowledge).

3. DISCUSSION

a. Analyze roles and responsibilities for all job classifications

Figure 3: BAPETEN Organizational Structure

1. Executive Secretary: acts as CIO.

2. Education and Training Center: acts as the center of education and training for human resource development, including IT security training.

3. Planning Bureau: the IT Division is part of the Planning Bureau, which centralizes IT at BAPETEN.

b. Needs assessment to categorize the IT security program

A needs assessment is a process that can be used to determine an organization’s awareness and training needs. The results of a needs assessment can provide justification to convince management to allocate adequate resources to meet the identified awareness and training needs. In conducting a needs assessment, it is important that key personnel be involved. As a minimum, the following roles should be addressed in terms of any special training needs:

• Executive Management

• Security Personnel

• System Owners

• System Administrators and IT Support Personnel

• Operational Managers and System Users

c. Design awareness and training program

• Security Awareness is required for all employees, including contractor employees, involved in any IT utilization.

• Security Basics and Literacy is the transition stage between awareness and training, which is the basis for further training by providing basic knowledge of the terms and concepts of information security.

• Roles and Responsibilities Relative to IT Systems: at this level, training focuses on providing specific knowledge, skills and abilities. The training is divided into three categories: beginning, intermediate, and advanced.

• Education and Experience focuses on developing the skills needed to advance the IT security profession.

d. Developing awareness and training material

The IT Division and the Education and Training Center collaborate to develop the material.

e. Implementation of awareness and training program

The Education and Training Center conducts the information security training.

f. Monitoring, evaluation and feedback

After the information security training has been conducted, the IT Division and the Education and Training Center carry out monitoring, evaluation and feedback to improve the next information security training.

4. CONCLUSION

The categorization and levelling of information security training are built from the assessment of information security training needs, based on the sensitive information for which each employee is responsible in their daily job.

5. RECOMMENDATION

This paper will serve as a reference for the Education and Training Center in conducting training for the BAPETEN human resource development programme related to information security.

6. REFERENCES

[1] IAEA Nuclear Security Series No. 12, Technical Guidance: Educational Programme in Nuclear Security
[2] IAEA Nuclear Security Series No. 23-G, Implementing Guide: Security of Nuclear Information
[3] IAEA Nuclear Security Series No. 20, Nuclear Security Fundamentals
[4] IAEA-TECDOC-1734, Establishing a National Nuclear Security Support Centre
[5] NIST Special Publication 800-12 Revision 1, An Introduction to Information Security
[6] NIST Special Publication 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework
[7] NIST Special Publication 500-172, Computer Security Training Guidelines
[8] NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model
[9] NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program