Month: November 2024

From Blog to Pitching: It is ALLOWED!

While waiting to pitch to Claire this week, I was triggered to ponder (again).
“Why is Indonesia so often attacked by Ransomware or other cyber attacks?”

I googled it for fun, and the top answer immediately made me nod:
“The region’s growing strategic relevance makes it a prime target for cyberattacks. Cyber resilience is generally low, and countries have varying levels of cyber readiness,” said the Kearney report. And sadly, “there is a lack of strategic mindset, policy preparedness and institutional oversight relating to cybersecurity.”

Ouch, that last part is really true. Even though I’m not from the Ministry of Communication and Information, as a central banker (well, an ex-central banker now, since I’m a student again 😅), I still find this sad. I’m still one of the public officials who are responsible, at least morally. That’s why I became curious and tried to explore what’s behind this situation.

The Kearney report also said that the cybersecurity industry in ASEAN still lacks local competence and a comprehensive framework. As a result, the value of risk is often underestimated, and the budget allocated is far from sufficient. Data shows that Indonesia’s spending on cybersecurity is only 0.02% of GDP, the lowest in Southeast Asia.

From there, it’s clear why ASEAN, especially Indonesia, is an easy target for cyber attacks. 😬

Uh, suddenly the pitching time came!

I was nervous too… I was given 3 minutes to pitch about what I’ve learned this semester, and what topic I’m going to raise as a project. But, honestly, I wasn’t too scared. The pitch actually felt like a retelling of what I’ve written on this blog. So, the decision to consistently write every week was never wrong!

And thank God, my proposed project was accepted!

If God permits, I will move forward with the topic of Data Management x Data Governance, which I narrowed down to Data Privacy. After much discussion, I decided to focus on “Practical Data Security Framework for Payment Service Providers (PJPs) in Indonesia.” I’ve been discussing this topic for the past few weeks, so it feels more solid to be the main project.

Yesterday’s pitch also gave me a lot of feedback from Cristian and Claire. Some important notes:

  • Cristian: He will probably pair me with a supervisor who understands the technical side. I clarified that I’m not from an IT background, so I don’t understand the tech details. But Cristian said it’s really important to have a “broader view.” Technology is a global solution, but in Indonesia there are definitely bias factors (political, cultural, or otherwise) that need to be considered.
  • Claire: He emphasized the importance of knowing whether the relevant regulations are in place. “The ministry only regulates the amount, so there needs to be derivative regulations.” Claire also asked if I had imagined what the research would be like. Well, to be honest, I haven’t, because I want it to be compact and not complicated (understandably, time is short). But I think a discussion with my supervisor will help me strategize more clearly.

After that, I immediately told my mentor at the office, and as usual, no-rest-no-rest club! He immediately pointed me to the Board of Governors Regulation on Cybersecurity. Of course, this became my mandatory reading material for further study.

Stay tuned for the rest of the story in the next post! ✨

From Guidelines to Governance: Exploring Data Security Standards for State Organizations

Hi there! It’s been a while since we caught up!
No one asked, but just so you know—I’m doing well! Although I’m feeling a bit under the weather today, probably because I just finished an intense 10-day study week. But hey, no time to rest; it’s time to start making progress again!

After doing some initial benchmarking to see how other central banks draft regulations on data management—specifically data security—it’s time to dive deeper into the key subtopics I plan to research:

  1. Identifying Security Standards — this post will focus on this one
  2. Designing a Framework
  3. Audit and Monitoring Procedures
  4. Reviewing the Best Technologies and Practices

Identifying Security Standards

What exactly are security standards for state organizations?
Simply put, they’re a set of guidelines and best practices designed to protect sensitive and confidential information. These standards help organizations:

  • Mitigate risks,
  • Reduce vulnerabilities,
  • Ensure regulatory compliance,
  • Maintain public trust, and
  • Avoid legal consequences.

The key phrase here is “set of guidelines and best practices”—and that’s why I’m confident this topic is a great fit for my project. It aligns perfectly with this definition, which I found through my trusted friend: the internet search box.

Diving Into Initial Findings

While exploring security standards for state organizations, I came across a paper that outlines some valuable frameworks applicable to state-level operations (not just for my institution). Here are a few that stood out:

  1. ECSS (European Cooperation for Space Standardization):
    Initially created for space systems, ECSS standards are helpful for early-phase security requirements. They emphasize defining security measures like access control, data integrity, and redundancy from the start.
  2. IEEE (Institute of Electrical and Electronics Engineers):
    IEEE focuses on security as a non-functional requirement, addressing attributes like protection against unauthorized access, modification, or destruction of data. This includes encryption, integrity checks, and communication restrictions.
  3. ISO (International Organization for Standardization):
    ISO offers a broader take on security, especially through standards like:

    • ISO 25010, which highlights information protection, system availability, and secure communication over public networks.
    • ISO 27034, which focuses on application security, advocating risk assessments and security controls tailored to the application’s required trust level.

To narrow down which standards are most relevant for state organizations, it’s crucial to consider the unique context, regulatory requirements, and security needs. Other resources like NIST (National Institute of Standards and Technology) publications could also come in handy for further exploration.

Next Steps?

While I’ve started looking at these standards, I’m holding off on diving too deep into specifics just yet. My next immediate task is to reflect on what I’ve learned during this first semester and decide if I can shape my dissertation topic around Data Governance—specifically focusing on consumer data protection by Payment Service Providers (PJP).

So stay tuned! I’ll share more updates next week.

Reference list:

  • The Complete List of Data Security
  • What are information security standards?
  • Cyber Security Standards

Benchmarking BoE: Data Protection Insights for Payment Service Providers in Indonesia

I’m a big believer in small steps. Making progress every day, even just a bit, keeps me going.

Right now, that means immersing myself in my future project for KIPP: ‘Data Security for State Institutions in Indonesia.’ Still, I’m grappling with exactly which aspect of data management I should focus on.

The backbone of my research is the Personal Data Protection Law (UU No. 27 Tahun 2022), which outlines several key security standards for managing personal data. Among these are:

  1. Data Protection Impact Assessments – Requires data controllers to conduct risk assessments for large-scale data processing, automated decision-making, new technology, and any processing that restricts data subjects’ rights.
  2. Operational Security Measures – Data controllers must ensure data protection through suitable technical measures and security levels aligned with the data’s risk level.
  3. Monitoring and Unauthorized Access Prevention – Data controllers should safeguard data confidentiality, oversee third-party involvement, and maintain a robust security system.
  4. Purpose-Limited Processing – Ensures data is processed accurately and responsibly to protect the rights of data subjects.
  5. Transparency and Accountability – Guarantees open processing practices, provides data access to subjects, and clearly communicates processes in an accessible manner.

For my project, I’m zeroing in on points 2 and 3. I think my ‘future expertise’ could help organizations create a framework for data management practices by Payment Service Providers (which we call PJPs) in Indonesia. Plus, it would establish protocols for monitoring and preventing unauthorized access to meet PDP Law requirements.

A note on the benchmarking research on the BoE: to deepen my understanding, I’ve done some initial benchmarking on data privacy and security management at central banks, specifically the Bank of England, which has been my host during my time here. In the UK, the Information Commissioner’s Office (ICO) oversees Payment Service Providers, similar to how data privacy is regulated by Indonesia’s Ministry of Communication. However, considering recent data breaches back home, it’s clear we have some catching up to do.

Back to the topic! When it comes to PSP oversight and data security standards, BoE has laid out several significant steps:

  1. Outsourcing and Third-Party Risk Management [link]:
    • Data Protection in Outsourcing Agreements: Banks and PSPs must define, document, and understand their responsibilities related to data transfers.
    • Rights to Access, Audit, and Information: Banks have the right to access and audit third-party service providers, ensuring their adherence to data security standards.
    • Sub-outsourcing: Banks must ensure that any subcontractors also meet data protection standards.
  2. Operational Resilience [link]: BoE emphasizes that PSPs should have resilient systems capable of withstanding disruptions, including personal data breaches.
  3. Privacy Policy Commitments [link]: BoE is committed to protecting individual privacy, ensuring personal data processing aligns with established principles.

This benchmarking exercise will be instrumental in shaping my project. I’m likely to cover the following aspects:

  • Security Standards Identification
  • Framework Design
  • Audit and Monitoring Procedures
  • Best Practices in Technology and Procedures

I think these steps could serve as practical guidelines not only for the office but also for PJP data protection practices across Indonesia.

Inspired by GDPR: Developing a Robust Data Security Framework for Payment Providers

“It’s better to make a bit of progress each day than to let things pile up,” is a quote I’d probably coin if I were someone important. But, alas, I’m not (yet). Still, I’m no fan of last-minute rushes either! I’m all about installments, step by step. That brings me to my latest deep dive: data management.

This week, I managed to squeeze in a quick chat with one of my seniors at work, who’s practically a data management guru. “I’m planning to bring up data management as a topic; any insights? Especially for state institutions, and ideally with some added value for our office.” Given his packed schedule—working in a department that’s practically open 25 hours a day—he got right to the point: “Have you checked out the PDP Act? We’re starting to draft derivative regulations that apply to Payment Service Providers (PJP).”

So, I looked it up, and suddenly it all seemed familiar! The PDP Act incorporates sections ‘adopted’ from the GDPR, the data protection law used across the EU. Naturally, my thoughts shifted to my research focus: Could this be the core of my study? Data Management, specifically Data Security, for citizens whose personal data is registered with PJPs in Indonesia—now that could be something impactful.

Hours went by, and my senior hadn’t replied. Maybe it was the seven-hour time difference, or maybe he got pulled back into office chaos. Either way, I decided not to wait around and started diving into references on my own to get things moving.

It seems I’m steering toward “Development of a Data Security Framework for Payment Service Providers (PJP) in Indonesia based on the PDP Law.” In further stages, I’m thinking of exploring:

  1. Identification of Security Standards
  2. Framework Design
  3. Audit and Monitoring Procedures
  4. Review of Leading Technologies and Best Practices

I think this won’t just stop at meeting campus or office needs but could become a practical guide with concrete steps for PJPs across Indonesia. Here’s to making steady progress, one day at a time!
