
Chapter 5. Recommendations

5.2 Recommendations on Data Security

Subashini580 stated that every element of a cloud system should be analysed in order to attract potential consumers. Indonesian ICT providers should therefore make sure that their networks, servers, storage and applications meet the needs of consumers. ICT providers should also ensure that these services are protected against harm caused by system failure or by unauthorised access to data.

From the research findings in Chapter 4, it can be concluded that most of the interviewees agreed that cloud computing is not a new technology; most of them interpreted it as storage for data. This is similar to the perspective held by Zhang,581 that cloud computing is a use of existing technologies to create a new business model, adapting certain technologies to meet the economic requirements of the ICT business. Even though cloud computing is not new for ICT companies, they need to make sure that they comply with regulatory requirements. They must therefore carry out proper preparation, including compliance with legal requirements, before adopting cloud computing as their business model. This section presents recommendations on data security as a legal aspect of cloud computing.

Robinson582 defined security as the confidentiality and availability of data or information, including encryption and privacy, expressed through legal and non-legal norms to protect the right to a personal or private life.

It should be borne in mind that the interviews in this research were completed in October 2015. At that time, Indonesia was still awaiting the promulgation of the data security and personal data protection regulations from the Ministry of Communication and Information Technology. Therefore, to protect their security systems and personal data, ICT companies in Indonesia referred to ISO/IEC 27001 until the 2016 regulations were published.

In April 2016, Indonesia promulgated Ministry Regulation 4/2016, which sets out how companies, through risk management, are responsible to the public for the performance of electronic systems by giving adequate protection to the confidentiality, integrity and availability of information. Notably, the Ministry Regulation states that companies should refer to ISO/IEC 27001 on information security. Aligning internal company policy with Ministry Regulation 4/2016 should therefore not be an obstacle, since ICT companies were already familiar with implementing ISO/IEC 27001, which the regulation requires.

581 Ibid. (n 155).
582 Ibid. (n 216).

The interview findings revealed that, although the regulation was not promulgated until April 2016, all ICT companies in this research had already implemented data security management through ISO/IEC 27001. The rapid development of technology and the later adjustment of the regulation did not delay ICT companies in extending their businesses to meet customer requirements. Policy makers stated that they had approached the government about the lack of regulation, to make sure that their business practices were in line with the draft regulation. Meanwhile, to cope with the lack of regulation, policy makers specified the agreement between each party in a contract, even though such a contract relies only on general contract law.

Policy makers stated that some regulations in Indonesia are unclear, which might lead to misperceptions that delay ICT businesses. The following sections therefore detail some recommendations in the field of data security. These recommendations put forward legal reforms to clarify the law in Indonesia, with the aim of making data security regulation more precise. This will benefit both employers, when developing policies, and employees, by providing a more robust framework for the accurate application of the relevant law.

5.2.1 Standard guidance on security system compliance

The findings in Chapter 4 reveal that one of the interviewees (B2, SM) stated that the company has its own certification for its security system, called ISO. This is similar to the provision in Ministry Regulation 4/2016,583 which emphasises the protection of security systems: ICT providers should refer to ISO/IEC 27001 as the international guidance on ISMS. It is therefore crucial for ICT providers to make sure that they comply with the provisions of Ministry Regulation 4/2016 and ISO/IEC 27001. To comply with the regulation and the ISO guidance, a company should have a standard risk management system consisting of monitoring, auditing and reviewing the security system, and it should be updated regularly. The security system standard should be set out in company policy and complied with by employees. To make sure that employees understand the updated security system, they need to read and sign an integrity pact confirming that they are up to date with the current security management system and that they are responsible for protecting confidential data in the company. The integrity pact is signed annually; the announcement is posted on the internal company portal and emailed to all employees.

Aside from that, employers have a responsibility to offer specific training in accordance with the business requirements of the company, but employers are not required to make attendance at or completion of training compulsory, unless the employers themselves also take part in the training.

5.2.2 Implication of ISO/IEC 27001 as guidance in the Indonesian Regulation

Ministry Regulation 4/2016 regarding ISMS has brought legal certainty for electronic system operators in Indonesia, particularly in managing security systems and protecting personal data. For the ICT companies in this research, it is an advantage to have already applied ISO/IEC 27001 as the guidance for their security systems, since the Regulation emphasises that standard. The promulgation of Ministry Regulation 4/2016 will give confidence and legal certainty to ICT companies when expanding their business. However, since the government has set out guidance on security systems by reference to ISO/IEC 27001,584 any new guidance on security systems would require a continuous adjustment of the regulation. It is important to investigate whether citing ISO/IEC 27001 as guidance in the regulation will be enough to cope with future developments in technology. If ISO/IEC 27001 is revised with additional guidance on security systems, the Indonesian Regulation will need to be amended, and an amendment takes time. This can be seen in the promulgation of Ministry Regulation 4/2016, which took almost four years from the provision of Government Regulation 82/2012585 on electronic system and transaction operation. This creates further uncertainty for businesses that keep upgrading their security systems to improve business performance while the Regulation still refers to the pre-update security standard.

584 Ibid. (n 10), Article 7.
585 Ibid. (n 253), Article 14.

5.2.3 Review of the promulgation of the Indonesian Regulation

It took four years to promulgate Ministry Regulation 4/2016 to update Law 11/2008 and Government Regulation 82/2012. The aim of Ministry Regulation 4/2016 was to give legal certainty on security systems, especially in relation to protecting personal data. The Regulation referred to ISO/IEC 27001 as guidance because it was the most current international information security standard when the Ministry Regulation was promulgated. However, ISO/IEC 27001 itself has since been revised several times to keep pace with technological development.

ICT companies also have to make sure that they have up-to-date security systems for the protection of personal data on their premises. These security systems need to cover the protection of the data of the company's employees, of the company itself, and of the personal and sensitive data of customers. The protections should be able to cope with the rapid pace of technological change. There should therefore be a protection regulation that covers security in general terms. Referring to specific guidance makes the regulation inflexible in the face of technological development. Technology will always change rapidly, and regulation should be able to support the development of technology and business.

Rigid and specific regulation will slow businesses in equipping themselves with up-to-date technology. The influence of the regulator and other obstacles, such as the economic or political environment in Indonesia, might be further reasons for delays in regulation. Future research should investigate whether the economic or political environment, or other obstacles, might cause delay in the Indonesian government promulgating regulation on data security. Policy maker B3, SM suggested that there should be synchronisation between business and economic aspects, information and technological aspects, and the law, in order to establish a comprehensive regulation in Indonesia. Investigating the sources of potential delay might therefore help the Indonesian government to keep pace with technological development in Indonesia.