Regulatory Brief: Strengthening BUMN Cybersecurity through SK-275

12/18/2024


To address growing cybersecurity challenges, the Minister of State-Owned Enterprises (BUMN), Erick Thohir, has issued new regulations on digital governance, including SK-275 on the Implementation of Cybersecurity in the SOE Environment. This regulation lays out a structured approach to enhancing cybersecurity maturity across BUMN, with full compliance expected by 2025.

The Framework of SK-275

SK-275 adopts NIST and CIS as its primary references and introduces 15 priority cybersecurity controls, categorized into five key areas:

| Category | Control Objectives |
| --- | --- |
| Identity | Establish and maintain an inventory of all company assets. |
| Identity | Establish and maintain an inventory of all accounts. |
| Identity | Establish and maintain an inventory of all service accounts. |
| Protect | Restrict administrator access rights to designated administrator accounts. |
| Protect | Implement and maintain anti-malware software. |
| Protect | Manage access controls for remotely connected assets. |
| Detect | Collect audit logs. |
| Detect | Centralize audit logs. |
| Detect | Review audit logs. |
| Detect | Configure automatic anti-malware scans on removable media. |
| Respond | Disable inactive accounts. |
| Respond | Assign personnel to manage the company’s incident handling process. |
| Respond | Establish and maintain an incident response process. |
| Recover | Perform automated backups. |
| Recover | Test backup recovery. |

Alternative Measures: Risk Assessment

In cases where BUMN cannot fully implement the 15 controls, they must conduct a comprehensive risk assessment for any unimplemented minimum controls. This assessment should cover:

  • Risk Appetite: The level of risk the company is prepared to accept to achieve its goals.
  • Risk Treatment: Strategies to address identified risks effectively.
  • Risk Mitigation: Actions designed to reduce risks or their impact.

Reporting Obligations

BUMN are required to report their progress in implementing the established controls annually through the BUMN Annual Report to the Ministry of State-Owned Enterprises. This ensures ongoing accountability and alignment with the ministry's cybersecurity objectives.

Delivering Value Through Digital Trust

At Crowe, we believe organizations that pursue digital transformation should also be digitally trusted so they can obtain optimal benefits from their investment. Our result-oriented cybersecurity practice is designed to help our clients make better decisions by strengthening their cyber risk management.
