Khairunnisak Nur Isnaini,Siti Alvi Solikhatin

DOI: https://doi.org/10.26555/jifo.v14i2.a14434

2020-05-09

Jurnal Informatika

Abstract:The threat of physical security can be from human factors, natural disasters, and information technology itself. Therefore, to prevent threats, we need the right tools to control current activities, evaluate potential impacts, and make appropriate plans so that business processes at X University will not be affected. This research starts by analyzing the problems that arise, followed by collecting the data needed, discussing the results, and making conclusions and recommendations that can be given. The method uses quantitative descriptive research. The research instrument uses interviews and questionnaire techniques. COBIT 5 is used as a framework for measuring the performance that is being implemented and will be achieved. Maturity models are used to measure current and future activities. The goal to be achieved is that the organization can create a physical security environment by the CIA principle (confidentiality, integrity, & availability). Positioning results are at level 3, meaning that the process is currently running in two main standard operating procedures. However, this evaluation specifically on the DSS5.5.5 subdomain (Providing Service Support-Managing physical security for IT Assets) in COBIT 5, and the results are still below the level 3 standard (Established Process), at 2.9 points. So, the right suggestion is to keep activities safe, one of which is to improve facilities and infrastructure, one of which is the use of biometric control in data center management rooms or other rooms with limited access.

Fitri Wijayanti,Dana Indra Sensuse,Arief Anthadi Putera,Andy Syahrizal

DOI: https://doi.org/10.1109/ic2ie50715.2020.9274574

2020-09-15

Abstract:The DRC of the Ministry XYZ has suffered from a system breach. The DRC's problem will lead to a lack of system information security, availability, and an increasing threat to the whole system of Ministry XYZ. In 2019, the KAMI Index assessment of the Ministry XYZ stated that the level of maturity and completeness of the application of ISO 27001 standards of the XYZ Ministry were at the level of fulfillment of the basic framework. There is a gap between the assessment result and the operational problem within the DRC of Ministry XYZ due to the lack of an information security management system. Therefore, this study conducts the same KAMI Index assessment within the scope of the DRC only and aims to offer a recommendation based on ISO 27001 as the basis of the KAMI Index assessment. This study used discussion, observation, and KAMI Index assessment tools for collecting data and analyze the result. The assessment result of the DRC showed that the maturity level of the ISO 27001 standard on the DRC is on the application of the basic framework. The suggested recommendations to improve the information security management system of the DRC were mostly in the aspect of the information security framework and assets management.

Gliner Dias Alencar,Hermano Perrelli de Moura,Ivaldir Honório de Farias Júnior,José Gilson de Almeida Teixeira Filho

DOI: https://doi.org/10.48550/arXiv.1807.06184

2018-07-17

Cryptography and Security

Abstract:The lack of security in information systems has caused numerous financial and moral losses to several organizations. The organizations have a series of information security measures recommended by literature and international standards. However, the implementation of policies, actions, and adjustment to such standards is not simple and must be addressed by specific needs identified by the Information Security Governance in each organization. There are many challenges in effectively establishing, maintaining, and measuring information security in a way that adds value. Those challenges demonstrate a need for further investigations which address the problem. This paper presents a strategy to measure the maturity in information security aiming, also, to assist in the application and prioritization of information security actions in the corporate environment. For this, a survey was used as the main methodological instrument, reaching 157 distinct companies. As a result, it was possible to classify the ISO/IEC 27001 and 27002 controls in four stages according to the importance given by the companies. The COBIT maturity levels and a risk analysis matrix were also used. Finally, the adaptable strategy was successfully tested in a company

Michelle Cantika Pontoan,Jay Idoan SIhotang,Erienika Lompoliu

DOI: https://doi.org/10.30812/matrik.v22i2.2474

2023-03-31

Abstract:The rapid development of information affects many aspects of human life. So that the field of information security becomes one aspect that must be considered. This study aims to measure the information security awareness and to improve daily operational activities of managing IT services effectively and efficiently. Salemba Adventist Academy has used the Wium Online Education Management System (WIOEM) online system, but in its implementation the security aspects of the system are not yet known. The Information Technology Infrastructure Library (ITIL) v3 framework which is globally recognized for managing information technology is broken down into five parts: Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement. This study focuses on Service Operations with 4 attributes, namely: Security, Privacy, Risk, and Trust. The data collection method used by the researcher was through observation in the form of a questionnaire in taking the number of samples to several students by taking population samples using the Lemeshow method. After the data were collected, the results of the ITIL indicator questionnaire are calculated based on the data security level. The results show that the Security indicator is Level 1, the Privacy indicator is level 3, the Risk indicator is level 3, and the Trust indicator is level 4 on the Data Security Level scale. This shows that the WIOEM system can be used properly according to user expectations and meets several levels of data security according to ITIL v3 framework.

Inna Madiyaningsih,Kalamullah Ramli

DOI: https://doi.org/10.31943/gw.v14i2.476

2023-08-15

Gema Wiralodra

Abstract:Based on the report security year 2022 from company Z in the ICT sector, it was found that on the report firewall security, 96% of level threat is level critical, and 4% is level high. Report email security is session domain 27.3%; Session limits 15.35 %; Forti Guard AntiSpam-IP 3.11%, and the rest is receipt verification; directory filter and access control relay denied. With the challenge of current cyber-attacks, precious data assets need analysis to measure the the level of IT maturity that can ensure stakeholders' interest and maximize benefits and opportunities through technology information. We overcome limitations by analyzing IT maturity using COBIT 5. Research focused only on the APO13 and DSS05 process domains. A study was done to identify the problems based on results observation, checking, and use of a questionnaire in a direct manner. Measurement is done through method evaluation self and interviews deep with the IT team and all power expert who has COBIT certification 5. Analysis results show that the measurement level for the APO13 domain is 3, and for DSS05 is level 2. These results still need to be below the set level 4 target management; therefore, building a framework to monitor, track, and record security data in real time is necessary. With the build framework, Work can help lower the threat level from a critical level to a high level and increase the COBIT Maturity Level to APO13 and DSS05 according to organizational targets.

Elisabet Dela Marcela,Melissa Indah Fianty

DOI: https://doi.org/10.33022/ijcs.v12i4.3353

2023-08-30

Indonesian Journal of Computer Science

Abstract:The utilization of the Peoplesoft Campus Solution (MyUMN) technology, which has become excessively outdated, necessitates an evaluation, development, and rejuvenation of MyUMN to address any occurring issues with definitive solutions. An assessment of the Information Technology governance capability level is carried out using the COBIT 2019 framework. This research focuses on the following specific objectives: BAI03 (Managed Solutions Identification and Build), BAI06 (Managed IT Changes), and BAI07 (Managed IT Change Acceptance and Transitioning). The measurement results reveal that the capability levels for all three objectives are at level 2, while the targeted capability level is at level 4. Consequently, there exists a gap between these two levels. Recommendations encompass prioritizing the documentation of application development and conducting routine reviews of all completed change requests to ensure the alignment of change requests

Michael Schmid,Sebastian Pape

DOI: https://doi.org/10.1007/978-3-030-22312-0_16

2019-01-01

Abstract:Generally, measuring the information security maturity is the first step to build a knowledge information security management system in an organization. Unfortunately, it is not possible to measure information security directly. Thus, in order to get an estimate, one has to find reliable measurements. One way to assess information security is by applying a maturity model and assess the level of controls. This does not need to be equivalent to the level of security. Nevertheless, evaluating the level of information security maturity in companies has been a major challenge for years. Although many studies have been conducted to address these challenges, there is still a lack of research to properly analyze these assessments. The primary objective of this study is to show how to use the analytic hierarchy process (AHP) to compare the information security controls’ level of maturity within an industry in order to rank different companies. To validate the approach of this study, we used real information security data from a large international media and technology company.

Sayyidatul Abqoriyyah Melgis,Reni Aryani,Dewi Lestari,Mohamed Naeem Antharathara Abdulnazar

DOI: https://doi.org/10.29407/intensif.v8i1.21512

2024-02-10

Abstract:Since the needs for academic management are always changing, the creation of academic information systems must focus on user benefits and satisfaction in order to gauge how successful academic management systems are. This research uses the Delone and McLean IS Success Model which is known as one of the system success models, so the aims to ascertain the effects of system, information, and service quality, as well as usage rate, on benefits and user satisfaction SIAKAD system. Respondents were determined using the Slovin formula and taken using proportionate stratified random sampling techniques as many as 100 people. Descriptive analysis was carried out to explain respondents' perceptions and evaluate the success of the system using Three levels of communication were used to measure the success of the system: technical, semantic, and effectiveness levels. The Delone and Mclean IS Success Model's variable relationships were investigated using SEM-PLS analysis. Hypothesis testing results indicate that User Satisfaction is significantly impacted by Information; System; and Service Quality, then Information Quality also significantly affects Usage; and Net Benefits are significantly impacted by User Usage and Satisfaction; however, neither System Quality nor Service Quality significantly affects Use or Use on User Satisfaction.

Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Kaja Prislan,Anže Mihelič,Igor Bernik

DOI: https://doi.org/10.1371/journal.pone.0238739

IF: 3.7

2020-09-08

PLoS ONE

Abstract:Measuring the performance of information security is an essential part of the information security management system within organisations. Studies in the past mainly focused on establishing qualitative measurement approaches. Since these can lead to ambiguous conclusions, quantitative metrics are being increasingly proposed as a useful alternative. Nevertheless, the literature on quantitative approaches remains scarce. Thus, studies on the evaluation of information security performance are challenging, especially since many approaches are not tested in organisational settings. The paper aims to validate the model used for evaluating the performance of information security management system through a multidimensional socio-technical approach, in a real-world settings among medium-sized enterprises in Slovenia. The results indicate that information security is strategically defined and compliant, however, measures are primarily implemented at technical and operational levels, while its strategic management remains underdeveloped. We found that the biggest issues are related to information resources and risk management, where information security measurement-related activities proved to be particularly problematic. Even though enterprises do possess certain information security capabilities and are aware of the importance of information security, their current practices make it difficult for them to keep up with the fast-paced technological and security trends.

Rokhman Fauzi,Rahmat Mulyana

DOI: https://doi.org/10.25124/ijies.v4i02.75

2020-07-30

International Journal of Innovation in Enterprise System

Abstract:The assessment of IT governance maturity is part of the assurance function. The assessment is carried out to ensure technology support in achieving business goals. In this context, companies should comply with regulations, as well as the need to continue to improve the quality of implementation of IT governance. The average value of PT X's IT governance maturity in Year 2 has increased from 3.21 to 3.26. There is an increase in the average score of 0.05 over one year. Success factors in implementing IT governance must be maintained and encouraged to continue the grow. This research was conducted to identify what organizational initiatives to increase the maturity and what the key factors are. Factors identification is done using evidence analysis method based on CSF references and attributes criteria. The results of the analysis obtained key factors that strengthen the maturity. The main factors are CSF2 providing IT infrastructure that supports the development and exchange of IT applications and services (21.72%), and CSF4 staff development to meet professional IT HR qualifications (17.39%). On the other hand, maturity attribute which gave the biggest contribution was ATR1 related to policies and procedures (34.6%), and ATR3 related to defining goals and actions (30.77%).

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan

DOI: https://doi.org/10.48550/arXiv.1203.6622

2012-03-29

Abstract:Security is a hot issue to be discussed, ranging from business activities, correspondence, banking and financial activities; it requires prudence and high precision. Since information security has a very important role in supporting activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter, more structured, high precision and measured forecasting.

Cryptography and Security,Software Engineering

Stanny Dewanty Rehatta,Augie David Manuputty

DOI: https://doi.org/10.33557/journalisi.v1i2.16

2019-09-02

Journal of Information Systems and Informatics

Abstract:BKDIKLATDA in Salatiga is an Personnel Institution located in the Salatiga City Government area, which is currently implementing IT as a supporter of business processes. One of the IT used is the Personnel Management Information System (SIMPEG). SIMPEG is a system specifically designed to provide personnel administration management information quickly, accurately and accurately, and has the function to manage staffing data and information in the working environment of the Salatiga Municipal Government. In this study COBIT 5 was used specifically the Monitor, Evaluate, Assessment (MEA) domain to observe, evaluate and evaluate the performance of IT governance on the application of SIMPEG in the Salatiga City BKDIKLATDA. MEA is a domain in COBIT 5 whose purpose is to observe, evaluate and assess all processes related to IT in a company or organization. The purpose of this study was to help the Salatiga City BKDIKLATDA to optimize the SIMPEG process performance and find out the level of maturity and the ability to apply SIMPEG in the Salatiga City BKDIKLATDA. The research methodology used in this study is mixed method. Mixed method is a research approach that combines or links qualitative and quantitative research methods. The results of this study are expected to optimize the effective and efficient performance process in the application of SIMPEG in the Salatiga City BKDIKLATDA so that in the future it will be even better.

Nurhadi Siswantoro,Dwi Priyanta,Steven Gautama,Muhammad Badrus Zaman,Trika Pitana,Hari Prastowo,F Ratu Balqis,Ardi Nugroho Yulianto

DOI: https://doi.org/10.1088/1755-1315/972/1/012033

2022-01-01

IOP Conference Series: Earth and Environmental Science

Abstract:Abstract One of the challenges experienced by companies nowadays is keeping their value of assets which will affect the value of the companies. The companies need to provide certainty to the stakeholders from both internal and external perspectives. These things are important for companies that have a high and large value asset. PT. X is one of the shipping lines in Indonesia and with the large task of shipping companies, it has a large number and high value of assets. Heavy equipment is of the assets that have supported the company’s main business process in the loading-unloading process. By now, there has never been an asset management maturity level on PT. X. Therefore, an evaluation of measurement of the heavy equipment maintenance management system is conducted based on the guidelines of ISO 55001: 2014. The results of the assessment showed that the maturity level of heavy equipment management is 2.7 and there are 13 sub-optimal sub-clauses that need improvement by the company.

Michael Matthias Naumann,Stelian Mircea Olaru,Georg Sven Lampe,Fabian Pitz

DOI: https://doi.org/10.2478/picbe-2024-0043

2024-06-01

Proceedings of the International Conference on Business Excellence

Abstract:Abstract In the current global context, companies need a defined minimum level of information security to recognize and deal with related threats and risks. Due to market, customer or legal requirements, specifications and requirements for information security are implemented uniformly according to standards such as the information security management standard ISO/IEC 27001 or industry-specific standards such as Trusted Information Security Assessment Exchange - TISAX, ISO IEC 27019 Energy Utility Information Security Standard. The conformity to these standard requirements within the established management system is checked during periodically required audits. However, there are various reasons for which, even after many years of audits in companies, there are still insufficient process implementations for information security requirements. The aim of the paper is to analyze the status of conformity and thus also the process maturity in selected samples of companies that have already had information security management systems (ISMS) implemented for several years. In detail, the reasons for deviations from the minimum requirements with associated risks for the security of information in companies were analyzed, which allow conclusions to be drawn about possible process improvements. The paper also analyzes why, despite established measures and existing expertise, only a limited level of process maturity is achieved on average. Other possible approaches to the implementation procedure for dealing with non-conformities in information security are also considered. The results of this research show that there is a need for an adjusted continuous improvement process, which makes risks resulting from insufficient process maturity more visible. Proposals for such improvements are listed.

Fathoni,Novita Simbolon,Dinna Yunika Hardiyanti

DOI: https://doi.org/10.1088/1742-6596/1196/1/012033

2019-03-01

Journal of Physics: Conference Series

Abstract:Stakeholders in a company have a right knowing about optimizing information security management. It can affect a company's performances and reputation. Information is the biggest business driver in an organization or company. This research aims to measure the capability of the company which is implemented information security governance that impacts on enterprise risk. The Loan Debit Network Corporation system is the main system that supports the company's business process for corporate lending transactions management. The capability level measurement is based on COBIT 5.0 for Information security and ISO 27001: 2013 Guidelines as a value against the Information Security Governance component rating. It starts with aligning organizational goals from COBIT 5.0 perspectives to obtain five COBIT 5.0 IT processes. The current capability is at level 2.5. Improvement recommendation from level 2.8 to level 3 refers to best practice recommended by COBIT 5.0 for Information Security.

Rúsbel Domínguez-Domínguez,Omar A. Flores-Laguna,Jair del Valle-López

2023-06-20

Abstract:The purpose of this research was to know the degree of administrative knowledge, the degree of training of human resources, the degree of commitment of administrators and the degree of effectiveness of the administration for information security risk based on ISO/IEC 27001.The population consisted of 81 subjects (66 administrators and 15 ITD personnel). Those evaluated were employers of the administrative office of the university and also staff of the Information Technology Department (ITD). To make the comparisons, three groups of managers were formed according to classifications of administrative staff, the classification was as follows: (a) first-line manager, (b) middle management and (c) top management. About the results, it can be corroborated that administrative staff with a lower rank have more problems in making the best decisions in relation to the implementation of an ISMS, it should be noted that the first-line manager is the one who has more contact with the students and is the one who is less involved in the implementation of an ISMS. It can also be inferred that the institutionś planners are not fully trained in the institutionś information security efforts. This in turn prevents the generation of proposals for initiatives to implement an ISMS. With this shortcoming, it is possible that security breaches could be generated.

Cryptography and Security,Methodology

Rúsbel Domínguez Domínguez,Omar A. Flores Laguna,José A. Sánchez-Valdez

DOI: https://doi.org/10.48550/arXiv.2306.07367

2023-06-12

Cryptography and Security

Abstract:This research shows the analysis of multiple factors that inhibit the implementation of an Information Security Management System (ISMS). The research data were collected from 143 respondents from two universities in northeastern Mexico, in faculties of engineering in related areas. In this study, the Information Security Management System Measurement Instrument (IM-ISMS) was validated. A scale of 24 items was obtained, divided into four factors: organizational policies and regulations, privacy, integrity and authenticity. The results of this study agree with the results found by [10] in which they pre-sent a model that complies with ISO/IEC 27002:2013 controls and security and privacy criteria to improve the ISMS. [48], Mentioned that the implementation of controls based on ISO standards can meet the requirements for cybersecurity best practices.A scale of 24 items was obtained, divided into four factors: organizational policies and regulations, privacy, integrity and authenticity. This version of the instrument meets the criteria established for its validity (KMO, Bartlett's test of sphericity). An extraction was performed by the minimum residuals method, an oblique rotation was performed by the promax method, when performing the rotation 17 of the 24 items were grouped in the corresponding factor. The final reliability of the scale was calculated by the Omega coefficient, in all the dimensions the coefficients were greater than .70, therefore the re-liability of the instrument is good.

Risma Lukitowati,Kalamullah Ramli

DOI: https://doi.org/10.1166/jctn.2020.8823

2020-02-01

Journal of Computational and Theoretical Nanoscience

Abstract:The main purpose of information security is maintaining information assets that are owned by an organization, such as confidentiality, integrity, and availability (known as CIA). In maintaining information assets, a company usually manages information security by making and implementing an Information Security Management System (ISMS) policy. A widely used and applied ISMS policy in Indonesia is ISO/IEC 27001 (International Organization for Standardization/International Electrotechnical Commission). Indonesian telecommunications company PT ABC has implemented the ISO/IEC 27001:2013 standards and procedures. The company conducts an audit once a year to maintain the level of compliance with ISO/IEC 27001:2013. However, only a few people are involved in conducting audits, and it is still unknown how many employees are aware of the company’s information security. This research focused on assessing how much information security awareness exists within PT ABC. Questionnaires were distributed in two departments of the company: supply chain management and service delivery of the Jakarta operations network. This research also examined company documents and surveillance audits in 2018. The employees were grouped based on their length of employment. The results of the questionnaires, with an error margin of 6%, were further compared with the results of the surveillance audit. Our data show that most employees who have worked at the company for more than six years understood and implemented ISO 27001 controls. Meanwhile, companies still need to socialize ISO to employees who have worked at the company for just one to two years.

Prima Fithri,Hanalde Andre,Uyung Gatot Syafrawi Dinata,Eka Candra Lina,Cesar Welya Refdi,Wenny Surya Murtius

DOI: https://doi.org/10.25077/jwa.30.4.807-813.2023

2023-12-01

Abstract:Applying science and technology encourages innovation, increasing development productivity, independence and national competitiveness. Indonesia has a science and technology area named Science Techno Park (STP). Maturity measurement is an indicator of the level of an STP to apply science and technology for the welfare of society. There are three levels of maturity for STP, which are low (pratama), middle (madya), and high (utama). Before entering the best maturity level, STP must go through various kinds of preparation and fulfil the elements contained in it. The community service activity team at Universitas Andalas conducted a web seminar (webinar) to socialise the maturity assessment for STP Unand from the academic side. The webinar invited two experts on STP maturity measurement. One of the primary assessments is the number of products produced that are expected to come from the results of academic research. This activity can help STP Unand prepare to increase its maturity to a high level.