Risma Lukitowati,Kalamullah Ramli

DOI: https://doi.org/10.1166/jctn.2020.8823

2020-02-01

Journal of Computational and Theoretical Nanoscience

Abstract:The main purpose of information security is maintaining information assets that are owned by an organization, such as confidentiality, integrity, and availability (known as CIA). In maintaining information assets, a company usually manages information security by making and implementing an Information Security Management System (ISMS) policy. A widely used and applied ISMS policy in Indonesia is ISO/IEC 27001 (International Organization for Standardization/International Electrotechnical Commission). Indonesian telecommunications company PT ABC has implemented the ISO/IEC 27001:2013 standards and procedures. The company conducts an audit once a year to maintain the level of compliance with ISO/IEC 27001:2013. However, only a few people are involved in conducting audits, and it is still unknown how many employees are aware of the company’s information security. This research focused on assessing how much information security awareness exists within PT ABC. Questionnaires were distributed in two departments of the company: supply chain management and service delivery of the Jakarta operations network. This research also examined company documents and surveillance audits in 2018. The employees were grouped based on their length of employment. The results of the questionnaires, with an error margin of 6%, were further compared with the results of the surveillance audit. Our data show that most employees who have worked at the company for more than six years understood and implemented ISO 27001 controls. Meanwhile, companies still need to socialize ISO to employees who have worked at the company for just one to two years.

Endang Kurniawan,Imam Riadi,Amin Irmawan,Arusani

DOI: https://doi.org/10.48550/arXiv.2204.09511

2022-04-17

Abstract:This study aims to information security in academic information systems to provide recommendations for improvements in information security management by the expected maturity level based on ISO/IEC 27002:2013. By using a qualitative descriptive approach, data collection and validation techniques with triangulation techniques are interviews, observation, and documentation. The data were analyzed by using gap analysis and to measure the maturity level determined 15 objective control and 45 security controls scattered in 5 clauses, the result of the research found that the performance of academic information system maturity level at level 2. That is, the current level of maturity is below the expected maturity level, so it needs to be increased to the expected level.

Cryptography and Security

Inna Madiyaningsih,Kalamullah Ramli

DOI: https://doi.org/10.31943/gw.v14i2.476

2023-08-15

Gema Wiralodra

Abstract:Based on the report security year 2022 from company Z in the ICT sector, it was found that on the report firewall security, 96% of level threat is level critical, and 4% is level high. Report email security is session domain 27.3%; Session limits 15.35 %; Forti Guard AntiSpam-IP 3.11%, and the rest is receipt verification; directory filter and access control relay denied. With the challenge of current cyber-attacks, precious data assets need analysis to measure the the level of IT maturity that can ensure stakeholders' interest and maximize benefits and opportunities through technology information. We overcome limitations by analyzing IT maturity using COBIT 5. Research focused only on the APO13 and DSS05 process domains. A study was done to identify the problems based on results observation, checking, and use of a questionnaire in a direct manner. Measurement is done through method evaluation self and interviews deep with the IT team and all power expert who has COBIT certification 5. Analysis results show that the measurement level for the APO13 domain is 3, and for DSS05 is level 2. These results still need to be below the set level 4 target management; therefore, building a framework to monitor, track, and record security data in real time is necessary. With the build framework, Work can help lower the threat level from a critical level to a high level and increase the COBIT Maturity Level to APO13 and DSS05 according to organizational targets.

R Tatiara,A N Fajar,B Siregar,W Gunawan

DOI: https://doi.org/10.1088/1742-6596/978/1/012039

2018-03-01

Journal of Physics: Conference Series

Abstract:The purpose of this research is to determine multi factors that inhibiting the implementation of the ISMS based on ISO 2700. It is also to propose a follow-up recommendation on the factors that inhibit the implementation of the ISMS. Data collection is derived from questionnaires to 182 respondents from users in data center operation (DCO) at bca, Indonesian telecommunication international (telin), and data centre division at Indonesian Ministry of Health. We analysing data collection with multiple linear regression analysis and paired t-test. The results are multiple factors which inhibiting the implementation of the ISMS from the three organizations which has implement and operate the ISMS, ISMS documentation management, and continual improvement. From this research, we concluded that the processes of implementation in ISMS is the necessity of the role of all parties in succeeding the implementation of the ISMS continuously.

Amin Maruf Nuris,Aditya Maharani,Renanda Nia Rachmadita

DOI: https://doi.org/10.25170/metris.v22i02.2800

2022-02-10

Jurnal METRIS

Abstract:PT. Duta Media Cipta (DMC) is a control system and IT company based in the city of Surabaya, this company focuses on procurement, maintenance and repair services for ship equipment, both mechanical and electrical. As an information technology company, PT. DMC is committed to being a trusted IT and control system company. In working on the project, PT. DMC has not implemented risk management for every software development project it has worked on. Some of the risks that are often faced in working on software projects at PT. DMC are project risks such as technical, cost, and project scheduling which are sometimes not in accordance with the established plan and cause cost and time losses to the company. So in this study using ISO 31000 as a framework in analyzing potential risks. The application of risk assessment consists of 3 stages, namely risk identification, risk analysis, and risk evaluation. The results of this study found that there are 4 risks with 26 sub-risks, of which there are 6 sub-risks that are prioritized and require risk management.

Michelle Cantika Pontoan,Jay Idoan SIhotang,Erienika Lompoliu

DOI: https://doi.org/10.30812/matrik.v22i2.2474

2023-03-31

Abstract:The rapid development of information affects many aspects of human life. So that the field of information security becomes one aspect that must be considered. This study aims to measure the information security awareness and to improve daily operational activities of managing IT services effectively and efficiently. Salemba Adventist Academy has used the Wium Online Education Management System (WIOEM) online system, but in its implementation the security aspects of the system are not yet known. The Information Technology Infrastructure Library (ITIL) v3 framework which is globally recognized for managing information technology is broken down into five parts: Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement. This study focuses on Service Operations with 4 attributes, namely: Security, Privacy, Risk, and Trust. The data collection method used by the researcher was through observation in the form of a questionnaire in taking the number of samples to several students by taking population samples using the Lemeshow method. After the data were collected, the results of the ITIL indicator questionnaire are calculated based on the data security level. The results show that the Security indicator is Level 1, the Privacy indicator is level 3, the Risk indicator is level 3, and the Trust indicator is level 4 on the Data Security Level scale. This shows that the WIOEM system can be used properly according to user expectations and meets several levels of data security according to ITIL v3 framework.

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan

DOI: https://doi.org/10.48550/arXiv.1203.6622

2012-03-29

Abstract:Security is a hot issue to be discussed, ranging from business activities, correspondence, banking and financial activities; it requires prudence and high precision. Since information security has a very important role in supporting activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter, more structured, high precision and measured forecasting.

Cryptography and Security,Software Engineering

Fotis Kitsios,Elpiniki Chatzidimitriou,Maria Kamariotou

DOI: https://doi.org/10.3390/su14031269

IF: 3.9

2022-01-24

Sustainability

Abstract:Organizations must be committed to ensuring the confidentiality, availability, and integrity of the information in their possession to manage legal and regulatory obligations and to maintain trusted business relationships. Information security management systems (ISMSs) support companies to better deal with information security risks and cyber-attacks. Although there are many different approaches to successfully implementing an ISMS in a company, the most important and time-consuming part of establishing an ISMS is a risk assessment. The purpose of this paper was to develop a risk assessment framework that a company followed in the information technology sector to conduct the risk assessment process to comply with International Organization for Standardization (ISO) 27001. The findings analyze the conditions that force organizations to invest in protecting information and the benefits they can derive from this process. In particular, the paper delves into a multinational IT consulting services company that undertakes and implements large business support installation and customization projects. It explains the risk assessment process and the management of the necessary configurations so that its functions are acceptable and in line with information security standards. Finally, it presents the difficulties and challenges encountered.

environmental sciences,environmental studies,green & sustainable science & technology

Kitsios,Chatzidimitriou,Kamariotou

DOI: https://doi.org/10.3390/su15075828

IF: 3.9

2023-03-28

Sustainability

Abstract:In order to handle their regulatory and legal responsibilities and to retain trustworthy strategic partnerships, enterprises need to be dedicated to guaranteeing the privacy, accessibility, and authenticity of the data at their disposal. Companies can become more resilient in the face of information security threats and cyberattacks by effectively integrating security strategies. The goal of this article is to describe a plan that a corporation has implemented in the information technology industry in order to ensure compliance with International Organization for Standardization (ISO) 27001. This research demonstrates an examination of the reasons that force enterprises to make a investment in ISO 27001 in addition to the incentives that might be acquired from having undergone this process. In addition, the research examines the reasons that push firms to make an investment in ISO 27001. More particularly, the research investigates an international IT consulting services institution that is responsible for the implementation of large-scale business assistance insertion and projects. It demonstrates the risk management framework and the administrative structure of the appropriate situations so that its procedures are adequate and also in line with the guidelines founded by ISO 27001. In conclusion, it discusses the problems and difficulties that were experienced.

environmental sciences,environmental studies,green & sustainable science & technology

Khairunnisak Nur Isnaini,Siti Alvi Solikhatin

DOI: https://doi.org/10.26555/jifo.v14i2.a14434

2020-05-09

Jurnal Informatika

Abstract:The threat of physical security can be from human factors, natural disasters, and information technology itself. Therefore, to prevent threats, we need the right tools to control current activities, evaluate potential impacts, and make appropriate plans so that business processes at X University will not be affected. This research starts by analyzing the problems that arise, followed by collecting the data needed, discussing the results, and making conclusions and recommendations that can be given. The method uses quantitative descriptive research. The research instrument uses interviews and questionnaire techniques. COBIT 5 is used as a framework for measuring the performance that is being implemented and will be achieved. Maturity models are used to measure current and future activities. The goal to be achieved is that the organization can create a physical security environment by the CIA principle (confidentiality, integrity, & availability). Positioning results are at level 3, meaning that the process is currently running in two main standard operating procedures. However, this evaluation specifically on the DSS5.5.5 subdomain (Providing Service Support-Managing physical security for IT Assets) in COBIT 5, and the results are still below the level 3 standard (Established Process), at 2.9 points. So, the right suggestion is to keep activities safe, one of which is to improve facilities and infrastructure, one of which is the use of biometric control in data center management rooms or other rooms with limited access.

Rúsbel Domínguez-Domínguez,Omar A. Flores-Laguna,Jair del Valle-López

2023-06-20

Abstract:The purpose of this research was to know the degree of administrative knowledge, the degree of training of human resources, the degree of commitment of administrators and the degree of effectiveness of the administration for information security risk based on ISO/IEC 27001.The population consisted of 81 subjects (66 administrators and 15 ITD personnel). Those evaluated were employers of the administrative office of the university and also staff of the Information Technology Department (ITD). To make the comparisons, three groups of managers were formed according to classifications of administrative staff, the classification was as follows: (a) first-line manager, (b) middle management and (c) top management. About the results, it can be corroborated that administrative staff with a lower rank have more problems in making the best decisions in relation to the implementation of an ISMS, it should be noted that the first-line manager is the one who has more contact with the students and is the one who is less involved in the implementation of an ISMS. It can also be inferred that the institutionś planners are not fully trained in the institutionś information security efforts. This in turn prevents the generation of proposals for initiatives to implement an ISMS. With this shortcoming, it is possible that security breaches could be generated.

Cryptography and Security,Methodology

Francis Anderson Kojongian,Mewati Ayub

DOI: https://doi.org/10.28932/jutisi.v7i1.3434

2021-04-24

Jurnal Teknik Informatika dan Sistem Informasi

Abstract:In order to achieve the company goals, in Universitas Kristen Maranatha, Information system becomes the main tool and Information Technology infrastructure become the backbone in running the company business model, along with the increasing of portfolio application, number of Information Technology services and the amount of human resources. Universitas Kristen Maranatha requires an international standard instrument to measure several domains, both Manage and Operation domains, holistically. By implementing frameworks such as COBIT 5 or COBIT 5 for IT RISK, ISO 31000: 2018, the company is able to measure planning effectiveness, strategic policies implementation, IT service management measured by Service Level Agreement, monitoring and evaluation. In this research, there are 7 domains implemented as follows: EDM01-Ensure Governance Framework Setting and Maintenance, EDM03- Ensure Risk Optimization, AP002- Manage Strategy, APO09- Manage Service Agreements, AP012-Manage Risk, BAI01-Manage Programmes and Projects, BAI05- Manage Organizational Change Enablement.

English Else

Samuel Cris Ayo,Bonaventure Ngala,Olasunkanmi Amzat,Robin Lal Khoshi,Samarappulige Isuru Madusanka

DOI: https://doi.org/10.48550/arXiv.1812.04659

2018-12-12

Abstract:Owing to recorded incidents of Information technology inclined organisations failing to respond effectively to threat incidents, this project outlines the benefits of conducting a comprehensive risk assessment which would aid proficiency in responding to potential threats. The ultimate goal is primarily to identify, quantify and control the key threats that are detrimental to achieving business objectives. This project carries out a detailed risk assessment for a case study organisation. It includes a comprehensive literature review analysing several professional views on pressing issues in Information security. In the risk register, five prominent assets were identified in respect to their owners. The work is followed by a qualitative analysis methodology to determine the magnitude of the potential threats and vulnerabilities. Collating these parameters enabled the valuation of individual risk per asset, per threat and vulnerability. Evaluating a risk appetite aided in prioritising and determining acceptable risks. From the analysis, it was deduced that human being posed the greatest Information security risk through intentional/ unintentional human error. In conclusion, effective control techniques based on defence in-depth were devised to mitigate the impact of the identified risks from risk register.

Computers and Society,Cryptography and Security

Alva Hendi Muhammad,Joko Dwi Santoso,Ananda Fikri Akbar

DOI: https://doi.org/10.11591/ijeecs.v31.i1.pp271-280

2023-07-01

Indonesian Journal of Electrical Engineering and Computer Science

Abstract:In recent years, cyber security has become an increasingly important aspect of the decision-making process of corporations. It is essential to make investments in cybersecurity at this point to guard against the frequent disruption of business operations posed by cyberattacks. In the context of small and medium-sized organizations, this study recommends using a multicriteria decision-making technique to evaluate information security aspects. The information security index is derived as the foundation for every one of these features. The best-worst method is carried out to establish the best and worst possible security investments. In order to validate these findings, a survey was distributed to a variety of professionals and business decisionmakers. The criteria for selection are laid forth in the form of categories labeled technology and organization, respectively. The findings are presented in a rating system with three tiers, with the highest level representing the absolute best of the results. In the final section of the study, we will examine potential future possibilities for research and policy.

Fathoni,Novita Simbolon,Dinna Yunika Hardiyanti

DOI: https://doi.org/10.1088/1742-6596/1196/1/012033

2019-03-01

Journal of Physics: Conference Series

Abstract:Stakeholders in a company have a right knowing about optimizing information security management. It can affect a company's performances and reputation. Information is the biggest business driver in an organization or company. This research aims to measure the capability of the company which is implemented information security governance that impacts on enterprise risk. The Loan Debit Network Corporation system is the main system that supports the company's business process for corporate lending transactions management. The capability level measurement is based on COBIT 5.0 for Information security and ISO 27001: 2013 Guidelines as a value against the Information Security Governance component rating. It starts with aligning organizational goals from COBIT 5.0 perspectives to obtain five COBIT 5.0 IT processes. The current capability is at level 2.5. Improvement recommendation from level 2.8 to level 3 refers to best practice recommended by COBIT 5.0 for Information Security.

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P. Syam

DOI: https://doi.org/10.48550/arXiv.1203.6214

2012-03-28

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security

Putra Pamungkas Sukmana,Titan Parama Yoga,Chairul Habibi

DOI: https://doi.org/10.32627/aims.v6i2.816

2023-09-18

Jurnal Accounting Information System (AIMS)

Abstract:This research was conducted to know, analyze, and audit on information system risk management on Digo.id website. The framework used in this audit research is COBIT 5 and ISO 31000, using qualitative descriptive research methods, these methods are used to obtain results that can be a clear picture of how Risk Management is implemented by the company. The results showed that the Existing Capability is at level 1, while the Capability Target is at level 3 so the final result of this audit is that the company still has 2 Capability GAPs to achieve the Capability Target.

Jamaliah Said,Mohamad Azizal bin Abd Aziz1,Md. Mahmudul Alam

DOI: https://doi.org/10.31235/osf.io/y4zfa

2019-02-28

Abstract:This study is an attempt to assess the status of current practices of internal control system among different service schemes of public sector in Malaysia. This study collected primary data based on a set of questionnaire survey among the head of department of 109 departments and agencies under 24 federal ministries including the Prime Minister Department in Malaysia. The data were collected based on the opinion about ten factors of internal control practices in the department or agency by using seven-point Likert scale. The data are analysed under descriptive statistics and factor analysis. Further, the reliability of the data is tested by using Cronbach alpha test, and the validity of data is tested by checking the normality of data through Shapiro Wilk test and graphically. Overall, 86.2% of the respondents mentioned that they practice internal control system in their department. However, the priority of these ten factors of internal control differs among the services schemes. Overall the internal control system of the financial schemes group is strong, but their emphasis on the documentation is at the average level only. However, the internal control in the engineering, information system, education and medical & health schemes are below the overall average internal control score. The public sector in Malaysia needs to focuses more on internal control and its proper assessment system to become a reliable and efficient sector.

I Putu Agus Raditya Pramita,Gede Indrawan,Komang Setemen

DOI: https://doi.org/10.31763/businta.v7i2.639

2023-11-27

Bulletin of Social Informatics Theory and Application

Abstract:A hospital's operations, such as patient registration, medical management, financial management, and upgrading the services offered in the hospital, are managed and organized using an application system called a hospital management information system (HMIS). Because the lack of evaluation in the usage of HMIS has led to insufficient security in the HMIS, this research focuses on Saraswati Dental and Oral Hospital as the research site. Due to lax security measures, confidential data is readily accessible. The prevalence of duplicate data entry is an issue, and the success of HMIS performance implementation is still unknown. The COBIT 5 framework has been used to administer the HMIS at Saraswati Dental and Oral Hospital using the MEA (Monitor, Evaluate, Assess) and BAI (Build, Acquire, Implement) domains in response to these problems. This decision was made with the intention of aligning the application with the necessary features, monitoring system security, evaluating, and assessing the domain's alignment with the hospital's strategy in order to ascertain whether the current system still achieves the intended goals and maintains the controls required to satisfy the requirements. This study makes use of questionnaire, observation, and interview techniques. The capacity levels used in the COBIT 5 study were taken from ISO/IEC 15504-2-2003, and they were combined using straightforward mathematical calculations in accordance with the rules for computing capability values. Weaknesses or flaws in the security system that need to be fixed can be found by analyzing the capability levels in the MEA and BAI domains. The study's findings include suggestions for increasing the security system, which will enhance Saraswati Dental and Oral Hospital's HMIS performance and give users and patients with more beneficial outcomes

Yiyang Jia,Hanyan Wu,Dongxing Jiang

DOI: https://doi.org/10.1109/CyberC.2015.47

2015-01-01

Abstract:Security situation assessment is an effective way to analyze the situation of an information system, which helps administrator understand the current system risk status and make policy to response in time. However, the existing researches for security situation assessment mostly focus on network. The proposed methods for network are not so suitable for information systems. This paper proposes a hierarchical security situation analysis framework for information system, based on a classical NSSA [1] (network security situation analysis) model. The framework provides a standard flow for analyzing the security situation of information system. It consists a security situation analysis model of information system, an index system used in the model proposed, and a quantitative index fusion method to calculate a security situational value. We divided information system into 3 levels: sub-system level, composition level and index level. The collected information from the index level can be combined with grey model to determine the correlation degree between each major index and secondary index. Finally we calculate the whole system security situational value level by level. We use data from Tsinghua University information system to verify the proposed model and method. The result shows that this model can reflect the current security situation of information system comprehensively.