Fitri Wijayanti,Dana Indra Sensuse,Arief Anthadi Putera,Andy Syahrizal

DOI: https://doi.org/10.1109/ic2ie50715.2020.9274574

2020-09-15

Abstract:The DRC of the Ministry XYZ has suffered from a system breach. The DRC's problem will lead to a lack of system information security, availability, and an increasing threat to the whole system of Ministry XYZ. In 2019, the KAMI Index assessment of the Ministry XYZ stated that the level of maturity and completeness of the application of ISO 27001 standards of the XYZ Ministry were at the level of fulfillment of the basic framework. There is a gap between the assessment result and the operational problem within the DRC of Ministry XYZ due to the lack of an information security management system. Therefore, this study conducts the same KAMI Index assessment within the scope of the DRC only and aims to offer a recommendation based on ISO 27001 as the basis of the KAMI Index assessment. This study used discussion, observation, and KAMI Index assessment tools for collecting data and analyze the result. The assessment result of the DRC showed that the maturity level of the ISO 27001 standard on the DRC is on the application of the basic framework. The suggested recommendations to improve the information security management system of the DRC were mostly in the aspect of the information security framework and assets management.

Kanika Duggal,Seunghwan Myeong

DOI: https://doi.org/10.3390/su16209058

IF: 3.9

2024-10-20

Sustainability

Abstract:The extensive focus on information technology (IT) within organizations, along with the substantial significance of information security issues, has made information security a top priority for executives. The International Organization for Standardization 27001 (ISO-27001) policy outlines the requirements for an effective Information Security Management System (ISMS). Implementing an ISMS not only enhances the overall profitability of a firm, but it also has a significant impact in various scenarios. In this study, we examined how ISMS implementation can assist corporations financially, with a specific focus on the moderating effect of Indian national culture. We analyzed financial performance following ISMS and ISO-27001 implementation using sample data from 420 Indian small and medium-sized enterprises (SMEs). By analyzing 256 survey questionnaires from 420 SMEs, we found that national culture amplifies the strong interaction between ISMS implementation and SME performance in India. We found that ISMS implementation increased the profitability of recognized Indian firms, supporting study hypotheses. The findings provide valuable insights for SMEs seeking to enhance financial performance through ISMS implementation, emphasizing the moderating role of national culture in shaping these outcomes.

environmental sciences,environmental studies,green & sustainable science & technology

Risma Lukitowati,Kalamullah Ramli

DOI: https://doi.org/10.1166/jctn.2020.8823

2020-02-01

Journal of Computational and Theoretical Nanoscience

Abstract:The main purpose of information security is maintaining information assets that are owned by an organization, such as confidentiality, integrity, and availability (known as CIA). In maintaining information assets, a company usually manages information security by making and implementing an Information Security Management System (ISMS) policy. A widely used and applied ISMS policy in Indonesia is ISO/IEC 27001 (International Organization for Standardization/International Electrotechnical Commission). Indonesian telecommunications company PT ABC has implemented the ISO/IEC 27001:2013 standards and procedures. The company conducts an audit once a year to maintain the level of compliance with ISO/IEC 27001:2013. However, only a few people are involved in conducting audits, and it is still unknown how many employees are aware of the company’s information security. This research focused on assessing how much information security awareness exists within PT ABC. Questionnaires were distributed in two departments of the company: supply chain management and service delivery of the Jakarta operations network. This research also examined company documents and surveillance audits in 2018. The employees were grouped based on their length of employment. The results of the questionnaires, with an error margin of 6%, were further compared with the results of the surveillance audit. Our data show that most employees who have worked at the company for more than six years understood and implemented ISO 27001 controls. Meanwhile, companies still need to socialize ISO to employees who have worked at the company for just one to two years.

Adi Firman Ramadhan,Farzana Parveen Tajudeen,Noor Ismawati Jaafar

DOI: https://doi.org/10.1016/j.procs.2024.03.116

2024-05-01

Procedia Computer Science

Abstract:Data governance is crucial for organizations as it recognizes the value of data as an asset. This study focuses on identifying factors that influence the implementation of data governance in Indonesian public higher education institutions. Contingency theory serves as the theoretical lens of this study, and qualitative research methodology is employed. Findings reveal that both internal and external factors impact data governance implementation in universities. Future research should involve more participants to gain comprehensive insights, and exploring the impact of data governance implementation within university settings would provide valuable insights.

Rúsbel Domínguez Domínguez,Omar A. Flores Laguna,José A. Sánchez-Valdez

DOI: https://doi.org/10.48550/arXiv.2306.07367

2023-06-12

Cryptography and Security

Abstract:This research shows the analysis of multiple factors that inhibit the implementation of an Information Security Management System (ISMS). The research data were collected from 143 respondents from two universities in northeastern Mexico, in faculties of engineering in related areas. In this study, the Information Security Management System Measurement Instrument (IM-ISMS) was validated. A scale of 24 items was obtained, divided into four factors: organizational policies and regulations, privacy, integrity and authenticity. The results of this study agree with the results found by [10] in which they pre-sent a model that complies with ISO/IEC 27002:2013 controls and security and privacy criteria to improve the ISMS. [48], Mentioned that the implementation of controls based on ISO standards can meet the requirements for cybersecurity best practices.A scale of 24 items was obtained, divided into four factors: organizational policies and regulations, privacy, integrity and authenticity. This version of the instrument meets the criteria established for its validity (KMO, Bartlett's test of sphericity). An extraction was performed by the minimum residuals method, an oblique rotation was performed by the promax method, when performing the rotation 17 of the 24 items were grouped in the corresponding factor. The final reliability of the scale was calculated by the Omega coefficient, in all the dimensions the coefficients were greater than .70, therefore the re-liability of the instrument is good.

Rúsbel Domínguez-Domínguez,Omar A. Flores-Laguna,Jair del Valle-López

2023-06-20

Abstract:The purpose of this research was to know the degree of administrative knowledge, the degree of training of human resources, the degree of commitment of administrators and the degree of effectiveness of the administration for information security risk based on ISO/IEC 27001.The population consisted of 81 subjects (66 administrators and 15 ITD personnel). Those evaluated were employers of the administrative office of the university and also staff of the Information Technology Department (ITD). To make the comparisons, three groups of managers were formed according to classifications of administrative staff, the classification was as follows: (a) first-line manager, (b) middle management and (c) top management. About the results, it can be corroborated that administrative staff with a lower rank have more problems in making the best decisions in relation to the implementation of an ISMS, it should be noted that the first-line manager is the one who has more contact with the students and is the one who is less involved in the implementation of an ISMS. It can also be inferred that the institutionś planners are not fully trained in the institutionś information security efforts. This in turn prevents the generation of proposals for initiatives to implement an ISMS. With this shortcoming, it is possible that security breaches could be generated.

Cryptography and Security,Methodology

Khairunnisak Nur Isnaini,Siti Alvi Solikhatin

DOI: https://doi.org/10.26555/jifo.v14i2.a14434

2020-05-09

Jurnal Informatika

Abstract:The threat of physical security can be from human factors, natural disasters, and information technology itself. Therefore, to prevent threats, we need the right tools to control current activities, evaluate potential impacts, and make appropriate plans so that business processes at X University will not be affected. This research starts by analyzing the problems that arise, followed by collecting the data needed, discussing the results, and making conclusions and recommendations that can be given. The method uses quantitative descriptive research. The research instrument uses interviews and questionnaire techniques. COBIT 5 is used as a framework for measuring the performance that is being implemented and will be achieved. Maturity models are used to measure current and future activities. The goal to be achieved is that the organization can create a physical security environment by the CIA principle (confidentiality, integrity, & availability). Positioning results are at level 3, meaning that the process is currently running in two main standard operating procedures. However, this evaluation specifically on the DSS5.5.5 subdomain (Providing Service Support-Managing physical security for IT Assets) in COBIT 5, and the results are still below the level 3 standard (Established Process), at 2.9 points. So, the right suggestion is to keep activities safe, one of which is to improve facilities and infrastructure, one of which is the use of biometric control in data center management rooms or other rooms with limited access.

I Putu Agus Raditya Pramita,Gede Indrawan,Komang Setemen

DOI: https://doi.org/10.31763/businta.v7i2.639

2023-11-27

Bulletin of Social Informatics Theory and Application

Abstract:A hospital's operations, such as patient registration, medical management, financial management, and upgrading the services offered in the hospital, are managed and organized using an application system called a hospital management information system (HMIS). Because the lack of evaluation in the usage of HMIS has led to insufficient security in the HMIS, this research focuses on Saraswati Dental and Oral Hospital as the research site. Due to lax security measures, confidential data is readily accessible. The prevalence of duplicate data entry is an issue, and the success of HMIS performance implementation is still unknown. The COBIT 5 framework has been used to administer the HMIS at Saraswati Dental and Oral Hospital using the MEA (Monitor, Evaluate, Assess) and BAI (Build, Acquire, Implement) domains in response to these problems. This decision was made with the intention of aligning the application with the necessary features, monitoring system security, evaluating, and assessing the domain's alignment with the hospital's strategy in order to ascertain whether the current system still achieves the intended goals and maintains the controls required to satisfy the requirements. This study makes use of questionnaire, observation, and interview techniques. The capacity levels used in the COBIT 5 study were taken from ISO/IEC 15504-2-2003, and they were combined using straightforward mathematical calculations in accordance with the rules for computing capability values. Weaknesses or flaws in the security system that need to be fixed can be found by analyzing the capability levels in the MEA and BAI domains. The study's findings include suggestions for increasing the security system, which will enhance Saraswati Dental and Oral Hospital's HMIS performance and give users and patients with more beneficial outcomes

Farah Dila,Henry Eryanto,Suherdi

DOI: https://doi.org/10.21009/isc-beam.012.153

2024-09-16

Abstract:This study examines the implementation of the ISO 9001: 2015 Quality Management System at PT X, a construction consulting services company in Indonesia which has research objectives to find out and analyze the implementation process, supporting and inhibiting factors, and solutions to overcome obstacles in the implementation of the Quality Management System at the company. This research uses a qualitative research design and case study approach, using data collection techniques in the form of observation, interviews, and documentation. The results of this study found that the implementation of the ISO 9001: 2015 Quality Management System at PT X is influenced by several supporting and inhibiting factors, which are supported by the commitment and policies of top management, awareness of employees, company culture that emphasizes the importance of quality improvement, digitalization of infrastructure that is quite capable, and standardization of well-documented procedures. The inhibiting factors are the lack of human resources and inconsistency and not overall understanding and awareness of the importance of implementing a Quality Management System. This research is expected to be one of the input materials used for useful improvements to overcome obstacles in order to improve the quality and quality of the company in the future.

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan

DOI: https://doi.org/10.48550/arXiv.1203.6622

2012-03-29

Abstract:Security is a hot issue to be discussed, ranging from business activities, correspondence, banking and financial activities; it requires prudence and high precision. Since information security has a very important role in supporting activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter, more structured, high precision and measured forecasting.

Cryptography and Security,Software Engineering

Kitsios,Chatzidimitriou,Kamariotou

DOI: https://doi.org/10.3390/su15075828

IF: 3.9

2023-03-28

Sustainability

Abstract:In order to handle their regulatory and legal responsibilities and to retain trustworthy strategic partnerships, enterprises need to be dedicated to guaranteeing the privacy, accessibility, and authenticity of the data at their disposal. Companies can become more resilient in the face of information security threats and cyberattacks by effectively integrating security strategies. The goal of this article is to describe a plan that a corporation has implemented in the information technology industry in order to ensure compliance with International Organization for Standardization (ISO) 27001. This research demonstrates an examination of the reasons that force enterprises to make a investment in ISO 27001 in addition to the incentives that might be acquired from having undergone this process. In addition, the research examines the reasons that push firms to make an investment in ISO 27001. More particularly, the research investigates an international IT consulting services institution that is responsible for the implementation of large-scale business assistance insertion and projects. It demonstrates the risk management framework and the administrative structure of the appropriate situations so that its procedures are adequate and also in line with the guidelines founded by ISO 27001. In conclusion, it discusses the problems and difficulties that were experienced.

environmental sciences,environmental studies,green & sustainable science & technology

Ananda E S Setyadji,Arief R R Putrananda,Daffa H Permadi,Rais I Nustara,Reyhan B Pratama,Tegar A Masyhuda,Eva Hariyanti

DOI: https://doi.org/10.33387/jiko.v6i2.6182

2023-08-06

JIKO (Jurnal Informatika dan Komputer)

Abstract:Information Technology Governance is currently widely implemented in companies. One of the domains that can be of concern is risk management. The application of TKTI in this domain can help companies identify, evaluate, reduce, and manage risks related to their business to achieve company goals better. In this case, three frameworks can be considered, including NIST, ISO 27001, and Octave, but implementing these frameworks only sometimes goes as planned. This study aims to identify the factors that cause the ineffectiveness of implementing Information Technology Governance (ITG) in the risk management domain using the NIST, ISO 27001, and Octave frameworks. Through an analysis of existing literature and data processing, this study found that factors such as lack of understanding of the framework, lack of adequate resources, and implementation challenges play an essential role in ineffectiveness. This study concludes by providing valuable insights for organizations seeking to strengthen their risk management capabilities.

Alan Gillies

DOI: https://doi.org/10.1108/17542731111139455

2011-06-14

The TQM Journal

Abstract:Purpose The ISO27001 standard provides a model for “establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS)”. This paper seeks to consider the global adoption of the ISO27000 series of standards, and to compare them with the adoption rates for ISO9000 and ISO14000. The paper aims to compare the barriers to adoption for the different standards. Design/methodology/approach Previous studies suggest that ISO27001 adoption is slower than for the other standards. The uptake of ISO27001 has been slower than the related management system standards ISO9001 and ISO14001, with approximately half the certifications compared with ISO14001. In response to the issues raised in this analysis, the paper considers how an approach based on a maturity model can be used to help overcome these barriers, especially in smaller companies. Findings The 2008 survey of ISO27001‐certificated companies found that 50 per cent of the certificated organisations which responded had fewer than 200 employees, and were therefore in the SME category. Perhaps more surprisingly, around half of these had fewer than 50 employees The framework has used the ISO27002 code of practice to define the elements, which should be considered within the ISMS. Each element is then developed through a maturity model lifecycle to develop processes to the point where an ISO27001‐compliant ISMS can be implemented. Originality/value The principal contribution of the paper is a step‐by‐step framework designed to simplify the process for organisations working towards ISO27001 and offer significant benefits at milestones before systems are mature enough to achieve certification.

Puspita Kencana Sari,Putu Wuri Handayani,Achmad Nizar Hidayanto

DOI: https://doi.org/10.2196/49439

2023-08-24

Abstract:Background: The health information system (HIS) functions are getting wider with more diverse users. Information security in the health industry is crucial because it involves comprehensive and strategic information that might harm human life. The human factor is one of the biggest security threats to HIS. Objective: This study aims to investigate the information security behavior (ISB) of HIS users using a comprehensive assessment scale suited to the information security concerns in health care. Patients are increasingly being asked to submit their own data into HIS systems. As a result, this study examines the security behavior of health workers and patients, as well as their demographic variables. Methods: We used a quantitative approach using surveys of health workers and patients. We created a research instrument from 4 existing measurement scales to measure prosecurity and antisecurity behavior. We analyzed statistical differences to test the hypotheses, that is, the Kruskal-Wallis test and the Mann-Whitney test. The descriptive analysis was used to determine whether the group exhibited exemplary behavior when processing the survey results. A correlational test using the Spearman correlation coefficient was performed to establish the significance of the relationship between ISB and age as well as level of education. Results: We analyzed 421 responses from the survey. According to demographic factors, the hypotheses tested for full and partial security behavior reveal substantial differences. Education levels most significantly affect security behavior differences, followed by user type, gender, and age. The health workers' ISB is higher than that of the patients. Women are more likely than men to engage in prosecurity actions while avoiding antisecurity behaviors. The older the HIS user, the more likely it is that they will participate in prosecurity behavior and the less probable it is that they will engage in antisecurity behavior. According to this study, differences in prosecurity behavior are mostly impacted by education level. Higher education, on the other hand, does not guarantee improved ISB for HIS users. All demographic characteristics, particularly concerning user type, show discrepancies that are caused mainly by antisecurity behavior rather than prosecurity behavior. Conclusions: Since patients engage in antisecurity behavior more frequently than health workers and may pose security risks, health care facilities should start to consider information security education for patients. More comprehensive research on ISB in health care facilities is required to better understand the patient's perspective, which is currently understudied.

Amin Maruf Nuris,Aditya Maharani,Renanda Nia Rachmadita

DOI: https://doi.org/10.25170/metris.v22i02.2800

2022-02-10

Jurnal METRIS

Abstract:PT. Duta Media Cipta (DMC) is a control system and IT company based in the city of Surabaya, this company focuses on procurement, maintenance and repair services for ship equipment, both mechanical and electrical. As an information technology company, PT. DMC is committed to being a trusted IT and control system company. In working on the project, PT. DMC has not implemented risk management for every software development project it has worked on. Some of the risks that are often faced in working on software projects at PT. DMC are project risks such as technical, cost, and project scheduling which are sometimes not in accordance with the established plan and cause cost and time losses to the company. So in this study using ISO 31000 as a framework in analyzing potential risks. The application of risk assessment consists of 3 stages, namely risk identification, risk analysis, and risk evaluation. The results of this study found that there are 4 risks with 26 sub-risks, of which there are 6 sub-risks that are prioritized and require risk management.

Akhyari Nasir,Ruzaini Abdullah Arshah,Mohd Rashid Ab Hamid,Syahrul Fahmy,,,,

DOI: https://doi.org/10.30880/ijie.2022.14.03.017

2022-06-20

International Journal of Integrated Engineering

Abstract:This paper examines the factors determining a positive Information Security Culture (ISC) concept and the influence of ISC towards ISP compliance intention (INT) between IT and non-IT professionals in Malaysian public universities. Partial least square structural equation modelling, using PLS MGA, is used to assess the measurement and structural models, and to compare the results between the two groups. Results indicate all factors have significant contribution towards ISC in both groups, with two out of seven ISC factors have significant differences. This study has revealed that although both groups have the same ISC factors, IT and non-IT professionals have significant difference in terms of believe that Top Management Commitment and Information Security Knowledge are required for implementing apositive ISC. In addition, there is a significant difference between these two groups in terms of the influence of ISC towards ISP compliance intention. ISC has less influence towards INT for Non-IT professionals compared to IT professionals within the same ISC. These empirical findings would benefit in formulating better security strategies by providing appropriate efforts for different groups of employees in the organizations. This study also provides a total cyber security solution for improving information security culture and employees’ compliance towards Information Security Policy.

Joshua Nterful,Ibrahim Osman Adam,Muftawu Dzang Alhassan,Abdallah Abdul-Salam,Abubakar Gbambegu Umar

DOI: https://doi.org/10.1108/ics-11-2022-0174

2024-03-01

Information and Computer Security

Abstract:Purpose This paper aims to identify the critical success factors in improving information security in Ghanaian firms. Design/methodology/approach Through an exploratory study of both public and private Ghanaian organizations. The study relied on a research model based on the technology–organization–environment (TOE) framework and a survey instrument to collect data from 525 employees. The data was analyzed using partial least squares-structural equation modeling (PLS-SEM). Findings The findings confirm the role of the technological, organizational and environmental contexts as significant determinants in the implementation of information security in Ghanaian organizations. Results from PLS-SEM analysis demonstrated a positive correlation between the technology component of information security initiative, organization's internal efforts toward its acceptance and a successful implementation of information security in Ghanaian firms. Top management support and fund allocation among others will result in positive information security initiatives and positive attitudes toward securing the organization's information assets. Research limitations/implications The authors discussed the implications of the authors' findings for research, practice and policy. Social implications The results of this study will be useful for both governmental and non-governmental organizations in terms of best practices for increasing information security. Results from this study will aid organizations in developing countries to better understand their information security needs and identify the necessary procedures to address them. Originality/value This study contributes to filling the knowledge gap in organizational information security research and the TOE framework. Despite the TOE framework being one of the most influential theories in contemporary research of information system domains in an organizational context, there is not enough research linking the domains of information security and the TOE model.

Endang Kurniawan,Imam Riadi,Amin Irmawan,Arusani

DOI: https://doi.org/10.48550/arXiv.2204.09511

2022-04-17

Abstract:This study aims to information security in academic information systems to provide recommendations for improvements in information security management by the expected maturity level based on ISO/IEC 27002:2013. By using a qualitative descriptive approach, data collection and validation techniques with triangulation techniques are interviews, observation, and documentation. The data were analyzed by using gap analysis and to measure the maturity level determined 15 objective control and 45 security controls scattered in 5 clauses, the result of the research found that the performance of academic information system maturity level at level 2. That is, the current level of maturity is below the expected maturity level, so it needs to be increased to the expected level.

Cryptography and Security

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Bakri Caco,Hamsu Abdul Gani,Rifdan

DOI: https://doi.org/10.9734/ajess/2024/v50i21268

2024-01-29

Asian Journal of Education and Social Studies

Abstract:Introduction One of the essential characteristics of the era of globalization is the high level of competition that covers almost all lifelines, including in the world of science and technology. The development of science and technology is the basis and spearhead of the development of global information that heats the birth of a global culture that impacts changing patterns of human behavior. This study aims to analyze the strategy for implementing ISO 21001:2018-based service quality management standards at SMK Telkom Makassar. This research method uses a qualitative or naturalistic approach because it is carried out in natural conditions. Data analysis using qualitative analysis models; data collection, condensation, presentation, and conclusions. The result is that the implications of the implementation of SM2P2 based on ISO 9001: 2015 at SMK Telkom Makassar with three indicators: education equity, improving the quality of education, and expanding access to education. The conclusion is that efforts to improve the quality of education are closely related to the development of the competence of educators and education personnel, bureaucratic services, and school autonomy through the optimization of School-Based Management, accountability, and school image that can be accounted to the community. Therefore, the supervision factor needs attention as it should be.

English Else