Information security risk maturity of IT services using the NIST approach and the ISO 27001:2013 standard (Case study: Bapenda of Central Java Province)
DOI: https://doi.org/10.24246/aiti.v21i2.210-229
Keywords: maturity level, NIST, ISO-IEC 27001:2013, risk, IT
Abstract
The application of Information Technology (IT) often carries risks, such as incorrect application processes, data theft and data corruption. As the risk grows, greater control is needed, so it is necessary to check whether the running system is equipped with adequate controls. The Regional Revenue Management Agency (BAPENDA) of Central Java Province has used IT in its activities. The absence of adequate information security standards leaves data and information less secure in terms of confidentiality, integrity and availability. The aim of this research is to measure KAMI risk maturity by conducting an IT assessment of the systems managed by BAPENDA, for example the vehicle tax payment service application, the Android application (New Sakpole), and the IT infrastructure. The KAMI Maturity Level results at BAPENDA were: security policy clauses 0.76, KAMI organization 1.24, asset classification and control 0.63, personnel security 1.12, KAMI incident management 1.21, business continuity management 0.51, physical and environmental security 1.61, system development and maintenance 2.94, access control 4.18, communications and operations management 4.58, and compliance 2.07. Mapping asset identification to NIST-CSF identified several asset classes: hardware, software, employees, and information/data. The results show that BAPENDA's assets carry a high (High) risk under Risk Avoidance, so they require mitigation using NIST controls and the ISO-IEC 27001:2013 Annex.
License
Copyright (c) 2024 AITI
This work is licensed under a Creative Commons Attribution 4.0 International License.
All articles published in AITI: Jurnal Teknologi Informasi are licensed under a Creative Commons Attribution 4.0 International License.