Seminar on Academic Writing for International Publication and Presentation – Pusat Pengembangan Bahasa UIN Suska Riau
Analyzing security risk of information technology assets using BS ISO 27001
Angraini, S.Kom, M.Eng
Email: [email protected]
Department of Information System
Faculty of Science and Technology
State Islamic University of Sultan Syarif Kasim Riau (UIN Suska Riau)
Security news
9 April 2016: a customer's credit card was abused after shopping online at Lazada.
Cause: the user did not log out of the browser session.
2 August 2016: a hacker sold 200 million Yahoo email accounts for 23 million rupiah.
Cause: weak user passwords.
Source: www.inet.detik.com
Introduction
Organizations lose crucial information when they do not pay attention to information security.
Willcocks & Lester (1996): the use of information technology has become essential to good business performance.
McIlwrath (2006): losing information costs businesses two to three percent of annual profit.
Security incidents in Indonesia (pie chart)
Categories: spam, IPR (Intellectual Property Right), spam complaint, network incident (deface, DDoS attack, etc.), spoofing/phishing, malware.
Shares shown on the chart: 42.92%, 31.52%, 11.07%, 7.70%, 3.87%, 2.92% (the slide extraction does not preserve which share belongs to which category).
Purpose of the research
Identify the risks found in the information technology assets of organizations that use information technology.
Determine the security management of information technology assets that has already been applied.
Information security risk research
Andric (2007) & Furnell (2006): countering threats so that information remains secure.
Ernawati, Suhardi, & Nugroho (2012): assessment of an IT risk management framework based on ISO 31000.
Khrisna & Computing (2014): risk management for cloud computing integrated with COBIT.
Carcary (2012): assessment of risk management from a capability maturity perspective.
Methodology: Data collection
Survey with questionnaire
- Survey conducted at the computer center of UIN Suska
- Respondents were employees of the UIN Suska computer center
Document collection
- Risk register
- Information security plan
- Log book of computer use from all divisions of the organization
Network analysis of the organization's network traffic
Methodology: Data analysis
1. Asset identification
2. Asset value calculation (network, server)
3. Business impact analysis (BIA)
4. Identification of the level of risk
5. Control of risk
Value of information technology assets
Asset value is the sum of the confidentiality, integrity and availability scores.

Asset                          Confidentiality  Integrity  Availability  Asset value
PC                             2                2          2             6
Server                         3                2          2             7
Network                        2                2          2             6
Academic information system    2                2          2             6
Data user                      3                2          2             7
Risk value (bar chart: asset value, threat value, BIA and risk value per asset)
Values read from the chart data labels; in every row the risk value equals asset value x threat value x BIA.

Asset                          Asset value  Threat value  BIA   Risk value
PC                             6            1             0.1   0.6
Server                         7            4             0.1   2.8
Network                        6            4             0.1   2.4
Academic information system    6            3             0.2   3.6
Level of risk

No  Asset                          Risk value  Level of risk
1   PC                             0.6         Low
2   Server                         2.8         Medium
3   Network                        2.4         Medium
4   Academic information system    3.6         High
5   Data user                      5.25        High
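The scoring in the three tables above (asset value as the sum of the C, I and A scores, risk value as asset value x threat value x BIA, and a Low/Medium/High label per asset) can be reproduced in a few lines. The following is an added example written for this page, not code from the paper or from UIN Suska; the scores are copied from the slides, but the Low/Medium/High cut-offs (below 2.0 is Low, 2.0 to below 3.0 is Medium, 3.0 and above is High) are an assumption chosen so that the labels match the level-of-risk table, since the slides do not state them. The `Data user` row is left out of the computed register because the chart does not give its threat value and BIA; its published risk value of 5.25 is only classified.

```python
from dataclasses import dataclass

# Assumed CIA scoring scale (the slides only use scores 2 and 3).
SCORE_MIN, SCORE_MAX = 1, 3

# Assumed risk-level thresholds; not stated on the slides, chosen to reproduce
# the Low/Medium/High labels of the level-of-risk table.
LOW_MAX = 2.0      # risk value below this is Low
MEDIUM_MAX = 3.0   # risk value below this (and >= LOW_MAX) is Medium, else High


@dataclass(frozen=True)
class Asset:
    """One row of the asset-value table plus the threat value and BIA."""
    name: str
    confidentiality: int
    integrity: int
    availability: int
    threat_value: float
    bia: float

    def __post_init__(self) -> None:
        for score in (self.confidentiality, self.integrity, self.availability):
            if not SCORE_MIN <= score <= SCORE_MAX:
                raise ValueError(f"{self.name}: CIA score {score} outside {SCORE_MIN}..{SCORE_MAX}")
        if self.threat_value < 0 or not 0.0 <= self.bia <= 1.0:
            raise ValueError(f"{self.name}: threat value must be >= 0 and BIA in 0..1")

    def asset_value(self) -> int:
        # Asset value = C + I + A, as in the asset-value table.
        return self.confidentiality + self.integrity + self.availability

    def risk_value(self) -> float:
        # Risk value = asset value x threat value x BIA, as in the risk-value chart.
        return round(self.asset_value() * self.threat_value * self.bia, 2)


def risk_level(risk: float) -> str:
    """Map a risk value onto the Low/Medium/High scale (thresholds assumed)."""
    if risk < LOW_MAX:
        return "Low"
    if risk < MEDIUM_MAX:
        return "Medium"
    return "High"


# Scores taken from the slides' tables; threat value and BIA from the chart labels.
ASSETS = [
    Asset("PC", 2, 2, 2, threat_value=1, bia=0.1),
    Asset("Server", 3, 2, 2, threat_value=4, bia=0.1),
    Asset("Network", 2, 2, 2, threat_value=4, bia=0.1),
    Asset("Academic information system", 2, 2, 2, threat_value=3, bia=0.2),
]


def risk_register(assets: list[Asset]) -> list[dict]:
    """Build the level-of-risk table, highest risk first, so treatment is prioritised."""
    rows = []
    for a in sorted(assets, key=lambda x: x.risk_value(), reverse=True):
        rows.append({
            "asset": a.name,
            "asset_value": a.asset_value(),
            "threat_value": a.threat_value,
            "bia": a.bia,
            "risk_value": a.risk_value(),
            "level": risk_level(a.risk_value()),
        })
    return rows


if __name__ == "__main__":
    print(f"{'Asset':30} {'AV':>3} {'TV':>3} {'BIA':>4} {'Risk':>5}  Level")
    for r in risk_register(ASSETS):
        print(f"{r['asset']:30} {r['asset_value']:>3} {r['threat_value']:>3} "
              f"{r['bia']:>4} {r['risk_value']:>5}  {r['level']}")
    print(f"{'Data user':30} {'':>3} {'':>3} {'':>4} {5.25:>5}  {risk_level(5.25)}")
```

Sorting the register by risk value puts the academic information system first, which is the practical output of the exercise: the assets that need risk treatment before the next review. If the organization changes the CIA scale or the cut-offs, only the constants at the top change.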
Conclusion
Threats to and vulnerabilities of information assets raise the level of risk.
Management of user data carries the highest risk level and needs information technology risk governance.
Risk governance will mitigate the threats to information security.
References
Alshboul, A. (2010). Information Systems Security Measures and Countermeasures: Protecting Organizational Assets from Malicious Attacks. Communications of the IBIMA, 2010, 1–9.
Barnard, L., & von Solms, R. (2000). A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls. Computers & Security, 19(2), 185–194.
Furnell, S. (2006). Malicious or misinformed? Exploring a contributor to the insider threat. Computer Fraud & Security, 2006(9), 8–12.
Landoll, D. J. (2011). The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments. CRC Press.
Willcocks, L., & Lester, S. (1996). Beyond the IT productivity paradox. European Management Journal, 14(3), 279–290.