INFORMATION SECURITY RISK MANAGEMENT DESIGN OF SUPERVISION MANAGEMENT INFORMATION SYSTEM AT XYZ MINISTRY USING NIST SP 800-30
Abstract
SIMWAS is an information system at the XYZ Ministry used to manage supervisory activities and to follow up on supervisory results. SIMWAS is an important asset that supports all internal control business processes, but in practice its information security risks have not been managed properly. To address this problem, information security risk management is needed for SIMWAS. This study aims to design and analyze SIMWAS information security risk management using the NIST SP 800-30 framework. NIST SP 800-30 focuses on a particular infrastructure and its boundaries; because its purpose is a technical risk analysis of the core IT infrastructure, it is highly prescriptive, defining nine primary steps for conducting a risk assessment. The framework is used to design and analyze SIMWAS information security risks by identifying threats, vulnerabilities, impacts, and likelihoods, and by recommending controls. The SIMWAS information security risk assessment was carried out by analyzing data obtained from interviews, observations, and document reviews. The results show that SIMWAS information security has four low-level risks, eight moderate-level risks, and five high-level risks. Very low and low risk levels are acceptable according to the risk appetite of the business owner, whereas moderate, high, and very high risk levels require risk avoidance, risk transfer, or risk reduction. The XYZ Ministry needs to carry out a residual risk analysis and a cost-benefit analysis of implementing the controls in each risk scenario.
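The risk determination and acceptance decision the abstract describes can be made concrete with a small script. The following is an added example, not code from the paper or from the XYZ Ministry: it scores each scenario with the likelihood weights (0.1/0.5/1.0) and impact magnitudes (10/50/100) from the risk-level matrix of the original nine-step NIST SP 800-30 guide (where "Medium" corresponds to the abstract's "moderate"), aggregates the register by level, applies an assumed risk appetite in which only low risk is accepted, and re-scores a scenario after a control is applied to obtain the residual risk. All scenarios, controls and the risk appetite are constructed for illustration and are not the paper's data.

```python
"""Risk determination per NIST SP 800-30 (2002 nine-step edition).

Added example with constructed data; not the paper's or the ministry's code.
"""
from collections import Counter
from dataclasses import dataclass

# Likelihood weights and impact magnitudes from the NIST SP 800-30 risk-level matrix.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}

# Assumed risk appetite for this example: only low risk is accepted.
ACCEPTABLE_LEVELS = {"low"}


@dataclass(frozen=True)
class Scenario:
    """One row of a risk register: a threat exploiting a vulnerability."""
    threat: str
    vulnerability: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact magnitude (rounded to avoid float noise)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """NIST risk scale: 1-10 low, >10-50 medium, >50-100 high."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def treatment(level: str) -> str:
    """Acceptance decision against the assumed risk appetite."""
    if level in ACCEPTABLE_LEVELS:
        return "accept"
    return "treat (avoid, transfer or reduce)"


def assess(scenarios):
    """Score every scenario and attach its level and treatment decision."""
    rows = []
    for s in scenarios:
        score = risk_score(s.likelihood, s.impact)
        level = risk_level(score)
        rows.append({
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "score": score,
            "level": level,
            "treatment": treatment(level),
        })
    return rows


def summarize(rows) -> Counter:
    """Count scenarios per risk level, as reported in the abstract."""
    return Counter(r["level"] for r in rows)


def residual_level(s: Scenario, new_likelihood: str, new_impact: str) -> str:
    """Residual risk: re-score after a control changes likelihood and/or impact."""
    return risk_level(risk_score(new_likelihood, new_impact))


# Constructed sample register (hypothetical scenarios, not the paper's findings).
SAMPLE_SCENARIOS = [
    Scenario("credential theft", "single-factor login", "high", "high"),
    Scenario("SQL injection", "unvalidated search parameter", "medium", "high"),
    Scenario("data loss", "backups never restore-tested", "medium", "medium"),
    Scenario("insider disclosure", "excess role privileges", "low", "high"),
    Scenario("power outage", "no UPS in server room", "low", "low"),
]

if __name__ == "__main__":
    register = assess(SAMPLE_SCENARIOS)
    for row in register:
        print(f"{row['threat']:<20} score={row['score']:>5} "
              f"level={row['level']:<6} -> {row['treatment']}")
    print("summary:", dict(summarize(register)))
    # Residual risk if MFA reduces credential-theft likelihood to low.
    print("residual (MFA):", residual_level(SAMPLE_SCENARIOS[0], "low", "high"))
```

The register printed by the script is the input to the final two activities the abstract calls for: each row whose treatment is not "accept" needs a candidate control, its residual level from `residual_level`, and a cost-benefit comparison before the control is adopted.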
Copyright (c) 2023 Ricko Dwi Pambudi, Kalamullah Ramli
This work is licensed under a Creative Commons Attribution 4.0 International License.