DESIGN OF APPLICATION INFORMATION SECURITY SELF-ASSESSMENT USING VBA AND MSXML2.XMLHTTP CASE STUDY: DISKOMINFO KABUPATEN KAMPAR

Information security covers the issues that may threaten the accountability, reliability, trustworthiness, privacy, and authenticity of information in an agency. Data and information are exposed to considerable risk, so information security governance is important. This study evaluates information security using the Index KAMI and ISO 27001:2013, recording data in the Microsoft Excel file provided by the National Cyber and Crypto Agency (BSSN). To make it easier to conduct information security assessments and to simplify the Excel display, Visual Basic for Applications (VBA) is used as a medium for adding ISO 27001:2013, and the workbook is then connected using MSXML2.XMLHTTP. The results of the self-assessment show that the Communication, Information, and Signaling Service of Kampar Regency has a level of completeness in implementing the ISO 27001 standard at the "Inadequate" level, with a score of 151 only reaching level I+. Meanwhile, the results of the ISO 27001:2013 Annex control evaluation show that there are still clauses that have not been fulfilled. Therefore, the Communication, Informatics, and Coding Office of Kampar Regency urgently needs improvement in order to fulfill the clauses of ISO 27001:2013.

ISO 27001 is a framework for the use of information technology and the management of assets that helps organizations ensure that information security is implemented effectively [11]. The international standard ISO/IEC 27001 is used to define, implement, operate, supervise, review, maintain and improve information security management system (ISMS) policies and documents based on organizational needs. ISO/IEC 27001:2013 defines 14 Main Clauses and 114 controls [1].
An established policy requires that information security be managed. The policy is the Minister of Communication and Information Technology Regulation No. 4 of 2016 concerning Information Security Management System [12]. This regulation states that two types of guidelines can be used to secure information, namely the SNI ISO/IEC 27001 standard or the Information Security Index (KAMI) framework prepared by the National Cyber and Crypto Agency (BSSN) [13], [14].
The information security evaluation process uses the Index KAMI and ISO 27001:2013, with Microsoft Excel as the data recording tool. To make it easier to assess information security using ISO 27001:2013 in the Indeks KAMI Excel file provided by the National Cyber and Crypto Agency (BSSN), the study uses a Visual Basic for Applications (VBA) Custom UI as the medium for adding ISO 27001:2013.
Visual Basic for Applications (VBA) is a programming language created by Microsoft that can be used to enhance the capabilities of Office applications, including Microsoft Office Excel. With VBA integrated into Microsoft Excel, data can be recapitulated automatically, and the workbook is later connected using MSXML2.XMLHTTP.
Based on the background described above, this research designs an Information Security Self-Assessment application, with a case study of the Communication, Informatics, and Coding Office of Kampar Regency, using VBA custom UI and MSXML2.XMLHTTP. The aims are to determine the extent of information security readiness and maturity at the Communication, Informatics, and Coding Office of Kampar Regency for obtaining ISO 27001:2013 Certification, and to provide a number of recommendations for improving information security management based on ISO 27001:2013 that can be applied at the Communication, Informatics, and Coding Office of Kampar Regency.

RESEARCH METHODOLOGY
This research was conducted at the Communication, Informatics, and Coding Office of Kampar Regency. The subject of the research was the Electronic Based Government System (SPBE), and the object of the research was self-assessment using the Index KAMI and ISO 27001:2013. The stages of this research can be seen in Figure 1.

Figure 1 Methodology

Fahmi Rifai, et al., Design of Application Information Security… 1525

The following is an explanation of the research methodology carried out:
(1) Analyze and design the VBA Ribbon using the Custom UI Editor, to simplify the appearance of the KAMI Index Excel file and add a ribbon for carrying out evaluations using ISO 27001:2013.
(2) Make a connection using MSXML2.XMLHTTP, so that Excel is integrated directly with HTTP and can be accessed.
(3) Conduct an information security audit in several stages: data collection in the form of agency risk and asset data; data validation and analysis, using a checklist to ensure that the data provided matches its original state; an information security self-assessment using the KAMI Index; and a comparison of the KAMI Index assessment results with the completeness of the controls in ISO 27001:2013.
(4) Make recommendations: once the ISO 27001:2013 evaluation has shown that there are deficiencies in the institution, the authors make recommendations based on the completeness of ISO 27001:2013 controls.

Information Security
Information security is maintaining the confidentiality, integrity, and availability of information [13]. Information security, according to ISO/IEC 27002 (2005), is the protection of information from any type of threat, aimed at ensuring business continuity, minimizing risk, and maximizing return on investment and business opportunities [11]. According to the Ministry of Communication and Information Technology (2008), information security is a branch of information technology study that can be used to determine techniques and methods for protecting information and information systems with respect to access rights, use, destruction, change, and distribution without legal authority. Information security is classified into the following types: physical security, personal security, operational security, communication security, and network security [11].
The information security index KAMI is a tool to evaluate and analyze the level of readiness or maturity of the Information Security Management System (ISMS) [15]. It gives agency leaders a description of the readiness condition (completeness and maturity) of the information security framework [16]. The Indeks KAMI framework has several parts, including electronic system evaluation, governance, risk, framework, asset management, technology, and supplements [17], [18]. In addition to the evaluation itself, the Index KAMI can also be used to analyze the similarity with aspects of the guidelines in the SNI ISO 27001:2013 standard [19], [20].

SNI ISO/IEC 27001:2013
The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 is a framework that provides guidelines for implementing an Information Security Management System (ISMS) [20]-[22]. It can be used to make organizational policies, taking as a first step the identification of risks and an examination of what has already been implemented, and it is used to determine, implement, operate, supervise, review, maintain and improve information security management system (ISMS) policies and documents based on organizational needs [10], [20], [23].
The ISO 27001:2013 standard contains clauses that need to be fulfilled to organize a good Information Security Management System (ISMS) [23]. SNI ISO/IEC 27001:2013 has two parts, namely the PDCA (Plan-Do-Check-Act) section and the Annex Control section. The Control Annex of ISO 27001:2013 has 14 security control clauses, 35 control objectives, and 114 controls for assessment [4], [13]. The correlation between the Index KAMI and ISO 27001:2013 can be seen in Figure 3: the Index KAMI groups the control objectives of ISO 27001:2013 that it evaluates or measures into 5 evaluation areas [24].

Visual Basic for Applications (VBA)
Microsoft Visual Basic for Applications (VBA) is a derivative of the Visual Basic programming language developed by Microsoft and released in 1993. VBA is the result of an integrated combination of the programming environment (Visual Basic Editor) with a programming language (Visual Basic) that enables users to design and build Visual Basic programs in the main Microsoft Office application [25], as well as certain applications. VBA is designed to perform several tasks, such as creating alternative specifications of an application such as Microsoft Office or Microsoft Visual Studio [26], [27].

MSXML2.XMLHTTP
MSXML2.XMLHTTP was first introduced by Microsoft as an ActiveX control in Microsoft Internet Explorer 5. MSXML2.XMLHTTP works by sending and receiving Hypertext Transfer Protocol (HTTP) requests, asynchronously and imprecisely, to the Web server, which responds with XML. Responses can be manipulated with scripts on the client or transformed with Extensible Stylesheet Language Transformation (XSLT). MSXML2.XMLHTTP also makes it possible to build responsive Web applications that do not need to refresh entire pages to display new data. In short, MSXML2.XMLHTTP sends requests from a client to a Web server and returns XML data to the client [28].

RESULTS AND DISCUSSIONS
The Office, Communication, Information, and Signage of Kampar Regency has used the Indeks KAMI on electronic systems. The assessment used in index KAMI is an application for analyzing and evaluating the level of readiness (completeness and maturity) of information security implementation and measuring the success of implementation improvement ideas, with the achievement of completeness and maturity levels at the Department of Communication, Informatics and Coding of Kampar Regency.
The assets of the Communication, Informatics, and Coding Office of Kampar Regency are divided into several categories, namely hardware, data, websites, networks, facilities, and human resources. The list of assets at the Communication, Informatics, and Coding Office of Kampar Regency can be seen in Table 1. Meanwhile, risk identification is carried out to find out the threats that might later occur at the Communication, Informatics, and Coding Office of the Kampar Regency. The list of risks at the Communication, Informatics, and Coding Office of Kampar Regency can be seen in Table 2.

VBA Ribbon Custom UI Design
VBA is an object-oriented programming language from Microsoft that is mainly used with applications such as Microsoft Excel, Microsoft Word, and Microsoft PowerPoint. Microsoft Excel is a data processing application with worksheets in the form of a spreadsheet. In this study, VBA is used in Microsoft Excel to add ribbon features. A coding example of making an Excel Ribbon using the Custom UI Editor is shown in Figure 4. The result of the VBA Ribbon coding for the Index KAMI VBA Ribbon design is shown in Figure 5. The custom ribbons added in the Index KAMI section are Index KAMI Version 4.0, Change Record, Risk Security Governance, Asset Management Framework, Technology, Supplements, Respondent Identity, SE Category, and Dashboard. The custom ribbon can be seen in Figure 6.

Applying MSXML2.XMLHTTP
After the custom ribbon is created in the Excel file, a connection is made using MSXML2.XMLHTTP. MSXML2.XMLHTTP performs HTTP requests from VBA, which gives Excel additional capabilities. An HTTP request can be used to interact with web services, APIs, or even websites, making it easier for users to access the Excel file. The coding of the HTTP request in Excel VBA can be seen in Figure 9.

Implementing Self-Assessment and Conformance to ISO 27001:2013 Standards
Data is collected through observation, interviews, and completion of the Index KAMI questionnaire by correspondents from the Communication, Informatics, and Coding Office of Kampar Regency who have duties and responsibilities in the areas covered by the Index KAMI questions. The questionnaire results are then calculated, and the level of completeness and maturity of information security is analyzed and evaluated using Index KAMI version 4.0. The results of the analysis are then assessed against the ISO 27001:2013 Standard. After the comparison, a recommendation process can be carried out, namely providing input on deficiencies that have not yet been addressed by the Communication, Informatics, and Coding Office of the Kampar Regency.
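The HTTP request step described under "Applying MSXML2.XMLHTTP" above, as an added example; it is not the paper's Figure 9 code. The endpoint URL, the sheet name "Dashboard", and the cell layout are assumptions for illustration. The request is sent asynchronously with a timeout, and a plain-HTTP endpoint is refused because the payload describes the agency's security posture.

```vba
Option Explicit

' Assumptions for this example (not from the paper): endpoint URL, sheet name,
' and cell layout (area labels in A2:A6, area scores in B2:B6).
Private Const ENDPOINT As String = "https://assessment.example.invalid/api/kami"
Private Const SCORE_SHEET As String = "Dashboard"
Private Const TIMEOUT_SECONDS As Double = 15

' Builds a form-encoded body from the five area scores and posts it.
' Returns True only on a 2xx response.
Public Function PostAreaScores() As Boolean
    Dim ws As Worksheet, body As String, r As Long, v As Variant
    Set ws = ThisWorkbook.Worksheets(SCORE_SHEET)

    For r = 2 To 6
        v = ws.Cells(r, 2).Value
        ' IsNumeric(Empty) is True in VBA, so reject blank cells explicitly.
        If IsEmpty(v) Or Not IsNumeric(v) Then
            Err.Raise vbObjectError + 1, "PostAreaScores", _
                      "Missing or non-numeric score in row " & r
        End If
        If Len(body) > 0 Then body = body & "&"
        ' EncodeURL (Excel 2013+) keeps label text from breaking the body format.
        body = body & Application.WorksheetFunction.EncodeURL(CStr(ws.Cells(r, 1).Value)) _
                    & "=" & CStr(CLng(v))
    Next r

    PostAreaScores = SendForm(ENDPOINT, body)
End Function

Private Function SendForm(ByVal url As String, ByVal body As String) As Boolean
    ' Refuse plain HTTP so assessment results never travel unencrypted.
    If LCase$(Left$(url, 8)) <> "https://" Then
        Err.Raise vbObjectError + 2, "SendForm", "Endpoint must use HTTPS"
    End If

    Dim http As Object, started As Double, code As Long
    Set http = CreateObject("MSXML2.XMLHTTP.6.0")
    http.Open "POST", url, True                 ' True = asynchronous
    http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    http.send body

    started = Timer
    Do While http.readyState <> 4               ' 4 = request complete
        DoEvents                                ' keep Excel responsive while waiting
        If ElapsedSince(started) > TIMEOUT_SECONDS Then
            http.abort
            Err.Raise vbObjectError + 3, "SendForm", "Request timed out"
        End If
    Loop

    On Error Resume Next                        ' a transport failure can make Status raise
    code = http.Status
    On Error GoTo 0
    SendForm = (code >= 200 And code < 300)     ' code stays 0 if Status was unavailable
End Function

' Seconds since "started"; Timer resets to 0 at midnight, so correct for wrap-around.
Private Function ElapsedSince(ByVal started As Double) As Double
    Dim t As Double
    t = Timer - started
    If t < 0 Then t = t + 86400
    ElapsedSince = t
End Function
```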

A. Evaluation Using the Indeks KAMI
Measurement of the 5 information security areas (parts I, II, III, IV, and V) shows that the maturity level of information security at the Communication, Informatics, and Coding Office of Kampar Regency is at level 1 and 1+, namely Not Feasible. The description of the maturity level of the five areas that have been assessed can be seen in Table 3. The order of maturity levels from lowest to highest is I-V. The minimum level that must be achieved to carry out ISO certification is III+, while for now the maturity level at the Communication, Informatics, and Coding Office of Kampar Regency is only I-I+. The maturity levels used to place the Communication, Information, and Coding Office of Kampar Regency are as follows:
• Level I - Initial Conditions
• Level II - Basic Framework Implementation
• Level III - Defined and Consistent
• Level IV - Managed and Measured
• Level V - Optimal
From the description above, it can be seen that the level of maturity at the Communication, Information, and Sign Language Office of Kampar Regency is in the I-I+ range, which means it is still in its initial condition. The dashboard of the evaluation results of the information security areas and the radar chart of the level of completeness of the SNI/IEC 27001 standard can be seen in Figure 10.
Figure 10 shows that the category level of electronic systems used by the Communication, Informatics, and Coding Office of Kampar Regency is in the high category, with a score of 17. Meanwhile, the level of completeness of the application of the ISO 27001 standard is at the "Inappropriate" level, with a score of 151 only reaching the I+ level. This shows that the high level of dependence of the Communication, Informatics, and Coding Office of Kampar Regency on electronic systems is not supported by adequate information security. Therefore, based on the results of the evaluation of the Index KAMI, the Communication, Informatics and Coding Office of Kampar Regency is in dire need of improvement.

B. Assessment of Conformance to ISO 27001:2013 Standard
The results of the Indeks KAMI analysis are then assessed for conformity to the ISO 27001:2013 standard, with the aim of understanding the condition of the information security management system managed by the Communication, Informatics, and Coding Office of Kampar Regency. The following are the results of the assessment of the suitability of the condition of the information security management system owned by the Communication, Informatics, and Coding Office of Kampar Regency against the ISO 27001:2013 Standard. Table 4 shows that, in the assessment using the ISO 27001:2013 Annex controls, there are still clauses that have not been fulfilled. Therefore, recommendations are given with regard to the risk analysis carried out previously, so that the clauses of ISO 27001:2013 can be fulfilled, unacceptable information security risks minimized, and the quality of and ability to manage the Information Security Management System improved.

Recommendations
From the results of the Indeks KAMI evaluation, some values are not sufficient for certification under SNI ISO/IEC 27001:2013. The researchers therefore make recommendations for the Communication, Informatics, and Coding Office of Kampar Regency, which in the future will serve as a reference for preparing security governance documents to improve information technology security at the Communication, Informatics, and Coding Office of Kampar Regency. The recommendations are based on the SNI ISO/IEC 27001:2013 standard and are made by looking at the deficiencies that exist in each area and comparing them with the ISO 27001:2013 Annex controls relating to that area. The following table presents several recommendations for each area, sorted by priority from the lowest to the highest score obtained for each area.

DISCUSSION
Several studies have evaluated information security using the Index KAMI and ISO 27001:2013. Based on established policies, information security should be managed. The policy is the Minister of Communication and Information Technology Regulation No. 4 of 2016 concerning Information Security Management Systems. This regulation states that two types of guidelines can be used to secure information, namely the SNI ISO/IEC 27001 standard or the Information Security Index (KAMI) framework prepared by the National Cyber and Crypto Agency (BSSN).
The ISO/IEC 27001 international standard is used to define, implement, operate, supervise, review, maintain, and improve information security management system (SMKI) policies and documents based on the needs of the organization (ISO/IEC 27001, 2013). Assessment using the Information Security Index (Index KAMI) is an application that is used as a tool to analyze and evaluate the level of readiness (completeness and maturity) of information security implementation and to measure the success of implemented improvement ideas, by achieving a certain level of completeness and maturity in an organization.
These studies only focus on evaluating the Index KAMI and then standardizing the fulfillment of ISO 27001:2013. The Index KAMI evaluation tool is not intended to analyze the feasibility or effectiveness of existing forms of security, but rather to give agency leaders an overview of the state of readiness (completeness and maturity) of the information security framework. The Index KAMI can be used to evaluate the level of maturity and the level of completeness of the application of SNI ISO/IEC 27001, as well as to map information system security governance areas in an agency; it is a comprehensive standard that assists institutions in achieving goals and generating value through effective information technology governance and management.
In this research, self-assessment is carried out using the Index KAMI and ISO 27001:2013 to help an organization ensure that the information security it has implemented is effective, so that recommendations can be provided based on the clauses of ISO 27001:2013. The information security evaluation process uses the Index KAMI and ISO 27001:2013 with Microsoft Excel data recording. To make it easier to assess information security using ISO 27001:2013 in the Index KAMI Excel file, Visual Basic for Applications (VBA) is used as a medium for adding ISO 27001:2013. With VBA integrated into Microsoft Excel, data can be recapitulated automatically, and the workbook is later connected using MSXML2.XMLHTTP. Previous research, by contrast, did not conduct a conformity assessment against the ISO 27001:2013 Standard, design a VBA Ribbon, or connect to MSXML2.XMLHTTP.

CONCLUSION
Designing a VBA ribbon using the Custom UI Editor can help Office applications create programs that automate repetitive processes and simplify the appearance of Excel. In addition, MSXML2.XMLHTTP performs HTTP requests from VBA, which gives Excel additional capabilities and makes it easier for users to access the Excel file.
The maturity level of information security at the Department of Communication, Informatics and Cybersecurity of Kampar Regency is at level 1 and 1+, namely Not Feasible, with a score level of 151. Therefore, according to the evaluation results of the Index KAMI, the Communication, Informatics and Coding Office of Kampar Regency urgently needs improvement.
The condition of SPBE information security governance managed by the Department of Communication, Informatics and Coding of Kampar Regency is still very far from meeting the requirements of the ISO 27001:2013 standard. This is evidenced by compliance that is still far from 100% and a risk profile that has not been mitigated.

Figure 3 The relationship between ISO 27001 and Indeks KAMI

Figure 4 VBA Ribbon Coding

Figure 5 VBA Ribbon of Index KAMI

Figure 6 Custom Ribbons in the Index KAMI

Figure 7 for the results of the ISO 27001:2013 VBA Ribbon design.

Figure 7 VBA Ribbon of ISO 27001:2013

The addition of a custom ribbon in the ISO 27001:2013 section contains the ISO 27001:2013 clauses menu and the results of the clause completeness assessment in the form of the Assessment Results menu. The custom ribbon can be seen in Figure 8.

Figure 8 Custom Ribbon in the ISO 27001:2013

Figure 9 The MSXML2.XMLHTTP coding

Figure 10 Results of Radar Diagram of the Completeness Level of Information Security Areas

Table 1
List of Assets

Table 3
Results of Measurement of Maturity Levels in 5 Areas of Information Security

Table 5
Recommendations for Information Security Governance Areas

Table 6
Recommendations for Information Security Risk Management Areas