Analyzing security risk of

information technology asset

using BS: ISO 27001

Angraini, S.Kom, M.Eng Email : angraini@uin-suska.ac.id

Security news



_{9 April 2016}



_{credit card was hacking when}

shopping online in lazada



_{Cause user don’t log out in browser}



_{2 Augustus 2016 Hacker was sell 200}

million account email yahoo for 23

million rupiah



_{Cause weak user weak password}

Introduction



_{Organization has lose their crucial information if}

they don’t care about security information



_{security willcock & lester (1996) , using}

information technology has become important to

make a good achievement of business



_{Mcilwrath (2006), Losing information will make}

Security incident in indonesia

IPR ( Intellectual Property Right )

Spam complaint

Network Incident (De-face, DdoS attack, etc)

Spoofing/Phishing

Purpose of the research



_Identify

_risks

_found

_in

_information

technology assets in organizations using

technology information



_{Knowing the security management of}

Information Security Risk Research

Andric (2007) & Furnell (2006), associate preserve a

threat to make sure information still secure

Andric (2007) & Furnell (2006), associate preserve a

threat to make sure information still secure

(Ernawati, Suhardi, & Nugroho, 2012), assesment IT

risk management framework based ISO 31000.

(Ernawati, Suhardi, & Nugroho, 2012), assesment IT

risk management framework based ISO 31000.

(Khrisna & Computing, 2014), Risk management for

cloud computing integration with COBIT

(Khrisna & Computing, 2014), Risk management for

cloud computing integration with COBIT

(Carcary, 2012), Assignment for risk management with

capability maturity perspective

Methodology : Data collection



_{Survey with questionnaire}



_{Survey done at computer center UIN SUSKA}



_{Respondents were employees of computer center UIN}

SUSKA



_{Document collection}



_{Risk register}



_{Information security plan}



_{Log book using computers from all divisions at}

organization

Methodology : Data analysis



_{Asset identification}



_{Asset value calculation}



_Network



_Server



_{Business impact analysis}

Value of Asset information

technology

Asset Confidentia

lity Integrity Availability Asset value

PC 2 2 2 6

Server 3 2 2 7

Network 2 2 2 6

Academic information system

2 2 2 6

Risk value

Level of risk

No Asset Risk Value Level of Risk

1 PC 0.6 Low

2 Server 2.8 Medium

3 Network 2.4 Medium

4 Academic information system

3.6 High

Conclusion



_{Threat and vulnerability of information asset}

due to increase risk level.



_{Manage data user most High level risk and}

need

risk

information

technology

governance.



_{Risk governance will mitigate threat}

References

 _{Alshboul, A. (2010). Information Systems Security Measures and} Countermeasures: Protecting Organizational Assets from Malicious Attacks. Communications of the IBIMA, 2010, 1–9.

 _{Barnard, L., & von Solms, R. (2000). A Formalized Approach to the} Effective Selection and Evaluation of Information Security Controls.

Computers & Security, 19(2), 185–194.

 _{Furnell, S. (2006). Malicious or misinformed? Exploring a contributor} to the insider threat. Computer Fraud and Security, 2006(9), 8–12.  _{Landoll, D. J. (2011). A Complete Guide for Performing Security Risk}

Assessments.

 _{Willcocks, L., & Lester, S. (1996). Beyond the IT productivity paradox.}