Analyzing security risk of information technology asset using BS ISO 27001
Angraini, S.Kom, M.Eng. Email: angraini@uin-suska.ac.id
Security news

9 April 2016: a credit card was compromised while shopping online at Lazada.
Cause: the user did not log out of the browser.

2 August 2016: a hacker sold 200 million Yahoo email accounts for 23 million rupiah.
Cause: weak user passwords.
Introduction

Organizations lose their crucial information if they do not care about information security.
Willcocks & Lester (1996): using information technology has become important to achieving good business results.
Mcilwrath (2006): Losing information will make
Security incidents in Indonesia
- IPR (Intellectual Property Right)
- Spam complaints
- Network incidents (defacement, DDoS attacks, etc.)
- Spoofing/Phishing
Purpose of the research
- Identify risks found in the information technology assets of organizations using information technology
- Knowing the security management of
Information Security Risk Research
- Andric (2007) & Furnell (2006): associate threats with preserving information security
- (Ernawati, Suhardi, & Nugroho, 2012): assessment of an IT risk management framework based on ISO 31000
- (Khrisna & Computing, 2014): risk management for cloud computing integrated with COBIT
- (Carcary, 2012): assignment for risk management from a capability maturity perspective
Methodology: Data collection
- Survey with questionnaire
  - Survey done at the computer center of UIN SUSKA
  - Respondents were employees of the UIN SUSKA computer center
- Document collection
  - Risk register
  - Information security plan
  - Log book of computer use from all divisions of the organization
Methodology: Data analysis
- Asset identification
- Asset value calculation (network, server)
- Business impact analysis

Value of information technology assets
(asset value = confidentiality + integrity + availability)

Asset                         Confidentiality  Integrity  Availability  Asset value
PC                            2                2          2             6
Server                        3                2          2             7
Network                       2                2          2             6
Academic information system   2                2          2             6
Risk value

Level of risk
No  Asset                         Risk value  Level of risk
1   PC                            0.6         Low
2   Server                        2.8         Medium
3   Network                       2.4         Medium
4   Academic information system   3.6         High
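As an added example (not part of the original slides), the two tables above reproduced as a small risk register in Python: the asset value is computed as the sum of the C, I and A ratings, the Low/Medium/High bands are an assumption chosen to match the levels in the table (the slides do not state the thresholds), and the register is ordered so the highest-risk asset comes first.

```python
from dataclasses import dataclass

# Rating scale assumed from the page's table (each C/I/A score shown is 2 or 3)
RATING_MIN, RATING_MAX = 1, 3

@dataclass
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def value(self) -> int:
        # Asset value as on the page: the sum of the C, I and A ratings
        ratings = (self.confidentiality, self.integrity, self.availability)
        for r in ratings:
            if not RATING_MIN <= r <= RATING_MAX:
                raise ValueError(f"{self.name}: rating {r} not in {RATING_MIN}..{RATING_MAX}")
        return sum(ratings)

def risk_level(risk_value: float) -> str:
    # Assumed bands (the page lists only the resulting levels):
    # below 2.0 is Low, 2.0 up to 3.0 is Medium, 3.0 and above is High
    if risk_value < 2.0:
        return "Low"
    if risk_value < 3.0:
        return "Medium"
    return "High"

def build_register(assets, risk_values):
    # Rows of (name, asset value, risk value, level), highest risk first,
    # so the asset that needs risk governance first is at the top
    rows = [(a.name, a.value(), risk_values[a.name], risk_level(risk_values[a.name]))
            for a in assets]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Ratings and risk values copied from the page's two tables
PAGE_ASSETS = [
    Asset("PC", 2, 2, 2),
    Asset("Server", 3, 2, 2),
    Asset("Network", 2, 2, 2),
    Asset("Academic information system", 2, 2, 2),
]
PAGE_RISK_VALUES = {"PC": 0.6, "Server": 2.8, "Network": 2.4,
                    "Academic information system": 3.6}

if __name__ == "__main__":
    for name, av, rv, level in build_register(PAGE_ASSETS, PAGE_RISK_VALUES):
        print(f"{name:28} asset value={av}  risk value={rv}  level={level}")
```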
Conclusion
- Threats to and vulnerabilities of information assets increase the risk level.
- Managing user data carries the highest level of risk and needs information technology risk governance.
- Risk governance will mitigate threats.
References
Alshboul, A. (2010). Information Systems Security Measures and Countermeasures: Protecting Organizational Assets from Malicious Attacks. Communications of the IBIMA, 2010, 1–9.
Barnard, L., & von Solms, R. (2000). A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls. Computers & Security, 19(2), 185–194.
Furnell, S. (2006). Malicious or misinformed? Exploring a contributor to the insider threat. Computer Fraud and Security, 2006(9), 8–12.
Landoll, D. J. (2011). A Complete Guide for Performing Security Risk Assessments.
Willcocks, L., & Lester, S. (1996). Beyond the IT productivity paradox.