Impact of Implementation of Information Security Risk Management and Security Controls on Cyber Security Maturity (A Case Study at Data Management Applications of XYZ Institute)
Information security is an important concern for governments and industry because of the increase in cyber attacks during Covid-19. The government is obliged to maintain information security when implementing an Electronic-Based Government System, following Presidential Regulation of the Republic of Indonesia Number 95 of 2018. To address this problem, the XYZ Institute needs an approach to implementing information security risk management and information security controls. This study aims to perform risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance and risk control, and to analyse cyber security maturity gaps in the domains of governance, identification, protection, detection, and response. ISO/IEC 27005:2018 is used as guidance for conducting the risk assessment. The code of practice for information security controls follows the ISO/IEC 27002:2013 standard, and maturity is assessed using the cyber security maturity model version 1.10 developed by the National Cyber and Crypto Agency of the Republic of Indonesia. The results show that the cyber security maturity value increased from 3.19 to 4.06 after implementing 12 new security controls.
Fahrurozi, M., Tarigan, S. A., Tanjung, M. A., and Mutijarsa, K. 2020. “The Use of ISO/IEC 27005: 2018 for Strengthening Information Security Management (A Case Study at Data and Information Center of Ministry of Defence),” in ICITEE 2020 - Proceedings of the 12th International Conference on Information Technology and Electrical Engineering, Institute of Electrical and Electronics Engineers Inc., October 6, pp. 86–91. (https://doi.org/10.1109/ICITEE49829.2020.9271748).
Fenz, S., Plieschnegger, S., and Hobel, H. 2016. “Mapping Information Security Standard ISO 27002 to an Ontological Structure,” Information and Computer Security (24:5), Emerald Group Publishing Ltd., pp. 452–473. (https://doi.org/10.1108/ICS-07-2015-0030).
García-Porras, C., Huamani-Pastor, S., and Armas-Aguirre, J. 2018. “Information Security Risk Management Model for Peruvian SMEs,” in Proceedings of the 2018 IEEE Sciences and Humanities International Research Conference (SHIRCON), Lima, Peru, 20-22 November 2018. (https://doi.org/10.1109/SHIRCON.2018.8592994).
Ghazouani, M., Medromi, H., and Moussaid, L. 2017. “Design and Implementation of a Comprehensive Information Security Risk Management Tool Based on Multi-Agents Systems,” International Journal of Applied Information Systems (12:7), Foundation of Computer Science, pp. 1–8. (https://doi.org/10.5120/ijais2017451711).
International Standard ISO/IEC 27002. 2013. “Code of Practice for Information Security Controls, ISO/IEC 27002:2013(E).”
International Standard ISO/IEC 27005. 2018. “Information Security Risk Management, ISO/IEC 27005:2018(E).”
INTERPOL. (n.d.). “ASEAN Cyberthreat Assessment 2021 Key Cyberthreat Trends Outlook From The Asean Cybercrime Operations Desk.” (https://www.interpol.int/).
Karabacak, B., Yildirim, S. O., and Baykal, N. 2016. “A Vulnerability-Driven Cyber Security Maturity Model for Measuring National Critical Infrastructure Protection Preparedness,” International Journal of Critical Infrastructure Protection (15), Elsevier B.V., pp. 47–59. (https://doi.org/10.1016/j.ijcip.2016.10.001).
Presidential Regulation. (n.d.). “Regulation Of The President Of The Republic Of Indonesia Number 95 Of 2018 Concerning Electronic-Based Government Systems.” (https://peraturan.bpk.go.id/Home/Details/96913/perpres-no-95-tahun-2018).
Kure, H. I., and Islam, S. 2019. “Assets Focus Risk Management Framework for Critical Infrastructure Cybersecurity Risk Management,” IET Cyber-Physical Systems: Theory and Applications (4:4), Institution of Engineering and Technology, pp. 332–340. (https://doi.org/10.1049/iet-cps.2018.5079).
Mayer, J., and Fagundes, L. L. 2009. “A Model to Assess the Maturity Level of the Risk Management Process in Information Security,” in 2009 IFIP/IEEE International Symposium on Integrated Network Management-Workshops, IM 2009, pp. 61–70. (https://doi.org/10.1109/INMW.2009.5195935).
Monev, V. 2020. “Organisational Information Security Maturity Assessment Based on ISO 27001 and ISO 27002,” in International Conference on Information Technologies (InfoTech-2020), Proceedings of the 34th Edition of the InfoTech Conference, 17th-18th September 2020, St. St. Constantine and Elena Resort, Varna, Bulgaria.
Patino, S., Solis, E. F., Yoo, S. G., and Arroyo, R. 2018. “ICT Risk Management Methodology Proposal for Governmental Entities Based on ISO/IEC 27005,” in 2018 5th International Conference on EDemocracy and EGovernment, ICEDEG 2018, Institute of Electrical and Electronics Engineers Inc., June 4, pp. 75–82. (https://doi.org/10.1109/ICEDEG.2018.8372361).
Payette, J., Anegbe, E., Caceres, E., and Muegge, S. 2015. “Secure by Design: Cybersecurity Extensions to Project Management Maturity Models for Critical Infrastructure Projects,” Technology Innovation Management Review (Vol. 5). (www.timreview.ca).
Putra, I. M. M., and Mutijarsa, K. 2021. “Designing Information Security Risk Management on Bali Regional Police Command Center Based on ISO 27005,” in 3rd 2021 East Indonesia Conference on Computer and Information Technology, EIConCIT 2021, Institute of Electrical and Electronics Engineers Inc., April 9, pp. 14–19. (https://doi.org/10.1109/EIConCIT50028.2021.9431865).
Rabii, A., Assoul, S., Ouazzani Touhami, K., and Roudies, O. 2020. “Information and Cyber Security Maturity Models: A Systematic Literature Review,” Information and Computer Security, Emerald Group Holdings Ltd., pp. 627–644. (https://doi.org/10.1108/ICS-03-2019-0039).
Sensuse, D. I., Syahrizal, A., Aditya, F., and Nazri, M. 2020. “Information Security Risk Management Planning of Digital Certificate Management Case Study: Balai Sertifikasi Elektronik,” in 2020 5th International Conference on Informatics and Computing, ICIC 2020, Institute of Electrical and Electronics Engineers Inc., November 3. (https://doi.org/10.1109/ICIC50835.2020.9288593).
Wheeler, E. 2011. Security Risk Management: Building an Information Security Risk Management Program from the Ground Up, (1st ed.).
XYZ Institute. (n.d.). “The Application of Data Management.” (https://sub.xyzinstitute, accessed September 5, 2021).
Copyright (c) 2022 Jurnal Sistem Informasi
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.