Risk Management Analysis of Information Security in an Academic Information System at a Public University in Indonesia: Implementation of ISO/IEC 27005:2018 and ISO/IEC 27001:2013 Security Controls

Keywords: risk management, ISO/IEC 27005, ISO/IEC 27001, academic information system

Abstract

An online academic information system is potentially exposed to various threats originating from both internal and external sources, which may compromise the institution's objectives if they are not managed effectively and appropriately. Academic portals often experience issues such as server downtime and unauthorized access attempts, yet there is no specific documentation dedicated to managing these issues. This study analyzes information security risk management for the academic portal of Universitas Riau, Indonesia. It employs the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27005:2018 standard and the ISO/IEC 27001:2013 security controls, following four key stages: context establishment, risk assessment, risk treatment, and recommendations. The findings identify eight categories of information system assets, 30 threats, and 43 vulnerabilities; of the 43 vulnerabilities, two are rated high risk, 19 medium risk, and 22 low risk. In terms of treatment, 21 risks require risk modification, four require risk avoidance, four require risk sharing, and the remaining 14 can be managed through risk retention (acceptance of the risk). Furthermore, implementing the control recommendations of ISO/IEC 27001 can minimize and effectively address these risks. Nevertheless, this study focuses primarily on information security risks and does not extensively cover related areas such as data privacy, regulatory compliance, or operational risks. Future research could explore the effectiveness of training programs and awareness campaigns in reducing human-related risks, such as phishing and social engineering attacks.

Author Biographies

Sonya Meitarice, Universitas Riau

Department of Information Systems

Lidya Febyana, Universitas Riau

Department of Information Systems

Aidil Fitriansyah, Universitas Riau

Department of Informatics Management

Riki Ario Nugroho, Universitas Riau

Department of Information Systems

Published: 2024-11-20

How to Cite: Meitarice, S., Febyana, L., Fitriansyah, A., Kurniawan, R., & Nugroho, R. A. (2024). Risk Management Analysis of Information Security in an Academic Information System at a Public University in Indonesia: Implementation of ISO/IEC 27005:2018 and ISO/IEC 27001:2013 Security Controls. Journal of Information Technology and Cyber Security. https://doi.org/10.30996/jitcs.12099

Section: Research Article