Risk Management Analysis of Information Security in an Academic Information System at a Public University in Indonesia: Implementation of ISO/IEC 27005:2018 and ISO/IEC 27001:2013 Security Controls

Authors

DOI:

https://doi.org/10.30996/jitcs.12099

Keywords:

risk management, ISO/IEC 27005, ISO/IEC 27001, academic information system

Abstract

An online academic information system is potentially exposed to various threats from internal and external sources, which may compromise the institution's objectives if not managed effectively and appropriately. Academic portals often experience issues such as server downtime and unauthorised access attempts. However, there is no specific documentation dedicated to managing these issues. This study aims to analyze risk management in information security for the academic portal of Universitas Riau, Indonesia. The study employs the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27005:2018 standard and ISO/IEC 27001:2013 security controls, following four key stages: context establishment, risk assessment, risk treatment, and recommendations. The findings identify eight categories of information system assets, 30 identified threats, and 43 vulnerabilities, including two high-risk categories, 19 medium-risk categories, and 22 low-risk categories. Of the 43 vulnerabilities, 21 risks required risk modification, four required risk avoidance, and four required risk sharing. Fourteen risks, which can be managed through risk retention (acceptance of risk), fall under the category of risk acceptance. Furthermore, ISO/IEC 27001 suggests that implementing control recommendations can minimize and effectively address these risks. Nevertheless, this study focuses primarily on information security risks and does not extensively cover related areas such as data privacy, regulatory compliance, or operational risks. Future research can explore the effectiveness of training programs and awareness campaigns in reducing human-related risks, such as phishing and social engineering attacks.

Downloads

Download data is not yet available.

Author Biographies

Sonya Meitarice, Universitas Riau

Department of Information Systems

Lidya Febyana, Universitas Riau

Department of Information Systems

Aidil Fitriansyah, Universitas Riau

Department of Informatics Management

Riki Ario Nugroho, Universitas Riau

Department of Information Systems

Downloads

Published

2024-11-20

How to Cite

Meitarice, S., Febyana, L., Fitriansyah, A., Kurniawan, R., & Nugroho, R. A. (2024). Risk Management Analysis of Information Security in an Academic Information System at a Public University in Indonesia: Implementation of ISO/IEC 27005:2018 and ISO/IEC 27001:2013 Security Controls. Journal of Information Technology and Cyber Security, 2(2), 58–75. https://doi.org/10.30996/jitcs.12099

Issue

Vol. 2 No. 2 (2024): July

Section

Research Article

License

 

Copyright Notice based on COPE (Committee on Publication Ethics) for JITCS: Journal of Information Technology and Cyber Security

  1. Ownership and Copyright:

    1. JITCS: Journal of Information Technology and Cyber Security respects the intellectual property rights of authors. The copyright for individual articles published in JITCS is retained by the respective authors, unless otherwise specified.
    2. The articles published in JITCS are licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0), which permits use and distribution in any medium, provided the original work is properly cited, the use is non-commercial, and no modifications or adaptations are made.
    3. JITCS serves as the initial publisher of the articles, providing them with the first publication platform.

  2. Permissions and Usage:

    1. Distribution for Non-Commercial Purposes: Permitted: Users are allowed to distribute the article for non-commercial purposes, provided the original work is properly cited and no modifications or adaptations are made.
    2. Distribution for Commercial Purposes: Not Permitted: The article may not be distributed for any commercial purposes without obtaining prior written permission from the author(s).
    3. Inclusion in a Collective Work (e.g., Anthology) for Non-Commercial Purposes: Permitted: Users are allowed to include the article in a collective work, such as an anthology, as long as the use is non-commercial and the work remains unchanged.
    4. Inclusion in a Collective Work for Commercial Purposes: Not Permitted: The article may not be included in any collective work or anthology intended for commercial purposes without prior permission from the author(s).
    5. Creation and Distribution of Revised Versions, Adaptations, or Derivative Works (e.g., Translation) for Non-Commercial Purposes: Not Permitted: Users may not create or distribute revised versions, adaptations, or derivative works, including translations, for non-commercial purposes.
    6. Creation and Distribution of Revised Versions, Adaptations, or Derivative Works for Commercial Purposes: Not Permitted: Users may not create or distribute revised versions, adaptations, or derivative works, including translations, for commercial purposes.
    7. Text or Data Mining for Non-Commercial Purposes: Permitted: Users are permitted to engage in text or data mining of the article for non-commercial research purposes, provided the original work is properly attributed.
    8. Text or Data Mining for Commercial Purposes: Not Permitted: Users may not engage in text or data mining of the article for commercial purposes without obtaining explicit permission from the author(s).

  3. Attribution and Citation:

    1. Proper attribution and citation of the published work should be provided when using or referring to content from JITCS. This includes clearly indicating the authors, the title of the article, the journal name (JITCS), the volume/issue number, the publication year, and the article's DOI (Digital Object Identifier) when available.
    2. When adapting or modifying the published content, proper attribution to the original source should be given, and the adapted or modified content should be shared under the same CC BY-NC-ND 4.0 license.

  4. Plagiarism and Copyright Infringement:

    1. JITCS considers plagiarism and copyright infringement as serious ethical violations. Authors are responsible for ensuring that their submitted work is original and does not infringe upon the copyright or intellectual property rights of others.
    2. Any allegations of plagiarism or copyright infringement will be investigated promptly and thoroughly. If proven, appropriate actions, including rejection of the manuscript, retraction of the published article, or other corrective measures, will be taken.

  5. Open Access Licensing:

    1. JITCS supports open access publishing and encourages authors to consider publishing their work under the CC BY-NC-ND 4.0 license to promote the dissemination and use of knowledge in the field of information technology and cyber security.
    2. The specific terms and conditions of the CC BY-NC-ND 4.0 license will be clearly indicated on the published articles.

  6. Policy Review: This Copyright Notice will be periodically reviewed and updated to ensure its continued relevance and compliance with copyright laws, ethical standards, and open access principles in scholarly publishing. Any updates or revisions to the notice will be communicated to the relevant stakeholders.

By adhering to this Copyright Notice, JITCS aims to protect the rights of authors, promote proper attribution and citation practices, and facilitate the responsible and legal use of the published content in accordance with the CC BY-NC-ND 4.0 license.