https://jurnal.untag-sby.ac.id/index.php/jitsc/issue/feedJournal of Information Technology and Cyber Security2024-11-21T05:07:47+00:00Sitisitimutrofin@untag-sby.ac.idOpen Journal Systemshttps://jurnal.untag-sby.ac.id/index.php/jitsc/article/view/12099Risk Management Analysis of Information Security in an Academic Information System at a Public University in Indonesia: Implementation of ISO/IEC 27005:2018 and ISO/IEC 27001:2013 Security Controls2024-11-21T05:07:47+00:00Sonya Meitaricesonya@lecturer.unri.ac.idLidya Febyanalidya.febyana5529@student.unri.ac.idAidil Fitriansyahaidil.fitriansyah@lecturer.unri.ac.idRahmad Kurniawanrahmadkurniawan@lecturer.unri.ac.idRiki Ario Nugrohoriki.ario@lecturer.unri.ac.id<p>An online academic information system is potentially exposed to various threats originating from both internal and external sources, which may compromise the institution's objectives if not managed effectively and appropriately. Academic portals often experience issues such as server downtime and unauthorized access attempts. However, there is no specific documentation dedicated to managing these issues. This study aims to analyze risk management in information security for the academic portal of Universitas Riau, Indonesia. The study employs the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27005:2018 standard and ISO/IEC 27001:2013 security controls, following four key stages: context establishment, risk assessment, risk treatment, and recommendations. The findings identify eight categories of information system assets, 30 identified threats, and 43 vulnerabilities, including two high-risk categories, 19 medium-risk categories, and 22 low-risk categories. Of the 43 vulnerabilities, 21 risks require risk modification, four require risk avoidance, and four require risk sharing. Fourteen risks, which can be managed through risk retention (acceptance of risk), fall under the category of risk acceptance. Furthermore, ISO/IEC 27001 suggests that implementing control recommendations can minimize and effectively address these risks. Nevertheless, this study focuses primarily on information security risks and does not extensively cover related areas such as data privacy, regulatory compliance, or operational risks. Future research could explore the effectiveness of training programs and awareness campaigns in reducing human-related risks, such as phishing and social engineering attacks.</p>2024-11-20T12:43:40+00:00##submission.copyrightStatement##