Information Security Assessment Using ISO/IEC 27001:2013 Standard on Government Institution

TRIKONOMIKA, 2018, Vol 17 (1), pp. 28
Author(s): Akmal Zaifullah Maingak, Candiwan Candiwan, Listyo Dwi Harsono

The purpose of this research is to determine the existing gap to achieving ISO/IEC 27001:2013 certification and to determine the maturity level of the information system owned by X Government Institution. The information system of X Government Institution was assessed against the 14 clauses contained in ISO/IEC 27001:2013. The method used is a qualitative method, with data collection and data validation by triangulation (interview, observation, and documentation). Data analysis used gap analysis, and the maturity level was measured using CMMI (Capability Maturity Model for Integration). The results showed that the information security applied by X Government Institution was at level 1 (Initial), meaning there was evidence that the institution was aware of problems that needed to be overcome, but processes were unstandardized and problems tended to be handled individually or case by case.

Respati, 2020, Vol 15 (1), pp. 43
Author(s): Ita Permatahati, Wing Wahyu Winarno, Mei P Kurniawan

Abstract (translated from Indonesian): Applying standards in a company engaged in software development is one way to improve its quality. CMMI is one of the standards the authors chose to determine the maturity level of the Innovation Center division at Amikom. The CMMI used is CMMI for Development version 1.3, focusing on maturity level 2 with its 6 process areas. This research took one sample project at the Innovation Center (IC), a mobile-based attendance application. Based on the measurements made, the software development process at IC is at level 1 (Initial), meaning that not all practices in each of the 6 process areas have been applied. Keywords: software development process, CMMI, CMMI-DEV, staged representation, maturity level.

Abstract: Applying standards to a company engaged in the development of devices is one way to improve its quality. CMMI is one of the standards chosen by the author to find out the level of maturity of the Innovation Center at Amikom. The CMMI used is CMMI for Development version 1.3, which focuses on the level of maturity at level 2 with 6 process areas. This study took 1 sample project at the Innovation Center (IC), a mobile-based presence application. Based on the results of the measurements that have been made, the development process at the IC is at level 1 (Initial) related to all the practices that exist in each of the 6 process areas that are applied. Keywords: software development process, CMMI, CMMI-DEV, Leveled Representation, Maturity Level.


2016, Vol 6 (1), pp. 38
Author(s): Yuni Cintia Yuze, Yudi Priyadi, Candiwan

Because of the importance of information and the possible risk of disruption, universities need to design and implement information security. One of the standards that can be used to analyze the level of information security in an organization is ISO/IEC 27001:2013; this standard provides requirements for establishing, implementing, maintaining and continually improving an information security management system. The objective of this research is to measure the level of information security based on the ISO/IEC 27001:2013 standard and to model systems for information security management. This research uses a descriptive qualitative approach, with data collection and validation by triangulation (interview, observation and documentation). Data were analyzed using gap analysis, and to measure the maturity level this research uses SSE-CMM (Systems Security Engineering Capability Maturity Model). Based on the results, the maturity level of the Information Security Policy clause reaches level 1 (Performed-Informally), the Asset Management clause reaches level 3 (Well-Defined), the Access Control clause reaches level 3 (Well-Defined), the Physical and Environmental Security clause reaches level 3 (Well-Defined), the Operational Security clause reaches level 3 (Well-Defined), and the Communication Security clause reaches level 2 (Planned and Tracked). The maturity level results revealed some weaknesses in asset management in implementing the policy. Therefore, the system modeling, using a flow map and CD/DFD, focused on the Asset Management System.


2008, pp. 1396-1415
Author(s): James E. Goldman, Vaughn R. Christie

This chapter introduces the Metrics Based Security Assessment (MBSA) as a means of measuring an organization’s information security maturity. It argues that the historical (i.e., first through third generation) approaches used to assess and ensure system security are not effective, and therefore combines the strengths of two industry-proven information security models, the ISO 17799 Standard and the Systems Security Engineering Capability Maturity Model (SSE-CMM), to overcome their inherent weaknesses. Furthermore, the authors trust that the use of information security metrics will enable information security practitioners to measure their information security efforts in a more consistent, reliable, and timely manner. Such a solution will allow a more reliable qualitative measurement of the return achieved through given information security investments. Ultimately, the MBSA will give professionals an additional, more robust self-assessment tool for answering management questions such as: “How secure are we?”


2019, Vol 26 (4)
Author(s): Lígia de Oliveira Franzosi, Carla Cristina Amodio Estorilio

Food companies have been seeking certification of their Product Development Processes (PDP) as a symbol of quality; however, few are prepared to obtain it. One hypothesis is that some companies are not mature enough to obtain this certification and maintain it in the long term. To guarantee product quality, it is important that all the activities responsible for the PDP are aligned, integrated, measured and controlled, which characterizes PDP maturity. Therefore, the aim of this work is to analyze the PDP maturity level of the food industry to identify its compatibility with the status of their quality certifications. For this, an adapted method of the Capability Maturity Model Integration (CMMI) is used to measure each company’s maturity, also seeking to identify the status of their certifications. Information was collected from five companies in the food industry, which showed consistency between their certifications and maturity levels: four are at level 1 and have no certification, and one is at level 2 and is certified by the International Organization for Standardization (ISO).


2019, Vol 6 (2), pp. 193-202
Author(s): Eko Handoyo, Rusydi Umar, Imam Riadi

A secure academic information system is part of a college. The security of academic information systems is very important to maintaining information optimally and safely. Along with the development of technology, academic information systems are often misused by irresponsible parties, which poses threats. To prevent this, it is necessary to evaluate the extent to which the security of a university’s academic information system is carried out. This research was therefore conducted to determine the Maturity Level of security governance for the University Ahmad Dahlan academic information system, using the COBIT 5 framework in the DSS05 domain. The DSS05 domain of COBIT 5 is a good framework for implementing and evaluating the security of academic information systems, while the CMMI method is needed to determine the achievement level of the security evaluation. Combining the DSS05 domain of the COBIT 5 framework with the CMMI method for academic information system security provides a level of achievement in the form of a Maturity Level value. The analysis of the COBIT 5 DSS05 domain using the CMMI method yields a Maturity Level of 4.458, which places the evaluation of the university’s academic information system at the Managed and Measurable level. At this level, universities are increasingly open to technological developments; they have applied the quantification concept in each process, and performance in securing academic information systems is always monitored and controlled.


Teknologi, 2021, Vol 11 (1), pp. 1-15
Author(s): Sitta Rif’atul Musyarofah, Rahadian Bisma
The Madiun City Communication and Informatics Service (Diskominfo) is a government institution responsible for managing information and communication technology in the Madiun city government. As a government institution serving and providing information to the public, Diskominfo Madiun City is vulnerable to information security threats that can hinder its performance. The ISO/IEC 27001:2013 Information Security Management System is a system that is expected to provide effective and efficient information security management at Diskominfo Madiun City. This research aims to determine the current conditions and the readiness of Diskominfo Madiun City to achieve ISO/IEC 27001:2013 certification. The gap analysis method is used to determine how far the ISO/IEC 27001:2013 requirements are fulfilled. From the results of the gap analysis, the overall readiness of Diskominfo Madiun City is 71%, with per-clause readiness ranging from 19% to 100%. The highest readiness, 100%, is found for the requirements of clause 4 concerning the organizational context and clause 10 concerning improvement, where all information security requirements have been met. The lowest readiness, 19%, is found for the requirements of clause 6 regarding planning. The results of the gap analysis show the extent to which Diskominfo Madiun City is ready to undergo ISO/IEC 27001:2013 certification, and indicate that Diskominfo Madiun City must improve its readiness by fulfilling the requirements for the information security documents required by the ISO/IEC 27001:2013 standard.


2022, Vol 1 (13), pp. 80-92
Author(s): Nguyễn Mạnh Thiên, Phạm Đăng Khoa, Nguyễn Đức Vượng, Nguyễn Việt Hùng

Abstract (translated from Vietnamese): Today, the task of assessing information security for information systems is important to ensuring information security. Vulnerability assessment/exploitation needs to be carried out regularly and at many different levels for information systems. However, this task faces many difficulties in large-scale deployment due to a shortage of qualified testing experts at the various levels. In this paper, we present research on developing a framework capable of automatically reconnoitering information and automatically selecting modules to exploit a target, based on reinforcement learning technology. In addition, the framework can quickly incorporate new vulnerability exploitation methods, and supports staff responsible for information systems who are not security experts in automatically assessing their own systems, in order to reduce the risk of cyber attacks.

Abstract: Currently, security assessment is one of the most important problems in information security. Vulnerability assessment/exploitation should be performed regularly with different levels of complexity for each information system. However, this task faces many difficulties in large-scale deployment due to the lack of experienced testing experts. In this paper, we propose a framework that can automatically gather information and automatically select suitable modules to exploit the target based on reinforcement learning technology. Furthermore, our framework has integrated many scanning tools and exploitation tools that help pentesters do their work. It can also easily be updated with new vulnerability exploitation techniques.


2019, Vol 32 (2), pp. 1-26
Author(s): Daniel Adrian Doss, Russ Henley, Qiuqi Hong, Trey Pickett

This article examined a variant of the Capability Maturity Model integrated (CMMi) through the lens of advertising process improvement. The population and sample were taken from a national array of U.S. marketing organizations. Using ANOVA, a 0.05 significance level, and a stratification of service marketing organizations versus product marketing organizations, the study showed a statistically significant difference (F(1, 304) = 4.03; p = 0.04; ω² = 0.00) regarding the hypothesis representing the notion that processes were potentially sporadic, chaotic, and ad hoc. This notion corresponded to the first maturity level of the examined process maturity framework. With respect to the Likert-scale data representing the first maturity level, the successive means analysis showed that both service marketing firms (M = 2.99) and product marketing firms (M = 2.74) reported neutrality regarding whether processes were deemed sporadic, chaotic, and ad hoc. Thus, the respondents perceived no evidence of the first maturity level among the queried work settings. Future studies may examine different stratifications of marketing firms (e.g., for-profit versus non-profit; domestic versus international; and so on) to better explore the proposed advertising maturity model.


2017, Vol 23 (2), pp. 21
Author(s): Aris Tundung, Tri Kuntoro Priyambodo, Armaidy Armawi

Abstract: Bureaucratic reforms aim to deliver excellent public services, including civil registration services. The Law on Population Administration states that the use of the Population Administration Information System (SIAK) is one of the government’s efforts to protect the secrecy, integrity and availability of population data in relation to its function as the basis for public services, development planning, budget allocation, democratic development, and law enforcement and crime prevention. The study measures the information technology resilience level by describing the information security management of the Yogyakarta City Civil Registry Service Office (Dindukcapil), the maturity and completeness level of SIAK management, and the SIAK success level. The study uses a mixed method guided by the ISO/IEC 27001 document, the Information Security (INFOSEC) Index form, and a questionnaire prepared under the DeLone and McLean model. Yogyakarta City Dindukcapil has not set up rules and documentation on information security management. The actions taken are reactive and do not refer to overall risk, without a clear flow of authority and control. The study concludes that the SIAK is “Highly Needed” by the Civil Registry Service Office of Yogyakarta City. The completeness level of the information security management areas reaches 312 points out of a maximum of 645 points. These findings place SIAK security management in the “Need Improvement” category. The maturity level of information security management ranges from “Maturity Level I/ Initial Condition” to “Maturity Level II+/ Basic Implementation”. 77.3% of users express a “positive” perception and 1.2% of users reveal a “negative” judgement, which places SIAK in the “Success” information system category.

Abstract (translated from Indonesian): Bureaucratic reform mandates improving the quality and speed of government public services, including population administration services. The Law on Population Administration states that the use of the Population Administration Information System (SIAK) is one of the government’s efforts to manage and protect the confidentiality, integrity and availability of population data in relation to its function as the basis for public services, development planning, budget allocation, democratic development, and law enforcement and crime prevention. The research was conducted to determine the resilience of the SIAK information system through a description of the information security management of Dindukcapil Yogyakarta City, the maturity and completeness level of SIAK management, and the SIAK success level. The research uses a mixed method, employing the ISO/IEC 27001 framework, the calculation instrument in the Indeks KAMI form, and a questionnaire prepared under the updated DeLone and McLean model, which covers Information Quality, System Quality, Service Quality, Use, User Satisfaction, and Net Benefits (DeLone and McLean, 2004: 32). Dindukcapil Yogyakarta City has not drawn up rules and documentation for information security management. The actions taken are reactive and do not refer to overall risk, without a clear flow of authority and oversight. The role of SIAK falls in the “High” category, but the completeness score of its security management standard implementation only reaches 312 out of a total of 645, so SIAK security management falls in the “Needs Improvement” category. The maturity level of security standard implementation ranges from “Maturity Level I/ Initial Condition” to “Maturity Level II+/ Basic Framework Implementation”. The SIAK success level falls in the “Success” category, with 77.3% of users giving a “positive” statement and only 1.2% of users giving a “negative” statement.

