Maturity Framework Analysis ISO 27001: 2013 on Indonesian Higher Education

  • Authors

    • IGN Mantra Perbanas Institute Jakarta
    • Aedah Abd. Rahman
    • Hoga Saragih
    2020-04-18
    https://doi.org/10.14419/ijet.v9i2.30581
  • Information Security Management System, Information Security Maturity, ISO 27001, 2013.
  • Abstract

    Information Security Management System (ISMS) implementation in Institution is an effort to minimize information security risks and threats such as information leakage, application damage, data loss and declining IT network performance. The several incidents related to information security have occurred in the implementation of the Academic System application in Indonesian higher education. This research was conducted to determine the maturity level of information security practices in Academic Information Systems at universities in Indonesia. The number of universities used as research samples were 35 institutions. Compliance with the application of ISO 27001:2013 standard is used as a reference to determine the maturity level of information system security practices. Meanwhile, to measure and calculate the level of maturity using the SSE-CMM model. In this research, the Information System Security Index obtained from the analysis results can be used as a tool to measure the maturity of information security that has been applied. There are six key areas examined in this study, namely the role and importance of ICT, information security governance, information security risk management, information security management framework, information asset management, and information security technology. The results showed the level of information security maturity at 35 universities was at level 2 Managed Process and level 3 Established Process. The composition is that 40% of universities are at level 3, and 60% are out of level 3. The value of the gap between the value of the current maturity level and the expected level of maturity is varied for each clause (domain). The smallest gap (1 level) is in clause A5: Information Security Policy, clause A9: Access Control, and clause A11: Physical and environmental security. The biggest gap (4 levels) is in clause A14: System acquisition, development and maintenance and clause A18: compliance.

     

     

     

  • References

    1. [1] Afrianto, Irawan, Taryana Suryana, dan Sufa'atin. 2015. Pengukuran dan Evaluasi Keamanan Informasi Menggunakan Indeks KAMI – SNI ISO/IEC 27001:2009 -Studi Kasus Perguruan Tinggi X. Bandung: Universitas Komputer Indonesia. https://doi.org/10.31937/si.v6i1.278.

      [2] Badan Standardisasi Nasional. 2009. SNI ISO/IEC 27001:2009 Teknologi Informasi – Teknik Keamanan – Sistem Manajemen Keamanan Informasi – Persyaratan. Jakarta: Badan Standardisasi Nasional – BSN

      [3] BSI UK (2014) ‘Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013’. United Kingdom: BSI.

      [4] Candiwan, M. Y. D., & Priyadi, Y. (2016). Analysis of Information Security Audit Using ISO 27001: 2013 & ISO 27002: 2013 at IT Division-X Company, In Bandung, Indonesia. International Journal of Basic and Applied Science, 4(04), 77-88.

      [5] ISACA. A Business Framework for the Governance and Management of Enterprise IT. United States of America: ISACA, 2012.

      [6] ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements. International organization for standardization

      [7] Jennings, M. D. (2000). Gap analysis: Concepts, methods, and recent results. Landscape Ecology, 15(1), 5–20. https://doi.org/10.1023/A:1008184408300.

      [8] Kurniawan, Endang & Riadi, Imam. Security Level Analysis of Academic Information Systems Based On Standard Iso 27002: 2013 Using SSE-CMM. International Journal of Computer Science and Information Security (IJCSIS), Vol. 16, No. 1, January 2018, 139-147

      [9] Kusuma, R. A. (2014) Audit Keamanan Sistem Informasi Berdasarkan Standar SNI-ISO 27001. Yogyakarta.

      [10] Nasser, A. A. (2017). Information security gap analysis based on ISO 27001: 2013 standard: A case study of the Yemeni Academy for Graduate Studies, Sana'a, Yemen. Int. J. Sci. Res. in Multidisciplinary Studies Vol, 3, 11.

      [11] Nurbojatmiko, A. Susanto and E. Shobariah, "Assessment of ISMS based on standard ISO/IEC 27001:2013 at DISKOMINFO Depok City," 2016 4th International Conference on Cyber and IT Service Management, Bandung, 2016, pp. 1-6. https://doi.org/10.1109/CITSM.2016.7577471.

      [12] Proença, D., & Borbinha, J. (2018, July). Information security management systems-a maturity model based on ISO/IEC 27001. In International Conference on Business Information Systems (pp. 102-114). Springer, Cham. https://doi.org/10.1007/978-3-319-93931-5_8.

      [13] Rukh, L., & Malik, A. A. (2017, April). Swiss army knife of software processes generic framework of ISO 27001 and its mapping on resource management. In 2017 International Conference on Communication Technologies (ComTech) (pp. 12-15). IEEE. https://doi.org/10.1109/COMTECH.2017.8065742.

      [14] Silanegara, Indra & Bayu Adhi Tama. 2015. Strategi Pemilhan Kontraktor Perangkat Lunak Dengan Memanfaatkan Pengetahuan Terhadap Capability Maturity Model Integration for development (CMMI for Dev).

      [15] Suwito M.H., Matsumoto S., Kawamoto J., Gollmann D., Sakurai K. (2016) An Analysis of IT Assessment Security Maturity in Higher Education Institution. In: Kim K., Joukov N. (eds) Information Science and Applications (ICISA) 2016. Lecture Notes in Electrical Engineering, vol 376. Springer, Singapore. https://doi.org/10.1007/978-981-10-0557-2_69.

  • Downloads

  • How to Cite

    Mantra, I., Abd. Rahman, A., & Saragih, H. (2020). Maturity Framework Analysis ISO 27001: 2013 on Indonesian Higher Education. International Journal of Engineering & Technology, 9(2), 429-436. https://doi.org/10.14419/ijet.v9i2.30581

    Received date: 2020-04-01

    Accepted date: 2020-04-10

    Published date: 2020-04-18