Education is a field that utilizes information technology to support academic and operational activities. One of the technologies widely used in the education sector is web-based applications. Web-based technologies are vulnerable to exploitation by attackers, which highlights the importance of ensuring strong security measures in web-based systems. As an educational organization, Udayana University utilizes a web-based application called OASE. OASE, being a web-based system, requires thorough security verification. Penetration testing is conducted to assess the security of OASE. This testing can be performed using the ISSAF and OSSTMM frameworks. The penetration testing based on the ISSAF framework consists of 9 steps, while the OSSTMM framework consists of 7 steps for assessment. The results of the OASE penetration testing revealed several system vulnerabilities. Throughout the ISSAF phases, only 4 vulnerabilities and 3 information-level vulnerabilities were identified in the final testing results of OASE. Recommendations for addressing these vulnerabilities are provided as follows. Implement a Web Application Firewall (WAF) to reduce the risk of common web attacks in the OASE web application. input and output validation to prevent the injection of malicious scripts addressing the stored XSS vulnerability. Update the server software regularly and directory permission checks to eliminate unnecessary information files and prevent unauthorized access. Configure a content security policy on the web server to ensure mitigation and prevent potential exploitation by attackers.

The proper use of information technology can improve the efficiency and effectiveness of an organization’s performance. The use of information technology in educational institutions also require good governance so as to ensure transparency, efficiency, and effectiveness of any business process that runs on the institutions. Audit is one of the ways that can be done to determine the company’s ability to execute business process in it so that the performance of the process in the company can run better and more effective, and it can also improve the performance of employees. The audit process conducted at Office X aims to evaluate the work program using the COBIT 5 framework as a guide because it already contains four main perspectives, namely the customer perspective, financial perspective, internal business process perspective, and the learning and growth perspective. Results of research conducted at Office X show that the capability level of the four processes in the audit which are APO07 (Manage human resources), BAI02 (Manage requirements definition), BAI04 (Manage availability and capacity), and EDM04 (Ensure resource optimization) achieved by the Office still stop at level 1 and there is still a difference of 4 levels from what is expected by the company so that there needs to be improvements to achieve the specified target level 5.

The application of technology in various fields makes mobility even higher, one of them is by making a website for exchange and manage information. However, with information disclosure causing security and protection issues to be considered. One of the website security techniques can be done by using the penetration testing method to know the vulnerability of the system. This study will implement tools with the Open Source Intelligence concept, namely Maltego as a medium for conducting security testing and using the OWASP version 4 framework as a standardization of steps taken when security test goes on. This study will focus on information gathering security testing of important factor of the X Company's website. The results of testing and analysis with the OWASP version 4 framework with the Testing for Information Gathering module show that the web application system used by X Company has information vulnerability of the used web server version, GET and POST requests, URL systematics, website framework, website builder component, and the outline of the website architecture. The researcher gave several recommendations related to the vulnerability of the website which later can be used by X Company website administrators to improve website security and protection.