I Gede Ary Suta Sanjaya; Gusti Made Arya Sasmita; Dewa Made Sri Arsa

Information Technology Risk Management Using ISO 31000 Based on ISSAF Framework Penetration Testing (Case Study: Election Commission of X City)

Full Text (PDF, 475KB), PP.30-40

Views: 0 Downloads: 0

Author(s)

I Gede Ary Suta Sanjaya ^1,* Gusti Made Arya Sasmita ¹ Dewa Made Sri Arsa ¹

1. Department of Information Technology, Faculty of Engineering, Universitas Udayana, Indonesia

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2020.04.03

Received: 3 Apr. 2020 / Revised: 25 Apr. 2020 / Accepted: 2 May 2020 / Published: 8 Aug. 2020

Index Terms

ISO 31000 Framework, ISSAF Framework, Penetration Testing, Risk Management, Website

Abstract

Election Commission of X City is an institution that serves as the organizer of elections in the X City, which has a website as a medium in the delivery of information to the public and as a medium for the management and structuring of voter data in the domicile of X City. As a website that stores sensitive data, it is necessary to have risk management aimed at improving the security aspects of the website of Election Commission of X City. The Information System Security Assessment Framework (ISSAF) is a penetration testing standard used to test website resilience, with nine stages of attack testing which has several advantages over existing security controls against threats and security gaps, and serves as a bridge between technical and managerial views of penetration testing by applying the necessary controls on both aspects. Penetration testing is carried out to find security holes on the website, which can then be used for assessment on ISO 31000 risk management which includes the stages of risk identification, risk analysis, and risk evaluation. The main findings of this study are testing a combination of penetration testing using the ISSAF framework and ISO 31000 risk management to obtain the security risks posed by a website. Based on this research, obtained the results that there are 18 security gaps from penetration testing, which based on ISO 31000 risk management assessment there are two types of security risks with high level, eight risks of medium level security vulnerabilities, and eight risks of security vulnerability with low levels. Some recommendations are given to overcome the risk of gaps found on the website.

Cite This Paper

I Gede Ary Suta Sanjaya, Gusti Made Arya Sasmita, Dewa Made Sri Arsa, "Information Technology Risk Management Using ISO 31000 Based on ISSAF Framework Penetration Testing (Case Study: Election Commission of X City)", International Journal of Computer Network and Information Security(IJCNIS), Vol.12, No.4, pp.30-40, 2020. DOI:10.5815/ijcnis.2020.04.03

Reference

[1]J. N. Goel and B. M. Mehtre, “Vulnerability Assessment & Penetration Testing as a Cyber Defence Technology,” Procedia Comput. Sci., vol. 57, pp. 710–715, 2015.
[2]J. Doshi, “Comparison of Vulnerability Assessment and Penetration Testing,” no. June 2017, 2015.
[3]F. R. Mahtuf, P. Hatta, and E. S. Wihidiyat, “Pengembangan Laboratorium Virtual untuk Simulasi Uji Penetrasi Sistem Keamanan Jaringan,” JOINTECS (Journal Inf. Technol. Comput. Sci., vol. 4, no. 1, p. 17, 2019.
[4]U. Nugraha and R. Istambul, “Implementation of ISO 31000 for information technology risk management in the government environment,” Int. J. Innov. Creat. Chang., vol. 6, no. 5, pp. 219–231, 2019.
[5]I. Riadi, S. Sunardi, and E. Handoyo, “Security Analysis of Grr Rapid Response Network using COBIT 5 Framework,” Lontar Komput. J. Ilm. Teknol. Inf., vol. 10, no. 1, p. 29, 2019.
[6]M. Z. Hussain, M. Z. Hasan, M. Taimoor, and A. Chughtai, “Penetration Testing In System Administration,” Int. J. Sci. Technol. Res., vol. 6, no. 6, pp. 275–278, 2017.
[7]A. G. Bacuido, X. Yuan, B.-T. B. Chu, and M. Jones, “An overview of penetration testing,” Int. J. Digit. Crime Forensics, vol. 6, no. 4, pp. 50–74, 2014.
[8]M. Mirjalili, A. Nowroozi, and M. Alidoosti, “A Survey on Web Penetration Test,” Adv. Comput. Sci., vol. 3, no. 6, pp. 107–121, 2014.
[9]A. Wiradharma and A. Sasmita, “IT Risk Management Based on ISO 31000 and OWASP Framework using OSINT at the Information Gathering Stage ( Case Study : X Company ),” no. December, pp. 17–29, 2019.
[10]K. Nagendran, A. Adithyan, R. Chethana, P. Camillus, and K. B. Bala Sri Varshini, “Web application penetration testing,” Int. J. Innov. Technol. Explor. Eng., vol. 8, no. 10, pp. 1029–1035, 2019.
[11]E. Pratama and A. Wiradharma, “Open Source Intelligence Testing Using the OWASP Version 4 Framework at the Information Gathering Stage ( Case Study : X Company ),” Int. J. Comput. Netw. Inf. Secur., no. July, pp. 8–12, 2019.
[12]A. Lubis and A. Tarigan, “Security Assessment of Web ApplicationThrough Penetration System Techniques,” Jend. Gatot Subroto Km, vol. 4, no. 100, pp. 296–303, 2017.
[13]B. V. Tarigan, A. Kusyanti, and W. Yahya, “Analisis Perbandingan Penetration Testing Tool Untuk Aplikasi Web,” J. Pengemb. Teknol. Inf. dan Ilmu Komput., vol. 1, no. 3, pp. 206–214, 2017.
[14]N. Z. Firdaus and Suprapto, “Evaluasi Manajemen Risiko Teknologi Informasi Menggunakan COBIT 5 IT Risk ( Studi Kasus : PT . Petrokimia Gresik ),” J. Pengemb. Teknol. Inf. dan Ilmu Komput., vol. 2, no. 1, pp. 91–100, 2018.
[15]H. Očevčić, K. Nenadić, K. Šolić, and T. Keser, “The impact of information system risk management on the frequency and intensity of security incidents,” Int. J. Electr. Comput. Eng. Syst., vol. 8, no. 2, pp. 41–46, 2017.
[16]P. Sukapto, J. D. . Desena, P. K. Ariningsih, and S. Susanto, “Integration of Risk Engineering by ISO 31000 and Safety Engineering: A Case Study in a Production Floor of Sport Footwear Industry in Indonesia,” Int. J. Simulation, Syst. Sci. Technol., pp. 1–12, 2008.
[17]B. Ratore et al., Information System Security Assessment Framework (ISSAF) Draft 0.2.1B. OISSG, 2005.
[18]R. H. Hutagalung, L. E. Nugroho, and R. Hidayat, “Analisis Uji Penetrasi Menggunakan ISSAF,” Hacking Digit. Forensics Expo., pp. 32–40, 2017.
[19]C. Lalonde and O. Boiral, “Managing risks through ISO 31000: A critical analysis,” Risk Manag., vol. 14, no. 4, pp. 272–300, 2012.
[20]Nice and Imbar, “Analisis Risiko Teknologi Informasi pada Lembaga Penerbangan dan Antariksa Nasional (LAPAN) pada Website SWIFTS Menggunakan ISO 31000,” J. Inform. dan Sist. Inf. Univ. Ciputra, vol. 2, no. 2, 2016.
[21]H. T. I. Driantami, Suprapto, and A. R. Perdanakusuma, “Analisis Risiko Teknologi Informasi Menggunakan ISO 31000 ( Studi kasus : Sistem Penjualan PT Matahari Department Store Cabang Malang Town Square ),” J. Pengemb. Teknol. Inf. dan Ilmu Komput., vol. 2, no. 11, pp. 4991–4998, 2018.
[22]A. N. Rilyani, Y. AW Firdaus, and D. D. Jatmiko, “Analisis Risiko Teknologi Informasi Berbasis Risk Management Menggunakan ISO 31000,” e-Proceeding Eng., vol. 2, no. 2, pp. 1–8, 2015.

International Journal of Computer Network and Information Security (IJCNIS)