
    ANALYSIS OF RELIGIOUS COURT INFORMATION SECURITY RISK MANAGEMENT USING THE OCTAVE ALLEGRO METHOD (CASE STUDY OF KEDIRI CITY)

    Ease of access can be both a benefit and a drawback for any information system application, because it increases the possibility of someone hacking the information system. Therefore, a risk assessment of information systems is needed to identify and understand the risks involved in accessing them. One risk assessment method that analyzes the risk profile of information assets is the OCTAVE Allegro method. The purpose of this study was to determine the results of the analysis of security risk management of the information systems at the Religious Court of Kediri City. The recommendation process is a follow-up to the risk assessment in the form of controls from ISO/IEC 27002:2013, focusing on clause 9, Access Control. This research uses a literature study approach. The literature review was carried out by looking for references on information security risk management analysis using the OCTAVE Allegro method, research material books and research journals to assist in the preparation of this research proposal. The theory taken from the references mainly refers to the OCTAVE Allegro method. Based on the results of the research conducted, the researchers identified 10 areas of attention that will be given control recommendations based on ISO/IEC 27002:2013.

    Recommendation for the Design of an Information Security Management System (ISMS) Using the AHP-TOPSIS Method Based on ISO/IEC 27001:2005 (Case Study: PT PJB SERVICES)

    PT. PJB Services is a company established to meet the needs of business lines in providing operation and maintenance services for power generation units. Information security management at PT. PJB Services has so far been based only on basic security practices that went through an improvement process without any guiding standard. The company tends to improve information security based on the trends current at the time or when an incident related to information security occurs. Without good and sustainable information security management, the company is highly vulnerable to existing information security threats. On that basis, this research focuses on recommendations for designing an Information Security Management System (ISMS) for PT PJB Services, specifically in the Information Technology (IT) Division. An ISMS is a management system based on an information asset risk approach to establish, implement, operate, monitor, review, maintain and improve information security. This research combines the use of AHP-TOPSIS with ISO/IEC 27001:2005 as the basis for the ISMS design. The assessment process uses ISO/IEC 27001:2005; from the audit results, controls are obtained together with handling methods based on several criteria of the risks, after which a recommendation process is carried out using the AHP-TOPSIS method to obtain control priorities for handling information security. As a result of this research, 45 information assets and 224 risks were identified. The recommended control priorities according to the results of this research are Security Policy, Organization of Information Security, Human Resource Policy, Physical and Environmental Security, Communications and Operations Management, Access Control, Information Security Incident Management, Asset Management, and Information Systems Acquisition, Development and Maintenance.

    Report on a review of selected general and application controls over the University of Northern Iowa’s tuition and fees system for the period May 24, 2007 through July 3, 2007


    The RFID PIA – developed by industry, agreed by regulators

    This chapter discusses the privacy impact assessment (PIA) framework endorsed by the European Commission on February 11th, 2011. This PIA, the first to receive the Commission's endorsement, was developed to deal with privacy challenges associated with the deployment of radio frequency identification (RFID) technology, a key building block of the Internet of Things. The goal of this chapter is to present the methodology and key constructs of the RFID PIA Framework in more detail than was possible in the official text. RFID operators can use this article as a support document when they conduct PIAs and need to interpret the PIA Framework. The chapter begins with a history of why and how the PIA Framework for RFID came about. It then proceeds with a description of the endorsed PIA process for RFID applications and explains in detail how this process is supposed to function. It provides examples discussed during the development of the PIA Framework. These examples reflect the rationale behind and evolution of the text's methods and definitions. The chapter also provides insight into the stakeholder debates and compromises that have important implications for PIAs in general.
    Series: Working Papers on Information Systems, Information Business and Operation

    Security models for trusting network appliances

    A significant characteristic of pervasive computing is the need for secure interactions between highly mobile entities and the services in their environment. Moreover, these decentralised systems are also characterised by partial views over the state of the global environment, implying that we cannot guarantee verification of the properties of a mobile entity entering an unfamiliar domain. Secure in this context encompasses both the need for cryptographic security and the need for trust, on the part of both parties, that the interaction is functioning as expected. In this paper we make a broad assumption that trust and cryptographic security can be considered as orthogonal concerns (i.e. cryptographic measures do not ensure transmission of correct information). We assume the existence of reliable encryption techniques and focus on the characteristics of a model that supports the management of the trust relationships between two devices during ad-hoc interactions.

    Stolen identity: regulating the illegal trade in personal data in the ‘data-based society’

    In May 2006, the UK Information Commissioner’s Office (ICO) presented a report to Parliament entitled What Price Privacy? The report highlighted the extent of the illegal trade in personal data. Arguing that the risk of security breaches had increased largely as a result of the rise of the ‘data-based society’, the ICO called for a change in the legislation to permit jail sentences of up to two years in respect of offences under section 55 of the Data Protection Act 1998. In February 2007, the UK government stated its intention to adopt that recommendation. This paper examines the current UK policy approach to regulating the illegal flow of personal information, and the lead taken by the UK Information Commissioner. Reference is made to the ‘privacy toolbox’, where data protection legislation is combined with measures such as codes of practice and privacy impact assessments (PIAs). Comparisons are made with the work of overseas regulators. In addition, the current regulatory framework regarding section 55 offences is examined, with the author attending an ICO prosecution hearing in December 2006. The paper concludes by arguing that a greater emphasis needs to be placed on the assessment of privacy risks posed, in particular, by the expansion and proposed merger of government databases. Adoption of PIAs could help achieve this.

    Assessing Security Risk to a Network Using a Statistical Model of Attacker Community Competence

    We propose a novel approach for statistical risk modeling of network attacks that lets an operator perform risk analysis using a data model and an impact model on top of an attack graph in combination with a statistical model of the attacker community's exploitation skill. The data model describes how data flows between nodes in the network -- how it is copied and processed by software and hosts -- while the impact model models how exploitation of vulnerabilities affects the data flows with respect to the confidentiality, integrity and availability of the data. In addition, by assigning a loss value to a compromised data set, we can estimate the cost of a successful attack. The statistical model lets us incorporate real-time monitoring data from a honeypot in the risk calculation. The exploitation skill distribution is inferred by first classifying each vulnerability into a required exploitation skill-level category, then mapping each skill level into a distribution over the required exploitation skill, and last applying Bayesian inference over the attack data. The final security risk is thereafter computed by marginalizing over the exploitation skill.

    A formal model of trust lifecycle management

    The rapid development of collaborative environments over the internet has highlighted new concerns over security and trust in such global computing systems. The global computing infrastructure poses an issue of uncertainty about potential collaborators. Reaching a trusting decision in such environments encompasses both risk and trust assessments. While much work has been done in terms of modelling trust, the management of trust lifecycle issues with consideration of both trust and risk is less examined. Our previous work addressed the dynamic aspects of the trust lifecycle with a consideration of trust formation, exploitation, and evolution. In this paper we provide an approach for formalizing these aspects. As part of the formalization of the trust lifecycle, we introduce a notion of attraction to model the effect of new pieces of evidence on our opinion. The formalization described in this paper constitutes the basis of ongoing work to investigate the properties of the model.