Analisa Risiko Pengelolaan Data, Keamanan Sistem, Dan Pengelolaan Vendor TI Di PT. X

Procurement Department in PT. X is a department from a manufacturing company based in Surabaya, it provides needs of all departments in PT. X. Information Technology in Procurement is completely utilized to support the company\u27s business activities and processes. However, this company has not done any risk assessment, that might causing the company does not know what impact that might occur that can choke Procurement\u27s performance. Therefore, a risk assessment is required to analyze the risk factors that could interfere Procurement\u27s business processes and provide a response to the most critical risks.This research is about to assess risks that might have happened in Information Technology and Procurement\u27s business processes. The steps in this risk assessment are using COBIT 4.1 standard to define the processes in the analysis, ISO 31000 as a framework in risk assessment steps, and Risk Rating Methodology OWASP as a reference for valuation and risk calculations. Based on the interview that has done, 14 risk factors have been found in PT. X Procurement. Some of them are data contracts is not stored in a database system, no written agreement regarding to devoted vendor PIC to handle related project, company does not have any contingency plan if there is a problem in the manufacture of goods/services by the vendor, Procurement has not performed IT risk assessment yet, so there is no analysis of the events might occur, no special documentation such as risk recording of each vendor, no uniformity of vendors progress report format so their points of information might not delivered completely, and no requirement for vendors to provide vendor reporting progress.The proposed response to the company are company should copy the contract and scan then store it into the system, identify and document the individuals involved in the project, providing a contingency plan in case either party to cancel the contract before the end of the contract period, make IT risk assessment, taking notes or special documentation related risk will each vendor, make format report for vendor reporting progress, and regularly schedule communication between Procurement and vendors to discuss the vendor progress