International Journal of Civil Engineering and Technology (IJCIET)
Volume 10, Issue 04, April 2019, pp. 137-146, Article ID: IJCIET_10_04_015
Available online at http://www.iaeme.com/ijciet/issues.asp?JType=IJCIET&VType=10&IType=04
ISSN Print: 0976-6308 and ISSN Online: 0976-6316
© IAEME Publication, Scopus Indexed

APPLICATION OF INFORMATION SYSTEMS RISK MANAGEMENT IN PTX

Artika Arista, Lelya Novita Kusumawati and Franky Radiansyah
Information Systems Management Department, Binus Graduate Program, Bina Nusantara University, Jakarta, Indonesia 11530

ABSTRACT
Nowadays, information systems have become a part that is difficult to separate from almost every business process in an institution or organization. Information is an important part of information systems and has to be kept safe from harm caused by threats leading to alteration, wrongful disclosure, non-availability, and loss. One of the companies facing this challenge is PTX, a company in the power plant sector whose duty is to provide electricity for the community. The aim of the research is to identify and analyze the possibility of security violations, recognize the causes that make the system vulnerable, and formulate mitigation strategies to control and minimize the risks. The research applies a practical approach in a real organizational environment using the eight-step activities of the OCTAVE Allegro framework. Carrying out information system risk management at PTX with the OCTAVE Allegro method resulted in 10 (ten) critical information assets, of which Customer service was assessed further. The study presents a chronological information system risk management approach for identifying the possibility of security violations and formulating mitigation strategies.
Key words: Risk Management, Information Systems, OCTAVE Allegro, Information System Risk Management

Cite this Article: Artika Arista, Lelya Novita Kusumawati and Franky Radiansyah, Application of Information Systems Risk Management in Ptx, International Journal of Civil Engineering and Technology, 10(04), 2019, pp. 137–146
http://www.iaeme.com/IJCIET/issues.asp?JType=IJCIET&VType=10&IType=04

1. INTRODUCTION
The development of technology and business is moving rapidly in every industrial sector at this time: agriculture, plantations, textiles, raw materials, oil and gas, automotive, power generation, and others. This movement is inseparable from the role of technology, especially information systems, which support every transaction, decision-making process, reporting and analysis, controlling, and security.

http://www.iaeme.com/IJCIET/index.asp 137 editor@iaeme.com

Organizations are required to develop information systems and information technology that support business operations. Therefore, organizations that want to compete must be able to improve and manage their existing systems to deal with risks, challenges and threats from competitors in each industry sector. Technological involvement in business can improve or damage business processes, depending on the governance process implemented. Attention to information systems security has grown in recent years with increasing complexity and the possibility of a series of disclosures [1]. All organizations are potentially exposed to unknown risks that can harm the organization. Some risks related to information systems include fire, viruses, hackers and others [2]. Beyond these, organizations may suffer potentially severe losses due to external threats (e.g. theft of confidential information, website destruction), internal threats (e.g. fraud, user error) and other intangible effects (e.g. damage to and loss of organizational reputation) [3].

At present, information systems have become a part that is difficult to separate from almost every business process in an institution or organization. Information is an important part of information systems and has to be kept safe from harm caused by threats leading to alteration, wrongful disclosure, non-availability, and loss. Threats comprise intentional changes, fraud, omissions, accidents, and errors. The primary objective of information security is to protect stakeholders' interests by providing confidentiality (information is disclosed only to the right persons), integrity (information is protected against unauthorized alteration), and availability (information systems are available and usable) [4]. Therefore, any kind of harm or threat to the information system can also interrupt the continuity of the institution's business processes. Information systems and their assets are vulnerable to physical and logical risks. Physical risks relate more to the hardware: natural disasters such as floods and earthquakes, as well as other harms such as fires, theft, power surges, unauthorized tampering, vandalism, and bombings. Logical risk refers to alteration, accidental or intentional destruction, and unauthorized access to the information system and its data [5]. Therefore, threats must be identified and risks analyzed to reduce the possibility of damage and improve the organization's security system. One of the companies facing this challenge is PTX, a company in the power plant sector whose duty is to provide electricity for the community. PTX's assets amount to approximately 1,227 trillion Rupiah in physical assets, not including non-physical assets.
PTX has forty-seven (47) main office units engaged in various electricity sectors (including thousands of implementing units and implementing sub-units) and eleven (11) subsidiaries, which together serve around fifty million customers. In order to improve the company's preparedness to face a highly uncertain global, regional and local environment that has the potential to threaten its resources and even its continuity, PTX needs to improve its preparedness to maintain business continuity. The challenges and demands the company will face in the future are increasingly high and can no longer be managed with the paradigm of crisis management (curative action); it must shift to the paradigm of risk management (preventive action). In addition, to keep the company's business management based on prudent operation, every activity needs to be performed under good corporate governance to increase value added for the company. These conditions require all company managers to be aware of the risks faced. Investors and other stakeholders also consider PTX's reputation to be determined, among other things, by the implementation of risk management and the commitment of all company managers to it. In reality, however, the implementation of risk management and its reports are still formalities, not based on real awareness of the need to manage risk. In addition, so far there has been no comprehensive information system risk management and no alignment of the implementation of risk management among organizational elements (e.g. with subsidiaries or between units). Existing controls are also not identified. Mitigation is also less concrete or irrelevant to the risk. Communication and consultation with stakeholders have also not worked well in the risk management process.
At the same time, there are still many officials or employees who do not understand the importance of risk management. This is aggravated by the viewpoint that only the Risk Management Division is in charge of managing the company's risk. Based on the problems described above, a specific method, risk management, is required to assess risk and determine preventive management steps to maintain the stability of the company both internally and externally, as a manifestation of the company's efforts to increase revenue and cost protection. Risk management is a method for identifying risks, including threats to the continuity of a company's business, and for controlling these threats. The purpose of implementing the risk management method at PTX is to improve the quality of existing information systems and applications in order to minimize the risk of loss of company revenue, minimize failed projects, and identify major milestones of concern. In addition, these actions are expected to help the company's internal business processes develop along with good control of every process on an ongoing basis.

2. LITERATURE REVIEW
Information systems are a collection of connected computer devices that collect, process, store and produce output in the form of information that can be used to perform business tasks [6]. Risk is the probability that a threat will affect an information source [7]. The risk management process is a process of identifying a risk, projected through vulnerability analysis of the infrastructure and information assets of an organization, and taking steps that aim to reduce the risk to an acceptable level [8].
Information system risk management adopts the concept of risk from financial management and replaces the unreachable and infinite goal of fully securing information systems with reachable and measurable goals of reducing the risks faced by the information system to acceptable limits [9]. Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) is a collection of techniques, methods and tools for carrying out an information security risk assessment. The framework was developed through the CERT program of the Software Engineering Institute (SEI) of Carnegie Mellon University. The latest version of the OCTAVE framework is OCTAVE Allegro [10]. OCTAVE Allegro describes how to assess risks in an organization, or more specifically for an asset in an organization, using eight steps with various worksheets and questionnaires as guidelines.

Figure 1. OCTAVE Allegro Roadmap [10]

3. RESEARCH METHODOLOGY
The proposed model is based on OCTAVE Allegro, the most popular risk management framework currently in use. The aim of the framework is to measure and assess risk levels quantitatively and thus help the institution understand its security risks. In the OCTAVE Allegro framework, four different activities are carried out through eight steps. The activities are:
1. The organization develops risk measurement criteria in accordance with organizational drivers.
2. The organization establishes critical information asset profiles and identifies the assets' containers.
3. The organization identifies threats and records them in a structured process.
4. The organization identifies and analyzes the risks based on threat information and formulates mitigation strategies to control and minimize the risks.
This research applies a practical approach in a real organizational environment using the eight-step activities of the OCTAVE Allegro framework. The aim of the research is to identify and analyze the possibility of security violations, recognize the causes that make the system vulnerable, and formulate mitigation strategies to control and minimize the risks.

4. RESULTS AND DISCUSSION
Step 1: Establish Risk Measurement Criteria
At this stage, interviews were conducted with representatives of the Information System and Technology Division (DIVSTI) of PTX. From the interviews and discussions, it was found that PTX already had likelihood level criteria and impact level criteria. The impact areas of the OCTAVE Allegro risk measurement criteria were then aligned with the impact areas of PTX's impact level criteria.

Table 1 The Impact Areas Prioritization
PRIORITY  IMPACT AREAS
5         Reputation & Customer Confidence
4         Financial
6         Productivity
3         Safety & Health
2         Fines & Legal Penalties
1         User Defined

Step 2: Develop an Information Asset Profile
In determining the critical information assets of PTX, it is necessary to focus on PTX's core processes, namely:
1. Manage power plant assets.
2. Manage back office transactions.
3. Manage project planning, implementation and evaluation processes.
4. Manage and monitor income.
5. Manage, monitor and evaluate transactions related to customers.
6. Provide information about the current condition of the company.
7. Manage, monitor and evaluate targets and achievement of corporate performance.
8. Manage, monitor and evaluate targets and achievement of individual performance.
9. Manage, monitor and evaluate audit planning, implementation and reporting.
10. Manage, monitor and evaluate the planning and implementation of the procurement of goods and services.
The classified critical assets are:
1. Power plant assets.
2. Back office transactions.
3. Project.
4. Income.
5. Customer service.
6. Website content.
7. Target and achievement of corporate performance.
8. Target and achievement of individual performance.
9. Audit.
10. Procurement of goods and services.

Table 2 Information Asset Profile of Customer service
Critical Asset: Customer service
Rationale for Selection: Customer service is chosen because it relates to the main actor, the customer itself, who is associated with PTX's core process. Customer service includes managing, monitoring and evaluating all transactions related to customers, ranging from applications by new customers to billing, accounts receivable and credit supervision.
Description: These assets consist of data sets related to customer service, such as application transactions for new customers, billing, accounts receivable and credit supervision.
Owner: Information System and Technology Division (DIVSTI)
Security Requirements:
  Confidentiality: Information about customer service has a high level of confidentiality and is very important because it is directly related to aspects of customer service.
  Integrity: This information must be kept accurate because it is used for billing and for the payment information that the customer will act on.
  Availability: This information must be available to the service division, disconnection division, meter reading division, billing division, commercial division, energy transaction division, and so on.
Most Important Security Requirement: Integrity. Customer service data must be correct and up to date because it is correlated with and widely used for various customer service needs, such as billing and repayment of payments. If this data is wrong from the start, it will affect many areas.
Step 3: Identify Information Asset Containers
An information asset container is a place where information assets are stored, transmitted or processed. Containers are classified into 3 (three) categories, as follows:

Table 3 Information Asset Containers (Technical) – Customer service
Information Asset Risk Environment Map (Technical)
Internal
  Container Description: Customer service data is stored in the customer service application, which uses a centralized database. The customer service application provides web interfaces to authorized personnel both for access and for data manipulation. PTX intranet network: all transactions from and to customer profile data pass through this network.
  Owner(s): Information System and Technology Division (DIVSTI)
External
  Container Description: Internet. Electronic customer service data can be accessed via the internet.
  Owner(s): unknown

Table 4 Information Asset Containers (Physical) – Customer service
Information Asset Risk Environment Map (Physical)
Internal
  Container Description: Files and reports related to customer service.
  Owner(s): service division
External
  Container Description: Printable files for customers.
  Owner(s): service division

Table 5 Information Asset Containers (People) – Customer service
Information Asset Risk Environment Map (People)
Internal Personnel
  Name or Role / Responsibility: Service Division Staff
  Department / Unit: Sub Unit Rayon
External Personnel
  Name or Role / Responsibility: -
  Department / Unit: -

Step 4: Identify Areas of Concern
Table 6 Area of Concern – Customer service
No  Area of Concern
1   The possibility of errors when service staff input data.
2   Distribution of the customer service application password by staff who have access.
Step 5: Identify Threat Scenarios
Table 7 Threat Scenarios – Customer service
Area of Concern 1: The possibility of errors when service staff input data.
  Threat Scenario
    Actor: Service division staff
    Means: Staff use the customer service application
    Motives: Accidental (possibility of human error)
    Outcome: Modification, Interruption
    Security Requirements: Add a validation function to the fields entered by the staff. If necessary, conduct training to reduce errors.

Area of Concern 2: Distribution of the customer service application password by staff who have access.
  Threat Scenario
    Actor: Staff from the service division, disconnection division, meter reading division, billing division, commercial division and energy transaction division
    Means: Staff have access to the customer service application
    Motives: Deliberate or accidental password sharing
    Outcome: Disclosure
    Security Requirements: Only authorized personnel have access rights.

Step 6: Identify Risks
Determine how the recorded threat scenarios can impact the organization.

Step 7: Analyze Risks
Steps 6 and 7 are closely related: each area of concern for a given information asset is considered for its possible consequences. In this step, the consequences are determined. Then each impact area is assessed by assigning an impact value of high, medium or low for the organization. After that, the impact area rank is multiplied by the impact value to calculate the impact area score.
Table 8 The score calculation for the impact values of each impact area
Impact Areas                      Priority  Low (1)  Medium (2)  High (3)
Productivity                      6         6        12          18
Reputation & Customer Confidence  5         5        10          15
Financial                         4         4        8           12
Safety & Health                   3         3        6           9
Fines & Legal Penalties           2         2        4           6
User Defined                      1         1        2           3

Table 9 Risk analysis – Customer service
Area of Concern: The possibility of errors when service staff input data.
Consequences: The service division staff or DIVSTI staff have to re-input the data, and time is wasted. Customer satisfaction is reduced due to errors in data input.
Severity
  Impact Area                       Value  Score
  Productivity                      High   18
  Reputation & Customer Confidence  High   15
  Financial                         High   12
  Safety & Health                   Low    3
  Fines & Legal Penalties           Low    2
  User Defined                      Low    1
  Relative Risk Score                      51

Area of Concern: Distribution of the customer service application password by staff who have access.
Consequences: Financial losses due to lack of data integrity and accuracy. Additional effort is needed for DIVSTI staff to trace data modified without authorization. Public and customer perceptions of PTX will be negative if customers' sensitive information is disseminated. If a customer takes the matter to court, it will cause fines and possible lawsuits for PTX.
Severity
  Impact Area                       Value   Score
  Productivity                      High    18
  Reputation & Customer Confidence  High    15
  Financial                         High    12
  Safety & Health                   Low     3
  Fines & Legal Penalties           Medium  4
  User Defined                      Low     1
  Relative Risk Score                       53

Step 8: Select Mitigation Approach
The identified risks are sorted by risk score.

Table 10 Relative Risk Matrix
RISK SCORE  49 TO 63  35 TO 48  21 TO 34
            Pool 1    Pool 2    Pool 3

The next activity is deciding the mitigation approach based on the pool from the Relative Risk Matrix.
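Steps 6 to 8 as a small calculation, added here as a worked example and not taken from the paper: it reproduces the impact area scores of Table 8, the two relative risk scores of Table 9, the pool assignment of Table 10 and the pool-to-approach mapping of Table 11, using only the figures printed in the paper. It goes slightly beyond the paper by rejecting incomplete ratings and scores that Table 8 cannot produce, which is where a worksheet filled in by hand most often goes wrong.

```python
"""OCTAVE Allegro steps 6 to 8 for the PTX customer service asset.

Added worked example, not code from the paper. It reproduces Table 8
(impact area score = priority rank x impact value), the relative risk
scores of Table 9, the pools of Table 10 and the approach of Table 11.
"""

# Table 1 / Table 8: impact areas with the priority rank PTX assigned.
IMPACT_AREA_PRIORITY = {
    "Productivity": 6,
    "Reputation & Customer Confidence": 5,
    "Financial": 4,
    "Safety & Health": 3,
    "Fines & Legal Penalties": 2,
    "User Defined": 1,
}

# Table 8: impact value for each severity level.
IMPACT_VALUE = {"Low": 1, "Medium": 2, "High": 3}

# Table 10: inclusive relative risk score ranges and their pool number.
RISK_POOLS = ((49, 63, 1), (35, 48, 2), (21, 34, 3))

# Table 11: mitigation approach for each pool.
MITIGATION_APPROACH = {1: "Mitigate", 2: "Mitigate or Defer", 3: "Accept"}


def impact_area_score(area, severity):
    """One cell of Table 8: priority rank multiplied by impact value."""
    return IMPACT_AREA_PRIORITY[area] * IMPACT_VALUE[severity]


def relative_risk_score(severities):
    """Sum of the impact area scores (Table 9); every area must be rated."""
    missing = set(IMPACT_AREA_PRIORITY) - set(severities)
    if missing:
        raise ValueError(f"unrated impact areas: {sorted(missing)}")
    return sum(impact_area_score(a, s) for a, s in severities.items())


def risk_pool(score):
    """Pool from Table 10. Table 8 can only produce scores 21..63, so any
    other value means a rating was entered wrongly, not a real risk."""
    for low, high, pool in RISK_POOLS:
        if low <= score <= high:
            return pool
    raise ValueError(f"score {score} is outside the attainable range 21..63")


def assess(severities):
    """Steps 6 to 8 for one area of concern: score, pool and approach."""
    score = relative_risk_score(severities)
    pool = risk_pool(score)
    return {"score": score, "pool": pool, "approach": MITIGATION_APPROACH[pool]}


# Table 9, area of concern 1: input errors by service staff.
INPUT_ERROR_SEVERITIES = {
    "Productivity": "High", "Reputation & Customer Confidence": "High",
    "Financial": "High", "Safety & Health": "Low",
    "Fines & Legal Penalties": "Low", "User Defined": "Low",
}
# Table 9, area of concern 2: password sharing; only Fines & Legal differs.
PASSWORD_SHARING_SEVERITIES = {**INPUT_ERROR_SEVERITIES,
                               "Fines & Legal Penalties": "Medium"}

if __name__ == "__main__":
    for name, sev in (("input errors", INPUT_ERROR_SEVERITIES),
                      ("password sharing", PASSWORD_SHARING_SEVERITIES)):
        print(f"{name}: {assess(sev)}")  # scores 51 and 53, both Pool 1
```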
Table 11 Mitigation Approach
POOL  Mitigation Approach
1     Mitigate
2     Mitigate or Defer
3     Accept

Table 12 Risk Mitigation – Customer service
Area of Concern: The possibility of errors when service staff input data.
Relative Risk Score: 51
Pool: Pool 1
Action: Mitigate
Container: Customer service application; staff from the service division, disconnection division, meter reading division, billing division, commercial division and energy transaction division
Control: Add notification for validation of entries in the input fields. Each field must be validated before execution proceeds to the next process / page. Immediately correct invalid data once it is known that an error has occurred.

Area of Concern: Distribution of the customer service application password by staff who have access.
Relative Risk Score: 53
Pool: Pool 1
Action: Mitigate
Container: Customer service application; staff from the service division, disconnection division, meter reading division, billing division, commercial division and energy transaction division
Control: If the application is idle for more than five minutes, it automatically logs out. Passwords are changed periodically. Use / activate the customer service application transaction log. All relevant staff must sign a non-disclosure agreement. Educate the related staff.

5. CONCLUSIONS
Carrying out information system risk management at PTX with the OCTAVE Allegro method resulted in 10 (ten) critical information assets, of which Customer service was assessed further. According to the results of the assessment, errors in data input and distribution of the customer service application password both receive the highest priority for handling and need to be mitigated with the mitigation strategies or control actions offered.

REFERENCES
[1] V. K. Maram, M. S. K. B, and B. H. S, "A Study of Risk Management of an Information System by Assessing Threat, Vulnerability and Countermeasure," Int. J. Adv. Res. Comput. Sci. Softw. Eng., vol. 2, no. 12, pp. 51–53, 2012.
[2] N. Mathur, H. Mathur, and T. Pandya, "Risk Management in Information System of Organisation: A Conceptual Framework," Int. J. Nov. Res. Comput. Sci. Softw. Eng., vol. 2, no. 1, pp. 82–88, 2015.
[3] P. Shedden, T. Ruighaver, and A. Ahmad, "Risk management standards – the perception of ease of use," J. Inf. Syst. Secur., vol. 6, no. 3, pp. 23–41, 2010.
[4] S. Gupta and A. K. Saini, "Information System Security and Risk Management: Issues and Impact on Organizations," Glob. J. Enterp. Inf. Syst., vol. 5, no. 1, pp. 31–35, 2013.
[5] A.-M. Suduc, M. Bizoi, and F. G. Filip, "Audit for Information Systems Security," Inform. Econ., vol. 14, no. 1, pp. 43–48, 2010.
[6] J. W. Satzinger, R. B. Jackson, and S. D. Burd, Systems Analysis and Design in a Changing World, Seventh Edition. Boston: Cengage Learning, 2016.
[7] R. K. Rainer Jr., B. Prince, and C. Cegielski, Introduction to Information Systems: Supporting and Transforming Business, Fifth Edition. John Wiley & Sons, 2014.
[8] M. E. Whitman and H. J. Mattord, Principles of Information Security, Fourth Edition. Boston: Cengage Learning, 2012.
[9] J. R. Vacca, Computer and Information Security, Second Edition. Morgan Kaufmann, 2013.
[10] R. A. Caralli, J. F. Stevens, L. R. Young, and W. R. Wilson, "Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process," 2007.