Uploaded by IAEME PUBLICATION

APPLICATION OF INFORMATION SYSTEMS RISK MANAGEMENT IN PTX

advertisement
International Journal of Civil Engineering and Technology (IJCIET)
Volume 10, Issue 04, April 2019, pp. 137-146, Article ID: IJCIET_10_04_015
Available online at http://www.iaeme.com/ijciet/issues.asp?JType=IJCIET&VType=10&IType=04
ISSN Print: 0976-6308 and ISSN Online: 0976-6316
© IAEME Publication
Scopus Indexed
APPLICATION OF INFORMATION SYSTEMS
RISK MANAGEMENT IN PTX
Artika Arista, Lelya Novita Kusumawati and Franky Radiansyah
Information Systems Management Department, Binus Graduate Program, Bina Nusantara
University, Jakarta, Indonesia 11530
ABSTRACT
Nowadays, information systems have become a difficult part to separate in almost
every business process in an institution or organization. Information becomes an
important part of information systems that have to kept safe from harm because of
threats leading to alteration, wrongful disclosure, non-availability, and loss. One of the
companies that faced the challenge was PTX. PTX is a company engaged in the power
plants sector which have the duty to provide electricity for the community. The aim of
the research is to identify and analyze the possibility of security violations, realize the
causes that make the system vulnerable and formulate mitigation strategies to control
and minimize the risks. This research performs practical approach in real organization
environment using eight steps activities from the OCTAVE Allegro framework. Using
the OCTAVE Allegro method to carry out information system risk management at PTX,
is resulting 10 (ten) critical information assets. Furthermore, Customer service are
continued to be assessed. The study represents an information system risk management
chronological approach for identifying the possibility of security violations and
formulating mitigation strategies.
Key words: Risk Management, Information Systems, OCTAVE Allegro, Information
System Risk Management
Cite this Article: Artika Arista, Lelya Novita Kusumawati and Franky Radiansyah,
Application of Information Systems Risk Management in Ptx, International Journal of
Civil Engineering and Technology, 10(04), 2019, pp. 137–146
http://www.iaeme.com/IJCIET/issues.asp?JType=IJCIET&VType=10&IType=04
1. INTRODUCTION
The development of technology and business is moving massively in every industrial sector in
the agricultural, plantation, textile, raw materials, oil and gas, automotive, power generation,
and other sectors at this time. The movement is inseparable from the role of technology,
especially the information system to support every transaction, decision-making process,
reporting and analysis, controlling, and security.
http://www.iaeme.com/IJCIET/index.asp
137
[email protected]
Artika Arista, Lelya Novita Kusumawati and Franky Radiansyah
Organizations are required to be able to develop information systems and information
technology that support business operations. Therefore, organizations that willing to compete
must be able to improve and manage the existing systems to deal with risks, challenges and
threats from all competitors in each industry sector. Technological involvement in business can
increase or damage business processes depending on the governance process implemented.
The information systems security attention has grown in recent years with increasing
complexity and the possibility of a series of disclosures [1]. All organizations have the potential
to be exposed to unknown risks and can harm the organization. Some risks related to
information systems include fire, viruses, hackers and others [2]. The other risks, organizations
will suffer potentially severe losses due to external threats (e.g. theft of confidential
information, website destruction), internal threats (e.g. fraud, user error) and other intangible
effects (e.g. damage and loss of organizational reputation) [3].
At present, information systems have become a difficult part to separate in almost every
business process in an institution or organization. Information becomes an important part of
information systems that have to kept safe from harm because of threats leading to alteration,
wrongful disclosure, non-availability, and loss. Threats comprise intentional changes, fraud,
omissions, accidents, and errors. The primary objective of information security is to protect the
stakeholders interest by providing confidentiality (information disclosure to the righteous
persons), integrity (information is protected against unauthorized alteration), and availability
(make sure the information systems are available and usable) [4]. Therefore, any kind of harm
or threat to the information system can also interrupt the business process continuity of the
institution.
Information systems and their assets are vulnerable to physical and logical risks. The
physical risks, which are related more with the hardware such as natural disasters, for example
floods and earthquakes, as well as other possibility of harms such as fires, theft, power surges,
unauthorized tampering, vandalism, and bombings. Logical risk refers to alteration, accidental
or intentional destruction and unauthorized access of the information system and data [5].
Therefore, it is required to identify threats and analyze the risks to reduce the damage
possibilities and improve organization security system.
One of the companies that faced the challenge was PTX. PTX is a company engaged in the
power plants sector which have the duty to provide electricity for the community. PTX assets
amount to approximately 1,227 trillion Rupiah in the form of physical assets and not including
non-physical assets. PTX has forty-seven (47) main office units engaged in various electricity
sectors (including thousands of implementing units and implementing sub-units) and eleven
(11) subsidiaries which have around fifty million customers.
In order to improve the preparedness of the company to face of highly uncertainty of global,
regional and local environment that has the potential to threaten resources and even the
continuity of the company, PTX requires to improve preparedness to maintain the continuity
of its business. The challenges and demands faced by the company in the future are increasingly
high, and it can no longer be managed with the paradigm of crisis management (curative
action), but must shift to the risk management (preventive action) paradigm. In addition, to
keep the company business management based on prudent operation, every activity needs to
be performed as a good corporate governance to increase value added for the company. The
above conditions require all company managers to be aware of the risks faced.
Other investors and stakeholders also considered PTX's reputation (one of them)
determined by the implementation of risk management and the commitment of all company
managers to risk management. But in reality, the implementation of risk management and its
reports are still formalities, not based on real awareness to manage risk. In addition, so far there
http://www.iaeme.com/IJCIET/index.asp
138
[email protected]
Application of Information Systems Risk Management in Ptx
has been no comprehensive information system risk management and there has been no
alignment of the implementation of risk management among organizational elements (e.g. with
Subsidiaries or between Units). Existing controls are also not identified. Mitigation is also less
concrete or irrelevant to the risk. Communication and consultation with stakeholders also have
not worked well in the risk management process. On the one hand, there are still many officials
or employees who do not understand the importance of risk management. This is aggravated
by the viewpoint that only the Risk Management Division is in charge of managing the
company's risk.
Based on the explanation of the problems described above, a special method called risk
management is required to assess risk and determine preventive management steps to maintain
the stability of the company both internally and externally, as a manifestation of the company's
efforts to increase revenue and cost protection. Risk management is a method for identifying
risks including threats to the continuity of a company's business and how to control these
threats. The purpose of implementing the risk management method at PTX is to improve the
quality of existing information systems and applications in order to minimize the risk of loss
of company revenue and minimize projects that fail and identify major milestones of concern.
In addition, these actions are expected to contribute so that the company's internal business
processes develop along with good control on every process on an ongoing basis.
2. LITERATURE REVIEW
Information systems are a collection of computer devices that connected to collect, process,
store and also produce output in the form of information so that can be used to do business
tasks [6].
Risk is probability of a threat that will affect a source of information [7].
Risk management process is a process of identifying a risk, which is projected through
process of vulnerability analysis to the infrastructure and also assets information of an
organization, and taking steps that aims to reduce risk into an acceptable level [8].
The information system risk management adopts the concept of risk sourced from financial
management and replaces unreachable and infinite goals to fully secure information systems
with goals that are reachable and measurable to reduce the risks faced by the system
information into acceptable limits [9].
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) is a
collection of techniques, methods and tool for carrying out an assessment of information
security risk assessment. This framework was developed through a program called CERT
which was developed by Software Engineering Institute (SEI) of Carnegie Mellon University.
The latest version of the OCTAVE framework is the OCTAVE-Allegro [10].
OCTAVE-Allegro describes how to assess risks in an organization or more specifically on
an asset in an organization using eight steps and various worksheets and questionnaire sheets
for guidelines.
http://www.iaeme.com/IJCIET/index.asp
139
[email protected]
Artika Arista, Lelya Novita Kusumawati and Franky Radiansyah
Figure 1. OCTAVE Allegro Roadmap
[10]
3. RESEARCH METHODOLOGY
The proposed model is based on OCTAVE Allegro, the most popular risk management
framework currently in use. The aim of the framework is to measure and assess risk levels
quantitatively. Thus, it will help the institution to understand security risks.
In the OCTAVE Allegro framework, there are four different activity carried out through
eight steps. Here are the activities:
 Organization develop risk measurement criteria in accordance with organizational
drivers.
 Organization establish critical information assets profile and identify the assets’
containers.
 Organization identify threats and record them in a structured process.
 Organization identify and analyze the risks based on threat information and
formulate mitigation strategies to control and minimize the risks.
This research performs practical approach in real organization environment using eight
steps activities from the OCTAVE Allegro framework. The aim of the research is to identify
and analyze the possibility of security violations, realize the causes that make the system
vulnerable and formulate mitigation strategies to control and minimize the risks.
4. RESULTS AND DISCUSSION
Step 1: Establish Risk Measurement Criteria
At this stage, interviews with representatives of the Information System and Technology
Division (DIVSTI) PTX were conducted. From the results of interviews and discussions,
information was obtained that PTX had criteria for possible levels and impact level criteria.
Then adjust the impact area of the OCTAVE Allegro risk measurement criteria with the impact
area of the PTX impact level criteria.
http://www.iaeme.com/IJCIET/index.asp
140
[email protected]
Application of Information Systems Risk Management in Ptx
Table 1 The Impact Areas Prioritization
PRIORITY
IMPACT AREAS
5
Reputation & Customer Confidence
4
Financial
6
Productivity
3
Safety & Health
2
Fines & Legal Penalties
1
User Defined
Step 2: Develop an Information Asset Profile
In determining any critical information assets for PTX, it is necessary for focusing on the core
process of PTX namely:
1. Manage power plant assets.
2. Manage back office transactions.
3. Manage project planning, implementation and evaluation processes.
4. Manage and monitor income.
5. Manage, monitor and evaluate transactions related to customers.
6. Provides information about the current conditions of the company.
7. Manage, monitor and evaluate targets and achieve of corporate performance.
8. Manage, monitor and evaluate targets and achieve individual performance.
9. Manage, monitor and evaluate audit planning, implementation and reporting.
10. Manage, monitor and evaluate the planning and implementation of the procurement of
goods and services.
The classified critical assets are:
1. Power plant assets.
2. Back office transactions.
3. Project.
4. Income.
5. Customer service.
6. Website content.
7. Target and achievement of corporate performance.
8. Target and achievement of individual performance.
9. Audit.
10. Procurement of goods and services.
http://www.iaeme.com/IJCIET/index.asp
141
[email protected]
Artika Arista, Lelya Novita Kusumawati and Franky Radiansyah
Table 2 Information Asset Profile of Customer service
Critical Asset
Customer service
Customer service is chosen because it relates to the main actor, the customer itself, who
is associated with PTX's core process. Customer service includes managing,
Rationale for Selection
monitoring and evaluating all transactions related to customers ranging from
applications to new customers, billing, accounts receivable and credit supervision.
Information System and Technology Division (DIVSTI)
Security
Requirement
Confidentiality
Owner
Information about customer service has a high level of confidentiality and is very
important because it is directly related to aspects of customer service.
Integrity
These assets consist of data sets related to customer service, such as application
transactions for new customers, billing, accounts receivable and credit supervision.
This information must be maintained for accuracy because it is used for billing and
payment information that will be made by the customer.
Availability
Description
This information must be available for service division, disconnection division, meter
reading division, billing division, commercial division, energy transaction division, and
so on.
Most Important Security
Requirement
Integrity
Customer service must be correct and up to date because it has a correlation and is
widely used for various customer service needs, such as billing and repayment of
payments. If this data is wrong from the start, it will affect many areas.
Step 3: Identify Information Asset Containers
Information Asset Containers is a container for storing, transmitting or processing information
assets. The container can be classified based on 3 (three) categories, such as:
Table 3 Information Asset Containers (Technical) – Customer service
Information Asset Risk Environment Map (Technical)
Internal
Container Description
Customer service is stored in the customer service application using the
database centralization type. Customer service applications provide web
interfaces for authorized personnel both for access and data
manipulation.
PTX intranet network. All transactions from and to customer profile
data through this network.
Owner(s)
Information System and
Technology Division
(DIVSTI)
External
Container Description
Internet. Electronic customer service data can be accessed via the
internet.
http://www.iaeme.com/IJCIET/index.asp
142
Owner(s)
unknown
[email protected]
Application of Information Systems Risk Management in Ptx
Table 4 Information Asset Containers (Physical) – Customer service
Information Asset Risk Environment Map (Physical)
Internal
Container Description
Owner(s)
Files and reports related to customer service.
service division
External
Container Description
Owner(s)
Printable files for customers.
service division
Table 5 Information Asset Containers (People) – Customer service
Information Asset Risk Environment Map (People)
Internal Personnel
Name or Role / Responsibility
Department / Unit
Service Division Staff
Sub Unit Rayon
External Personnel
Name or Role / Responsibility
Department / Unit
-
Step 4: Identify Areas of Concern
Table 6 Area of Concern - Customer service
No
Area of Concern
1
The errors possibility when inputting data by the service staff.
2 Distribution password of customer service application by staff who have access.
Step 5: Identify Threat Scenarios
Table 7 Threat Scenarios – Customer service
Area of Concern
Threat Scenario
Actor
Means
1
The errors possibility
when inputting data by the
service staff.
Service division staff
Staff is using customer service
application
Motives
Accidentally occurs (human error
possibility)
Outcome
Modification, Interruption
Security
Requirements
Add a validation function to the fields
entered by the staff. If necessary, do
training to reduce errors.
http://www.iaeme.com/IJCIET/index.asp
143
[email protected]
Artika Arista, Lelya Novita Kusumawati and Franky Radiansyah
Table 7 Threat Scenarios – Customer service (cont.)
Area of Concern
Actor
2
Distribution password of
customer service
application by staff who
have access.
Means
Motives
Outcome
Security
Requirements
Threat Scenario
Staff from service division,
disconnection division, meter reading
division, billing division, commercial
division, energy transaction division
Staff has an access to customer
service application
Deliberate/accidental sharing
password
Disclosure
Only authorized personnel have
access rights.
Step 6: Identify Risks
Determine how the recorded threat scenarios can have impacts to the organization.
Step 7: Analyze Risks
Step 6 and step 7 are closely related steps in which each area of concern for any given asset
information is considered as a possible consequence.
In this step, the consequences are determined. Then, each of the impact area are assessed
by completing the impact value whether high, medium and low for the organization. After that,
multiply the impact area rank by the impact value multiply to calculate the impact area score.
Table 8 The score calculation for the impact values of each impact areas
Impact Areas
Priority Low (1) Medium (2) High (3)
Productivity
6
6
12
18
Reputation & Customer Confidence
5
5
10
15
Financial
4
4
8
12
Safety & Health
3
3
6
9
Fines & Legal Penalties
2
2
4
6
User Defined
1
1
2
3
Table 9 Risk analysis – Customer service
Area of Concern
Consequences
The service division staff or
DIVSTI staff have to re-input
the data & it was wasted time.
Reduce customer satisfaction
due to errors in data input.
The errors possibility when inputting data by the
service staff.
Severity
Impact Area
Value
Score
Productivity
High
18
Reputation & Customer Confidence
High
15
Financial
High
12
Safety & Health
Low
3
Fines & Legal Penalties
Low
2
User Defined
Low
1
Relative Risk Score
51
http://www.iaeme.com/IJCIET/index.asp
144
[email protected]
Application of Information Systems Risk Management in Ptx
Table 9 Risk analysis – Customer service (cont.)
Distribution password of customer
service application by staff who have
access.
Severity
Impact Area
Value
Score
Productivity
High
18
Reputation &
High
15
Customer Confidence
Financial
High
12
Safety & Health
Low
3
Fines & Legal
Med
4
Penalties
User Defined
Low
1
Relative Risk Score
53
Area of Concern
Consequences
Financial losses due to lack of data integrity
and accuracy. Additional effort is needed for
DIVSTI staff to tracing the modified data
without authorization.
Public and customer perceptions of PTX will
be negative if customers’ sensitive
information is disseminated. If the customer
issues the matter to the law, it will cause
fines and possible lawsuits for PTX.
Step 8: Select Mitigation Approach
The identified risks are sorted by risk score.
Table 10 Relative Risk Matrix
RISK SCORE
49 TO 63 35 TO 48
21 TO 34
Pool 1
Pool 2
Pool 3
Next activity is deciding the mitigation approach based on pool from Relative Risk Matrix.
Table 11 Mitigation Approach
POOL Mitigation Approach
1
Mitigate
2
Mitigate or Defer
3
Accept
Table 12 Risk Mitigation – Customer service
Area of Concern
Relative Risk Score
Pool
Action
Container
Customer service application
Staff from service division, disconnection
division, meter reading division, billing
division, commercial division, energy
transaction division
http://www.iaeme.com/IJCIET/index.asp
The errors possibility when inputting data by
the service staff.
51
Pool 1
Mitigate
Control
Add notification for validation entries in the
input fields.
Each field must be validated before
execution to the next process / page.
Immediately modify the invalid data if it is
known that an error has occurred.
145
[email protected]
Artika Arista, Lelya Novita Kusumawati and Franky Radiansyah
Table 12 Risk Mitigation – Customer service (cont.)
Area of Concern
Relative Risk Score
Pool
Action
Container
Customer service application
Staff from service division, disconnection
division, meter reading division, billing
division, commercial division, energy
transaction division
Distribution password of customer service
application by staff who have access.
53
Pool 1
Mitigate
Control
If the application is idle for more than five
minutes, it automatically logs out.
Password changes periodically.
Use / activate the customer service
application transaction log.
All relevant staff must sign a non-disclosure
agreement.
Educating the related staff.
5. CONCLUSIONS
Using the OCTAVE Allegro method to carry out information system risk management at PTX,
is resulting 10 (ten) critical information assets. Furthermore, Customer service are continued
to be assessed. According to the results of the assessment errors in data input & distribution
password of customer service application, both of them get the highest priority in handling and
need to mitigate with the mitigation strategies offered or the control actions.
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
V. K. Maram, M. S. K. B, and B. H.S, “A Study of Risk Management of an Information
System by Assessing Threat , Vulnerability and Countermeasure,” Int. J. Adv. Res.
Comput. Sci. Softw. Eng., vol. 2, no. 12, pp. 51–53, 2012.
N. Mathur, H. Mathur, and T. Pandya, “Risk Management in Information System of
Organisation: A Conceptual Framework,” Int. J. Nov. Res. Comput. Sci. Softw. Eng., vol.
2, no. 1, pp. 82–88, 2015.
P. Shedden, T. Ruighaver, and A. Ahmad, “Risk management standards – the perception
of ease of use,” J. Inf. Syst. Secur., vol. 6, no. 3, pp. 23–41, 2010.
S. Gupta and A. K. Saini, “Information System Security and Risk Management: Issues and
Impact on Organizations,” Glob. J. Enterp. Inf. Syst., vol. 5, no. 1, pp. 31–35, 2013.
A.-M. Suduc, M. Bizoi, and F. G. Filip, “Audit for Information Systems Security,” Inform.
Econ. vol., vol. 14, no. 1, pp. 43–48, 2010.
J. W. Satzinger, R. B. Jackson, and S. D. Burd, Systems Analysis and Design In a Changing
World, Seventh Edition. Boston: Cengage Learning, 2016.
R. K. Rainer Jr., B. Prince, and C. Cegielski, Introduction to Information Systems:
Supporting and Transforming Business, Fifth Edition. John Wiley & Sons, 2014.
M. E. Whitman and H. J. Mattord, Principles of Information Security, Fourth Edition.
Boston: Cengage Learning, 2012.
J. R. Vacca, Computer and Information Security, Second Edition. Morgan Kaufmann,
2013.
R. A. Caralli, J. F. Stevens, L. R. Young, and W. R. Wilson, “Introducing OCTAVE
Allegro : Improving the Information Security Risk Assessment Process,” 2007.
http://www.iaeme.com/IJCIET/index.asp
146
[email protected]
Download
Random flashcards
State Flags

50 Cards Education

Countries of Europe

44 Cards Education

Art History

20 Cards StudyJedi

Sign language alphabet

26 Cards StudyJedi

Create flashcards