INFORMATION SECURITY RISK MANAGEMENT DESIGN OF SUPERVISION MANAGEMENT INFORMATION SYSTEM AT XYZ MINISTRY USING NIST SP 800-30

Abstract

SIMWAS is an information system at the XYZ Ministry that is used to manage supervisory activities and follow up on supervisory results. SIMWAS is an important asset that contains all internal control business processes, but in practice, SIMWAS information security risks have not been managed properly. To overcome these problems, information security risk management is needed at SIMWAS. This study aims to design and analyze SIMWAS information security risk management using the NIST SP 800-30 framework. NIST SP 800-30 focuses on a particular infrastructure and its boundaries. Since the purpose is to perform a technical risk analysis of the core IT infrastructure, it is highly prescriptive. It has nine primary steps to conduct risk assessment. The NIST SP 800-30 framework is used to design and analyze SIMWAS information security risks by identifying threats, vulnerabilities, impacts, likelihoods, and recommendations for controls. SIMWAS information security risk assessment is carried out by analyzing data obtained from the results of interviews, observations, and document reviews. The results of this study show that SIMWAS information security has four low-level risks, eight moderate-level risks, and five high-level risks. Very low and low risk levels are acceptable according to the risk appetite of the business owner, but moderate, high, and very high-risk levels require risk avoidance, risk transfer and risk reduction. The XYZ Ministry need to carry out residual risk analysis and cost-benefit analysis from implementing controls in each risk scenarios.