Risk Risk Assessment and Development of Access Control Information Security Governance Based on ISO/IEC 27001:2013 At XYZ University

Abstract

The rapid development of information technology at this time also has an impact on the use of information technology in the university environment. XYZ University as a university that has quite a lot of students also applies information technology to support their distance learning. The role of information technology is quite crucial and important. Unfortunately, the issue of information security which is an important part of information technology often gets less attention. Its undeniable that the emergence of threats or weaknesses in information technology can disrupt the course of service activities using information technology. Therefore, it is necessary to manage information technology and risk-based document standard procedures as outlined in governance to manage emerging threats or weaknesses. ISO/IEC 27001:2013 is an framework of information security management system that can be used as a basis for managing information security. This study identifies assets, threats, weaknesses, risk analysis, BIA, risk assessment, and risk mapping based on clauses to produce recommendations for policy documents, procedures, and work instructions to improve information security control based on ISO 27001:2013 clauses. Considering its high risk value, this study produced several recommendations for security documents, namely 5 policy documents, 6 procedure guidelines, 8 work instructions, and 12 forms.