IT Security Governance Research Articles

Revolutionizing Hospital IT Security through ISO 27001 Launched in Indonesia

This study examines the security of the E-HOS System at RSUD Ibnu Sina Kab. Gresik, identifying critical threats and vulnerabilities, and offering mitigation strategies. Using qualitative methods, including interviews, observations, and documentation, data was collected from December 2022 to May 2023. The OCTAVE framework revealed 17 potential risk events, with user-related risks being the most significant, showing an RPN as high as 162 for access rights abuse. The study recommends implementing ISO 27001 controls—Access Control, Human Resource Security, and Communications Security—to enhance system security. These findings highlight the importance of robust IT security governance in healthcare settings. Highlight: Critical Risks: 17 events, highest risk in user access rights abuse. Methodology: Used OCTAVE framework, interviews, observations, documentation. Recommendations: Implement ISO 27001 controls: Access Control, HR Security, Communications Security. Keyword: E-HOS System, SIMRS security, OCTAVE method, risk assessment, ISO 27001

Measurement of IT Security Governance Capabilities Using COBIT 2019 at Indonesian Business Sector

IT governance implementation in companies has occurred in the enterprise sector up to the BUMN scale. As stated in the Regulation of the Minister of Foreign Affairs Number 2 of 2013, Article 2(1) binds the business world. In the corporate sector, there are IT security issues. The measurement process uses the COBIT 2019 framework. The measurements taken will provide an analysis of the capacity level and gaps. Data was collected using quantitative (questionnaire) and qualitative (documentary studies and interviews) methods. The three relevant subdomains to measure are APO12 – Risk Management, APO13 – Managed Security, and DSS05 – Managed Security Services. The results of the capacity measurement show that the APO12 subdomain is at level 2, APO13 is at level 2, and DSS05 is stopped at level 2. These results indicate that there is a gap in the DSS05 subdomain. The results obtained show recommendations for improvement and level increase, especially in the DSS05 subdomain. The enterprise sector needs improvements in endpoint security policies, access policies, and event logs in IT incidents.

Measuring IT security, compliance and data governance within small and medium-sized IT enterprises

Like many other industries, small and medium IT enterprises (IT SMEs) find themselves challenged by globalization and digital transformation. This paper highlights the implications and challenges for IT SMEs in the area of IT security, compliance, and data governance. It describes the secure and compliant integration of IT products and services of IT SMEs in order to enhance their relative competitive position against global players of the IT industry. The paper presents an approach that entails competence areas for IT security, compliance, and data governance and shows a web-based tool for surveying and measuring areas in order to derive actual readiness of IT SMEs in these areas. The paper concludes with an outlook on the expected findings and planned further developments of the approach and tool.

A Conceptual Framework of It Security Governance and Internal Controls

The Board and senior management use internal controls and IT risk governance to ensure that the corporation�s directives such as security policies, standards, procedures, guidelines, administrative rules and practices at all organizational levels are properly chosen and adapted to the organization, implemented and enforced. There were three research problems identified in this paper, lack of involvement of the board and senior management in understanding IS/IT security problems, unbalanced implementation of IS/IT security within the Formal, Technical and Informal components and lack of internal control applications over IS/IT security. This had led to the development of a conceptual framework of IT Security Governance and Internal Controls. Interviews were undertaken with eight Malaysian Publicly Listed Companies to identify the issues that relate to IS/IT Security Governance in Malaysia. The findings reported in the data analysis were consistent with the conceptual framework of IT Security Governance and Internal Controls.

Autonomic Framework for IT Security Governance

Autonomic Framework for IT Security Governance