DESIGN OF CAPABILITY ASSESSMENT MODEL FOR AN INFORMATION SECURITY (ISO 27005) AND ANTI-BRIBERY (ISO 37001) RISK MANAGEMENT USING 33020 (Study on Supply Chain Management)
Format: Theses
Language: Indonesia
Institution: Institut Teknologi Bandung
Online Access: https://digilib.itb.ac.id/gdl/view/36704
Summary: The term risk management describes an approach in which the level of security of an organization's information resources is compared against the risks it faces. Information security risk management (MRKI, from the Indonesian Manajemen Risiko Keamanan Informasi) can draw on many international standards that govern it, such as ISO 27005, ISO 31000, NIST SP 800-30, NIST SP 800-39 and the OCTAVE framework. In this thesis, the MRKI framework used is ISO 27005. The same framework is also used for Anti-Bribery Risk Management (MRAP, Manajemen Risiko Anti Penyuapan).
ISO 27005 guides an organization in carrying out MRKI in support of its information security strategy and information security management system. The risk management process in ISO 27005 consists of context establishment, risk assessment, risk treatment, risk acceptance, risk communication and consultation, and risk monitoring and review. The same process dimension is used to measure Anti-Bribery Risk Management (MRAP), which refers to ISO 37001. The process dimension serves as the reference for defining the base practices and work products of the model designed in this study to assess the capability of the MRKI and MRAP processes. To determine whether an organization's MRKI and MRAP conform to ISO 27005 (and, for MRAP, ISO 37001), a process capability assessment model is designed with reference to ISO 33020.
The assessment model has two dimensions: a process dimension and a capability dimension. The process dimension contains the MRKI and MRAP processes to be assessed: context establishment, risk assessment, risk treatment, risk acceptance, risk communication and consultation, and risk monitoring and review. The capability dimension consists of the capability levels, the process attributes at each level, and the measurement scale used to rate the capability of the MRKI and MRAP processes.
The information security risk management capability assessment model was tested at PT. PLN (Persero) as the case study. Data were collected through interviews and research questionnaires. Two questionnaires were used: an MRKI questionnaire for structural officials, IT administrators and IT staff, and an MRAP questionnaire for procurement planning officials, procurement executors and HR. Interviews were also conducted to explore the organization's condition in more depth and to cross-check the work products reported in the questionnaire responses.
Next, the MRKI and MRAP capability assessment results for the goods and services procurement business process are rated according to the requirements of ISO 33020, the international standard for process capability assessment. A Spearman rank correlation is then computed to find out whether the MRKI and MRAP capabilities are related. The results are expected to support policy making for goods and services procurement business processes that are sound in terms of both information security and anti-bribery.
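The rating and correlation steps described above, as an added example that is not part of the thesis or its assessment instrument. It assumes the ISO/IEC 33020 NPLF rating scale (Not achieved 0-15%, Partially >15-50%, Largely >50-85%, Fully >85-100%) and the standard's rule that a capability level is reached when its own attributes are rated at least Largely and all lower-level attributes are rated Fully; the six process names, the percentage scores and the attribute sets per level are constructed sample input, not data from PT. PLN (Persero).

```python
"""Added example (not from the thesis): ISO/IEC 33020-style capability rating
of the six risk-management processes, then a Spearman rank correlation between
the MRKI and MRAP capability levels. All percentages are constructed."""
from __future__ import annotations
from math import sqrt


def rate_attribute(pct: float) -> str:
    """ISO/IEC 33020 NPLF scale: achievement percentage -> N, P, L or F."""
    if not 0 <= pct <= 100:
        raise ValueError(f"achievement must be 0..100, got {pct}")
    if pct <= 15:
        return "N"
    if pct <= 50:
        return "P"
    if pct <= 85:
        return "L"
    return "F"


# Process attributes belonging to each capability level (ISO/IEC 33020).
PROCESS_ATTRIBUTES = {
    1: ["PA1.1"],            # process performance
    2: ["PA2.1", "PA2.2"],   # performance mgmt, work product mgmt
    3: ["PA3.1", "PA3.2"],   # process definition, process deployment
    4: ["PA4.1", "PA4.2"],   # quantitative analysis, quantitative control
    5: ["PA5.1", "PA5.2"],   # process innovation, innovation implementation
}


def capability_level(attr_pct: dict[str, float]) -> int:
    """Level n is achieved when every attribute of level n is L or F and every
    attribute of a lower level is F. Attributes with no evidence count as N."""
    rating = {pa: rate_attribute(p) for pa, p in attr_pct.items()}
    level = 0
    for n in range(1, 6):
        this_ok = all(rating.get(pa, "N") in ("L", "F") for pa in PROCESS_ATTRIBUTES[n])
        lower_ok = all(rating.get(pa, "N") == "F"
                       for m in range(1, n) for pa in PROCESS_ATTRIBUTES[m])
        if not (this_ok and lower_ok):
            break
        level = n
    return level


def assess(scores: dict[str, dict[str, float]]) -> dict[str, int]:
    """Capability level per process from {process: {attribute: percent}}."""
    return {proc: capability_level(attrs) for proc, attrs in scores.items()}


def average_ranks(values: list[float]) -> list[float]:
    """1-based ranks; tied values share the mean of the ranks they span."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        shared = (i + 1 + j + 1) / 2
        for k in range(i, j + 1):
            ranks[order[k]] = shared
        i = j + 1
    return ranks


def spearman(x: list[float], y: list[float]) -> float:
    """Spearman rho as the Pearson correlation of the ranks. This form is
    correct with ties; the 1 - 6*sum(d^2)/(n(n^2-1)) shortcut assumes none."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two equally long series of at least two values")
    rx, ry = average_ranks(x), average_ranks(y)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    if vx == 0 or vy == 0:
        raise ValueError("rho is undefined when one series is constant")
    return cov / sqrt(vx * vy)


PROCESSES = ["context", "assessment", "treatment", "acceptance", "communication", "monitoring"]
# Constructed questionnaire results: percent achievement per process attribute.
MRKI_SCORES = {
    "context":       {"PA1.1": 90, "PA2.1": 88, "PA2.2": 92, "PA3.1": 60, "PA3.2": 55},
    "assessment":    {"PA1.1": 95, "PA2.1": 70, "PA2.2": 60},
    "treatment":     {"PA1.1": 80, "PA2.1": 40, "PA2.2": 30},
    "acceptance":    {"PA1.1": 10},
    "communication": {"PA1.1": 86, "PA2.1": 86, "PA2.2": 50},
    "monitoring":    {"PA1.1": 45},
}
MRAP_SCORES = {
    "context":       {"PA1.1": 90, "PA2.1": 60, "PA2.2": 70},
    "assessment":    {"PA1.1": 88, "PA2.1": 52, "PA2.2": 20},
    "treatment":     {"PA1.1": 70},
    "acceptance":    {"PA1.1": 30},
    "communication": {"PA1.1": 92, "PA2.1": 90, "PA2.2": 86, "PA3.1": 20, "PA3.2": 25},
    "monitoring":    {"PA1.1": 12},
}


def correlate(mrki=MRKI_SCORES, mrap=MRAP_SCORES) -> float:
    """Spearman rho between per-process MRKI and MRAP capability levels."""
    a, b = assess(mrki), assess(mrap)
    return spearman([a[p] for p in PROCESSES], [b[p] for p in PROCESSES])


if __name__ == "__main__":
    for p, (ki, ap) in zip(PROCESSES, zip(assess(MRKI_SCORES).values(), assess(MRAP_SCORES).values())):
        print(f"{p:14s} MRKI level {ki}  MRAP level {ap}")
    print(f"Spearman rho: {correlate():.3f}")
```

Two points worth noticing when reproducing the thesis's linkage analysis: the "lower levels must be Fully achieved" rule means a process with a Largely achieved PA1.1 stays at level 1 however good its level-2 attributes are, and with only six processes rated on a 0 to 5 integer scale the rank data are heavily tied, so the tie-aware (Pearson-of-ranks) form of rho is required and the resulting coefficient is weak statistical evidence on its own.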