Making Plans Based on Analysis and Risk Mitigation Assessment Information Technology


Published on International Journal of Engineering & Industry
Publication Date: June 18, 2019

Sapto Haryo, Reni Muktisari, Timbol Rahardianto & Edgar Sanubari
Atma Jaya Makassar University, Makassar, South Sulawesi
Fajar University, Makassar, South Sulawesi
Cokroaminoto Palopo University, Palopo, South Sulawesi
Bosowa University, Makassar, South Sulawesi
Indonesia


Abstract
Analysis and risk assessment provide a risk profile together with recommended security controls that can reduce the risk of information security threats in a company. The risk profile is derived from the weaknesses, threats and trends identified in the company. The object of this study is a logistics company whose core business is stevedoring services; it manages critical and sensitive information that must be protected by security controls. In most logistics companies security controls are implemented ad hoc, based on a temporary need or the budget available, so the controls do not reduce risk effectively or efficiently. The risk mitigation plan is built on the results of analysis and risk assessment through an evaluation phase and an analysis phase. The evaluation assesses whether a control is suited to the weaknesses or vulnerabilities it is meant to eliminate; the analysis uses cost-effectiveness and cost-benefit techniques. Evaluating and analysing the recommended security controls yields a complete and comprehensive risk mitigation plan that prioritises the implementation of security controls, so that the logistics company's risk is reduced effectively and efficiently.

Keywords: Risk management, Risk Assessment, Risk Mitigation.

I. INTRODUCTION
Information technology (IT) risk is an event that is likely to occur and that has a negative impact on the company, such as an information security breach. At a logistics company, an information security breach may bring business operations to a halt, causing financial loss and the loss of customer confidence in the company.
An information security breach cannot be reduced only by implementing physical security controls with the latest technology; more administrative and operational controls are needed as well. The control recommendations that are implemented should be based on the results of an analysis and risk assessment process. Information security risk assessment is the first step of risk management and is carried out to identify potential threats and risks. The risk assessment gives an overview of the information security needs of an organisation or company, which in turn supports information security governance.
Analysis and risk assessment produce control recommendations based on the company's risk profile. The risk mitigation process then evaluates and analyses these recommendations in order to select the security controls that match the company's information security requirements, so that the controls implemented reduce information technology risk effectively and efficiently.

II. THEORY OF RISK MITIGATION IT
Gary Stoneburner [1] explains that the risk assessment stage yields the degree of potential risk faced. Risk mitigation should then follow; it aims to take proactive measures that reduce the risks and prevent them from occurring and disrupting the course of business. [1]
In the guideline issued by SOMAP.org [2], entitled “Open Information Security Risk Management Handbook” (2006), risk mitigation is carried out not only to reduce risk but also to reduce the negative impact on business continuity management. The strategies from which the risk mitigation stage selects are as follows: [2]
– Risk elimination (risk elimination / avoidance) is an attempt to define an action that removes the possibility of a certain risk occurring. For example, if the company has not defined an emergency plan for a disaster affecting its IT systems, a disaster would greatly affect the way the business operates; the mitigation measure is therefore to formulate and establish corporate policy on a DRP (disaster recovery plan) and a BCP (business continuity plan).
– Risk reduction is an effort to reduce an impact that could disrupt business continuity. For example, backups are performed routinely and produce backup files, but there is no guarantee that a backup file can be restored properly. Because a restore may fail, the mitigation measure is to test backup files regularly, which reduces the risk that a backup file cannot be used.
– Risk transfer is an effort to move the risk elsewhere, for example when a company insures itself against the losses it may suffer from a security threat to its IT systems.
– Risk acceptance is the attitude of accepting a risk, especially the residual risk that remains after risk mitigation.
Risk mitigation is the stage of the risk management process that follows risk assessment. It covers the prioritisation of mitigation, evaluation, implementation and maintenance of the effort to counter the impact of the risks identified during the risk assessment stage. Eliminating all risk is highly unlikely in practice, so it is management's responsibility to define an approach that reduces the level of risk.
Risk mitigation directs management to balance the operational and economic costs incurred as a proactive effort to protect the assets it owns, and it is the basis for evaluating the information security controls needed in the mitigation effort.
Information security controls are internal policies, procedures, practices and organisational structures designed to secure information and to provide prevention, detection and correction. External security control devices are hardware and software acquired from outside the organisation and deployed in the organisation's IT systems.
According to Ronald [3] in the CISSP Guide, information security controls are expected to reduce the risks involved through the following control functions:
– Preventive control, which functions to prevent attempts to violate information security policies and rules.
– Detective control, which functions to alert when a violation has occurred, that is, an attempt to break information security policies or rules. Some detective controls overlap with preventive controls, since one control can act as a preventive for future events and as a detective for current ones.
– Corrective control, which functions to recover from the effects caused by a risk that has materialised.

Figure 1. Handling of an attack

An attack takes place because of a potential threat, which can be avoided using deterrent control. The attack can be identified using detective control; it succeeds because of a lack of security, or a weakness, that has a negative impact on the organisation. The impact and the vulnerability or weakness can be avoided with preventive control and remedied with corrective control.
Furthermore, the information security controls proposed to mitigate risk should be analysed for their benefit through a cost-benefit analysis, so that the value of the benefit they provide can be compared with the cost, or the acceptable impact, of implementing or not implementing the controls for the company.

III. RISK MITIGATION MEASURES IT
Identifying information security risks requires a good understanding of the company's existing IT system environment, so the characteristics of the company's systems must be identified first.
There are six main processes in risk mitigation that the company needs to carry out in order to minimise risk. These stages are [1]:
1. Prioritise actions (prioritize action)
2. Evaluate recommended control options
3. Conduct cost-benefit analysis
4. Select controls (select control)
5. Assign responsibility
6. Develop a safeguard implementation plan
Each step of risk mitigation is explained below:
1. Prioritize action is the process of determining priorities based on the risk levels from the risk assessment. When allocating the necessary resources, the priority is informed by the ranking of the risk levels. The output of this process is a ranking of the actions that need to be taken, from low to high rank.
2. Evaluate recommended control options is the process of assessing the feasibility and effectiveness of the security strategy, based on the action priorities determined in the previous process. The output of this process is a list of feasible controls.
3. Conduct cost-benefit analysis and cost-effectiveness analysis. The cost-benefit analysis assesses the value of the benefit against the cost, depending on whether a control is implemented or not. The cost-effectiveness analysis determines the effectiveness of the proposed controls, from which the control priority can be seen.
4. Select control is the control selection process, based on the results of the cost-benefit and cost-effectiveness analyses as well as the risk level from the risk assessment.
5. Assign responsibility is the process of assigning the control strategy defined above to people who have the potential and capability to implement it. The output of this process is a list of the people entrusted with responsibility.
6. Develop a safeguard implementation plan is the process of planning the implementation of the security controls that have been selected. The output of this process is a safeguard implementation plan.
7. Implement selected controls is the process of implementing the controls, bearing in mind that they may not eliminate the risk entirely.
The result of the risk mitigation stage is a selection of controls whose benefit value and effectiveness have been analysed. Before the controls are implemented, an information security plan should be drawn up that sets out the information security strategy based on the results of the risk assessment and risk mitigation. The information security planning stages are discussed later.

IV. RESULTS ANALYSIS AND RISK ASSESSMENT IT
The risk assessment process identified the level of each risk based on its likelihood and impact.

Table 1. Risk level identification results

From these results, the company's information technology risk profile is as described below.

Figure 2. Risk identification results

The risk profile above is the result of identifying the risks during the risk assessment process; control recommendations are then given for each risk that can reduce the identified level of information security risk.

Table 2. Control recommendation results

Based on the table above, for each risk identified as high, medium or low, several security controls are proposed that are expected to reduce the assessed risk level. The risk mitigation process further evaluates and analyses these recommendations and then selects the most feasible ones and their implementation priority.

V. RISK MITIGATION OF IT
Risk mitigation consists of a series of main processes: prioritisation, evaluation, cost-benefit and cost-effectiveness analysis, control selection, assignment of responsibility, security plan development and control implementation.
Based on the risk levels obtained from the risk assessment, the actions that need to be taken are prioritised. Each action requires a control to reduce the risk. The recommended security controls must of course be evaluated and analysed first, to obtain their benefit value and their ability to lower risk, and to set the priority for implementing the proposed controls.

Figure 3. Priorities for Action

In this first stage the actions to be taken to reduce the risk are determined and prioritised according to the associated risk level. The resulting priority actions, in order of risk level, are as follows:
1. The company develops policies and procedures for the classification of information
2. The company develops policies and procedures for a disaster mitigation plan, commonly called a BCP / DRP (business continuity plan / disaster recovery plan)
3. The company develops policies and guidelines for selecting and installing a reliable lightning rod
4. The company develops policies and guidelines for selecting a DRC location separate from the data center space
5. The company develops policies and guidelines to prevent the spread of viruses
6. The company develops policies, standards and guidelines governing the implementation of the firewall in the DMZ (demilitarized zone)
7. The company implements a division of specific tasks
8. The company implements task or job rotation
9. The company develops policies, standards and procedures for recording, analysing and following up events or incidents
10. The company develops policies and procedures for supervisors to verify the data entered by operators
11. The company establishes written policies, standards, procedures and guidelines in the field of information security
12. The company develops policies and standards for building and developing business applications within the enterprise
13. The company develops policies and guidelines to guide the behaviour of computer users within the enterprise
14. The company develops policies and procedures for routine inspection and maintenance of core and supporting devices
15. The company implements encryption technology to maintain the confidentiality of information
16. The company conducts background checks on prospective employees, covering both knowledge and skills in the use of technology
17. The company develops policies and procedures to assess system capacity and load
18. The company develops policies and procedures to improve daily oversight of employees who hold authorisation and authentication
Not all of the priority actions, and the risk-based controls they recommend, may be feasible for the company to implement. The second stage assesses feasibility in terms of the suitability (conformity with the vulnerability addressed) and effectiveness (degree of protection and level of risk reduction) of each recommended control, as well as the involvement of internal and external parties in implementing the information security controls.

Figure 4. Control evaluation

The evaluation was carried out against the control evaluation measures specified as follows:

Table 3. Control evaluation measures

Table 4. Control evaluation results

The table above shows the assessment levels resulting from the evaluation of the recommended controls. On the suitability aspect the security controls score above level two, meaning they match the vulnerabilities or weaknesses to be reduced. On the effectiveness aspect the controls also score above the effectiveness level, meaning they can reduce the risk below the maximum risk. The evaluation concludes that the recommended controls are suitable and effective for the company to implement.
The third stage is cost-benefit and cost-effectiveness analysis. The cost-benefit analysis is carried out with quantitative or qualitative measures as follows: (1) identify the impact, tangible and intangible, if a certain control is implemented; (2) identify the impact, tangible and intangible, if the control is not implemented.

Figure 5. Cost-benefit analysis and cost-effectiveness analysis

The results of the cost-benefit analysis are as follows:
• For each control, the cost the company incurs to implement it, in tangible and intangible terms, is smaller than the impact (risk value) if it is not implemented.
• Each of the eighteen controls can therefore be said to “provide risk reduction”.
• A control provides risk reduction when, at minimum, it reduces the risk at an implementation cost smaller than the cost (risk value) of not implementing it; such a control may be selected for implementation.
The cost-effectiveness analysis of the security controls is carried out in the following stages:
a. Identify the investment required to implement the security controls recommended in the previous stages.
b. Calculate the priority value of each investment by comparing the effectiveness of the security controls against one another, based on their ability to achieve the three aspects of information security: confidentiality, integrity and availability.

Table 5. Cost-effectiveness results (stage 1)

Table 6. Cost-effectiveness results (stage 2)

c. Determine the ranking of investment priorities. Based on the tables above, the priority values are recapitulated.

Table 7. Cost-effectiveness results (stage 3)

The table above shows the priority ranking of the recommended security controls. This data is expected to inform information security planning, since it shows the order in which controls should be implemented to be effective in achieving the information security goals and objectives.
The fourth stage is control selection. The selection draws on the evaluation results, which state that all controls match the vulnerabilities or weaknesses to be reduced and can reduce the risk below the maximum risk, and on the cost-benefit analysis, which states that the eighteen recommended controls reduce risk at an implementation cost lower than the cost (risk value) of not implementing them.
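As an added illustration that is not part of the paper, the following Python script applies the decision rules of the mitigation stages described above to a few candidate controls: the risk level used to prioritise actions (assumed here to be likelihood multiplied by impact on a three-point scale, since the paper's own scale is not reproduced on this page), the cost-benefit rule that a control is kept only when its implementation cost is below the risk value borne without it, and the cost-effectiveness priority value summed over confidentiality, integrity and availability. All control names, scores and costs are constructed sample values, not the data of Tables 5 to 7.

```python
from dataclasses import dataclass, field

# Assumed 3-point qualitative scale for likelihood and impact; the paper's own
# scale is not reproduced on the page.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    name: str
    likelihood: str         # likelihood of the risk the control addresses
    impact: str             # business impact if that risk materialises
    cost: float             # tangible + intangible cost of implementing the control
    loss_if_absent: float   # tangible + intangible impact (risk value) if not implemented
    cia: dict = field(default_factory=dict)  # effectiveness 0..3 for "C", "I", "A"


def risk_level(c: Control) -> int:
    """Risk level used for stage 1 (prioritise action); assumed as likelihood x impact."""
    return LEVEL[c.likelihood] * LEVEL[c.impact]


def provides_risk_reduction(c: Control) -> bool:
    """Stage 3 cost-benefit rule: implementing the control must cost less than the
    risk value the company bears if the control is absent."""
    return c.cost < c.loss_if_absent


def priority_value(c: Control) -> int:
    """Stage 3 cost-effectiveness value: effectiveness summed over confidentiality,
    integrity and availability."""
    return sum(c.cia.get(aspect, 0) for aspect in ("C", "I", "A"))


def mitigation_plan(controls):
    """Stages 1, 3 and 4 on a list of candidate controls: order by risk level,
    drop controls that fail cost-benefit, rank the rest by priority value
    (ties broken by risk level). Returns (ranked, names rejected by cost-benefit)."""
    by_risk = sorted(controls, key=risk_level, reverse=True)
    selected = [c for c in by_risk if provides_risk_reduction(c)]
    rejected = [c.name for c in by_risk if not provides_risk_reduction(c)]
    ranked = sorted(selected, key=lambda c: (priority_value(c), risk_level(c)), reverse=True)
    return [(rank, c.name, priority_value(c)) for rank, c in enumerate(ranked, 1)], rejected


# Constructed sample controls, named after actions in the paper's priority list
# but with invented scores and costs (arbitrary cost units).
SAMPLE = [
    Control("Information classification policy", "high", "high", 20, 90, {"C": 3, "I": 2, "A": 1}),
    Control("BCP/DRP policy", "medium", "high", 60, 200, {"C": 0, "I": 1, "A": 3}),
    Control("Firewall in DMZ", "high", "medium", 40, 120, {"C": 2, "I": 2, "A": 2}),
    Control("Backup restore testing", "medium", "medium", 10, 50, {"C": 0, "I": 2, "A": 2}),
    # Constructed control that fails cost-benefit: it costs more than the loss it prevents.
    Control("Constructed control that fails cost-benefit", "low", "low", 150, 30, {"C": 1, "I": 1, "A": 1}),
]

if __name__ == "__main__":
    ranked, rejected = mitigation_plan(SAMPLE)
    for rank, name, value in ranked:
        print(f"{rank}. {name} (priority value {value})")
    print("rejected by cost-benefit:", rejected)
```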

Figure 6. Control selection

Table 8. Control selection results

The cost-effectiveness analysis sets the priority for implementing the controls based on their effectiveness in achieving the information security objectives (confidentiality, integrity and availability). Based on the evaluation and analysis above, it can be concluded that the eighteen controls above are selected for implementation.
The next action after the recommended controls have been selected is to assign people with specific job descriptions who will be responsible for the control devices that reduce and eliminate the risk. A complete and detailed security implementation plan is then drawn up. The plan contains the results of the previous risk mitigation stages, among other things:
a. Control options (selected planned control)
b. Priority action (prioritize action)
c. The resource requirements for implementation of control (required resources for implementing the selected planned control)
d. Assignment of personnel responsible (list of responsible team and staff).

Figure 7. Assignment and Implementation Plan

Table 9. Assignment and implementation plan results

For the security controls selected on the basis of the evaluation, the cost-benefit analysis and the cost-effectiveness analysis, this table describes the resources that must be provided and the team that will implement each security control, which is expected to give an overview for the information security planning process. The information security planning process is explained in the next section.

VI. CONCLUSION
The conclusions that can be drawn from the results of this research are:
1. The analysis and risk assessment identify the level of risk, based on the weaknesses, threats and trends faced by the logistics company in general, together with the security controls recommended to reduce the risk.
2. The analysis and risk assessment at the logistics company show that, in general, the logistics company has a high risk of losing information security, because the security controls implemented do not stem from a risk mitigation plan built on comprehensive analysis and risk assessment.
3. In the risk mitigation stage, the company can evaluate and analyse the security controls recommended by the risk assessment process.
4. The evaluation covers suitability and effectiveness, while the analysis uses cost-effectiveness analysis and cost-benefit analysis.
5. The results of the risk mitigation show that the logistics company studied must attend to the priority implementation of eighteen security controls, as an effort to reduce the IT risks caused by information security disruptions.