IJITEE, Vol. 5, No. 2, June 2021 ISSN 2550 – 0554 (Online)

Analysis of Information Technology Security Management SWCU SIASAT Using ISO/IEC 27001:2013

Andeka Rocky Tanaamah 1, Friska Juliana Indira 2

Abstract—IT security management is essential for organizations to notice occurring risks and opportunities because they will profoundly affect the ongoing business processes within the organization. The Satya Wacana Academic Information System, more often called SIASAT, is an IT component playing an essential role in running core business processes at Satya Wacana Christian University under the control of the Information Systems and Technology Bureau. At this time, the implementation of SIASAT has been going well, but there are still some obstacles. Lack of human resources is one of the findings, and it becomes one of the most significant risks as it affects the use of infrastructure and information security. This research was conducted using the international standard ISO/IEC 27001:2013, prioritizing information security by taking a planning clause focusing on risk assessment. From the results of this study, nine recommendations were given. The most important of these were creating separate standard operating procedure documents for SIASAT, which previously were still affiliated with the Academic Administration Bureau; distributing job descriptions; and providing clear and documented access rights for everyone. It is expected that this research can reduce the occurring risks and can be considered for establishing improvements to enhance academic services in the future.

Keyword—Information Technology, Information System, Information Security Management, ISO/IEC 27001:2013.

I. INTRODUCTION

In the present day, the role of Information Technology (IT) in an organization in supporting business activities is crucial.
Problems related to information security often receive less attention, even though they are the most crucial part of applying information technology. The increased internal data transmission and utilization between organizations on an open network will increase the risks of the information being exposed [1]. Information security is defined as a process to protect information and information assets and keep the confidentiality, integrity, and availability of information [2]. Confidentiality is a term used to prevent information disclosure to unauthorized parties. Integrity means that the data cannot be modified. Availability means that information must be accessible whenever and wherever data is required by authorized users [3].

Today, information security is a leading problem for a business. A survey shows that such risks apply to public bodies and private companies and to information in both paper and electronic form; whether from failure to protect direct data or failure to dispose of archive information, they may arise from intentional or accidental actions [4]. Risk management is defined as the process of identifying vulnerabilities and threats within the framework of an organization. In addition, it will produce several measures to minimize the impact on information resources [5].

One university that is already aware of the application of IT as an essential requirement in conducting academic activities is Satya Wacana Christian University (SWCU). IT at SWCU is managed by the Bureau of Technology and Information Systems (BTSI), which is under the Assistant Chancellor I of SWCU; this bureau is in charge of developing and serving the needs of academics in the fields of information technology, information system, multimedia (including developing teaching modules), and teaching facilities [6]. One of the information technologies implemented and utilized is the Satya Wacana Academic Information System, better known as SIASAT.
It is a mobile web-based information system that integrates several services to facilitate and support academic activities in SWCU. Today, SIASAT is one of the essential parts that must be used in academic activities both by lecturers and students. The services provided for lecturers are in the form of teaching schedules, guardianship, and grade inputs. Meanwhile, the services provided for students are re-registration, course registration, course requests, study cards, study results, class schedules, grade transcripts, semester billing information, undergraduate thesis or thesis registration, and book borrowing information.

As a bureau providing information systems and information technology to all academic users, BTSI is responsible for the security of the data and information it manages, including that in SIASAT. Along with its implementation, weaknesses and threats that arise in the system can disrupt the ongoing academic process. These threats can arise from outside and from within the system itself. Cases related to information security, such as loss of student data during the course registration process, are often encountered; this is detrimental to students because it affects the lecture process for the next semester. Hacking of student accounts, which leaves the affected students unable to log in to their accounts, is still common. Up to now, students often complain about servers that are often down during the course registration process.

Previously, the Yemeni Academy for postgraduate studies (YAGS) employed the ISO/IEC 27001:2013 standard to determine the maturity level of information security. The results of the study indicate that the maturity level is at level 2. The gap value between the current maturity level and the expected maturity value was 3.19. It means that many control

1,2 Department of Information Systems, Faculty of Information Technology, Satya Wacana Christian University, Jln. Diponegoro No. 51-60, Salatiga, 50711, INDONESIA (phone: 0298-321212; fax: 0298-324197; e-mail: 1 atanaamah@uksw.edu, 2 682015002@student.uksw.edu)