Security and Risk Assessment of Academic Information System By Using NIST Framework (A Case Study Approach)

Abstract

Security audit and risk management can be done using standard framework. NIST is one of the framework which usually used to identify the security and risks on information system. The assessment is done to the security and risk in academic information system at Univeristas Sangga Buana (USB) Bandung that it is expected to minimize the risks occurs to the academic information system. The result of security audit on academic information system with NIST SP 800–26 framework shows the security on the system has the whole score as big as 72.43%. the score is obtained from the calculation of 3 categories tested namely Management Control, Operational Control, and Technical Control. Based on the data, the security of information system in USB belongs to level 3, Implemented Procedures and Controls. Risk management is done using some stages on NIST SP 800–30, with the help of Acunetix Scanning Application. Based on the result of scanning using Acunetix, academic information system at USB has 600 pieces of vulnerabilities. These vulnerabilities divided into 4 levels of vulnerability, namely 4 pieces of high level of vulnerabilities, 40 pieces of medium level of vulnerabilities, 13 pieces of low level of vulnerabilities, and 543 pieces of informational vulnerabilities