Analysis and Design of Information Security Management System Based on ISO 27001: 2013 Using ANNEX Control (Case Study: District of Government of Bandung City)

Received May 09, 2020 Revised Jun 02, 2020 Accepted Jun 29, 2020 The Department of Communication and Information (Diskominfo) of the Bandung City Government is an agency that has the responsibility of carrying out several parts of the Regional Government in the field of communication and informatics. Based on the composition of the regional service organization Bandung City Diskominfo has five fields and two UPTs which are part of the Bandung City Diskominfo. Bandung City Diskominfo in implementing work programs has IT as a supporter of business processes in government agencies. Based on the results of research conducted that IT management in Bandung City Government Diskominfo found several clauses that were still unfulfilled in this Diskominfo impact on the management of government information security institutions that can affect the performance of Bandung City Government. Therefore, there is a need for standardization that needs to be implemented as a guide that examines the direction in safeguarding information or assets that are considered sensitive to an organization. With the existence of these problems pushed to design information security recommendations based on ISO 27001: 2013 standards at Diskominfo. Also makes the design of IT information security systems that are focused on the control of Annex Information Security Policies, Human Resource Security, Operational Security, Communication Security and Asset Management so that business IT processes can run in accordance with the objectives of the organization. The results of this study are expected to help in securing IT information at the Bandung Diskominfo City and can also improve the goals of an organization.


INTRODUCTION
At present, the development of Information Technology (IT) has become a very important part of almost all fields of life. This development can support the organization in fulfilling all organizational activities which are processes to achieve goals. The latest fact is the increasing dependence of organizations on IT to achieve business strategies and needs is the main thing in the importance of success in an organization. The dependency has an impact on the growing need for IT services that continue to grow. IT services can increase the effectiveness and efficiency of organizational needs [1].
In the era of the millennial society at this time, the development of IT is not only limited to the industrial sector but has entered the government sector also has implemented IT management. This development has an impact on the main business processes, namely in the decision-making process carried out by management. With IT, the role of each managerial in decision making can provide decisions based on accurate, reliable information and can consider the risks that will occur [2], [3]. When viewed in terms of implementation, IT has produced positive things that can build into the ongoing needs of government, but on the other hand, there are also negative things that can reduce the performance of the government. Therefore, it must pay attention to any external factors that can influence the application of IT, to reduce the negative impact. IT risk management is a process of risk identification, risk assessment, and taking steps to reduce risk to an acceptable level. negativity can give can be bad for the performance of government agencies [4]± [7].
Initially, the Bandung Office of Communication and Information (Diskominfo) was one of the regional technical institutions in the form of the Bakominfo Communication and Information Agency. Based on the results of observations and interviews that have been carried out that IT management in Bandung City Government Diskominfo found several clauses that were still unfulfilled in this Diskominfo impact on the management of government information security institutions that can affect the performance of the Government of Bandung City. Therefore, there needs to be standardization that needs to be implemented as a guide that provides direction in safeguarding information or assets that are considered sensitive to an organization.
With the existence of these problems pushed to design information security recommendations based on ISO 27001: 2013 standards [8]± [10] at Diskominfo. It also makes the design of IT information security systems that are focused on the control of Annex Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operational Security, Communication Security, Acquisition, Development, and Maintenance of the System [10]. so that business IT processes can run in accordance with the objectives of the organization.

LITERATURE STUDY 2.1. Information System Security
Information System Security is an attempt to secure information assets from various threats and vulnerabilities that exist to ensure the continuity of business, and reduce the impact that will occur due to threats and vulnerabilities that occur. The following is a model of aspects of information system security. The following is an explanation of the aspects of information system security [ Aspects that maintain the confidentiality of information or data, to ensure that information can only be accessed by people who have the authority and guarantee the confidentiality of data.

Integrity
Aspects that guarantee the data will not be changed without permission from the party that has the authority (authorized), to maintain the integrity of the information and method of the process.

Availability
The aspect that provides that data will be available when needed, ensures that authorized users can use the information and related tools.

IT Risk Management
Risk management is a scientific approach to managing risk by anticipating possible losses, designing, and implementing procedures that can minimize the occurrence of losses or the financial impact of losses that occur [7]. Risk Management is an act of practice with risk management, using methods and tools to manage the risks of a project [4], [5]. Risk management is the total process used in identifying, controlling, and minimizing the impact of uncertain events [6].
In general, risk management will be followed by determining the priority of risks that can have an adverse impact on the organization or company, as well as priorities in handling them. The steps that can be taken by an organization or company in handling risk are as follows: 1. Accept Top Management decides to accept the risk if the magnitude of the impact and the level of inclination is still within the organizational tolerance limits.

Avoid
The organization decides not to carry out an activity or choose other alternative activities that produce the same output to avoid the risk.

Mitigate
The organization decides to reduce the impact and the likelihood of risks to the institution.

Transfer
The organization decides to transfer all or part of its responsibilities to third parties

SNI ISO / IEC 27001-Information Security Management System Requirements
SNI ISO / IEC 27001 issued in 2009 and is the Indonesian version of ISO / IEC 27001: 2005, contains specifications or requirements that must be met in building an Information Security Management System (ISMS). This standard is independent of IT products, requires the use of a risk-based management approach, and is designed to ensure that selected security controls are able to protect information assets from various risks [12].
This standard was developed using a process approach as a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. The process approach encourages users to emphasize the importance of [12]: 1. Understand the organization's information security requirements and the need for information security policies and objectives 2. Implement and operate controls to manage information security risks in the context of the organization's overall business risk 3. Monitoring the performance and effectiveness of ISMS 4. Continuous improvement is based on measuring the level of achievement of objectives The PLAN -DO -CHECK -ACT (PDCA) method is applied to the overall structure of ISMS [5]. In the PDCA model, the whole ISMS process can be mapped as shown in Table 1. Assess and measure the performance of the process against policies, targets, practices in implementing ISMS and report the results to management for review. 4 ACT (Maintaining and improving ISMS) Take corrective and preventive actions, based on evaluation results, internal audits and management reviews of ISMS

Control of ANNEX
Annex controls are controls that have been designed to ensure that selected information security controls are able to protect information assets from a variety of risks and provide a level of security for stakeholders. The following is an explanation of the controls used in related research: 1. A.8 Asset Management A guideline in providing appropriate protection of organizational assets and identifying these assets properly. 2. A.9 Access Control Is control in which there is a way to limit user access to information by regulating the authority of its access rights, including control in networking or in mobile-computing.

A.10 Cryptography
It is a sure use of cryptographic appropriate effective guidelines to protect the integrity of confidential information 4. A.11 Physical and Environmental Safeguards Is a guideline in preventing data loss / damage arising from the physical environment, including natural disasters and theft of data stored in storage media. 5. A.12 Operation Safety Is a maintenance of information security at large, in maintaining and maintaining the integrity of the information system against external parties. The aim is to prevent loss, damage, theft or compromise of assets and disruption to the organization's operations. 6. A.13 Communication Security Ensuring that communication security has provided more security, both communication technology and its contents. The aim is to ensure the protection of information in the network and supporting information processing facilities. 7. A.14 System Acquisition, Development and Maintenance Ensuring that information systems and applications that have just been implemented are able to be integrated through the validation of data / information.

RESEARCH METHODOLOGY 3.1. Conceptual Model
In this research, we need a conceptual model that provides a framework for thinking by describing methods in solving problems in a structured manner [13]. Based on the conceptual models that have been made, three elements describe the flow of research in the design and modeling of Information Security Management Systems in Bandung City Communication and Information. 1. The first element is related to the problem and the environment. Where the problem in Bandung City Diskominfo is the lack of human resources who understand the importance of information security, the absence of Company Operational Standards related to Information Security and the absence of management in securing information in the scope of service. 2. The second element contains Information Systems Research that illustrates some of the implementations needed to provide solutions to problems that exist in Diskominfo. Some of these stages started from the Initiation of the ISMS Project to the Design of the ISMS 3. The third element is a knowledge base consisting of concepts and methods. The concept will be applied in this study, while the method is a way to collect data conducted in this study consisting of interviews, observations, and literature studies.

Systematic Research
The problems contained in this study require regular problem-solving. Systematic problem solving will help the research carried out by having the stages to be passed in the research process. The following explanation of the research system can be seen in Figure 2.

. GAP Assessment
Gap assessment is an assessment process carried out divided into two parts, namely those that will conduct an assessment of the current conditions with ideal conditions in accordance with ISO 27001: 2013 guidelines which will help to know the extent of achieving the objectives at Diskominfo. This gap assessment is obtained by conducting research on each annex control contained at ISO 27001: 2013.

Assessment Results
The results of the gap assessment are the results of the requirements derived from the ISO 27001: 2013 gap assessment. This result represents the number of requirements that are met and not met from the total presentation of each annex control. The following are the results of the gap assessment. The following are the results of the gap assessment which can be seen in Table 2. 2. Identification of Findings that are not in accordance with the Terms The purpose of risk identification is to find out the list of clauses that are not fulfilled in accordance with the controls in ISO 27001: 2013. The following are the results of risk identification based on the assessment of information security gaps which can be seen in Table 3.

Risk Assessment
The process of risk assessment or assessment of risk is an assessment of the risks that have been and are happening in Bandung City Diskominfo. This process is expected to bring up the priority process of the agency according to the assets seen from various kinds of risks that have occurred and are taking place in Bandung's Diskominfo. In conducting this risk assessment researchers conducted several stages including searching for identification of risks, vulnerabilities, threats to make risk criteria, risk analysis that led to the determination of the ISO 27001 process that must be prioritized relating to solutions of risk resolution.

Identification of Assets
Asset identification is useful for determining assets associated with access control in Bandung City Diskominfo. Based on the results of observations made, the assets identified can be seen in Table 4.

Identification of Threats and Vulnerabilities
The threat identification stage is the stage of combining the information obtained when direct observation, interviews, or literature studies have been carried out by looking for any threats that will appear in the gap assessment that is not met can be seen from Table 5.

Risk Analysis
Risk analysis is the activity of analyzing risks to the likelihood and impact that has been determined and determining the level of risk based on the specified risk appetite.

Identification of Risk Levels
Risk criteria are a standard measure of how likely an impact or consequence will occur and how likely it is or the frequency of risk will occur. In making risk criteria, researchers use a 5 x 5 probability and impact table consisting of 5 probability levels and 5 impact levels can be seen in Figure 3. To find out the standards and criteria of probability and impact arising from each risk assessment researchers propose criteria the probability and impact after being verified by Diskominfo Kota Bandung can be seen in Table 6.  The absence of procedures related to secure log-on application that is used MEDIUM 2 Do not have procedures related to password management HIGH 3 There are no restrictions on the source code in the application HIGH 4 Internal cable security is still inadequate HIGH 5 There is still a lack of specific security related to equipment outside the office HIGH 6 The absence of clear desk and clear screen MEDIUM 7 Operational procedures have not been documented MEDIUM 8 Don't have anti-malware related policies MEDIUM 9 The absence of procedures regarding software installation controls in operational systems that have been implemented LOW 10 There are no restrictions on the installation of software MEDIUM 11 There are no restrictions on the software package HIGH 12 The absence of safe engineering principles MEDIUM

Designing People
People design is the result of design obtained based on risk assessment that discusses controls about the organization, competencies and abilities. The design of people carried out will produce recommendations for new organizational structures on competencies and abilities will produce recommendations for competency resources that must be possessed by each organizational structure based on the needs of the implementation process 1. Organizational Structure Design The design of the organizational structure is the result of recommendations given from the gaps that occur in the organizational structure contained in Bandung City Government Diskominfo. This recommendation will be carried out in the design process of the organizational structure that manages the strategy, manages the budget, secures information and manages relationships between third parties, then an additional description will be made. a. Head of Department 1) Plan and establish programs related to information security management systems for the Bandung City Government Diskominfo 2) Coordinate the implementation of information year 2) Carry out plans related to ISO 27001 certification in order to support the business activities of an organization that will increase the value of the risk of information security disruption i. Application Management Section 1) Arrange management of application access rights so that the Regional Apparatus cannot make application modifications j. Head of Information System Encryption and Security Section 1) Conduct staffing training on information security management to increase awareness of every employee of the importance of ISMS 2) Implementing ISMS management practices in the scope of Diskominfo.

Design Process
The process design is the result of design obtained based on the risk assessment that discusses the control of the regulations and documentation that has been owned by Diskominfo. The process design that is carried out will produce recommendations in the form of documentation such as policies, SOP (Standard Operational Procedure), as well as work instructions that can later make Diskominfo even better.

Technology Design
The design of technology is the result of design obtained based on the design of the risk assessment that has been analyzed. The design of technology carried out at risk assessment will produce recommendations for tools and applications used to support the needs of the implementation process.

Recommended Tools
The design of tools is carried out based on recommendations from risk assessments which are based on high risk categories carried out in Bandung City Diskominfo. On the results of the risk assessment, it can be concluded that in Bandung City Diskominfo there are no adequate supporting tools in conducting ISMS. Based on the research results, it is recommended to use the McAfee application because these tools are the cheapest in cost and available in free applications for use with features that can support maintaining forms to secure, detect, and remove computer viruses from computer systems.

CONCLUSION
Based on the results of gap analysis and risk assessment results that have been carried out in the study, it can be concluded that the solution that will be made is the design of people based on the design of the organizational structure and competence of human resources, while the process will be made policies and standard operational procedures to improve government agency documentation and the last solution technology that will support information security in terms of antivirus. This research resulted in the design of information security in the form of a description of the current security conditions as well as the proposed improvement of security in the future that can be used as a reference in making ISMS planning strategies to improve performance and support the achievement of business strategies in Bandung City Government Communication and Information.