Information Technology Risk Management Using ISO 31000 Based on the ISSAF Penetration Testing Framework

Abstract

Information security is critical for higher education institutions, which manage large amounts of sensitive data in the digital age. Data breach incidents in Indonesia's academic sector reached 2,217 in 2021. A university website with 36 web-based information system services was found to have been defaced.  SQL injection and XSS attacks, which can lead to data breaches, system manipulation, and disruption of academic services, are also common. These attacks underscore the importance of strong security measures to protect data and preserve the reputation of education. This research assesses the security risk of the XYZ University website using the ISSAF and ISO 31000. ISSAF was applied in four stages: information gathering, network mapping, vulnerability identification, and penetration testing with customization for university web systems. ISO 31000 was used to assess risk severity, resulting in classifications of two high, six medium, and twelve low risks. Security recommendations were developed to address the key risks and can be applied to other universities facing similar threats. The findings provide great insight for educational institutions to strengthen their cybersecurity. Implementing appropriate measures not only improves privacy, but also builds trust and reputation. Proactive information security is becoming a critical asset for the sustainability and credibility of higher education institutions in this vulnerable digital age