DESIGN OF A RISK ASSESSMENT MEASUREMENT INSTRUMENT AS A RECOMMENDATION FOR RISK MITIGATION STRATEGY AT SBUPE BANDUNG
THESIS
A written work submitted as one of the requirements for obtaining the Master's degree from Institut Teknologi Bandung
By
YUDI PRIYADI
NIM: 23205030
Electrical Engineering Study Program
INSTITUT TEKNOLOGI BANDUNG
2008
DESIGN OF A RISK ASSESSMENT MEASUREMENT INSTRUMENT AS A RECOMMENDATION FOR RISK MITIGATION STRATEGY AT SBUPE BANDUNG
By
YUDI PRIYADI
NIM: 23205030
Electrical Engineering Study Program, Institut Teknologi Bandung
Approved, 6 March 2008
Supervisor,
___________________________ ( Dr. Ing. Ir. Suhardi )
ABSTRACT
DESIGN OF A RISK ASSESSMENT MEASUREMENT INSTRUMENT AS A RECOMMENDATION FOR RISK MITIGATION STRATEGY AT SBUPE BANDUNG
By
YUDI PRIYADI
NIM: 23205030

Risk management is the process carried out by IT managers to balance operational activity and financial expenditure, in order to obtain benefit by protecting the IT systems and data that support the organization's mission. This activity comprises three processes: risk assessment, risk mitigation, and evaluation and assessment. There are two basic methods of risk analysis for weighing these considerations: quantitative risk analysis and qualitative risk analysis. Quantitative risk analysis attempts to assign an objective monetary value to each component of the risk assessment and to the valuation of potential loss. By contrast, qualitative risk analysis is scenario-based. In designing this instrument, the assets directly related to the operation of the Track and Trace system were grouped, producing several asset tables. The data for this asset grouping came from field study and from the organization's regulatory documentation on accounting, in which those assets had already been recorded as tangible assets. Next, qualitative and quantitative risk analysis was performed as part of the risk assessment activity. The result of this design is a fill-in template that can serve as a supporting recommendation for the risk management strategy. For testing the design, this report presents suggested steps, namely adopting the audit methodology of COBIT (Control Objectives for Information and related Technology) found in the CISA Review Manual.

Keywords: Risk Management, Risk Assessment, Risk Mitigation, Evaluation and Assessment, risk analysis, qualitative quantitative, asset.
ABSTRACT
DESIGN OF A RISK ASSESSMENT MEASUREMENT INSTRUMENT AS A RECOMMENDATION FOR RISK MITIGATION STRATEGY IN SBUPE BANDUNG
By
YUDI PRIYADI
NIM: 23205030

Risk management is the process conducted by IT managers to balance operational activity and financial expenditure in order to obtain benefit by protecting the IT systems and data that support the organization's mission. This activity consists of three processes: risk assessment, risk mitigation, and evaluation and assessment. There are two types of risk analysis method for making this consideration: quantitative and qualitative risk analysis. In quantitative risk analysis, managers try to assign a monetary value objectively to one particular component and to assess the potential loss. On the contrary, qualitative risk analysis is based on a scenario. In designing this instrument, the assets directly related to the operation of the Track and Trace system were grouped, producing several tables of assets. For grouping these assets, the data were taken from field study and from the documentation of organizational regulations. Concerning the documentation, the data were the tangible assets recorded by the accounting department. Then, risk analysis was conducted qualitatively and quantitatively as part of the risk assessment activity. The result of this design is a fill-in template that can serve as a supporting recommendation for the risk management strategy. Meanwhile, to examine the design, this report presents suggested steps for conducting the examination, namely adopting the audit methodology of COBIT (Control Objectives for Information and related Technology) found in the CISA Review Manual.

Keywords: Risk Management, Risk Assessment, Risk Mitigation, Evaluation And Assessment, risk analysis, quantitative qualitative, asset.
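As an added illustration of the two methods the abstract contrasts (this is not the thesis's own instrument, and none of the figures are SBUPE data): the qualitative side maps a likelihood/impact pair to a risk level through a risk-level matrix, and the quantitative side computes SLE = AV x EF, ALE = SLE x ARO and the net annual value of a safeguard for one row of a fill-in template. The High/Medium/Low matrix scale is assumed from NIST SP 800-30, not taken from the thesis's tables; asset value, EF, ARO and cost figures are constructed.

```python
"""Constructed worked example of qualitative and quantitative risk
analysis. Asset values, EF, ARO and cost figures are invented for
illustration and are not SBUPE data."""
from dataclasses import dataclass

# --- Qualitative method: likelihood x impact risk-level matrix -----------
# Scale assumed from NIST SP 800-30 (High/Medium/Low), not from the thesis.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_level(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to a risk level via the matrix score."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# --- Quantitative method: SLE, ALE and safeguard cost/benefit ------------
@dataclass
class RiskScenario:
    asset: str
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario,
                    annual_safeguard_cost: float) -> float:
    """Net annual value of a safeguard: ALE(before) - ALE(after) - cost.
    A positive result means the safeguard is worth funding."""
    return before.ale() - after.ale() - annual_safeguard_cost


# Constructed scenario: a track-and-trace database server before and after
# a backup-and-restore safeguard that lowers both EF and ARO.
BEFORE = RiskScenario("Track & Trace DB server", 200_000_000, 0.5, 0.5)
AFTER = RiskScenario("Track & Trace DB server", 200_000_000, 0.1, 0.25)
SAFEGUARD_COST = 15_000_000  # constructed annual cost of the safeguard


def fill_template(before: RiskScenario, after: RiskScenario,
                  cost: float) -> dict:
    """Produce one row of a fill-in template like the one the abstract describes."""
    net = safeguard_value(before, after, cost)
    return {
        "asset": before.asset,
        "SLE_before": before.sle(), "ALE_before": before.ale(),
        "SLE_after": after.sle(), "ALE_after": after.ale(),
        "safeguard_cost": cost, "net_benefit": net, "recommend": net > 0,
    }


if __name__ == "__main__":
    print("qualitative risk level:", risk_level("High", "Medium"))
    for key, value in fill_template(BEFORE, AFTER, SAFEGUARD_COST).items():
        print(f"{key}: {value}")
```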
THESIS USAGE GUIDELINES
Unpublished master's theses are registered and available at the Institut Teknologi Bandung Library, and are open to the public on the condition that copyright rests with the author, in accordance with the intellectual property (HaKI) rules in force at Institut Teknologi Bandung. Bibliographic references may be recorded, but quotation or summarization may only be done with the author's permission and must follow the scholarly custom of citing the source. Reproducing or publishing part or all of the thesis requires the permission of the Director of the Graduate Program, Institut Teknologi Bandung.
DEDICATION
Walhamdulillahirabbil'aalamin.....
Dedicated to Pramoedya, that he may become better than his father in seeking knowledge for life in this world and in the hereafter......
PREFACE
Praise and thanks the author offers to Allah S.W.T., for by His grace and guidance this report could be completed. This work, entitled "Design of a Risk Assessment Measurement Instrument as a Recommendation for Risk Mitigation Strategy at SBUPE Bandung", is one of the requirements for obtaining a master's degree at Institut Teknologi Bandung. The author thanks the following for the help given, which made the completion of this report possible:
1. Mr. Dr. Ing. Ir. Suhardi, as thesis supervisor; the author gained many new insights from this topic. Thank you,
2. Mr. Ir. Albarda, M.T., as academic advisor,
3. Mr. Ir. Yudi Satria Gondokaryono M.Sc, Ph.D, Mr. Ir. Tunggal Mardiono M.Sc., and Mr. Ir. Budiman Dabarsyah MSEE, as examiners at the thesis defense. Thank you,
4. The Information Technology lecturers who passed on knowledge, guidance and insight during the coursework. Thank you,
5. Friends of Information Technology 2005, for the very sweet and warm companionship during the coursework. Thank you,
6. The staff and employees of LSS, for very friendly and welcoming administrative service,
7. My mother Tien Martinah, who always prays for my happiness,
8. My son Pramoedya and my wife Eli, who are the inspiration for improving my life. Now that this coursework is finished, may our future become better. Amen...
The author realizes that this thesis report still has many shortcomings; therefore the author very much hopes for suggestions, criticism or scolding so that the next written report can be better. Walhamdulillahirabbil'aalamin.
Bandung, March 2008
The Author
TABLE OF CONTENTS
Page
ABSTRACT (Indonesian) ..... i
ABSTRACT (English) ..... ii
THESIS USAGE GUIDELINES ..... iii
DEDICATION ..... iv
PREFACE ..... v
TABLE OF CONTENTS ..... vi
LIST OF FIGURES ..... ix
LIST OF TABLES ..... x
LIST OF APPENDICES ..... xii
CHAPTER I INTRODUCTION ..... 1
I.1 Background ..... 1
I.2 Problem Formulation ..... 3
I.3 Objectives ..... 4
I.4 Scope of the Problem ..... 4
I.5 Research Methodology ..... 5
I.6 Structure of the Thesis ..... 7
CHAPTER II LITERATURE REVIEW ..... 9
II.1 Information Technology Risk Management ..... 9
II.1.1 Risk Assessment ..... 9
II.1.1.1 System Characterization ..... 11
II.1.1.2 Threat Identification ..... 14
II.1.1.3 Vulnerability Identification ..... 15
II.1.1.4 Control Analysis ..... 19
II.1.1.5 Likelihood Determination ..... 20
II.1.1.6 Impact Analysis ..... 21
II.1.1.7 Risk Determination ..... 24
II.1.1.8 Control Recommendations ..... 26
II.1.1.9 Results Documentation ..... 27
II.1.2 Risk Mitigation ..... 27
II.1.2.1 Risk Mitigation Options ..... 28
II.1.2.2 Approach For Control Implementation ..... 29
II.1.3 Evaluation and Assessment ..... 32
II.2 Risk Analysis Methods ..... 32
II.2.1 Qualitative Risk Analysis and Its Calculation ..... 33
II.2.1.1 Asset Identification and Valuation ..... 34
II.2.1.2 Vulnerability Identification and Valuation ..... 34
II.2.1.3 Threat Assessment ..... 35
II.2.1.4 Potential Impact Estimation ..... 35
II.2.1.5 Likelihood of Threat Occurrence ..... 36
II.2.1.6 Exposure Rating ..... 36
II.2.1.7 Risk Measurement ..... 37
II.2.1.8 Safeguard ..... 37
II.2.1.9 Residual Risk ..... 38
II.2.2 Quantitative Risk Analysis and Its Calculation ..... 38
II.2.2.1 Risk Analysis Procedure ..... 38
II.2.2.2 Risk Analysis Calculation ..... 39
II.2.2.3 Valuation of Tangible and Intangible Assets ..... 40
II.2.2.4 Alternative Ways of Estimating Threat and Risk for ALE ..... 41
II.2.2.5 Risk Analysis Reference Data ..... 42
CHAPTER III SBUPE CASE STUDY ANALYSIS ..... 46
III.1 SBUPE Profile ..... 46
III.2 Business Processes ..... 47
III.2.1 Recording Process ..... 49
III.2.2 Transaction Evidence and Document Preparation ..... 51
III.2.3 Reports ..... 53
III.2.4 Coding ..... 53
III.3 Business Rules ..... 55
III.3.1 Data Security ..... 55
III.3.2 Data Validation ..... 56
III.4 Asset Identification ..... 56
CHAPTER IV INFORMATION TECHNOLOGY RISK MANAGEMENT ANALYSIS ..... 61
IV.1 Application of the Risk Analysis Method Flow ..... 61
IV.1.1 Application of the Qualitative Method at SBUPE ..... 61
IV.1.2 Application of the Quantitative Method at SBUPE ..... 62
IV.2 Asset Grouping ..... 63
IV.3 Qualitative Risk Analysis ..... 64
IV.3.1 Asset Identification and Valuation ..... 65
IV.3.2 Threats to the Track and Trace System ..... 65
IV.3.3 Vulnerabilities in the Track & Trace System ..... 69
IV.3.4 Risks to the Track & Trace System ..... 73
IV.3.5 Risk Measurement ..... 75
IV.4 Quantitative Risk Analysis ..... 77
IV.4.1 Asset Identification and Valuation ..... 77
IV.4.2 Threat and Vulnerability Assessment ..... 78
IV.4.3 Cost and Benefit Analysis ..... 85
CHAPTER V RISK MITIGATION STRATEGY ..... 90
V.1 Risk Mitigation at SBUPE ..... 90
V.2 Instrument Design Flow ..... 91
V.3 Risk Mitigation Strategy at SBUPE ..... 92
V.5 Suggested Testing of the Design ..... 93
CHAPTER VI CONCLUSION ..... 95
VI.1 CONCLUSION ..... 95
VI.2 SUGGESTIONS FOR FURTHER DEVELOPMENT ..... 96
REFERENCES ..... 97
APPENDIX 1 Questionnaire Guide ..... 99
APPENDIX 2 Interview Guide ..... 101
LIST OF FIGURES
Page
Figure I.1 Conceptual Framework ..... 7
Figure II.1 Risk Assessment Process [2] ..... 10
Figure II.2 Risk Mitigation Process [2] ..... 31
Figure II.3 CIA Triad [19] ..... 34
Figure II.4 Risk Level Conversion [1] ..... 42
Figure III.1 Organizational Structure of SBUPE Bandung [20] ..... 46
Figure III.2 CD of SBUPE Business Processes ..... 47
Figure III.3 DFD Level 1 of SBUPE Business Processes ..... 48
Figure IV.1 Qualitative Method Application Flow ..... 61
Figure IV.2 Quantitative Method Application Flow ..... 62
Figure V.1 Design Process Flow ..... 91

LIST OF TABLES
Page
Table II.1 Human Threats [2] ..... 14
Table II.2 Vulnerability/Threat Pairs [2] ..... 16
Table II.3 Security Criteria [2] ..... 19
Table II.4 Likelihood Definitions [2] [8] ..... 21
Table II.5 Magnitude of Impact Definitions [2] [8] ..... 23
Table II.6 Differences between Qualitative and Quantitative Analysis [8] ..... 24
Table II.7 Risk-Level Matrix [2] ..... 25
Table II.8 Extended Risk-Level Matrix [8] ..... 25
Table II.9 Risk Scale and Necessary Actions [2] [8] ..... 26
Table II.10 Exposure Rating [8] ..... 36
Table II.11 EF Value Estimation ..... 39
Table II.12 Primary Data [1] ..... 43
Table II.13 Opinion Survey Results [1] ..... 45
Table III.1 Transaction Documents [20] ..... 52
Table III.2 Types of Reports [20] ..... 53
Table III.3 Coding [20] ..... 54
Table III.4 Data Validation ..... 56
Table III.5 Job Positions and Number of Employees [20] ..... 59
Table IV.1 SBUPE Asset Grouping ..... 64
Table IV.2 Asset Identification and Valuation ..... 65
Table IV.3 Threat Assessment ..... 67
Table IV.4 List of Vulnerabilities in Organizational Assets ..... 70
Table IV.5 List of Risks at SBUPE ..... 74
Table IV.6 Risk Measurement ..... 76
Table IV.7 Asset Identification and Valuation ..... 77
Table IV.8 Likelihood of Threat Occurrence Based on ARO ..... 78
Table IV.9 Exposure Rating ..... 80
Table IV.10 Single Loss Expectancy ..... 82
Table IV.11 Annualized Loss Expectancy ..... 84
Table IV.12 Safeguard Effectiveness ..... 86
Table IV.13 SLE from Implementation ..... 87
Table IV.14 ALE from Implementation ..... 88
Table IV.15 Cost/Benefit Analysis ..... 89
Table V.1 Risk Mitigation Strategy ..... 92
Table V.2 Testing of the SBUPE Risk Management Strategy Design ..... 94

LIST OF APPENDICES
Page
APPENDIX 1 Questionnaire Guide ..... 99
APPENDIX 2 Interview Guide ..... 101