Information security analysis on physical security in university x using maturity model

Information security is a direct process consisting of a dominant physical security component and simple document classification [1]. The purpose of information security is to protect and preserve the value of an organization, such as its data and information [2]. Information security protection can be carried out in several ways to ensure integrity, confidentiality, and consistency, and to minimize the risks that can arise at any time and endanger the organization's processes. Society judges an organization's reputation by its commitment to the integrity, confidentiality, and availability of information [3]. Maintaining a company's reputation certainly involves basic business needs, including the organization's ability to maintain its functions, to ensure that operations run smoothly with the information technology systems they require, to maintain data collection and use, and to safeguard its technological assets [1]. A threat [2][4] is an action or event that causes loss in terms of funds, effort, or reputation, up to bankruptcy. Threats that can interfere with a business process arise from several factors, so protection of information security is crucially needed. Threats take the form of hardware failure, software failure, human resource failure, natural failure, funding failure, and external and internal failure. Human resource failure can be intentional, causing damage, illegal access, or the leaking of organizational data to third parties [5].
One solution that can be taken if this happens is the use of traditional computing: although there is no full guarantee that it is safe, it at least makes things harder for a thief who wants to steal data or information that is not held in the system [6].


JURNAL INFORMATIKA
ISSN: 1978-0524 Vol. 14, No. 2, May 2020, pp. 76-84
Isnaini and Solikhatin (Information security analysis on physical security in university x using maturity model)

A university must be able to ensure the safety and security of its organization, because this is an important aspect for parents and students when choosing an institution [7]. The threats mentioned above are also present in some departments of University X, especially in physical security. According to [3], several things cause such threats to happen and can ruin the system: unauthorized access, attacks on hardware, wire management, displays, ergonomics, networking, and the human resources that use information technology. At present there is no room specifically designed as an information technology center, let alone protection customized for it. According to [2], a central computer owned by University X should be controlled to prevent unauthorized use; this can be done by assigning each person the responsibility of keeping the central computer or information technology room safe. To make matters worse, there is no standard procedure for handling unexpected damage such as an earthquake or wildfire. Another important physical threat was found: there is no backup telecommunication network, which causes disruption of internet access. The impact is a failure of information processing in the system, e.g. students' academic grades. As mentioned in [8], one alternative that can be implemented is to provide a communication path via satellite, e.g. using VSAT (Very Small Aperture Terminal) technology from the service provider. Service providers can also ensure that the fiber optic cable used is safe from all kinds of disturbance, such as roadworks or government projects, so that the internet service provided to University X can be maximized.
Physical security threats can involve access control systems, fire alarm systems, fire extinguishing systems, warning and evacuation management systems, engineering equipment monitoring and control systems, automation systems, and others. As stated in [9], physical security strategies can be achieved through physical system components. The physical security components consist of situational crime prevention, systems theory, and crime prevention through environmental design. Physical security efforts can be made in various ways to create physical security scenarios that involve identification, analysis, and evaluation. Technical and organizational physical security consists of measures for prevention, cancellation, identification, warning, and feedback on the problem, in support of cybersecurity [10].
The security parameters of a system are highly important to an organization, which must always be aware of threats and of how to prevent them from damaging its assets. The security parameters consist of Physical Security, System Security, Application Security, and Data Security. Physical security [11] is a term for security that focuses on strategic ways of securing users, staff or members of the organization, physical assets, and the workplace from threats such as wildfire, unauthorized access, and natural disasters. The main goal of physical security is to protect information technology and prevent intentional or unintentional damage to it [8]. Physical security must plan ways to protect all of the organization's assets, among others by ensuring that all personnel involved in the organization are safe and by securing organizational assets in the event of a natural disaster [5]. Physical security covers the organization's building, available facilities, human resources, and other organizational assets, so it is important to develop it in order to achieve effective security in terms of resources, infrastructure, and systems [12]. Organizations can be innovative if they apply best practices for overall physical security [13].
Every organization has parameters to measure potential security risks. However, long-term use of implemented information technology can also pose potential threats that cause risks during implementation [14]. A physical security system is usually managed and operated by other security departments or organizations, and some are created and supervised by the building owner [15]. University X has now implemented standard operating procedures, but they do not yet reach all aspects of physical security, whose importance is commonly ignored. This is evident from the absence of rules restricting unauthorized people. In addition, staff at University X are still unaware of the importance of physical security aspects. These aspects are company surroundings, premises, reception, server, workstation area, wireless access points, other equipment, access control, computer equipment, maintenance, wiretapping, and remote access [8]. The standard operating procedure that has been implemented covers hardware usage on the internal campus, whereas software management by certain departments has not been handled properly. The information security policy should cover all aspects. Its goals are: to prevent illegal access to computer systems, to prevent data theft, to keep data integrity, and to prevent damage to information assets [16]. COBIT 5 is the best practice nowadays and is widely used as a measurement tool to design, create, and evaluate activities related to information technology.
COBIT is considered effective, even though the mechanism is not easy because it has to go through various specific stages [17]. COBIT 5 provides complete package contents, with areas that require further elaboration and renewal [18]. COBIT has a scope and objectives that can build objective controls for IT auditors, help manage governance logically, and provide a maturity model for every process that runs [19]. COBIT, used as an information technology management model, implements internal controls and provides guidance for information technology resources including hardware, personnel, and others [20]. COBIT 5 can provide input in the form of recommendations on the information technology being applied and improve its management in the future [21]. According to [22], COBIT 5 is highly effective for managing rules, responsibility, and policy. COBIT 5 functions to assist the organization in measuring information technology to its utmost ability by retaining the advantages, optimizing risk management, and using current resources. Maturity models are used to control information technology processes in an organization with the aim of determining the current management position and the future (expected) management position [13]. A maturity model is a control tool that keeps the organization running in accordance with its objectives. An information security maturity model is used to assess the scale of capability and maturity of an organization with the software used [23]. In addition, the maturity model is also used to find problems and determine the right way to solve them [24]. In summary, our paper's contributions are as follows:
1. We address the importance of security policy, in this case limited to physical security, personnel security, and environmental security, to ensure that resources are well managed and protected from illegal access that may cause destruction of both physical and digital data.
2. We propose that all organizations should be aware of physical security and must establish a security policy, as it directly influences the organization's sustainability.
3. We also suggest that human resources need special briefing and must be well informed about the importance of physical security.

In this domain there are ways to evaluate procedures that are more intensive than information security [25]. This research focuses on one sole domain in COBIT 5: DSS5.5 (Decision Support System of Manage Physical Security to IT Assets). The domain explains the details of physical security and the elements related to it: authentication, access rights, logical access, and user responsibility.

A. Research Flow
The research flow is described below in

Preliminary study research
The preliminary study begins with identifying the problem and the potential errors that could occur and cause new problems to appear within the scope of information security, especially the physical security of University X.

Data gathering
Data gathering is conducted in two ways: an interview and a questionnaire. The interview is addressed to the IT staff and the head of Lembaga Penjaminan Mutu. The questionnaire is addressed to 83 active employees, including the IT staff and the head of Lembaga Penjaminan Mutu, and uses a Likert scale. Respondents are grouped according to the RACI chart, whose function is to identify the levels of responsibility in the organizational structure. RACI is used to map objectives so that appropriate recommendations can be produced [28]. Generally, this is how the RACI

Result and discussion
The discussion covers the data analysis, beginning with the statistical analysis of questionnaire reliability and validity, followed by the analysis of the current and expected conditions, and the gap analysis.

Conclusion and suggestion
A conclusion is drawn from the results of the previous part, and suggestions relevant to those results are then listed.

B. Research Method
The research method used in this paper is descriptive quantitative. Quantitative research is research related to the quantification and analysis of variables to get results that involve numerical data analysis using statistical techniques [26]. Descriptive research is a research method that describes a situation that is happening according to the possibilities that exist systematically and the research instruments can be in the form of tests, questionnaires, interviews or observations [27].

A. General Description
Information technology at University X is managed by two departments, Information Technology and the Technical Computer Laboratory, and is monitored by Lembaga Penjaminan Mutu. Lembaga Penjaminan Mutu at University X is responsible for maintaining the quality of the two departments; if incidents happen, it has the right to evaluate and give suggestions according to the applied standards. The total number of employees is detailed in Table 1. The current policy related to physical security is monitored by Lembaga Penjaminan Mutu and is described in several standard operational procedures, detailed in Table 2. Based on Table 2, it is concluded that the standard policy does not yet cover all aspects of security (preliminary planning, implementation, and evaluation), especially those related to physical security.
According to Indrajit (2014), the current condition in University X is mapped in three parts:

Security policy
The information security policy covers physical security, but this is not yet documented specifically in each standard operational procedure.

Personnel security
A specific rule from the related party about a non-disclosure agreement has not yet been arranged for all employees who use information technology (system and network). Such rules aim to minimize the risk of user error, theft, and facility misuse.

Environment and physical security
The system and network department at University X has not built a central computer area separated from other users, which would restrict unauthorized users from accessing it. Besides, system and network users are not yet fully aware of the importance of a clear desk and clear screen, which is crucial for preventing illegal access and the destruction of both physical and digital data.

B. Statistic and Analysis
This research used statistical data analysis to verify the accuracy of the results: a validity test and a reliability test. The tools used are the questionnaire and the actual maturity level of physical security.
The validity test in this research uses the bivariate Pearson method. The test result shows that all questions are valid. The questionnaire result is accepted because the coefficient value (r-value) of each question is larger than the r table value. The r table value is 0.213 with total questions = 7 and α = 0.05. For more details, see Table 3. The questionnaire reliability is tested with the Cronbach's alpha test; the result can be seen in Table 4.
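The two statistics described above (bivariate Pearson item-total validity and Cronbach's alpha reliability) can be reproduced offline. The following is an added example, not the paper's code or data: RESPONSES is a constructed sample of 10 respondents answering 7 Likert items, the 0.213 threshold is the r table value the paper reports for its own sample, and the alpha ≥ 0.7 rule of thumb in reliability_verdict is an assumption of this example, not a criterion stated by the paper.

```python
"""Questionnaire validity (bivariate Pearson item-total r) and reliability (Cronbach's alpha).

Added example, not the paper's code or data. RESPONSES is a constructed sample of
10 respondents answering 7 Likert-scale items (1-5); the paper surveyed 83 respondents.
The r-table threshold 0.213 (alpha = 0.05) is taken from the paper and reused here only
to show the decision rule; for a real sample, look up the critical r for your own n.
"""
from math import sqrt

R_TABLE = 0.213  # critical r reported in the paper for its sample (alpha = 0.05)

# Constructed sample: one row per respondent, one column per questionnaire item.
RESPONSES = [
    [4, 4, 3, 5, 4, 3, 2],
    [5, 5, 4, 5, 4, 4, 3],
    [3, 3, 3, 4, 3, 3, 2],
    [4, 5, 4, 4, 4, 3, 3],
    [2, 2, 2, 3, 2, 2, 1],
    [5, 4, 4, 5, 5, 4, 4],
    [3, 3, 2, 3, 3, 2, 2],
    [4, 4, 4, 4, 3, 3, 3],
    [5, 5, 5, 5, 5, 4, 4],
    [3, 4, 3, 4, 3, 3, 2],
]


def _mean(xs):
    return sum(xs) / len(xs)


def pearson_r(xs, ys):
    """Pearson product-moment correlation between two equal-length sequences."""
    mx, my = _mean(xs), _mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        raise ValueError("an item with no variance has no defined correlation")
    return cov / (sx * sy)


def _sample_variance(xs):
    m = _mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def item_validity(responses, r_table=R_TABLE):
    """Bivariate Pearson validity test: correlate each item with the respondent total.

    Returns a list of (item_number, r, is_valid); an item is valid when r > r_table.
    """
    totals = [sum(row) for row in responses]
    results = []
    for j in range(len(responses[0])):
        column = [row[j] for row in responses]
        r = pearson_r(column, totals)
        results.append((j + 1, round(r, 3), r > r_table))
    return results


def cronbach_alpha(responses):
    """Cronbach's alpha: k/(k-1) * (1 - sum of item variances / variance of totals)."""
    k = len(responses[0])
    item_vars = [_sample_variance([row[j] for row in responses]) for j in range(k)]
    total_var = _sample_variance([sum(row) for row in responses])
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def reliability_verdict(alpha):
    """Rule of thumb assumed for this example (not from the paper): alpha >= 0.7 is acceptable."""
    return alpha >= 0.7


if __name__ == "__main__":
    for item, r, ok in item_validity(RESPONSES):
        print(f"item {item}: r = {r:.3f} -> {'valid' if ok else 'invalid'}")
    a = cronbach_alpha(RESPONSES)
    print(f"Cronbach's alpha = {a:.3f} -> {'reliable' if reliability_verdict(a) else 'unreliable'}")
```

On the constructed sample every item correlates strongly with the total (all r well above 0.213) and alpha comes out near 0.97; with a real 83-respondent sample the per-item r values would be compared against the same 0.213 threshold, which is what Table 3 of the paper reports.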

C. Current condition analysis
The capability level of the current condition analysis is shown in Table 5.

Table 5. Capability Level

Capability Level              Description
Level 0 (Incomplete Process)  The process is not carried out.
Level 1 (Performed Process)   The process is carried out and reaches its goal.
Level 2 (Managed Process)     The implemented process is managed according to needs, and the right work product is well handled and maintained.
Level 3 (Established Process) The implemented process has achieved the expected results according to the set procedure.
Level 4 (Predictable Process) The implemented process runs within set limits to reach the expected results.
Level 5 (Optimizing Process)  The process is expected to keep improving to fulfill the business's goals, both current and future.

The current condition in University X is described by the actual maturity level values for physical security, detailed in Fig. 3.

Fig. 3. Actual maturity level value
The description of the sub-items of domain DSS5.5 is given in Table 6.

Table 6. Actual maturity level value of domain sub item DSS5.5

Items                                                                          Score
Managing demand and giving access to the computer facility                     3.4
Making sure the access profile conforms to job description and responsibility  3.4
Monitoring all modes of log leading to information technology sites            3.3
Instructing all personnel to display visible identification at all times       3.6
The rule that visitors are monitored at all times in the location              3.3
The restriction of access to sensitive information technology system sites     3.2
Training of awareness for physical security periodically                       2.9
Average                                                                        3.36

According to Table 6, the capability level reached by University X is 3.36, which is Level 3: Established Process. This level shows that the process already runs and conforms to the set procedure. The process has identified the responsibility of each department that manages physical security, though this is not yet entirely carried out.
The implementation does not yet cover all aspects of information security, especially user awareness, as Table 6 shows: user awareness of physical security falls short of expectation and is below the average score of the measured subdomain. This can happen because standard rules have not been arranged, with no planning or evaluation of threats such as natural disasters that can occur and endanger physical security at University X.

D. Gap Analysis
Gap analysis compares the actual maturity value with the expected value of the current process in University X, especially in terms of information security login access and user identity; the gap is the difference between the expected capability level and the current capability level. The gap values for the use of information technology in University X are plotted in Fig. 4, and the gap analysis result is given in detail in Table 7. According to Table 7, the gap value is 0.64. Specifically, the result shows that the largest gap is in user awareness of physical security. The gap arises because the current standard operating procedures focus only on the usage of hardware, software, and accounts, and on awareness of threats to physical security at University X.
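The gap analysis above (per-item gap, overall gap, and the item with the largest gap) is simple enough to reproduce from the figures in Table 6. The following is an added example, not the paper's code: the item scores are those printed in Table 6, the capability level labels come from Table 5, and the expected level of 4.0 is an assumption inferred from the reported overall score of 3.36 and gap of 0.64 (the paper does not state the target explicitly). Because the item scores in Table 6 are rounded to one decimal, their recomputed mean is 3.30 rather than the 3.36 the paper reports; the level and the ranking of items are unaffected.

```python
"""Maturity gap analysis for the COBIT 5 DSS5.5 sub-items measured in the paper.

Added example, not the paper's code. Item scores are the actual maturity values printed
in Table 6. The expected (target) capability level of 4.0 is an assumption inferred from
the paper's overall score 3.36 and reported gap 0.64.
"""
from statistics import mean

# Actual maturity scores per sub-item, as printed in Table 6 of the paper.
ITEM_SCORES = {
    "Managing demand and giving access to the computer facility": 3.4,
    "Access profile conforms to job description and responsibility": 3.4,
    "Monitoring all modes of log leading to IT sites": 3.3,
    "All personnel display visible identification at all times": 3.6,
    "Visitors are monitored at all times in the location": 3.3,
    "Access to sensitive IT system sites is restricted": 3.2,
    "Periodic physical security awareness training": 2.9,
}

TARGET_LEVEL = 4.0  # assumed expected capability level (not stated by the paper)

# COBIT 5 process capability levels as listed in Table 5 of the paper.
CAPABILITY_LEVELS = [
    "Level 0 (Incomplete Process)",
    "Level 1 (Performed Process)",
    "Level 2 (Managed Process)",
    "Level 3 (Established Process)",
    "Level 4 (Predictable Process)",
    "Level 5 (Optimizing Process)",
]


def capability_level(score: float) -> str:
    """Map a maturity score to its capability level (the whole part of the score)."""
    if not 0.0 <= score <= 5.0:
        raise ValueError(f"score out of range: {score}")
    return CAPABILITY_LEVELS[min(int(score), 5)]


def gap_analysis(scores: dict, target: float = TARGET_LEVEL) -> dict:
    """Per-item and overall gap (target minus actual), a priority order, and below-average items."""
    average = round(mean(scores.values()), 2)
    per_item = {name: round(target - s, 2) for name, s in scores.items()}
    # Largest gap first: this is the order in which remediation effort should be spent.
    ranked = sorted(per_item.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "average": average,
        "level": capability_level(average),
        "overall_gap": round(target - average, 2),
        "per_item_gap": per_item,
        "priority": [name for name, _ in ranked],
        "below_average": [name for name, s in scores.items() if s < average],
    }


if __name__ == "__main__":
    report = gap_analysis(ITEM_SCORES)
    print(f"average {report['average']} -> {report['level']}, gap to target {report['overall_gap']}")
    for name in report["priority"]:
        print(f"  gap {report['per_item_gap'][name]:.2f}  {name}")
```

Run as a script, the report ranks the awareness-training item first (gap 1.1 against the assumed target) and flags it together with the sensitive-site access restriction as the two items below the subdomain average, which matches the paper's finding that awareness is the weakest area.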

IV. Conclusion and Suggestions
The analysis and measurement of maturity level show that University X is at Level 3, Established Process. At this level, University X is rated as already conforming to the standard operating procedures for the activities led by the Department of Information Technology and the Computer Laboratory to reach the expected goal. In certain conditions, however, a weakness is found related to user awareness of physical security, confirmed by its maturity level result of 2.9. Besides, a Disaster Recovery Plan has not yet been arranged within the Standard Operational Procedure framework, which makes incident handling and risk management difficult to conduct properly. Information security management in the field of physical security has to improve its employees' capability in order to reduce the gap. This is important so that the policy that has been arranged can be followed optimally by all elements of University X. From this, the following suggestions are needed to reach the goal:
1) Human resources, as information technology users, receive special training about information security, specifically physical security, according to the set procedure designed by Lembaga Penjaminan Mutu;
2) Infrastructure and facilities are added: fingerprint or other specific biometric control for the data center and the information technology management room; and
3) A policy or rule is added: a Disaster Recovery Plan as an item of the current standard operating procedures.