Information Technology Risk Control of University in a Work from Home Situations

The University is one of the educational institutions affected by the COVID-19 pandemic. Most of its activities, which are academic management, human resource management, information technology services, and so on were changed into WFH (Work from Home) supported by information technology. Utilization of information technology in supporting WFH can create various risks and needs to be controlled either preventive, detective, or corrective to minimize the impact. This research will focus on planning for university information technology risk control in working from home conditions by referring to the ISO 31000:2018 standard for risk management processes, COBIT 5 Generic Risk Scenario for defining risk scenarios, and DoD Instruction 8500.2 and NIST SP 800-53 in the identification of risk controls. The resulting solution is in the form of a risk treatment plan. This solution is expected to assist universities in identifying risks related to information technology and planning controls related to the implementation of work-from-home in their environment.


INTRODUCTION
Information Technology (IT) has become essential to various human activities. The use of IT usually poses risks that can impact the organization or company. Risk is the effect of uncertainty on objectives; an effect is a deviation from the expected - positive, negative, or both; objectives can have different aspects and categories, and can be applied at different levels [1]. Failures experienced by organizations in managing risk can be caused by a lack of understanding of the risks that occur and failure to identify appropriate risk response activities. In addition, failure to establish a risk management strategy and communicate the strategy may result in inadequate risk management. Risk management is a systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring the risk [2]. Currently, Indonesia is hit by the Covid-19 pandemic, and all levels of Indonesian society work together in handling Covid-19, from the central government level down to the lowest level, namely the family sphere. The Covid-19 outbreak has had a systemic impact on every level of society. The work sector, both formal and informal, such as education and tourism, must work hard to adapt to the development of the Covid-19 infection. Therefore, Indonesia has adopted the employment sector policy by implementing the Work from Home (WFH) method [4]. In general, WFH means that employees work outside the office; this can be at home, at a cafe, at a villa, or anywhere, depending on the comfort of the employee when not in the office. WFH is usually used by employees when they are bored with the office atmosphere and want to feel a different atmosphere, more flexible and able to unify the work atmosphere and real life to further increase productivity [5].
With the WFH method, many risks are faced by various parties, one of which is an organization or company: data security issues (so it is advisable not to send essential work data over a regular network), disturbances in the environment around the house while working, difficulty in monitoring employees at work, etc.
During the Covid-19 pandemic, most of the activities at Telkom University, both teaching and learning activities and organizational activities, were carried out on a WFH (Work from Home) basis. That also applies to the School of Industrial and System Engineering (FRI) and the Directorate of Information Technology Center (PuTI), which mainly carry out their activities from home. Bringing work activities home can cause various risks to FRI, especially those related to the Academic Sector, Student Affairs, Finance and Human Resources (HR), and Laboratory Affairs, as well as to PuTI in the Information Technology Infrastructure Section (IsTI) and Information Technology Product Development (DevTI).
Risks that occur at the Directorate of Information Technology Center (PuTI) include, in the Information Technology Infrastructure Section (IsTI), obstacles related to the Virtual Private Network (VPN): the VPN application has not been updated by employees, so authentication fails and remote access to devices in the office is not possible; servers can also experience problems due to increased user activity. In the Information Technology Product Development Section (DevTI), there are visual and functional bugs in the iGracias application, causing delays in all user activities involving the application.
The researcher uses the risk management process method ISO 31000:2018, COBIT 5 Generic Risk Scenario, NIST SP 800-53, and DoD Instruction 8500.2. ISO 31000:2018 is a revision of ISO 31000:2009 as a risk management standard. The risk management framework aims to assist organizations in integrating risk management into significant activities and functions. The framework covers the integration, design, implementation, assessment, and improvement of risk management across the whole organization. The organization should evaluate its risk management practices and processes, and evaluate and address gaps in the framework. In addition, the organization must also adjust the components of the framework that it will run to the needs of the organization [1].
The risk approach with COBIT 5 Generic Risk Scenario is used as input to IT risk analysis activities related to key business impacts. The COBIT Generic Risk Scenario consists of (a) risk scenario categories, providing a high-level description of the scenario categories, with a total of 20 categories; (b) the risk scenario components, providing details about the type of threat, actor, event, asset/resource, and timing of each scenario category; (c) type of risk, of which there are three: the risk of benefit/value of IT enablement, the risk of IT programs and projects, and the risk of IT operations and services; and (d) example scenarios, giving one or several small examples of scenarios for each scenario category, with a total of 111 example risk scenarios, both positive and negative [7].
The first control recommendation in this study uses NIST SP 800-53, which aims to determine preventive measures for information systems or organizations, designed to protect confidentiality and integrity and meet various security requirements that have been determined [8]. NIST SP 800-53 can help organizations create secure information systems and more effective risk management systems. NIST SP 800-53 provides 20 control families, as shown in Table 1. The second control recommendation used by the researcher is DoD Instruction 8500.2, which aims to implement policies, assign responsibilities, and establish procedures to implement an integrated, layered network and information system protection [9]. DoD Instruction 8500.2 assists in implementing Information Assurance by defining controls that are divided into eight subject areas, as shown in Table 2. [10], but so far have not been associated with the context of working from home, so this is an opportunity for us to start this research.

Data Collection Methods
This study uses a qualitative approach [11].

Research Methods
This research uses a risk management process based on ISO 31000:2018 that is currently adopted by the organization. The risk management process includes several stages: risk identification, risk analysis, risk evaluation, and risk treatment (see Figure 1). The risk treatment stage would not reach the preparation and implementation of the risk management plan because these stages and so on will be carried out by the organization. The risk identification stage will be based on the Generic Risk Scenario in COBIT 5 For Risk. The risk treatment stage will be based on NIST SP 800-53 and DoD Instruction 8500 standards.

Figure 1. Research Methods
The first stage in this research is risk identification. The risk identification stage is carried out to determine the possible threats and their impact on the company or organization [1]. Risk identification aims to identify and describe risks that can interfere with achieving its goals. Relevant, precise, and up-to-date information is essential in identifying risks. Several factors that need to be considered in identifying risks include the causes and occurrences of risks, threats and risk opportunities, the emergence of risk indicators, consequences and impacts on objectives, and tangible and intangible sources of risk.

Iqbal Santosa, Rahmat Mulyana | 1013
The second stage is risk analysis. The risk analysis process measures risk by looking at two aspects, namely how significant the impact is (impact) and how likely the risk is to occur (likelihood) [1]. Risk analysis aims to understand the nature and characteristics of risk. Risk analysis involves risk sources, impacts, likelihood, scenarios, controls, and their effectiveness. Risk analysis can be carried out with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of the information, and the available resources.
In measuring risk, this research uses the likelihood and impact levels from the Telkom University Risk List Report [12]. There are 5 levels of possible risk or likelihood: level 1 (Highly Unlikely), level 2 (Unlikely), level 3 (Possible), level 4 (Likely), and level 5 (Very Likely). The impact is divided into five impact categories, namely the operational category, compliance category, reputation category, financial category, and HR category. The impact also has five levels: level 1 (no impact), level 2 (minor), level 3 (moderate), level 4 (major), and level 5 (extreme).
The third stage is risk evaluation. The purpose of evaluating risk is to support decisions. Risk evaluation involves comparing the risk analysis results with the established risk criteria to determine the additional actions required. Based on the evaluation results, the actions to be taken against these risks are also determined based on the risk appetite/acceptable risk, with a minimum total risk of 4. These actions determine whether the related risks must be handled or not. The level is then determined as low (green), medium (yellow), or high (red) based on the risk matrix, by combining the level of occurrence with the total level of impact.
The last stage is risk treatment. Risk treatment aims to select and implement options for addressing risk. Risk treatment uses the results of the risk evaluation. Some risk treatments can be used to manage emerging risks, including avoiding the risk, taking the risk to pursue an opportunity, removing the risk source, changing the likelihood or consequences, sharing the risk, and retaining the risk.

Risk Identification
The data used in this study is data obtained by researchers by conducting interviews with relevant stakeholders in FRI and the Directorate of PuTI. The following are the risk analysis results at FRI and the PuTI, as shown in Table 3.
The risk codes shown are based on code from COBIT Generic Risk Scenario.

Risk Analysis and Evaluation
When the risk identification process has been carried out, the next step is to carry out a risk analysis by measuring the low-high level of each risk that appears in FRI and PuTI during WFH, by determining the level of the risk events in Table 4. Based on Table 4, the risk analysis carried out on FRI and PuTI obtained several levels of risk impact, which are grouped into 5 levels as listed in Table 5.

Table 5. Impact Level

Impact Level | Criteria
No Impact | There is a small impact in the form of non-financial losses in the risk impact area, where the incident can still be handled through the applicable procedures and work processes
Minor | There is a small impact in the risk impact area where the incident can still be handled through the applicable procedures and work processes
Moderate | There is a significant impact on the risk impact area, but it can be handled through applicable procedures and work processes
Major | There is a significant and potentially systemic impact in the risk impact area that needs to be addressed quickly and appropriately
Extreme | There is a dangerous and systemic impact in the risk impact area that needs to be addressed quickly and appropriately

Based on Table 4 and Table 5, the risk analysis process is carried out using a risk matrix to help prioritize risk decision-making, as listed in Table 6. Table 6 is used to support the risk decision-making process or risk evaluation. This process uses the data from the risk analysis that has been prepared. The risks are ranked by multiplying the likelihood score by the impact. The results of these calculations are shown in Table 7. The risk calculation results in Table 7 show that there are several medium risks, namely 1201, 1602, 1601, and 1901. There are also several low risks, namely 0904 and 0503.
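The scoring procedure described in the analysis and evaluation stages above (five likelihood levels, five impact levels across five categories, score = likelihood x impact, an acceptable-risk line at a total score of 4, and a low/medium/high matrix band) can be written out as a small risk register calculator. The following Python is an added example, not code from the paper or from Telkom University. The level names, the acceptable-risk threshold and the six risk codes come from the paper; the green/yellow/red band boundaries, the rule for combining the five impact categories into a total impact, and the sample likelihood and impact values are assumptions, and the descriptions attached to the codes are illustrative only.

```python
from dataclasses import dataclass

# Levels as defined in the paper (Telkom University Risk List Report).
LIKELIHOOD = {1: "Highly Unlikely", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Very Likely"}
IMPACT = {1: "No Impact", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
IMPACT_CATEGORIES = ("operational", "compliance", "reputation", "financial", "hr")

# Risk appetite from the paper: a total risk score of 4 is the acceptable-risk line.
ACCEPTABLE_RISK = 4

# ASSUMPTION: the paper does not state the band boundaries of its risk matrix.
LOW_MAX = 4      # 1..4   -> low (green)
MEDIUM_MAX = 12  # 5..12  -> medium (yellow); 13..25 -> high (red)


@dataclass(frozen=True)
class RiskScenario:
    code: str          # COBIT 5 Generic Risk Scenario code, e.g. "1201"
    description: str
    likelihood: int    # 1..5
    impacts: dict      # impact category -> impact level 1..5


def total_impact(impacts):
    """ASSUMPTION: the total impact level is the worst level over the assessed categories."""
    unknown = set(impacts) - set(IMPACT_CATEGORIES)
    if unknown:
        raise ValueError(f"unknown impact category: {sorted(unknown)}")
    if not impacts or any(level not in IMPACT for level in impacts.values()):
        raise ValueError("impact levels must be 1..5 and at least one category must be assessed")
    return max(impacts.values())


def risk_score(scenario):
    """Risk analysis: likelihood score multiplied by the total impact level."""
    if scenario.likelihood not in LIKELIHOOD:
        raise ValueError("likelihood must be 1..5")
    return scenario.likelihood * total_impact(scenario.impacts)


def risk_band(score):
    """Matrix colour band for a score (boundaries are assumed, see above)."""
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


def needs_treatment(score):
    """Risk evaluation: scores above the acceptable-risk line must be treated."""
    return score > ACCEPTABLE_RISK


def evaluate(register):
    """Return, per risk code, the score, the matrix band and whether treatment is required."""
    result = {}
    for scenario in register:
        score = risk_score(scenario)
        result[scenario.code] = {"score": score, "band": risk_band(score), "treat": needs_treatment(score)}
    return result


# Constructed sample register: the codes are those reported in the paper, but the
# descriptions, likelihoods and impact levels are illustrative values, not the
# paper's measurements.
SAMPLE_REGISTER = [
    RiskScenario("1201", "VPN client not updated; authentication to office devices fails",
                 likelihood=3, impacts={"operational": 3}),
    RiskScenario("1601", "Server problems under increased user activity",
                 likelihood=2, impacts={"operational": 4}),
    RiskScenario("1602", "Visual and functional bugs in the iGracias application",
                 likelihood=3, impacts={"operational": 3, "reputation": 2}),
    RiskScenario("1901", "Essential work data sent over a regular home network",
                 likelihood=2, impacts={"compliance": 3}),
    RiskScenario("0904", "Disturbances in the home environment while working",
                 likelihood=2, impacts={"hr": 2}),
    RiskScenario("0503", "Difficulty monitoring employees at work",
                 likelihood=1, impacts={"operational": 3}),
]

if __name__ == "__main__":
    for code, row in evaluate(SAMPLE_REGISTER).items():
        action = "treat (mitigate/transfer)" if row["treat"] else "accept"
        print(f"{code}: score={row['score']:2d} band={row['band']:6s} -> {action}")
```

With the constructed values, codes 1201, 1601, 1602 and 1901 land in the medium band and 0904 and 0503 in the low band, matching the grouping the paper reports in Table 7; the accept/treat flag then feeds the risk treatment stage, where the paper has stakeholders choose between accept, mitigate and transfer.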

Risk Treatment
After the risks and their risk levels have been determined, risk treatment is carried out. In risk treatment, several treatment options are used in this research, including accept, mitigate, and transfer. The treatment option is determined from the previous risk results based on the risk appetite/acceptable risk, according to Table 8.

CONCLUSION
Based on the research results above, it can be concluded that the results of risk identification related to risks that occur around the FRI and the PuTI found six threats grouped into six risk scenarios. The identified risks are then analyzed and evaluated, resulting in low and medium risk levels so that the accept, mitigate, and transfer handling options are selected according to the analysis, evaluation, and validation of the relevant stakeholders. Proposed risk management is categorized based on risk control in COBIT 5 For Risk, NIST SP 800-53, and DoD Instruction 8500.