The Designing of Measurement Instrument for Information Technology Risk Assessment as a Risk Management Strategy Recommendation at SBUPE Bandung

Portal Express Strategic Business Unit, furthermore called SBUPE. In carry out its services, SBUPE is using Barcode at tracing and tracking system to identify and as media in data storage relate to delivered packets. Barcode is using to track and trace system at SBUPE, is used in logistic and currier services. So that obtained features at Barcode, also has adopted to that unit work pattern. SBUPE is faced to local courier service competition with global companies, which had successful to use goods shipment tracing technology with calculate the risk from its services treatment application. Until now, the track and trace system at SBUPE is not having instrument to do an information technology risk management, that is conducted process by IT managers to adjust operational activity and finance cost spending, in reach the profit with protect the IT system and data which support its organization mission. In this report has carried out a designing as tool, for provide a recommendation at that unit management level with to do risk mitigation, is directed to an incident handling. SBUPE can be applied the strategy based four quadrant that are: to do risk transfer to other (quadrant IV), to avoid a risk (quadrant III), to less negative effect of risk (quadrant II), to receive some or all of risk consequences (quadrant I). From designing results, has suggested doing incident handling process and information technology audit, in based data sources of reconciliation result among written documentation with situation when field study, as condition validity to do risk mitigation strategy.


Introduction
Information technology roles in business world is having important role for a company and its business managers.In strategic decision-making, information technology will affect the operational continuity, where it will be bring changes to that organization.The company and its manager are not having the same way to face an information technology risk.First difference, that risks are not considered openly.Second, just some tools or instruments to handle of appeared risk.Third, processes are obtained in organization has not reacted toward risk.[3].
In general, to prepare a safeguard toward every threat possibility, it is not economically activity.Therefore, an IT security programme, must be provided a process to estimate threat and to decision the choice would be made, what to choice or ignore a threat or to give reduction its safeguard.Its control measure installation based on a balance among cost of control and necessary to reduce or to lose a threats.Basically, as risk analysis is a risk-management approach, to help to identify a threat and to choice a security measure criteria which has resulted cost-effective.[12].
Using a centralized data table, have contents data reference and estimating technique, with some key variables to do determining risk and its loss, it can be used of management in security improvement.The assessment method for tangible and intangible assets will help to measure an information security, by to do risk calculating and measurement is using quantitatively risk analysis.[1].
Postal service industry (postal service, including courier service, express delivery, financial, and logistic) is a business will never loss a player, even continue to increase in along with economic growing.Delivering service business which has conducted by players in post service industry is very prospective due to its very wide scope, unlimited to specific commodity only.Logistic and courier services are needed to support trading and industry sectors activity, mainly for document and goods delivering.The necessary toward logistic and courier service is linear proportionate to industry growing.At present, logistic market potential in Indonesia is reaching 10% from gross national product.[14].
In according to Vice-president the Indonesia Express Service Company Association of West Java, just in Bandung the average courier operator number is growing about 5%-10%.[15].Following the document of Universal Postal Union (UPU, World Post Organization), the number of letter volume increasing in 1995 to 2000 in Asia Pacific about 1.4%, while the growing among 2000 to 2005 has estimated about 4.1% [16].In communication market case in physically letter, communication service for domestic scope is still dominated by government post operator.But, otherwise for international market or across nation, at present a communication service in physically letter has dominated by private operator (70%) [17].Therefore, government post In carry out its services, SBUPE is using Barcode at tracing and tracking system to identify and as media in data storage relate to delivered packets.Barcode is using to track and trace system at SBUPE, is used in logistic and currier services.So that obtained features at Barcode, also has adopted to that unit work pattern.Until now, the track and trace system at SBUPE is not having instrument to do risk management, that is conducted process by IT managers for adjust operational activity and finance cost spending, in reach the profit with protect the IT system and data which support its organization mission.

Risk Management of Information technology
Risk management is conducted process by IT managers for adjust operational activity and finance cost spending; in reach the profit with protect the IT system and data which support its organization mission.[2].Risk management is covering three processes, which are: Risk Assessment, Risk Mitigation, and Evaluation and Assessment.
Risk assessment is first process in risk management methodology.Organization is using risk assessment to determine potential threat and risk levels related with an IT system whole it's SDLC (System Development Life Cycle).This process output is helping to appropriated control identify direction to decrease or lose a risk as long as risk mitigation process.To determine the possibility a bad event in future, threats on IT system must be analyzed in together with potential vulnerability and control in place for IT system.
Generally, to lose the all of risks at scenario may be is not conducted, this case is responsibility to senior managements and their functional and business managers to use least-cost, to make an approach and apply more appropriate control to organization mission, so that its impact can be accepted or adjusted with organization human resources and its mission.Risk mitigation is used systematic methodology by senior managers to reduce risk from has been made mission.This thing can be reached by some choices, as Risk Assumption, Risk Avoidance, Risk Limitation, Risk Planning, Research and Acknowledgement, Risk Transference.The objective and mission of an organization has to balance in to choice whatever risk mitigations.If difficulty is occur to know the all risk, then priority must be given to threat and vulnerability which is having potential impact to mission.This thing, also conducted to protect an organization mission and its IT system, because every situation/surrounding and organization object, have uniqueness, used choice to reduce a risk and its implementation method can be adjusted.

Qualitative Risk Analysis
The measure of risk derived from combination among exposure rating, vulnerability level, and safeguard affectivity level.Simply, qualitatively risk measurement has conducted with give the high, medium and low scales.Risk measurement with that scale is having the shortage, which is high valued for risk with exposure, vulnerability, and safeguard, will have same results with risk to exposure, vulnerability, and safeguard in low valued.Therefore, to risk measurement level has given five scales that are: [8]  High = 5 Safeguard is using to identify mechanism, service, or procedure can to prevent or reduce threat occurs which can exposure vulnerability.Functionally, safeguard related with confidentiality, integrity, and available areas.Safeguard level is measured based for categories that are: [8]  Level 3 = high, if possibility a vulnerability had exposure by threat, with high can be reduced. Level 2 = medium, if possibility a vulnerability had exposure by threat, can be reduced moderately  Level 1 = low, if possibility a vulnerability had exposure by threat, it can be a little reduced only. Level 0 = none, nothing safeguard

Quantitative Risk Analysis
The steps to do quantitative risk analysis as follow.[1] 1. Risk estimating study is doing to determine risk factors.
2. Based risk factors in above, determine a value from which have asset risk (Tangible and Intangible Assets).3. Determine an approach based available procedure at company, in report of loss when to do security assessment in company.As its reference, can to use a data about ownership information in making adjustment from quantitatively estimating for risk analysis.

Risk Analysis of Information Technology
From some manners could be used to analysis of risk, two basic methods can be applied to SBUPE, that are qualitatively and quantitatively evaluations.Qualitatively evaluation is conducted based intuition, so that risk analysis approach is conducted very subjective, relatively.This method is not resulted the measurement which can be to calculate the bigger specification of its impact, therefore making cost benefit analysis about control recommendation is difficult to apply.So this basic method is needed much, for initial step of quantitatively risk analysis.
Together with this, is serving a conducted flow at SBUPE organization to know qualitatively risk level.

Figure 1: Flow of Qualitative Method Application
To do quantitatively risk analysis, it is need to determine a potential losses value with postponed process, property damage, or data.Then, it is also need carried out the estimating of occurrence possibility form risk failure, so that eventually it can be calculated the annual loss estimating.[10].
Study about identification, valuation asset (subjectively), threat, and vulnerability assessment has conducted at qualitatively risk analysis procedure.Further, at quantitative procedure has conducted the counting which dealt to costbenefit analysis with use value like a currency unit bigger.

Risk Mitigation Strategy
The SBUPE purpose and mission must be considered to choice whatever risk mitigation.If difficulty is happened to know the all of risks, so priority must be given to threat and vulnerability is having impact on mission.This case, also conducted in safeguard an organization mission and its IT system, because an organization object and situation/surrounding, have uniqueness, used choice to reduce risk and its implementation method can be adjusted.
In this report has conducted a designing like a tool, to serve recommendation to that unit management level with to do risk mitigation, dealt to incident handling.

lnstrument Designing Flow
In this instrument plan making, has conducted of asset classifying related directly to Track and Trace system operational at SBUPE, which has resulted some tables of asset.To this asset classifying its data derived from field study and Service regulation documents about accountancy which had become tangible asset by that unit.Then, has conducted quantitatively and qualitatively risk analysis constituted risk evaluation activity part.The result of this plan is as template of format could be created for risk Licensed Under Creative Commons Attribution CC BY management strategy supporting recommendation.While for its plan testing, this report is serving the suggested for its test steps that is with adopted audit methodology at CISA Review Manual.

SBUPE can be applied a strategy based four quadrants as follows:
 To do risk transfer to others (Quadrant IV) that is to move risk with use a choice, to replace a loss, as insurance purchase. To avoid a risk (Quadrant III) that is to avoid a risk with to making lose risk cause and its consequence.For example, to cancel specific function at system and to close its system, when obtained known risk. To decrease negative effect from risk (quadrant II) that is to organize risk with develops a risk mitigation plan, its implementation is prioritized and control in it's maintained. To accept a part or all of risk consequences (Quadrant I) that is to accept risk potential and to continue IT system operational or to apply a control to reduce a risk to be acceptable risk.
Together with this is tabulation (Table 1) from risk mitigation strategy with to do classifying based that four quadrants above.

Plan Testing Suggest
In this report, to its plan testing stage has served in a steps suggest would be conducted to do audit, based a standard methodology from CobiT.[13].
Audit process must be planned prior before it is applied.Audit planning has to clearly to explain the audit purpose, auditor authority, presence top-management approval, and audit method.
Based audit methodology as Control Objectives for Information and related Technology (CobiT), so to occur condition at SBUPE can adopt audit steps as in Table 2.

Conclusion
Based written discussion at this report, so has obtained some conclusions as follow:  In this instrument plan making, has conducted asset classifying related directly with Track and Trace system operational, so that it is resulted some tables of asset, had become as reference to do risk assessment. To classifying that asset above, its data derived from field study and organization regulation documentation, where it is needed to do qualitatively and quantitatively risk analysis, with result a occur safeguard at SBUPE to cost benefit analysis table. The result of plan to risk mitigation as format template to be recommendation in carry out of risk reducing, with divide to be four quadrant, so that threat and vulnerability classifying in carry out a risk mitigation strategy to be directed. While for plan testing, this report has served suggest as steps, with adopt audit methodology from COBIT (Control Objectives for Information and related technology) at CISA Review Manual. To make software application with reference a database can be used by company in generally, in to do risk management strategy.

Figure 2 :
Figure 2: Flow of Quantitative Method Application

Figure 3 :
Figure 3: Flow of Designing Process

I
Based discussion and conclusion, it is obtained some necessary suggest in its development as follows:  In furthermore research, has conducted the review to do incident handling process. In furthermore research, has conducted implementation to do information technology audit based Control Objectives for Information and related technology. It is needed data sources of reconciliation result among written documentation with situation when field study.

International Journal of Science and Research (IJSR) ISSN (Online): 2319-7064 Index Copernicus Value (2013): 6.14 | Impact Factor (2013): 4.438 Volume 4 Issue 4, April 2015 www.ijsr.net
This complexity emerge is not business uniformity only, but also because some business kinds that is embraced have different characteristics.For example, in communication service field, PT.Portalindo has faced with competitor as Titipan Kilat, Pandu Siwi Sentosa and other local couriers or world class companies as DHL, TNT, FedEx and UPS, had successful to use a good shipment technology tracing and tracking with calculate risk from that service application.Pos Express strategy Business Unit, furthermore called SBUPE.

2319-7064 Index Copernicus Value (2013): 6.14 | Impact Factor (2013): 4.438 Volume 4 Issue 4, April 2015 www.ijsr.net
4. Estimating of Annualized rate of Occurrence (ARO) for every risk factor.5. Determine necessary countermeasures to anticipate each risk factors.6. Determine Annualized Loss Expectancy (ALE) to every risk factor.With note that: ARO for ALE after countermeasures implementations, have possibility is not always equal with zero.
7. To do analysis safeguard cost-benefit with calculate difference among ALE, before apply of countermeasures with ALE after apply of countermeasures.8.Based analysis on f and g steps, determine Return OnInvestment with use Internal rate of Return (IRR).To explanation IRR, can be seen at subchapter about quantitatively risk analysis counting.ISSN (Online):Licensed Under Creative Commons Attribution CC BY 9.The result is a brief serve at management for review.Used methodology can be same with request characteristic to engineering project capital.

Table 1 :
Risk Mitigation Strategy

Table 2 :
Plan Testing Risk Management Strategy at SBUPE