Information Security Risk Strategy at PT. X Using NIST SP 800-30
I G. N. M. Putra Eryawan. Jurnal Ilmiah Merpati, Vol. 9, No. 3, December 2021. p-ISSN: 2252-3006, e-ISSN: 2685-2411

Information security is a vital aspect that must be considered whenever information technology devices are used by active users. PT. X runs a distribution business supported by information technology, applied through enterprise resource planning. This information technology forms assets: IT infrastructure, information systems, operating procedures, and network infrastructure. These assets face potential threats that can cause disruption and, in turn, losses. The problem is addressed through a risk strategy as the response. NIST SP 800-30, a United States federal security standard, offers the organization a flexible risk perspective. The research is divided into risk assessment (measuring risk), risk mitigation (planning the risk response), and risk evaluation (embodied in the risk report). The results show, through calculation of the likelihood and impact matrix, that 14 threats fall at the low risk level, 12 at medium, and 4 at high, which is categorized as reasonably good.


Introduction
Information in the current era of globalization is developing increasingly fast, racing with technological developments that continue to run. One indication is that more and more individuals and organizations rely on IS/IT as part of their daily needs [1]. The security factor is therefore a serious concern, as the main safeguard for the information technology infrastructure and its users [2].
Operational management runs on corporate governance infrastructure, but the security management of that infrastructure, in particular access control, is still only minimally monitored, so a sudden internal or external threat that was never anticipated can materialize at any time [3] - [4]. According to Sarno and Iffano, there is no standard reference for which standard a company should use or choose when conducting an information security risk management audit, so the choice depends on the viewpoint and needs of the investigators [5]. When evaluating and selecting strategies for managing information security, the controls must be highly reliable in order to improve security and minimize the risk of loss that may arise [1] - [6].
PT. X realizes information technology through IT infrastructure in carrying out the company's management operations. Management activities consist of entering, processing, managing, and reporting data, supported by the systems that make up the IT. The data that is formed is an important part of facing business competition. To achieve the company's vision and mission without operations being hindered by disruption, the security of this information must be guaranteed against the risk of loss. PT. X has not yet implemented a risk strategy for the systems that make up its IT, so a risk strategy for information security needs to be carried out. The risk strategy is expected to show the amount of repair costs for development planning.
Analysis of risk strategies that refer to risk management was carried out in the research of Monika Evelin Johan et al., using the NIST SP 800-30 method. Its vulnerability process used NIST SP 800-26, which has since been withdrawn, and the recommendations provided only the status of control measures [7] - [8]. The research of Dian Ayu Permatasari et al. emphasizes the initial process of identifying threat risks: the analysis applies NIST SP 800-30 only at the risk screening stage, vulnerability identification still uses the withdrawn NIST SP 800-26, and the recommendations do not reach the risk mitigation stage [9] - [8]. The contribution of this research is to apply the NIST SP 800-30 method with the latest published support for vulnerability testing, NIST SP 800-53A Revision 4, and to follow the standard process through to the risk mitigation stage in order to see the amount of risk costs at PT. X.
The method that can be used to carry out a risk strategy in information management is NIST SP 800-30. NIST SP 800-30 was chosen for its coverage as a risk management process flow [10]. It is a framework that can determine information control risks, complemented by information management recommendations. It covers the security aspects of confidentiality, integrity, and availability of the data used for development, improvement, and evaluation [11].
This research applies the NIST SP 800-30 method to see the level of information security risk in the implementation of IS/IT at PT. X, and is expected to become part of the development life cycle carried out by the IT Division at PT. X. The NIST SP 800-30 method is equipped with a strategic control process, in terms of the cost of treatment, that adapts to organizational conditions while adhering to the guidelines. The aim of this research is to determine the risk level of vulnerability information using NIST SP 800-30, and from that to develop risk control strategy steps, with control recommendations and their financing, to be used as a reference for improving information security at PT. X [3] - [12].

2. Research Method
This research method serves as a step in defining the research as a process flow, to ensure that it is orderly, systematic, and directed [13]. The process flow underlying the implementation of the risk strategy follows the NIST SP 800-30 guidelines.

Methodology Flow
The methodology flows through a defined sequence of stages. The process flow is presented in Figure 1.

Figure 1. Methodology Flow
Figure 1 shows the research flow for the analysis of information security risk strategies at PT. X. The first stage is the Planning Phase, which formulates the problem at PT. X; this stage formulates the problems found in the field and studies the literature by looking for references, theoretical sources, and supporting data to strengthen the research study. The second stage is data collection, by conducting interviews, observation, and documentation studies at PT. X [9]; this stage involves visiting the company and finding out about current IT risk issues. The third stage is analysis and the fourth stage is the completion phase, both of which are part of the NIST SP 800-30 method [9] - [11]. The NIST SP 800-30 stages are divided into three parts: the assessment stage, to assess risk; the risk mitigation stage, as control; and the risk evaluation stage, which prepares the final risk report. Each part has a detailed process [10].
The first part, risk assessment, identifies risks through eight processes [10]:
a. characterizing the system, to find out the components that make up the system, including hardware and software;
b. identifying threats, to detect the opportunities for threats to occur;
c. identifying vulnerabilities, through an assessment by the authorized parties, namely the IT controller and IT supervisors;
d. control analysis, to determine which vulnerabilities are exposed to threats;
e. determining likelihood, to establish the probability that a vulnerability will be exploited by a threat;
f. impact analysis, to determine the impact that results if a threat exploits the vulnerability;
g. risk determination, to establish the level of risk of each vulnerability-threat pair;
h. control recommendations, as specified in the NIST SP 800-53 standard.
The second part is risk mitigation, as the implementation of appropriate corrective controls. There are six processes in this part [10]: prioritizing actions, which ranks the risk levels for action; evaluating recommended control options, referring to NIST SP 800-30; conducting a cost-benefit analysis, to determine the cost of controls against the level of risk; selecting controls, to choose the control conditions that fit; assigning responsibility, to divide the parties responsible for implementing risk mitigation; and developing the safeguard implementation plan. The last part, risk evaluation, is the final process of the completion stage: the implementation of the risk strategy through the implementation of risk controls. This implementation is carried out within a determined period, taking into account the decision on readiness for implementation, which involves senior management [10]. The final document records the findings as part of a continuous development life cycle [10].

Data Collection
Primary data collection is carried out with the parties who have the authority to maintain the IT establishment [11] - [4]. The IT controller and IT supervisors play an important role in collecting data at PT. X. Observation serves as secondary data collection, to determine the findings for relevant indicators in the field [11] - [10]. The conditions assessed cover the organizational profile, performance areas, key notes, the IT utilization applied, service integration, organizational quality standards, assets, and milestones; the form of the assessment questions refers to NIST SP 800-30 [10]. A sample assessment question is presented in Table 1. The Zeta information system is a distribution system that carries the business processes from production to consumers.
Table 1 is a sample that refers to the questionnaire in NIST SP 800-30. The data obtained from it are intended as supporting material and consideration for the next process. The respondent's statements need to be supported by objective, relevant documentation.

2.3 Theoretical Framework
In NIST SP 800-30 risk theory, risk management is implemented through the NIST SP 800-30 guideline, namely risk assessment, with eight stages that must be passed; risk mitigation, with six stages that must be passed; and risk evaluation, which composes the final report [10]. The supporting guideline originally aligned with NIST SP 800-30 was NIST SP 800-26, used for vulnerability identification [10]. NIST SP 800-26 has since been withdrawn and replaced by NIST SP 800-53A Rev. 4 as the standard guide for assessing security and privacy controls, which is therefore used here for vulnerability identification [14]. The control recommendations are correspondingly updated to NIST SP 800-53 Revision 4, to align with NIST SP 800-53A Rev. 4 on security and privacy controls as the form of information security assessment in an organization [14]. The model that guides this document follows an approach that harmonizes with and complements the ISO 31000 and ISO/IEC 27005 standards [15] - [16].

3. Literature Study
The literature study covers the sources used as references in the research. Sources are obtained from books, the internet, or journals that have legitimacy. The literature used covers risk strategies, information security, the NIST SP 800-30 method, and the guidelines that support the method.

Risk Strategies
Risk strategy concerns management giving consideration to decisions that reduce the disruption or damage that can cause losses, as a form of security protection balanced against financial cost [6]. The risk strategy is managed on an ongoing basis, through mitigation, assessment and evaluation activities [6].

Information Security
Information security means protecting collections of data from various threats to ensure the continuity of an organization's business processes, minimizing risk and maximizing performance. The information security aspects determine the sustainability of an organization's business operations [17]. Information security consists of 3 elements (ISO 27000):
a. Confidentiality is the property that information is not made available or disclosed to individuals, processes or entities that do not have access rights [17] - [18].
b. Integrity must ensure that information or data is maintained intact; this means that data must not be modified illegitimately [17] - [18].
c. Availability guarantees that each information system serves its purpose: information must be available when it is needed [17] - [18].

NIST SP 800-30 Method
NIST SP 800-30 is a standard document published by the National Institute of Standards and Technology as a framework for determining risk strategies in risk management. NIST SP 800-30 has three main stages, namely risk assessment [10] - [19], risk mitigation, and risk evaluation:
a. Risk assessment is the stage of determining risk. Its processes are characterization of the system, identification of threats, identification of vulnerabilities, control analysis, determination of likelihood, impact analysis, risk determination, and control recommendations [10].
b. Risk mitigation is the stage of determining the plan for implementing security controls. Its processes are prioritization of actions, evaluation of recommended control options, cost-benefit analysis, selection of controls, and assignment of responsibilities [10].
c. Risk evaluation is the result of the risk strategy and its management, manifested in the report [10].

Supporting Guidelines
The method is accompanied by supporting guidelines that align with the flow of the research method:
a. NIST SP 800-53A Revision 4 is the guideline for assessing whether security and privacy controls are in place; the assessment is carried out with a questionnaire divided into 18 groups [15].
b. NIST SP 800-53 Revision 4 is the supporting guideline for the recommended security and privacy controls, with recommendations tailored to each group [12].

Results and Discussion
The findings of this study cover the process of implementing a risk strategy using the NIST SP 800-30 method, through to providing control recommendations based on the risk findings.

Risk Assessment
The results are discussed following the methodological steps carried out in the organization of PT. X, according to the processes of the NIST SP 800-30 method [10]. The first stage, system characterization, identified the elements critical to the use of IT: the hardware specifications that determine the vital assets; the network device architecture, with a data center that forms the network topology, complete with internet allocation details; the software model applied in the organization, namely Zeta, the distribution business operation of PT. X and part of its enterprise resource planning, which describes the business processes, system architecture, and information system specifications; and the physical security role, in terms of tightened policy procedures, CCTV, and fingerprint privileges. These findings serve as the starting point for threats, defining the identified IT assets and the IT boundaries that apply.
The second stage is the identification of threats. The assessment covers events that have already occurred, as a potential assessment of inherently direct vulnerabilities, and classifies potential threats into 3 aspects, human, environmental and IT infrastructure, following the considerations of the NIST SP 800-30 guidelines [10].
The third stage is the analysis of the self-assessment to determine the threats that produce risk. Risks arise from the results of the questionnaire assessment of the federal and organizational information security and privacy control guide NIST SP 800-53A Rev. 4, through the absence of potential controls when assessing vulnerability [15]. The grouping of the self-assessment codes by topic is shown in Table 2.
The results of the self-assessment process give the value of the controls against vulnerabilities affecting the four main assets identified: IT infrastructure, the Zeta application system, PC users, and network infrastructure. The four assets are mapped according to the threat of access control. The fifth stage is the likelihood stage, the assessment of the tendency or opportunity for the number of events against the assets. The assessment of the tendency level is influenced by the quantitative values presented in Table 3. The result is the level of tendency for a threat to appear against an asset, based on the number of times the threat occurred. The overall results for the four assets, the total likelihood level values, are presented in Table 4.
The indicators for determining the impact analysis are influenced by the impact analysis value level, which is a statement of the conditions that define each level of impact. The impact analysis value levels are presented in Table 5:

Level    Value   Rank   Effect of the threat impact
High     100     3      Involves the organization's operations, organizational assets, individuals, and other organizations
Medium   50      2      Involves the organization's operations and organizational assets
Low      10      1      Involves organizational operations that cannot be ignored
None     0       0      Involves organizational operations that can be ignored

The results of the threat impact level analysis give the magnitude of the consequences that can occur to the asset. The recap of the impact level results from the statements is shown in Table 6. The impact level results are dominated by threats categorized as high, with a breakdown of the statements of 1 low, 11 medium, and 18 high. The seventh stage is risk determination. Risk is determined through a matrix scale guided by the NIST SP 800-30 matrix values, with a 3-level scale for the likelihood and impact levels, presented in Table 7; for a low likelihood, for example, the matrix yields Low (1), Low (5), and Low (10) against low, medium, and high impact respectively. The matrix values give a mapping of the likelihood values to the impact values. The overall results of the matrix assessment are based on the four main assets, namely IT infrastructure, the Zeta application system, PC users, and network infrastructure. The determination of risk on the 3-level scale is followed by adjusting each level to the corrective actions of the risk strategy guided by NIST SP 800-30. The risk strategy model matched to each risk level is presented in Table 8. The risk level results give an amount of risk categorized as sufficient, with a breakdown of the statements of 14 low, 12 medium, and 4 high.
The visualization of the amount of risk is presented in Figure 2, with a bar chart for each asset in the left image and a column chart for each level of risk in the right image. The eighth stage is the control recommendation process, namely the determination of recommendations adjusted to the supporting document NIST SP 800-53 Revision 4 [16]. This support guides the recommendation requirements, which refer to the NIST SP 800-30 method and are based on the NIST SP 800-53A Revision 4 assessment questionnaire [15]. There are 18 groups of recommendations, shown in Table 10, and the form of some of the appraisals, taken from 3 sample assets, is described in Table 11. One example from Table 11: the organization reviews and updates its firewall rules, within an agreed period, for events in the system log that indicate potential entry points for malware attacks.

Risk Mitigation
Risk mitigation strategies prepare the plans for handling the risk values obtained from the risk assessment stage. The mitigation process includes prioritizing actions, evaluating recommended control options, cost-benefit analysis, selecting controls, assigning responsibilities, and developing the safeguard implementation plan.
The initial stage in risk mitigation, prioritizing actions, ranks the risks by level, from high, followed by medium, to low. The ranking serves to give more attention to the risks that are most threatening, so that they are acted upon first.
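The risk determination of the seventh assessment stage and the ranking of the priority-of-action step can be written down as a short program. The following Python script is an added example and is not code from the paper or from PT. X. The likelihood weights (0.1, 0.5, 1.0), the impact values (10, 50, 100) and the risk scale (Low 1 to 10, Medium over 10 to 50, High over 50 to 100) are the ones tabulated in NIST SP 800-30 (2002), of which the text above shows only the low-likelihood row; the threat list is constructed for illustration across the four assets named in the assessment, and the threat descriptions and their likelihood and impact ratings are assumptions, not findings of the paper.

```python
"""Risk determination with the NIST SP 800-30 (2002) likelihood/impact matrix.

Added example; not part of the paper or of PT. X's assessment. The matrix values
follow NIST SP 800-30 (2002) Tables 3-4 to 3-7; the threat list is constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Likelihood weights (Table 3-4) and impact magnitudes (Table 3-5).
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}

# Risk strategy action per level (Table 3-7, paraphrased).
ACTION = {
    "High": "corrective measures required; implement a plan as soon as possible",
    "Medium": "corrective actions required; plan within a reasonable period",
    "Low": "system owner decides whether to correct or to accept the risk",
}


@dataclass
class Threat:
    asset: str
    threat: str
    likelihood: str  # "Low" | "Medium" | "High"
    impact: str      # "Low" | "Medium" | "High"


def risk_score(likelihood: str, impact: str) -> float:
    """Risk value = likelihood weight x impact magnitude (Table 3-6)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Risk scale of Table 3-6: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """The full 3x3 matrix, keyed by (likelihood, impact) -> (score, level)."""
    return {
        (lk, im): (risk_score(lk, im), risk_level(risk_score(lk, im)))
        for lk in LIKELIHOOD
        for im in IMPACT
    }


def determine_risk(threats: list) -> list:
    """Assessment stage 7: attach score, level and required action to each threat."""
    rows = []
    for t in threats:
        score = risk_score(t.likelihood, t.impact)
        level = risk_level(score)
        rows.append({"asset": t.asset, "threat": t.threat, "score": score,
                     "level": level, "action": ACTION[level]})
    return rows


def recapitulate(rows: list):
    """Counts per risk level (as in Table 9) and per asset and level."""
    by_level = Counter(r["level"] for r in rows)
    by_asset = {}
    for r in rows:
        by_asset.setdefault(r["asset"], Counter())[r["level"]] += 1
    return by_level, by_asset


def prioritize(rows: list) -> list:
    """Mitigation step 1: rank High, then Medium, then Low; higher score first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(rows, key=lambda r: (order[r["level"]], -r["score"], r["asset"]))


# Constructed sample threats across the four assets; not the paper's findings.
SAMPLE_THREATS = [
    Threat("IT infrastructure", "Power failure in the data center", "Low", "High"),
    Threat("IT infrastructure", "Unpatched server operating system", "Medium", "High"),
    Threat("Zeta application system", "Shared user accounts in the Zeta ERP", "High", "Medium"),
    Threat("Zeta application system", "Unauthorized change of transaction data", "High", "High"),
    Threat("PC users", "Malware brought in on removable media", "High", "Low"),
    Threat("PC users", "Weak user passwords", "Medium", "Medium"),
    Threat("Network infrastructure", "Firewall rules not reviewed", "Medium", "Medium"),
    Threat("Network infrastructure", "Wireless network without encryption", "Low", "Medium"),
]

if __name__ == "__main__":
    ranked = prioritize(determine_risk(SAMPLE_THREATS))
    for r in ranked:
        print(f"{r['level']:6} {r['score']:5.0f}  {r['asset']:25} {r['threat']}")
    by_level, by_asset = recapitulate(ranked)
    print("Recap by level:", dict(by_level))
    for asset, counts in by_asset.items():
        print(f"  {asset}: {dict(counts)}")
```

Note that the scale boundaries matter at the corners: a low-likelihood, high-impact threat scores exactly 10 and therefore stays Low, while high likelihood against medium impact scores 50 and stays Medium; only the high/high cell reaches the High band. The tie-break in prioritize (score, then asset name) is a choice made here so that the ranking is deterministic, not something the guideline prescribes.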
The second stage, evaluating the recommended control options, is the choice of mitigation measures for each type of risk at each level of the risk scale. The options follow the NIST SP 800-30 guidelines:
a. Risk assumption is accepting the potential risk and continuing to operate the system, or implementing controls to reduce the risk to an acceptable level [10] - [20].
b. Risk avoidance is avoiding the risk by eliminating its cause and its consequences [10] - [20].
c. Risk limitation is limiting a given risk by implementing evaluation and monitoring that can minimize the adverse effects of the risk when it occurs [10] - [20].
d. Risk transference is transferring the risk by using the services of a third party to compensate for the losses arising from the risk [10] - [20].
The recapitulation of the mitigation options for the four assets and their 30 threats is shown in Table 12. The statement of mitigation options covers a total of 30 risk threats. The highest count is for the risk limitation option, with a value of 16, and the lowest is risk transference, with 1. Risk assumption was not selected for any threat, because it did not match any of the risk statements. The recapitulation of the mitigation option values in the table is visualized in Figure 3, with a bar graph for each asset on the left and a pie chart for each mitigation option on the right. The third stage is the cost-benefit analysis, which determines the control costs to be incurred in order to minimize the risk of higher losses. The cost measures are adjusted to the latest prices in the risk strategy implementation period. The 30 risk statements are handled through mitigation control options that share the same approach, that is, an integrated control aspect, namely the control recommendation model in terms of financing. This unit of control is the cost-benefit analysis step, weighing the benefit of a large cost reduction against the cost of reducing the risk [3].
The fourth stage, select control, implements the selected control adjustments as the right implementation to run in the company PT. X, through the standardization requirements of NIST SP 800-53 Rev. 4. Select control provides a statement for each item; this is considered a review of the implementation of the prioritized action items and of the mitigation option aspects, followed by the assignment of responsibility for managing the risk reduction.
The fifth stage distributes the parties who hold control and have the authority and responsibility for implementing the risk strategy. These are the President Director, Managers, Controllers, and IT Supervisors.
The last stage in risk mitigation is developing the safeguard implementation plan, by compiling a list of the implementations that will be proposed when implementing risk management as the risk strategy decision.
The results of the risk mitigation stage, from the processes of prioritizing actions, evaluating the recommended control options, performing the cost-benefit analysis, selecting controls, and assigning responsibilities, are arranged into the safeguard implementation plan. Some examples of the safeguard implementation plan are presented in Table 13.

Risk Evaluation
The completion stage is the final part of the NIST SP 800-30 method. The risk evaluation process results in the preparation of the final document on the implementation of the risk control assessment strategy [10]. This final document is formed from the findings of each stage of the NIST SP 800-30 method. The final report produced determines the consideration of the implementation readiness decision, involving the users of the IT system at PT. X. This information security risk strategy must ensure that it remains relevant to the security aspects of confidentiality, integrity, and availability of the data used for continuous development, improvement, and evaluation [11] - [19].

Conclusion
The information security risk strategy using the NIST SP 800-30 method in this study has been implemented quite well. The assessment process determined the vital assets that are threatened in the use of IT at PT. X, namely the information technology assets that affect aspects of the company's information security. PT. X has four such assets: IT infrastructure, the Zeta information system, PC users, and network infrastructure. Based on the four identified assets, 30 threats were identified and their risk levels determined. The dominant risk level is the low scale, which indicates that the risk value is quite good: 14 threats at the low level, close to the 12 at the medium level, and far from the 4 at the high level. The control recommendations given for the risky threats are the implementation of corrective controls through the recapitulation. The results of the 30 risk mitigation controls, with risk limitation 16, risk avoidance 13, and risk transference 1, are categorized as good because risk limitation dominates over the other controls in defending against disruption. The mitigation controls reduce the threat of risk by providing the appropriate security controls, through the control recommendations, to avoid disruption or damage.

Figure 2. Results of Determination of Asset Risk (Left) and Results of Total Level of Risk Determination (Right)

Table 3. Likelihood Level Values

Table 4. Recapitulation of Likelihood Level Values

Table 5. Impact Analysis Value Levels

Table 6. Impact Level Recapitulation Values

Table 7. Risk Level Matrix

Table 8. Level of Risk Strategic Action (for the low level, corrective action is deferred by the decision to accept the risk to be developed)
The results of this risk level determination come from the calculation of the likelihood value matrix against the impact value. The result at each level of risk determines the control conditions for the risk strategy action. The results of the risk determination are recapitulated based on the findings for the four assets; the recapitulation is presented in Table 9.

Table 9. Level of Risk Recapitulation Values

Table 12. Recapitulation of Risk Level Mitigation Options

Table 13. Control Implementation Plan