2019 System Security Awareness Planning Model Using The Octave Method

Octave Abstract Awareness of the security of information systems is an important thing to note. In this study, we will discuss planning models of awareness about information system security using Octave models or methods. The analytical method used is qualitative descriptive analysis. The results of the study show that the Octave model can increase awareness about the importance of security in an information system and companies that implement it will be able to improve their performance in the


INTRODUCTION
The use of Information Technology has now developed for support all activities in the organization. Information is the result of processing data obtained from Information System (IS) and Information Technology (IT). Information is an asset which is very valuable for survival commercial organization (company), college, government institutions that must be maintained availability, accuracy, and integrity [1]. Therefore the ability to provide information fast and accurate are essential for the organization [2]. The emergence of IT and SI innovations useful to support the size of the need for information. Along with its development, technology often used by several parties irresponsible that can cause the emergence of threats and risks from use technology [3].
Information system security issues often less attention from stakeholders and manager of information systems [4]. Sometimes security issues are often ignored. If disrupt the performance of the system, often security is reduced or eliminated [5]. On its application, often information system security starts to get attention when the threat already happens. Risk of loss and damage to information is a critical thing for the organization because information is an important asset in the organization which needs to be kept intact. Therefore Information system security is necessary carefully planned when designing the system. An ounce of prevention is worth a pound of cure (prevention is better than cure). Every organization has a variety of information related to the vision, mission, strategy, management, finance, procurement, assets, and information other support. Where is the majority confidential. Effectiveness and efficiency of IT usage also cause a level of risk of high information system security. Importance planning Security Management Standards Well structured information can be a reference and can be applied to protect information of various kinds of the threat of damage.
In this research will develop a new model using Octave methods in making better planning and implementation of security awareness in system information and technology in a company or organization.

METHODS
The threat is an action or event can harm the organization [6]. System security information aims to protect information and information systems from various risk threats. According to G. J. Simons [7], information system security is how we can prevent fraud (cheating) or, at least, detect it a fraud on an information-based system, where the information itself does not have physical meaning [8]. According to John D. Howard, system security information is a preventive measure from attack computer users or network accesses irresponsible [9]. Therefore, information system security is something that needs to be considered from the start of SI planning. Information is an asset important for the company. Information security contains several important aspects. The following is an explanation of the aspects of information system security, namely [1]: 1. Confidentiality Aspects that guarantee data confidentiality or information, ensuring that information only accessible to people who authorized and guarantees data confidentiality sent, received, and saved.

Integrity
Aspects that guarantee that data is not changed without permission from the authorities (authorized), maintain accuracy and information integrity and process method to guarantee this integrity aspect. Aspects that guarantee that the data will available when needed, ensuring the user the right to be able to use information and related devices (assets that are relating when needed). Operational Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methods are a system approach to security risk evaluation comprehensive, systematic, directed, and information can be done alone [10]. The OCTAVE method can be used to identify risks related to aspects of confidentiality, integrity, and availability of valuable assets and establish disaster mitigation to deal with risk. The OCTAVE method uses three phases approach in examining organizational problems and technology, gives a picture comprehensive information security needs for organizations [11]. Stages in the OCTAVE method in the figure in Figure 1 below:

Availability
The OCTAVE method includes the following stages: (1) Build Asset-Based Threat Profiles. In this phase evaluation of the organization. (2) Identify Infrastructure Vulnerabilities. In this phase evaluation of the infrastructure of information. (3) Develop Security Strategy and Plans. In the phase will produce identification risk and design disaster mitigation to handle these risks.
OCTAVE method Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) defines important components in a comprehensive, systematic, context-driven evaluation of information security risk. Using the OCTAVE method, organizations can make protection against CIA-based risk decision-based information (Confidentiality, Integrity, Authentication) for critical information technology assets [12]. OCTAVE is a methodology for identifying and evaluating information system security risks. The use of OCTAVE is intended to assist organizations in terms of: (a) Developing qualitative risk evaluation criteria that describe the organization's operational risk tolerance; (b) Identifying important assets to achieve the organization's mission; (c) Identifying vulnerabilities and threats to these assets; (d) Determine and conduct evaluations to deal with the consequences that occur to the organization if the threat occurs. The OCTAVE method has three variants namely OCTAVE, OCTAVE-S and OCTAVE Allegro. OCTAVE is a set of tools, techniques and methods for risk-based information system security planning and planning. OCTAVE Allegro is a simplified method that focuses on information assets. OCTAVE Allegro can be done by workshop-style and collaborative methods. OCTAVE Allegro consists of eight steps divided into four phases [13]. Step 1 -Build Risk Measurement Criteria This step has two activities, beginning with building organizational drivers used to evaluate the impact of risks on business mission and objectives, and recognizing the most important impact areas. Activity 1 is to make qualitative size definitions documented in the Risk Measurement Criteria Worksheets. Activity two gives priority impact area values using the Impact Area Ranking Worksheet.
Step 2 -Develop an Information Asset Profile Consisting of eight activities, beginning with the identification of information assets, then a structured risk assessment is carried out on critical assets. The activities of three and four gather information about important information assets followed by documenting the reasons for choosing critical information assets. Activities five and six make a description of critical information assets and then identify ownership of these critical information assets. Seven activities filled security needs for confidentiality, integrity and availability. Activity eight identifies the most important security needs for information assets Step 3 -Identifying Containers from Information Assets There is only one activity in step three, note the three important points related to the security and concepts of information asset containers, namely the way information assets are protected, the level of protection or security of information assets and vulnerabilities and threats to containers from information assets.
Step 4 -Identify the Problem Area Activities in step four are initiated by developing a risk profile of information assets by exchanging ideas to find components of threats from situations that might threaten information assets. Based on the Information Asset Risk Environment Maps and Information Asset Risk Worksheet documents, area of concern can be recorded. Guided by the Information Asset Risk Worksheet document, do a review of containers to make an Area of Concern and document each Area of Concern.
Step 5 -Identifying Threat Scenarios One activity in step five which is identifying additional threat scenarios in this activity can use Activity two complements Information Asset Risk Worksheets for each common threat scenario.
Step 6 -Identifying Risks Activity one in step 6 determines the threat scenario that has been documented in the Information Asset Risk Worksheet can have an impact on the organization Step 7 -Analyzing Risk Activities must be carried out referring to the documentation contained in the Information Asset Risk Worksheet. One activity starts with reviewing risk measurement criteria followed by a second activity calculating the value of relative risk that can be used to analyze risks and decide on the best strategy in dealing with risk.
Step 8 -Select the Reduction Approach The one activity in step eight is to rank each identified risk based on the risk value. This is done to assist in making risk mitigation status decisions. Activity two carries out a mitigation approach for each risk based on conditions unique to the organization.

RESULTS AND DISCUSSION
The stages of analysis and design carried out in developing a system security design information model are illustrated in Figure 4.   The standard that can be used to design guidelines for security policy documents in the form and scope of procedures for implementing the ISMS. An overview of the structure of documentation based on ISMS documentation shown in Figure 5. The ISMS documentation generally consists of 3 levels, namely:

Level 1: Policies and Standards
Is a document with the highest hierarchy, which is strategic in the form of policies, standards, targets, and plans related to the development, application, and improvement of the ISMS.

Level 2: Procedures, Guidelines, Implementation Guidelines
It is a document that contains procedures and guidelines developed by the organization and includes how to implement policies and the person in charge of implementing SMK 3.  The following is an explanation of the steps in the information system security design proposal model using the OCTAVE method approaches [  3. Stage 3: Based on the results in stage 2, an information system security planning document will be obtained based on 3 levels of documentation. The information system security planning model by combining two methods, namely the OCTAVE method as the initial stage to identify risks based on the threats and weaknesses of information assets standards can be used as a reference framework in developing guidelines for producing more detailed management information plans for risk of threats and weaknesses of information assets of a company [19]. 4. CONCLUSIONS Based on the results of the research conducted, the OCTAVE method can be used as an initial tool to classify assets, risks, and design risk mitigation. Based on the results of the classification carried out, the next step is planning a security strategy. Where in its design, conformity with the ISMS document is based on ISO 27001: 2005. So as to produce an ISMS document that is directed towards the need to secure important company assets. For recommendations for further research, the proposed model produced can be directly implemented in an organization as a reference framework in information system security planning.