Security Analysis of Educational Information Systems Using the ISO/IEC 27001 Framework and a Gap Analysis Approach


  • Fuad Zaki * Universitas Pamulang, Kota Tangerang, Indonesia
  • Syaeful Machfud Universitas Pamulang, Kota Tangerang, Indonesia
  • Farida Nurlaila Universitas Pamulang, Kota Tangerang, Indonesia
  • Nanang Nanang Universitas Pamulang, Kota Tangerang, Indonesia
  • (*) Corresponding Author
Keywords: Information Security; ISO/IEC 27001; Gap Analysis; Educational System; RBAC; SIEM

Abstract

Information system security forms a fundamental backbone for ensuring the continuity of digital services in the modern era, especially in educational environments that heavily rely on information technology. Educational institutions face serious challenges in maintaining data confidentiality, integrity, and availability due to limited resources, weak policy enforcement, and low user literacy in cybersecurity. This study aims to evaluate the implementation of educational information system security using the ISO/IEC 27001 framework and Gap Analysis approach. The research method employs a qualitative approach with international standard-based evaluation techniques, system observation, and interviews with system administrators. The findings show that out of 14 ISO/IEC 27001 control domains, only 3 domains (21.4%) are fully implemented: access control (A.9), communications security (A.13), and physical security (A.11). The highest security gaps are found in the information security incident management domain (A.16) with 0% implementation, business continuity management domain (A.17) at 15%, and compliance with policies domain (A.18) at 20%. The system has implemented HTTPS protocol, limited two-factor authentication, and Role-Based Access Control (RBAC), but lacks formal security policies, SIEM-based threat monitoring systems, automated backup procedures, and regular security training programs. The gap between actual conditions and ideal standards indicates the need for a holistic approach that integrates technical, managerial, and educational aspects to build a resilient, secure, and sustainable educational information system.
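The study's gap analysis scores each of the 14 ISO/IEC 27001 Annex A domains and ranks the shortfalls against full implementation. The following Python sketch is an added illustration, not code from the paper: it derives the largest-gap ranking and the 21.4% full-implementation figure from per-domain scores. The six scores quoted in the abstract (A.9, A.11, A.13, A.16, A.17, A.18) are used as given; the other eight scores and the priority thresholds are constructed assumptions.

```python
from collections import namedtuple

# The 14 ISO/IEC 27001:2013 Annex A control domains the study evaluated.
ANNEX_A_DOMAINS = {
    "A.5": "Information security policies",
    "A.6": "Organization of information security",
    "A.7": "Human resource security",
    "A.8": "Asset management",
    "A.9": "Access control",
    "A.10": "Cryptography",
    "A.11": "Physical and environmental security",
    "A.12": "Operations security",
    "A.13": "Communications security",
    "A.14": "System acquisition, development and maintenance",
    "A.15": "Supplier relationships",
    "A.16": "Information security incident management",
    "A.17": "Business continuity management",
    "A.18": "Compliance",
}
# Constructed assessment: A.9/A.11/A.13=100, A.16=0, A.17=15, A.18=20 come from
# the abstract; the other eight values are placeholders (an assumption).
SAMPLE_SCORES = {
    "A.5": 40, "A.6": 35, "A.7": 30, "A.8": 50, "A.9": 100, "A.10": 60,
    "A.11": 100, "A.12": 45, "A.13": 100, "A.14": 55, "A.15": 25,
    "A.16": 0, "A.17": 15, "A.18": 20,
}
DomainGap = namedtuple("DomainGap", "domain name implemented_pct gap_pct priority")

def classify(gap):
    """Priority band from distance to full implementation (constructed thresholds)."""
    if gap == 0:
        return "met"
    return "critical" if gap >= 80 else "high" if gap >= 50 else "medium"

def gap_analysis(scores):
    """One DomainGap per Annex A domain, largest gap first; rejects partial input."""
    missing = set(ANNEX_A_DOMAINS) - set(scores)
    if missing:
        raise ValueError(f"no score for domains: {sorted(missing)}")
    rows = []
    for dom, score in scores.items():
        if dom not in ANNEX_A_DOMAINS or not 0 <= score <= 100:
            raise ValueError(f"bad entry {dom}={score}")
        gap = 100 - score
        rows.append(DomainGap(dom, ANNEX_A_DOMAINS[dom], score, gap, classify(gap)))
    return sorted(rows, key=lambda r: (-r.gap_pct, int(r.domain[2:])))

def coverage_pct(rows):
    """Share of fully implemented domains, rounded as in the abstract (3/14 -> 21.4)."""
    return round(100 * sum(r.priority == "met" for r in rows) / len(rows), 1)
```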




Article History
Published: 2026-02-25