Analysis Security of SIA Based DSS05 on COBIT 5 Using Capability Maturity Model Integration (CMMI)

A secure academic information system is an essential part of a college. The security of academic information systems is very important for maintaining information optimally and safely. As technology develops, academic information systems are often misused by irresponsible parties, which can create threats. To prevent this, it is necessary to evaluate how well the security of a university's academic information system is managed. This research was therefore conducted to determine the Maturity Level of the security governance of the Ahmad Dahlan University academic information system, using the COBIT 5 framework on the DSS05 domain. The DSS05 domain of COBIT 5 is a good framework for implementing and evaluating the security of academic information systems, while the CMMI method is needed to express the level achieved in the evaluation. Combining the COBIT 5 framework on the DSS05 domain with the CMMI method gives a level of achievement in the form of a Maturity Level value. The COBIT 5 analysis of the DSS05 domain using the CMMI method yields a Maturity Level of 4,458, which places the evaluated academic information system at the tertiary level at Managed and Measurable. At this level, universities are increasingly open to technological developments. Universities have applied the quantification concept in each process, and performance in the security of academic information systems is always monitored and controlled.


INTRODUCTION
Companies and institutions treat information technology as something that supports their strategic plan for achieving their vision, mission and goals. Information technology gives effective results if it is used under good governance and can be evaluated [1]. Information systems are systems that contain SPD networks (systems processing data), equipped with communication channels used in data organization systems [2]. Among the various concepts of information systems, compatibility is one of the keys to the successful implementation and acceptance of information systems [3]. As technology develops, it is often misused by irresponsible parties, which can create threats [4]. Academic information systems must provide security, privacy and integrity for the data they process, so their performance is also an important consideration if they are to be used optimally and safely [5]. Applying information security systems aims to overcome all problems and constraints, both technical and non-technical, that can affect system performance, such as availability, confidentiality and integrity factors, so that the level of information security can be assessed [6], as in Figure 1.

Figure 1 Information security aspects
The existence of a security problem triggers a procedure for controlling access rights to an information system [7]. Good information system security must apply the standard Deming quality cycle [8]. The security of academic information systems can be audited against various standards such as COBIT, COSO, ITIL, CMM, BS779 and ISO 9000. COBIT (Control Objectives for Information and related Technology) is a standard guide to information technology management practices and a set of best-practice documentation for IT governance that helps auditors, management and users bridge the gap between business risk, control needs and technical issues [8]. Any organization can adapt COBIT 5 to its own purposes and use it to evaluate how well the organization is achieving its intended goals [9]. The DSS (Deliver, Service and Support) domain concerns system delivery and the service support the system needs, including service, security and continuity management, service support for users, and data management and operational facilities, so that the domain delivers services in a more integrated way [8]. The DSS domain has the sub-domain DSS05, which is a more intensive procedure for information security. The method that can be used to express the level achieved in the evaluation is CMMI. Capability Maturity Model Integration (CMMI) is a model approach for assessing the capability and maturity of a software organization. CMMI was originally known as the Capability Maturity Model (CMM), which was built and developed by the Software Engineering Institute in Pittsburgh in 1987 [10].

This study aims to conduct an evaluation related to the security management of academic information systems that have been implemented at Ahmad Dahlan University. This study aims to obtain the value of the level of information system security of an institution, so that recommendations and innovations can be made for the security of information systems in these institutions.

METHODS
The combination of both is expected to give good results in evaluating the security of academic information systems at the college, as in Figure 2. The DSS05 sub-domain, Manage security services, is grouped into 7 processes. The seven processes carry out a number of activities, or statements, out of 49 statements [11], as in Figure 3.

Capability Maturity Model Integration (CMMI)
CMMI is a maturity method that can be used to improve processes within an institution. The purpose of using CMMI within an institution is to improve the process of developing and improving the institution's software product [12]. According to [13], CMMI has a Capability Level. The Capability Level is a model that describes how each core process runs within an institution. It has 6 levels for each core process, as in Figure 5.

RESULT AND DISCUSSION
Analysis of the implementation and measurement of the maturity level of the information system with the framework COBIT 5 sub-domain DSS05 and CMMI.

Observation of the Academic Information System Process
This process consists of direct interviews with the resource persons who have authority over the security of the academic information system at BISKOM. Over time, the use of information systems also encounters obstacles, problems and threats. The problems, obstacles and threats that often occur are as follows:
1) There are several systems that have not been well integrated.
2) The server went down during online KRS.
3) Users often forget their username and password.
4) The process of data connection or transmission is slow.
5) Virus and malware attacks.

Respondent samples were selected using a purposive sampling technique, in which the researchers choose respondents by referring to the personal competencies of those who interact directly with IT governance [14]. The interviews involved 2 respondents who are directly concerned with information system security within the institution.

DSS05 Mapping Based on the COBIT Framework 5
This process is a compilation of DSS05 domain conformity activities with questions to be made in the questionnaire. Because of the limitations of our writing, we only list one of the 7 DSS05 sub-domain processes, namely DSS05.01. The DSS05.01 process consists of 6 activities, as in Table 1.

4 | Regularly review and evaluate information about potential malware threats.
5 | Filter incoming traffic, such as e-mail and downloads, to protect against unsolicited information.
6 | Conduct periodic training on malware in the use of e-mail and the Internet.

Preparation of Questionnaires with a combination of DSS05 and Capability Level
This process is carried out by questionnaires based on the standard on DSS05 Framework COBIT 5 by combining. To simplify reading, each decision in Capability Level and Maturity Level is given a different color, as in Table 2. The questionnaire has 6 assessments for the processes, using the CMMI capability levels, as in Table 3.

Calculation of Security SIA Maturity Level
This section explains the results of the analysis of the implementation and measurement of the maturity level of academic information systems, obtained from questionnaires and interviews in accordance with the COBIT 5 framework, domain DSS05, as described in Table 4.
After obtaining the index, we can get the current (present) Maturity Level. This value is the accumulated value of the processes running at the institution, as in Table 5.

Manage network and connectivity security | 5,00
Manage endpoint security | 4,39
Manage user identity and logical access | 4,88
Manage physical access to IT assets | 4,64
Manage sensitive documents and output devices | 3,10
Monitor the infrastructure for security-related events | 4,20

Gap Maturity Level Calculation
Once the existing Maturity Level values are obtained and the recommended (target) Maturity Level has been determined, the gap between the current condition and the target is analyzed, and opportunities for optimization are identified from that gap, as in Table 6.

Gap Analysis Maturity Level
Based on the Gap analysis obtained from the target level to be achieved and the level achieved on DSS05, as in Graph 1, the Gap Maturity Level Analysis is as in Table 7.

Table 7 Gap Maturity Level Analysis

Process | Maturity Level
Protect against malware | Optimized
Manage network and connectivity security | Optimized
Manage endpoint security | Managed and Measurable
Manage user identity and logical access | Optimized
Manage physical access to IT assets | Optimized
Manage sensitive documents and output devices | Define
Monitor the infrastructure for security-related events | Managed and Measurable

The overall Maturity Level value for DSS05 is calculated as the average, giving the Maturity Level of the organization or institution, as in Formula (2).
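The scoring steps above (per-process index, gap to target, overall average) can be reproduced with the following added example, which is not code from the paper. It assumes rounding bands of (n-0.5, n+0.5] per level, COBIT 4.1-style names for the levels the page does not name, and a target of 5 because Table 6 is not on the page; the DSS05.01 index is missing from Table 5, so it is back-solved from the reported overall value as a consistency check.

```python
import math

# Level names: COBIT 4.1-style scale (assumption; the page names only levels 3-5
# and writes level 3 as "Define"). Bands (n-0.5, n+0.5] are an assumption that
# reproduces every level the page reports in Table 7.
LEVELS = ["Non-existent", "Initial/Ad Hoc", "Repeatable but Intuitive",
          "Defined Process", "Managed and Measurable", "Optimized"]

# Table 5 indices from the page (decimal comma written as a point). The
# DSS05.01 row did not survive in the table, so it is None here.
TABLE_5 = {
    "DSS05.01": None, "DSS05.02": 5.00, "DSS05.03": 4.39, "DSS05.04": 4.88,
    "DSS05.05": 4.64, "DSS05.06": 3.10, "DSS05.07": 4.20,
}
REPORTED_OVERALL = 4.458  # overall Maturity Level stated in the paper
TARGET = 5.0              # assumed target level (Table 6 is not on the page)


def level_of(index):
    """Map a 0-5 maturity index to (level number, level name)."""
    if not 0 <= index <= 5:
        raise ValueError(f"index out of range: {index}")
    n = max(0, math.ceil(index - 0.5))
    return n, LEVELS[n]


def implied_missing(scores, overall):
    """Back-solve the single missing index from the reported average."""
    known = [v for v in scores.values() if v is not None]
    if len(known) != len(scores) - 1:
        raise ValueError("exactly one index must be missing")
    return overall * len(scores) - sum(known)


def gap_report(scores, target):
    """Return (process, index, level name, gap) rows, largest gap first."""
    rows = [(p, v, level_of(v)[1], round(target - v, 2))
            for p, v in scores.items() if v is not None]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for row in gap_report(TABLE_5, TARGET):
        print("%-9s index=%.2f  %-24s gap=%.2f" % row)
    x = implied_missing(TABLE_5, REPORTED_OVERALL)
    print("implied DSS05.01 index: %.3f -> %s" % (x, level_of(x)[1]))
    print("overall: %.3f -> %s" % (REPORTED_OVERALL, level_of(REPORTED_OVERALL)[1]))
```

The implied DSS05.01 index comes out at about 4,996, which agrees with the Optimized level the paper reports for that process.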

Compilation of IT Governance Recommendations
After the Maturity Level has been determined, the recommendations are prepared. Recommendations that can be given to improve the quality of information system security in the agency:
1) Protect against malware (DSS05.01) is at the Optimized level; at this level BISKOM has been able to perform procedures well and is able to develop its malware-related procedures.
2) Manage network and connectivity security (DSS05.02) is at the Optimized level; at this level BISKOM has been able to carry out procedures well and is able to carry out developments related to the security of activities.
3) Manage endpoint security (DSS05.03) is at the Managed and Measurable level; at this level BISKOM has been able to carry out procedures well, but the agency must carry out routine evaluations, at least once a month, of information systems where potential new threats are feared.
4) Manage user identity and logical access (DSS05.04) is at the Optimized level; at this level BISKOM has been able to carry out procedures properly and is able to develop the access rights of each user.
5) Manage physical access to IT assets (DSS05.05) is at the Optimized level; at this level BISKOM has been able to perform procedures well and is able to carry out development related to physical security.
6) Manage sensitive documents and output devices (DSS05.06) is at the Define Process level; at this level BISKOM has implemented physical security and accounting practices for documents relating to the situation.
7) Monitor the infrastructure for security-related events (DSS05.07) is at the Managed and Measurable level; at this level BISKOM has been able to carry out procedures properly, using intrusion detection tools to monitor infrastructure.

CONCLUSION
Sub-domain DSS05, Manage security services, is a good procedure to use in the implementation and mega-audit of the security of academic information systems, and CMMI is a good assessment method in an institution's audit system. Based on the research conducted, BISKOM received a Maturity Level of 4,458, which means that the current maturity level is Managed and Measurable.