IT Infrastructure Security Risk Assessment using the Center for Internet Security Critical Security Control Framework: A Case Study at Insurance Company

Abstract

PT. XYZ is an insurance company that currently provides a variety of services using electronic systems in 80 service offices throughout Indonesia. At the end of 2019, the company experienced an IT security incident. The core application was hit by a malware attack that caused slow system performance and disruption of insurance operational services. These events have a negative impact on the company both operationally and to customers, so that it becomes a serious concern of management. Therefore, this research aims to see how companies develop infrastructure to ensure the reliability and improvement of IT security. The research methodology used is a qualitative approach by collecting data through documentation and interview studies. Based on the results of the assessment, there were 16 out of 20 controls that exceeded the threshold value. These results illustrate that the security of the IT infrastructure of PT. XYZ is very weak. Therefore, the company must carry out 13 recommendations for improvement that will be carried out in stages. This research is expected to be a lesson for other organizations especially insurance companies to improve the reliability and security of IT infrastructure.