Risk Analysis of Data Management, System Security, and IT Vendor Management at PT. X

Zefania Wahjudi(1*), Adi Wibowo(2), Ibnu Gunawan(3),

(1) Informatics Engineering Study Program
(2) Informatics Engineering Study Program
(3) Informatics Engineering Study Program
(*) Corresponding Author


The Procurement Department of PT. X, a manufacturing company based in Surabaya, supplies the needs of all departments in PT. X. Information technology in Procurement is used extensively to support the company's business activities and processes. However, the company has never performed a risk assessment, so it does not know which impacts might occur that could cripple Procurement's performance. A risk assessment is therefore required to analyze the risk factors that could interfere with Procurement's business processes and to provide a response to the most critical risks.

This research assesses the risks that may arise in Procurement's information technology and business processes. The risk assessment uses the COBIT 4.1 standard to define the processes under analysis, ISO 31000 as the framework for the risk assessment steps, and the OWASP Risk Rating Methodology as the reference for risk valuation and calculation. Based on the interviews conducted, 14 risk factors were found in PT. X Procurement. Among them: contract data is not stored in a database system; there is no written agreement designating a dedicated vendor PIC to handle the related project; the company has no contingency plan for problems in the manufacture of goods/services by the vendor; Procurement has not yet performed an IT risk assessment, so there is no analysis of the events that might occur; there is no special documentation such as a risk record for each vendor; vendor progress reports have no uniform format, so some points of information may not be delivered completely; and vendors are not required to provide progress reports.

The responses proposed to the company are: copy and scan the contracts and store them in the system; identify and document the individuals involved in the project; prepare a contingency plan in case either party cancels the contract before the end of the contract period; perform an IT risk assessment; keep notes or special documentation of the risks related to each vendor; create a report format for vendor progress reporting; and schedule regular communication between Procurement and vendors to discuss vendor progress.
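To make the valuation step concrete, here is an added example (not code from the paper) that scores one of the risk factors above, contract data not stored in a database system, with the OWASP Risk Rating Methodology the study uses: each of the eight likelihood and eight impact factors is rated 0 to 9, averaged, banded, and combined through the OWASP severity matrix. The factor ratings are constructed for illustration; the abstract does not give the study's actual ratings.

```python
# Added example, not from the paper: scoring one of its 14 risk factors with the
# OWASP Risk Rating Methodology the study uses for valuation and risk calculation.
# Factor ratings (0-9) below are constructed; the abstract gives no actual ratings.
LIKELIHOOD_FACTORS = (  # threat agent factors, then vulnerability factors
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
IMPACT_FACTORS = (  # technical impact factors, then business impact factors
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability",
    "loss_of_accountability", "financial_damage", "reputation_damage",
    "non_compliance", "privacy_violation")
# OWASP overall-severity matrix: (likelihood level, impact level) -> severity
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical"}

def level(score):
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def average(ratings, factors):
    """Mean of the eight factor ratings; every factor must be present and rated 0-9."""
    missing = [f for f in factors if f not in ratings]
    if missing:
        raise ValueError(f"missing factor ratings: {missing}")
    bad = [f for f in factors if not 0 <= ratings[f] <= 9]
    if bad:
        raise ValueError(f"ratings must be 0-9: {bad}")
    return sum(ratings[f] for f in factors) / len(factors)

def rate_risk(likelihood, impact):
    """Return likelihood/impact scores, their bands and the OWASP overall severity."""
    l_score, i_score = average(likelihood, LIKELIHOOD_FACTORS), average(impact, IMPACT_FACTORS)
    l_level, i_level = level(l_score), level(i_score)
    return {"likelihood": l_score, "impact": i_score, "likelihood_level": l_level,
            "impact_level": i_level, "severity": SEVERITY[(l_level, i_level)]}

# Constructed ratings for the risk "contract data is not stored in a database system":
# paper contracts are easy to lose or alter unnoticed, so integrity/availability weigh high.
CONTRACT_LIKELIHOOD = dict(skill_level=3, motive=4, opportunity=7, size=6, ease_of_discovery=7,
                           ease_of_exploit=5, awareness=6, intrusion_detection=8)
CONTRACT_IMPACT = dict(loss_of_confidentiality=4, loss_of_integrity=7, loss_of_availability=7,
                       loss_of_accountability=7, financial_damage=7, reputation_damage=5,
                       non_compliance=7, privacy_violation=4)

if __name__ == "__main__":
    print(rate_risk(CONTRACT_LIKELIHOOD, CONTRACT_IMPACT))  # severity: High
```

With these ratings the likelihood averages 5.75 (MEDIUM) and the impact 6.0 (HIGH), which the matrix maps to an overall severity of High, the band that would place this factor among the critical risks the paper proposes responding to first.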


Risk Assessment; COBIT 4.1; ISO 31000; OWASP; Qualitative Research Method




Chrisdiyanto, I. 2013. IT Risk Assessment di Perpustakaan Universitas Kristen Petra. Surabaya: Universitas Kristen Petra.

IT Governance Institute. 2007. COBIT 4.1. USA: ISACA.

International Organization for Standardization. 2005. Information technology — Security techniques — Code of practice for information security management. USA: ISO.

International Organization for Standardization. 2008. Risk management — Principles and guidelines on implementation. USA: ISO.

National Institute of Standards and Technology. 2002. Computer Security. USA: NIST.

National Institute of Standards and Technology. 2005. Information Security. USA: NIST.

National Institute of Standards and Technology. 2012. Computer Security. USA: NIST.

Payment Card Industry. 2014. Information Supplement: Third-Party Security Assurance. USA: PCI.

The OWASP Risk Rating Methodology. Retrieved May 23, 2014, from

