An Analysis of Physical and Environmental Security in Communication and Information Department Mojokerto

This study aims to provide the Communication and Information Department Mojokerto with an overview of the maturity level of physical and environmental security management at the agency, as well as recommendations for the future. The results, obtained using the ISO 27002 standard, indicate that the level of physical and environmental security at the Communication and Information Department Mojokerto is still relatively low. Shortcomings include a lack of protection from external threats such as natural disasters and a lack of care and maintenance of infrastructure. The maturity level of physical and environmental security control is 0.85, which is still at level 1 (Initial Ad Hoc) out of a maximum value of 5, the Optimized level. It can be concluded that the Communication and Information Department Mojokerto is only aware that there are matters that need attention, but there is no standardization of the process. With this research, it is hoped that the Communication and Information Department Mojokerto can improve its physical and environmental security. In addition, the research can serve as a consideration for obtaining ISMS Certification with the ISO 27002 standard in the future.


Introduction
The era of globalization encourages the implementation of Information Technology-based business operations [1]. IT has inspired the reengineering of traditional business processes to make them more efficient, improving communication within the company, between companies, and between customers and suppliers. With the increasingly massive role of IT, organizations are required to manage information technology well [2]. Good management of Information and Communication Technology will encourage the presence and realization of good governance. Methodology and good governance are mandatory prerequisites for managing a good system [3]. With good governance, an accountable and sustainable system can be achieved for an agency or institution and can provide the widest possible benefit to the public. Under these conditions, data and information become a very valuable asset. As has been stated, the data and information produced by an organization are very valuable because of the many resources that have been expended to produce them. Information and data have now become so valuable, even vital, that damage to or leakage of information in an organization can result in the organization being stopped or closed.

* Corresponding author: maya.si@upnjatim.ac.id
Based on observations and interviews conducted at the Communication and Information Department Mojokerto, especially in the field of informatics, and on information obtained from informants, the Mojokerto communication and information department was only established in 2017, and the section that handles security issues in the informatics field is still in the planning stages of formation. Therefore, it is necessary to evaluate the current level of physical and environmental security at the Communication and Information Department Mojokerto so that recommendations can be made based on the findings at the time of the research, in order to facilitate policy making related to physical and environmental security.
There is no fixed reference for which standard a company should use or choose to carry out an information system security audit. The selection of the standard is determined jointly with the agency itself. The ISO 27002:2013 standard was chosen with the consideration that this standard is very flexible and can be developed depending on the needs of the organization, organizational goals, security requirements, business processes, number of employees and the size of the organizational structure [4]. Another consideration is that ISO 27002 provides an internationally recognized implementation certificate called Information Security Management System (ISMS) certification [5]. ISO/IEC 27002 was developed to provide guidance on implementing information security and is widely used in solving problems related to information security [6]. ISO 27002 is able to provide guidance in planning and implementing programs to protect information assets. The Physical and Environmental Security clause is used because, according to previous research, the controls in this clause explain the most about risk mitigation.

Literature Review
Information is considered so important that in some cases it is intended to be accessed only by certain people. If the information falls into the wrong hands, it can cause huge losses for its owners. An information system must therefore have security in place so that the information can be protected.
Information security is an effort to secure information assets from all threats that may occur, in order to reduce the negative risks incurred [7]. The more information an organization stores, the more risks it faces, such as damage, loss, or personal information being spread to irresponsible parties.
System security aims to achieve three goals, namely confidentiality, availability and integrity [8]. Two major areas are included in the scope of information security, namely physical information security and logical information security [9].
Information security threats can include people, organizations, mechanisms, or events that have the potential to harm the company's information resources. Threats can be internal or external, and intentional or unintentional. Among the benefits that can be obtained by implementing ISO 27001 are that data confidentiality is better maintained and the threat of data theft is reduced. This standard also covers many important aspects of business. Some previous research is listed in Table 2.1 below [10].

Methodology
This chapter explains how the research was carried out, so that the systematic sequence of steps can be seen. The steps or stages in this research are shown in Figure 3.1 below [11]. The first step is to conduct a literature study by studying several previous studies. The next steps are to identify business processes through observation, to select clauses and analysis methods (which helps in choosing suitable methods to use), to analyze the maturity level of the expected conditions through interviews, to analyze the maturity level of the current conditions through interviews and examination of the interview results for assessment, and to compile a list of findings and recommendations based on ISO 27002 [12].

Results and Discussion
This chapter presents the results and discussion of the thesis research on the implementation of an information security audit at the Mojokerto District Communication and Information Technology using the ISO 27002:2013 standard. The audit itself consists of a series of stages: analysing the maturity level of the expected condition, then analysing the maturity level of the current condition.

Expected Condition Maturity Level Analysis
Before analyzing the current maturity level, the researcher first analyzed the maturity level expected by the relevant agency, namely the Communication and Information Department Mojokerto, by conducting interviews with the Information Technology Manager, Mr. Ulin Nuha Nashirudin, S.Kom. The results of the expected maturity level analysis for the agency are shown in Table 4.1 below.

Current Condition Maturity Level Analysis
The maturity level analysis of the current condition is carried out by calculating the maturity level of physical and environmental security. This maturity assessment is based on the results of survey assessments and interviews with stakeholders within the organization. In the calculation, each statement is assessed for its maturity level in accordance with the results of the interviews and examinations, using the assessment criteria contained in the maturity level assessment standard. The criteria range from non-existent, which has a value of 0 (zero), to the optimal level, which has a value of 5 (five) [13]. After the maturity level of each question is assessed, the question scores are averaged to obtain the level of each security control, the security controls are averaged to obtain the value of each control objective, and the control objectives are averaged to obtain the maturity value of the clause [14]. The result of the maturity level calculation for physical and environmental security is 0.85, namely Initial, which means there is no management for repairs, no documentation, no IT expert who knows everything about the software or hardware being developed, and continued reliance on individual abilities and responsibilities [15]. These results indicate that the physical and environmental security processes in this agency are carried out inconsistently and unofficially [16]. This can be seen from the number of undocumented procedures and the many controls that have not been carried out, for example: no special handling of external threats, no installation of danger signs, logs of visitors coming and going that are not optimal, no identification for visitors, neglected equipment maintenance, no record of borrowed equipment, and others. The results of the maturity level analysis of the current condition are shown in Table 4.2 below.
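The three-stage averaging described above, as an added example that is not part of the original study: the scores are constructed, the control numbers come from ISO 27002:2013 clause 11, and the names of levels 2 to 4 and the round-to-nearest banding are assumptions based on the COBIT-style 0 to 5 scale. It goes slightly beyond the text by also computing the gap against an expected level and by showing that a flat average over all statements gives a different value.

```python
from statistics import mean

# Level names: 0, 1 and 5 appear in the paper; 2-4 are assumed (COBIT-style scale).
LEVELS = ["Non-existent", "Initial/Ad Hoc", "Repeatable",
          "Defined", "Managed", "Optimized"]

# Constructed scores (0-5 per interview statement), NOT the study's data.
# Layout: control objective -> security control -> statement scores.
SCORES = {
    "11.1 Secure areas": {
        "11.1.1": [1, 1, 0, 2],
        "11.1.2": [1, 0],
        "11.1.4": [0],
    },
    "11.2 Equipment": {
        "11.2.1": [2, 1],
        "11.2.4": [0, 0, 1, 1],
    },
}

def objective_scores(scores):
    """Average statements per control, then controls per control objective."""
    return {
        objective: mean(mean(statements) for statements in controls.values())
        for objective, controls in scores.items()
    }

def clause_maturity(scores):
    """Average the control objectives to get the clause maturity value."""
    return mean(objective_scores(scores).values())

def flat_mean(scores):
    """Naive average over every statement; over-weights controls with many statements."""
    return mean(s for controls in scores.values()
                for statements in controls.values() for s in statements)

def level_name(value):
    """Map a maturity value to a level by rounding to nearest (assumed banding)."""
    return LEVELS[min(5, int(value + 0.5))]

def gap(expected, current):
    """Distance between the expected and the current maturity value."""
    return expected - current

if __name__ == "__main__":
    current = clause_maturity(SCORES)
    print(objective_scores(SCORES))
    print(f"clause maturity {current:.2f} -> {level_name(current)}")
    print(f"flat mean       {flat_mean(SCORES):.2f}")
    print(f"gap to expected level 3 (constructed): {gap(3, current):.2f}")
```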

Conclusion and Suggestion
This section contains conclusions from the overall research results and also suggestions that will be given from this research.

Conclusion
There are two conclusions from the results of this research. First, the maturity level of physical and environmental security at the Communication and Information Department Mojokerto is still at the first level (Initial Ad Hoc) with a value of 0.85. Second, recommendations are given based on ISO 27002 for each security control according to the findings. However, the resulting gap is quite large, so more effort is required for future improvements.

Suggestion
This study also offers three suggestions. First, it is hoped that the Communication and Information Department Mojokerto can improve its information system security management, rules, and procedures so that external and internal threats related to information security can be controlled [17].
Second, it is hoped that the Communication and Information Department Mojokerto will carry out a security analysis of the information system again, using all of the ISO 27002 security clauses and controls, after it has made physical and environmental security improvements [18].
Third, the researcher hopes that future researchers can conduct research on the same topic but with a different ISO 27002 clause, as well as with other methods such as the KAMI Index, so that perspectives from different clauses and methods can be known [19] [20].