Risk Management Capability Level of Mail Information System in Surabaya Government

ICT (Information and Communication Technology) plays a strategic role in government institutions. The existence of ICT is considered capable of promoting the realization of good governance. Therefore, Dinkominfo Surabaya implemented a mail management information system called e-Surat. Dinkomifo Surabaya has established a standard operating procedure (SOP) for e-Surat. However, problems such as data loss and mail disposition errors still occurred. Since SOPs were not enough to minimize the occurrence of information security risks, Dinkominfo Surabaya needed to know its capability level of information security risk. This study aimed to help Dinkominfo Surabaya assess the extent to which risk optimization management in e-Surat using COBIT 5 and focusing on the APO12 domain. The results showed that the capability level of the risk management process on the APO12 domain was at level 1 (performed), two levels below the expected level, indicating that the risk management process has been done well, although it has not met the criteria of the practice itself. Recommendations to improve risk management-related processes to achieve the expected level 3 (established) include determining the objectives and limits of the risk management process carried out and providing work products for institution leaders so that the handling of problems related to risk management can involve policymakers.