Integrated IT Risk Management

IT Risk Management refers to Enterprise Risk Management, which includes the activities of identifying, measuring, handling, and monitoring risks arising from the use of information technology. IT risk management aims to avoid material and non-material losses due to disruptions, threats, and failures of human resources (people), processes (process), and technology (technology). In general, the IT risk management flow includes:
a. Identification of risks related to IT services;
b. IT risk analysis;
c. IT risk profile management;
d. Management of the list of IT risk mitigation plans;
e. Implementation of IT risk mitigation;
f. Monitoring of IT risk management;
g. Evaluation of IT risk management.

The highest leader of the IT Function generally has the task and responsibility of directly supervising the IT risk management unit, coordinating with stakeholders regarding the Company's IT risk profile, and periodically reporting the implementation of IT risk management to the Director of Risk Management. Several risks are managed, including:
a. Ongoing Business (OGB).
b. Information Security Management System (ISMS).
c. Disruptive Risk Assessment (DRA).
d. Internal Control over Financial Reporting – IT General Control (ICoFR-ITGC).
e. Anti-Bribery Risk Assessment.

Information Security Governance

Information Security Governance is a framework that ensures information security is managed strategically and integrated into all of the organization's business processes. Amid rapid technological development and increasing cyber threats, good governance is key to protecting information assets, maintaining regulatory compliance, and building trust with customers and business partners. With a systematic, risk-based approach, information security governance helps the organization balance data protection and operational continuity.

Information Security Management System (ISMS)

PHE uses a framework based on ISO 27001:2022 (Information Security Management System (ISMS)) for its Information Security Governance arrangements. Throughout 2024, the Information Technology Function of Subholding Upstream carried out various activities to strengthen the Company's information security. Information security management is carried out by the IT Function through the implementation of ISO 27001:2022, training and awareness programs, cybersecurity management, and improvements to security infrastructure, including the implementation

Laporan Tahunan • Annual Report 616 HULU ENERGI