Human Resource Information System (HRIS), as one of the vital information systems at Universitas Indonesia, is expected to support faster achievement of Universitas Indonesia's strategic goal of being a healthy university based on Good University Governance (GUG) by accelerating the provision of relevant, timely, and quality information. HRIS currently manages essential human resources services, such as employee salaries, taxes, attendance, and information technology-based employee career management. However, the management of HRIS does not yet comply with information security standards, as can be seen from several incidents and from the handling of those incidents, which is still accidental in nature. The purpose of this study is to obtain a design for HRIS information security risk management. The research used qualitative methods, with data collected through interviews, observations, and secondary data analysis. ISO/IEC 27005:2018 was used for the information security risk assessment, and SNI ISO/IEC 27001:2013 for risk handling. The study identified 49 risks: 16 high risks, 23 moderate risks, seven low risks, and three very low risks. The output of the study is a design for HRIS information security risk management, which is expected to serve as reference material for implementing information security risk management at Universitas Indonesia.