Information security cannot be separated from its user behavior. Many organizations applied an information security policy, but cease at the human aspects of information security. XYZ firm has implemented information security policies and socialized it towards its employee through several ways. However, the internal control division of XYZ firm always finds violation towards information security policies every time they conduct office sweeping. This study was conducted to measure the employee's information security awareness in XYZ firm using HAIS-Q framework that has seven focus area (password management, email usage, internet usage, social media, mobile device, information handling, and incident reporting) and weighed to three dimension of knowledge (knowledge, attitude, and behavior). The result of ISA measurement in the XYZ employee considered as good with total score 87.59. However, this study indicates that employee's information security awareness on internet usage should be improved by the firm since it was classified as average with score 79.07.