COBIT 5 Paper

The document discusses the use of COBIT 5 framework to analyze the IT governance and management processes at a media company in Indonesia. It describes the company's issue with ineffective problem resolution due to lack of categorization and prioritization of issues. The analysis focuses on the DSS01 and DSS02 processes to review the company's ability to solve problems and manage operations and service requests. It provides recommendations to improve backup restoration success and management of outsourced IT services.

THEORY

What is COBIT 5?
COBIT 5 is the only business framework for the governance and management of enterprise IT.
It is the product of a global task force and development team from ISACA, a nonprofit,
independent association of more than 140,000 governance, security, risk and assurance
professionals in 187 countries.
COBIT 5 incorporates the latest thinking in enterprise governance and management techniques,
and provides globally accepted principles, practices, analytical tools and models to help
increase the trust in, and value from, information systems.
COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards
and resources, including ISACA's Val IT and Risk IT, Information Technology Infrastructure
Library (ITIL®) and related standards from the International Organization for Standardization
(ISO).
Governance is the responsibility of the board of directors, who:
• Evaluate stakeholder needs to identify objectives
• Provide management with direction by prioritizing objectives
• Monitor management's performance
COBIT defines the components to build and sustain a governance system: processes,
organizational structures, policies and procedures, information flows, culture and behaviors,
skills, and infrastructure.
Management plans, builds, runs and monitors activities, in alignment with the direction set by
the governance body, to achieve the enterprise objectives.
• Plan (APO = align, plan and organize)
• Build (BAI = build, acquire and implement)
• Run (DSS = deliver, service and support)
• Monitor (MEA = monitor, evaluate and assess)
Management also periodically provides the board of directors with feedback that can be used to
monitor achievement of the organization's objectives and, if necessary, to re-evaluate and
perhaps modify those objectives.
Why Use COBIT 5?
New user demands, industry-specific regulations and risk scenarios emerge every day.
Maximizing the value of intellectual property, managing risk and security and assuring
compliance through effective IT governance and management has never been more important.
No other framework focused on enterprise IT offers the breadth or benefits of COBIT. It helps
enterprises of all sizes:
• Maintain high-quality information to support business decisions
• Achieve strategic goals through the effective and innovative use of IT
• Achieve operational excellence through reliable, efficient application of technology
• Maintain IT-related risk at an acceptable level
• Optimize the cost of IT services and technology
• Support compliance with relevant laws, regulations, contractual agreements and policies
COBIT 5 PRINCIPLES
COBIT 5 is based on the following 5 key principles of IT governance and management. These
principles help organizations build an effective governance and management framework that
protects stakeholders' investments and produces the best possible information system.
1. Meeting stakeholder needs
Helps users customize business processes and procedures to create an information system
that adds value to its stakeholders. It also allows the company to create the proper
balance between risk and reward.
2. Covering the enterprise end-to-end
Does not focus only on the IT operation; it integrates all IT functions and processes into
companywide functions and processes.
3. Applying a single, integrated framework
Can be aligned at a high level with other standards and frameworks.
4. Enabling a holistic approach
Results in effective governance and management of all IT functions in the company.
5. Separating governance from management
Distinguishes between governance and management.
The COBIT 5 framework provides guidance for 37 IT-related processes grouped into 5 major
areas and two domains of governance and management. For each of the COBIT processes, the
“maturity level” of management processes can be evaluated on a scale of 0 to 5.
The scale is roughly defined as follows:
• 0 Non-existent – management processes are not applied at all
• 1 Initial/ad hoc – processes are ad hoc and disorganized
• 2 Repeatable but intuitive – processes follow a regular pattern
• 3 Defined – processes are documented and communicated
• 4 Managed and Measurable – processes are monitored and measured
• 5 Optimized – best practices are followed and automated
JOURNAL of COBIT
PT KOMPAS MEDIA NUSANTARA

BACKGROUND
Current technological developments have brought changes in business travel and human interaction. Most organizations are now fully integrated with information technology, and many large companies compete to develop effective systems that use information technology to achieve the goals of the company or organization. Information technology is vital to work activities and has a major impact on an organization's business management. Ineffective IT governance can cause business losses, unexpected costs, low quality of IT use and failure to deliver value to the company.
Technology is also applied in companies engaged in the media. The development of media sectors (and industries) cannot be separated from technological progress, market dynamics (such as the creation of arrangements and demand in media and infrastructure content), and political policies (such as power). Mass media containing information that is trusted and consumed by the public can be used as an effective means to lead the public. The application of the right technology should add value; the emphasis here is on the depth (quality) of data, not the amount (quantity) of data. The use of technology and information seems to present "the world in hand".
COMPANY PROFILE
PT KOMPAS MEDIA NUSANTARA is a company engaged in newspaper publishing.
Media companies are aware of the importance of technology to support the company's business
processes. In running the company, the company is supported by a special division to handle
internal parts of the company that support the needs of each company division, namely the
helpdesk and support (HDS) division.
ISSUE
The HDS Division has a very important role: it facilitates all use of IT devices within the company and for the government agencies that report every problem they face. Complaints are written into an application that has been provided, then submitted to and received directly by the HDS division, which follows up on them. The system used by this company is an application released by Microsoft, namely Microsoft System Center 2012 R2, which is the only product that can be integrated in most of the central system series and Active Directory. This application creates and maintains dynamic database management services that enable interaction in all divisions, both inside and outside the IT department. This Microsoft application has not been audited, and its level of success in supporting daily company activities has never been measured. Each complaint is generally grouped according to the level of urgency of the problem. In practice, however, all complaints are entered at the incident level, because complaints at other levels must go through a very complicated process and events need to be configured before they are reported.
This makes the work of the HDS division ineffective and reduces the speed of solving problems that are actually very urgent for the company. The success of an organization depends on how well the company can manage and control its IT facilities to ensure that the expected benefits are realized. We will therefore focus on the DSS01 and DSS02 processes, which review the company's ability to solve the problems and complaints that occur. DSS01 was chosen because this domain focuses on how the company manages its daily operational activities, both the performance of the Microsoft System Center software application and employee work operations. DSS02 was chosen because this domain focuses on how the company returns service to normal; records and meets user requests; and records, investigates, diagnoses, improves and resolves incidents.

The analysis is also based on the process capability levels shown in this figure:
ANALYSIS
A. DSS01 Manage Operations
• Perform Operational Procedures (DSS01-1)
This sub-process covers operational management: maintaining and carrying out operational procedures for scheduling, data security, and backups in accordance with established procedures and conditions.
This print media company backs up data every week, but the drawback is the difficulty of restoring backed-up data in the event of data loss. The restore success rate does not reach 50%. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 3.1 process definition, so the capability level of this sub-process is level 3, established process.
Recommendation: The company needs to improve the backup facility to increase the success rate of restoring data.

• Manage Outsourced IT Services (DSS01-2)


This sub-process defines the management of relationships between the company and its service providers for the systems that support the company's business processes. It covers the relationship between service providers and the company's internal IT management processes, including performance, planning, change, configuration, internal service and performance monitoring.
The application system used by this company is a product released by Microsoft. If the application is changed or updated, the RPT must be installed again and an old .NET is needed, whereas the usual .NET cannot be used with the latest application updates. This makes the company's applications difficult to update regularly. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 2.2 work product management, so the capability level of this sub-process is level 2, managed process.
Recommendation: The company can use additional applications or connectors to make it easier if an error occurs; the company has to use other computer facilities and do regular updates.

• Monitor Infrastructure (DSS01-3)


This sub-process identifies the level of information to be recorded based on a consideration of risk and performance, manages infrastructure lists, and establishes procedures for monitoring event logs and conducting regular reviews.
The company reports on event log monitoring with reporting letters that are made on time and well documented, but no one is responsible for monitoring infrastructure. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 3.2 process deployment, so the capability level of this sub-process is level 3, established process.
Recommendation: The company needs to add employees or appoint employees to be specifically responsible for monitoring infrastructure.
• Manage the Environment (DSS01-4)
This sub-process covers how the environment around the company is managed, including the layout of IT equipment, policies for accessing or entering the IT environment, identification of possible problems such as human error or natural disasters, and how the company manages devices for monitoring and controlling the IT environment.
The work environment is managed well: fire disasters have been identified as a risk, and employees are trained for the event of a fire. Not everyone can enter the IT facilities without access. However, there is no structured facility layout procedure. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 3.2 process deployment, so the capability level of this sub-process is level 3, established process.
Recommendation: The company needs to make written regulations for conduct in the IT room and set standards to regulate IT facilities.

• Manage Facilities (DSS01-5)


This sub-process covers the management of company facilities and assets, including managing electrical equipment and internal communication in line with legal procedures, technical and business requirements, vendor specifications and safety considerations.
The company has a properly working generator in case of power outages, the design of the workspace is in accordance with health standards, and cabling is in accordance with predetermined standards. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 4.1 process measurement, so the capability level of this sub-process is level 4, predictable process.
Recommendation: The company should pay attention to facility maintenance and develop more structured analysis results reports, for example directly through the application.
The DSS01 (Manage Operations) results show the overall capability level in the DSS01 process. The average across the IT processes is shown in the table of process capability for domain DSS01 (Manage Operations).
Table 1 – Process Capability Domain DSS01 Manage Operation

Domain    Description                      Process Attributes   Capability Level   Expected Capability
DSS01-1   Perform Operational Procedures   3.1                  3                  3
DSS01-2   Manage Outsourced IT Services    2.2                  2                  3
DSS01-3   Monitor Infrastructure           3.2                  3                  3
DSS01-4   Manage the Environment           3.2                  3                  4
DSS01-5   Manage Facilities                4.1                  4                  4
AVERAGE                                                         3.0
B. DSS02 Manage Service Requests and Incidents
• Define Incident and Service Request Classification Schemes (DSS02-1)
This sub-process determines request and service classification schemes and models. It determines the event model for finding known errors in order to enable effective and efficient resolution.
The company already has procedures that must be carried out if an error occurs, namely direct handling by the IT staff concerned, and errors that occur are already documented in the form of e-mail. If an error occurs that makes the application completely unusable, the company has prepared a backup device as a temporary replacement. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 3.2 process deployment, so the capability level of this sub-process is level 3, established process.
Recommendation: The company needs to improve the quality of resources to reduce the occurrence of configuration errors.

• Record, Classify and Prioritise Requests and Incidents (DSS02-2)


This sub-process identifies, records and classifies service requests, complaints and incidents, and sets priorities in accordance with criticality and business service agreements. All service requests and incidents are logged, with all relevant information recorded so that they can be handled effectively and full historical records can be maintained.
The company has implemented a recording procedure for errors, so that if a similar problem occurs again it can be settled more easily. However, grouping problems by level of urgency still has to be done manually. With Microsoft System Center as applied, all complaints are entered as incidents, because filing a complaint under the problem, change or service request groupings requires configuration first, which is complicated for the user. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 2.2 work product management, so the capability level of this sub-process is level 2, managed process.
Recommendation: The company can simplify problem, change and service requests so that the application can be used optimally and effectively.

• Verify, Approve, and Fulfil Service Requests (DSS02-3)


This sub-process requires fulfilling requests by performing the selected request procedure, using, if possible, self-help automatic menus and predetermined request models for frequently requested items. The company can ask developers for help if an error occurs in the application, and this is carried out based on the provisions of the SLA.
The application has no "report error" or "contact us" menu, so if an error occurs in the application that requires help from the developer, the developer is contacted manually by the company. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 3.1 process definition, so the capability level of this sub-process is level 3, established process.
Recommendation: The company should add a "report error" and "contact us" feature so that it can directly confirm the details of errors that occur; for a mild error, the developer can also provide the correct solution directly through the application.
• Investigate, Diagnose, and Allocate Incidents (DSS02-4)
This sub-process requires identifying problems that occur, recording the symptoms of the problem, determining the root cause and finding a solution. Events are allocated to specialist functions if deeper expertise is needed, and appropriate management is involved if needed.
The company makes efforts to resolve errors that occur in the application, but if an error is difficult to overcome, the company asks the developer for help in handling it. Every error that occurs is recorded in the IT logbook, making it easier to handle if the same error occurs again. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 4.1 process measurement, so the capability level of this sub-process is level 4, predictable process.
Recommendation: The company should maintain and improve quality in handling errors so that the process can be measured quantitatively, resulting in a stable process that can be predicted within predetermined limits.

• Resolve and Recover from Incidents (DSS02-5)


This sub-process covers documenting, implementing and testing the appropriate or identified solutions and taking remedial actions to restore IT-related services. Incident resolutions are archived, and each resolution is assessed for whether it can be used as a source of knowledge in the future.
The company handles errors quickly, within 1-2 hours for production facilities, records every error that occurs and has a server to back up company data. It has one drawback, however: when restoring backup data, the success rate does not reach 50%, which once caused data to be lost. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 2.2 work product management, so the capability level of this sub-process is level 2, managed process.
Recommendation: The company needs to upgrade the restore facility so that when a disaster strikes, data can be restored with a higher success rate.

• Close Service Requests and Incidents (DSS02-6)


This sub-process covers verifying with the users involved (in this study, internal employees) that the request has been fulfilled, based on the level of satisfaction.
The company verifies with the developer whether the problem in the application has been resolved, in the form of a ticket from the company, and the developer also confirms closing the ticket once the problem has been resolved. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 4.1 process measurement, so the capability level of this sub-process is level 4, predictable process.
Recommendation: The company should maintain and improve the process until it can be measured quantitatively, which will result in a stable process whose results or products can be measured and predicted.
• Track Status and Produce Reports (DSS02-7)
This sub-process provides structured searching, analysis and reporting on events to identify trends and so provide information for continuous improvement.
The company provides guidance to employees for managing minor errors in the application. Every error that occurs is recorded in the logbook and reported, but the SLA provisions are not considered by the company. The company keeps records of errors that have occurred, but bookkeeping is not done periodically. Based on the results of data analysis, this sub-process has a process attribute achievement that stops at 2.2 work product management, so the capability level of this sub-process is level 2, managed process.
Recommendation: The company should pay more attention to the provisions of the SLA and schedule bookkeeping regularly so that the records of errors that have occurred are kept properly.
The DSS02 (Manage Service Requests and Incidents) results show the overall capability level in the DSS02 process. The average across the IT processes is shown in the table of process capability for domain DSS02 (Manage Service Requests and Incidents).
Table 2 – Process Capability Domain DSS02 Manage Service Requests and Incidents

Domain    Description                                                  Process Attributes   Capability Level   Expected Capability
DSS02-1   Define Incident and Service Request Classification Schemes   3.2                  3                  3
DSS02-2   Record, Classify and Prioritise Requests and Incidents       2.2                  2                  3
DSS02-3   Verify, Approve, and Fulfil Service Requests                 3.1                  3                  3
DSS02-4   Investigate, Diagnose, and Allocate Incidents                4.1                  4                  4
DSS02-5   Resolve and Recover from Incidents                           2.2                  2                  3
DSS02-6   Close Service Requests and Incidents                         4.1                  4                  4
DSS02-7   Track Status and Produce Reports                             2.2                  2                  3
AVERAGE                                                                                     2.86
BEFORE AND AFTER COBIT IMPLEMENTATION
Before:
• The company will not know whether the capabilities of the system used meet the standards or not.
• The company will not know the extent to which the system used is well implemented based on process capability.
• The company will not know how to improve its capability regarding the effectiveness and efficiency of governance and IT management.
After:
• The company will know which parts need to be improved and how to improve them.
• The company can maintain high-quality information to support business decisions.
• The company can achieve strategic goals and realize business benefits through the effective and innovative use of IT.
• The company can achieve operational excellence through reliable, efficient application of technology.
• The company can maintain IT-related risk at an acceptable level.
• The company can optimize the cost of IT services and technology.
CONCLUSION
From Table 1 and Table 2, it can be concluded that the company has implemented the COBIT system very well, although there are still many things that need to be improved in the future. As Tables 1 and 2 show, several domains already reach the expected capability. The company has therefore carried out maintenance, optimization and problem management quite well. It can quickly take action if a problem occurs and quickly process the problem to a solution, with procedures that have been well structured for its own operations.
In the DSS01 sub-domains, there is still a need for improvement in performing operational procedures and managing outsourced IT services, especially regarding data backup management and application optimization. In the DSS02 sub-domains, there is still a need for improvement in service request classification, especially regarding the grouping of complaints according to the criteria of incident, problem, change and service request.