Journal of Physics: Conference Series

PAPER • OPEN ACCESS

To cite this article: L H Atrinawati et al 2021 J. Phys.: Conf. Ser. 1803 012033


ICERIA 2020 IOP Publishing
Journal of Physics: Conference Series 1803 (2021) 012033 doi:10.1088/1742-6596/1803/1/012033

Assessment of Process Capability Level in University XYZ Based on COBIT 2019

L H Atrinawati1*, E Ramadhani1, T P Fiqar2, Y T Wiranti1, A I N F Abdullah1, H M J Saputra1, and D B Tandirau1

1 Information Systems Department, Kalimantan Institute of Technology, Balikpapan, Indonesia
2 Informatics Department, Kalimantan Institute of Technology, Balikpapan, Indonesia

Email: [email protected]*
Abstract. University XYZ is a state university in East Kalimantan that was established in 2014. All of its academic and non-academic activities are supported by information technology managed by the Information and Communication Technology Unit (ICT Unit). University XYZ implements an information technology governance system that aims to support the university's business strategy and goals optimally, and that system must be well managed to support the university's business processes. This study evaluates the capability of the information technology governance system using the COBIT 2019 framework. It uses the COBIT 2019 design toolkit and core model to evaluate the University XYZ governance system, and then assists in determining a governance system adjusted to the COBIT 2019 capability level assessment. The result of this research is a recommendation of the core model processes and the capability level that University XYZ must implement. Eleven Governance and Management Objectives have a priority of more than 50%; this study evaluates those core model processes so that recommendations are obtained for the development of information technology governance.

Content from this work may be used under the terms of the Creative Commons Attribution 3.0 licence. Any further distribution of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI. Published under licence by IOP Publishing Ltd.

1. Introduction
University XYZ was established in 2014. In 2019/2020, University XYZ had 5 departments and 14 study programs, namely physics, mathematics, mechanical engineering, electrical engineering, chemical engineering, materials engineering and metallurgy, civil engineering, regional and city planning, shipping engineering, information systems, informatics, industrial engineering, environmental engineering, and marine engineering, with a total of 3247 students and 156 teaching staff (PDDIKTI). University XYZ is a tertiary institution focused on technology to support the needs of the industrial world; through its educational programs it is expected to increase the knowledge and skills of human resources, which in turn is expected to improve technological mastery and capital productivity.
Information and technology (I&T) have become an essential and inseparable part of business processes, and the use of I&T in organizations makes I&T governance a much more significant concern. Van Grembergen and De Haes (2010) clearly illustrated that I&T governance must be part of corporate governance [1]. Good corporate governance can raise the level of confidence and give more secure investment protection in the future; conversely, information technology that is not managed properly will certainly affect the quality of an organization's performance [6]. In addition, Regulation of the Minister of Research, Technology and Higher Education Number 62 of 2017 concerning Information Technology Governance within the Ministry of Research, Technology and Higher Education states that, to align information technology planning, development and implementation, universities must have integrated information technology governance [2]. A higher education institution, through its organizational unit, develops Information Technology Governance consisting of an Information Technology Governance Structure, Enterprise Architecture, development governance, service governance, and supervision governance. The Information Technology Governance structure referred to in tertiary institutions is called the IT Manager, consisting of a Technical Services Unit (UPT) and an ad hoc team. One of the tasks of the IT Manager in an institution is to formulate, determine, and implement technical policies, standards, procedures, and principles related to Information Technology Governance. University XYZ, as a state university, therefore needs to formulate and set policies, standards, procedures, and principles related to Information Technology Governance in accordance with the established regulations.
Information technology governance requires a framework as a guide for information technology management. One such framework is COBIT (Control Objectives for Information and Related Technologies), which assists enterprises in managing enterprise information and technology. Enterprise information and technology refers to all information technology and processing applied by the enterprise, not only by the IT department. ISACA released the latest version of COBIT, COBIT 2019, which is considered more flexible and open to various references and makes it easier for users to expand the focus area of information technology management. COBIT 2019 refines the previous framework and recognizes that it can be implemented in various kinds of organization. COBIT 2019 also introduces a new concept, the design factor [3]. Design factors are used to design information technology governance by assessing several important factors that affect the enterprise, each scored in the range -100 to 100. University XYZ is a college that focuses on technology to support the needs of the industrial world. Through its educational programs, University XYZ is expected to increase the knowledge and skills of its human resources (the students who study there), which will have an impact on increasing mastery of technology and capital productivity. Furthermore, the increase in capital productivity can create new industries, thereby increasing the number of industries in Kalimantan.
Previous research identified 11 core model processes that are important to University XYZ based on COBIT 2019; those 11 processes were suggested because their priority was more than 50% [5]. The purpose of this research is to assess the capability level of those processes. After an information technology governance system design adjusted to the COBIT 2019 design factors has been found, a capability level assessment is required for the core model processes whose priority is more than 50%. This capability level assessment was conducted so that University XYZ can learn the recommendations COBIT 2019 gives for developing a better information technology governance system in the future.

2. Methodology
This research follows the Governance System Design Workflow in the COBIT 2019 Framework: Introduction and Methodology [3]. It consists of several stages: understanding the enterprise context and strategy, determining the initial scope of the governance system, refining the scope of the governance system, concluding the governance system design, and assessing the capability level. The research methodology is shown in Figure 1.

Figure 1. Research Methodology


a. Data collection
Data were collected from previous research and from interviews. Previous research identified 11 core model processes that are important to University XYZ [5]. The interviews aimed to obtain data not available from the analysis of existing documents; they were conducted with several stakeholders at University XYZ using the questions in the COBIT 2019 design toolkit.
b. Process Capability Levels
This stage determines the capability level of the information technology governance system of University XYZ. Process capability is measured using the characteristics of the Capability Maturity Model Integration (CMMI), with levels 0 to 5 [3]:
1. Level 0 - The process lacks basic capability and reflects an incomplete approach to addressing the governance and management objective, or does not fulfil the intent of any process practice.
2. Level 1 - The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive and not very organized.
3. Level 2 - The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
4. Level 3 - The process achieves its purpose in a much more organized way using organizational assets. Processes are typically well defined.
5. Level 4 - The process achieves its purpose, is well defined, and its performance is quantitatively measured.
6. Level 5 - The process achieves its purpose, is well defined, its performance is measured to improve performance, and continuous improvement is pursued.
The capability rating at a level is obtained by dividing the number of activities of that level that University XYZ has carried out by the total number of activities at that level and multiplying by 100%; the resulting percentage is then mapped to a rating as described in step c.
c. Rating Process Activities
The assessment criteria used to evaluate the process components are N, P, L and F: Not, Partially, Largely, and Fully. University XYZ is considered to have met the core model at a given capability level only if the rating at that level is Fully; only then does the assessment proceed to the next level. The percentage bands of each rating [3], as applied in this research (a result of exactly 50% is rated Largely), are:
1. Not (N) - less than 15 percent of the activities are achieved.
2. Partially (P) - 15 percent or more and less than 50 percent.
3. Largely (L) - 50 percent or more and up to 85 percent.
4. Fully (F) - more than 85 percent.
After the percentage has been calculated, the rating of the process activities is determined as Not, Partially, Largely, or Fully.
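The rating procedure of steps b and c (percentage of a level's activities performed, the N/P/L/F band, and the gate that a higher level is assessed only once the current level is rated Fully) is implemented below as an added illustration. This is the editor's code written for this page, not code from the paper or from ISACA's toolkit. The band edges follow this paper's own usage (exactly 50% counts as Largely, 85% is the upper edge of Largely), the per-process counts are the level-2 counts reported in Section 3, and the two-level input in the main block is a constructed example, not data from the paper. One caveat the method carries, visible in the code: every activity is a yes/no item of equal weight, so 1 of 2 activities scores the same as 4 of 8.

```python
"""Added example: COBIT 2019 process capability rating as applied in this paper.

Implements the proficiency percentage, the N/P/L/F bands, and the gate that
the next capability level is assessed only when the current level is Fully.
Illustrative code written for this page, not the paper's or ISACA's own.
"""
from dataclasses import dataclass
from typing import Optional


def proficiency(done: int, total: int) -> float:
    """Percentage of the level's activities the assessed unit performs.

    Assumption inherent in the method: every activity is a yes/no item of
    equal weight, so 1 of 2 activities (APO11) scores the same as 4 of 8.
    """
    if total <= 0 or not 0 <= done <= total:
        raise ValueError(f"invalid activity counts: done={done}, total={total}")
    return done / total * 100.0


def rate_npfl(pct: float) -> str:
    """Map a percentage onto the Not/Partially/Largely/Fully bands.

    Band edges follow this paper's usage: exactly 50% is rated Largely
    (APO11, BAI06) and 85% is the upper edge of Largely.
    """
    if not 0.0 <= pct <= 100.0:
        raise ValueError(f"percentage out of range: {pct}")
    if pct > 85.0:
        return "F"
    if pct >= 50.0:
        return "L"
    if pct >= 15.0:
        return "P"
    return "N"


@dataclass(frozen=True)
class LevelResult:
    level: int
    done: int
    total: int
    pct: float
    rating: str


def assess(counts_per_level: dict) -> tuple:
    """Assess capability levels in ascending order with the Fully gate.

    counts_per_level maps level -> (done, total). Returns (stopped_at, results):
    stopped_at is the first level not rated Fully (assessment of higher levels
    "cannot be carried out"), or None if every supplied level was rated Fully.
    """
    results = []
    for level in sorted(counts_per_level):
        done, total = counts_per_level[level]
        pct = proficiency(done, total)
        rating = rate_npfl(pct)
        results.append(LevelResult(level, done, total, pct, rating))
        if rating != "F":
            return level, results
    return None, results


# Level-2 activity counts reported in Section 3 of the paper.
PAPER_COUNTS = {
    "APO03": (5, 8), "APO08": (3, 7), "APO09": (4, 6), "APO11": (1, 2),
    "APO12": (0, 6), "APO13": (3, 7), "APO14": (7, 16), "BAI03": (19, 25),
    "BAI06": (4, 8), "DSS04": (10, 19), "DSS05": (19, 26),
}


def assess_paper() -> dict:
    """Return {process: (level-2 percentage, rating, level at which the gate stopped)}."""
    out = {}
    for pid, (done, total) in PAPER_COUNTS.items():
        stopped_at, results = assess({2: (done, total)})
        out[pid] = (results[0].pct, results[0].rating, stopped_at)
    return out


if __name__ == "__main__":
    for pid, (pct, rating, stopped_at) in assess_paper().items():
        print(f"{pid}: level 2 = {pct:6.2f}% ({rating}); assessment stops at level {stopped_at}")
    # Constructed two-level input (not from the paper) showing the gate opening:
    # level 2 is Fully, so level 3 is assessed and rated Largely.
    stopped_at, results = assess({2: (8, 8), 3: (3, 5)})
    print("constructed:", [(r.level, r.rating) for r in results], "stops at", stopped_at)
```

Running the block reproduces the eleven level-2 percentages of Section 3 and shows that every process stops at level 2, which is why no level-3 assessment appears in the results.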
d. Focus Area Maturity Levels
Sometimes a higher-level view than individual process capability ratings is required to express performance; the maturity level serves that purpose. COBIT 2019 defines a maturity level as a measure of performance at the focus area level [3]. In this research, the processes measured are those whose suggested (target) capability level is 3 or 4.
e. Recommendations
Using the COBIT 2019 framework, recommendations can be given to organizations on arranging their IT governance, with the flexibility to create practical governance solutions tailored to their own goals and objectives [7]. The recommendations given in this research are the COBIT 2019 activities of the currently assessed capability level that have not yet been carried out, so that the process can proceed to the next capability level. The recommendations are also useful for further development of information technology governance, because University XYZ can learn the shortcomings of its current information technology governance system.

3. Results and Analysis


This evaluation was carried out on the 11 core model processes from the governance system design that have a priority of more than 50%. It covers the organizational structure, information flows and items, and process components of each core model; each component can be found and assessed on the basis of the COBIT 2019 Governance and Management Objectives [4]. The eleven processes identified by Saputra [5] are listed in Table 1; Figure 2 gives an overview of the current condition of University XYZ against the target condition.

Table 1. Eleven processes identified by Saputra [5]

Reference | Governance/Management Objective | Priority
APO03 | Managed Enterprise Architecture | 70
APO08 | Managed Relationship | 60
APO09 | Managed Service Agreements | 75
APO11 | Managed Quality | 50
APO12 | Managed Risk | 55
APO13 | Managed Security | 115
APO14 | Managed Data | 105
BAI03 | Managed Solutions Identification & Build | 55
BAI06 | Managed IT Changes | 100
DSS04 | Managed Continuity | 70
DSS05 | Managed Security Services | 80

Figure 2. Overview of the current condition of University XYZ with the target condition

3.1 APO03-Managed Enterprise Architecture


We used a questionnaire or survey instrument based on the activities of APO03 Managed Enterprise Architecture at capability level 2. From the questionnaire, we know that 5 out of 8 main activities are already implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{5}{8} \times 100\% = 62.5\% \qquad (1)$$

The APO03 process capability at level 2 is 62.5%, rated Largely, so an assessment of process capability at level 3 cannot be carried out.
The recommendations are formulated from the gap between the current process capability level and the target capability level provided by COBIT 2019. The recommendations for APO03 Managed Enterprise Architecture, in the form of activities that must be carried out, are as follows:
• Assess the enterprise's readiness for change.
• Understand the enterprise's current goals and objectives. Work within the strategic planning process to ensure that I&T-related enterprise architecture opportunities are leveraged in the development of the strategic plan.
• Analyze stakeholder concerns, business capability requirements, scope, constraints, and principles, and create the architecture vision.

3.2 APO08-Managed Relationship


We used a questionnaire or survey instrument based on the activities of APO08 Managed Relationship at capability level 2. From the questionnaire, we know that 3 out of 7 main activities are already implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{3}{7} \times 100\% = 42.85\% \qquad (2)$$

The APO08 process capability at level 2 is 42.85%, rated Partially, so an assessment of process capability at level 3 cannot be carried out.
The recommendations for APO08 Managed Relationship, in the form of activities that must be carried out, are as follows:
• Review the enterprise's current direction, issues, objectives, and alignment with the enterprise architecture.
• Understand the current business environment, process constraints or issues, geographic expansion, and regulatory drivers.
• Coordinate and communicate change and transition activities such as project change plans, schedules, release policies, release known errors, and training awareness.
• Coordinate and communicate operational activities, roles, and responsibilities, including the definition of request types, hierarchical escalation, major outages, and service report content and frequency.
• Take ownership of the response to the business for major events that could affect the relationship with the business. Provide direct support if required.

3.3 APO09-Managed Service Agreements


We used a questionnaire or survey instrument based on the activities of APO09 Managed Service Agreements at capability level 2. From the questionnaire, we know that 4 out of 6 main activities are already implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{4}{6} \times 100\% = 66.67\% \qquad (3)$$

The APO09 process capability at level 2 is 66.67%, rated Largely, so an assessment of process capability at level 3 cannot be carried out.
The recommendations for APO09 Managed Service Agreements, in the form of activities that must be carried out, are as follows:
• Publish in the active service catalogue the relevant live I&T services, service packages, and service level options from the portfolio.
• Compile customer service agreements based on the service packages and service level options in the relevant service catalogue.

3.4 APO11-Managed Quality


We used a questionnaire or survey instrument based on the activities of APO11 Managed Quality at capability level 2. From the questionnaire, we know that 1 out of 2 main activities is already implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{1}{2} \times 100\% = 50\% \qquad (4)$$

The APO11 process capability at level 2 is 50%, rated Largely, so an assessment of process capability at level 3 cannot be carried out.
The recommendation for APO11 Managed Quality, in the form of an activity that must be carried out, is as follows:
• Establish quality management standards, practices, and procedures in line with the requirements and criteria of the I&T control framework and the enterprise's quality management policy.

3.5 APO12-Managed Risk


We used a questionnaire or survey instrument based on the activities of APO12 Managed Risk at capability level 2. From the questionnaire, we know that none of the 6 main activities has been implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{0}{6} \times 100\% = 0\% \qquad (5)$$

The APO12 process capability at level 2 is 0%, rated Not, so an assessment of process capability at level 3 cannot be carried out.
The recommendations for APO12 Managed Risk, in the form of activities that must be carried out, are as follows:
• Establish and maintain a method for collecting, classifying, and analyzing I&T risk-related data.
• Record relevant and significant I&T risk-related data on the enterprise's internal and external operating environment.
• Inventory business processes and document their dependency on I&T service management processes and I&T infrastructure resources.
• Determine and agree on which I&T services and infrastructure resources are critical to sustaining the operation of business processes. Analyze dependencies and identify weak links.
• Aggregate current risk scenarios by category, line of business, and functional area.
• Maintain an inventory of existing control activities that mitigate risk and allow risk to be taken in line with the risk appetite. Classify control activities and map them to specific I&T risk scenarios and aggregations of I&T risk scenarios.

3.6 APO13-Managed Security


We used a questionnaire or survey instrument based on the activities of APO13 Managed Security at capability level 2. From the questionnaire, we know that 3 out of 7 main activities are already implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{3}{7} \times 100\% = 42.85\% \qquad (6)$$

The APO13 process capability at level 2 is 42.85%, rated Partially, so an assessment of process capability at level 3 cannot be carried out.
The recommendations for APO13 Managed Security, in the form of activities that must be carried out, are as follows:
• Define the scope and boundaries of the information security management system (ISMS) in terms of the characteristics of the enterprise, the organization, its location, assets, and technology.
• Define the ISMS in accordance with enterprise policy and the context in which the enterprise operates.
• Define and communicate information security management roles and responsibilities.
• Communicate the ISMS approach.

3.7 APO14-Managed Data


We used a questionnaire or survey instrument based on the activities of APO14 Managed Data at capability level 2. From the questionnaire, we know that 7 out of 16 main activities are already implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{7}{16} \times 100\% = 43.75\% \qquad (7)$$

The APO14 process capability at level 2 is 43.75%, rated Partially, so an assessment of process capability at level 3 cannot be carried out.
The recommendations for APO14 Managed Data, in the form of activities that must be carried out, are as follows:
• Ensure that business terms are available and communicated to the relevant stakeholders.
• Ensure that every business term added to the business glossary has a unique name and a unique definition.
• Use industry-standard terms and definitions in the business glossary, as appropriate.
• Create and follow a metadata management process.
• Ensure that metadata documentation is independent of the data itself.
• Create and follow metadata categories, properties, and standards.
• Ensure that mandated data history management policies are in place, including retention, destruction, and audit trail requirements.
• Use policies and processes to control access to, transmission of, and modification of historical and archived data.
• Define the requirements for every data backup storage, taking into account volume, capacity, and retention period, in line with business requirements.

3.8 BAI03-Managed Solutions Identification & Build


We used a questionnaire or survey instrument based on the activities of BAI03 Managed Solutions Identification & Build at capability level 2. From the questionnaire, we know that 19 out of 25 main activities are already implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{19}{25} \times 100\% = 76\% \qquad (8)$$

The BAI03 process capability at level 2 is 76%, rated Largely, so an assessment of process capability at level 3 cannot be carried out.
The recommendations for BAI03 Managed Solutions Identification & Build, in the form of activities that must be carried out, are as follows:
• After quality assurance approval, submit the final high-level design to the project stakeholders and the sponsor/business process owner for approval based on agreed criteria.
• Design the application processing steps. This includes specification of the transaction types and business processing rules, automated controls, business data definitions, use cases, external interface displays, design constraints, and other requirements.
• Design the system interfaces, including any automated data exchange.
• Track and review design and change requests, performance, and quality. Ensure active participation of all affected stakeholders.
• Document all solution components according to the defined standards. Maintain version control over all developed components and associated documentation.
• Identify, log, and classify every error found during testing. Repeat the tests until all errors have been fixed. Ensure that an audit trail of test results is maintained.

3.9 BAI06-Managed IT Changes


We used a questionnaire or survey instrument based on the activities of BAI06 Managed IT Changes at capability level 2. From the questionnaire, we know that 4 out of 8 main activities are already implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{4}{8} \times 100\% = 50\% \qquad (9)$$

The BAI06 process capability at level 2 is 50%, rated Largely, so an assessment of process capability at level 3 cannot be carried out.
The recommendations for BAI06 Managed IT Changes, in the form of activities that must be carried out so that the process can proceed to capability level 3, are as follows:
• Formally approve each change by business process owners, service managers, and IT technical stakeholders, as appropriate.
• Define what constitutes an emergency change.
• Ensure that a documented procedure exists to declare, assess, pre-approve, authorize after the change, and record an emergency change.
• Include changes to documentation in the change management procedure.

3.10 DSS04-Managed Continuity


We used a questionnaire or survey instrument based on the activities of DSS04 Managed Continuity at capability level 2. From the questionnaire, we know that 10 out of 19 main activities are already implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{10}{19} \times 100\% = 52.63\% \qquad (10)$$

The DSS04 process capability at level 2 is 52.63%, rated Largely, so an assessment of process capability at level 3 cannot be carried out.
The recommendations for DSS04 Managed Continuity, in the form of activities that must be carried out so that the process can proceed to capability level 3, are as follows:
• Establish and document the policy objectives and agreed scope for business resilience.
• Determine the minimum time required to recover business processes and supporting I&T, based on the length of acceptable business interruption and the maximum tolerable outage.
• Determine the conditions and owners of the decisions that will lead to invocation of the continuity plan.
• Define the incident response actions and communications to be taken in the event of a disruption.
• Define the recovery conditions and procedures that will allow business processing to resume.
• Develop and maintain operational BCPs and DRPs containing the procedures to be followed to enable continued operation of critical business processes and/or temporary processing arrangements. Include links to the plans of outsourced service providers.
• Define the objectives for exercising and testing the business, technical, logistical, administrative, procedural, and operational systems of the plan, to verify that the BCP and DRP are appropriate to the business risks being addressed.
• Establish realistic stakeholder exercises to validate the continuity procedures.
• Launch BCP and DRP awareness and training.
• Obtain approval from business executives for the selected strategic options.
• Share continuity plans and supporting documentation securely with authorized interested third parties.
• Schedule exercise and test activities as defined in the continuity plan.
• Regularly review the continuity plans and capabilities against assumptions and current operational objectives and business strategies.
• Regularly review the continuity plans to consider the impact of major changes to the enterprise's organization, business processes, outsourcing arrangements, technology, infrastructure, operating systems, and application systems.
• Consider whether a revised business impact assessment may be required, depending on the nature of the change.
• Recommend changes in policy, plans, procedures, infrastructure, roles, and responsibilities. Communicate them to management and process the approval through the IT change management process.
• Define the plan and training requirements for those who carry out continuity planning, impact assessment, media communication, and incident response.
• Develop competencies through practitioner training, including participation in exercises and tests.

3.11 DSS05-Managed Security Services


We used a questionnaire or survey instrument based on the activities of DSS05 Managed Security Services at capability level 2. From the questionnaire, we know that 19 out of 26 main activities are already implemented at University XYZ.
The calculation of the process capability level at level 2 is as follows:

$$\text{Proficiency level} = \frac{\text{Number of activities that have been done}}{\text{Number of activities}} \times 100\% = \frac{19}{26} \times 100\% = 73.07\% \qquad (11)$$

The DSS05 process capability at level 2 is 73.07%, rated Largely, so an assessment of process capability at level 3 cannot be carried out.
The recommendations for DSS05 Managed Security Services, in the form of activities that must be carried out so that the process can proceed to capability level 3, are as follows:
• Provide physical protection for endpoint devices.
• Dispose of endpoint devices securely.
• Ensure that personnel correctly display approved identification at all times.
• Require visitors to be escorted at all times while on site.
• Define and communicate risk scenarios so that they are easily recognized and their likelihood and impact understood.
• Communicate malicious software awareness and enforce prevention procedures and responsibilities. Conduct periodic training on malware in e-mail and Internet usage.
• Distribute all protection software centrally (versions and patches), using centralized configuration and IT change management.
• Based on risk assessments and business requirements, establish and maintain a policy for the security of connectivity.
• Establish trusted mechanisms to support the secure transmission and receipt of information.
• Manage all changes to access rights (creation, modification, and deletion) in a timely manner, based only on approved and documented transactions authorized by designated management individuals.
• Reduce privileged user accounts to the minimum required and actively manage them. Ensure that all activity on these accounts is monitored.
• Uniquely identify all information processing activities by functional role. Coordinate with the business units to ensure that all roles are consistently defined, including roles defined by the business itself within business process applications.
• Authenticate access to information assets based on individuals' roles or business rules. Coordinate with the business units that manage authentication within applications.
• Ensure that all users and their activities on IT systems are uniquely identifiable.
• Ensure that access profiles remain current. Base access to IT sites (server rooms, buildings, areas, or zones) on job function and responsibilities.
• Conduct regular physical and information security awareness training.
• Establish an inventory of sensitive documents and output devices, and perform regular reconciliations.
• Establish appropriate physical safeguards over sensitive documents.
• Log security-related events and retain the records for the appropriate period.

4. Conclusions
This research at University XYZ produced 11 Governance and Management Objectives with a priority of more than 50%, based on the assessment using the COBIT 2019 Governance System Design Toolkit v1.0, and has formulated recommendations for University XYZ to improve its I&T governance. None of the 11 processes (APO03, APO08, APO09, APO11, APO12, APO13, APO14, BAI03, BAI06, DSS04, and DSS05) yet meets its recommended capability level, since none is rated Fully at capability level 2. University XYZ can now implement the recommendations in order of priority.

5. References
[1] Jairak K and Praneetpolgrang P 2013 Applying IT governance balanced scorecard and importance-performance analysis for providing IT governance strategy in university Information Management & Computer Security 21(4) 228–249
[2] Kemenristekdikti 2017 Tata kelola teknologi informasi di lingkungan kementerian riset, teknologi, dan pendidikan tinggi (Information technology governance within the Ministry of Research, Technology and Higher Education) (Jakarta)
[3] ISACA 2018 COBIT 2019 Framework: Introduction and Methodology (USA: ISACA)
[4] ISACA 2018 COBIT 2019 Governance and Management Objectives (USA: ISACA)
[5] Saputra H M J Penyesuaian sistem tata kelola pada Institut Teknologi Kalimantan dengan menggunakan COBIT 2019 (Adjustment of the governance system at Kalimantan Institute of Technology using COBIT 2019) unpublished
[6] Anjani G S 2014 Evaluasi rekomendasi perbaikan layanan TI Badan Pengatur Hilir Minyak dan Gas Bumi berdasarkan kerangka kerja COBIT 5 dan ITIL V3 (Evaluation of IT service improvement recommendations for the Downstream Oil and Gas Regulatory Agency based on the COBIT 5 and ITIL V3 frameworks) (Universitas Indonesia)
[7] ISACA 2018 COBIT 2019 Framework: Governance and Management Objectives (Schaumburg: ISACA)

Acknowledgements
The authors thank University XYZ, especially the staff of its ICT Department, for giving us the opportunity to carry out this research; the Academic and Student Affairs Department for their collaboration in making this research succeed; and all the teams that have worked hard to solve the problems in the ICT Department.