Department of Electrical Engineering and Information Technology, Faculty of Engineering, Universitas Gadjah Mada, Jl. Grafika No. 2, Yogyakarta, Indonesia, 55281
a) Corresponding author: Amiruliqbal.mti13@mail.ugm.ac.id
b) widyawan@ugm.ac.id
c) wmustika@ugm.ac.id
Abstract. A Business Continuity Plan (BCP) is a plan whose function is to maintain the continuity of business activities during and after an interruption or disaster. A BCP can be an indicator of how well prepared an organization is to maintain its business activities, so that those activities can continue to function even when affected by a disruption or disaster. Several international standards regulate and provide guidance on establishing a BCP. In practice, especially for non-profit organizations such as educational institutions, the diversity of approaches to forming a BCP makes it difficult to compare one organization's readiness for a disruption or disaster against another's. COBIT 5 is an IT governance standard that can be used in particular for managing the performance of information technology in a business activity. COBIT 5 provides direction and guidance on quality systems, planning, management, security, development and management of IT services. This paper aims to map and analyze an IT governance standard, COBIT 5 Domain DSS, as a framework for business continuity planning (BCP), in order to make the formation of a BCP uniform and to facilitate the measurement of an organization's readiness for a disruption or disaster.
INTRODUCTION
The rapid development of Information Technology has made IT a very significant component supporting organizations in conducting their business activities [1]. Computer systems are used widely across a range of business activities, including planning, controlling, organizing, and decision making [2]. To a certain extent, it is very difficult to find an organization that can run its business activities without the help of a computer system.
On the one hand, integration of business activities into a computer system is conducted with the purpose of accelerating the processing and manipulation of data into meaningful information [3]. On the other hand, as computer technology develops, the threats to it, in the form of disturbance or even disaster, can bring a new type of catastrophe to the organization [4]. There have been several occurrences of organizations failing when threats became disruptions to the business activities they conduct. The damage can range from loss of service provision up to system failure.
A computer system, particularly one whose function is to provide a service to a person or a group of persons, needs to guarantee that its service is always available. One possible way to do so is by creating a Business Continuity Plan (BCP).
A business continuity plan is created and developed in order to minimize or even avoid interruption to business activities that are integrated into the computer system, so that the damage potential caused by a disaster or disturbance can be minimized, thereby reducing the cost that the organization has to spend [5]. Such planning requires the involvement of various working units or divisions within an organization and requires full support from all related business units.
The 2016 Conference on Fundamental and Applied Science for Advanced Technology (ConFAST 2016)
AIP Conf. Proc. 1746, 020045-1–020045-6; doi: 10.1063/1.4953970
Published by AIP Publishing. 978-0-7354-1403-7/$30.00
A business continuity plan is not limited to profit-oriented organizations. Non-profit organizations, such as educational institutions, also need this type of planning, because a business continuity plan can help organizations keep their systems and services available at all times.
There are several main factors that need to be considered in developing a business continuity plan. These factors have to be considered because they guide the organization in minimizing the effects of disturbances or threats related to its business and in providing an easier way to return business activities to normal. In practice, however, there are a great many different methods of business continuity planning. Several organizations formulate their planning according to their own conditions and requirements. Such a policy causes difficulties for other companies that are just starting to formulate their business continuity planning, since they are trying to refer to the best role model in creating it.
In this research, a formulation for developing a business continuity plan using COBIT 5 is proposed. It also considers the main factors that are necessary in a business continuity plan. Such a formulation is expected to provide a variation in planning, to assist organizations in creating business continuity planning more easily, and to help organizations in conducting benchmarking with respect to other organizations.
The organization of this paper is as follows. A brief explanation of the research is provided in Chapter I. Chapter II describes previous research using COBIT 5 and the main factors that have to be considered in creating business continuity planning. The core of the research is discussed in Chapter III, which covers the mapping of COBIT 5 to the main factors in business continuity planning. Chapter IV summarizes the research by discussing the conclusions.
RESEARCH QUESTION
The research will try to address the following issues in the aforementioned study areas:
1. How can COBIT 5 be implemented in a BCP?
2. Does COBIT 5 have a guideline or toolkit for formulating a BCP?
3. Which COBIT 5 processes and related practices can be implemented as a BCP?
LITERATURE REVIEW
COBIT 5
Control Objectives for Information and related Technology (COBIT) is a collection of best practice documentation for IT governance that can help auditors, management and users in bridging the gap between business risks, control requirements and other technical problems. COBIT 5 is general purpose, and therefore can be implemented by companies of any size, whether in commercial industry, non-profit organizations, or the government/public sector. There are two areas in COBIT 5, namely governance and management. Those two areas consist of 5 domains and 37 processes [9].
COBIT 5 is based on 5 key principles for the IT governance and management of an organization. Those 5 principles allow the organization to establish an effective governance and management framework, which in turn can optimize investment and IT usage.
There are several processes in COBIT 5, among which one process from the Deliver, Service and Support (DSS) Domain is selected for this research, namely the DSS04 process. The DSS Domain is chosen since it focuses on information technology delivery, the processes and support systems that allow the implementation of effective and efficient IT. Moreover, the DSS Domain focuses on the improvement of IT service to the customers demanding the service.
DSS04 is the process in the DSS Domain that aims to continue critical business activities and to maintain information availability at the level accepted according to the standard of the organization or company. DSS04 contains guidance for making sure that the organization's IT service is always available. This process is selected for BCP mapping because its process description and process purpose statement reflect points that are in accordance with the main factors of a BCP [10].
RESEARCH METHODS
The method used in this research was mapping between COBIT 5 DSS04 and the main components of a Business Continuity Plan. The research method included the stages of analyzing potential and problems, determining the important process, and mapping the BCP main factors to COBIT 5 DSS04.
The analysis of potential and problems was conducted through a literature study on BCP. The result of the analysis was then used to choose the framework and determine the main components of a BCP. COBIT 5 was selected because it is an IT framework that has control objectives, management guidelines and a maturity model [9]. COBIT 5 has a toolkit for implementation and is relatively easy to implement because there are many supporting documents and best practices on implementation [9]. Next is the mapping of the BCP main factors to COBIT 5 DSS04, which is described in detail in the next chapter.
The implementation of best practice frameworks in the business activities of an organization is a very complex process, and thus it requires the full support of all elements related to the organization. In order to make the utilization of best practice effective, an approach based on the business requirements of the organization is considered the best one. That approach causes each party to follow the same goal and priority.
5. Define and document the resources required to support the continuity and recovery procedures, considering people, facilities and IT infrastructure.
6. Define and document the information backup requirements required to support the plans, including plans and paper documents as well as data files, and consider the need for security and off-site storage.
7. Determine required skills for individuals involved in executing the plan and procedures.
8. Distribute the plans and supporting documentation securely to appropriately authorized interested parties and make sure they are accessible under all disaster scenarios.

BCP main factor: Risk Management

DSS04.4 Exercise, test and review the BCP
1. Define objectives for exercising and testing the business, technical, logistical, administrative, procedural and operational systems of the plan to verify completeness of the BCP in meeting business risk.
2. Define and agree with stakeholders on exercises that are realistic, validate continuity procedures, and include roles and responsibilities and data retention arrangements that cause minimum disruption to business processes.
3. Assign roles and responsibilities for performing continuity plan exercises and tests.
4. Schedule exercises and test activities as defined in the continuity plan.
5. Conduct a post-exercise debriefing and analysis to consider the achievement.
6. Develop recommendations for improving the current continuity plan based on the results of the review.

DSS04.5 Review, maintain and improve the continuity plan
1. Review the continuity plan and capability on a regular basis against any assumptions made and current business operational and strategic objectives.
2. Consider whether a revised business impact assessment may be required, depending on the nature of the change.
3. Recommend and communicate changes in policy, plans, procedures, infrastructure, and roles and responsibilities for management approval and processing via the change management process.
4. Review the continuity plan on a regular basis to consider the impact of new or major changes to: enterprise organization, business processes, outsourcing arrangements, technologies, infrastructure, operating systems and application systems.

DSS04.6 Conduct continuity plan training
1. Define and maintain training requirements and plans for those performing continuity planning, impact assessments, risk assessments, media communication and incident response. Ensure that the training plans consider frequency of training and training delivery mechanisms.
2. Develop competencies based on practical training including participation in exercises and tests.
3. Monitor skills and competencies based on the exercise and test results.

BCP main factor: Disaster Recovery and Restoration

DSS04.7 Manage backup arrangements
1. Back up systems, applications, data and documentation according to a defined schedule.
2. Ensure that systems, applications, data and documentation maintained or processed by third parties are adequately backed up or otherwise secured. Consider requiring the return of backups from third parties. Consider escrow or deposit arrangements.
3. Define requirements for on-site and off-site storage of backup data that meet the business requirements. Consider the accessibility requirements for backup data.
4. Roll out BCP awareness and training.
5. Periodically test and refresh archived and backup data.

DSS04.8 Conduct post-resumption review
1. Assess adherence to the documented BCP.
2. Determine the effectiveness of the plan, continuity capabilities, roles and responsibilities, skills and competencies, resilience to the incident, technical infrastructure, and organizational structures and relationships.
3. Identify weaknesses or omissions in the plan and capabilities and make recommendations for improvement.
4. Obtain management approval for any changes to the plan and apply them via the enterprise change control process.
CONCLUSION
This paper focuses on the utilization of a standardized information technology management system that is adopted widely all over the world. COBIT, as a standard reference for business continuity planning, provides guidance on managing service aspects and on controlling activities related to business continuity via the DSS Domain process DSS04. From the result of the mapping, COBIT 5 can be implemented in a BCP. COBIT 5 has control objectives that are in accordance with the main factors of a BCP. With the guide and toolkit provided by COBIT 5, it can be used as a guide in formulating a BCP.
A Business Continuity Plan aims to support business activities by making sure that IT services can work optimally and can be restored, with minimal time and cost, after a disturbance or disaster. In addition, a Business Continuity Plan needs full support from all elements of the organization, including the owner, chief executive, managers and divisions within that organization.
In general, the utilization of IT has great potential to support organizations in achieving their business goals. Information technology can provide significant benefits to the organization, in terms of competitive advantage and increased productivity. By managing and implementing a good performance standard for the technology, an organization can manage and monitor its information technology more effectively. This is certainly beneficial to the organization, since it can benchmark more accurately in order to maintain or improve the availability of its information technology services.
REFERENCES
[1] R. von Solms, Information Management & Computer Security 7, 50 (1999).
[2] S. de Haes and W. Van Grembergen, in Proceedings of the 41st Annual Hawaii International Conference on System Sciences (2008), pp. 428–428.
[3] IT Governance Institute, Enterprise Value: Governance of IT Investments - Getting Started With Value Management (ISACA, 2008).
[4] S. Halliday, K. Badenhorst and R. von Solms, Information Management & Computer Security 4, 19 (1996).
[5] International Organization for Standardization, ISO 22301:2012(E): Societal Security -- Business Continuity Management Systems -- Requirements (ISO, Geneva, 2012).
[6] S. Prakash, S. Mody, A. Wahab, S. Swaminathan and R. Paramount, in Cloud Computing Technologies, Applications and Management (ICCCTAM), 2012 International Conference on (IEEE, 2012), pp. 139–144.
[7] R.L. Krutz and R.D. Vines, The CISSP Prep Guide, Gold Edition (Wiley Publishing, Indianapolis, 2003).
[8] M. Dey, in 2011 IEEE GCC Conference and Exhibition (GCC) (2011), pp. 229–232.
[9] Information Systems Audit and Control Association, editor, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (ISACA, Rolling Meadows, Illinois, 2012).
[10] ISACA, COBIT 5: Enabling Processes (ISACA, 2011).
[11] ISACA, COBIT Process Assessment Model (PAM): Using COBIT 5 (ISACA, 2011).