Professional Documents
Culture Documents
6366 17297 1 PB
6366 17297 1 PB
105/E/KPT/2022
Vol. 6, No. 2, Agustus 2023, hlm. 106-115 p-ISSN: 2614-8897
DOI: 10.33387/jiko.v6i2.6366 e-ISSN: 2656-1948
COBIT 2019 INFORMATION SECURITY FOCUS AREA IMPLEMENTATION
FOR REINSURCO DIGITAL TRANSFORMATION
Ananda Viamianni1, Rahmat Mulyana2, Fitriyana Dewi3
1
Information Systems, School of Industrial Engineering, Telkom University
2
Department of Computer and Systems Sciences, Stockholm University
3
Information Systems, School of Industrial Engineering, Telkom University
Email: *1anandaviamianni@student.telkomuniversity.ac.id, 2rahmat@dsv.su.se,
3
fitriyanadewi@telkomuniversity.ac.id
Abstract
As information technology (IT) advancement evolves in Indonesia's insurance sector, organizations like ReinsurCo
must accelerate their digital transformation (DT) to remain competitively viable. Although DT paves the way for
new business models and operational improvements, the implementation often fails due to poor IT governance.
Under the supervision of the State-Owned Enterprises Agency (SOE) and the Financial Services Authority (FSA),
ReinsurCo must comply with regulations stating that SOEs must independently assess IT maturity to ensure
information security. This research utilizes the five stages of Design Science Research (DSR): problem explication,
requirement specification, design and development, demonstration, and evaluation. Data was collected through
semi-structured interviews and both internal and external document triangulation. The data were then analyzed
using the COBIT 2019 Information Security framework, implementing design factors prioritizing information
technology governance and management (ITGM) objectives: APO13 Managed Security, DSS05 Managed
Security Services, and BAI06 Managed IT Changes. Further analysis and identification were conducted to discover
gaps against the seven component capabilities. These identified gaps were mapped into people, process, and
technology aspects, which led to the creation of essential improvement recommendations. These recommendations
were compiled into an implementation roadmap that can serve as a priority guide for ReinsurCo. This research is
expected to provide a knowledge base for prioritizing information security management in supporting DT by
implementing the COBIT 2019 Information Security framework. In a practical context, it aids ReinsurCo in
controlling its strategic plans to face information security challenges. Furthermore, this study also offers extensive
benefits to the insurance industry.
Keywords: Digital Transformation, IT Governance, Information Security Management, COBIT 2019 Information
Security, ReinsurCo
can also enhance IT capabilities and product or service data, as well as affiliated parties. As a company under
innovation, providing a competitive advantage in the the supervision of the SOE and the Financial Services
industry [5]. Authority (FSA), ReinsurCo needs to comply with
However, implementing DT is complex, as various regulations that have been given. One of
failures often occur due to poor Information ReinsurCo's efforts in implementing effective ITG is
Technology Governance (ITG) [6]. Studies have conducting its governance research. ReinsurCo's 2021
shown that organizations frequently fail to provide annual report shows that its ITG has matured.
structure and governance for DT projects due to a lack However, ReinsurCo still runs ITG processes
of alignment between business processes and traditionally, and traditional ITG practices are not
ownership [6]. Therefore, organizations must establish necessarily effective in guiding DT [11]. The study
effectiveness and alignment between IT and business found that new ITG mechanisms at ReinsurCo only
by preparing mature ITG mechanisms [7]. accounted for 9%, while old ITG mechanisms were
ITG is an integral part of corporate governance found to be as much as 91% [12]. Therefore, there is
that discusses definitions and implementation of room for improvement, especially in facing DT
processes, structures, and relational mechanisms to challenges. This is also driven by Ministerial
support business/IT alignment and create business Regulation Number 21 of 2020 regarding measuring
value from business investments into IT [8]. ITG organizational readiness levels in the transformation
controls the formulation and implementation of IT towards the Indonesia Industry 4.0 Readiness Index
strategies and ensures an alignment between business (INDI 4.0). In assisting organizations in achieving
and IT conducted by the board, executive INDI 4.0, the COBIT 2019 framework can control and
management, and IT management [9]. However, there maximize the value of information and technology to
are differences between IT management and ITG [8]. help organizations optimize their risks, realize
IT management is focused on providing effective IT potential benefits, and optimize resources [13]. In
services and products and managing IT operations [8] addition, to effectively implement ITG in an
by ensuring that governance mechanisms have been organization, it is necessary to build an ITG
implemented and governance guidelines have been framework structure with international standards such
correctly followed by the company [10]. On the other as COBIT, ITIL, ISO, and others that can help achieve
hand, ITG plays a crucial role in determining and effective ITG [14]. COBIT 2019, in particular, is a
distributing necessary mechanisms to ensure the significant driver of IT management in companies to
organization achieves its IT suitability objectives for be more responsive, flexible, and support innovation
the present and future [10]. Despite this, ITG and IT [15]. Therefore, the preparation of information
management are interconnected and cannot operate security management is needed to improve
separately. If a company wishes to grow and succeed, ReinsurCo's IT readiness in facing DT.
it not only needs to manage IT resources but also needs This research uses the COBIT 2019 Information
to implement them comprehensively within the Security framework and aims to answer the following
company as part of the corporate governance structure questions: What are the goals of information security
[10]. In addition, organizations need to develop IT ITGM needed by ReinsurCo? How to compile
capabilities that align with digital strategic priorities optimization recommendations for ITGM goals based
involving four elements: technology, governance, on gap analysis of the seven components current
processes, and talent [5]. capability and targets? Moreover, how to design
ReinsurCo is a public service that operates in the essential optimizations on ITGM goals based on the
reinsurance sector under the supervision of State- results of the recommendation compilation? By
Owned Enterprises (SOE). The SOE Ministry aligning technology planning and organizational
provides guidelines through the Minister of State- strategy, ReinsurCo can improve its performance and
Owned Enterprises Regulation (SOE) PER- meet growing needs in the insurance industry.
2/MBU/03/2023 that guide good ITG standards in
SOE operations, including the principle of information
security. In addition, this regulation outlines the 2. RESEARCH METHODOLOGY
implementation of Good Corporate Governance This study applies the design science research
(GCG) in SOE companies, which includes (DSR) framework in developing information security
transparency, accountability, social responsibility, and management for ReinsurCo's transformation. The
good business ethics. This regulation aims to enhance conceptual model can be seen in Figure 1.
the performance and transparency of SOE companies
and encourage efficient and effective management to
provide more significant benefits to the public and the
state. On the other hand, regulation of the Financial
Services Authority (FSA) Number 4/POJK.5/20221
added that insurance companies must ensure the
security of all Non-Bank Financial Services Institution
information, including consumer secrets and personal
Viamianni, A, dkk, Cobit 2019 Information Security … 108
framework, which includes core categories, namely maturity independently and set a target score of 3 using
APO13 and DSS05, and relevant categories, which are the COBIT framework [23]. Consequently, the gap
considered to be related to the ITGM goals with the findings for the ITGM objective DSS05 amounted to
core categories, even if they do not have a direct 2 gaps; for the ITGM objective BAI06, there was one
relationship with the focus area [20]. In addition, ITG gap.
process mechanisms affect DT [21], [22]. The results
of the ITGM goals prioritization can be seen in Table 3. 3 Results of the Organizational Structure
1. Component Assessment and Gap Analysis
The results of the organizational structure
Table 1 Analysis Results of ITGM Goal Priorities component assessment for the priority ITGM
Design objectives can be seen in Table 3.
ITGM Focus Area Mechanism Final
Factor
Goals Assessment Assessment Score
Assessment
APO13 Table 3 Assessment Results of Organizational Structure
80 2 5 800
Component Capabilities
DSS05 75 2 5 750
BAI06 95 1 4 380 COBIT Organizational ITGM
Current Condition
Structure Objectives
Chief Information APO13, IT Director
3. 2 Results of the Process Component Assessment Officer DSS05,
and Gap Analysis BAI06
The results of the process component assessment Chief Technology
APO13
Officer
for the priority ITGM objectives can be seen in Table Chief Information APO13
2. Security Officer DSS05
Enterprise Risk Risk Monitoring
APO13
Table 2 Assessment Results of Process Component Capabilities Committee Committee
Management Capability Business Process APO13, Head of IT
ITGM Achievement Owners DSS05, Division
Practices Level
APO13 APO13.01 100 % Fully 2 BAI06
Managed APO13.02 100 % Fully 3 Project Management IT Planning & QA
APO13
Security 100 % Fully 4 Office Officer
APO13.03 100 % Fully 4 Program Manager BAI06 Not available
100 % Fully 5 Project Manager BAI06 Not available
Total Capability Level Achieved 18 Head Architect APO13 Not available
Capability Score 3,3 Head Human Head of Human
DSS05 DSS05.01 100 % Fully 2 Resources Resources and
DSS05
Managed 100 % Fully 3 General Affairs
Security DSS05.02 100 % Fully 2 Division
Services 100 % Fully 3 Head Development Head of IT
APO13,
100 % Fully 4 Application &
DSS05,
DSS05.03 89 % Fully 2 Development
BAI06
100 % Fully 3 Department
DSS05.04 100 % Fully 2 Head IT Operations Head of IT
APO13,
83 % Largely 3 Infrastructure &
DSS05,
0 % None 4 Operation
BAI06
DSS05.05 100 % Fully 2 Department
100 % Fully 3 Head IT Head of Planning
DSS05.06 100 % Fully 2 Administration APO13 & QA Officer
100 % Fully 3 Department
DSS05.07 75 % Largely 2 Services Manager APO13 Infrastructure &
100 % Fully 3 BAI06 Operational
Total Capability Level Achieved 32 Information Security APO13, Officer
Capability Score 2 Manager DSS05,
BAI06
BAI06 BAI06.01 100 % Fully 2
Business Continuity Contingency
Managed 100 % Fully 3 BAI06
Manager Management
IT Changes BAI06.02 100 % Fully 2
Privacy Officer Legal &
33 % Partially 3 DSS05
Compliance
100 % Fully 4 BAI06
Division
BAI06.03 100 % Fully 4
BAI06.04 100 % Fully 2
100 % Fully 3 Based on the assessment of the capability of the
Total Capability Level Achieved 16 organizational structure component, it was found that
Capability Score 1,9
ReinsurCo still needs to map the roles of Program
Manager, Project Manager, and Head Architect,
The gap assessment on the process components indicating three gaps.
refers to the strategic planning of ReinsurCo, as stated
in the annual report. This report established a
3. 4 Results of the Information Components
minimum maturity value target of score 3, utilizing the
Assessment and Gap Analysis
COBIT 2019 framework. This aligns with the pre-
existing regulations of the Ministry of State-Owned
Enterprises, which guide such enterprises to assess IT
Viamianni, A, dkk, Cobit 2019 Information Security … 110
ITGM Skills Current Condition ITGM Key Cultural Elements Current Conditions
BAI06 Changes Application of ITG training, through the board of
Managed Management COBIT 2019 certification, directors' appeal to all
IT Changes and a helpdesk that handles employees.
SDP application and change DSS05 Creating a user- A comprehensive IT
management. Managed awareness culture in governance and security
Changes ITG training, competence Security maintaining security process initiative is
Support dictionary and training plan, Services and privacy practices implemented using
COBIT 2019 certification, maturity measurements
and a helpdesk that manages and ISO20000 and
the SDP application and ISO27001 standards.
change management. BAI06 Leaders should There is socialization
Managed promote a culture of and implementation of
One gap was found based on the assessment IT continuous initiatives related to
Changes improvement in IT understanding
results of people, skills, and competencies solutions and services, comprehensive IT
components. ReinsurCo has not conducted further considering the impact governance and
exploration related to the information security of technological processes.
framework to enhance information security. changes on the
company, managing
risks and costs, and
3. 6 Results of the Policy and Procedures evaluating benefits
Components Assessment and GAP Analysis and suitability with IT
strategies and
The results of the policy and procedure
company objectives
components assessment for priority ITGM objectives
can be seen in Table 6.
No gaps were found based on assessing the
Table 6 Analysis Results of Policy and Procedure Component culture, ethics, and behavior components. ReinsurCo
Assessment has implemented cultures according to the COBIT
ITGM Policy Current Condition 2019 reference.
APO13 Information ISMS Scope Statement,
Managed Security and ISMS Policy, and ISO
Security Privacy Policy 27001 3. 8 Results of the Service, Infrastructure, and
DSS05 Information Don’t have a policy for Application Components Assessment and GAP
Managed Security Policy secure disposal device to Analysis
Security protect information The results of assessing the service, infrastructure, and
Services
BAI06 IT Change Formal Standard Policy
application components for the priority objectives of ITGM
Managed Management and Helpdesk Policy can be seen in Table 8.
IT Changes Policy
Table 8 Assessment Results of Services, Infrastructure, and
Applications Components
Based on the policy and procedure components Service,
assessment, a single gap was identified: ReinsurCo still ITGM Infrastructure, and Current Condition
needs a policy for securely disposing of devices to protect Application
the information stored on those devices. APO13 Configuration BitLocker Windows
Managed Management Tools System, Firewall,
Security Privileged User, and
3. 7 Results of the Culture, Ethics, and Behavior Fortinet.
Component Assessment and GAP Analysis Security and Cybersecurity Summit
The results of the culture, ethics, and behavior Privacy Awareness 2021 Training, ISO
Services 27001, FireEye, and
components assessment for the priority ITGM Traffic Filtering
objectives can be seen in Table 7. Firewall.
Third-party ISO 27001 Assessment.
Table 7 Assessment Results of Culture, Ethics, and Behavior Security
Components Assessment
ITGM Key Cultural Elements Current Conditions Services
APO13 Cultivating a culture A comprehensive IT DSS05 Directory Services Single Sign-On (SSO).
Managed of security and privacy governance and security Managed Email Filtering Fortinet.
Security awareness to process initiative is Security Systems
encourage desired implemented using Services Identity and Access Data Management and
behavior and the maturity measurements Management IT Security Guidelines.
implementation of and ISO20000 and System
security and privacy ISO27001 standards. Security Awareness Dissemination of
policies in daily The board has approved Services Information Security
practice guidelines and Posters and Articles.
management for data Security Fortinet.
and IT security of Information and
directors, and the Event Management
application of the (SIEM) Tools
Information Security Security Operations Not Available
Management System Center (SOC)
(ISMS) is socialized Services
Viamianni, A, dkk, Cobit 2019 Information Security … 112
The implementation roadmap is designed to guide Management Capability Score Capability Score After
the execution of the designed recommendations. Practices Before Improvement Improvement
responsibilities in the
Based on the RRV analysis results, the Information
recommendations with the highest scores can be Technology
implemented first. The implementation design in Application
Table 13 can be initiated from Q4 (October – Development
Department
December) 2023 up to Q3 (July-September) 2024. Implementation of
Table 13 Implementation Roadmap No Head Architect Head Architect
2023 2024 responsibilities responsibilities in the
Recommendations IT Division Head
Q4 Q1 Q2 Q3
Information Component
People Aspect
BAI06 No post- Post-Implementation
Conducting training and implementation Emergency Change
certification for information security assessment Security Report
security framework
document for Document
Executing the responsibility of emergency changes
Project Manager in the IT
People, Skill, and Competencies Component
Application Development
APO13 No deeper Application of other
Department
exploration regarding information security
Executing the responsibility of
other information standards and
Program Manager in the IT
security standards frameworks, such as
Planning & Quality Assurance
and frameworks NIST SP 800-53
Department
training, CISSP,
Executing the responsibility of
CISM, CIS Critical
Head Architect in the IT Division
Security Controls
Process Aspect
Policy and Procedure Component
Implementing post-implementation
No policy for regular A policy for regular
emergency change information
access rights access rights review is
security document
monitoring in place
Implementing periodic access rights
DSS05 and No policy for regular A policy for regular
management policy
BAI06 event log monitoring event log review is in
Implementing a policy of periodic
place
incident log review
No policy for the A policy for Disposal
Implementing an SOP for
Disposal Device Devices is in place
emergency changes and information
security maintenance Services, Infrastructure, and Application Component
Implementing SOP and policy for DSS05 No SOC services SOC services such as
device disposal Splunk are available
Technology Aspect BAI06 No software or Software or
application testing application testing
Implementing Synk as a software
tools tools such as OWASP
and application testing tool
ZAP are available
Implementing Splunk as a SOC
service
5. CONCLUSIONS
4. 5 Impact of the Design In the process of developing an information
From the research conducted, the influence of the security management system for the transformation of
design on the proposed recommendations was found ReinsurCo using COBIT 2019 Information Security,
for each of the seven component capabilities presented three priority goals for information security (ITGM)
in Table 14. The estimation of the design impact can were identified: APO13 Managed Security, DSS05
be used to determine the level of change that occurred Managed Security Services, and BAI06 Managed IT
when ReinsurCo implemented the recommendations Changes. An analysis of the seven components of
designed in this study. capability and gap assessment was carried out on these
Table 14 Impact of Design Before and After Improvement three ITGM goals to derive optimization
Management Capability Score Capability Score After recommendations which were then mapped into the
Practices Before Improvement Improvement aspects of people, process, and technology. In terms of
Process Component
the people aspect, the recommendations include
APO13 3.3 3.3
DSS05 2 2.6 additions to the job descriptions for positions such as
BAI06 1.9 3 the Head Architect, Project Manager, and Program
Organizational Structure Component Manager to align with the current conditions at
APO13 No Program Manager Implementation of ReinsurCo, and the enhancement of individual
responsibilities Program Manager
responsibilities in the
capabilities through training aimed at expanding
Information knowledge about information security standards and
Technology frameworks. Regarding the process aspect,
Application recommendations include implementing standard
Development
Department
operating procedures (SOP) to ensure more effective
No Project Manager Implementation of and efficient operations at ReinsurCo, adding policy
DSS05
responsibilities Project Manager documents, and documentation of information to
Viamianni, A, dkk, Cobit 2019 Information Security … 115
facilitate administrative processes. Meanwhile, for the Transformasi Digital dan Kinerja Asuransi C,” Explore:
technology aspect, the recommendations involve the Jurnal Sistem Informasi dan Telematika, vol. 13, no. 2, p.
documentation of proposed tools that assist the 95, Dec. 2022, doi: 10.36448/jsit.v13i2.2712.
company in detecting, analyzing, and responding to [12] F. A. Pahrevi, R. Mulyana, L. Ramadani, and J. S.
Informasi, “Analisis Pengaruh Tata Kelola TI terhadap
security threats in real time, as well as software and Transformasi Digital dan Kinerja Asuransi C,” Jurnal
application testing tools to minimize potential risks. Sistem Informasi dan Telematika (Telekomunikasi,
This optimization design for ITGM goals has produced Multimedia dan Informatika), vol. 13, 2022.
an implementation roadmap and, as a result of the [13] S. F. Bayastura, S. Krisdina, and A. P. Widodo, “Analisis
proposed recommendations, an increase in the Dan Perancangan Tata Kelola Teknologi Informasi
maturity level of ITGM capabilities of APO13 Menggunakan Framework COBIT 2019 Pada PT.XYZ,”
Managed Security, DSS05 Managed Security JIKO (Jurnal Informatika dan Komputer), vol. 4, 2021,
Services, and BAI06 Managed IT Changes by 0.6 or doi: 10.33387/jiko.
25% from the previous capability level of ReinsurCo. [14] P. M. Dewi, R. Fauzi, and R. Mulyana, “Perancangan Tata
Kelola Teknologi Informasi Untuk Transformasi Digital
This study is expected to serve as a reference for Di Industri Perbankan Menggunakan Framework COBIT
practitioners in designing a company's strategic plan 2019 Dengan Domain Build, Acquire and Implement:
by applying the COBIT 2019 Information Security Studi Kasus Bank XYZ,” e-Proceeding of Engineering,
framework for information security management vol. 8, no. 5, p. 9672, 2021.
system design. Additionally, the results of this study [15] ISACA, COBIT 2019 Framework: Introduction and
are intended to provide ReinsurCo with a reference for Methodology. USA, 2018.
reviewing and evaluating company conditions. By [16] A. R. Hevner, S. T. March, J. Park, and S. Ram, “Design
considering the essential recommendation results, the Science in Information Systems Research,” 2004.
company can prepare strategies to face the challenges [Online]. Available:
https://www.jstor.org/stable/25148625
and changes in the digital era. [17] A. Hevner and S. Chatterjee, Design Research in
Information Systems, vol. 22. in Integrated Series in
6. REFERENCES Information Systems, vol. 22. Boston, MA: Springer US,
[1] K. S. R. Warner and M. Wäger, “Building dynamic 2010. doi: 10.1007/978-1-4419-5653-8.
capabilities for digital transformation: An ongoing process [18] A. K. Shenton, “Strategies for ensuring trustworthiness in
of strategic renewal,” Long Range Plann, vol. 52, no. 3, pp. qualitative research projects,” Education for Information,
326–349, Jun. 2019, doi: 10.1016/j.lrp.2018.12.001. vol. 22, no. 2, pp. 63–75, 2004, doi: 10.3233/EFI-2004-
[2] C. Gong and V. Ribiere, “Developing a unified definition 22201.
of digital transformation,” Technovation, vol. 102, Apr. [19] ISACA, Designing and Information and Technology
2021, doi: 10.1016/j.technovation.2020.102217. Governance Solution. 2018.
[3] V. Gurbaxani and D. Dunkle, “Gearing up for successful [20] ISACA, COBIT Focus Area: Information Security. 2020.
digital transformation,” MIS Quarterly Executive, vol. 18, [Online]. Available: www.isaca.org
no. 3, pp. 209–220, 2019, doi: 10.17705/2msqe.00017. [21] R. Mulyana, L. Rusu, and E. Perjons, “How Hybrid IT
[4] J. Jewer and N. Van Der Meulen, “Governance of Digital Governance Mechanisms Influence Digital
Transformation: A Review of the Literature,” 2022, Transformation and Organizational Performance in the
[Online]. Available: https://hdl.handle.net/10125/80144 Banking and Insurance Industry of Indonesia,” in
[5] R. Mulyana, L. Rusu, and E. Perjons, “IT Governance Information Systems Development (ISD) Conference,
Mechanisms Influence on Digital Transformation: A Lisbon: Association for Information Systems (AIS), 2023.
Systematic Literature Review,” in Proc. 27th Annu. Am. [22] R. Mulyana, L. Rusu, and E. Perjons, “IT Governance
Conf. Inf. Syst, Twenty-Seventh Americas’ Conference on Mechanisms that Influence Digital Transformation: A
Information Systems (AMCIS), 2021, pp. 1–10. [Online]. Delphi Study in Indonesian Banking and Insurance
Available: https://aisel.aisnet.org/amcis2021 Industry,” Pacific Asia Conference on Information Systems
[6] N. Obwegeser, T. Yokoi, M. Wade, and T. Voskes, “7 Key (PACIS), no. AI-IS-ASIA, pp. 1–16, Jun. 2022.
Principles to Govern Digital Initiatives,” 2020. [Online]. [23] Kementerian Badan Usaha Milik Negara, Peraturan
Available: https://mitsmr.com/2UWvNEs Menteri Badan Usaha Milik Negara tentang Panduan
[7] S. Vejseli and A. Rossmann, “The Impact of IT Penyusunan Pengelolaan Teknologi Informasi Badan
Governance on Firm Performance A Literature Review,” Usaha Milik Negara. Indonesia: jdih.bumn.go.id : 4 hlm.,
in AIS Electronic Library (AISeL), Langkawi, 2017. 2013.
[8] S. De Haes, L. Caluwe, T. Huygh, and A. Joshi, Governing [24] A. K. Kavanagh, T. Bussa, and G. Sadowski, “Magic
Digital Transformation. Springer, 2020. doi: Quadrant for Security Information and Event
https://doi.org/10.1007/978-3-030-30267-2. Management,” Feb. 2020. [Online]. Available:
[9] S. De Haes and W. Van Grembergen, “IT Governance and https://www.gartner.com/doc/reprints?id=1-
Its Mechanisms,” Information systems control journal, no. 1YEDHXVD&ct=200219&st=sb
1, pp. 27–33, 2004. [25] M. Horvath, D. Gardner, Bhat Manjunath, R. Chugh, and
[10] R. Pereira and M. M. Da Silva, “Towards an integrated IT A. Zhao, “Magic Quadrant for Application Security
governance and IT management framework,” in Testing,” May 2023.
Proceedings of the 2012 IEEE 16th International
Enterprise Distributed Object Computing Conference,
EDOC 2012, 2012, pp. 191–200. doi:
10.1109/EDOC.2012.30.
[11] N. Robbiyani, R. Mulyana, and L. Abdurrahman,
“Pengujian Model Pengaruh Tata Kelola TI Terhadap