The document discusses the COBIT 5 framework for IT governance and management, emphasizing five key principles including stakeholder needs and governance separation. It outlines the framework's structure, focusing on planning, implementation, delivery, and monitoring processes in relation to cybersecurity governance and audit practices. Additionally, it addresses risk management, continuous improvement, and the importance of maintaining IT system status and stakeholder engagement.

1. Part II Cyber Security Governance, Audit, and
the COBIT 5 Framework
Rd. R. AgungT.
EL5216 ~ Manajemen Resiko Keamanan Informasi

2. The COBIT Framework
▪ Dibuat oleh ISACA pada tahun 1996 kemudian pada tahun 2012
ISACA mengeluarkan COBIT 5
– Evaluate, Direct, and Monitor;
– Align, Plan, and Organize;
– Build, Acquire, and Implement;
– Deliver, Service, and Support; dan
– Monitor, Evaluate, andAssess.
31 Maret 2018

3. Capacity Maturity Model Integration
(CMMI)
31 Maret 2018
Securing an IT Organization throughGovernance, Risk Management, and Audit by Ken Sigler • Dr. James L. Rainey, III . Page: 244

4. Framework Principles
▪ Didalam COBIT 5 Framework, terdapat 5 prinsip utama untuk
governance and management of IT, antara lain:
– Principles 1 (P1) : Meeting stakeholders needs
– Principles 2 (P2) : Covering the enterprise end-to-end
– Principles 3 (P3) : Applying a single integrated framework
– Principles 4 (P4) : Enabling a holistic approach
– Principles 5 (P5) : Separating governance from management
31 Maret 2018
https://www.alctraining.com.au/blog/the-5-key-principles-of-cobit-5/

5. COBIT 5 Principles
31 Maret 2018
https://www.orbussoftware.com/resources/videos/cobit-distilled/the-principles-of-cobit-5/

6. Principles 1
31 Maret 2018
https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-principle-1-meeting-stakeholder-needs/

7. Principles 2
31 Maret 2018
https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-principle-2-covering-the-enterprise-end-to-end/

8. Principles 3
31 Maret 2018
https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-5-principle-3-applying-single-integrated-framework/

9. Principles 4
31 Maret 2018
https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-5-principle-4-enabling-a-holistic-approach/

10. Principles 5
31 Maret 2018
https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-5-principle-5-separating-governance-from-management/

11. Different Governance and Management
31 Maret 2018
https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-5-principle-5-separating-governance-from-management/

12. Decomposition of Framework
▪ COBIT 5 berfokus utama pada persyaratan kualitas, security
requirement, dan fduciary requirements.
▪ Pengembangan selanjutnya dari COBIT 5 akan berfokus pada quality
confdentiality, cost integrity, delivery availability, effectiveness and
efciency of operations, reliability of information, and compliance with
laws and regulations
31 Maret 2018

13. Framework Structure Generic Domains
▪ At the organization level, processes are naturally grouped together
into generic domains.
▪ Four generic domains can be identifed for the organizational level:
– Planning and organization
– Acquisition and implementation
– Delivery and support
– Monitoring
31 Maret 2018

14. Planning and organization
Pertanyaan umum yang harus
diajukan berkaitan tentang
perencanaan strategis, antara
lain:
1.What direction are we going
in?
2.Who is the stakeholder or
customer we are working for?
3. How can we improve our
performance and efciency to
make
it there?
31 Maret 2018
Planning and organization memiliki 4 elemen yang berbeda, dan
semuanya perlu ditetapkan agar berhasil mengikuti framework COBIT
5. Elemen-elemen tersebut antara lain visi, misi, value, dan tujuan.
Gambar berikut menunjukan konseptual secara umum dari elemen
tersebut:
Securing an IT Organization throughGovernance, Risk Management, and Audit by Ken Sigler • Dr. James L. Rainey, III . Page: 279

15. Acquisition and implementation
▪ Dokumen-dokumen pada tahap ini kemungkinan besar akan
diperbaharui oleh tenaga teknis, manajer proyek, serta manajer IT
ketika proyek berjalan. Dokumen-dokumen tersebut antara lain:
– Business Systems Document (fnalized draft);
– Design Specifcation Document (fnalized draft);
– InterfaceControl Document (frst draft, living document);
– System Deployment Document (frst draft, living document);
– Transition Management Document (frst draft, living document);
– UserTraining Documentation (frst draft, living document); dan
– Computer Operator’s Handbook (frst draft, living document)
31 Maret 2018

16. Delivery and support
▪ Dalam pengembangan perangkat lunak, organisasi yang
bertanggung jawab untuk membangun sistem biasanya memegang
tanggung jawab merumuskan dokumen yang akan mendorong
proyek melalui fase implementasi SDLC. Beberapa dari dokumen-
dokumen tersebut tercantum di bawah ini:
– Business Systems Document
– Design Specifcation Document
– InterfaceControl Document (fnalized draft)
– System Deployment Document (fnalized draft)
– Transition Management Document
– UserTraining Documentation (fnalized draft)
– Computer Operator’s Handbook (fnalized draft)
31 Maret 2018

17. Monitoring
▪ COBIT 5 memiliki dua level monitoring.Tingkat pertama yang
berhubungan dalam konteks governance. Proses EDM05 Memastikan
transparansi pemangku kepentingan menjelaskan peran direktur
dalam memantau dan mengevaluasi tata kelolaTI dan kinerjaTI
dengan metode umum untuk menetapkan tujuan dan sasaran serta
metrik terkait (ISACA 2012, hlm. 57)
31 Maret 2018

18. COBIT Management Guidelines
▪ COBIT Management Guidelines terdapat beberapa petunjuk dalam
penerapan COBIT, antara lain:
– Enterprise Management
– Risk Management
– Status of IT System
– Continuous Improvement
31 Maret 2018

19. Enterprise Management
▪ Stakeholders harus
mempertimbangkan antara
pengularan serta manfaat yang
didapat guna peningkatan
cybersecurity.
▪ Peningkatan biaya tidak selalu
selaras dengan benefit yang
diterima
31 Maret 2018
Securing an IT Organization throughGovernance, Risk Management, and Audit by Ken Sigler • Dr. James L. Rainey, III . Page: 300
Governance and Management Approach of
COBIT 5

20. Risk Management
▪ Beberapa goals hanya mengarah kepada kualitas, namun disisi lain
dapat diarahkan kepada timeliness in delivery
▪ Risk management dapat diartikan peristiwa dalam backup and
recovery sehingga setiap tahunnya diperlukan pelatihan disaster
recovery untuk melakukan evaluasi kesiapan dalam menghadapi
bencana dan sejauh mana kesiapan dalam data recovery, system
downtime, serta emergency awareness
31 Maret 2018

21. Status of IT System
▪ Organisasi harus mengetahui kebutuhan dasar suatu status system
IT, berdasarkan status tersebut dapat ditentukan tingkat keamanan
serta control yang dapat diterapkan
▪ Cukup sulit menentukan objective mengenai apa yang harus diukur
serta bagaimana cara mengukurnya
31 Maret 2018

22. Continuous Improvement
31 Maret 2018
Securing an IT Organization throughGovernance, Risk Management, and Audit by Ken Sigler • Dr. James L. Rainey, III . Page: 302

23. Sumber
▪ Securing an IT Organization through Governance, Risk Management, andAudit by Ken Sigler • Dr. James L. Rainey, III
▪ https://www.alctraining.com.au/blog/the-5-key-principles-of-cobit-5/
▪ https://www.orbussoftware.com/resources/videos/cobit-distilled/the-principles-of-cobit-5/
▪ https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-principle-1-meeting-stakeholder-needs/
▪ https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-principle-2-covering-the-enterprise-end-to-
end/
▪ https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-5-principle-3-applying-single-integrated-
framework/
▪ https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-5-principle-4-enabling-a-holistic-approach/
▪ https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-5-principle-5-separating-governance-from-
management/
▪ https://www.orbussoftware.com/resources/videos/cobit-distilled/cobit-5-principle-5-separating-governance-from-
management/
31 Maret 2018

24. Terima Kasih…