
Model Design of Information Security Governance Assessment with Collaborative Integration of COBIT 5 and ITIL
(Case Study: INTRAC)

Perdana Kusumah, Sarwono Sutikno & Yusep Rosmansyah
School of Electrical Engineering and Informatics, Bandung Institute of Technology, Indonesia
perdana.kusumah@gmail.com, ssarwono@gmail.com, yusep@stei.itb.ac.id

Abstract: Management of information without regard to the risks to the achievement of enterprise goals can have an impact on organizational performance, financial loss or the organization's credibility. The control of the risk of such negative effects, and the use of opportunities in achieving enterprise goals, is called information security. Information security is generally addressed in a partial and limited way. This also happens at INTRAC, which applies only the management area of information security by adopting ISO/IEC 27001:2009 and ISO/IEC 27002:2005. This study aims to develop a process assessment model that supports the implementation of information security governance in an organization. The method used in this study is a qualitative method. Based on validation by expert judgment, an information security governance model has been prepared in accordance with the requirements of information security, particularly those of INTRAC.

Keywords: information security; enterprise goals; IT-related goals; risk; service management system; governance processes; process management; process reference model; process assessment model; enablers.

I. INTRODUCTION

A. Background
Management of information without regard to the risks to the achievement of enterprise goals can have an impact on organizational performance, financial loss or the organization's credibility. The control of the risk of such negative effects, and the use of opportunities in achieving enterprise goals, is called information security. The dimensions of information security, in the context of confidentiality, integrity and availability of information, are always considered in the context of the achievement of business objectives or enterprise/organization goals. The design and implementation of information security risk controls prevent the leakage, destruction or unavailability of information. These conditions make information security a very important factor to be applied in the organization [1] [2]. In addition, another key factor that greatly affects the security of information is security awareness [3]. Information security issues can adversely impact the organization's credibility, especially for government agencies that manage confidential data [4].

Research that has been done on information security can be grouped into these areas: governance [5], framework [6] [7], risk [8], technology/infrastructure [9] [10] [11], organization [12], people [6], process [6], information [13] [14], application/service [15], principle/policy [16], culture/behavior [3] [17] and management [18] [19].

Currently, INTRAC has implemented the information security management areas using ISO/IEC 27001:2009 and ISO/IEC 27002:2005. However, the desktop assessment conducted by the Directorate of Information Security of the Ministry of Communication and Informatics reported that information security management at INTRAC is not good, because the level of dependency on IT is very critical while, on the other hand, the level of maturity is very low [20]. A holistic and integrated treatment of all areas is needed to cope with the many information security problems in order to support the achievement of enterprise goals. Currently, there is no research that addresses information security governance in government institutions using COBIT 5 [21], primarily based on an IT service management system [22].

B. Problem Formulation
Based on the results of the initial studies that have been conducted, many information security problems occur in many organizations. The basic security problems can be security breaches or attacks that cause financial losses, lack of awareness of information security, and leakage of confidential information. Those problems can be overcome by applying specific information security solutions directly and partially. Information security issues can have an impact on the achievement of enterprise goals and IT goals. Therefore, all IT-related components of the organization must be managed properly. Currently, INTRAC does not have a standard to address information security issues.

C. Purpose
The purpose of this study is to develop an assessment model for holistic and integrated information security governance on the service management system of an enterprise, especially INTRAC.

D. Limitation
The design of the information security governance model is associated with the service management system. The components included in information security governance are principles/policies, processes, organizational structure, culture, information, services and people.

E. Outputs
- Tool for process scoping,
- Process reference model,
- Process assessment model.

F. Research Questions
- What are the tasks that must be carried out to support the preparation of the information security process assessment model?
- Is the model made in accordance with the requirements of information security at INTRAC?
- What information security governance of the service management system fits INTRAC?

II. LITERATURE REVIEW

A. INTRAC
Based on Law No. 8 of 2010, INTRAC (Center for Financial Transaction Reports and Analysis) is an independent agency established in order to prevent and combat money laundering [23].

1) Vision and Mission
INTRAC's vision is to become an independent institution in the field of financial information that plays an active role in the prevention and combating of money laundering and terrorism financing. The vision is formulated into the following mission [4]:
- increase efforts and support for the disclosure of money laundering and the financing of terrorism,
- enhance cooperation domestically and abroad,
- improve governance and effective business processes to support the tasks, functions and authority of INTRAC.
INTRAC performs the management of data and financial transaction information, supported by the IT Center [24]. Based on the basic values of INTRAC, confidentiality is an absolute factor to be applied in the management of information.

B. COBIT 5
Based on COBIT 5 [25], information is the primary resource for all enterprises. Information can be created, used, stored, disclosed or destroyed. Successful enterprises have recognized that the board of directors and executives need to embrace IT as an important part of doing business. COBIT 5 provides a comprehensive framework to help achieve the goals within the framework of governance and management of enterprise IT. COBIT 5 is generic and useful for all types of enterprise. COBIT 5 defines enablers, which are an important factor in establishing IT governance.

C. COBIT 5 Enabling Process
COBIT 5 Enabling Process [26] is a complement that defines the COBIT 5 process reference model. The process is one of the seven COBIT 5 enablers and consists of 37 processes, which can be described as follows.
1) EDM (Evaluate, Direct and Monitor), 5 processes.
2) APO (Align, Plan and Organise), 13 processes.
3) BAI (Build, Acquire and Implement), 10 processes.
4) DSS (Deliver, Service and Support), 6 processes.
5) MEA (Monitor, Evaluate and Assess), 3 processes.

D. COBIT 5 for Risk
COBIT 5 for Risk discusses IT-related risk and presents it through two perspectives, i.e. the risk function perspective and the risk management perspective. Common risk categories that exist in the organization are: portfolio establishment and maintenance, programme/project life cycle management, IT investment decision making, IT expertise and capabilities, operations carried out by staff, information (damage, leakage and access), architecture, infrastructure, software, business ownership of IT, supplier selection, regulatory compliance, geopolitics, theft or destruction of infrastructure, malware, logical attacks, industrial action, environment, natural disasters, and innovation [27].

E. Process Assessment Model (PAM)
A PAM is a model that aims to assess the capability of processes against one or several process reference models [28]. The scale has six process capability levels, defined on an ordinal scale that runs from incomplete to optimizing. These levels can be described as follows [29].
- Level 0: Incomplete process.
- Level 1: Performed process.
- Level 2: Managed process.
- Level 3: Established process.
- Level 4: Predictable process.
- Level 5: Optimizing process.
Process attributes (PA) can be assessed based on the following intervals [29]:
- N (not achieved): 0 - 15% achievement,
- P (partially achieved): > 15% - 50% achievement,
- L (largely achieved): > 50% - 85% achievement,
- F (fully achieved): > 85% - 100% achievement.
The structure of the assessment indicators is shown in Figure II-1. The COBIT 5 process assessment model refers to the structure in Figure II-2.

F. COBIT 5 for Information Security
COBIT 5 for Information Security focuses on information security and provides more complete guidelines and practices for information security professionals and other interested parties at all levels of the enterprise [21]. COBIT 5 for Information Security also provides specific guidance related to all the enablers.

Figure II-1 Assessment indicator.

Figure II-2 COBIT 5 process assessment model.

G. IT Service Management
IT service management is a management system that aims to direct and regulate the activities of IT services. The service management life cycle comprises service strategy (SS), service design (SD), service transition (ST), service operation (SO) and continual service improvement (CSI) [30].
1) SS: strategy generation, service portfolio management, financial management for IT services, demand management, and business relationship management.
2) SD: design coordination, service catalogue management, service level management, availability management, capacity management, IT service continuity management, information security management, and supplier management.
3) ST: transition planning and support, change management, service asset and configuration management, release and deployment management, service validation and testing, change evaluation, and knowledge management.
4) SO: event management, incident management, request fulfillment, problem management, access management, and operation management.
5) CSI: service measurement, service reporting, and 7-step improvement.

III. RESEARCH METHODOLOGY
The method used in this study is the concurrent embedded mixed method, in which quantitative methods are embedded within qualitative methods [31]. Once the information security governance model has been generated, the next step is its validation in a qualitative manner through expert judgment. The framework used in this study refers to the approach of R. Cole et al. [32], which has the following four stages.
- Problem identification: the process of defining the research problem, which may include an initial concept involving the research object. This process is described in detail in chapter I.
- Intervention: the process of planning, developing and taking action to build a construct, model, method, prototype or other resource. This process is described in detail in chapters III and IV. The qualitative data in this study, used to analyze and design the model, are derived from internal documents of INTRAC [33] [34].
- Evaluation: the process of observing and measuring the level of suitability and accuracy of the output produced. This process is the validation of the model through expert judgment.
- Reflection and learning: reflection and learning aim to report the results of the research and to identify its practical and theoretical contribution. This is done by presenting the research results at seminars or conferences.

IV. ANALYSIS AND DESIGN

A. Tool for Information Security Governance Process Scoping
Based on ISO/IEC 27002:2013 [35], the sources of information security requirements for scoping are taken from the principles, objectives and business requirements of the organization and/or a risk assessment.

1) Objectives of Organization Mapping
Based on the results of the enterprise goals (EG) mapping, there are six categories of INTRAC organizational goals associated with generic information in accordance with the COBIT 5 objectives, namely EG05, EG09, EG11, EG14, EG16 and EG17.

2) IT Objectives Mapping
This mapping aims to reduce and formulate IT objectives in the form of generic IT-related goals (ITRG). Based on the results of the EG and ITRG mapping, there are 34 processes related to IT governance.

3) IT Service Management Mapping
This mapping compares the relationship between governance processes and service management system processes. The mapping can be summarized in a simple form such as that shown in Table IV-1.

4) Risk Priority Assessment
COBIT 5 for Risk is used to identify the risks that exist at INTRAC and to determine their benefit/cost ratio (BCR). ISO/IEC 31000:2009 is used to determine the level of the risks identified with COBIT 5 for Risk.

5) Determination of Process Scope
Based on the analysis of the mapping of risk categories to governance and management processes, the scope of information security governance consists of 26 processes.

B. Process Reference Model
The process reference model refers to COBIT 5 for Information Security. Table IV-3 shows an example of a process reference model that has been formulated. Table IV-2 shows the results of the risk identification list at INTRAC.

Table IV-1 Summary of process mapping COBIT 5 and ITIL.

| Governance Process (COBIT 5) | Service Management Process (ITIL) |
|---|---|
| EDM01 | *) |
| EDM02 | *) |
| EDM03 | *) |
| EDM04 | *) |
| EDM05 | *) |
| APO01 | [SD] Design Coordination; [CSI] 7-step Improvement |
| APO02 | [SS] Strategy generation |
| APO05 | [SS] Service Portfolio Management |
| APO06 | [SS] Financial management for IT services |
| APO08 | [SS] Demand management; [SS] Business Relationship Management |
| APO09 | [SS] Service Portfolio Management; [SS] Demand management; [SD] Service Catalogue Management; [SD] Service Level Management; [CSI] Service Reporting |
| APO10 | [SD] Supplier Management |
| APO12 | [SD] Information Security Management |
| APO13 | [SD] Information Security Management |
| BAI01 | [SD] Design Coordination |
| BAI04 | [SD] Availability Management; [SD] Capacity Management |
| BAI06 | [ST] Change Management |
| BAI07 | [ST] Transition Planning & Support; [ST] Release & Deployment Management; [ST] Service Validation & Testing; [ST] Change Evaluation |
| BAI08 | [ST] Knowledge Management |
| BAI09 | [ST] Service Asset & Configuration Management |
| BAI10 | [ST] Service Asset & Configuration Management |
| DSS01 | [SO] Event Management; [SO] Operation Management |
| DSS02 | [SO] Incident Management; [SO] Request Fulfilment |
| DSS03 | [SO] Problem Management |
| DSS04 | [SD] IT Service Continuity Management |
| MEA01 | [CSI] Service Measurement; [CSI] Service Reporting |

*) Incorporated into the scope of the process with consideration of governance.

Table IV-2 Risk priority assessment.

| Risk Category | P | I | Le | BCR | Pt |
|---|---|---|---|---|---|
| Portfolio establishment and maintenance | 2 | 4 | M | L | L |
| Programme/projects life cycle management | 3 | 3 | M | M | M |
| IT investment decision making | 1 | 3 | L | H | M |
| IT expertise and skills | 3 | 2 | M | M | M |
| Staff operations | 2 | 4 | M | L | L |
| Information (data breach: damage, leakage and access) | 2 | 5 | H | L | M |
| Architecture | 2 | 4 | M | L | L |
| Infrastructure | 2 | 4 | M | L | L |
| Software | 3 | 4 | H | L | M |
| Business ownership of IT | 2 | 4 | M | L | L |
| Supplier selection/performance, contractual compliance, termination of service and transfer | 3 | 3 | M | L | L |
| Regulatory compliance | 2 | 4 | M | H | H |
| Geopolitical | 1 | 2 | L | L | L |
| Infrastructure theft or destruction | 1 | 5 | M | L | L |
| Malware | 2 | 4 | M | L | L |
| Logical attacks | 4 | 4 | H | L | M |
| Industrial action | 2 | 3 | M | L | L |
| Environmental | 2 | 1 | L | L | L |
| Acts of nature | 1 | 5 | M | L | L |
| Innovation | 2 | 1 | L | L | L |

P: probability, I: impact, Le: level, Pt: priority, H: high, M: medium, L: low.

Table IV-3 Process reference model sample.

| ID | [process ID] |
|---|---|
| Name | [process name] |
| Desc. | [process description] |
| Purpose | [purpose of governance/management process] |

Outcomes (Os)

| Number | Description |
|---|---|
| [number] | [outcome description] |

Base Practices (BPs)

| Number | Description | Supports |
|---|---|---|
| [number] | [base practice description] | [reference] |

Work Products (WPs)

Inputs

Table IV-3 Process reference model sample (continued).

| ID | [process ID] |
|---|---|

Inputs

| Number | Description | Supports |
|---|---|---|
| [number] | [input description] | [reference] |

Outputs

| Number | Description | Input to | Supports |
|---|---|---|---|
| [number] | [output description] | [destination] | [reference] |

D. Process Assessment Model
The process assessment model is a model used to assess the capability of governance processes based on a process reference model. The process assessment model uses the following data sources:
- Process reference model,
- ISO/IEC 15504 series,
- COBIT 5 for Information Security,
- COBIT 5 Process Assessment Model.
The results of the assessment of the information security processes at INTRAC, current and target performance, are shown in Figure IV-1. These results indicate that only the APO01 process reaches level 1, while the other 25 are at level 0.

[Figure IV-1: bar chart of current and target achievement (%) for EDM01-EDM05, APO01, APO02, APO05, APO06, APO08, APO09, APO10, APO12, APO13, BAI01, BAI04, BAI06, BAI07, BAI08, BAI09, BAI10, DSS01-DSS04 and MEA01; series: Current, Target.]
Figure IV-1 Comparison of current and target achievement.

V. CONCLUSIONS

A. Conclusions
The conclusions of this research about information security governance in government institutions are:
- There are three main tasks to prepare information security governance: determining the scope of the processes, making the process reference model, and making the assessment model.
- The governance model that has been made in accordance with the requirements of information security at INTRAC has been validated through expert judgment.
- The suitable information security governance of the service management system for INTRAC is a collaborative integration of the COBIT 5 and ITIL frameworks, which consists of 26 processes.

B. Suggestions
The suggestions from this research are to:
- compare the designed information security assessment model with other models to determine the completeness of its coverage;
- conduct further research on a reference model and assessment of policies, organizational structure, culture, information, services or people;
- conduct further research on the weight rating of each governance process.

REFERENCES
[1] Ko, M., Dorantes, C., "The Impact of Information Security Breaches on Financial Performance of The Breached Firms: an Empirical Investigation," Journal of Information Technology Management, vol. XVII, pp. 13-22, 2006.
[2] Whitman, M. E., "In defense of the realm: understanding the threats to information security," International Journal of Information Management, vol. 24, no. 1, pp. 43-57, 2004.
[3] Kruger, H.A., Flowerday, S., Drevin, L., Steyn, T., "An assessment of the role of cultural factors in information security awareness," in Information Security South Africa (ISSA), 2011, 2011.
[4] ___, Rencana Strategis (Renstra) Pusat Pelaporan dan Analisis Transaksi Keuangan Tahun 2010 - 2014, Indonesia: PPATK, 2009.
[5] Nnoli, H., Lindskog, D., Zavarsky, P., Aghili, S., Ruhl, R., "The Governance of Corporate Forensics Using COBIT, NIST and Increased Automated Forensic Approaches," in Privacy, Security, Risk and Trust (PASSAT), 2012 International Conference on and 2012 International Conference on Social Computing (SocialCom), 2012.
[6] Nwafor, C.I., Zavarsky, P., Ruhl, R., Lindskog, D., "A COBIT and NIST-based conceptual framework for enterprise user account lifecycle management," in Internet Security (WorldCIS), 2012 World Congress on, 2012.
[7] Beckers, K., Fassbender, S., Heisel, M., Schmidt, H., "Using Security Requirements Engineering Approaches to Support ISO 27001 Information Security Management Systems Development and Documentation," in Availability, Reliability and Security (ARES), 2012 Seventh International Conference on, 2012.
[8] Kim, A. C., Lee, S. M. & Hoon, D., "Compliance Risk Assessment Measures of Financial Information Security using System Dynamics," International Journal of Security and Its Applications, vol. 6, pp. 191-200, 2012.
[9] Nagao, M., Koide, K., Satoh, A., Keeni, G. M., Shiratori, N., "Sharing information for event analysis over the wide Internet," Communications and Networks, Journal of, vol. 12, no. 4, pp. 382-394, 2010.
[10] Rong, Bo., Chen, H.H., Qian, Yi, Lu, K., Hu, R.Q., Guizani, S., "A Pyramidal Security Model for Large-Scale Group-Oriented Computing in Mobile Ad Hoc Networks: The Key Management Study," Vehicular Technology, IEEE Transactions on, vol. 58, no. 1, pp. 398-408, 2009.
[11] Bloch, M., Barros, J., Rodrigues, M. R. D., McLaughlin, S.W., "Wireless Information-Theoretic Security," Information Theory, IEEE Transactions on, vol. 54, no. 6, pp. 2515-2534, 2008.
[12] Kyung, T., Kim, K., Kim, S., Song, Y., "A Study on Information Security Level Evaluation Using Fuzzy AHP," in Information Science and Applications (ICISA), 2011 International Conference on, 2011.
[13] Enokido, T., Takizawa, M., "Purpose-Based Information Flow Control for Cyber Engineering," Industrial Electronics, IEEE Transactions on, vol. 58, no. 6, pp. 2216-2225, 2011.
[14] Seehusen, F., Stolen, K., "Information flow security, abstraction and composition," Information Security, IET, vol. 3, no. 1, pp. 9-33, 2009.
[15] Zhang, Y., Chen, J. L., "A Delegation Solution for Universal Identity Management in SOA," Services Computing, IEEE Transactions on, vol. 4, no. 1, pp. 70-81, 2011.
[16] von Solms, R., Thomson, K. L., Maninjwa, M., "Information Security Governance control through comprehensive policy architectures," in Information Security South Africa (ISSA), 2011, 2011.
[17] Shaw, R.S., Chen, C. C., Harris, A. L., Huang, H. J., "The impact of information richness on information security awareness training effectiveness," Computers & Education, vol. 52, no. 1, pp. 92-100, 2009.
[18] Leszczyna, R., Fovino, I.N., Masera, M., "Approach to security assessment of critical infrastructures' information systems," Information Security, IET, vol. 5, no. 3, pp. 135-144, 2011.
[19] Siponen, M., Willison, R., "Information security management standards: Problems and solutions," Information & Management, vol. 46, no. 5, pp. 267-270, 2009.
[20] ___, "Laporan Hasil Desktop Assessment Keamanan Informasi PPATK," Direktorat Keamanan Informasi, Kemkominfo, Jakarta, 2012.
[21] ___, COBIT 5 for Information Security, United States of America: ISACA, 2012.
[22] Liu, M., Gao, Z., Luo, W., Wan, J., "Case study on IT service management process evaluation framework based on ITIL," in Business Management and Electronic Information (BMEI), 2011 International Conference on, 2011.
[23] ___, Undang-undang Nomor 8 Tahun 2010 tentang Pencegahan dan Pemberantasan Tindak Pidana Pencucian Uang, Jakarta: PPATK, 2010.
[24] ___, Peraturan Kepala PPATK Nomor: Per-07/1.01/PPATK/08/12 Tahun 2012 tentang Organisasi dan Tata Kerja PPATK, Jakarta: PPATK, 2012.
[25] ___, COBIT 5 - A Business Framework for the Governance and Management of Enterprise IT, United States of America: ISACA, 2012.
[26] ___, COBIT 5 - Enabling Process, United States of America: ISACA, 2012.
[27] ___, COBIT 5 - for Risk, United States of America: ISACA, 2013.
[28] ___, ISO/IEC 15504-1 - Information technology - Process Assessment - Part 1: Concept and Vocabulary, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), 2004.
[29] ___, ISO/IEC 15504-2 - Software Engineering - Process Assessment - Part 2: Performing an Assessment, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), 2003.
[30] Long, J. O., ITIL 2011 At a Glance, New York: Springer, 2012.
[31] Creswell, John W., Research Design: Qualitative, Quantitative, and Mixed Methods Approaches, Third Edition, SAGE Publications, Inc, 2008.
[32] Cole, R., Purao, S., Rossi, M., Sein, M., "Being Proactive: Where Action Research meets Design Research," in ICIS 2005 Proceedings, Paper 27, 2005.
[33] ___, Peraturan Nomor PER-13/1.02/PPATK/09/2011 tentang Tata Kelola Keamanan Informasi, Jakarta: PPATK, 2011.
[34] ___, Rencana Strategis Pusat Teknologi Informasi Tahun 2013 - 2014, Jakarta: PPATK, 2012.
[35] ___, ISO/IEC 27002 - Information technology -- Security techniques -- Code of practice for information security controls, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), 2013.
[36] ___, Process Assessment Model (PAM): Using COBIT 5, United States of America: ISACA, 2013.
[37] ___, ISO/IEC 15504-5 - Information Technology - Process Assessment - Part 5: An Exemplar Software Life Cycle Process Assessment Model, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), 2012.
