DS5

Level No

1 1

2 1

3 1

4 1
2

5 1
2

4
 DS5 Manage Security

Statement

Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfoli

Implement a decision-making process to prioritise the allocation of IT resources for operations, projects and main
the enterprise’s portfolio of IT-enabled investment programmes and other IT services and assets.

The practices should support development of an overall IT budget as well as development of budgets for individual progra
emphasis on the IT components of those programmes.
The practices should allow for ongoing review, refinement and approval of
the overall budget and the budgets for individual programmes.

Implement a cost management process comparing actual costs to budgets.

Costs should be monitored and reported. Where there are
deviations, these should be identified in a timely manner and the impact of those deviations on programmes sho
Together with the business sponsor of those programmes, appropriate remedial action should be taken and, if ne
programme business case should be updated.

Implement a process to monitor the benefits from providing and maintaining appropriate IT capabilities.
IT’s contribution to the
business, either as a component of IT-enabled investment programmes or as part of regular operational support,
and documented in a business case, agreed to, monitored and reported.
Reports should be reviewed and, where there are
opportunities to improve IT’s contribution, appropriate actions should be defined and taken.
Where changes in IT’s contribution
impact the programme, or where changes to other related projects impact the programme, the programme busin
be updated.
Ya Ya, Ragu-Ragu Ragu-Ragu Tidak, Ragu-ragu Tidak Score
1 0.75 0.5 0.25 0
0

0 0

0 0

0 0

0
0

0 0

0
0

0 0

0
#DIV/0! #DIV/0!

#DIV/0! #DIV/0!

#DIV/0! #DIV/0!

#DIV/0! #DIV/0!
#DIV/0! #DIV/0!

#DIV/0! ###
Determine Technological Direction

Level No

0 1

1 1

2 1

3 1

2
 3

4 1
2
3
4
5
6

5 1

6
ne Technological Direction

Statement Ya
1
The organisation does not require the identification of functional and operational
requirements for development, implementation or
modification of solutions, such as system, service, infrastructure, software and data.
The organisation does not maintain an
awareness of available technology solutions potentially relevant to its business.

There is an awareness of the need to define requirements and identify technology solutions.
Individual groups meet to discuss needs
informally, and requirements are sometimes documented.
Solutions are identified by individuals based on limited market awareness
or in response to vendor offerings. There is minimal structured research or analysis of
available technology.

Some intuitive approaches to identify IT solutions exist and vary across the business.
Solutions are identified informally based on the internal experience and knowledge of
the IT function.
The success of each project depends on the expertise of a few key
individuals. The quality of documentation and decision making varies considerably.
Unstructured approaches are used to define
requirements and identify technology solutions.

Clear and structured approaches in determining IT solutions exist.

The approach to the determination of IT solutions requires the
consideration of alternatives evaluated against business or user requirements,
technological opportunities, economic feasibility, risk
assessments, and other factors.
The process for determining IT solutions is applied for some projects based on factors
such as the
decisions made by the individual staff members involved, the amount of management
time committed, and the size and priority of
the original business requirement.
Structured approaches are used to define requirements and identify IT solutions.

An established methodology for identification and assessment of IT solutions exists

and is used for most projects.
Project documentation is of good quality, and each stage is properly approved.
Requirements are well articulated and in accordance with predefined structures.
Solution alternatives are considered, including the analysis of costs and benefits.
The methodology is clear, defined, generally understood and measurable.
There is a clearly defined interface between IT management and business in the
identification and assessment of IT solutions.

The methodology for identification and assessment of IT solutions is subjected to

continuous improvement.
The acquisition and implementation methodology has the flexibility for large- and small-
scale projects.
The methodology is supported by internal and external knowledge databases
containing reference materials on technology solutions.
The methodology itself produces documentation in a predefined structure that makes
production and maintenance efficient.

New opportunities are often identified to utilise technology to gain competitive

advantage, influence business process re-engineering and improve overall efficiency.
Management detects and acts if IT solutions are approved without consideration of
alternative technologies or business functional requirements.
Ya, Ragu-Ragu Ragu-Ragu Tidak, Ragu-ragu Tidak Score
0.75 0.5 0.25 0

0 0 #DIV/0! #DIV/0!

0 0 #DIV/0! #DIV/0!

0 0 #DIV/0! #DIV/0!

0
0

0 0 #DIV/0! #DIV/0!

0
0
0
0
0
0

0 0 #DIV/0! #DIV/0!

0 0 #DIV/0! #DIV/0!

0 #DIV/0! ###
 DS5 Manage Security

Level No

0 1

1 1

2 1

3 1
4 1

5 1
 DS5 Manage Security

Statement Ya
1
Verify that all data expected for processing are received and processed completely, accurately
and in a timely manner, and all output
is delivered in accordance with business requirements.
Support restart and reprocessing needs.

Define and implement procedures for effective and efficient data storage, retention and
archiving to meet business objectives, the organisation’s security policy and regulatory
requirements.

Define and implement procedures to maintain an inventory of stored and archived

media to ensure their usability and integrity.

Define and implement procedures to ensure that business requirements for protection
of sensitive data and software are met when data and hardware are disposed or
transferred.
Define and implement procedures for backup and restoration of systems, applications,
data and documentation in line with business requirements and the continuity plan.

Define and implement policies and procedures to identify and apply security
requirements applicable to the receipt, processing, storage and output of data to meet
business objectives, the organisation’s security policy and regulatory requirements.
Ya, Ragu-Ragu Ragu-Ragu Tidak, Ragu-ragu Tidak Score
0.75 0.5 0.25 0

0 0 #DIV/0! #DIV/0!

0 0 #DIV/0! #DIV/0!

0 0 #DIV/0! #DIV/0!

0 0 #DIV/0! #DIV/0!
0

0 0 #DIV/0! #DIV/0!

0 0 #DIV/0! #DIV/0!

0 #DIV/0! ###
 DS5 Manage Security

Level No

0 1
2

1 1
2

2 1

3 1

2
 3

4 1
2
3
4

6
7
8

10

11

5 1

5
6

7
8

10

11
 DS5 Manage Security

Statement Ya
1
There is a complete lack of any recognisable IT governance process.
The organisation does not even recognise that there is an issue to be to be addressed; hence,
there is no communication about the issue.

There is recognition that IT governance issues exist and need to be addressed.

There are ad hoc approaches applied on an individual or case-by-case basis.
Management’s approach is reactive, and there is only sporadic, inconsistent
communication on issues and approaches to address them. Management has only an
approximate indication of how IT contributes to business performance.
Management only reactively responds to an incident that has caused some loss or
embarrassment to the organisation.

There is awareness of IT governance issues.

IT governance activities and performance indicators, which include IT planning,delivery
and monitoring processes, are under development. Selected IT processes are
identified for improvement based on individuals’ decisions.

Management identifies basic IT governance measurements and assessment methods

and techniques; however,the process is not adopted across the organisation.
Communication on governance standards and responsibilities is left to the individual.
Individuals drive the governance processes within various IT projects and processes.
The processes, tools and metrics to measure IT governance are limited and may not
be used to their full capacity due to a lack of expertise in their functionality.

The importance of and need for IT governance are understood by management and
communicated to the organisation.
A baseline set of IT governance indicators is developed where linkages between
outcome measures and performance indicators are defined and documented.
Procedures are standardised and documented.
Management communicates standardised procedures, and training is Dashboards are
defined as part of the IT balanced business
scorecard. However, it is left to the individual to get training, follow the standards and
apply them.
established. Tools are identified to assist with overseeing IT governance.
Dashboards are defined as part of the IT balanced business
scorecard. However, it is left to the individual to get training, follow the standards and
apply them.
Processes may be monitored, but deviations, while mostly being acted upon by
individual initiative, are unlikely to be detected by management.

There is full understanding of IT governance issues at all levels.

There is a clear understanding of who the customer is, and responsibilities are defined
and monitored through SLAs.
Responsibilities are clear and process ownership is established.
IT processes and IT governance are aligned with and integrated into the business and
the IT strategy.

Improvement in IT processes is based primarily upon a quantitative understanding, and

it is possible to monitor and measure compliance with procedures and process metrics.
All process stakeholders are aware of risks, the importance of IT and the opportunities
it can offer.
Management defines tolerances under which processes must operate.
There is limited, primarily tactical, use of technology, based on mature techniques and
enforced standard tools.
IT governance has been integrated into strategic and operational planning and
monitoring processes.
Performance indicators over all IT governance activities are being recorded and
tracked, leading to enterprisewide
improvements.
Overall accountability of key process performance is clear, and management is
rewarded based on key performance Overall accountability of key process
performance is clear, and management is rewarded based on key performance
measures.

There is an advanced and forward-looking understanding of IT governance issues and

solutions.

Training and communication are supported by leading-edge concepts and techniques.

Processes are refined to a level of industry good practice, based on results of
continuous improvement and maturity modelling with other organisations.
The implementation of IT policies leads to an organisation, people and processes that
are quick to adapt and fully support IT governance requirements.
All problems and deviations are root cause analysed, and efficient action is expediently
identified and initiated.
IT is used in an extensive, integrated and optimised manner to automate the workflow
and provide tools to improve quality and effectiveness.
The risks and returns of the IT processes are defined, balanced and communicated
across the enterprise.
External experts are leveraged and benchmarks are used for guidance.
Monitoring, self-assessment and communication about governance expectations are
pervasive within the organisation, and there is optimal use of technology to support
measurement, analysis, communication and training.
Enterprise governance and IT
governance are strategically linked, leveraging technology and human and financial
resources to increase the competitive advantage
of the enterprise.
IT governance activities are integrated with the enterprise governance process.
Ya, Ragu-Ragu Ragu-Ragu Tidak, Ragu-ragu Tidak Score
0.75 0.5 0.25 0
0
0

0 0 #DIV/0! #DIV/0!

0
0

0 0 #DIV/0! #DIV/0!

0 0 #DIV/0! #DIV/0!

0
0

0 0 #DIV/0! #DIV/0!

0
0
0
0

0
0
0

0 0 #DIV/0! #DIV/0!

0
0

0
0

0
0 0 #DIV/0! #DIV/0!

0 #DIV/0! ###