Design of E-Government Security Governance
Abstract—e-Government is needed to realize clean, effective, transparent and accountable governance as well as quality and reliable public services. The implementation of e-Government is currently constrained because there is no derivative regulation, one of which is the regulation for e-Government Security. To answer this need, this study aims to provide input on the performance management and governance system for e-Government Security, with the hope that the control design for e-Government Security can be met. The result of this study is an e-Government Security Governance System built from 28 core models of COBIT 2019. The 28 core models were selected using critical success factors (CSF) and risk. Furthermore, performance management for this governance system consists of capability and maturity levels, which is an extension of the evaluation process in the e-Government Evaluation Guidelines issued by the Ministry of PAN & RB. The design was evaluated by determining the current capability and maturity level in Badan XYZ. The evaluation shows that the design can be implemented and is needed.

Keywords—e-Government, COBIT 2019, governance, management, performance management, information security

I. INTRODUCTION

The implementation of e-Government (also known as Sistem Pemerintahan Berbasis Elektronik/SPBE) is part of the governance area of change of the Bureaucratic Reform (Reformasi Birokrasi) activities currently being carried out by the Government of Indonesia. The implementation of e-Government also supports all areas of change in the Bureaucratic Reform as a fundamental and comprehensive effort in the development of the state apparatus that utilizes technology and information (T&I), so that efficient, effective, transparent and accountable governance and quality public services can be realized. Right now, the regulations relating to e-Government are only set out in Presidential Regulation/Perpres of the Republic of Indonesia Number 95 of 2018 about e-Government. The Perpres was established to improve the integration and efficiency of the electronic-based government system and the governance and management of e-Government nationally. Before the enactment of the Perpres, the government (Ministries, Institutions, and Local Governments) had implemented e-Government individually according to their respective capacities, and achieved very varied levels of e-Government progress. This can be seen from the results of the PeGI (Pemeringkatan e-Government Indonesia) index conducted by the Ministry of Communication and Information. The latest PeGI results in 2015 showed that the average achievement in implementing e-Government at the Central Institutions reached an index value of 2.7 (good), while the Regional Governments reached an index value of 2.5 (poor).

The problem is that although the governance and management of e-Government in general and nationally are already regulated in Perpres 95 of 2018, there are still many other matters that have not been regulated. One thing that has not yet been regulated in the Perpres is regulation related to e-Government Security, or the information security of e-Government. In [1], [2], [3], [4], and [5] it is mentioned that one of the risks that influence the successful implementation of e-Government is the security factor. Even the survey in [6] states that issues related to security (and also privacy) are of more concern to residents than public convenience or access. The absence of these regulations results in e-Government Security that cannot yet be implemented, or, if it is implemented, must be done individually, so that the main purpose of implementing e-Government is not achieved in an integrated manner. Therefore, making an information security policy for e-Government becomes a crucial thing to do. Before entering into the various techniques used in information security, governance and management regulation are needed as a first step in regulation. These governance and management regulations can be written into a governance system as mentioned in [7].

The question that arises is how to design a governance system for e-Government Security. One of the frameworks that can be used is COBIT 2019. COBIT 2019 is the most recent framework from ISACA, published to renew COBIT 5. Therefore, this research will use COBIT 2019 to design an e-Government Security Governance System. This research will also include a step in the process evaluation model that can be used as a performance management system.

This paper is organized as follows. In Section II, research and regulation related to this research are discussed. In Section III, we explain the methodology used in this study. We write down the results of the research in Section IV. The conclusions of this study are written in Section V, where we also propose future work from this research.

II. RELATED RESEARCH AND REGULATION

To do this research, we first looked for regulations related to this research using search engines. In Indonesia, the e-Government evaluation is carried out using the Regulation of the Minister of Administrative and Bureaucratic Reform/PermenPAN&RB No. 5 of 2018 about Guidelines for Evaluating e-Government. This guideline came into force in 2018. Previously the evaluation was carried out using PeGI. The search terms for PeGI and the e-Government Evaluation Guidelines were entered into the search engine. We found the dimensions and points of evaluation in each method, but none of them included security. It can be assumed that regulations regarding security have not been regulated until the
A. Process and Information Flow

The Process and Information Flow of APO13.01 can be seen in Table IV.

TABLE IV. PROCESS AND INFORMATION FLOW APO13.01

Practice: APO13.01 Establish and maintain an information security management system (ISMS)

Description: Establish and maintain an information security management system (ISMS) that provides a standard, formal and continuous approach to information security management, enabling secure technology and business processes that are aligned with business requirements.

Activities/BP (capability level 2):
1) Define the scope and boundaries of the information security management system (ISMS) in terms of the characteristics of the enterprise, the organization, its location, assets and technology. Include details of, and justification for, any exclusions from the scope.
2) Define an ISMS in accordance with enterprise policy and the context in which the enterprise operates.
3) Align the ISMS with the overall enterprise approach to the management of security.
4) Obtain management authorization to implement and operate or change the ISMS.
5) Prepare and maintain a statement of applicability that describes the scope of the ISMS.
6) Define and communicate information security management roles and responsibilities.
7) Communicate the ISMS approach.

Information Flow/WP:
Input (from): Outside COBIT: Enterprise security approach
Output (to), capability level:
- APO13.01WP01 ISMS scope statement, to APO01.05 and DSS06.03; capability level 2
- APO13.01WP02 ISMS policy, to Internal; capability level 2

B. Organizational Structure

Organizational Structure is the main decision-making entity in an organization. The Organizational Structure of APO13.01 can be seen in Table V. The level of involvement in the Organizational Structure is divided into:
a. Responsible (R). Role R is the party that performs an activity.
b. Accountable (A). Role A has the right to make the final "yes" or "no" decision on an activity, as well as to answer the questions of other parties.

TABLE V. ORGANIZATIONAL STRUCTURE APO13.01

Practice: APO13.01
- Enterprise Risk Committee: R
- CIO: R
- CISO: A
- Head IT Administration: R
- Information Security Manager: R

C. People, Skills and Competencies

People, Skills and Competencies are needed to make good decisions, implement corrective actions, and successfully complete all activities. The people, skills and competencies of APO13 can be seen in Table VI.

TABLE VI. PEOPLE, SKILLS AND COMPETENCIES APO13

Skill: Information security
Related Guidance (Standards, Frameworks, Compliance Requirements): Skills Framework for the Information Age V6, 2015
Detailed Reference: Information security SCTY

Skill: Information security strategy development
Related Guidance (Standards, Frameworks, Compliance Requirements): e-Competence Framework (e-CF)—A common European Framework for ICT Professionals in all industry sectors - Part 1: Framework, 2016
Detailed Reference: D. Enable—D.1. Information Security Strategy Development

D. Policy and Procedure

Policies and procedures translate desired behavior into practical guidelines for day-to-day management. The policies and procedures of APO13 can be seen in Table VII.

TABLE VII. POLICIES AND PROCEDURES APO13

Relevant Policy: Information security and privacy policy
Policy Description: Sets behavioral guidelines to protect corporate information, systems and infrastructure. Given that business requirements regarding security and storage services are more dynamic than I&T risk management and privacy, their governance should be handled separately from that of I&T risk and privacy. For operational efficiency, synchronize the information security policy with the I&T risk and privacy policy.
Related Guidance: 1. ISO/IEC 27001:2013/Cor.2:2015(E); 2. ISO/IEC 27002:2013/Cor.2:2015(E); 3. National Institute of Standards and Technology Special Publication 800-53, Revision 5 (Draft), August 2017; 4. HITRUST CSF version 9, September 2017; 5. ISF, The Standard of Good Practice for Information Security 2016
Detailed Reference: 1. 5.2 Policy; 2. 5. Information security policies; 3. 3.2 Awareness and training (AT-1); 4. 04.01 Information Security Policy; 5. SM1.1 Information Security Policy

E. Culture, Ethics and Behavior

Culture, Ethics and Behavior of APO13 can be seen in Table VIII.

F. Infrastructure and Applications

a. Configuration management tools
b. Security and privacy awareness services
c. Third-party security assessment services

For the implementation of the e-Government Security Governance System, the 28 core models are not recommended to be applied simultaneously, because the resources needed would be too great. For this reason, Focus Areas are needed for grouping. A Focus Area is a specific governance topic, domain, or problem that can be addressed by a collection of key models and their components. For example, the Information Security Focus Area of this governance system consists of EDM01, APO01, APO02, APO04, APO07, APO09, APO11, APO12, APO13, DSS02, DSS05, DSS06, MEA02 and MEA04, obtained from the processes related to APO13.

With regard to performance management, the performance measurement is carried out using Table IX. In general, the capability level is determined as follows:
1. For each process in the list, the achievement rating (N/P/L/F) must be determined for each activity at level 2. Then the following is carried out:
   a. If all level 2 activities in every practice have been rated L or F, the process at least meets the level 2 requirements.
   b. If any level 2 activity in any process practice has been rated N or P, then evaluate whether the objectives of this process need to be achieved:
      1) If necessary, capability level 1 must be the target for the process.
      2) If not, the process can be ruled out (still at level 2).
2. For each process on the list that has been given level 2 capability, the achievement rating (N/P/L/F) must be determined for each activity at level 3. Then the following is done:
   a. If all level 3 activities in every practice have been rated L or F, the process at least meets the level 3 requirements.
   b. If any level 3 activity in any process practice has been rated N or P, then set a level 2 target for the process.
3. For levels 4 and 5, do the same as in step 2 above.

The achievement rating (N/P/L/F) is determined by weighing the results obtained in the Consideration column:
1. Not (N) for achievement less than or equal to 15%;
2. Partially (P) for achievement between 15% and 50%;
3. Largely (L) for achievement between 50% and 85%;
4. Fully (F) for achievement of more than 85%.

The maturity level is determined by taking the lowest capability level among the core models in the Focus Area. For the overall governance system being implemented, the maturity level is the lowest capability level of the 28 core models used in the e-Government Security Governance System.

TABLE VIII. CULTURE, ETHICS AND BEHAVIOR APO13.01

Key Culture Elements: Establish a culture of security and privacy awareness that positively influences desirable behavior and the actual implementation of security and privacy policy in daily practice. Provide sufficient security and privacy guidance, designate security and privacy champions (including C-level executives, leaders in HR, and security and/or privacy professionals) and proactively support and communicate security and privacy programs, innovations and challenges.
Related Guidance: 1) ISO/IEC 27001:2013/Cor.2:2015(E); 2) Creating a Culture of Security, ISACA, 2011
Detailed Reference: 1) 7.3 Awareness; 2) Framework to achieve an intentional security aware culture (all chapters)

The designed system can be implemented through seven steps:
1. Build a commitment to measuring the maturity and capability of e-Government Security. In this phase, the main events, conditions, or problems that serve as a stimulus for carrying out the measurement are identified, and the leader creates the will to carry out the measurement.
2. Determine the current conditions. The initial stage of this phase is to determine the Focus Area for measurement.
3. Determine the expected conditions. After the initial process capability levels and Focus Area maturity level are known from the second phase, in the third phase the target process capability levels and target Focus Area maturity level need to be determined.
4. Determine the change activities. The change activities in this fourth phase are the activities that need to be carried out to achieve the target level determined in the third phase.
5. Carry out the change activities. The change activities specified in phase four will have no impact if they are not implemented.
6. Assess the conditions after implementing the change activities. After the activities in phase five have been carried out (or periodically within a certain period, for example one year), the capability and maturity of e-Government Security need to be measured again.
7. Follow up on the condition assessment. By comparing the resulting capability and maturity levels with the initial levels and with the targets set for the change activities, corrective steps can be taken.

To evaluate the designed system, the measurement tool shown in Table IX was given to six participants appointed in Badan XYZ. The scope of the design evaluation is the Information Security Focus Area, which consists of 14 core models. The participants then used the tool to determine the current capability and maturity level of Badan XYZ. The result of the measurement is that the capability level of every core model is 1 and the maturity level of the Information Security Focus Area is 1. For the evaluation criteria, the six participants rated that the purpose of the design model is clear, and that the designed system can be implemented and is needed in the organization. However, the language used in the design model is difficult to understand, so additional information must be added or the measurement must be done with assistance.
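The capability-level determination, the N/P/L/F thresholds and the "lowest capability in the Focus Area" maturity rule above, together with the comparison of current and target levels in steps 2, 3 and 7, as an added Python example. This is not code from the paper or from Badan XYZ; the process names, activity percentages and target levels are constructed sample data, and the treatment of the 50% and 85% boundaries is an assumption because the paper does not state which band those values fall in.

```python
"""Capability and maturity scoring for a COBIT 2019 Focus Area.

Added example, not part of the paper. Implements the N/P/L/F
achievement bands, the level-by-level capability determination and
the Focus Area maturity rule (lowest capability of its core models),
then compares current against target levels for a gap analysis.
"""
from typing import Dict, List, Tuple

NOT, PARTIAL, LARGE, FULL = "N", "P", "L", "F"


def achievement(percent: float) -> str:
    """Map a Consideration-column percentage to N/P/L/F.

    Bands from the paper: <=15% N, 15-50% P, 50-85% L, >85% F.
    Assumption (not stated in the paper): each band excludes its lower
    bound and includes its upper bound, so 50 -> P and 85 -> L.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be a percentage, got {percent}")
    if percent <= 15:
        return NOT
    if percent <= 50:
        return PARTIAL
    if percent <= 85:
        return LARGE
    return FULL


# Activity achievement percentages per capability level (2..5), with the
# activities of all practices of the process pooled into one list.
ProcessActivities = Dict[int, List[float]]


def capability_level(activities: ProcessActivities) -> int:
    """Capability level of one process.

    Level k is met only if every level-k activity is rated L or F. Levels
    are checked in order from 2 and the check stops at the first level not
    met. A process that fails level 2 gets level 1 (the paper's target for
    such a process), so 1 is the floor. A level with no activities listed
    cannot be assessed and is treated as not met.
    """
    level = 1
    for k in (2, 3, 4, 5):
        ratings = [achievement(p) for p in activities.get(k, [])]
        if ratings and all(r in (LARGE, FULL) for r in ratings):
            level = k
        else:
            break
    return level


def maturity_level(focus_area: Dict[str, ProcessActivities]) -> int:
    """Maturity of a Focus Area: the lowest capability level of its core models."""
    if not focus_area:
        raise ValueError("a Focus Area must contain at least one core model")
    return min(capability_level(acts) for acts in focus_area.values())


def gap_analysis(focus_area: Dict[str, ProcessActivities],
                 targets: Dict[str, int]) -> Dict[str, Tuple[int, int, int]]:
    """Steps 2, 3 and 7: (current level, target level, remaining gap) per process.

    A process without an explicit target is assumed to target its current level.
    """
    result: Dict[str, Tuple[int, int, int]] = {}
    for name, acts in focus_area.items():
        current = capability_level(acts)
        target = targets.get(name, current)
        result[name] = (current, target, max(target - current, 0))
    return result


# Constructed sample data (not the Badan XYZ measurement): three of the 14
# core models of the Information Security Focus Area with made-up figures.
SAMPLE_FOCUS_AREA: Dict[str, ProcessActivities] = {
    # Levels 2 and 3 fully/largely achieved, level 4 not -> capability 3.
    "APO13": {2: [90, 70, 88], 3: [60, 95], 4: [40, 20], 5: [0]},
    # Level 2 met; one level-3 activity only partially achieved -> capability 2.
    "DSS05": {2: [55, 86], 3: [30, 100], 4: [0], 5: [0]},
    # One level-2 activity at exactly 15% rates N, so level 2 fails -> capability 1.
    "EDM01": {2: [15, 70], 3: [0], 4: [0], 5: [0]},
}
SAMPLE_TARGETS = {"APO13": 4, "DSS05": 3, "EDM01": 2}

if __name__ == "__main__":
    for name, (cur, tgt, gap) in gap_analysis(SAMPLE_FOCUS_AREA, SAMPLE_TARGETS).items():
        print(f"{name}: capability {cur}, target {tgt}, gap {gap}")
    print("Focus Area maturity:", maturity_level(SAMPLE_FOCUS_AREA))
```

Because the maturity rule takes the minimum, a single core model stuck at level 1 (here EDM01, on the strength of one activity at the 15% boundary) pins the whole Focus Area at maturity 1 even though other models score higher; this is what the Badan XYZ result of capability 1 for every core model and maturity 1 for the Focus Area looks like in terms of the scoring, and it is why the gap per process, not only the Focus Area maturity, is the useful input to step 4.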
V. CONCLUSIONS

The research problem raised in this study is how to design an e-Government Security Governance System. The design uses COBIT 2019, a new framework launched in 2018. The design of the governance system in this study uses the Type 5 DRM methodology. From the RC step for setting goals, the Success Factors, Measured Success Factors and Key Factors are obtained. In the DS-I step for understanding, 28 core models out of the 40 core models in COBIT 2019 have been selected as part of the e-Government Security Governance System. Then, in the PS step, a governance system model has been created. For each core model in the e-Government Security Governance System there are six components, namely: Process and Information Flow; Organizational Structure; People, Skills and Competencies; Policy and Procedure; Culture, Ethics and Behavior; and Services, Infrastructure and Applications. Modelling the performance measurement system for this governance system is inherent in the Process and Information Flow component. In this component, the capability level and the output of the governance activities have been determined, so that it is easy to establish which achievements have or have not been carried out. For implementation, the Focus Area and the type of control level can be used to prioritize implementation. The maturity level can then be taken from the capability levels of the core models within the scope of the Focus Area or within the overall scope of e-Government Security.

From the results mentioned above, the Key Factors from RC have been included in the established governance system. The Measured Success Factors submitted in RC have also been answered by the performance management of the governance system. Because the Measured Success Factors have been fulfilled, the Success Factor of this research can also be said to be fulfilled. The next research that can be done is to design technical regulation for e-Government Security, such as the type of algorithm and key length.

REFERENCES

[1] S. Yingfa and Y. Hong, "The Risk Study of E-Governance Based on PEST Analysis Model," in International Conference on E-Business and E-Government, Guangzhou, China, 2010.
[2] X. Wenhua and Y. Jian, "E-Government and the Change of Government Management Mode," in International Conference on E-Business and E-Government, Guangzhou, China, 2010.
[3] H. Wang and J. Hou, "The External and Internal Barriers to E-Government Implementation," in International Conference on Management and Service Science, Wuhan, China, 2010.
[4] K. Sunassee, T. Vythilingum and R. K. Sungkur, "Providing improved services to citizens, a critical review of E-Government facilities," in 1st International Conference on Next Generation Computing Applications (NextComp), Mauritius, 2017.
[5] M. Alshehri and S. Drew, "Implementation of e-Government: Advantages and Challenges," in E-Activity and Leading Technologies 2010, Oviedo, Spain, 2010.
[6] M. Moon and E. Welch, "Same bed, different dreams?: a comparative analysis of citizen," in 37th Annual Hawaii International Conference on System Sciences, Big Island, USA, 2004.
[7] ISACA, COBIT 2019 Introduction and Methodology, Schaumburg: ISACA, 2018.
[8] D. I. Sensuse, A. Nasbey, Nordianto, R. Dewiyanti, R. Novira and M. F. Dzulfikar, "PeGI in practice: The e-Government assessment in National Library of Indonesia," in 5th International Conference on Cyber and IT Service Management (CITSM), Denpasar, Indonesia, 2017.
[9] J. K. Putri and D. I. Sensuse, "Obstacle Factor Analysis of E-Government Implementation at the Ministry of Tourism," in International Conference on Advanced Computer Science and Information Systems (ICACSIS), Yogyakarta, Indonesia, 2018.
[10] F. Palijama, S. Sumpeno and A. D. Wibawa, "Developing modified PeGI indicators for e-Government Ranking method," in 1st International Conference on Information Technology, Information Systems and Electrical Engineering (ICITISEE), Yogyakarta, Indonesia, 2016.
[11] F. A. Anza, D. I. Sensuse and A. Ramadhan, "Developing E-Government maturity framework based on COBIT 5 and implementing in city level: Case study Depok city and South Tangerang city," in 4th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI), Yogyakarta, Indonesia, 2017.
[12] L. T. Blessing and A. Chakrabarti, DRM, a Design Research Methodology, London: Springer, 2009.
[13] D. Napitupulu and D. I. Sensuse, "The Critical Success Factors Study for eGovernment Implementation," International Journal of Computer Applications, vol. 89, no. 16, pp. 23-32, 2014.
[14] D. Napitupulu and D. I. Sensuse, "Validity and reliability study for e-Government success factors," in International Conference on Cyber and IT Service Management (CITSM), Tangerang Selatan, Indonesia, 2014.
[15] D. Napitupulu and D. I. Sensuse, "Toward maturity model of e-Government implementation based on success factors," in International Conference on Advanced Computer Science and Information System, Jakarta, Indonesia, 2014.
[16] R. Meiyanti, M. Misbah, D. Napitupulu, R. Kunthi, T. I. Nastiti, D. I. Sensuse and Y. G. Sucahyo, "Systematic review of critical success factors of E-Government: Definition and realization," in International Conference on Sustainable Information Engineering and Technology (SIET), Malang, Indonesia, 2017.
[17] D. Napitupulu, D. I. Sensuse and Y. G. Sucahyo, "Critical success factors of e-Government implementation based on meta-ethnography," in 5th International Conference on Cyber and IT Service Management (CITSM), Denpasar, Indonesia, 2017.
[18] G. S. F. Surya and A. Amalia, "The critical success factors model for e-Government implementation in Indonesia," in 5th International Conference on Information and Communication Technology (ICoIC7), Malacca, Malaysia, 2017.
[19] D. Napitupulu and D. I. Sensuse, "Sosio-technical factors of E-Government implementation," in 4th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI), Yogyakarta, Indonesia, 2017.
[20] S. Yingfa and Y. Hong, "The Risk Study of E-Governance Based on PEST Analysis Model," in International Conference on E-Business and E-Government, Guangzhou, China, 2010.
[21] Z. Tang and X. Jia, "E-Government Risks Research Based on System Dynamics," in International Conference on Wireless Communications, Networking and Mobile Computing, Shanghai, China, 2007.
[22] ISACA, IT Control Objectives for Sarbanes-Oxley: Using COBIT 5 in the Design and Implementation of Internal Controls Over Financial Reporting, 3rd Edition, Rolling Meadows: ISACA, 2014.