Assessing Information Security Using COBIT 2019 and ISO 27001:2013 for Developing a Mitigation Plan

© 2023 by IJETT Journal
Volume-71 Issue-10
Year of Publication : 2023
Author : Elok Aflakhah, Benfano Soewito
DOI : 10.14445/22315381/IJETT-V71I10P221

How to Cite?

Elok Aflakhah, Benfano Soewito, "Assessing Information Security Using COBIT 2019 and ISO 27001:2013 for Developing a Mitigation Plan," International Journal of Engineering Trends and Technology, vol. 71, no. 10, pp. 223-237, 2023. Crossref, https://doi.org/10.14445/22315381/IJETT-V71I10P221

Abstract
One of the vulnerabilities organizations face against cyberattacks arises from the absence of standardized governance for information system security. This encompasses insufficient security policies and a lack of consistent security updates and monitoring. This study aims to evaluate and measure the information system security governance of the Directorate General of XYZ. The COBIT 2019 and ISO 27001:2013 frameworks are employed to strengthen the administration and safeguarding of information assets while establishing more robust and secure IT governance. The research methodology encompasses gathering data through interviews, observations, and analysis of pertinent security policy documents and information management practices. From this study, 12 specific information security domains are identified: EDM03, APO11, APO12, APO13, BAI06, BAI10, DSS02, DSS03, DSS04, DSS05, DSS06, and MEA03. The evaluation shows that the Directorate General of XYZ has not yet attained the targeted maturity level, set at level 5, which underscores the existing gaps in the organization's information system security governance. Based on the research findings, recommendations and a roadmap are proposed to rectify these information system security governance deficiencies. This initiative aims to elevate information security measures and curtail risks arising from threats such as cyberattacks, data breaches, and unauthorized access. Additionally, the organization's overall average maturity level, calculated at 3.07, further emphasizes the need for comprehensive enhancements in its information system security governance practices.

Keywords
COBIT 2019, Design factor, IT governance, Maturity level, Gap.
