Transcription
Journal of Theoretical and Applied Information Technology20th February 2014. Vol. 60 No.2 2005 - 2014 JATIT & LLS. All rights reserved.ISSN: 1992-8645www.jatit.orgE-ISSN: 1817-3195CONCEPTUAL MODEL OF IT GOVERNANCE FOR HIGHEREDUCATION BASED ON COBIT 5 FRAMEWORKHERU NUGROHOTelkom University, Telkom Applied Science School, Department of Information Technology, BandungE-mail: herunugroho@telkomuniversity.ac.id, hro@politekniktelkom.ac.idABSTRACTEffective governance in an organization does not happen by coincidence. The success of implementingeffective governance in an organization associated with the right pattern or fit for the organization so thatthey can be a complement or supplement of organization's strategic focus. Information technology (IT)governance is not a static concept but rather processes inherent in the organization. Decentralizedorganizations such as a university need a regular review to renew the IT governance structure to takeaccount of changing business and technological environment. However, the mechanism IT governance inan organization will depend on the characteristics and needs of the organization. ISO/IEC 38500 help thepeople at the highest levels in the organization to understand and fulfill their legal obligations, regulationsand ethics in relation to the use of IT in their organizations by providing key principles. COBIT 5framework provides guidance how IT governance should be built by taking into account the area ofenterprise governance and management of governance areas that both have their roles within the scope ofIT governance. Conceptual model of IT governance is built based on the main principles that should exist inthe process of governance with COBIT 5 framework guide as a reference how the governance of IT must beorganized with attention to area governance and management areas, each rendered in a particular domain sothat it will be a guide for higher education for developing IT blueprint that not only seen as supporting theIT aspects of academic and non-academic activities but look at the overall aspects of the scope of universitygovernance.Keywords: ISO/IEC 38500, IT Governance, COBIT 5 Framework, University Governance, key Principles1.strategic objectives and good management in linewith expectations.INTRODUCTIONAs happens in most organizations, informationtechnology become part of a higher educationinstitution. The challenge is how to understand ITgovernance and implement governance structurethat is expected with the potential of IT can berealized. The importance of enterprise governanceand IT governance has been recognized based onthe results of several studies. Governance,organization, and leadership in the top 10 top ITissues related to the university's strategic success.Enterprise governance is a term that appears todescribe a framework that includes corporategovernance and business management aspects of anorganization. [1]. The achievement of goodgovernance relating to enterprise strategies and theachievement of performance measures, allowing theenterprise focus on what will be the key drivers ofthe business in the future. Enterprise governance isan overall picture of the aspects of management andgovernance with the goal is achieved alignmentFigure 1: The enterprise governance framework [1]Scope of enterprise governance is accountabilityframework across the organization includes twodimensions, conformance or corporate governanceand performance or business governance.Compliance or conformance covering issuesrelating to corporate governance such as the role of216
Journal of Theoretical and Applied Information Technology20th February 2014. Vol. 60 No.2 2005 - 2014 JATIT & LLS. All rights reserved.ISSN: 1992-8645www.jatit.orgCEO, the role and composition of the board ofdirectors, control assurance, and risk managementto compliance. Performances include things thatwill be faced by the enterprise forward with a focuson strategy and value creation.The second dimension indicates that the role ofenterprise governance is to provide a unifiedframework to balance and maintained both of them.It will certainly be obtained through an increasedfocus on value creation as the driving organizationforward and the proper maintenance and adequatecontrol. Organization that is able to maintainstability of performance and compliance have longterm prospects are better [4].Based on the two dimensions, enterprisegovernance framework is built and its functionsrelated there, including information technology(IT). It means that IT governance as part ofenterprise governance integration can’t be separatedfrom the other enterprise functions (finance,marketing, etc.) so that the IT governance must beable to reflect the principles of IT governance notonly widely view as part of IT, but also attachedoverall of the enterprise. This justification has to beone of the triggers why in COBIT 5 framework, ITgovernance is not only seen as part of themanagement function but also part of the overallenterprise governance functions.2.IT GOVERNANCE AND ENTERPRISEGOVERNANCEIT Governance is a part of enterprise governance.Mechanism of IT governance in an organizationwill depend on the characteristics and needs of theorganization. ISO/IEC 38500 help the people at thehighest levels in the organization to understand andfulfill their legal obligations, regulations and ethicsin relation to the use of IT in their organizations byproviding key principles2.1 IT GovernanceAs the highest educational institution inIndonesia, university is expected to be a role modelin the implementation of good universitygovernance. Some of the reasons underlying it is asymbol of the value of higher education as well asthe guardian of values. There was nothing theinstitution or agency that has the resources in thiscase are very superior knowledge as there is inuniversity , the university portion of the budget inministry of education and culture of Indonesia isvery large achieve 50.7 percent.[13]E-ISSN: 1817-3195IT governance is part of corporate governance. ITgovernance involves an evaluation form and directsthe use of IT to support and monitor the use of theorganization in order to achieve the expected goal.IT Governance will include strategies and policiesfor using IT within an organization [6]. ITgovernance is part of corporate governance andresponsibility of the board of directors andexecutive management which included leadershiporganizational structure and processes to ensurethat the IT organization is able to support andexpand the organization's strategies and objectives[9].IT governance as a framework for decisionmaking and accountability to encourage behavior inthe use of information technology is expected [12].IT governance as an organizational capacity is doneby the board, executive management and ITmanagement with the goal of controlling theimplementation of the IT strategy with the hope ofintegration between business and IT [11].Effective governance in an organization doesnot happen by coincidence. The success ofimplementing effective governance in anorganization associated with the right pattern or fitfor the organization so that they can be acomplement or supplement the organizationsstrategic focus. IT governance is not a staticconcept but rather the processes inherent in theorganization.Decentralized organizations such as universitiesneed a regular review to renew the IT governancestructure to take account of changing business andtechnologicalenvironment.However,themechanism IT Governance in an organization willdepend on the characteristics and needs of theorganization [5].2.2 ConceptualModelforGovernance of Higher EducationEnterpriseEnterprise governance for higher education can beseen as arrangements that include variousuniversity assets in order to support the strategy inachieving the goals and objectives of theorganization. University asset in this case is thehuman resource, financial, physical facilities,intellectual property rights, information technology,and collaboration.Information technology is an inseparable part ofthe effort to implement good university governance.217
Journal of Theoretical and Applied Information Technology20th February 2014. Vol. 60 No.2 2005 - 2014 JATIT & LLS. All rights reserved.ISSN: 1992-8645www.jatit.orgThe soundness of university can be seen from howthe governance run by universities to achieve thegoals and objectives that were defined as part ofaccommodating the interests of both internal andexternal stakeholders. The conceptual model forenterprise governance of higher education can beseen in Figure 2.Figure 2: Conceptual Model of Enterprise Governance inHigher Education [3]University establish goals and objectives to beachieved based on the needs of stakeholders. Thenecessarily goals and objectives should be in linewith the vision and mission of university is usuallystated in the statute. To achieve the goals andtargets, university requires a set of organizationalstructures that contain specific tasks and functions.To achieve the goals and objectives of theuniversity are usually set strategy outlined in thestrategic plan document.Strategy formulated is also expected to encouragefunctional units and their personnel were includedto work in accordance with the strategic directionof management. To ensure that the strategy setproduces the desired behavior, it is necessary tocontrol, monitoring, and evaluation functions.Control, monitoring, and evaluation functionsdesigned to ensure the achievement of theseprocesses through several of Tridharma activities(teaching, research, and community service) in aneffective and accountable.E-ISSN: 1817-3195the game and keep harmonization between theplayers and coach who provide strategic directionchosen.2.3 IT Governance in ISO 38500The objective of ISO 38500 is to provide a structureof principles for directors (including owners, boardmembers, directors, partners and senior executives)to use when evaluating, directing and monitoringthe use of IT in their organizations. This standardprovides a structure for effective governance of ITto assist those at the highest level of organizationsto understand and fulfill their legal, regulatory andethical obligations regarding their organizations’use of IT. The scope of the standard is to provideguiding principles for directors of organizations onthe effective, efficient and acceptable use of ITwithin their organizations. It is applicable for allorganizations, from the smallest to the largest,regardless of purpose, design or ownershipstructure [2].IT is not getting sufficient coverage in theboardroom or at executive meetings. Discussionson IT are viewed as complex and are at the wronglevel. There is a need to talk about the use oftechnology, not the technology itself, e.g.,improved productivity as opposed to the latestversion of technology. IT governance is also givenlip service at higher levels in the organization. Eventhough the board and executives outwardly supportIT governance initiatives [2].The standard sets out six principles for goodcorporate governance of IT. The principles expresspreferred behavior to guide decision making. Thestatement of each principle refers to what shouldhappen, but does not prescribe how, when or bywhom the principles would be implemented; theseaspects are dependent on the nature of theorganization implementing the principles. It issimilar to a capability maturity model description ofan ideal state. Each of the principles is then tiedinto the model to provide a best practice for eachprinciple [2].The role of IT governance is to provide aframework for all the efforts made by university toachieve the desired goals. As an analogy to afootball team, to win in every game, a team notonly requires hard work and concentration duringthe game but also establish the right strategy andthe corresponding formation, and choosing the rightplayers to face the characteristics of opponents in218
Journal of Theoretical and Applied Information Technology20th February 2014. Vol. 60 No.2 2005 - 2014 JATIT & LLS. All rights reserved.ISSN: 1992-8645www.jatit.orgE-ISSN: 1817-31953. COBIT 5 FRAMERWORK3.1. IntroductionInformation is a key resource for all enterprises,and from the time that information is created to themoment that it is destroyed, technology plays asignificant role. Information technology isincreasingly advanced and has become pervasive inenterprises and in social, public and businessenvironments.Figure 3: ISO/IEC 38500:2008 Model for CorporateGovernance of ITThe following are the six principles for enterpriseIT governance can be applied to the majority oforganizations. These principles indicate that thepreferred behavior to aid the decision makingprocess. Statement on each principle refers to whatis supposed to happen, but does not include, whenor by whom these principles should beimplemented. These include the six principles [5]1. Principle 1: Responsibility2. Principle 2: Strategy3. Principle 3: Acquisition4. Principle 4: Performance5. Principle 5: Conformance6. Principle 6: Human BehaviorThere are three main task of directors in ITgovernance at the international standard ISO / IEC38500-2008.1. Evaluate2. Direct3. MonitorThe role of top level management is providingguidance in the form of planning and implementingpolicies in IT-related business processes.Management also evaluates related activities arecarried out with the involvement of IT. Thisevaluation will conclude with performanceevaluation and compliance with existing regulationsand policies as part of the monitoring process. Thisprocess is necessary to ensure that activities arecarried out in line with the organization's vision andmission that has been set [6].Over the past decade, the term ‘governance’ hasmoved to the forefront of business thinking inresponse to examples demonstrating the importanceof good governance and, on the other end of thescale, global business mishaps. Successfulenterprises have recognized that the board andexecutives need to embrace IT like any othersignificant part of doing business. Boards andmanagement—both in the business and ITfunctions—must collaborate and work together, sothat IT is included within the governance andmanagement approach. In addition, legislation isincreasingly being passed and regulationsimplemented to address this need.COBIT 5 provides a comprehensive framework thatassists enterprises in achieving their objectives forthe governance and management of enterprise IT.Simply stated, it helps enterprises create optimalvalue from IT by maintaining a balance betweenrealizing benefits and optimizing risk levels andresource use. COBIT 5 enables IT to be governedand managed in a holistic manner for the entireenterprise, taking in the full end-to-end businessand IT functional areas of responsibility,considering the IT-related interests of internal andexternal stakeholders. COBIT 5 is generic anduseful for enterprises of all sizes, whethercommercial, not-for-profit or in the public sector[6].3.2. COBIT 5 Process Reference ModelCOBIT 5 is not prescriptive, but it advocates thatenterprises implement governance and managementprocesses such that the key areas are covered. Anenterprise can organize its processes as it sees fit, aslong as all necessary governance and managementobjectives are covered. Smaller enterprises mayhave fewer processes; larger and more complexenterprises may have many processes, all to coverthe same objectives.219
Journal of Theoretical and Applied Information Technology20th February 2014. Vol. 60 No.2 2005 - 2014 JATIT & LLS. All rights reserved.ISSN: 1992-8645www.jatit.orgE-ISSN: 1817-3195Each domain contains a number of processes.Although, as described previously, most of theprocesses require ‘planning’, ‘implementation’,‘execution’ and ‘monitoring’ activities within theprocess or within the specific issue being addressed(e.g., quality, security), they are placed in domainsin line with what is generally the most relevant areaof activity when looking at IT at the enterprise level[7].4.Figure 4: COBIT 5 Governance and Management KeyAreasCOBIT 5 includes a process reference model,which defines and describes in detail a number ofgovernance and management processes. Itrepresents all of the processes normally found in anenterprise relating to IT activities, providing acommon reference model understandable tooperational IT and business managers. Theproposed process model is a complete,comprehensive model, but it is not the only possibleprocess model. Each enterprise must define its ownprocess set, taking into account its ON BASE ONFRAMEWORKOFITHIGHERCOBIT 5The COBIT 5 process reference model divides thegovernance and management processes ofenterprise IT into two main process domains:Conceptual model described in the previous sectionillustrates that enterprise governance at a highereducation effort to achieve the goals and objectives(business goal) from the universities. Based on theLaw of the Republic of Indonesia Number 12 Year2012 on Higher Education chapter 5, university as aform of higher education in Indonesia has goal asfollows:1. Development students potential to become aman of faith and fear of God Almighty andnoble, healthy, knowledgeable, skilled, creative,independent, skillfully, competent, and culturedfor the benefit of the nation.2. Produce graduates who master branch ofScience and or Technology to meet the ess.3. Generate Science and Technology through theresearch that takes into account and apply theHumanities value for the benefit of the nation'sprogress, and the progress of civilization andhuman welfare.4. Realizing Community Service-based reasoningand research works that are useful in promotingthe general welfare and national life.1. Governance,containsfivegovernanceprocesses; within each process, evaluate, directand monitor (EDM) practices are defined.2. Management, contains four domains, in linewith the responsibility areas of plan, build, runand monitor (PBRM), and provides end-to-endcoverage of IT. These domains are an evolutionof the COBIT 4.1 domain and process structure.The names of the domains are chosen in linewith these main area designations, but containmore verbs to describe them: Align, Plan andOrganize (APO), Build, Acquire and Implement(BAI), Deliver, Service and Support (DSS),Monitor, Evaluate and Assess (MEA).From this goal of university that set out in thelegislation, basically a university goal cannot beseparated from its function to realize the threeresponsibilities of universities, education andteaching, research, and community service.University governance is basically an effort tomaintain the balance of goal relating toconformance and performance that have beendirected by the board in the senate and assemblytrustee. COBIT 5 framework is used to buildmodels of IT governance in Higher Educationprovides guidance on how it should be managed torealize the benefits of IT, resource optimization,and risk optimization.Incorporating an operational model and a commonlanguage for all parts of the enterprise involved inIT activities is one of the most important andcritical steps towards good governance. It alsoprovides a framework for measuring andmonitoring IT performance, providing ITassurance, communicating with service providers,and integrating best management practices.220
Journal of Theoretical and Applied Information Technology20th February 2014. Vol. 60 No.2 2005 - 2014 JATIT & LLS. All rights reserved.ISSN: 1992-8645www.jatit.orgE-ISSN: 1817-3195Enterprise Governance ofHigher EducationREFRENCES:Corporate GovernanceBusiness GovernanceIT Governance in Higher EducationGovernanceGovernance Area1. Evaluate2. Direct3. MonitorPrinciples6 Key Principles1. Responsibility2. Strategy3. Acquisition4. Performance5. Conformance6. Human BehaviorMangementManagement Area1. Plan (APO)2. Build (BAI)3. Run (DSS)4. Monitor (MEA)IT re 5: Purposed Model of IT Governance for HigherEducationIT governance is basically constructed basedgovernance principles contained in the documentISO 38500, namely responsibility, strategy,acquisition, performance, conformance, and humanbehavior. These principles should run well forgovernance practices or management practices.Governance practices consist process evaluate,direct, monitor (EDM) and management practicesconsist process plan (APO), build (BAI), run(DSS), and monitor (MEA). Processes contained inthe governance or management area must meet sixkey principles previously described governance andIT organizations in it must complied with theprocesses that have been established.This proposed model illustrates how IT governanceshould construct alignedwith enterprisegovernance. It means that IT governance is nolonger purely the responsibility of the IT unit butbecame an integral part of university so thatcorporate governance relating to conformance canbe run with better and business governance relatingto performance are also able to produce somethinguseful for university. The implementation of thekey principles in the IT governance process willensure that every step taken in line with the visionand mission of the college stakeholder needs.[1] Connell. B, “Enterprise Governance: Gettingthe Balance Right”, London: CIMA/IFAC,2004.[2] Sylvester, Delton (2011), ISO 38500—WhyAnother Standard. COBIT Fokus Volume 2,April 2011. ISACA[3] Direktorat PAK, Ditjen.Dikti (2003) : BukuPedoman Penjaminan Mutu Pendidikan , Ditjen Dikti. PedomanPenjaminan Mutu (Quality Assurance)Pendidikan Tinggi. Buku X: Tata Kelola.[4] Hamaker, Stacey and Hutton, Austin (2005) :Enterprise Governance and the Role of IT.Information Systems Audit and ControlAssociation.[5] Hicks, Michael; Pervan, Graham; and Perrin,Brian, "A study of the review and improvementof IT governance in Australian universities"(2012). CONF-IRM 2012 Proceedings. Paper22.[6] International Organization for Standardization(ISO), ISO/IEC 38500:2008, Corporategovernance of information technology,Switzerland, 2008.[7] ISACA, COBIT 5 Framework. IL, USA:ISACA, 2012[8] IInternational Organization for Standardization(ISO), ISO/IEC 38500:2008. (2008). CorporateGovernance of Information Technology[9] The IT Governance Institute. (2004) BoardBriefing on IT Governance. IT GovernanceInstitute[10] Undang-Undang Republik Indonesia Nomor 12Tahun 2012 Tentang Pendidikan Tinggi.[11] Van Gembergen, Wim. (2004) Strategies ForInformation Technology Governance, IdeaGrup Inc[12] Weill, P., Ross, J.W. (2004) IT Governance,Harvard Business School Press, BostonMassachusetts[13] http://kampus.okezone.comGovernance functions will be translated in the formof evaluate, direct, and monitor the pressure thatwill accommodate business and stakeholderrequirements that can be translated into thedevelopment plans in the area management. In themanagement area, the direction of governance willbe translated in the form of planning, development,implementation, and internal evaluation.221
Copyright of Journal of Theoretical & Applied Information Technology is the property ofJournal of Theoretical & Applied Information Technology and its content may not be copiedor emailed to multiple sites or posted to a listserv without the copyright holder's expresswritten permission. However, users may print, download, or email articles for individual use.
CONCEPTUAL MODEL OF IT GOVERNANCE FOR HIGHER EDUCATION BASED ON COBIT 5 FRAMEWORK HERU NUGROHO Telkom University, Telkom Applied Science School, Department of Information Technology, Bandung . similar to a capability maturity model description of an ideal state. Each of the principles is then tied into the model to provide a best practice for .
