Strategic Planning of Information System: Resume - COBIT PT. Kereta Api Indonesia


Strategic Planning of Information System
Resume – COBIT
PT. Kereta Api Indonesia

Group members:
Fernando Hermawan – 201850285
Yunisa – 201850383
Julianto – 201850386

Trisakti School of Management
Undergraduate Accounting Program (S1 Akuntansi)
About COBIT (Control Objectives for Information and Related Technology)
COBIT is an IT management framework developed by ISACA to help businesses develop,
organize and implement strategies around information management and governance.

COBIT 5.0 proposes 5 principles that guide governance of IT:

1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management

The framework also identifies seven aspects of governance that need to be in place in
order to support the five principles above:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies

COBIT 2019 has four main parts:

1. Introduction and Methodology. The 2019 update expands the governance guidelines and
includes capability maturity models together with a scored approach to evaluating how
well an organization's governance and management efforts are working.
2. Governance and Management Objectives. The 2019 update details the COBIT Core
Model and metrics for evaluating each of the model's 40 objectives.
3. Designing an Information and Technology Governance Solution. This new addition to
COBIT 2019 provides practical advice on how to tailor governance to meet a specific
organization's needs.
4. Implementing and Optimizing an Information and Technology Governance Solution. The
update provides details on how to use the Design Guide with the COBIT framework.

Benefits of COBIT
The COBIT 5 framework can help organisations of all sizes to:
• Improve and maintain high-quality information to support business decisions;
• Use IT effectively to achieve business goals;
• Use technology to promote operational excellence;
• Ensure IT risk is managed effectively;
• Ensure organisations realise the value of their investments in IT; and
• Achieve compliance with laws, regulations and contractual agreements.

Who uses COBIT to do their job?

Anyone applying for one of the following positions should become familiar with COBIT
and related governance frameworks:
• Chief Information Security Consultant
• Chief Information Security Officer (CISO)
• Director, Security Assurance
• GRC Consultant
• Information Assurance Analyst
• Information Security Administrator
• Information Security Assurance Analyst
• Infosec Risk Analyst
• IT Governance Analyst
• IT Security Engineer
• Principal Cybersecurity Manager
• Principal Information Assurance Officer
• Regional Information Security Analyst
• Risk Officer
• Security Systems Administrator
• Senior Director of Cybersecurity
• Senior GRC Analyst
• Senior Information Security Assurance Consultant
• Senior Information Security Risk Officer
• Senior IT Security Consultant
• Senior IT Security Operations Specialist
• Third-party Risk Management Compliance Analyst

[Figure: COBIT®5 Process Reference Model (© 2012 ISACA®)]

The figure above gives the code of each of the 37 processes in COBIT 5 and supports the
analysis of the data discussed below. For each COBIT process, the "Maturity Level" of the
management process can be evaluated on a scale of 0 to 5. The scale is roughly defined as
follows:
0 = Non-existent – Management processes are not applied at all.
1 = Initial/ad hoc – Processes are ad hoc and disorganized.
2 = Repeatable but intuitive – Processes follow a regular pattern.
3 = Defined – Processes are documented and communicated.
4 = Managed and measurable – Processes are monitored and measured.
5 = Optimized – Best practices are followed and automated.
Evaluation of Information Technology Governance Based on the COBIT Framework
(Case Study on PT Kereta Api Indonesia)
Evaluation of IT governance is needed to make sure that the investment made by an
organization is aligned with its business goals. Mapping PT Kereta Api Indonesia's business
goals to COBIT's business goals identified 30 IT Processes and 183 Control Objectives.
PT Kereta Api Indonesia has 4 processes at the Managed and Measurable level, 11 processes
at the Defined level, 13 processes at the Repeatable but Intuitive level and 2 processes at
the Ad hoc level.

Company Profile
PT Kereta Api Indonesia is the major operator of public railways in Indonesia. It is
completely owned by the government and pays track access charges to the government.

Vision
To be the best railway service provider by focusing on customer service and meeting
stakeholders' expectations.

Mission
Undertake the railway business and its supporting businesses through best practices and
the best organization model to create higher added value for stakeholders and environmental
preservation, based on four main pillars: Safety, Punctuality, Services, and Comfort.

PT KAI began to focus on developing the company's information technology system in
2010, when PT KAI carried out a massive transformation in the IT field that was outlined in
the 2011-2015 IT development master plan. In 2011 PT Kereta Api Indonesia (KAI) (Persero)
launched an application that monitors the entire IT network and infrastructure of PT KAI
and is integrated with the Network Operation Center (NOC). The application, named
MONALISA, gives a direct and comprehensive view of the entire network and infrastructure
in the Operations Areas (Daop), the Regional Divisions (Divre) and the Head Office of PT
KAI, so that if there is a disruption the NOC can repair it immediately. The application also
makes it easier to see how far the various IT network infrastructures are being used, which
was previously checked manually. Monalisa itself stands for "Monitoring Application
Infrastructure and Service Level Agreement (SLA)".
In addition, in 2011 PT Kereta Api Indonesia also began implementing Enterprise
Resource Planning with SAP. The modules used starting in 2011 included Finance and
Controlling (FICO) and Human Resources (HR). Also in 2011, PT KAI launched an online
ticket sales system called Rail Ticket System (RTS) to facilitate and simplify the process of
selling tickets to end-users.
In 2012 PT KAI implemented a number of other SAP modules, namely Material
Management (MM), Plant Maintenance (PM), Payroll and Case Management. After that, in
2013 PT KAI planned to implement the Sales & Distribution module and to expand the scope
of Plant Maintenance and Fund Management. PT KAI also uses Smartsheet as a tool for
implementing existing projects. In 2013, PT KAI was also pursuing IT security certification,
namely ISO 27002, and cooperated with a security consultancy in the framework of the
certification.
The following is a summary of the "Maturity Level" of the management processes of PT
Kereta Api Indonesia:

Plan and Organize

PO1 – Define a strategic IT plan – Level 4
PT KAI already has an IT Master Plan that contains a work plan and strategic investment
for IT development: for the long term it covers 5 years, and for the short term it is made
for a period of less than 1 year.

PO2 – Define the information architecture – Level 1
PT KAI does not yet have a standardized information architecture model in use.

PO3 – Determine technological direction – Level 2
PT KAI's management has designed the direction of the company's technology development.
This is marked by plans to add a company ERP module, to expand the company's IT
infrastructure and to obtain various ISO certifications in the field of information technology.

PO4 – Define the IT processes, organization and relationships – Level 2
PT KAI already has a clear division of tasks in the IT division, stated in the core tasks of
the IT division. In addition, information security is addressed by encrypting company
information.

PO5 – Manage the IT investment – Level 2
At PT KAI, management has determined IT investment priorities that are in accordance with
the company's budget. In addition, the budget for IT investment is determined by the board
of directors for each year. Planning of the use of IT investment funds is outlined in the
company's IT Master Plan.

PO6 – Communicate management aims and direction – Level 3
The management of PT KAI has actively communicated the application of IT between the
board of directors and the IT division. This is done through regular coordination and
evaluation meetings, both horizontally and vertically.

PO7 – Manage IT human resources – Level 3
At PT KAI there is a strategic approach to recruiting and managing IT personnel. An official
training plan has been established for IT HR. An employee rotation program has been
established in the framework of developing management and technical skills.

PO8 – Manage quality – Level 3
At PT KAI, management has implemented ISO 9001, which regulates the quality management
system of various divisions and facilities at the company. This shows that management has
realized the need for quality.

PO9 – Assess and manage IT risks – Level 1
At PT KAI, management, and especially the IT division, does not yet have a formal and
documented risk measurement.

PO10 – Manage projects – Level 1
At PT KAI there is already a picture and plan regarding IT development in the company,
described in the IT Master Plan. Even so, in project management there is no formal
framework; the company still uses the traditional approach in carrying out projects.

Average of Plan and Organize: 2,2

Acquire and Implement

AI1 – Identify automated solutions – Level 4
At PT KAI, the purchase or build plan for IT projects is prepared by the related business
process owner. This plan includes the cost, time and desired project specifications.

AI2 – Acquire and maintain application software – Level 3
At PT KAI, when the company decides to make or buy an application or IT device, the
requirements and specifications are given by the BPO team. These specifications and
requirements are consulted with the IT division and translated into a planned solution.

AI3 – Acquire and maintain technology infrastructure – Level 2
PT KAI has carried out regular maintenance and planning for infrastructure maintenance. At
the company's data center, every week the system is switched to the back-up system in
rotation to ensure that the backup system is working.

AI4 – Enable operation and use – Level 3
At PT KAI, to ensure that a newly implemented system or application can be used by
end-users, the IT division trains the users.

AI5 – Procure IT resources – Level 3
At PT KAI, IT procurement policies and procedures have been established, documented and
communicated. IT acquisition policies and procedures at PT KAI refer to the company's
overall business processes. IT management communicates the need for acquisition and
contract management through the IT functions.

AI6 – Manage changes – Level 2
At PT KAI there is already formal documentation regarding IT-related changes, covering
procedures, processes, policies and systems. Major system changes, for example the
implementation of SAP ERP, are carried out in accordance with the related system standards,
which cover project preparation and business blueprint through to go-live preparation.

AI7 – Install and accredit solutions and changes – Level 2
This cannot be discussed further, because for the testing of a system that affects the
operations of a large company, PT KAI hands the test environment and test procedures over
entirely to external parties and vendors that provide system procurement services.

Average of Acquire and Implement: 2,7

Deliver and Support

DS1 – Define and manage service levels – Level 4
At PT KAI, for the various IT services related to external and internal parties, management
sets a minimum SLA limit, namely reliability (99.9%). For external parties, IT management
conducts performance evaluations every month to ensure operational levels meet the
predetermined SLAs.

DS2 – Manage third-party services – Level 3
At PT KAI, services provided by third parties, such as RTS, networks and so on, already have
SLA documentation in the form of a formal agreement. This SLA agreement regulates
important matters such as minimum reliability of services, penalties if targets are not
reached and various other things.

DS3 – Manage performance and capacity – Level 3
At PT KAI, the determination of capacity and performance in the IT field has been
harmonized with forecasting of business needs. This is in accordance with the strategic
management of the company, which has taken into account various macro assumptions and
business developments. The IT Master Plan has been harmonized with the company's
strategic management.

DS4 – Ensure continuous service – Level 2
PT KAI already has several IT Continuity Plans for several vital infrastructures, such as
the data center, which has 2 offsite back-up storage sites located in Jakarta and BSD.

DS5 – Ensure systems security – Level 4
At PT KAI, the company has taken various information security measures. This can be seen
from the application of user access restrictions divided into 3 levels, the use of firewalls
in the corporate data center, encryption on mail servers, through to the adoption of ISO
27001 for information security standardization in accordance with international standards.

DS6 – Identify and allocate costs – Level 2
At PT KAI there are provisions and documentation regarding the costs of information
technology; the allocation of company IT costs is adjusted to business needs and the
implementation must be as planned.

DS7 – Educate and train users – Level 3
At PT KAI, IT management has conducted training both internally within the IT division and
for end-users, so that the operation of the system runs effectively. PT KAI already has
formal documentation and planning regarding user training and education; besides that, PT
KAI also routinely certifies IT personnel.

DS8 – Manage service desk and incidents – Level 2
At PT KAI there is already a help desk to assist end users if there are problems in the
system. There are SOPs and other documentation that help and direct the help desk in
dealing with common problems.

DS9 – Manage the configuration – Level 1
PT KAI does not yet have formal and documented configuration management.

DS10 – Manage problems – Level 2
At PT KAI the help desk identifies whether a problem happened due to a user error or a
system error. If a system error occurs in an application provided by an external vendor,
the problem is resolved with vendor assistance.

DS13 – Manage operations – Level 3
PT KAI has carried out several operations management activities, such as oversight of IT
infrastructure, measurement of reliability and fulfilment of SLAs, and standardization and
SOP documentation related to the operation and maintenance of infrastructure.

Average of Deliver and Support: 2,6

Monitor and Evaluate

ME1 – Monitor and evaluate IT performance – Level 3
PT KAI has conducted supervision and performance measurement for several IT services. The
SLA level of the various IT infrastructures is monitored by an integrated system, personnel
evaluation is carried out in accordance with KPIs, and a balanced scorecard approach has
been developed for performance measurement.

ME4 – Provide IT governance – Level 2
One of PT KAI's goals is the application of corporate governance, which includes
information technology governance. This can be seen in the establishment of an audit
committee in 2012, the formation of an IT Steering Committee and changes in the company's
organizational structure. The company's strategic planning has also been set out in the
company's RJPP, and the BSC approach has been used to map the company's objectives along
with KPIs.

Average of Monitor and Evaluate: 2,5

Average of All Domains: 2,51

PT KAI's maturity levels as a whole are at the Repeatable but intuitive level as shown in
table 4.16 which is worth 2.51, where the process has been developed to the extent that a
similar procedure can be carried out by everyone for the same task. There is no formal
training or communication regarding standard procedures, and responsibility is left to
individuals. There is a high dependence on individual knowledge so that the possibility of
error increases.
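As an added example, not part of the original summary or of Sudibyo's thesis, the following Python recomputes the domain averages, the distribution of processes across maturity levels, and the low-maturity processes the conclusion says management should focus on, from the per-process scores transcribed from the table above (process ids and scores as given there; the maturity scale is the 0–5 scale defined earlier).

```python
"""Aggregate COBIT maturity scores per domain (added example, not from the paper)."""
from collections import Counter
from statistics import mean

# Maturity scale as defined on the page (0 = non-existent ... 5 = optimized).
LEVEL_NAMES = {
    0: "Non-existent", 1: "Initial/ad hoc", 2: "Repeatable but intuitive",
    3: "Defined", 4: "Managed and measurable", 5: "Optimized",
}

# Per-process maturity scores transcribed from the PT KAI table on this page.
SCORES = {
    "PO1": 4, "PO2": 1, "PO3": 2, "PO4": 2, "PO5": 2,
    "PO6": 3, "PO7": 3, "PO8": 3, "PO9": 1, "PO10": 1,
    "AI1": 4, "AI2": 3, "AI3": 2, "AI4": 3, "AI5": 3, "AI6": 2, "AI7": 2,
    "DS1": 4, "DS2": 3, "DS3": 3, "DS4": 2, "DS5": 4, "DS6": 2,
    "DS7": 3, "DS8": 2, "DS9": 1, "DS10": 2, "DS13": 3,
    "ME1": 3, "ME4": 2,
}


def domain_of(process_id):
    """'PO10' -> 'PO': the domain is the leading alphabetic prefix."""
    return process_id.rstrip("0123456789")


def domain_average(domain, scores=SCORES):
    """Mean maturity of one domain, rounded to one decimal like the table."""
    values = [s for p, s in scores.items() if domain_of(p) == domain]
    return round(mean(values), 1)


def overall_average(scores=SCORES):
    """Mean over all assessed processes, rounded to two decimals."""
    return round(mean(scores.values()), 2)


def level_distribution(scores=SCORES):
    """How many processes sit at each maturity level."""
    return dict(Counter(scores.values()))


def focus_processes(scores=SCORES, threshold=2):
    """Processes at or below the threshold: the ad hoc and repeatable-but-intuitive
    processes the conclusion singles out as the first ones to improve."""
    return sorted(p for p, s in scores.items() if s <= threshold)


if __name__ == "__main__":
    for d in ("PO", "AI", "DS", "ME"):
        print(f"{d}: {domain_average(d)}")
    print("all domains:", overall_average())
    for lvl, n in sorted(level_distribution().items()):
        print(f"level {lvl} ({LEVEL_NAMES[lvl]}): {n} processes")
    print("focus first:", ", ".join(focus_processes()))
```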

Conclusion:
a) The application of information technology governance at PT KAI, based on measuring the
level of maturity, is at the level of 2.55, the Repeatable but intuitive level, where the
process has been developed to the stage that similar procedures can be carried out by
everyone for the same task. There is no formal training or communication regarding
standard procedures, and responsibility is left to individuals. There is a high dependence
on individual knowledge, so that the possibility of error increases.
b) Based on the results of the mapping of PT KAI's business objectives to the COBIT
business objectives, 30 IT Processes and 183 Control Objectives were identified at PT KAI.
The identified IT Processes and Control Objectives must be taken into account by the
company in carrying out information technology governance.
c) At PT KAI there are 4 processes at the Managed and Measurable level, 11 processes at
the Defined level, 11 processes at the Repeatable but intuitive level and 4 processes at
the ad-hoc level. To improve the effectiveness of corporate information technology
governance, management can focus on the IT processes that are still low (at the ad-hoc and
Repeatable but intuitive levels).

Suggestions for the company include:

a) The company should apply cost management. This makes it easier for the company to
track and identify costs both at the operational level and when implementing company
projects, which helps the effectiveness of the company, especially in the cost factor, and
supports better control of costs.
b) The company can adopt an information architecture framework that is in line with
international standards, such as TOGAF, the Zachman Framework and SAP-EAF. In this case
the company's best choice is to integrate the SAP-EAF information architecture, because
the company uses SAP ERP.
c) The company should adopt more modern project management to facilitate project
monitoring and evaluation. This can streamline the company's planning, budgeting,
implementation and evaluation steps.
d) Create an architecture board or IT strategy committee within company management to
support the process of managing information technology in the company.
e) Create an internal test environment to test IT systems before they are put into use.
f) Define the company's risk appetite and communicate it to all levels of management to
ensure that all employees are aware of the company's level of risk.

References:

Sudibyo, Suryawan. (2013). Evaluasi Tata Kelola Teknologi Informasi Berdasarkan COBIT
Framework (Studi Kasus di PT Kereta API Indonesia). Skripsi, Fakultas Ekonomi, Universitas
Indonesia.

ISACA. (2019). COBIT 2019 Framework: Introduction and Methodology.

TechTarget. COBIT. https://searchsecurity.techtarget.com/definition/COBIT

PT Kereta Api Indonesia (Persero). (2016). Laporan Tahunan 2016.
