
IT Governance

My name is ____. I just graduated this November from ___. I had 1 year of experience as an intern at ____ in IT planning, where our job was to act as a regulator for the company and make sure that the planning from the Head of IT and the business goals are aligned, and that every strategy and project follows our governance and the law. My day-to-day work is budgeting, fulfilling OJK and BI reports, implementing COBIT 5 and helping IT audit gather evidence. In my spare time I usually learn about IT through free courses such as cybersecurity and IT audit and governance. I take those courses because, in my opinion, those things are similar and complement each other to strengthen the IT core.

1. IT Governance is defined as a collection of tools, processes, and methodologies that enable an organization to align its business strategy and goals with its IT services, infrastructure and environment. IT governance is a formal framework that provides a structure for aligning IT strategy with business strategy, and for organizations to ensure that IT investments support business objectives. IT governance ensures that investment in IT generates value and rewards, and that IT-associated risk is mitigated, avoiding failure. Good IT governance aligns the business strategically to support the evolution of an enterprise architecture, allowing it to deliver consistent and scalable business value. It focuses on performance and risk management, with special attention to metrics definition, rigorous process, cost transparency and objectives control. It helps measure the business's growth and success, including its financial health.
IT Risk is anything that can impact the confidentiality, integrity, or availability of an asset.
Think of a risk as the likelihood of a threat occurring. An example of a risk to an organization
might be the lack of backup protocols for making sure its stored information can be
recovered in the event of an accident or security incident.
IT Compliance is the practice of ensuring that an organization meets all applicable laws, regulations, and standards related to its use of information technology. IT compliance is primarily concerned with meeting external requirements. It involves adhering to a specific set of rules and regulations, such as HIPAA, PCI DSS (the Payment Card Industry Data Security Standard, a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information), or GDPR.

2. OJK regulations require IT to have an IT Steering Committee that meets every month. It will be audited by OJK, and the report contains IT performance.

3. The importance of IT Governance

4. Enterprise Risk Management

Governance matters because it defines the roles and responsibilities of each individual in the company. IT governance ensures that IT decisions and investments are aligned with the business. It also serves to improve IT performance.

5. IT Management and IT Governance

6. What IT GRC does:
• Identify and assess risk
• Compliance (checking the compliance already achieved)
• Gap analysis of security controls (reviewing the security controls already in place and making sure they work properly)
• Policies, standards and processes (creating and reviewing policies, standards and processes)
• Reporting (reporting findings)
• Align IT strategy with business strategy: IT should not be an independent entity within an organization. Its goals and objectives should be aligned with the overall business strategy to ensure it provides value to the company.
• Define clear roles and responsibilities: It's crucial to clearly define who is responsible for what within IT governance. This includes roles for executives, IT staff, and other stakeholders.
• Establish effective communication and collaboration: Effective communication across all levels of the organization is essential for successful IT governance. This includes regular meetings, reports, and updates.
• Develop and implement IT policies and procedures: Clear and concise policies and procedures provide guidance for IT staff and help ensure compliance with regulations.
• Monitor and measure IT performance: Regularly monitor and measure the performance of IT systems and services to identify areas for improvement.
• Conduct regular audits and reviews: Regularly audit and review IT governance practices to identify any weaknesses and make necessary improvements.

7. Day-to-Day Work of IT Governance:

• Review and update IT policies and procedures: As technology and regulations evolve, it's important to regularly review and update IT policies and procedures to ensure they remain effective.
• Monitor IT security and compliance: IT governance teams play a vital role in ensuring the organization's IT systems and data are secure and compliant with regulations.
• Manage IT risks: Identifying, assessing, and mitigating IT risks are essential for protecting the organization from cyberattacks and other threats.
• Oversee IT projects: IT governance teams often oversee the planning, execution, and monitoring of IT projects to ensure they are completed on time, within budget, and meet the organization's needs.
• Provide reports and updates to stakeholders: Regularly provide reports and updates to executives and other stakeholders on the performance of IT and any issues or risks that need to be addressed.
• Stay up-to-date on industry trends and best practices: IT governance teams should stay up-to-date on the latest industry trends and best practices to ensure they are using the most effective methods for managing the organization's IT resources.

8. Frameworks:
• COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing the level of risk and resource use. COBIT 5 enables interrelated information and technology to be governed holistically for the whole enterprise, taking in the full business and functional areas of responsibility and considering the IT-related interests of internal and external stakeholders. Processes I have implemented:
  o Ensure Benefit Delivery
  o Manage budget and cost
  o Manage program and project
• NIST CSF for cybersecurity and how to manage and prevent cyberattacks
• NIST RMF for managing and preventing risk
• ISO 27001 is the international standard for information security management. The standard provides a comprehensive framework for designing, implementing, managing and maintaining an information security management system (ISMS). ISO/IEC 27001 helps organizations identify, manage and reduce the information security risks they may face in their day-to-day operations.
• ITIL stands for Information Technology Infrastructure Library, a framework that provides guidance and best practices in IT Service Management (ITSM). ITIL focuses on delivering IT services that are efficient, effective and aligned with business needs. It provides a set of standardized practices that can help organizations manage IT services better. The framework covers a range of processes and functions, including incident management, change management, capacity management, configuration management, service management, and others.
A framework serves as a tool to measure the results of achieving the organization's strategy and objectives.
9. COBIT 5

The five principles of COBIT 5:

1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
The scope of governance is Evaluate, Direct and Monitor.

10. ITIL
ITIL provides guidance that organizations can adopt to improve the management of their IT services, focusing on aspects such as:
• Service Strategy: developing a strategy to achieve business objectives by leveraging IT services.
• Service Design: designing effective and efficient IT services that meet business needs.
• Service Transition: managing change and the transition of new or updated services into the production environment.
• Service Operation: running and supporting IT services day to day.
• Continual Service Improvement: continuously improving the efficiency and effectiveness of IT services through monitoring and evaluation.
ITIL is often used by organizations to improve their IT service management and optimize the use of IT resources. Many organizations, especially in business and the public sector, have adopted ITIL principles as part of their management practices.
11. ISO 27001
ISO/IEC 27001 covers a number of main components that form the basis of this information security management standard. Some of the main components of ISO/IEC 27001:
• Information Security Policy: the organization is expected to have a clear, documented information security policy. The policy must include management's commitment to information security.
• Risk-Based Approach: ISO/IEC 27001 uses a risk-based approach to identify, assess and manage information security risks. This involves determining the risks, determining the acceptable level of risk, and applying appropriate security controls.
• Risk Assessment: the organization is expected to carry out a risk assessment of its information assets. This includes identifying threats, vulnerabilities and the potential impact of a loss of confidentiality, integrity or availability of information.
• Asset Management: ISO/IEC 27001 emphasizes the management of information assets, including identification, ownership and protection of those assets. This covers managing changes related to information assets.
• Physical and Environmental Security: the standard covers protection against unauthorized physical access to, or damage to, equipment and facilities that could affect information security.
• Access Management: access controls to systems and information must be implemented and strictly supervised. This covers managing access rights, authentication, and monitoring of user activity.
• Communications Security: ISO/IEC 27001 requires protection of communications, including encryption of information sent over networks.
• Security Incident Management: the organization is expected to have processes to detect, report, respond to and recover from information security incidents.
• Supplier Management: if the organization uses external service providers, ISO/IEC 27001 requires management of the information security risks associated with using those providers.
• Continual Improvement: a continual improvement cycle must be implemented, involving ongoing evaluation and improvement of the ISMS's effectiveness.
These components create a holistic framework for information security management in an organization, helping to identify, reduce and manage information security risks in a structured and effective way.

12. Risk is anything that can impact the confidentiality, integrity, or availability of an asset.
Think of a risk as the likelihood of a threat occurring. An example of a risk to an organization
might be the lack of backup protocols for making sure its stored information can be
recovered in the event of an accident or security incident.

13. Manage Risk


• Acceptance: Accepting a risk to avoid disrupting business continuity
• Avoidance: Creating a plan to avoid the risk altogether
• Transference: Transferring risk to a third party to manage
• Mitigation: Lessening the impact of a known risk
Additionally, organizations implement risk management processes based on widely
accepted frameworks to help protect digital and physical assets from various threats, risks,
and vulnerabilities. Examples of frameworks commonly used in the cybersecurity industry
include the National Institute of Standards and Technology Risk Management Framework
(NIST RMF) and the Health Information Trust Alliance (HITRUST).
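The notes define risk as the likelihood of a threat affecting confidentiality, integrity or availability (items 12 and the ISO 27001 risk-assessment bullet), and item 13 lists the four treatment options. The following worked example, added here and not part of the original notes, turns that into a small risk register: each entry is scored as likelihood × impact on an assumed 1..5 scale, rated low/medium/high against assumed bands, and then re-scored after the chosen treatment (acceptance, avoidance, transference or mitigation) so that anything still above the organization's risk appetite is flagged for escalation. All assets, threats, scores and the appetite value are constructed for illustration.

```python
"""Risk register worked example: likelihood x impact scoring and the four
treatment options (accept / avoid / transfer / mitigate).
All assets, threats and numbers are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    ACCEPT = "acceptance"        # keep the risk to avoid disrupting business continuity
    AVOID = "avoidance"          # plan so the risky activity no longer happens
    TRANSFER = "transference"    # hand the risk to a third party (insurer, provider)
    MITIGATE = "mitigation"      # add a control that lessens the risk


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    property: str                 # confidentiality / integrity / availability
    likelihood: int               # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                   # 1 (negligible) .. 5 (severe); assumed scale
    treatment: Treatment
    likelihood_after: Optional[int] = None   # expected value once treated
    impact_after: Optional[int] = None       # expected value once treated


def score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood x impact (a 5x5 matrix, assumed here)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def rating(s: int) -> str:
    """Map a score onto low / medium / high bands (band edges are assumed)."""
    if s <= 4:
        return "low"
    if s <= 12:
        return "medium"
    return "high"


def residual(risk: Risk) -> int:
    """Score after treatment: avoidance removes the risk, acceptance leaves it
    unchanged, transference and mitigation use the post-treatment values."""
    if risk.treatment is Treatment.AVOID:
        return 0
    if risk.treatment is Treatment.ACCEPT:
        return score(risk.likelihood, risk.impact)
    lk = risk.likelihood_after if risk.likelihood_after is not None else risk.likelihood
    im = risk.impact_after if risk.impact_after is not None else risk.impact
    return score(lk, im)


# Constructed register. The first entry is the notes' own example: no backup
# procedure, so stored information cannot be recovered after an incident.
REGISTER: List[Risk] = [
    Risk("customer database", "no backup procedure; data unrecoverable after disk failure",
         "availability", 4, 5, Treatment.MITIGATE, likelihood_after=1),   # nightly tested backups
    Risk("card payment system", "cardholder data leaked (PCI DSS scope)",
         "confidentiality", 3, 5, Treatment.TRANSFER, impact_after=3),      # cyber insurance + PCI-certified provider
    Risk("legacy FTP server", "unencrypted file transfer intercepted on the network",
         "confidentiality", 4, 3, Treatment.AVOID),                          # decommission the service
    Risk("intranet wiki", "brief outage during the monthly patch window",
         "availability", 5, 1, Treatment.ACCEPT),                            # tolerated, documented
]


def assess(register: List[Risk], appetite: int = 6) -> List[dict]:
    """Return one row per risk with inherent and residual scores and whether the
    residual score sits within the (assumed) risk appetite."""
    rows = []
    for r in register:
        inherent = score(r.likelihood, r.impact)
        res = residual(r)
        rows.append({
            "asset": r.asset, "property": r.property,
            "inherent": inherent, "inherent_rating": rating(inherent),
            "treatment": r.treatment.value,
            "residual": res, "residual_rating": rating(res),
            "within_appetite": res <= appetite,
        })
    return rows


def needs_escalation(register: List[Risk], appetite: int = 6) -> List[str]:
    """Assets whose residual risk still exceeds appetite: these go to the
    IT Steering Committee / risk owner rather than being closed in the register."""
    return [row["asset"] for row in assess(register, appetite) if not row["within_appetite"]]


if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['asset']:<22} {row['property']:<15} inherent={row['inherent']:>2} "
              f"({row['inherent_rating']:<6}) {row['treatment']:<12} "
              f"residual={row['residual']:>2} ({row['residual_rating']:<6}) "
              f"within appetite: {row['within_appetite']}")
    print("escalate:", needs_escalation(REGISTER))
```

Note how the same rating can hide different situations: the wiki outage is "medium" before and after treatment because acceptance changes nothing by design, while the card-data leak stays "medium" after transference because insurance lowers the financial impact but not the likelihood of the breach itself, which is why it is the one entry still above appetite.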

14. Three Key Impacts of Threats, Risks, and Vulnerabilities


• Financial Impact. When an organization's assets are compromised by an attack, such as
the use of malware, the financial consequences can be significant for a variety of reasons.
These can include interrupted production and services, the cost to correct the issue, and
fines if assets are compromised because of non-compliance with laws and regulations.
• Identity Theft. Organizations must decide whether to store private customer, employee,
and outside vendor data, and for how long. Storing any type of sensitive data presents a risk
to the organization. Sensitive data can include personally identifiable information, or PII,
which can be sold or leaked through the dark web. That's because the dark web provides a
sense of secrecy and threat actors may have the ability to sell data there without facing
legal consequences.
• Damage To an Organization's Reputation. A solid customer base supports an
organization's mission, vision, and financial goals. An exploited vulnerability can lead
customers to seek new business relationships with competitors or create bad press that
causes permanent damage to an organization's reputation. The loss of customer data
doesn't only affect an organization's reputation and financials, it may also result in legal
penalties and fines. Organizations are strongly encouraged to take proper security measures
and follow certain protocols to prevent the significant impact of threats, risks, and
vulnerabilities. By using all the tools in their toolkit, security teams are better prepared to
handle an event such as a ransomware attack.

15. NIST Cybersecurity Framework (CSF): The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. This framework is widely respected and essential for maintaining security regardless of the organization you work for. The CSF consists of five important core functions:
• Identify - which is related to the management of cybersecurity risk and its effect on an
organization's people and assets. For example, as a security analyst, you may be asked to
monitor systems and devices in your organization's internal network to identify potential
security issues
• Protect - which is the strategy used to protect an organization through the
implementation of policies, procedures, training, and tools that help mitigate cybersecurity
threats. For example, as a security analyst, you and your team might encounter new and
unfamiliar threats and attacks. For this reason, studying historical data and making
improvements to policies and procedures is essential.
• Detect - which means identifying potential security incidents and improving monitoring
capabilities to increase the speed and efficiency of detections. For example, as an analyst,
you might be asked to review a new security tool's setup to make sure it's flagging low,
medium, or high risk, and then alerting the security team about any potential threats or
incidents.
• Respond - which means making sure that the proper procedures are used to contain,
neutralize, and analyze security incidents, and implement improvements to the security
process. As an analyst, you could be working with a team to collect and organize data to
document an incident and suggest improvements to processes to prevent the incident from
happening again.
• Recover - which is the process of returning affected systems back to normal operation. For
example, as an entry-level security analyst, you might work with your security team to
restore systems, data, and assets, such as financial or legal files, that have been affected by
an incident like a breach.
