6 research outputs found

    Ontological Mapping of COBIT 2019 onto Bank Soundness Assessment in Indonesia

    This study aims to map COBIT 2019 to the Bank Soundness Level (Tingkat Kesehatan Bank, TKB) assessment policy in Indonesia using an ontological mapping technique. Adopting the ArchiMate language, the study analyzes and depicts the relationships between concepts in COBIT 2019 and the bank soundness assessment factors. The analysis method covers identifying the objectives in the COBIT domains, mapping the TKB assessment factors, and building a model of COBIT 2019 with the TKB assessment factors. The results show that several COBIT 2019 domains are related to the TKB assessment factors, including risk profile, GCG, earnings, and capital. The conclusion of this study strengthens the understanding of the link between the IT governance framework (COBIT 2019) and the practice of bank soundness assessment in Indonesia

    Evaluation of Information Technology Governance Using COBIT 5 and ISO/IEC 38500

    One of the main tasks and functions of the Infrastructure Section, Information and Communication Technology Development Division, South Tangerang City Communication and Information Office, is to provide services and management of internet network infrastructure for all Regional Apparatus Organizations (OPD) in South Tangerang City. The work of the Infrastructure Section is constrained by employee competence that has not reached the standard in internet network management and service. Given these problems, the researcher intends to evaluate governance using the COBIT 5 framework and ISO/IEC 38500, with recommendations for improvement in the Infrastructure Section. This study uses PAM (Process Assessment Model) with the Guttman scale to determine the results and level of capability. The use of COBIT 5 in this research focuses on the domain of EDM (Evaluate Direct Monitor) point 04, Ensure Resource Management, and MEA (Monitor, Evaluate and Assessment) point 01, Performance and Conformance. The capability level obtained during the research was level 2, Managed Process, with a value of 2.46 and a gap of 0.54. The level expected by the Infrastructure Section is level 3, Established Process, with a value of 3.00. The recommendations for achieving Level 3 use ISO/IEC 38500

    Application of the ISO 27001 standard for information security management at the company Plataforma Buscador Académico BUSAC. S.A. in Ecuador

    The objective of this research was to improve information security at the company Guru-IT through the implementation of the ISO 27001 standard. Using this methodological framework, security policies were developed that made it possible to guarantee the availability, integrity and confidentiality of information. Vulnerability measurements were taken, collected with the observation guide instrument for subsequent statistical analysis. This analysis showed an improvement in the rate of vulnerabilities detected in the post-test, which fell by 13.55% relative to the pre-test data. Likewise, reductions were obtained in the time taken to implement security practices and to detect vulnerable components, of 5.65% and 11.97% respectively, between the pre-test and post-test data. In conclusion, implementing the standard made it possible to improve information security, thereby contributing competitiveness and giving greater commercial value to the company

    Outsourcing of information technology services: a governance model for public universities

    Purpose: The aim of this study was to design a governance model for IT services outsourcing at public universities. Design/methodology: This study employed a qualitative methodology divided into three steps: first, international standards for IT management and project management were reviewed; second, a literature review was conducted to define the state of the art of IT outsourcing at universities; and third, IT outsourcing at public universities in Norte de Santander was analyzed. Two universities were investigated here: Pamplona University and Francisco de Paula Santander University (Main Campus and Ocaña Campus). Findings: The model proposed here includes layers associated with the (mission-related, support, and strategic) processes that universities carry out. This model, which is applied in six stages, was analyzed from two perspectives: vertical coherence, which involves management and governance activities for all those involved; and horizontal coherence, in which said activities are associated with specific goals and progress and follow-up artifacts. Conclusions: Although outsourcing is a relevant aspect in corporate management, public universities still need control over the activities of their customers as well as suppliers. Therefore, the proposed model establishes concrete activities for these two actors by means of joint responsibility management at all the levels of the organization. Originality: This study contributes to the improvement of the processes that public universities carry out because it mitigates the risks associated with them by formalizing the activities, producing deliverables, establishing performance indicators, and assigning responsibilities at all the levels in the organization.

    Mind the Security Gap : Evaluating the Effectiveness of the UK Cyber Essentials Scheme and its Suitability for Large Enterprises

    The Cyber Essentials scheme was launched in 2014 to help businesses in the UK demonstrate they had effective basic security controls in place. Later that year it was made a mandatory requirement by Crown Commercial Service for certain central government contracts and it is used today as an independent measure of assurance by public bodies such as the Ministry of Defence and the Scottish Government. Despite this, there have been high-profile compromises at UK organisations that held Cyber Essentials at the time of their attack. The aim of this research is to discover what could allow a low-level internet threat to bypass the Cyber Essentials controls which, after all, are designed to prevent such an attack from occurring. Is it the controls themselves, the requirements, scoping issues or the audit? The aim of Cyber Essentials is to be a universal scheme, regardless of size. Despite this there have been criticisms of scaling issues which have been dismissed in blog posts by NCSC. The main theme of the research was therefore to look at whether there is something to this – does the scheme have fundamental issues when applied at scale which could allow a low-skill attack to occur? And since large public sector bodies are mandating this from suppliers and organisations they do business with, are there issues with using it as an independent measure of assurance? A survey of large organisations was carried out to gather views on the pros and cons of the scheme and to help identify any issues they have with scale or assurance. These findings were then used to inform a literature review of the scheme documentation. This featured a methodical examination of every question related to scope and the security controls in Cyber Essentials, and an examination of each test in Cyber Essentials Plus. To provide further context an interview with a former Cyber Essentials assessor was carried out which helped identify further issues in the assurance process. 
The research found that neither Cyber Essentials nor Cyber Essentials Plus could be used as an independent measure of assurance and that both had issues when applied at scale. 17 recommendations have been made which, if implemented, would dramatically improve the scalability of the scheme and the assurance it offers. Despite these recommendations future work should be carried out to consider whether the scheme actually addresses modern low-skill cyber threats

    Investigating COBIT 5 implementation in the public TVET college sector in South Africa

    The purpose of this study was to investigate whether the COBIT 5 ICT governance framework has been implemented successfully in the public TVET sector. The study clarifies that ICT governance is not only about satisfying audit requirements; the core of ICT governance based on COBIT 5 is alignment between business and ICT. The study proposed a theoretical framework whereby the perceived benefits of implementing COBIT 5 in the public TVET college sector in South Africa were the dependent variable. The proposed independent variables were Training, Adoption, Leadership, Value in IT Investment and Risk Management. The study infers that the board and/or council within an organisation needs to lead the process in relation to the governance of ICT. Moreover, the study takes cognisance that ICT is a strategic enabler and thus the board or council ought to play its role of oversight, monitoring and ensuring optimal utilisation of IT resources. The study challenges the perception that IT is a mere operational function and deduces that top management ought to incorporate IT when formulating and/or reviewing the business strategy. IT ought to be included in any strategy-related activity in the organisation. IT should not be left out of the boardroom if management expects to derive value from ICT investment