
IOP Conference Series: Materials Science and Engineering

PAPER • OPEN ACCESS

Applying COBIT 5 in Higher Education


To cite this article: Wang Gunawan et al 2018 IOP Conf. Ser.: Mater. Sci. Eng. 420 012108



2nd Nommensen International Conference on Technology and Engineering IOP Publishing
IOP Conf. Series: Materials Science and Engineering 420 (2018) 012108 doi:10.1088/1757-899X/420/1/012108

Applying COBIT 5 in Higher Education


Wang Gunawan¹, Engelina Prisca Kalensun², Ahmad Nurul Fajar³, Sfenrianto⁴
¹,² Information Systems Management Department, BINUS Graduate Program,
Master of Information Systems Management, Bina Nusantara University, Jakarta, 11530.
e-mail: [email protected]; [email protected]; [email protected]; [email protected]

Abstract. IT governance frameworks have emerged as an important aspect for all
organizations. An organization that lacks IT governance also lacks good corporate
governance. As a result, the organization has difficulty linking its IT benefits to the
organization's objectives. In some cases, the lack of IT governance even causes severe
impacts on school management. The article takes the case of a higher education
institution, STMIK MBM, one of the popular IT schools in North Sulawesi, that has
experienced frequent IT interruptions. The frequent IT interruptions have caused severe
consequences not only for current school operations, but also for the reputation of the
school. At the beginning of 2017, ineffective academic data management caused a severe
interruption of school operations and led to a change of school management. To promote
good IT governance, the new school director has taken the initiative to apply COBIT 5 as
an effective IT governance framework for the school. The article provides an analysis of
the COBIT 5 implementation with the objective of providing a reference for major school
stakeholders to understand and develop effective business and IT policy. The outcome is
expected to provide insight into good IT governance for higher education institutions.

Content from this work may be used under the terms of the Creative Commons Attribution
3.0 licence. Any further distribution of this work must maintain attribution to the
author(s) and the title of the work, journal citation and DOI. Published under licence by
IOP Publishing Ltd.

1. Introduction
Currently, IT governance has emerged as essential in higher education institutions.
Yanosky and Caruso (1) stated that governance, organization, and leadership were among the
top 10 strategic issues that determine a university's strategic success. Corporate
governance is defined as a term that seems to represent a framework that includes aspects
of corporate governance and the business management aspects of an organization (2).
Achieving good governance related to corporate strategy and the achievement of
performance measures enables the organization to focus on what will be the main driver of
business in the future.
Corporate governance refers to the overall goal of management and governance, with
objectives achieved by aligning strategic and management objectives with expectations (3).
To keep IT as a value-add in a higher education institution, the institution needs to apply
IT governance so that all factors and dimensions become synergistic and increase the
expected return on investment. With IT governance, it is expected that convenience and
improved services for stakeholders in the higher education environment can be enhanced
through the application of IT (4). Leaders and corporate policy makers are required to
think creatively to find various breakthrough strategies that can create synergies and
contribute optimally to achieving corporate goals. Therefore, effective information
management and efficient use of technology are needed (5). The article applies COBIT 5 as
an IT governance framework in a higher education institution in North Sulawesi, STMIK MBM,
to assess the entire business and IT process in that institution.

2. Literature Review
2.1. Information Technology Governance (IT Governance)
IT governance is a structure of relationships and processes that directs and controls an
organization in achieving its goals by providing added value while balancing risk, by
adjusting the IT and business processes of the company (7). IT governance emerged as a
bridge between business scope and IT that narrows the gap between the applied technology
and what is expected. IT governance is not a separate management discipline, but rather a
part of corporate management. The benefits of IT governance are essentially very difficult
to quantify because it involves handling intangible assets (5).
2.2. Corporate Governance is the Company's Strategic Imperative
Good corporate governance is a mandatory framework for all organizations to survive.
Corporate governance is required to transform the legacy of applications, organizational
structures, and fragmented processes (both manual and automated) into an integrated
environment with optimal processes responsive to change and the delivery of business
strategy (6).
2.3. COBIT 5 Framework
COBIT 5 is a comprehensive framework that helps enterprises create optimal value from IT
by maintaining a balance between realizing benefits and optimizing risk levels and
resource use (6). COBIT 5 enables information and related technology to be governed and
managed in a holistic manner for the whole enterprise, taking in the full end-to-end
business and functional areas of responsibility and considering the IT-related interests
of internal and external stakeholders. The COBIT 5 principles and enablers are generic and
useful for enterprises of all sizes, whether commercial, not-for-profit or in the public
sector (8).
The COBIT 5 principles comprise (8): (1) integrator framework, which provides a basis for
integrating effective frameworks, standards and other practices, and enables building
products from a consistent knowledge base; (2) driven by stakeholder value, which refers
to stakeholder analysis and the role of governance; in COBIT 5, governance is about
negotiating and deciding the best interests of different stakeholder values; (3) business
focus and context: COBIT focuses on shaping organization goals and objectives, provides a
thorough, end-to-end enterprise perspective (IT and non-IT business functions), and links
business information and the IT function; (4) enabler-based: COBIT enables shaping the
scope of governance, roles, activities and relationships; (5) clear distinction between
governance and management.
2.4. COBIT 5 Process Capability Model
COBIT 5 assesses enterprise process capability on six levels (9): (1) level 0: process
incomplete. At this stage the process has no goal to achieve; (2) level 1: the process is
done. The process already exists and achieves its own goals; (3) level 2: successful
process. The process is implemented in a series of activities, such as planning,
monitoring and adjusting activities. The results are established, controlled and
maintained; (4) level 3: a predefined process. This level has process definition and
process deployment as its attributes; (5) level 4: the process can be predicted. This
level implements the process within the specified limits that enable the achievement of
the results of the process. It has "process management" and "process control" as its
process attributes; (6) level 5: optimizing process. This level applies the process in a
way that enables the achievement of relevant, current and projected business objectives.
It has "process innovation" and "process optimization" as its process attributes. COBIT 5
requires each level to be achieved in sequence before proceeding to a higher level.
2.5. IT Security
Beznosov and Beznosova state that three factors affect the effectiveness of information
security controls (10)(11): (1) human factors, which are defined as those related to
cognition at the individual level, as well as culture and interaction with others.
Adoption of security practices poses several challenges for security practitioners. For
example, effective interaction and communication are needed to achieve a mutual
understanding of security risks among various stakeholders. Kraemer and Carayon (12)
define human error as the cause of computer accidents and of non-deliberate, unintentional
computer security events, such as accidental programming errors that cause the computer to
crash under certain circumstances (11). A person's attitude and personal factors have a
profound effect. To run effectively, the organization needs people who have a high sense
of responsibility as well as emotion management; (2) organizational factors, which are
aspects related to the organizational structure, including size and managerial decisions
surrounding IT security. Kankanhalli et al. (13) propose a model that links organizational
factors such as organizational size, top management support, and type of industry with the
effectiveness of information security controls in organizations. Based on their studies,
they concluded that management support is positively related to the implementation of
preventive security efforts. They found that organizations that invested more resources in
controls to prevent poor security practices perform better than those taking preventive
actions in smaller measure (11). Good management and full support from the leadership for
employees can be a good factor in controlling the security of the organization. The
article applies the role of organizational factors to reduce the potential risks that can
damage the security of campus data; (3) technological factors, which involve technical
solutions such as applications and protocols. Audestad (14) explains that one reason for
not achieving 100 percent security is the complexity of the technology. This complexity
makes it very difficult for decision makers to manage the big picture and design a
security policy that covers all possible system configurations. Jiwnani and Zelkowitz (15)
describe system security testing as a long, complex, and expensive process. They propose a
taxonomy to classify vulnerabilities and help security practitioners prioritize resources
to address them (11). Provision of resources, whether human resources or equipment that
support operations, must be in accordance with the current state of technology.
COBIT, as an IT management model, applies two major internal control models: a holistic
operating control model and a model focusing on IT control. COBIT provides a high-level
guide to IT resources, including data, applications, techniques, hardware and personnel.
It enables organizational goals to be achieved through risk balancing and direction and
control measures (16).

3. Research Method
The article applies the COBIT 5 framework in a computer school located in North Sulawesi,
STMIK MBM. STMIK MBM was established in 2003 and has become one of the popular schools in
North Sulawesi. The data gathering method comprises observation and interviews with major
stakeholders at managerial levels and above, such as: the secretary and head of
programmers, directors, the CEO of the school, and school managers including the IT
manager. A total of 12 persons were involved as major respondents. The data gathering also
covers the school's plan to deliver an e-learning system that enriches learning
experiences.

4. Results and Findings
Based on the results of interviews and findings, all respondents agree that a review of
the entire business process and IT system needs to be undertaken to ensure that it
accommodates the needs of all stakeholders (redesigning the academic system) and to
prepare for developing the e-learning application. Further observation and focus group
discussions were conducted to address the findings.
4.1. COBIT 5 for IT governance in higher education
The use of the COBIT 5 framework addresses two main areas: governance and management. The
governance area has a domain that consists of 3 main processes/activities: evaluation,
direction, and monitoring (EDM) (4)(17). The use of the EDM domain for IT governance in
colleges is summarised in table 1.

Table 1. Evaluate, Direct, and Monitoring (EDM) Process Mapping.

| No. | Process | Process Description | Goals and Processes |
|---|---|---|---|
| EDM01 | Ensure there are governance arrangements and maintenance frameworks. | Analyzes the need for IT governance at STMIK MBM and regulates IT governance processes and practices, appropriately supported by the vision and mission of the organization. | Provide a good IT governance system with ongoing system analysis. This ensures and oversees that IT-related processes, such as the current learning management system and academic and staff resource management, are truly effective and in line with the vision and mission. |
| EDM02 | Ensuring profit | IT governance planning is done to manage investment so that IT can be a profit center instead of a cost center. | Investment in the IT field must be efficient in terms of cost and time. An evaluation needs to be made to examine the overall IT investments and current business processes, to ensure they will deliver benefits as expected. |
| EDM03 | Ensure risk optimization | Ensure IT management is used to understand and minimize risks that will occur both internally and externally. | Ensure that the risks analyzed can be addressed. Current risks such as slow access to the intranet, data integrity, and IT security issues should be well identified and managed to minimize errors in IT governance. |
| EDM04 | Ensure resource optimization | Ensure the availability of adequate resources, people and processes that can manage IT governance well with respect to cost efficiency. | Ensure that resource needs (training people, enhancing business processes, updating IT technology) can adapt to changing management (expectations) and to the school's objective of implementing an e-learning system. |
| EDM05 | Ensure transparency to stakeholders | Ensure that IT governance is transparently reported to stakeholders and that the management process is overseen. | Ensure good communication with stakeholders (collaboration system and director's dashboard) and report on IT governance processes (reporting system) in accordance with existing regulations and in line with campus strategy (i.e. comply with accreditation and DIKTI reports, and financial reports). |


4.2. Implementation of IT Governance
The observation and focus group discussion results show that major business processes are
still documented manually. This may pose high risks, and is prone to data being lost or
damaged. All respondents agree that inaccurate data management is related to the high
number of student/staff complaints.

Table 2. EDM03 Activity Mapping.

| Activity No. | Activity Name | Corporate Governance Activities |
|---|---|---|
| EDM03.01 | Evaluate the risk of data processing manually. | Make a list of risks and apply a student data processing application systematically to reduce the risk of student data loss. |
| EDM03.02 | Evaluate student data processing process. | Migrate the management of student data from manual to systematic by utilizing IT. |
| EDM03.03 | Evaluate the use of student data processing application program. | Supervise and evaluate the process of student data processing systematically, and maintain the system so that it is adjusted to current technology developments. |

Table 3. EDM04 Activity Mapping.

| Activity No. | Activity Name | Corporate Governance Activities |
|---|---|---|
| EDM04.01 | Evaluate resource management. | Monitor and determine what resource requirements are currently needed, based on measures such as the key performance index (KPI), and link them with resource development. The KPI design is also used for reviewing the school policy and objectives. |
| EDM04.02 | Direct the resource management. | Train and direct human resources, and set other resource specifications to suit the needs of student data processing. |
| EDM04.03 | Monitor resource management. | Observe and analyze the work performance of existing resources so that it can later be reported and changed, such as by reporting to the director's dashboard. |

Based on tables 2 and 3 above, we can derive some of the more detailed activities in
governance implementation, as illustrated in table 4.

Table 4. Activity table and remedial steps taken on STMIK MBM.

| Activity No. | Activity on COBIT 5 | Improvement steps at STMIK MBM |
|---|---|---|
| EDM03.01 | Make a list of risks and apply an academic data processing application systematically to reduce the risk of student data loss. | Develop a risk management procedure to avoid loss of academic data. |
| EDM03.02 | Migrate the management of academic data from manual to systematic by utilizing IT. | The design of the academic data processing system should be adjusted to the needs and operations of the organisation. Effective risk management is necessary to avoid design and efficiency errors in terms of cost and time. |
| EDM03.03 | Supervise and evaluate the process of academic data processing systematically, and maintain the system so that it is adjusted to current technology developments. | Evaluation of the process of using the academic data processing system should be done periodically to see if there are errors in the program so that they can be repaired immediately. |
| EDM04.01 | Monitor and determine what resource requirements are currently needed, based on the results of the analyses that have been conducted; these should be in accordance with existing rules and take into account the effectiveness and efficiency of IT governance objectives. | Make a list of the needs of all available resources to support the smooth operation of the academic data processing system. Equipment to support the running of the program must be provided completely and in accordance with the needs. |
| EDM04.02 | Train and direct human resources, and set other resource specifications to suit the needs of academic data processing. | Human resources at STMIK MBM must be trained properly in order to use the program and perform their tasks properly. Fulfillment of resource needs must be adjusted to budgeted costs. |
| EDM04.03 | Observe and analyze the work performance of existing resources so that it can later be reported and changed. | Problems that occur during campus operations using a systematic application program must be resolved immediately, and the performance of existing resources must continue to be monitored. |

5. Lesson Learned and Discussion
The use of the IT governance framework COBIT 5 at STMIK MBM has delivered positive
impacts, enabling all major stakeholders to develop effective assessments and a further
implementation plan. The case of inaccurate academic student data that happened at the
beginning of 2017 attracted the attention of the school director to apply the COBIT
framework. With its reputation for application in industry, COBIT 5 has emerged as an
important reference for IT governance in higher education institutions, and provides
seamless integration of good governance of education, business and IT systems. COBIT 5
addresses the advantages of IT for operations, creating efficiency in terms of cost and
time in higher education as well as in business. Significant changes have been made in
migrating from a manual data processing system to a systematic academic system, and
especially in delivering the e-learning system. To anticipate the occurrence of IT and
business risks, the COBIT 5 framework helps the leaders of the school develop an effective
risk management policy that applies to major school stakeholders.

6. Conclusion
COBIT 5, as an effective IT governance framework, provides a good reference for STMIK
MBM. COBIT 5 addresses the issues of IT and business integration that frequently create
major problems in the school. COBIT 5 has the advantage of providing effective guidance
and strategies at STMIK MBM, with several benefits such as providing a good solution for
business and IT governance, analyzing and delivering resource performance, and creating
IT governance that can maximize and deliver time and cost benefits. There are 3 important
factors that determine the success of a COBIT implementation: human, organization and
technology. These three factors help lower the security risk in data management and
improve IT service and access for all stakeholders.

7. References
1. Yanosky R, Caruso JB. Process and politics: IT governance in higher education. ECAR
Key Find. 2008;
2. Paradeise C, Reale E, Bleiklie I, Ferlie E. University governance. Springer; 2009.
3. Omari L Al, Barnes PH, Pitman G. Optimising COBIT 5 for IT Governance : Examples
from the Public Sector. Appl Theor Inf Syst Res. 2012;2–14.
4. Adikara F. Implementasi Tata Kelola Teknologi Informasi Perguruan Tinggi Berdasarkan
Cobit 5 Pada Laboratorium Rekayasa Perangkat Lunak. J Tek Inform Univ Esa Unggul.
2013;1–6.
5. Kaban IE. Tata kelola teknologi informasi - (. CommIT. 2009;3(C):1–5.
6. Macgregor S. COBIT 5 and TOGAF 9. [KN]. 2011;31.
7. Weill P, Ross JW. IT governance: How top performers manage IT decision rights for
superior results. Harvard Business Press; 2004.


8. Garsoux M. COBIT 5 ISACA’s new framework for IT Governance, Risk, Security and
Auditing An overview. ISACA Whitepapers. 2013;39.
9. Pasquini A, Galiè E. COBIT 5 and the Process Capability Model. Improvements
Provided for IT Governance Process. Proc FIKUSZ ’13 Symp Young Res. 2013;67–76.
10. Beznosov K, Beznosova O. On the imbalance of the security problem space and its
expected consequences. Inf Manag Comput Secur. 2007;15(5):420–31.
11. Werlinger R, Hawkey K, Beznosov K. An integrated view of human, organizational, and
technological challenges of IT security management. Inf Manag Comput Secur.
2009;17(1):4–19.
12. Kraemer S, Carayon P. Human errors and violations in computer and information
security: The viewpoint of network administrators and security specialists. Appl Ergon.
2007;38(2):143–54.
13. Kankanhalli A, Teo H-H, Tan BCY, Wei K-K. An integrative study of information
systems security effectiveness. Int J Inf Manage. 2003;23(2):139–54.
14. Audestad JA. Four reasons why 100% security cannot be achieved. Telektronikk.
2005;101(1):38.
15. Jiwnani K, Zelkowitz M. Maintaining software with a security perspective. In: Software
Maintenance, 2002 Proceedings International Conference on. 2002. p. 194–203.
16. Hong K, Chi Y, Chao LR, Tang J. An integrated system theory of information security
management. Inf Manag Comput Secur. 2003;11(5):243–8.
17. De Haes S, Van Grembergen W, Debreceny RS. COBIT 5 and enterprise governance of
information technology: Building blocks and research opportunities. J Inf Syst.
2013;27(1):307–24.
