EVALUATION OF INFORMATION TECHNOLOGY
RISK MANAGEMENT USING THE
COBIT 5 FRAMEWORK AT PT. XYZ
UNDERGRADUATE THESIS
Submitted in Partial Fulfilment of the Requirements for the
Degree of Bachelor of Computer Science (S.Kom.)
Kenny Pratama
00000019803
INFORMATION SYSTEMS STUDY PROGRAM
FACULTY OF ENGINEERING AND INFORMATICS
UNIVERSITAS MULTIMEDIA NUSANTARA
TANGERANG
2021
DECLARATION
APPROVAL PAGE
RATIFICATION PAGE
EVALUATION OF INFORMATION TECHNOLOGY
RISK MANAGEMENT USING THE COBIT 5 FRAMEWORK
AT PT. XYZ
ABSTRACT (translated from the Indonesian)
By: Kenny Pratama
PT. XYZ has adopted information technology to help the company achieve its business objectives. As a result, the company's IT systems must be protected from any risk that could disrupt business processes and harm the company. To minimise the risks that may arise, PT. XYZ has identified, analysed, controlled and mitigated all known risks. However, this is considered insufficient to handle the existing risks, so the company wants to know the capability level it is able to achieve.
An assessment of how far IT risk management has been implemented at PT. XYZ is therefore needed. This research uses a qualitative approach that analyses the capability level with the COBIT 5 framework, focusing on two processes that address IT risk management and relate to the company's objectives in handling IT risk. These processes are APO12 (Manage Risk), to identify IT-related risks, and DSS05 (Manage Security Services), to determine the role of information security and the monitoring of the company's security.
The assessment of IT risk management at PT. XYZ finds that both APO12 and DSS05 reach capability level 3 (Established), while the target set by the company is level 4 (Predictable). To reach the target capability level, the company needs several improvements based on the recommendations given, which are grounded in the COBIT 5 framework.
Keywords: capability level, COBIT 5, IT risk management
INFORMATION TECHNOLOGY RISK MANAGEMENT
EVALUATION USING COBIT 5 FRAMEWORK AT PT. XYZ
ABSTRACT
By: Kenny Pratama
PT. XYZ has used information technology to help the company achieve its business goals. This means that the company's IT systems must be able to avoid all risks that can hinder business processes and have a negative impact on the company. To minimise the risks that may occur, PT. XYZ has identified, analysed, controlled and mitigated all existing risks. However, this is not considered sufficient to deal with the existing risks, so the company wants to know the capability level it can achieve.
Therefore, it is necessary to assess the achievement of IT risk management implementation at PT. XYZ. The research was carried out using a qualitative approach that analyses the capability level with the COBIT 5 framework, focusing on two processes that handle IT risk management and relate to the company's objectives in handling IT risk: APO12 (Manage Risk), to identify IT-related risks, and DSS05 (Manage Security Services), to determine the role of information security and the monitoring of company security.
The assessment of IT risk management at PT. XYZ shows that both the APO12 and DSS05 processes reach level 3 (Established), whereas the target set by the company is level 4 (Predictable). To achieve the target capability level, the company needs several improvements based on the recommendations given, which are grounded in the COBIT 5 framework.
Keywords: capability level, COBIT 5, IT risk management
PREFACE
Praise and thanks to God Almighty, by whose grace and blessing this thesis could be completed smoothly and on time. This report contains an assessment of the implementation of information technology risk management in the Information and Communication Technology Division of PT. XYZ. This thesis was written to fulfil the requirements for the degree of Bachelor of Computer Science (S.Kom.).
Thanks are due to the various parties for the learning, guidance and support they have given. These parties include:
1. PT. XYZ, which provided the opportunity and cooperation that allowed this research to proceed well.
2. Melissa Indah Fianty, S.Kom., M.MSI., as thesis supervisor, who assisted and gave guidance.
3. Ririn Ikana Desanti, S.Kom., M.Kom., as Head of the Information Systems Study Program.
4. Parents and friends who gave their support so that this proposal could be completed on time.
Tangerang, 4 June 2021
Kenny Pratama
TABLE OF CONTENTS
DECLARATION ..... ii
APPROVAL PAGE ..... iii
RATIFICATION PAGE ..... iv
ABSTRACT (Indonesian) ..... v
ABSTRACT (English) ..... vi
PREFACE ..... vii
TABLE OF CONTENTS ..... viii
LIST OF FIGURES ..... xi
LIST OF TABLES ..... xii
CHAPTER I INTRODUCTION ..... 1
1.1 Background ..... 1
1.2 Problem Statement ..... 5
1.3 Scope of the Problem ..... 5
1.4 Research Objectives and Benefits ..... 6
1.4.1 Research Objectives ..... 6
1.4.2 Research Benefits ..... 6
CHAPTER II THEORETICAL FOUNDATION ..... 7
2.1 Information Technology ..... 7
2.2 IT Governance ..... 7
2.3 IT Risk Management ..... 9
2.4 COBIT 5 ..... 10
2.5 COBIT 5 Principles ..... 12
2.6 COBIT 5 Process Reference Model ..... 15
2.6.1 Governance ..... 16
2.6.2 Management ..... 16
2.7 COBIT 5 Implementation Lifecycle ..... 19
2.8 COBIT 5 Process Assessment Model (PAM) ..... 21
2.9 COBIT 5 Process Rating Scale ..... 23
2.10 Previous Research ..... 23
CHAPTER III RESEARCH METHODOLOGY ..... 31
3.1 Overview of the Research Object ..... 31
3.1.1 Company Organisational Structure ..... 32
3.1.2 IT Division Organisational Structure ..... 34
3.1.3 Company Vision and Mission ..... 34
3.2 Research Method ..... 35
3.2.1 Problem-Solving Method ..... 37
3.3 Research Variables ..... 51
3.3.1 Dependent Variable ..... 51
3.3.2 Independent Variable ..... 52
3.4 Data Collection Techniques ..... 53
3.4.1 Questionnaire ..... 53
3.4.2 Interview ..... 54
3.5 Sampling Technique ..... 54
3.6 Data Analysis Technique ..... 54
CHAPTER IV ANALYSIS AND RESEARCH RESULTS ..... 56
4.1 Analysis of Company Objectives ..... 56
4.2 Mapping Enterprise Goals to IT-Related Goals ..... 58
4.3 Mapping IT-Related Goals to Enabler Goals ..... 61
4.4 Identification of IT Pain Points and Trigger Events ..... 63
4.5 Mapping IT Pain Points to COBIT 5 Processes ..... 64
4.6 Measurement of COBIT 5 Process Capability Level ..... 65
4.6.1 APO12 Process Capability Measurement ..... 65
4.6.2 DSS05 Process Capability Measurement ..... 80
4.6.3 COBIT 5 Capability Level Measurement Results ..... 96
4.7 Gap Analysis ..... 97
4.8 Improvement Recommendations ..... 100
4.8.1 Improvement Recommendations for APO12 ..... 100
4.8.2 Improvement Recommendations for DSS05 ..... 101
4.9 Recommendations for Level Improvement ..... 101
CHAPTER V CONCLUSIONS AND SUGGESTIONS ..... 105
5.1 Conclusions ..... 105
5.2 Suggestions ..... 106
BIBLIOGRAPHY ..... xiv
APPENDICES ..... xvii
LIST OF FIGURES
Figure 2.1. COBIT 5 Principles ..... 12
Figure 2.2. Meeting Stakeholder Needs ..... 13
Figure 2.3. Business Needs ..... 14
Figure 2.4. COBIT 5 Process Reference Model ..... 15
Figure 2.5. COBIT 5 Implementation Lifecycle ..... 19
Figure 2.6. Process Assessment Model ..... 21
Figure 3.1. Organisational Structure of PT. XYZ ..... 32
Figure 3.2. Organisational Structure of the ICT Division of PT. XYZ ..... 34
Figure 3.3. Conceptual Framework ..... 38
Figure 3.4. Enterprise Goals ..... 42
Figure 3.5. IT-Related Goals ..... 44
Figure 3.6. COBIT 5 Process Mapping ..... 46
Figure 3.7. Capability Levels ..... 48
Figure 3.8. Gap Analysis ..... 50
Figure 4.1. IT-Related Goals Mapping ..... 59
Figure 4.2. Enabler Goals Mapping ..... 61
Figure 4.3. COBIT 5 Enabler Goals Results ..... 62
Figure 4.4. Gap Analysis Chart ..... 100
LIST OF TABLES
Table 1.1. Problems at PT. XYZ ..... 2
Table 2.1. EDM Processes ..... 16
Table 2.2. APO Processes ..... 17
Table 2.3. BAI Processes ..... 17
Table 2.4. DSS Processes ..... 18
Table 2.5. MEA Processes ..... 19
Table 2.6. COBIT 5 Capability Levels ..... 22
Table 2.7. Previous Journal 1 ..... 24
Table 2.8. Previous Journal 2 ..... 24
Table 2.9. Previous Journal 3 ..... 25
Table 2.10. Previous Journal 4 ..... 26
Table 2.11. Previous Journal 5 ..... 27
Table 2.12. Previous Journal 6 ..... 27
Table 2.13. Previous Journal 7 ..... 28
Table 2.14. Previous Journal 8 ..... 29
Table 2.15. Previous Journal 9 ..... 29
Table 3.1. Comparison of the COBIT 5.0, ITIL, COSO and ISO 27001 frameworks ..... 36
Table 3.2. List of Informants and Interviews ..... 41
Table 3.3. Questionnaire Scoring Table ..... 53
Table 4.1. Enterprise Goals of PT. XYZ ..... 57
Table 4.2. COBIT 5 IT-Related Goals Results ..... 60
Table 4.3. Mapping IT Pain Points to COBIT 5 Processes ..... 64
Table 4.4. Detailed Measurement Results for Process APO12, Level 1 ..... 66
Table 4.5. Detailed Assessment of Process APO12, Level 1 ..... 73
Table 4.6. Detailed Measurement Results for Process APO12, Level 2 ..... 73
Table 4.7. Detailed Assessment of Process APO12, Level 2 ..... 76
Table 4.8. Detailed Measurement Results for Process APO12, Level 3 ..... 76
Table 4.9. Detailed Assessment of Process APO12, Level 3 ..... 79
Table 4.10. APO12 Process Measurement Results ..... 79
Table 4.11. Detailed Measurement Results for Process DSS05, Level 1 ..... 80
Table 4.12. Detailed Assessment of Process DSS05, Level 1 ..... 89
Table 4.13. Detailed Assessment of Process DSS05, Level 1 (continued) ..... 89
Table 4.14. Detailed Measurement Results for Process DSS05, Level 2 ..... 90
Table 4.15. Detailed Assessment of Process DSS05, Level 2 ..... 92
Table 4.16. Detailed Measurement Results for Process DSS05, Level 3 ..... 92
Table 4.17. Detailed Assessment of Process DSS05, Level 3 ..... 95
Table 4.18. DSS05 Process Measurement Results ..... 95
Table 4.19. COBIT 5 Capability Level Measurement Results ..... 96
Table 4.20. Capability Measurement Results (Percentage) ..... 97
Table 4.21. Company Condition for Process APO12 ..... 98
Table 4.22. Company Condition for Process DSS05 ..... 98
Table 4.23. Gap Analysis ..... 99
Table 4.24. Recommendations for Raising APO12 to Level 4 ..... 102
Table 4.25. Recommendations for Raising DSS05 to Level 4 ..... 103