Risks Assessment of Information Technology Processes Based on COBIT 5 Framework: A Case Study of ITS Service Desk

Abstract

Directorate of Information Technology and Systems Development (Direktorat Pengembangan Teknologi dan Sistem Informasi, DPTSI) is an organization unit of Institut Teknologi Sepuluh Nopember (ITS) Surabaya which responsible for providing services related to information technology and system for all stakeholders. Incident management and requests fulfillment are part of the services managed by Service Desk unit of DPTSI. Incident management and requests fulfillment hold significant role yet prone to error, they could pose threats and risks for the organization. Hence, identification and assessment of risks, especially risks of IT processes, are highly required to avoid problem or disruption in organizational business processes and to minimize losses. In this research, COBIT 5 Enabling Process is used as a framework to identify the IT processes, whereas COBIT 5 for Risks is used to conduct the risk management activities. Risks are identified from Service Desk’s business processes and existing condition of DPTSI. Data and information are obtained from interviews and observation, then they are mapped to corresponding ideal conditions based on COBIT 5 process DSS02 Manage Service Requests and Incidents. Furthermore, risks related to information technology processes are being identified, assessed and managed based on COBIT 5 process APO12 Manage Risks. The output of this research is a document containing list of IT risk assessment and risk control justification which can be used as a reference document for Service Desk unit of DPTSI ITS in managing risks associated with IT Processes. A good risk management processes will help the decisions’ maker of the organization to make strategic decisions. In addition, the document may be used as a reference for other organizations with similar business processes.