Evaluation Of Information System Governance Capability Level Of Engineering Construction Services Firm Using COBIT Framework 5

Engineering Construction Services Firm Instrument Engineering is a company in engineering construction services. Besides construction services, Engineering Construction Services Firm Instrument Engineering also provides non-construction services such as operation and maintenance. The company has no quality management standard, which would be expected to increase productivity and superiority over competitors, and it needs a schedule for periodic audits of information security management. It requires recommendations for improving the Information Security Management System, and the company hopes to create a standard document for data and information security risk governance aimed at supervision and review of the Information Security Management System. To make sure that information system (SI) operations within the company have been carried out and objectives have been supported as effectively as possible, an information system audit using the Control Objectives for Information and Related Technology (COBIT) framework is required, based on the needs that have been described. In this evaluation of IT governance capability using the COBIT 5 framework, the APO13 process ends at level 1 with a status of 82.12. The EDM03 and APO12 processes terminate at level 2, with a Largely Achieved status of 82.12 for EDM03 and 84.41 for APO12.


INTRODUCTION
Engineering Construction Services Firm Instrument Engineering is a company in engineering construction services. Besides construction services, Engineering Construction Services Firm Instrument Engineering also provides non-construction services such as operation and maintenance. When supported by effective IT governance, which begins with thorough planning and ends with implementation, the use of information technology within the organization can be carried out successfully. IT Governance, as defined by the ITGI (IT Governance Institute), is a part of business operations that are seamlessly integrated. It consists of organizational leadership structures and operational procedures to guarantee that information technology is implemented successfully and in line with the company's goals [1][8][12].
The company does not have an established schedule for periodic information security management audits and needs recommendations for improving the Information Security Management System. The company also does not have a quality management standard, which is projected to increase productivity and give it an edge over competitors. The company hopes to create a standard document for data and information security risk governance aimed at supervising and reviewing the Information Security Management System. To make sure that information system (SI) operations within the company have been carried out and objectives have been supported as effectively as possible, an audit of the information systems using the Control Objectives for Information Technology (COBIT) framework is required, based on the needs that have been described. COBIT 5 is one of the frameworks that suggests guiding principles for IT governance [2]. To assist businesses in achieving the goals and management facets of IT governance, COBIT 5 offers a framework and analysis [3][4][13].

Research Methods
The COBIT 5 framework was employed as the study methodology. COBIT is intended as a solution to difficulties in IT governance in identifying and managing the risks and benefits associated with information resources. COBIT serves to bring together all control needs and technological issues [6][10][11].

Observation
Observation is a way of collecting data by direct observation at the IT department of Engineering Construction Services Firm Instrument Engineering by observing systems and operational activities and systematically recording the objects to be studied.

Interview
Information is obtained by asking the respondents or the parties concerned directly. The interview results help obtain information and data regarding information system governance in the IT department. The interview was conducted according to the standards of the COBIT 5 framework and provided documents referring to the APO01, APO12, and APO13 processes.

Questionnaire
A questionnaire is distributed to be filled out by the parties concerned with the existing problems. The questionnaires follow the conditions set by the COBIT 5 framework. The questionnaire is given to IT staff who handle information systems at Engineering Construction Services Firm Instrument Engineering. The APO01, APO12, and APO13 domain questionnaires were developed using questions aligned with the COBIT 5 framework.

Fig 1. Framework Research

Figure 1 shows the framework used in this study to evaluate information system governance at Engineering Construction Services Firm. The framework is divided into 3 stages [5]. Obtain information by interviewing directly with the respondents or the party concerned. Discuss information system governance.

Capability Scoring
The capability level given is based on process capability, consisting of level 0 to level 5, with reference to COBIT 5.

Follow Up

Finding
In this process, auditors identify findings on processes that still need to be met according to COBIT 5 standards, which refer to EDM03, APO12, and APO13 domain activities.

Fishbone
Identify and analyze unmet findings according to COBIT 5 standards that refer to EDM03, APO12, and APO13 domain activities.

Recommendation
Provide recommendations and suggestions to the IT department of the Engineering Construction Services Firm so that the department will be, referring which refers to EDM03, APO12, and APO13 domain activities [15].

Follow Up Recommendation
To improve the quality of information system governance based on the COBIT 5 framework standard, provide follow-up to recommendations made in the previous process to the IT department of the Engineering Construction Services Firm.

III. RESULT AND DISCUSSION
1. Planning
Information related to the research is collected by making observations at the company and by direct identification on site at PT. Wigafsindo Dynamics Instrument Engineering. To create process domains within the organization, the identification process entails identifying IT points and trigger events, mapping enterprise goals to IT-related goals, and mapping IT-related goals into COBIT 5. Talking with the people involved helps with the identification procedure. Enterprise goals are mapped to IT-related goals in Table 1. Mr. Yohanes interviews the IT personnel at the Engineering Construction Services Firm to discover the enterprise goals. The process of converting corporate goals into IT-Related Goals will be followed by the results of the chosen enterprise goals. The mapping of IT-Related Goals to COBIT 5 processes is shown in Table 2. The primary (P) in the COBIT process listed in Table 1 is used to decide the procedure.

1. Internal - Security of information processing infrastructure and applications: EDM03, APO12, APO13

Based on the IT-Related Goals mapping findings and interviews with relevant IT workers, one of whom is Mr. Yohanes, ITCS at Engineering Construction Services Firm, Table 3 shows the COBIT 5 process mapping outcomes. From the mapping results, the 3 focus domains to be measured are EDM03, APO12, and APO13, which focus on the Internal - Security of information processing infrastructure and applications listed in Table 3.

Result of Data Analysis
The capability score is calculated using the average value of each score in each sub-process of each level. The following tables show the outcomes of the capability score calculation.

The outcomes of determining the capability level score in the EDM03 process are shown in Table 4. The table contains information on the capability score on EDM03, with an average of 87.2. With this score, it can be concluded that the EDM03 process continues at level two with Fully Achieved status; thus, this process can go to the next level, namely level 2, because rising to that level requires reaching the minimum limit of 85.

The capability level score for the EDM03 level 2 process is calculated, and the results are shown in Table 5. The table contains information on the capability score on EDM03, with an average of 82.15. With this score, it can be concluded that the EDM03 process stops at level two with the status of Largely Achieved. Thus, this process cannot go to the next level, namely level 3, because rising to that level requires reaching the minimum limit of 85.

The outcomes of determining the capability level score in the APO12 process are shown in Table 6. The table contains information on the capability score of APO12, with an average of 87,002. With this score, it can be concluded that the APO12 process continues at level two with Fully Achieved status; thus, this process can go to the next level, namely level 2, because going to that level requires reaching the minimum limit of 85.

The capability level score was determined for the APO12 level 2 process, and the findings are shown in Table 7. The table contains information on the capability score on APO12, with an average of 84,415. With this score, it can be concluded that the APO12 process stops at level two with the status of Largely Achieved. Thus, this process cannot go to the next level, namely level 3, because rising to that level requires reaching the minimum limit of 85.

The outcomes of determining the capability level score in the APO13 process are displayed in Table 8. The table contains information on the capability score on APO13, with an average of 82.18. With this score, it can be concluded that the APO13 process stops at level one with the status of Largely Achieved. Thus, this process cannot go to the next level, namely level 2, because rising to that level requires reaching the minimum limit of 85.

Gap Analysis
The Target Level versus Current Level comparison is the result of a calculation that compares the company's current level with the company's target, which can be explained below:
1. The results of the APO13 calculation have yet to meet the target set by the company; the company wants APO13 to reach level 3 as its goal, but the results of the interviews and calculations carried out stop at level 1.
2. The calculation results of EDM03 and APO12 have yet to meet the targets set by the company; the target level desired by the company for EDM03 and APO12 is level 3, but the results of the interviews and calculations carried out stop at level 2.

3. Recommendation
Recommendations are provided to the company so that the resulting process will be more optimal in the EDM03, APO12, and APO13 processes. To achieve the next capability level, some recommendations can be applied to Engineering Construction Services Firms managing IT.
1. Implementing Security Risk Management
2. Companies need to create a Risk Governance Policy
3. IT staff need written documentation, namely SOPs for Risk Management in responding quickly to changes in risk and reporting
4. The company needs to determine the direction of decisions on integrating strategies and implementing risks that exist in IT Staff.
5. Make standard rules so that employees cannot violate these rules.

Table 9 is a table of EDM03 improvement recommendations. The recommendations are derived from findings on the existence of the outputs that have been given. This recommendation was made with the aim that the resulting EDM03 process will be more optimal for achieving the next capability level.

Table 10. APO12 Improvement Recommendation Table
1. Forming a special IT risk management control team to achieve goals
2. Create standards and policies in implementing IT risk management and optimization
3. Conduct further monitoring related to emerging risks, such as risks from several aspects and scenarios.
4. Forming documents containing principles, policies, and risk objectives that will be analyzed regularly and measured and evaluated related to their implementation.
5. Improve the implementation of risk management, which has 6 processes, including data collection, risk analysis, risk profile, risk articulation, establishing risk portfolios, and risk response.

Table 10 is a table of APO12 improvement recommendations. The recommendations are derived from findings on the existence of the outputs that have been given. This recommendation was made with the aim that the resulting APO12 process will be more optimal to achieve the next capability level.

Table 11. APO13 Improvement Recommendation Table
1. Identify performance objectives of the information technology security management process
2. Conduct regular audits of information security management, and based on the findings of the SMKI audit, provide suggestions for enhancing the information security management system.
3. Control the interfaces between the parties in charge of information technology security.
4. Establish the need for the results of the work of the information technology security management process.
5. Establish the requirements of documentation and control of deliverables.
6. Create a Data and Information Security Audit Governance Standard document aimed at supervising and reviewing the Information Security Management System (SMKI)
7. Planning and supervising the performance of the information technology security management process.

Table 11 is a table of APO13 improvement recommendations. The recommendations are derived from findings on the existence of the outputs that have been given. This recommendation was made with the aim that the resulting APO13 process will be more optimal for achieving the next capability level.

IV. CONCLUSION
We can make the following inferences based on the findings of research conducted by Engineering Construction Services Firm Instrument Engineering to evaluate information technology governance skills using the COBIT 5 framework:
1. The APO13 process terminates at level 1 with a status of "Largely achieved" at 82.12 and a gap of 2, meaning that this process cannot advance to level 2, because to advance to level 2 it must reach the minimum threshold of 85. With a status of "Largely achieved" (82.12 for the EDM03 process and 84.41 for the APO12 process), the EDM03 and APO12 processes halt at level 2. With a gap of 1, these two processes cannot move to the next level, level 3, because they both fall short of the required threshold of 85.
2. Based on the outcomes of the assessment of information technology governance at PT. Wifgasindo using the COBIT 5 framework, the applicable recommendations are detailed in Chapter IV of the recommendations section. Among others, these are: implementing quality management standards, because they can boost productivity and give the company an edge over rivals; conducting routine information security management audits and using the findings of those audits to suggest ways to strengthen the information security management system; and creating Data and Information Security Audit Governance Standards documents aimed at supervising and reviewing the Information Security Management System.

Fig 2. Target Level Comparison Chart and Current Level

Table 1. Mapping Enterprise Goals To IT-Related Goals

Table 4. EDM03 Capability Score Calculation Results Table

Table 5. EDM03 Level 2 Capability Score Calculation Results Table

Table of Capability Score Calculation Results APO12

Table of APO12 Level 2 Capability Score Calculation Results

Table 8. APO12 Capability Score Calculation Results Table