APPLICATION OF THE COBIT 2019 FRAMEWORK TO ANALYSE THE SECURITY OF ACADEMIC INFORMATION SYSTEMS

STMIK Amik Riau implements an integrated information system to support a fast and real-time information management process in which each service has its own security. In this study, the maturity level of information system security governance was analysed with the COBIT 2019 framework on a CMMI scale. The COBIT 2019 domains used were DSS05 and APO13. Based on the analysis, the average overall maturity level of the security of the academic information system of STMIK Amik Riau was currently at level 3 (defined). This means that the security of the information system is running well but needs to be evaluated and optimized continuously. The value of each sub domain was 3.08 for the DSS05 sub domain (user), 3.35 for the DSS05 sub domain (maintainer), and 2.5 for the APO13 sub domain (maintainer). The average gap obtained was 0.53, meaning that the current maturity level is not far from the desired maturity level and can be raised by following the recommendations given.


INTRODUCTION
Academic is a field that studies curriculum. The function of academics is to increase knowledge in terms of education, to be able to convey and accept ideas, thoughts and science, and to be able to test them honestly, openly and freely; this can be managed by an agency, one of which is the campus (Suhana et al., 2022). A campus is an educational institution with many divisions, staff and students who need an academic information system in order to obtain information faster and to provide good benefits for the institution. However, along with the development of technology, it is often misused by some irresponsible parties, which can pose a threat arising from the use of technology (Rizal and Yani, 2016). The Academic Information System is a purpose-built system that facilitates the management of various academic-related data. It encompasses a comprehensive range of information, such as student records, lecturer profiles, records of lecture outcomes, curriculum details, and lecture schedules (Syafariani and Devi, 2019). One of the universities which has implemented an academic system is STMIK Amik Riau (Anam et al., 2019).
STMIK Amik Riau implements an integrated information system to support a fast and real-time information management process which includes various services such as E-KRS, E-KTM, E-EDOM and other information, where each service has its own security (Zoromi, 2013). According to Garfinkel (1995), information security is how we can prevent fraud (cheating) or detect fraud in an information-based system, in which the information itself has no physical form; security is therefore intended to keep the system secure.
Security is very necessary because it protects the data and information of a company or an institution from disclosure to unauthorized people, and can optimize the performance of a company or institution (Mahfouz Alhassan and Adjei-Quaye, 2017). Information system security must be considered in system management because a leakage of information can damage one area of performance, which affects other work and can interfere with the smooth running of the system (Akpan et al., 2022). After an interview with the person in charge of system management, it was found that STMIK Amik Riau has never conducted a security evaluation of its academic system using COBIT 2019. It is therefore necessary to evaluate and analyse the system in order to find out its shortcomings or weaknesses, and to provide recommendations, based on the determined maturity level, for raising the current level to the expected level. There are several frameworks that can be used, such as COBIT (Astuti et al., 2017), ITIL (Anam et al., 2020), PMBOK (Bastori et al., 2020), ISO (Daryanto et al., 2022) and others.
This study utilized COBIT 2019, which many studies have used, such as XYZ Hospital Information System Security Governance Analysis Using COBIT 2019 (Gusni et al., 2021), Application of the COBIT 2019 Framework to Information Technology Audit at Sambas Polytechnic (Saleh et al., 2021) and others. The reason is that COBIT 2019 is a standard considered complete for carrying out governance and has a comprehensive scope: it defines the components needed to build and sustain a governance system (processes, organizational structures, policies and procedures, information flows, skills, and infrastructure) and defines design factors that companies must consider to build the most appropriate and effective governance system (Gusni et al., 2021). In addition, the campus can achieve risk optimization and better governance and management of its information system.
COBIT 2019 consists of five key domains: Evaluate, Direct, and Monitor (EDM); Align, Plan, and Organize (APO); Build, Acquire, and Implement (BAI); Deliver, Service, and Support (DSS); and Monitor, Evaluate, and Assess (MEA). Two domains were used for the analysis of the STMIK Amik Riau information system, namely DSS and APO. DSS is one of the knowledge management systems that has a role in supporting the decision-making process for a company or organization. The APO domain spans strategies and tactics, and identifies risks and the best way IT can contribute to achieving goals. After obtaining the results from DSS and APO, measurements were taken using the CMMI model, so that this analysis is expected to determine the maturity level of the system and the campus can raise that level by following the recommendations in this study.

METHOD
Research methodology is a technique compiled by researchers to collect data and information in conducting research in accordance with the subject and object under study (Adelia et al., 2020). With these data, qualified results are expected. Figure 1 shows the flow of this research methodology.

Problem Identification
After establishing the research purpose, the initial step for researchers is to identify the specific problem to be addressed. This crucial process involves defining the boundaries of the problem to ensure that the study remains focused on its intended goals. In the present study, the problem identification process involved analyzing relevant studies and aligning them with the COBIT 2019 framework guidelines for information system security at STMIK Amik Riau. This analysis aimed to determine the maturity level of the system and assess its security level accordingly.

Literature Studies
The literature study was carried out by studying theories related to the topics discussed, such as COBIT 2019 and the domains used in this study, namely DSS and APO, as well as how to determine the maturity level through CMMI. Theories come from books, journals, and studies that support this research.

DSS and APO
This stage determined the sub domains and the questionnaire questions for each selected sub domain, with a determination of each sub-process.

Decision Support System (DSS)
Decision support system is one of the knowledge management systems that has a role in supporting the decision-making process for a company or organization. The sub domain was DSS05 Manage Security Services. DSS05 is a process that aims to protect the information of a company or institution and keep the level of risk within the thresholds set by the company, in line with existing security regulations (Imany et al., 2019), as well as creating and managing information security roles and access rights and conducting security oversight. The sub-process consists of seven processes, namely:
a. DSS05.01 (Protect against malware): implement and manage measurable prevention, investigation and improvement (especially applying the latest security updates and virus control) across the campus to protect information systems and technology from malware (Krisdiyawan and Kuswantoro, 2017).
b. DSS05.02 (Manage network and security connectivity): use security measures and related management procedures to protect information systems on all connectivity (Wijaya and Andani, 2017).
c. DSS05.03 (Manage device security): ensure that every device (such as laptops, servers, other mobile devices and software devices) is safe (protected) in accordance with the security requirements for the processing, storage or transmission of information (Woda and Bisma, 2020).
d. DSS05.04 (Manage user identity and device remote access): ensure each user has access rights to the information they need for their business needs, and coordinate with the business unit that manages the access rights (Imany et al., 2019).
e. DSS05.05 (Manage access to IT assets/devices): create and implement procedures for granting, restricting and revoking access based on need. Anyone entering a restricted area must have the authority to enter and must also be monitored. All of these provisions apply to all faculty, students and outside staff (Firmansyah, 2021).
f. DSS05.06 (Manage sensitive documents and output devices): create physical security on IT devices for the security of sensitive information systems (Woda and Bisma, 2020).
g. DSS05.07 (Monitor infrastructure for security-related events): supervise infrastructure to prevent unauthorized access and ensure that events are integrated with the surveillance process (Imany et al., 2019).

Align, Plan and Organize (APO)
It covers strategy and tactics and identifies concerns about how IT can best contribute to achievements. The sub domain was APO13 Manage Security. APO13 is a process that defines, executes, and oversees a system for information security management (Aritonang et al., 2018).
The purpose of the process is to keep the impact and frequency of information security incidents within the risk threshold set by the manager (Imany et al., 2019). Its sub-processes are:
a. APO13.01 (Create and maintain an information security management system): create and maintain an information security management system (SMKI) that provides a sustainable information security management approach, providing secure systems and business processes that are aligned with business needs and system security management (Gunawan and Tjahjadi, 2018).
b. APO13.02 (Define and manage an information security risk treatment plan): manage an information security design that describes how information security risks should be managed and aligned with agency strategies and infrastructure. It ensures that recommendations to implement security enhancements are based on an already approved and implemented business case (Shariff, 2018).
c. APO13.03 (Monitor and review the information security management system): manage and periodically communicate the needs and benefits of continuous improvement of information security. It also collects and analyses data and improves effectiveness (Sepis, 2022).

Questionnaire Distribution
The data in this study were collected using the RACI technique (Responsible, Accountable, Consulted, Informed) of the COBIT framework, which is used to determine the responsible parties in the organization. The RACI chart is explained below (Rachmat Widayanto and Rachmadi, 2019). The data were collected by distributing questionnaires to the chairmen of STMIK Amik Riau and SISFO, who are part of the information system management, and to STMIK Amik Riau students, who are users or recipients of information. Table 1 lists the respondents in this study, who were selected based on the RACI model.
Table 1. Determination of RACI respondents
R (Responsible): the person who serves as the person in charge and has the authority to make decisions in a case.
A (Accountable): the person who is given the task of carrying out an activity or performing such work.
C (Consulted) [SISFO]: the people deemed to have the authority to give necessary advice.
I (Informed) [Chairman of STMIK Amik Riau and SISFO]: recipients of information, who must be given information or must know the progress of an activity carried out.

Validity Test
The questionnaire results were analysed to determine the validity or invalidity of the submitted questionnaire items, so a validity test is necessary. The test criterion is: if r count ≥ r table, the question is valid; if r count ≤ r table, the question is invalid. The values were calculated using the facilities available in SPSS. The error level used was 5%. The r table value was 0.413 for users (n = 23) and 0.997 for managers (n = 3).

Reliability Test
The questionnaire results collected by the researcher were analysed using the Cronbach's alpha formulation. Cronbach's alpha was calculated with SPSS software. In reliability testing with Cronbach's alpha, the result can be read from the Alpha value table: if the Alpha value is greater than the r table value, the values obtained are reliable; conversely, if the Alpha value is less than the r table value, the values obtained are not reliable.

Maturity Level
In measuring the security maturity level of the academic information system of STMIK Amik Riau, a questionnaire was used as the data collection method, with an index value for each of the criteria in the measurement, calculated using the following formula:
Index = (sum of questionnaire answer scores) / (number of questions) (1)
Maturity level is the part of COBIT used to measure or calculate IT process values, on a scale from 0 to 5. COBIT recommends that the expected maturity level be only one level above the current maturity level, because each level must be met before moving on to the next one. After measuring the maturity level, the next step was to calculate the gap (GAP), which is the difference between the expected maturity level and the current maturity level, using the formula:
Gap = A - B (2)
where A = expected maturity level and B = current maturity level. The gap analysis was carried out by identifying the activities and improvements to be made by the information system security manager of STMIK Amik Riau.
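The validity test, the reliability test and the index and gap formulas above are simple enough to carry out without SPSS. The following Python script is an added example (not code from the paper or from STMIK Amik Riau) that runs all three steps over a small constructed questionnaire. It assumes, since the page does not say so, that "r count" is the Pearson correlation between an item and the respondent's total score, that the index averages every answer across respondents, and that the CMMI level is the integer part of the index (which matches the levels 3.08 → 3 and 2.5 → 2 reported later); the sample scores, the r table value and the expected maturity value are constructed.

```python
"""Questionnaire analysis for a COBIT-style maturity assessment (added example).

Steps, following the text:
  1. validity    - item-total Pearson r ("r count") compared with an r table value
  2. reliability - Cronbach's alpha compared with a threshold (0.60 in the paper)
  3. maturity    - index = sum of scores / number of answers (formula 1),
                   level = integer part of the index (assumption),
                   gap = expected - current (formula 2, Gap = A - B)
"""
from math import floor, sqrt


def pearson(x, y):
    """Pearson correlation; None when either series has no variance
    (a constant item cannot be correlated, so it is reported as invalid)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return None
    return sxy / sqrt(sxx * syy)


def item_validity(responses, r_table):
    """responses: one list of item scores per respondent.
    Returns one dict per item with its r count and whether r count >= r table."""
    totals = [sum(row) for row in responses]
    result = []
    for i in range(len(responses[0])):
        item = [row[i] for row in responses]
        r = pearson(item, totals)
        result.append({"item": i + 1, "r_count": r,
                       "valid": r is not None and r >= r_table})
    return result


def _variance(values):
    """Sample variance (n - 1 denominator, as SPSS uses)."""
    n = len(values)
    m = sum(values) / n
    return sum((v - m) ** 2 for v in values) / (n - 1)


def cronbach_alpha(responses):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total scores))."""
    k = len(responses[0])
    if k < 2 or len(responses) < 2:
        raise ValueError("need at least two items and two respondents")
    item_vars = sum(_variance([row[i] for row in responses]) for i in range(k))
    total_var = _variance([sum(row) for row in responses])
    if total_var == 0:
        raise ValueError("all respondents scored the same total; alpha undefined")
    return k / (k - 1) * (1 - item_vars / total_var)


def maturity_index(responses):
    """Formula (1): total of all answer scores divided by the number of answers."""
    scores = [s for row in responses for s in row]
    return sum(scores) / len(scores)


def maturity_level(index):
    """CMMI-style level 0..5, assumed to be the integer part of the index."""
    return max(0, min(5, floor(index)))


def gap(expected, current):
    """Formula (2): Gap = A - B, A = expected maturity, B = current maturity."""
    return round(expected - current, 2)


def average_gap(gaps):
    return round(sum(gaps) / len(gaps), 2)


def assess(name, responses, r_table, expected, alpha_threshold=0.60):
    """Run validity, reliability and maturity for one sub domain."""
    alpha = cronbach_alpha(responses)
    index = maturity_index(responses)
    return {
        "sub_domain": name,
        "validity": item_validity(responses, r_table),
        "alpha": round(alpha, 3),
        "reliable": alpha > alpha_threshold,
        "index": round(index, 2),
        "level": maturity_level(index),
        "gap": gap(expected, index),
    }


# Constructed sample: 5 user respondents x 4 DSS05 items, scores on a 1-5 scale.
SAMPLE_DSS05_USER = [
    [4, 4, 3, 4],
    [3, 3, 3, 3],
    [2, 3, 2, 2],
    [4, 3, 4, 4],
    [3, 2, 3, 3],
]

if __name__ == "__main__":
    report = assess("DSS05 (user)", SAMPLE_DSS05_USER, r_table=0.413, expected=3.51)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The expected maturity value is passed in rather than derived as "current level + 1", because the gaps reported later in this paper (0.43 against an index of 3.08, 0.16 against 3.35, 1.00 against 2.5) only reconcile with an expected value set independently of the current level.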

RESULTS AND DISCUSSION
This section discusses the results of applying the COBIT 2019 framework to determine the maturity level of information system security at STMIK Amik Riau and gives recommendations for the desired conditions, in order to raise the maturity level in accordance with the provisions set by the decision makers for STMIK Amik Riau information system security. Before the maturity level could be known, the first step was to distribute the questionnaire. The responses obtained were then processed. The following are the stages in processing the questionnaire data.

Validity and Reliability
Several results were obtained from the respondents who filled out the questionnaire. In the validity test, a higher resulting value shows the accuracy of the data measurement tool, while the reliability test indexes show how far the measurement tool can be declared reliable.

Validity Results
Validity testing was carried out to determine the validity of the questionnaire for each variable. If r count ≥ r table, the item is declared valid; if r count ≤ r table, the data are declared invalid.
a. Validity results on the user questionnaire. In this study the error level used was 5%, giving an r table of 0.413 with n = 23. From the validity calculation in Table 3, it can be seen that r count > r table for all fourteen questionnaire items, so all of them were declared valid because the result was greater than the r table value of 0.413.
b. Validity results on the management questionnaire. The error level used was 5%, giving an r table of 0.997 with n = 3. From Table 4, it can be seen that there were ten valid items because the calculated r value was greater than the r table value of 0.997. From Table 5, the tests carried out on three respondents with five questionnaire items were declared valid because the results were greater than the r table value of 0.997.

Reliability Results
To ensure the consistency of the questionnaire used in this research, a reliability test is necessary. Prior to conducting the test, a decision-making criterion is established with an alpha value of 0.60. Variables with values greater than 0.60 are considered reliable, while those with values lower than 0.60 cannot be deemed reliable. The following are the results of the reliability test conducted on the variables in this study:
a. Reliability results on the user questionnaire.

Reliability Statistics (Table 6): Cronbach's Alpha = .756; N of Items = 15
Based on the findings presented in Table 6, the reliability test indicates that the Cronbach's alpha value for this variable exceeds the threshold value of 0.60, with a value of 0.756. This result signifies that all the statements included in the questionnaire are considered reliable and can be relied upon for further analysis.
b. Reliability results on the manager questionnaire.

Reliability Statistics (Table 7): Cronbach's Alpha = .456; N of Items = 14
Based on the findings presented in Table 7, the reliability test indicates that the Cronbach's alpha value for this variable exceeds the threshold value of 0.60, with a value of 0.611. This result indicates that all the statements included in the questionnaire are considered reliable and can be trusted for further analysis.

Maturity Level Measurement
In measuring the security maturity level of the STMIK Amik Riau information system, a questionnaire was used as the data collection method, with an index value for each sub domain process in the measurement.

Assessment results
Following the completion of the questionnaire calculation process, the results revealed the values for each questionnaire item based on the total number of questions completed by 23 user respondents and three manager respondents. The following steps outline the calculation process for determining the index of each managed domain process.
a. User. To get the maturity value, equation 2 was used, namely the sum of the questionnaire values divided by the number of questions.
Table 8. Maturity level of DSS05 (user). From Table 8, which is the result of the recapitulation, it can be seen that the DSS05 process is at level 3 with a maturity value of 3.08.

b. Manager. The following are the maturity values for the DSS05 and APO13 sub domains for managers. From the recapitulation in Table 9, the current maturity result in the DSS05 domain is 3.35, which is level 3 (defined), while the APO13 domain is at level 2 with a maturity value of 2.5.

Gap analysis
Gap analysis helps to find deficiencies that must be overcome. It makes them easier to measure or identify and, in the long run, helps in making improvements. At this stage, the researcher calculated the difference between the expected maturity level value and the current maturity level value obtained previously.

a. Domain sub-process gap analysis
Table 10 shows the result of the sub-process gap analysis. It can be seen that the gap between the current maturity level and the expected maturity level in each domain as a whole is only one level, but several domains have quite high gaps, especially APO13.03. Based on the gap analysis shown in Table 11, the distance between the current and expected conditions is 0.43 in the DSS05 domain for users, 0.16 in the DSS05 domain for managers, and 1.00 in the APO13 domain for managers. The biggest gap is in the APO13 domain. The average gap is 0.53, which means there is not too much difference from the expected conditions.

Recommendations
Recommendations were grouped into two views, namely recommendations from the user side and recommendations from the manager side.

User-side recommendations
Access rights are already managed, but the management is too flexible, especially regarding access to the academic information system space at STMIK Amik Riau. It is therefore recommended that the staff responsible make regulations governing the mechanism for requesting room access, asset access and data access. Access granted must always be recorded and monitored. This mechanism must emphasize security: granting access must be based on business needs, and access to the required assets must not be too free.

DSS05
They should create custom logging that records each security event or incident that occurs, and each incident is assigned a unique identifier (ID).
APO13
a. Conduct or re-evaluate access rights, or redefine the terms for determining which parties are entitled to access rights according to their functions.
b. Add infrastructure to run the security management processes and conduct training aimed at improving the performance of the management team's human resources.
c. Security managers should implement the recommendations made from the results of the evaluation so that they can maximize performance.
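The DSS05 recommendation above (a custom log in which every security event or incident carries a unique identifier) can be met with a small append-only event log. The following Python script is an added example, not code from the paper or from STMIK Amik Riau: each event is written as one JSON line with a UUID, a UTC timestamp and the fields a later review needs, and a checker verifies that every record has the required fields and that no ID is reused. The file name, field names, event types and the two sample events are assumptions constructed for the example.

```python
"""Append-only security event log with a unique identifier per event (added example)."""
import json
import os
import tempfile
import uuid
from datetime import datetime, timezone

# Fields every record must carry so an incident can be traced later (assumed schema).
REQUIRED_FIELDS = ("id", "timestamp", "event_type", "actor", "resource", "outcome")


def make_event(event_type, actor, resource, outcome, details=None):
    """Build one event record; uuid4 gives each event its own identifier."""
    return {
        "id": str(uuid.uuid4()),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event_type": event_type,   # e.g. "login_failure", "access_granted"
        "actor": actor,             # account or role that triggered the event
        "resource": resource,       # system, room or dataset involved
        "outcome": outcome,         # "success", "failure" or "denied"
        "details": details or {},
    }


def record_event(log_path, **fields):
    """Append the event as a single JSON line and return it (with its id)."""
    event = make_event(**fields)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event, sort_keys=True) + "\n")
    return event


def load_events(log_path):
    """Read the log back. Malformed lines are reported by line number rather
    than silently dropped, so truncation or tampering is noticed."""
    events, bad_lines = [], []
    with open(log_path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line:
                continue
            try:
                events.append(json.loads(line))
            except json.JSONDecodeError:
                bad_lines.append(lineno)
    return events, bad_lines


def validate_events(events):
    """Return a list of problems: missing required fields or duplicate ids.
    An empty list means the log passes."""
    problems, seen = [], set()
    for ev in events:
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            problems.append(f"{ev.get('id', '?')}: missing {missing}")
        ev_id = ev.get("id")
        if ev_id is not None:
            if ev_id in seen:
                problems.append(f"{ev_id}: duplicate id")
            seen.add(ev_id)
    return problems


def count_by_type(events):
    """Simple summary for periodic review: how many events of each type."""
    counts = {}
    for ev in events:
        counts[ev["event_type"]] = counts.get(ev["event_type"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed log location and sample events (E-KRS is one of the campus services).
    path = os.path.join(tempfile.mkdtemp(), "security-events.jsonl")
    record_event(path, event_type="login_failure", actor="student042",
                 resource="E-KRS", outcome="failure", details={"reason": "bad password"})
    record_event(path, event_type="access_granted", actor="sisfo-admin",
                 resource="server-room", outcome="success")
    events, bad_lines = load_events(path)
    print(len(events), "events,", len(bad_lines), "malformed lines")
    print("problems:", validate_events(events))
    print("by type:", count_by_type(events))
```

Writing one self-describing JSON line per event keeps the log append-only and machine-readable, and the unique ID is what lets an incident be referenced consistently in tickets, reports and the evaluation documentation the conclusion asks for.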

CONCLUSION
The overall average maturity level of the security of the academic information system of STMIK Amik Riau is currently at level 3 (defined). The value of each sub domain is 3.08 for the DSS05 sub domain (user), 3.35 for the DSS05 sub domain (manager), and 2.5 for the APO13 sub domain (manager). This level shows that the security governance of the information system at STMIK Amik Riau is running and has been implemented, but it needs updating and evaluation, and it must be ensured that the performance of the running process supports the goal of raising the current level to the expected level, using the gap to find out the distance between levels.
The gap to the expected level in system security at STMIK Amik Riau is not too big, at 0.53, which means that STMIK Amik Riau can raise the level with several recommendations related to system security. The recommendations are to make regulations governing the mechanism for requesting room access, asset access and data access; access granted must always be recorded and monitored; the mechanism must emphasize security, granting access based on business needs without giving too free access to the required assets; and to create custom logging that records each security event or incident, with each incident assigned a unique identifier (ID).
Based on the conclusions described above, there are several suggestions that the security manager of the STMIK Amik Riau information system can consider and evaluate, namely that the security manager is expected to consider implementing the recommendations for the processes submitted by the researcher. In addition, security managers are encouraged to produce documentation after carrying out activities related to important data or infrastructure; this documentation is very useful as material for future security evaluation. Future researchers evaluating the security of the academic information system of STMIK Amik Riau can choose different process domains in COBIT 2019 and use different scales.

Figure 1. Research Methodology
Table 2. Maturity level of COBIT
Table 5. Validity results of APO13 maintainers
Table 7. Reliability results of managers
Table 10. Results of sub-process gap analysis
Table 11. Results of sub domain gap analysis