Incident Management of Information Technology in the Indonesia Higher Education based on COBIT Framework : A Review

Nowadays, implementing the IT management in Indonesia Higher Education (HE) has been an integral part of institution management and all business functions, starting from teaching & learning, academic information system, administration & payment system, registration of student’s admission and so on. Handling incident response is an IT management and evaluation activity that must be done by the HE in Indonesia. Because, this activity is used to control the business sustainability and help perform attempts of betterment. To this matter, a standardized guideline is required so that the management of handling incidents in the HE environment can be performed effectively and efficiently. COBIT framework version 4 has four domains with 34 processes, while the version 5 has five domains with 37 processes. The process of handling incidents in COBIT 5 is discussed in the DSS02 process, namely Manage Service Request, and Incident of DSS domain. Meanwhile, COBIT 4 is discussed in the DS8 process, namely Manage Service Desk and Incidents. This paper reviews the status of management of handling IT incidents in Indonesia HE limited from 2010 to 2016.


Introduction
Information Technology (IT) has been massively implemented in many Higher Education (HE) institutions in Indonesia as a medium for improving competitiveness [1] and to take a role in encouraging the accomplishment of mission, vision, and objectives of the HE, and to become one of the main components in entering the global era which is then indicated by the term of the world class university as well as network of cooperation with domestic and overseas institutions of the HE.The university is a business organization which moves in education field [2].
There are three domains of the IT utilization in Indonesia HE, namely as support services of (1) administration, (2) teaching media and (3) information-communication. The administrative computation aims at facilitating in managing archives, handling received letters and a making of reports, covering the college payment of entrance fee and regular registration in every semester for fresh students, and other aspects unrelated to data processing and finance.As teaching media, the IT is used to support teaching and learning processes such as for developing blended learning, e-learning, virtual learning, and other platform variations.As a part of information-communication, it is used as a medium for announcing profile, achievements and internal activities in the campus on the website or e-magazine of the corresponding campus, for sharing information regarding scholarships, for improving the surveillance system of learning activities and achievements from students, guardianship, and many more.When implementing them, it Syifaul Fuada 2 takes two main components, the first one is management, as to the extent of participation in the management of the IT and business.The second one is the organizational structure, as according to the organizational strategic plan and the management model of the IT.
Two things, when combined, are forming a management "framework" of the IT in which every organization is free to form the framework as necessary, but it should refer to the widely accepted standards [3].Based on the evaluation, according to [4], the framework mostly used by the HE institutions in the evaluation of the IT is COBIT.Such framework has reached the version 5 which is the continuance of the previous one [5].
The COBIT as an acronym for Control Objectives for Information and Related Technology is a framework developed by International Technology Governance Institute (ITGI) with its base in the United States of America.The principles of the framework are briefly to meet the requirements for business development [6], to be representative and comprehensive, which then includes issues of planning, implementing, operation, and surveillance to the whole processes of the IT [7].A review [8] of this framework shows that it has a simple but powerful characteristic.COBIT version 5 is the renewed version of its predecessor as shown in Figure 1.

Figure 1. COBIT framework version
The benefits of COBIT 5 are that it can maximize the utilization of IT by maintaining the stability between optimizing the identification of risk level and the resources used thus it can bring the benefit into reality [9], this framework can comprehensively unite various managements, therefore this framework can bridge any business risks, the need to control the IT, and several technical issues related to the IT [10].The COBIT framework version 4 has 4 (four) key domains used to conduct an IT audit.Meanwhile, the newer version, COBIT 5, has 5 (five) key domains.Not to say that all these components are to be implemented; it depends on the conditions in every institution of the HE, for instance, to the extent of infrastructure supports, internal structure of institution and etc.
In relation with the utilization of the IT in the environment of the HE, the Delivery and Support (DS) as well as the Deliver, Service and Support (DDS) domain are one of key domains to maintain the sustainability of a business institute, for it is significantly related with the handling of potential risks/ incidents within the IT, such as virus attack to computers of administration division resulting in the corrupted data or interrupted services to students, the main website of the corresponding campus being hacked which potentially blocks the flow of information, and other kinds or examples of incidents.The domain is also expected to be able to handle such related incidents in order to ensure the smooth flow of networking or internet in the campus environment.In order to make the handling incidents effective and efficient, the attempts for time, resources and cost must be executed in an organized way and guided by the IT framework.
The COBIT framework framework consists of three parts: (1) focus on functional planning of audit procedures; (2) conduct the audit to investigate the current condition of IT management; (3) conduct the audit to investigate the as is condition as a fundamental for performing refinement in the future provided with the recommendation; and for framework/ model development by incorporating other factors.With reference to the description above, this paper attempts to analyze the second and third points.This paper will later contribute to examination or delineation of management status of the IT in several HE Institutions in Indonesia, to be measured based on COBIT framework, especially in the DS and DSS domain which is related with handling the IT incidents.Secondly, this paper is aimed to identify the technique of recommendation submission to be more optimal in managing IT utilization in the future provided with the as-is condition revealed.
This paper is a literature study in which the sources are obtained from scientific documents, i.e. journals, conference papers or final projects in related with IT audit using COBIT framework, especially in DS and DSS domains.

1 The IT Incidents in HE Institutions and Cause
In the application of the IT, incidents may happen both expected and unexpectedly manifested in various forms, ex.malware or computer virus dissemination, email spams or email bombs, DoS attack, data bugging, network intrusion, etc.Such incidents might be caused by technical factors which are initiated from activities from certain parties, who were only curious (for fun).The most common mechanisms used to cause such incidents of the IT in addition to the email, i.e. spamming and mail bomb, or by social engineering.
A successful HE Institution usually can understand the use of IT and is able to take economic advantage of it and also manage any occurring risks.A COBIT framework provides services to help identify the main source of the IT, Incident Management of Information Technology in the Indonesia Higher Education based COBIT Framework: A Review investigate the needs for business, help organize activities of the IT into a common model process, identify and define targets of management control to be a matter of consideration [1].This way, the campus can generate fine quality of education and education services because all processes of utilizing the IT can run well, from the very beginning point of entering the university to all administration processes until the student's graduation [11].

COBIT version comparison
Control Objective for Information and Related Technology (COBIT) is a framework considered as the best practice standard manual of management of the IT for an organization [12].COBIT  There are several differences between COBIT 4.1 and COBIT 5, especially in the domain division and the working processes [13].In the framework of COBIT 5, there is a distinct separation.Such separation may provide better facilitation to institutions which are willing to distinctively separate its management and regular operational processes [14].The main purpose of management in COBIT is to give its users value of "how to realize advantages or benefits," and "how to optimize risks and resources".In the standard of COBIT, several principles are defined to guide IT management, as shown in Table 1.It shows that the process of incident handling in COBIT 4 is discussed at DS8 in the DS domain, which is Manage Service Desk and Incidents.Meanwhile, such term in COBIT 5 is discussed in DSS02 process of Manage Service Request and Incident in DSS domain that is managed by the management.
The strengths of discussing the COBIT in incident handling is that of the explicit control and that it is defined strictly in all process goals, risks and security, and that the assignment and responsibility of the organization's stakeholders are made more explicit using the mapping of Responsible, Accountable, Consulted and Informed (RACI).Additionally, the process evaluation which determines the degree of capability from such incident handling may facilitate the stakeholder being responsible for the incident in repairing the weaknesses form such incident handling.Furthermore, the weaknesses of COBIT are that the explanation of the process of handling the incident is less detailed, such as the principle and the stages of incident settlement.

Results and Discussion
In this part, we discuss the Implementation in Indonesia's HE Institutions.The study of using COBIT framework has been massively done in a HE institution in which later the study finding can be made as a recommendation for bettering IT management as well as for giving the best solutions for improving the performance of human resources [11].
Table 2 and Table 3 consists of 5 (five) columns, namely: the references cited written in numbers, the research subjects and instrument for data collection, the addressed COBIT domains, study findings and technique of recommendation arrangement.This paper is not intended to describe the weaknesses of each studies mentioned, especially the method of recommendation arrangement.
Reviewing the discussion on Table 2 and Table 3, we can see that the framework of COBIT is one of the models considered appropriate for evaluating IT management in the business process of the Indonesia HE institution.The result of the study is the institution's condition at that time, which in other words, such condition might change right now and even better considering that the IT penetration within the campus environment is getting sharper and the demand for a better quality of human resources is ever increasing to be more advanced.Moreover, a new policy has been issued regarding the need for reorganizing management for the optimization of IT use.Nevertheless, the author is incapable of showing any corresponding evidences because the literature obtained has not shown the gradual study outcomes.
Meaning that, a typical study is done in different ranges of time in order to investigate the improvement in the findings.To achieve that, it should be done only by the same researchers using the same instruments thus the findings can be representative.
Furthermore, it can be observed that the version 4 is used more frequently due to the year when the studies were conducted.The applications of COBIT 5 for IT audit in HE institutions are only found after 2013, only a year after its launch.On the other hand, COBIT 4 was launched earlier in 2007, in which the IT use is still ongoing or even has just started the penetration in campus environment in Indonesia (use of internet network, computerized administration, and etc.) which makes it worth more uses.Other factors causing the number of COBIT audit applied in HE institutions might highly be dependent on the willing of researchers to conduct IT assessment in the campus environment.The most contributing studies come from study findings for theses of bachelors and masters as well as final projects.However, the topics under investigation are not limited to only campus environment but also to enterprises, or other nonprofit or institutions.Such issue becomes one of the factors of limited literature to be reviewed for this paper.About determining the respondents, several of the researchers use random sampling technique by taking several respondents (referring to RACI chart or not) who they thought are related or associated with IT management or knowledgeable.RACI is an acronym for Responsible (the executor of duties), Accountable (the person responsible in its eventual and rightful to make decisions), Consulted (the person to communicate with), and Informed (the person informed about the process development, or decisions or measures taken).One of the Syifaul Fuada respondents is the one having an important function in one of the divisions within an organization, and that person should be the head or the representative.
Recommendation is made in order that IT can be exploited optimally, especially in managing incidents occurring within the internal environment thus they can assure the smooth flow of IT use in the environment.The IT audits in HE institutions have been conducted by the corresponding researchers accordingly with the research objectives.It may be done to a larger sample, such as more than 10 HE institutions in a certain area.Not only that the researchers investigate the maturity level but also arrange the recommendation, thus it is more appropriate to be applied in a campus environment, both at a faculty or university scale.The DSS 02 subdomain is for managing service demands and managing incidents reach the scale 4 (Managed).
While the overall capability level based on the overall means from DSS 01 until DSS 06 is at 3 (defined), meaning that most activities in DSS domain for the Directorate SISFO Telkom University have been performed, using the application standard in implementing such process, documented and the communication has run well.
The audit is done by collecting evidences of the existing condition within the environment of DSS domain that is from DSS 01 until 06 obtained from the source of information (the selected respondents).
The recommendation withdrawal gap analysis obtained from the achieved target level (To Be). [17] The library of STMIK Potensi Utama Medan (2014) A questionnaire is distributed to 20 respondents with the question referring to COBIT 5.0: The study findings conclude that the library auto system that is considered appropriate for the corresponding campus is the proprietary based, although the discrepancy of the two is mere 0,05 The study objective is to conduct audit of the two library auto systems which have been used for two years in the campus since 2010, namely open source and proprietary based system.
The comparison for measurement outcome of the maturity level from the two systems becomes the standard of determining which of the two systems is more appropriate.The researcher made the standard for the to-be maturity level is 5 for all domains from the two kinds of questionnaire.
The study reveals that the as is condition of IT management for DSS domain is 1.87, while the management awareness is 4.27 On the other hand, the average from all domains is at level 2, which means repeatable but intuitive.The gap between the current condition and the to-be one is still large.
Next, the mean of management awareness test has reached 4.20 (of the to-be condition at 5), meaning that most respondents agree that the processes defined in the IT management (in this case is the COBIT framework) is important.
Upon knowing the as is condition and the awareness of the importance of standardized management, it is expected that evaluation and correction is immediately conducted during the process of achieving level 5.
The study objective is to investigate the as is condition, and then is to identify whether the standard of COBIT in IT management is crucial.
There are two kinds of questionnaires, one contains questions which refer to COBIT 5.0 and the questionnaire of management awareness to obtain descriptive understanding about the scope of IT management needed and required in the development of IT management.
The recommendation is proposed implicitly through the management awareness test.It means that the researchers arrange the recommendation from the distributed questionnaire and implicitly state it to the respondents through that closed questionnaire.The study discusses several issues: (1) analyzing the IT maturity level in UNRI, (2) analyzing every domain in each sample and ( 3) analyzing the maturity level in each sample.
The PO domain above the scale of 3 (defined), a part of AI is still at 2 (repeatable but intuitive), a part of ME is still even at 1 (initial) and in DS Overall, the maturity level of IT use is found below 3 except in the part of the university heads.
The recommendation is arranged based on the result of questionnaire in which the lowest objective score is used as the standard. [1] 50 Private HE Institutions in Yogyakarta (2010) The samples are 50 private HE institutions which are selected randomly from all the existing HE institutions in Yogyakarta.In other words, the quality status of the private institutions is not considered in this study.
The questionnaire is distributed to all the 50 samples.The study has concluded that the private HE institutions in Yogyakarta (recapitulation by 85.44%) generally have the maturity level at 3 (defined) of the scale 5 (to-be).
Specially for DS 8 subdomain, the mean has reached above 3.5 (reaching managed).
Generally, the evaluation for the maturity level of the IT implementation in private HE institutions in Yogyakarta has been influenced by the dimension of service quality by distributing the criteria scores proportionally.
It is a census study employing the survey approach, by the purpose of identifying the maturity level, performance and development of IT in the private institutions in Yogyakarta.
The findings are not classified into the which of the samples are low, medium, or high.
No recommendation proposed.Overall, the maturity level of private HE institutions is above 3 (defined) from the to-be level of 4.
The distribution of the maturity level is classified into three, as follows: Based on the gap analysis (the difference level to be achieved with the as is condition) can be made as the standard for the betterment.
There is no recommendation provided. [21] Academic Information System (SIAK) STMIK Widya Pratama Pekalongan (2016) The questionnaire is distributed to 20 respondens as the samples (random) containing questions which refer to COBIT 4.1: The study has found that the maturity level is 0.67 (initial) both in DS domain (12 control processes) and in ME domain (4 control processes) Specifically, in DS8 subdomain the maturity level is 0.57 (initial) meaning that the handling of issues occurring during IT utilization has not been managed well.
The study is aimed to observe the condition of IT management in the campus.
There is no recommendation provided. [22] Financial Information System (SIK) Universitas Kristen Duta Wacana Yogyakarta (2016) The primary data are obtained from interview, questionnaire and observation done to the Financial Information System.The interview is done to several parties, namely the developer, the maintenance, the decision maker, and users of SIK.The secondary data are obtained from relevant documents and head's policies with the financial information system.The study has found that for DS8 subdomain is 3.6 (managed).SOP and user manual have been provided to help users operate SIK.Should any incidents occur while using IT, the follow-up measure should be done by the unit of PUSPINDIKA on an Ad-hoc basis or by cooperating with another unit specializing on it to find the temporary solution.Such incidents are then analyzed in order to observe the occurring pattern.Then, the source of the problem and settlement mechanism can be identified.
The capability maturity level as a whole from the management of SIK in UKDW is 4 The objective of the study is to observe the process condition of development, maintenance, application and utilization of SIK in UKDW The finding is presented descriptively from each subdomain under investigation.
There is no recommendation provided.
Syifaul Fuada The audit of information system in the study is aimed to investigate the as is maturity level, gap and recommendation to minimize such gap.
The to-be maturity level is obtained through interview with respondents who are questioned simultaneously about the as is condition, and the to-be condition in the future, which is 2 and 3 (for DS8 subdomain is 2).
The recommendation is arranged based on the gap between the as is and the to-be condition.This recommendation is enriched with ITIL V3 framework which previously has been mapped into COBIT 4.1 [24] Universitas Mercu Buana Jakarta (2014).
The instrument employed is interview to users, IT staff and management staff, process checking and document checking.The number of respondents is not stated.For DS8 subdomain, the maturity level is 2 of the to-be condition of 3.
Meanwhile, the maturity level from the overall 19 processes is 2, which means that there is only one of them reaches the target that is DS6 subdomain.It can be concluded that IT management in the university is still at the starting phase.
The objective of the study is to investigate the as is maturity level of UMB as well as to arrange the recommendation The recommendation is arranged based on the gap between the as is condition (level 2) and the to-be condition (level 3) and also by considering the priority of problem and available resources.It means that the recommendation is not addressed to all subdomains but to certain subdomains.[25] Private he Institution in Palembang city (2014).Not specified which are: the samples.
The respondents for this study are 100 students as users of SIA.Gender is not considered.The study has found that for DS8 subdomain, the maturity level is at 3 (defined).
As a whole, both DS and ME are at the level 3 (defined), meaning that the academic processes related to academic information system in the institution has been through a fairly good conduct seen from the point of view of the users, thus the as is condition only requires minor correction to reach the to-be condition.
The recommendation arrangement is based on the current achievement, and presented gradually about how to make the level 3 into 4 and 5. [26]

Universitas Dian Nuswantoro Semarang (2013)
The interview is intended to analyze the IT services and the questionnaire is distributed to selected respondents referring to RACI table using purposive sampling method.It is not stated in detail the number of samples.
COBIT 4.1 Specific for DS08 The study findings show that the maturity level in the process of service desk and IT incidents management in Universitas Dian Nuswantoro is at the level 2, meaning that the management has possessed the awareness and care to the function of service desk and incident management, has not documented the standard procedure implemented in the management, and the support as well as accountability are still based on individual characteristic.
The strategy for repairmen is adjusted with the 6 (six) maturity attributes of COBIT.
The recommendation is done gradually from a high level to the higher one, which is intended to reach level 3 and then 4. The objective control used in the measurement of DS8 is: service desk, registration for customer demands, escalation incidents, closing incidents, report and analysis of incidents.
The study reveals that the mean of maturity level is 2 (Repeatable) which mean that the subjects of the study have a repetitive pattern The lowest objective score is used as the standard for arranging the recommendation, within which there are three levels of recommendation.
Incident Management of Information Technology in the Indonesia Higher Education based COBIT Framework: A Review EAI Endorsed Transactions on Energy Web Online First

and Support (DS) DSS (Deliver, Service and Support)
As mentioned in Introduction, this work is the literature study in which the sources of literature are obtained from documents of study findings gathered from journals, conference papers or Final Projects within the last 6 years (2010-2016).This paper contains status of several Indonesia HE in terms of handling incidents of IT within their campus environment and measured based on COBIT Framework and on techniques of arranging recommendations from every institution referring to COBIT Framework (both in the version 4 and 5).

Table 2 .
The implementation of COBIT 5 covering the DSS 02 subdomain Incident Management of Information Technology in the Indonesia Higher Education based COBIT Framework: A Review EAI Endorsed Transactions onEnergy Web Online First

Table 3 .
The implementation of COBIT version 4.0 and 4.1 covering the DS 8 subdomain