CHAPTER IV
PROBLEM ANALYSIS
4.1. Business Profile
The objective of PT Sampoerna Telekomunikasi Indonesia (STI) is to become a low-cost telecommunication provider. The company will serve mostly rural subscribers who are not accessible to other telecommunication providers. The company must operate as efficiently as possible in order to achieve this objective. IT is perceived as a strategic tool for operating efficiently.
4.1.1. Current Internal Environment
Currently STI has two (2) major applications in use: a real-time billing application and a customer care application. The services that STI offers to its subscribers are voice, SMS and Internet. STI’s subscribers are divided into three (3) categories: individual, corporate and wartel/warsel. Each category has different business rules applied to it.
STI is supported by an internal IT group. The charter of the internal IT group is:
The Information Technology Group is responsible for the development,
deployment and management of all world class Information Technology
solutions within the company. These solutions should be delivered on
time, in budget and within the service targets laid out in the relevant
Service Level Agreements
4.1.2. Market Competition
There are currently 7 telecommunication operators in Indonesia. They are Telkom (including Telkom PSTN, Telkomsel, and Telkom Flexi), Indosat (including Satelindo, IM3 and StarOne), Excelcom, LippoTel, Mobile 8, Bakrie Telecom (Esia) and CAC. Four of the operators are publicly listed companies on the Jakarta Stock Exchange: Telkom, Indosat, Excelcom and Bakrie Telecom. Two of the operators, Telkom and Indosat, are also publicly listed on the New York Stock Exchange. Financial information and subscriber numbers for these publicly listed companies are easier to collect. The majority of the telecommunication subscriber market in Indonesia is held by Telkom and Indosat.
Periodically, these operators (even the non-publicly-listed ones) publish their information in the media.
Table 4.1. Number of Subscriber and ARPU
Operator   Service Type   Subscriber (in thousand) (2005/04)   ARPU (in thousand rupiah) (2004/12): Prepaid   Postpaid
Telkom Fixed 8200 n/a n/a
Telkomsel Mobile 18500 95 125
Telkom Flexi Fixed 1800 128
Indosat Mobile 12500 92 104
StarOne Fixed 115 60
Excelcomindo Mobile 5000 94 105
LippoTel Mobile 100 71
Mobile 8 Mobile 500 100
Esia Fixed 250 84
CAC Mobile 0
ARPU, or Average Revenue per User, is an indicator of the gross revenue of a telecommunication operator. ARPU is calculated on a monthly basis. ARPU usually differs between prepaid (pra-bayar) and postpaid (pasca-bayar) subscribers. The composition of subscribers is usually 90% prepaid and 10% postpaid for each operator.
4.1.3. Current Mobile Technology
Technology used by each competitor is as follows,
Table 4.2. Telecommunication Technology
Operator | Technology | Frequency (MHz) | Service Type
Telkom | PSTN | | Fixed
Telkomsel | GSM, GPRS, EDGE | 900/1800 | Mobile
Telkom Flexi | CDMA2000/EVDO | 800/1900 | Fixed Wireless Access
Indosat | GSM, GPRS | 900/1800 | Mobile
StarOne | CDMA2000 | 800/1900 | Fixed Wireless Access
Excelcomindo | GSM, GPRS | 900 | Mobile
LippoTel | GSM | 1800 | Mobile
Mobile 8 | AMPS, CDMA1, CDMA2000/EVDO | 800 | Mobile
Esia | CDMA2000 | 800 | Fixed Wireless Access
CAC | WCDMA | 2100 | Mobile
4.1.4. Internal Value chain and relationship
According to the value chain (figure 4.1), competitive advantage can be achieved by increasing the value of individual value chain activities or by reconfiguring the value chain. Included in the value chain are:
1. Inbound logistics
2. Operations
3. Outbound logistics
4. Sales and marketing
5. Servicing
6. Support activities infrastructure
7. Human resource management
8. Product and technology development
9. Procurement
Figure 4.1. Value Chain
Detailed value chain activities are:
1. Inbound logistics
   1. Receiving inventory for sale
   2. Receiving network asset
   3. Quality control
2. Operations
   1. Customer service
   2. Service assurance
   3. Technology infrastructure
   4. Billing
3. Outbound logistics
   1. Distribution
   2. Return inventory
   3. Invoicing
4. Sales and marketing
   1. Promotion
   2. Sales analysis
   3. Market research
5. Servicing
   1. Warranty
   2. Maintenance
6. Support activities infrastructure
   1. Legal
   2. Accounting
   3. Financial management
7. Human resource management
   1. Personnel
   2. Payroll
   3. Recruitment
   4. Training
   5. Manpower training
8. Product and technology development
   1. Developing service
   2. Research and Development
9. Procurement
   1. Supplier Management
   2. Funding
   3. Subcontracting
4.1.5. External Value Chain Analysis
STI receives inventories for sale from the manufacturer. These inventories include:
1. Handset CDMA2000 1x at 450MHz, with accessories
2. Starter pack (RUIM cards)
3. Top-up voucher (scratch cards)
These inventories are then sold to subscribers, either directly from STI’s front shop or through dealers / agents. The external value chain of STI can be seen in figure 4.2.
[Diagram: Manufacturer, STI, Dealer / Agent, Customer; flows: Value and Demand Information, Cost and Supply Information]
Figure 4.2. STI External value chain
4.2. Analysis
4.2.1. Business Model
ETOM is categorized into 3 major categories:
1. Strategy, Infrastructure & Product
2. Operations
3. Enterprise Management
Each of these categories has sub-categories and can be drilled down through several layers. Each ETOM item describes a business process that an operator must provide in order to operate effectively. Each ETOM item is translated into a business process and, depending on the complexity of that business process, a tool might be required to support its execution. The role of IT in supporting the adoption of ETOM in the organization is to provide such tools.
ETOM level 0 or CEO view provides the following
[Figure content: process areas Strategy, Infrastructure & Product; Operations; Enterprise Management. Layers: Market, Product & Customer; Service; Resource (Application, Computing and Network); Supplier / Partner. Parties: Customer; Suppliers and Partners; Shareholders; Employees; Other Stakeholders.]
Figure 4.3. The eTOM Level 0 View
A case study on the implementation of ETOM for Global IT architecture provides the following mapping:
Figure 4.4. eTOM mapping in Vodafone
Hence, adoption of ETOM would require STI to provide the following business processes and possibly their tools:
Table 4.3. Mapping of eTOM to STI
1. Market/Sales, Product and Customer
   1.1. Sales & Marketing
   1.2. Business Intelligence & MIS
   1.3. Customer Management
   1.4. Content Management
   1.5. Billing
2. Service
   2.1. Service Management
   2.2. Provisioning & Fulfillment
   2.3. Rating
3. Resource
   3.1. Network Management
   3.2. Network Infrastructure
   3.3. IT Infrastructure
4. Supplier/Partner
   4.1. Supplier/Partner Management
5. Enterprise Management
4.2.2. SWOT Analysis
SWOT analysis of STI provides the following result
Table 4.4. SWOT Analysis
Strength
• CDMA, more options
• Low cost
• Experience in rural market
• Small agile company
• No legacy technology
Weaknesses
• Lack of distribution network
• Lack of coverage infrastructure
• Lack of human resources
• Large CAPEX required
Opportunities
• Only operator on 450 MHz frequency band
• Targeting rural subscriber inaccessible by competitor
• More manufacturers are supporting CDMA 450
Threat
• Highly competitive industry
• Coverage expansion of competitor
• More education effort required
• New Technology, i.e. WiMAX, GSM 450
Matrix cells
• Improving resource efficiency
• Improving operational efficiency
• Increasing price competitiveness
• Create smart and attractive packaging
• Researching on new offering
• Integrated Support System
• Improving Sales support capabilities
• Increasing service coverage
• Reducing inventory cost
• Customer quality experience
• Increasing responsiveness
• Improving supply chain efficiency
• Improving operational readiness
• Improving personnel capabilities
Strength
1. Offering CDMA services, with more options going forward. CDMA is the latest cellular technology. It provides more features and options compared to other mature cellular technologies, notably GSM.
2. STI is set to become a low-cost provider, primarily due to its lower frequency. A lower frequency means a smaller amount of cellular infrastructure has to be provided.
3. STI has experience in dealing with the rural market. As the only operator specializing in the rural market, STI clearly has a competitive advantage in terms of experience compared to other operators, which specialize mostly in the urban market.
4. STI is a small company, so there is not much bureaucracy. The company is more agile than its bigger competitors.
5. STI does not have legacy technology that needs to be maintained. STI is a start-up company; no legacy technology exists in the company.
Weakness
1. Lack of distribution network. STI is using a unique frequency. Hence, unlike any other operator, STI cannot depend on external distribution channels to provide terminals / handsets. STI must provide its own distribution channel.
2. Lack of coverage infrastructure. STI is a start-up company, and deploying cellular services requires time.
3. Lack of human resources. The number of STI staff is too small to operate effectively.
4. Large capex required. STI is a start-up company; hence it requires large capital in order to be able to provide cellular services. Being a cellular operator is a capital-intensive investment.
Opportunity
1. STI is the only operator holding a license in the 450 MHz frequency band. This frequency enables STI to provide larger coverage with less infrastructure.
2. STI is targeting rural subscribers, who are untapped by other operators. Other operators are targeting the urban market with high teledensity.
3. Around the world CDMA 450 is gaining momentum, with more manufacturers providing equipment for CDMA 450. This will drive down the cost of the terminal / handset.
Threat
1. The telecommunication industry is highly competitive; competition will be tough.
2. Coverage expansion by other operators could potentially take customers away from STI’s service.
3. Since most of STI’s customers are in the rural market, more effort is required to educate customers.
4. Entrance of new technology, especially GSM450 and WiMAX.
To deal with the weaknesses and threats it faces, STI should pursue the following:
1. Improving resource efficiency: this would involve increasing the efficiency of resource usage in order to achieve the company objective of becoming a low-cost operator.
2. Improving operational efficiency: this would involve increasing the efficiency of daily operation in order to achieve the company objective of becoming a low-cost operator.
3. Increasing price competitiveness: this would involve creating an attractive price for the terminal / handset itself and an attractive price for the service / tariff.
4. Creating smart and attractive packaging: this would involve creating packaging that would appeal mostly to rural customers.
5. Researching on new offering: this would involve researching offerings based on CDMA technology that can be used to create smart and attractive packaging.
6. Integrated Support System: this would involve creating a single data source that would be used by company-wide applications to expedite data extraction. Hence all applications would have a single view of the data.
7. Improving Sales support capabilities: this would involve providing logistics and POS applications that would enable the sales division to operate effectively.
8. Increasing service coverage: this would involve providing larger service coverage beyond the existing coverage.
9. Reducing inventory cost: this would involve better management of the terminal / handset inventory in order to avoid overstock in one area and understock in another.
10. Customer quality experience: this would involve providing the customer with the best experience in dealing with STI.
11. Increasing responsiveness: this would involve increasing the responsiveness of STI toward customers’ queries.
12. Improving supply chain efficiency: this would involve increasing the efficiency of the supply chain that STI uses to provide terminals / handsets to customers.
13. Improving operational readiness: this would involve increasing the operational readiness of STI’s operation division.
14. Improving personnel capabilities: this would involve increasing the quality of STI’s personnel.
4.2.3. Porter’s Five Forces
The five forces analysis of STI can be seen in figure 6. The analysis is done on the assumption that STI offers basic communication services to rural subscribers.
Figure 4.5. Porter’s five forces
Bargaining power of supplier: Medium
• STI purchases terminals / handsets in bulk directly from the manufacturer. There are a few manufacturers in the world.
Bargaining power of buyers: Medium
• Buyers could purchase a competitor’s service
• For some buyers, STI is the only telecommunication provider.
Threat of new substitute product / service: Low
• Satellite communication (expensive)
• Non-interactive communication (i.e. POS, telegram, telex)
Rivalry amongst existing competitor: High
• Telecommunication operators are continuously offering discounts / bonuses to attract subscribers
• The market leader has a total number of subscribers equal to the sum of the other operators
• Competitors could decide to enter the rural market with low teledensity
Threat of new entrants: Low
• High investment required to be a telecommunication operator.
• No other competitor is licensed to operate on the 450MHz frequency band
The threat of new entrants is considered low due to the fact that:
1. There is a high investment cost required to become a telecommunication operator. This cost would cover license and capital.
2. Currently, no other operator is licensed to operate on the 450MHz frequency band, and the government is not offering 450MHz to other operators.
The bargaining power of buyers is considered medium due to the fact that:
1. For some buyers, STI is the only telecommunication provider. Other operators are not interested in providing coverage if the buyer is located in an area with low teledensity.
2. If a competitor decides to enter the low teledensity market, there is a possibility that the buyer would switch to the competitor’s offering, although this would cost the buyer a significant amount of money since their terminal / handset (purchased from STI) is not usable on the competitor’s service. This is due to the frequency difference.
The threat of new substitute products / services is considered medium due to the fact that competitors could decide to enter the low teledensity market even though they will lose money.
The bargaining power of suppliers is considered medium due to the fact that STI always purchases terminals / handsets directly from the manufacturer in bulk quantity. There are a few manufacturers in the world. STI needs to purchase its own terminals / handsets since the handset is specific to the 450 MHz frequency. The market usually offers a very competitive price on their product.
Rivalry amongst existing competitors is high due to the fact that:
1. Competitors are continuously offering discounts / bonuses to their subscribers.
2. The market leader (Telkomsel) has a total of 18,500,000 subscribers. This number is bigger than the number of subscribers of all other operators combined. It would be extremely difficult to challenge Telkomsel.
4.2.4. Strategic Group Map
The different competitive positions of industry rivals in the cellular industry are shown in the competition map of STI as follows,
[Figure content: vertical axis Service Price (Low to High); horizontal axis Coverage (Rural to Urban); operators plotted: STI, Telkom Flexi, Esia, StarOne, Telkomsel, Excelcom, Satelindo, Mobile 8]
Figure 4.6 Strategic Group Map
4.2.5. Balanced Scorecard
Balanced scorecard model of STI is as follows,
Figure 4.7. Balanced Scorecard Model
The objective of STI is mapped into Balanced Score Card as follows,
Table 4.5. BSC Financial Perspective
Financial Perspective
Objective | Measure | Parameter
To increase corporate value | ROE | High
To increase revenue | Revenue | High
To improve resource efficiency | Ratio of Cost per subscriber | Low
Table 4.6. BSC Customer Perspective
Customer Perspective
Objective | Measure | Parameter
Customers quality experience | Customer churn rate | Low
Creating smart & attractive packaging | Customer growth | High
Increasing service coverage | Customer growth | High
Increasing price competitiveness | Service price vs competitor price |
Increasing Responsiveness | Customer Care Response Time | Low
Table 4.7. BSC Internal Perspective
Internal Perspective
Objective | Measure | Parameter
Integrated support system | Response time | Low
Improving operational readiness | Time to market | Low
Improving operational efficiency | Ratio of OPEX per subscriber | Lower
Table 4.8. BSC Innovation and Learning Perspective
Innovation and Learning Perspective
Objective | Measure | Parameter
Researching on new offering | Number of product / service offering | High
Improving personnel capabilities | Ratio of Revenue per employee | High
4.2.6. Critical Success Factor
Critical Success Factor of STI is mapped as follows,
Table 4.9. CSF Financial Perspective
Financial
Objective CSF IS Needed Portfolio
To increase corporate value
To increase revenue
Aggressively launch new market and new product
Better resource planning
ERP Strategic
ERP Strategic CRM Strategic Office automation Support
To improve resource efficiency
Using automation where possible
EAM Support
Table 4.10. CSF Customer Perspective
Customer
Objective CSF IS Needed Portfolio
Customers quality experience
Commit to provide best service
CRM Strategic
Creating smart & attractive packaging
Develop packages suitable for target market
Business Intelligence
Strategic
ERP Strategic Increasing service coverage
Launch new market Business
Intelligence Strategic
Office automation Support Increasing price competitiveness
Improving operational efficiency
ERP Support
Knowledge Management
Strategic Identifying and sharing causes of all problem CRM Strategic
Increasing Responsiveness
Tracking all enquiries / progress daily
Trouble ticketing system
Strategic
Table 4.11. CSF Internal Perspective
Internal
Objective CSF IS Needed Portfolio
ERP Strategic CRM Strategic
Integrated support system
Provide integrated system
POS Strategic Provide easy customized system
Billing system Key Operational
Knowledge Management
Support
Office automation Support
Improving operational readiness Provide SOP that
align with business objective
ERP Strategic Reducing inventory cost
Inventory Management system
Key Operational Improving operational efficiency
Improving supply chain efficiency
Inventory Management system
Support
Table 4.12. CSF Innovation and Learning Perspective
Innovation and Learning
Objective CSF IS Needed Portfolio
Market survey & analysis
Business Intelligence
Support Researching on new offering
Research and development
Knowledge Management
Support
Recruit right candidates
HR information system
Support Improving personnel capabilities Provide sufficient
training Learning Management System
Support
Merit system for innovation
HR information system
Support
The portfolio category of each IS need is given in the rightmost column.
4.2.7. Consolidated Balanced Scorecard and Critical Success Factors
Consolidated BSC and CSF are as follows,
Table 4.13. Consolidated BSC – CSF Financial Perspective
Financial
Objectives Measure (s) Action (CSF) IS Needs
To increase corporate value
ROE
To increase revenue
Revenue Aggressively launch new market and new product
Better resource planning
ERP
ERP CRM Office automation
To improve resource efficiency
Ratio of Cost per subscriber
Using automation where possible
EAM
Table 4.14. Consolidated BSC – CSF Customer Perspective
Customer
Objectives Measure (s) Action (CSF) IS Needs
Customers quality experience
Customer churn rate
Commit to provide best service
CRM
Creating smart & attractive packaging
Customer growth Develop packages suitable for target market
Business Intelligence
ERP Increasing service coverage
Customer growth Launch new market Business
Intelligence Office automation Increasing price
competitiveness Service price vs competitor price
Improving operational efficiency
ERP
Knowledge Management
Identifying and sharing causes of all problem CRM
Increasing Responsiveness
Customer Care Response Time
Tracking all enquiries / progress daily
Trouble ticketing system
Table 4.15. Consolidated BSC – CSF Internal Perspective
Internal
Objectives Measure (s) Action (CSF) IS Needs
ERP CRM
Integrated support system
Response time Provide integrated system
POS Provide easy customized system
Billing system
Knowledge Management Office automation
Improving operational readiness
Time to market
Provide SOP that align with business objective
ERP Reducing inventory cost
Inventory Management system
Improving operational efficiency
Ratio of OPEX per subscriber
Improving supply chain efficiency
Inventory Management system
Table 4.16. Consolidated BSC – CSF Innovation and Learning Perspective
Innovation and Learning
Objectives Measure (s) Action (CSF) IS Needs
Market survey & analysis
Business Intelligence
Researching on new offering
Number of product / service offering
Research and development
Knowledge Management
Recruit right candidates
HR information system
Provide sufficient training
Learning Management System
Improving personnel capabilities
Ratio of Revenue per employee
Merit system for innovation
HR information system
4.2.8. Mapping of eTOM and Consolidated BSC/CSF
The mapping between eTOM and the consolidated BSC/CSF is described in table 4.17.
Table 4.17. Mapping of eTOM and Consolidated BSC/CSF
eTOM | Consolidated BSC/CSF
Sales & Marketing | Business Intelligence, Inventory Management System, POS
Business Intelligence & MIS | Business Intelligence
Customer Management | CRM (operational), Trouble Ticketing
Content Management | Billing System, CRM (operational)
Billing | Billing System
Service Management | Network Resource Management (NRM), Enterprise Asset Management (EAM), Billing System
Provisioning and Fulfillment | Network Resource Management (NRM), Enterprise Asset Management (EAM)
Rating | Billing System
Network Management | Enterprise Asset Management (EAM)
Network Infrastructure IT Infrastructure Supplier / Partner Management | Inventory Management System, Point of Sales (POS)
Enterprise Management | Enterprise Resource Planning (ERP), Office Automation, Human Resource Information System, Learning Management System
Sales and Marketing requirements cannot be fulfilled entirely with automated systems. The Business Intelligence System, Inventory Management System and Point of Sale System would only provide support for Sales and Marketing objectives.
Network Resource Management (NRM) and Enterprise Asset Management (EAM) would also only provide support for the Service Management and the Provisioning and Fulfillment objectives. The Billing System also provides support for Service Management objectives.
Enterprise Management is a large area consisting of many objectives. Some of the objectives will be supported by the Enterprise Resource Planning (ERP) System, Office Automation System, Human Resource Information System and Learning Management System.
4.3. IS Strategy
The analysis produces the following strategy.
4.3.1. Applications Portfolio
The IS needs and their placement in the applications portfolio are shown in table 4.17.
Table 4.17. Applications Portfolio
Strategic High Potential ERP
CRM (operational) Business Intelligence
Trouble Ticketing POS
Billing System Inventory Management System
Office Automation EAM
Knowledge Management HRIS LMS
Key Operational Support
4.3.2. Management of IS investment
IT investment is a significant investment for STI and has to be managed correctly. The current industry standard for IT governance is COBIT, and the current industry standard for IT management is ITIL. A current mapping of COBIT and ITIL is available (IT Service Management Forum 2005). The mapping also shows that 42% of COBIT control objectives are not covered by ITIL processes. However, 100% of ITIL processes are covered by COBIT control objectives.
Complying with COBIT would also give STI a competitive edge in passing IS audits successfully, since an audit would most likely also use COBIT as the industry standard.
4.3.2.1. Organizational Structure
The recommended organizational structure is that of COBIT. This would include an IT steering committee and the separation of four functions:
1. Planning and Organization
2. Acquisition and Implementation
3. Delivery and Support
4. Monitoring
Inclusion of an IT Steering Committee within the organization is also advised under COBIT Planning and Organization control objective number 4 (PO4), which is to define the IT organization and relationship:
The organization's senior management should appoint a planning or steering
committee to oversee the information services function and its activities.
Committee membership should include representatives from senior management,
user management and the information services function. The committee should
regularly meet and report to senior management.
There are four steps involved in the IT Steering Committee:
1. Review the IT steering committee charter
2. Determine the effectiveness of IT steering committee
3. Review the IT steering committee
4. Issue audit report
4.3.2.2. Business Continuity Planning
Business Continuity Planning is advised under:
1. COBIT Delivery and Support control objective number 4 (DS4): Ensure continuous service. Detailed control objectives are:
   1. IT Continuity Framework
   2. IT Continuity Plan Strategy and Philosophy
   3. IT Continuity Plan Contents
   4. Minimising IT Continuity Requirements
   5. Maintaining the IT Continuity Plan
   6. Testing the IT Continuity Plan
   7. IT Continuity Plan Training
   8. IT Continuity Plan Distribution
   9. User Department Alternative Processing Back-up Procedures
   10. Critical IT Resources
   11. Back-up Site and Hardware
   12. Off-site Back-up Storage
   13. Wrap-up Procedures
2. COBIT Delivery and Support control objective number 1 (DS1): Define and manage service levels. Business Continuity Planning will incur additional operational cost to the company. It must be justified using a Service Level Agreement.
There are four steps involved in implementing a Business Continuity Plan:
1. Business Impact Analysis (BIA)
2. Risk Assessment
3. Risk Management
4. Risk Monitoring
4.3.2.3. Security Management
Information is a critical asset of the company. Information security is advised under:
1. COBIT Planning and Organization control objective number 2 (PO2): Define
the information architecture. Detailed control objective number 4: Security
levels.
2. COBIT Planning and Organization control objective number 4 (PO4): Define
the IT organization and relationship. Detailed control objective number 6:
Responsibility for logical and physical security
3. COBIT Planning and Organization control objective number 6 (PO6):
Communicate management aims and direction. Detailed control objective
number 8: Security and internal control framework policy.
4. COBIT Acquisition and Implementation control objective number 1 (AI1):
Identify automated solutions. Detailed control objective number 9: Cost
effective security controls
5. COBIT Acquisition and Implementation control objective number 3 (AI3):
Acquire and maintain technology infrastructure. Detailed control objective
number 3: System software security.
6. COBIT Acquisition and Implementation control objective number 5 (AI5):
Install and accredit system. Detailed control objective number 10: Security
testing and accreditation.
7. COBIT Delivery and Support control objective number 2 (DS2): Manage
third party services. Detailed control objective number 7: Security relationship.
8. COBIT Delivery and Support control objective number 5 (DS5): Ensure
system security. All detailed control objectives.
9. COBIT Delivery and Support control objective number 7 (DS7): Educate and
train users. Detailed control objective number 3: Security principles and
awareness training.
10. COBIT Delivery and Support control objective number 11 (DS11): Manage
data. Detailed control objective number 16: Security provision for output
reports.
11. COBIT Delivery and Support control objective number 12 (DS12): Manage
facilities. Detailed control objective number 1: Physical security.
12. COBIT Monitoring control objective number 2 (M2): Assess internal control adequacy. Detailed control objective number 4: Operational security and internal control assurance.
13. COBIT Monitoring control objective number 3 (M3): Obtain independent
assurance. Detailed control objective number 1: Independent security and
internal control certification / accreditation of IT services.
14. COBIT Monitoring control objective number 3 (M3): Obtain independent
assurance. Detailed control objective number 2: Independent security and
internal control certification / accreditation of third party service providers.
Security must conform to the three tenets of information security: confidentiality, availability and integrity. The International Information System Security Certification Consortium (IISSCC) defines 10 security domains that must be fulfilled:
1. Access Control Systems and Methodology
2. Application and Systems Development Security
3. Business Continuity Planning and Disaster Recovery Planning
4. Cryptography
5. Law, Investigation, and Ethics
6. Operations Security
7. Physical Security
8. Security Architecture and Models
9. Security Management Practices
10. Telecommunications and Networking Security
4.3.2.4. Budget
The budget for acquisition of applications should be requested by business users and
approved by management since it is a significant investment.
4.3.2.5. Measurement
A survey was conducted by the IT Governance Institute and Lighthouse Global in 2004 to measure the effectiveness of performance measurement techniques for IT projects and investments. The result is shown in figure 4.8.
Figure 4.8. Perceived Effectiveness of Performance Measurement Techniques for IT Projects and Investments
It can be seen that for projects / investments with intangible benefits, Information Economics is widely used. However, the in-house method of measurement is perceived as more effective than Information Economics.
IT measurement is also advised under COBIT Delivery and Support control objective number 1 (DS1): Define and manage service levels. The detailed control objectives are:
1. Service Level Agreement Framework
2. Aspects of Service Level Agreements
3. Performance Procedures
4. Monitoring and Reporting
5. Review of Service Level Agreements and Contracts
6. Chargeable Items
7. Service Improvement Programme