IT GOVERNANCE EVALUATION USING COBIT 5 FRAMEWORK ON THE NATIONAL LIBRARY

National Library of Indonesia (NLI) is a public library located in Jakarta, established by the decree of Ministry of Education and Culture in 1980. This day NLI has already applied digitalization of its contents and its management with IT, IT has been an important aspect in an organization. The objective of IT implementation is to increase effectivity and performance in organization. In order to get maximum results, good IT Governance is important in order to get good alignment between the IT and the business, the better IT Governance the greater outcome that the organization will get. This research will use qualitative method using COBIT 5 framework, interview and observation as research instruments, the reason of these method usage because authors can collect data as accurate as possible based on the actual condition. The objective of this research is to get an overview about the level of IT Governance on going, the analysis tool will be used is COBIT 5 focusing on DSS domain. The average score of DSS01, DSS02 and DSS03 is in 1.2 to 1.6 and for the DSS04, DSS05 and DSS06 domain the average score is between 2.1 and 2.3.


Introduction
Library is an organization whose aim is to build and maintain knowledge and collection to provide information for research, educational, cultural etc.
[1].Public library is a center of information and knowledge, public library can be accessed by any users regardless their race, age, sex religion, language or social status.The public library is free of charge as the public library is the responsibility of the local governments.Its funding and operation must be supported and financed by local governments [2].
National Library of Indonesia (NLI) is a nonministry government institution located at Gambir, south side of Merdeka Square, Jakarta.The national library was established in 1980 by the decree of Ministry of Education and Culture [3].One of the NLI mission is to develop a modern national library infrastructure, modern library means that most of the content will be digitalized and can be accessed widely through the internet.In order to provide maximum service, effective and efficient IT governance is mandatory.Good IT governance ensure that the IT sustain and extends the NLI strategy and goals [4] [5].
In this era the needs for Information Technology is high because IT offers efficiency and effectiveness to support organization in achieving it goals.and because of the benefits many organizations make huge investments in IT [6] [7].The success of IT implementation depends on the how well organization manages and monitor the IT, these action is to ensure that the IT implementation will generates benefits for the organization [8].Poor management and monitoring can lead organization's IT investments will go in vain [9], In order to get maximum benefits from the IT investments organization must evaluate its IT Governance periodically.This action is needed to oversee that the IT management is running well and optimum.
Organizations should adopt and implement IT Governance as its implementation is useful to ensure that the IT supports and aligns consistenly with the organizations objectives [5].IT Governance concerns on how the IT in the organization is managed and structured, it provides practices that enable the alignment between business and IT to enhance their performance and governance [10] [11] [12].COBIT (Control Objectives for Information and related Technology) is a framework developed and published by ISACA (Information Systems Audit and Control Association).COBIT has proven it reliability and has become worldwide leader in IT Governance, control security and assurance [13].
In this research authors will try to evaluate IT governance in NLI, the purpose of this research is to get an overview of the IT governance and performance in order to determine the capability levels of IT governance in NLI.COBIT 5 will be used as a guidance in assessing all processes within the IT function [14].COBIT 5 helps the organization to create an optimal IT value by creating and maintaining the balance between benefits, optimizing the level of the risk and achieving goals through effective IT governance and IT management [14].The domain that will be used in this research is Deliver, Service and Support, DSS focuses on delivery aspects of IT and support process that enables effective and efficient execution of IT.

IT Governance
Governance in business context is a series of rules, processes and actions that organization undertakes to determine organization strategies and operate the organization in a determined manner to help organization achieve it goals.While IT Governance refers to organizational structures and processes to ensure that the organization's IT fully support the organization goals [4] [15] [16].
IT Governance Institute (ITGI) defines that IT Governance can be applied into almost all kind of organizations, including aligning IT strategies with organization's strategies.Efficient IT resource allocation can help the organization to achieve its goals and in addition organization can carry out performance measurements to get an overview and assess how far the organizations has fulfilled their goals [15] [17].The IT Governance definition can be seen on Figure 1.IT Governance Definition.COBIT is a framework that helps auditors.Management and users to bridge the gap between business risk, needs, control and technical issues [15][16].COBIT has experienced the evolution that is long enough to create best framework that can be used in implementation of the Enterprise IT Governance [18] [19].
COBIT 5 is a framework developed and published by ISACA (Information Systems Audit and Control Association) on 2012 [20].It provides guidance for organizations in order to achieve organization's goals related to IT Governance and IT management.COBIT 5 provides comprehensive framework to support the establishment for an alignment between IT with the business itself.COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire organization, it covers the overall business process and functional areas of responsibility and considering the IT related interests of internal or external stakeholders [21] [22].
COBIT 5 allows organization to develop system and procedures for good IT control and management, the development is useful to provide management of Enterprise IT.COBIT 5 includes a set of 37 divided into two main processes shown in Figure 2 Governance and Management Key Areas.

Governance Processes
Governance processes is to ensure that enterprise objectives are optimally achieved by evaluating stakeholder needs, condition, option and set the direction through prioritization and monitoring the performance against agreed sets of goals.

Management Processes
Management processes is to manage plans, builds, runs and monitors working to ensure that the process set by the governance body will achieve the organizations objectives [24].

Methods
This research is conducted by using qualitative method, the research instruments chosen are interview and observation because these instruments allows authors to gather and collect data simultaneously within the current situation [25].The research flowchart can be seen on Figure 3 Research Flowchart.Data from the observation were gathered by interviewing respondents, there are 3 respondents in total.the first one is the head of automation sub-field, the second and the third are the computer institution expert.Based on Figure 4 is the Interview Flowchart.Report as the final result from the observation and interview is processed and calculated based on COBIT 5 capability levels model as seen on Table 1 COBIT 5 Capability Levels Model.The result will contain current capability level and expected capability level, after the calculation the next step is to do gap analysis in order to analyze the interpretation of the current and expected level and to provide recommendation and corrective action needed to overcome the gap and to achieve improvements in IT Governance.

Result and Analysis
In this step authors analyze the overall process with the COBIT 5 framework.Our analysis will be focusing on the IT department at the National Library of Indonesia (NLI).the analysis will include its employees, equipment, standard operational procedure etc.The domain that will be used in this process is Delivery, Service and Support (DSS).

DSS01 Manage Operations
The purpose of this sub-domain is to assess the coordination and the execution of the activities including the operational procedures that are important and required for the optimum delivery of internal and outsourced IT services.This subdomain also includes the execution of pre-defined standard operating procedures and the required monitoring activities.
Most of the operations at the NLI is already running well, and the IT facilities are already being taken care and treated well.But there are lack of documentation to support the operations, the average score for this sub-domain is 1.2. the details of this sub-domain can be seen on table 2 Capability Levels of DSS01 Manage Operations.The purpose of this sub-domain is to assess the timeliness and effectiveness of the response given based on the user requests and resolution of all types of incidents, in order to increase productivity and minimize disruptions through quick resolution for the incidents.Identification of user needs and recovery activities are already existing, all of the incident is already solved and already handled by experts in their field, reports is already being generated in timely manner and online reporting is already being implemented.But there is still no incident definition, escalation analysis and documentation about the incident.The average score for this subdomain is 1.3.The details of this sub-domain can be seen on table 3 Capability Levels of DSS02 Manage Service Requests and Incidents.

DSS03 Manage Problems
The main purpose of this sub-domain is to assess the identification, classification of incidents and their root cause in order to provide best resolution in timely manner to prevent the incidents reoccur, also to enhance improvements from the recommendations composed in this sub-domain.the objective of this sub-domain are improvement of service levels, costs reduction and improvement of service by reduction the number of operational problems.
Identification of incidents are already done, known-error and its solutions are already made, problem, costs monitoring and progress reports for communication is already being implemented supported by meetings to discuss occurring problems and upcoming problems.But there is still no IT service desk and system to support the recording and problem management.The average score for this sub-domain is 1.6.The details of this sub-domain can be seen on table 4 Capability Levels of DSS03 Manage Problems.

DSS04 Manage Continuity
The purpose of this sub-domain is to assess the establishment and the maintenance of a plan that will enable the business and IT respond to an incident in a harmony and in timely manner, this action purpose is to ensure the operation of critical business process and required IT services goes well when incidents occurring, also to maintain the availability of information when incidents ocurring.The objective of this subdomain is to continue critical business operations and maintain, provide availability of data & information in the event of a disruption.Identification of internal, outsourced service, key stakeholder, business process and scenario is already done.Backup of data is already done regularly.Business analysis is already implemented and business continuity plan and the response is also already being made supported by regular review, maintenance and improvement of the continuity plan.But the Business Continuity Plan (BCP) hasn't tested yet, so the training and its review could not be done.The average score for this sub-domain is 2.1.The details of this subdomain can be seen on table 5 Capability Levels of DSS04 Manage Continuity.

DSS05 Manage Security Services
The purpose of this sub-domain is to assess the protection of organization information in order to maintain the information security according to the security policy, and the establishment alongside with the maintenance of IT security roles, access privileges and performance of security monitoring.
Every policy is already made based on the risk and business evaluation there is already activities to protect devices against malware and the software used is already updated regularly.Network security and its protocol already exist and network filtering is already implemented, endpoint devices is already managed and configured well.Management of user identity, logical access, management of sensitive documents and outputs device alongside with physical access management is already managed well.But the anti-malware software distribution is still done manually and there is no security events review, internal or external audit to audit the access of sensitive information is still not implemented.The average score for this subdomain is 2.1.The details of this sub-domain can be seen on table 6 Capability Levels of DSS05 Manage Security Services.

DSS06 Manage Business Process Controls
The purpose of this sub-domain is to assess the definition and maintenance of business process controls to ensure the information needed satisfies all relevant control requirement.The objective of this sub-domain is to maintain information integrity and security within business process either processed internally or outsourced.There is already identification and documentation done about control activity, monitoring is already implemented to enhance improvement.Every information transaction is made according to procedure and its verified to ensure its accuracy, information asset is already classified and training is already conducted alongside with good security, error correction procedure and review.But access control is still not reviewed periodically.The average score for this sub-domain is 2.3.The details of this subdomain can be seen on table 7 Capability Levels of DSS06 Manage Business Process Control.
Based on the research conducted, improvements is needed in order to improve the performance level that are below the expected level.these are the recommendations for the improvements are:

Recommendation based on DSS01 Manage Operations
In this domain, lack of documentation is the major problem.Definition and documentation is still not done thoroughly, NLI should document and define all of the SOP so all of the activity is well documented and can be monitored or revised periodically.

Recommendation based on DSS02 Manage Service Requests and Incidents
These domains, lack of definition, documentation and escalation analysis are the major problem.Definition and documentation is still not done thoroughly, NLI should document and define all of the SOP so all of the activity is well documented and can be monitored or revised periodically.NLI should also do escalation analysis, escalation analysis useful to keep track of the problem that frequently occur.the analysis also can be used for the reference to produce solutions for the problems.

Recommendation based on DSS03 Manage Problems
In this domain the major problem is there is no IT service desk and the system.NLI should implement IT service desk and system, this implementation is needed to create incidents ticket, incidents recording and incidents progress monitoring.

Recommendation based on DSS04 Manage Continuity
In this domain the major problem is the BCP is never tested, trained or reviewed.NLI should test, train and review the BCP regularly, this actions is needed in order to improve, maximize and to detect flaws from the BCP and to provide the corrections needed.

Recommendation based on DSS05 Manage Security Services
In this domain the major problem are antimalware software distribution is still done manually, no security events review and internal audit on sensitive information is still not conducted.NLI should distribute anti-malware software centrally so all of the anti-malware software on devices can be installed and updated at the same time.NLI also should review security events regularly in order to make sure there is no severe security events occurring without the NLI knowledge.NLI should also conduct internal audit on sensitive information regularly, this action is needed to prevent sensitive information accessed by unwanted party.

Recommendation based on DSS06 Manage Business Process Controls
These domains the major problem is access control is still not reviewed periodically, NLI should do this action in order to prevent unauthorized user can modify or access sensitive information.

Conclusion
The conclusion of this research is that the IT governance at the NLI has already implemented but most of them still not run optimally because they have not reached the expected level.on DSS01 manage operations the average score is 1.2, on DSS02 manage service requests and incident the average score is 1.3, on DSS03 manage problems the average score is 1.6, on DSS04 manage continuity the average score is 2.3, on DSS05 manage security services the average score is 2.1, on DSS06 manage business process controls the average score is 2.3.The performance level of DSS01, DSS02 and DSS03, they are still at level 1 performed process, on the DSS04, DSS05 and DSS06 the performance level is still at level 2 managed process.Result of this research is the performance of IT Governance in NLI has already performed, but most of it is still not defined, formalized and documented.We hope this research and recommendations can be used by NLI as reference for the improvement of their IT Governance.

Figure 1 .
Figure 1.IT Governance Definition [13] COBIT 5 COBIT (Control Objectives for Information and related Technology) is a set of documentation and guidelines for implementation of IT Governance.COBIT is a framework that helps auditors.Management and users to bridge the gap between business risk, needs, control and technical issues[15][16].COBIT has experienced the evolution that is long enough to create best framework that can be used in implementation of the Enterprise IT Governance[18] [19].

Figure 5 .
Figure 5. Radar chart of the Summary of Performance Level on DSS Domain

TABLE 8
The summary of the performance level can be seen on table 8 summary of performance level on DSS domain and figure5Radar chart of the Summary of the Performance Level on DSS Domain.