Information Security Governance and Management Capability Assessment: A Lesson Learned from Directorate General of Taxes

Bandi Ashari


Information plays an important role in improving business operations and supporting the decision-making process. The emergence of e-commerce and e-government requires more frequent data exchanges, including exchanges of sensitive data. This study focuses on portraying how the Directorate General of Taxes (DGT) plans and builds its ability to enforce IT governance, especially with respect to information security. In addition, this research can serve as a basis for DGT’s continuous improvement. We use the ISGM capability model, which combines COBIT 5 and ISO 27001, as an approach to measure an organization’s capability to govern and manage its information security. We found that DGT’s overall information security governance and management capability is at the “well defined” level. Almost all ISGM building blocks have been established according to tailor-made policies and standards. With this capability level, DGT’s ISGM can contribute to the business, as shown in several DGT programs. However, to obtain optimal value from ISGM, DGT needs to improve its capability level, especially with respect to organizational aspects such as alignment with business strategies and resource management.

Author Biography

Bandi Ashari, University of Indonesia

Faculty of Computer Science
University of Indonesia
