By
Maulid Ibnu Adhi Purwoko 21951005
MASTER’S DEGREE in
MASTER OF INFORMATION TECHNOLOGY FACULTY OF ENGINEERING & INFORMATION
SWISS GERMAN UNIVERSITY The Prominence Tower
Jalan Jalur Sutera Barat No. 15, Alam Sutera Tangerang, Banten 15143 - Indonesia
February 2021
Revision after thesis defense on 3 February 2021
STATEMENT BY THE AUTHOR
I hereby declare that this submission is my work and to the best of my knowledge, it contains no material previously published or written by another person, nor material which to a substantial extent has been accepted for the award of any other degree or diploma at any educational institution, except where due acknowledgment is made in the thesis.
Maulid Ibnu Adhi Purwoko
_____________________________________________
Student
Date
Approved by:
Dr. Ir. Moh. A. Amin Soetomo, MSc.
_____________________________________________
Thesis Advisor
Date
Dr.Mulya R.Mashudi, S.T., M.E.M.
_____________________________________________
Thesis Co-Advisor
Date
Dr. Maulahikmah Galinium, S.Kom, M.Sc.
_____________________________________________
Dean
Date
ABSTRACT
PRESERVING BANK PRIVACY DATA ON THIRD-PARTY USING COBIT FRAMEWORK IN ABC BANK
By
Maulid Ibnu Adhi Purwoko
Dr. Ir. Moh. A. Amin Soetomo, MSc., Advisor
Dr. Mulya R. Mashudi, S.T., M.E.M., Co-Advisor
SWISS GERMAN UNIVERSITY
Many studies address third-party security assessments, which play a role in how banking customers' personal data is processed and protected. This differs from prevailing practice in Indonesia, where banks, regulators, and the banking supervisory authority have not formulated substantive guidelines or procedural provisions, applied nationally, for assessing the risk of third parties that process bank data. COBIT is an IT governance framework that is used to implement IT service management and also serves an audit function; it has three components, namely the measurement of Company Goals, IT Goals, and Risk Assessment, which together allow third parties to be evaluated holistically in terms of the services they provide. Protection of the Bank's confidential data can be added to this evaluation using metrics drawn from DMBOK, the PIMS framework of ISO 27701, and the NIST Privacy Framework. This research was conducted by collecting literature on third-party cooperation and by sending a questionnaire to a sample of 10 third-party services that process bank-owned data. The main data-collection method is to map the process flow for assessing a third party that will manage the Bank's data; for the risk assessment, a sample questionnaire was sent to 10 third-party companies, selected according to the type of service they provide. Data analysis consists of qualitative inductive analysis based on the COBIT DSS framework, which is used to draw conclusions on three data governance metric goals, namely effectiveness, availability, and value.
Keywords: Third Party, Data Privacy and Protection, COBIT DSS.
© Copyright 2021 by Maulid Ibnu Adhi Purwoko
All rights reserved
DEDICATION
I dedicate this work to the future of the country I love: Indonesia, and to the company I currently work at.
ACKNOWLEDGEMENTS
Alhamdulillah, with great gratitude to Allah and my role model Prophet Muhammad P.B.U.H. To my parents, who have taught and supported me. To my beautiful wife and my two amazing kids, who have motivated me so that I could continue my Master's.
And most importantly, I want to thank my committee members for their support, patience, and good humor. Dr. Ir. Moh. A. Amin Soetomo, MSc., as my thesis Advisor, was very helpful in guiding me to complete my thesis with various inputs on research methodology and how to prepare it. Dr. Mulya R. Mashudi, S.T., M.E.M., for his advice in writing my thesis. I would also like to thank all friends from MIT SGU Batch 24 and Batch 25 for their enthusiastic support.
TABLE OF CONTENTS
Page
STATEMENT BY THE AUTHOR ...2
ABSTRACT...3
DEDICATION ...5
ACKNOWLEDGEMENTS ...6
TABLE OF CONTENTS ...7
LIST OF FIGURES ...10
LIST OF TABLES ...11
CHAPTER 1 - INTRODUCTION ...12
1.1 Background ...12
1.2 Problem Statement ...14
1.3 Research Objective ...15
1.4 Research Question...16
1.5 Scope and Limitation ...16
1.6 Significance of Study ...16
1.7 Hypothesis...16
1.8 Thesis Structure...17
CHAPTER 2 - LITERATURE REVIEW ...18
2.1 Principles and Factors ...18
2.1.1 Data Privacy and Protection...18
2.1.2 Third Party ...20
2.2 Regulatory Impact...21
2.2.1 Indonesian Government Draft Law on PDP (Personal Data Protection)...21
2.2.3 General Data Protection Regulation ...22
2.3 Governance and IT Control Framework ...23
2.2.2 OJK Regulation...23
2.3.1 Data Management (DMBOK)...24
2.3.2 International Organization for Standardization 27701 ...26
2.3.3 National Institute of Standards and Technology (NIST Privacy Framework) ...28
2.3.4 Control Objective for Information and Related Technology (COBIT) ...29
2.4 Vendor/Third-party risk assessment ...30
2.4.3 Risk Evaluation ...32
2.4.4 Risk Treatment ...33
2.5 Conceptual Framework ...33
2.5.1 Proposed Framework ...33
2.5.2 Questionnaire ...34
2.6 Previous Studies ...35
CHAPTER 3 - RESEARCH METHODS ...37
3.1 Data Collection ...37
3.2 Benchmark/Analysis ...38
3.2.1 Proposed Framework ...39
3.2.2 Third-Party Risk Assessment...40
3.2.2.1 Classifying ... 41
3.3 Evaluation ...43
3.4 Validation...43
CHAPTER 4 - RESULTS AND DISCUSSIONS ...45
4.1 Initial Evaluation and Limitation ...45
4.1.1 Data Collection ...45
4.1.2 Benchmark/Analysis ...45
4.1.2.1 Discussion with Head of Information Security Risk Management at Local Private Bank 1 ... 45
4.1.2.2 Discussion with Head of Information Security Risk at Local Private Bank 2 ... 46
4.1.2.3 Discussion with Top 5 Consultant ... 46
4.1.3 Third-Party Risk Assessment...47
4.1.3.1 Assessment Result ... 47
4.1.3.2 Percentage Level of Compliance ... 49
4.2 Data Analysis and Findings ...49
4.2.1 Data Analysis ...49
4.2.2 Validity...50
4.2.2.1 Validated with Data Privacy & Protection Community Chairman... 50
4.2.2.2 Validated with Business Information Security Officer at International Bank ... 51
CHAPTER 5 - CONCLUSIONS AND RECOMMENDATIONS...53
5.1 Conclusions ...53
5.2 Recommendation ...54
5.3 Future Work ...55
GLOSSARY ...56
APPENDIX I - Weighing the impact of GDPR...57
APPENDIX II - Data Protection Impact Assessment (DPIA) ...58
APPENDIX III - DPIA Screening Question...58
APPENDIX IV - Step Completion for DPIA ...59
APPENDIX V - Privacy Framework on Third-party ...59
APPENDIX VI - COBIT DSS ...63
APPENDIX VII - Key Management Practice map based on DMBOK, ISO 27701, NIST Privacy Framework through COBIT DSS Framework...67
APPENDIX VIII - Third Party Question ...76
APPENDIX IX - Discussion with Top 5 Consultant ...85
APPENDIX X - Expert Validation 1 ...86
APPENDIX XI - Expert Validation 2...86
REFERENCES ...87
CURRICULUM VITAE ...93
LIST OF FIGURES
Figures Page
Figure 1.1 Types of data exposed (%) ...13
Figure 1.2 Victim demography by cause ...13
Figure 1.3 Thesis Objective ...15
Figure 2.1 DMBOK Area Function ...25
Figure 2.2 Core, Profiles, and Implementation Tiers ...29
Figure 2.3 Privacy Framework ...29
Figure 2.4 Third-Party Risk Assessment Proposed Framework ...34
Figure 2.5 Key Management Practice mapping Framework ...35
Figure 3.1 Thesis Method Flowchart ...37
LIST OF TABLES
Table Page
Table 1.1 IBM Cost of Data Breach report ...14
Table 2.1 Information Type ...19
Table 2.2 Third-Party Factor ...20
Table 2.3 OJK Regulation ...23
Table 2.4 Implementation Guide ...25
Table 2.5 Measure Data Governance Progress Metric ...26
Table 2.6 List of differences between ISO 27701 and GDPR ...26
Table 2.7 ISO 27701 PIMS based on third-party Control Objective "A" ...27
Table 2.8 ISO 27701 PIMS based on third-party Control Objective "B" ...28
Table 2.9 ABC Bank Third-Party Assessment Domain Key ...32
Table 2.12 Related Works ...36
Table 3.1 Third-Party questionnaire mapping to COBIT DSS Control ...40
Table 3.2 Third-Party Assessment controls mapping with Third-Party services ...42
Table 4.1 Third-Party Assessment Result ...47