Delfindra Faiz Noorhadi
Islamic University of Indonesia

Published : 1 Documents Claim Missing Document
Claim Missing Document
Check
Articles

Found 1 Documents
Search

Integrating ISO, CIPP and CMMI Frameworks for Data Privacy Compliance: A System-Level Maturity Assessment with PDCA-Based Architecture in a KBMI Group IV Bank Delfindra Faiz Noorhadi; Mukhammad Andri Setiawan
Journal of Information System and Informatics Vol 8 No 3 (2026): June
Publisher : Asosiasi Doktor Sistem Informasi Indonesia

Show Abstract | Download Original | Original Source | Check in Google Scholar | DOI: 10.63158/journalisi.v8i3.1623

Abstract

This study examines the organizational and technical readiness of a systemically important Indonesian bank (KBMI Group IV) in responding to the enactment of the Personal Data Protection (PDP) Law, which necessitates robust privacy engineering and system architecture adaptation. This maturity assessment is conducted as a single-case study based on empirical data collected from two primary respondents: a Business Branch Manager and a Department Head Application Developer. To comprehensively evaluate the system, this study integrates a multi-model framework. First, the Context, Input, Process and Product (CIPP) model qualitatively measures the organization's governance, resources, workflows and policy impacts. These qualitative findings are then translated into CMMI-based process maturity scores. The observed empirical findings reveal an overall maturity score of 3.69, positioning the organization at Level 3 (Defined) as an institutional baseline rather than a sector-wide indicator. The observed findings also expose a regulatory conflict between the PDP Law's 'Right to be Forgotten' and mandatory financial data retention regulations. To address these observed gaps, the study proposes two framework outputs: a comprehensive mapping matrix that aligns regulatory requirements with ISO 27001 and ISO 27701 standards and a conceptual PDCA-based system architecture utilizing data masking and pseudonymization. Although the proposed framework is developed within the context of a single institution, it offers a valuable preliminary foundation for evaluating technical privacy compliance in the banking sector, subject to further validation across a broader range of financial institutions.