<![CDATA[A vehicle insurance company is grappling with a critical issue amid its efforts to integrate information technology into its operations. The problem revolves around the absence of documented procedures related to IT service management and infrastructure resources, impacting various operational facets, including business processes, staff management, applications, infrastructure, facilities, and vendor relationships. To address these concerns, the company has taken measures, including identification, analysis, control, and mitigation of IT-related risks. However, these measures have proven insufficient for optimal risk management, prompting the need for a comprehensive evaluation of their IT risk management capabilities. This assessment focuses on evaluating the implementation of IT risk management using a qualitative approach within the COBIT 5 framework. Specifically, it assesses the company's performance in two closely related processes: APO 12 (Manage Risk) for identifying IT-related risks and DSS 05 (Manage Security Services) for understanding the role of information security and monitoring security aspects. The assessment results indicate that the company's IT risk management capability is at level 3 (Established) for both processes. However, the company aspires to reach level 4 (Predictable) and improve their risk management. Furthermore, a critical discovery is the absence of Standard Operating Procedures (SOPs) related to data encryption, which is vital for information security. While some monitoring methods for information security service design have been effective, there is a need for enhanced data security through the development of encryption-related SOPs. The company plans to implement improvements based on COBIT 5 framework recommendations to achieve a higher level of risk management capability. These enhancements aim to better align IT-related risk management with the company's business objectives and improve the overall effectiveness of the processes.]]>
