
IT GOVERNANCE

Suggested Answers
Nov-Dec 2021

1. Suppose you are working in an organization in Bangladesh. You have bought an enterprise resource planning solution recently.
One of your subordinates knowingly tampered with computer source code without taking proper authentication and
permission. Finding this out, you have decided to take measures against this action following a legal way.
(a) Does this type of behavior fall under the ICT Act, 2006 of Bangladesh? If so, what is the punishment for such action under
this act? 5

Ans. Yes. Under the ICT Act, 2006 of Bangladesh:

55. Punishment for tampering with computer source code.
(1) Whoever intentionally or knowingly conceals, destroys or alters, or intentionally or knowingly causes another person
to conceal, destroy or alter, any computer source code used for a computer, computer program, computer system or
computer network, when the computer source code is required to be kept or maintained by any law for the time being in force,
then this activity of his will be regarded as an offence.
(2) Whoever commits an offence under sub-section (1) of this section shall be punishable with imprisonment for a
term which may extend to three years, or with fine which may extend to Taka three lakhs, or with both.
Explanation: For the purpose of this section, "computer source code" means the listing of programs, computer commands,
design and layout and program analysis of computer resources in any form.

(b) One of your colleagues at work asked you about the National IT Policy 2009 of Bangladesh. Among many questions, he asked
you about the strategic themes of the National IT Policy. Please briefly write about the social equity and productivity parts of the
strategic themes of the policy. 5

Ans. Strategic Themes

E.1. Social Equity:
1.1 Mainstream social advancement opportunities for disadvantaged groups as an immediate priority to minimize
economic disparity and bridge the digital divide for (a) lower income groups, (b) ethnic minorities, (c) women, and (d)
persons with disabilities and special needs
1.2 Facilitate citizens’ participation in local and national government, and policy making as a broad national agenda
1.3 Provide incentives to the private sector and NGO/CSO/CBOs to generate and share locally relevant and local language
digital content and online services
1.4 Develop and preserve content to bolster culture, heritage and religion
1.5 Bring into focus children's issues, including protection of children from harmful digital content

E.2. Productivity:
2.1 Encourage maximum utilization of ICT services nationwide to boost productivity of small, medium and micro
enterprises and the agriculture sector, and focus on innovation and competitiveness
2.2 Ensure dissemination and utilization of latest know-how and market information to increase production capability
and supply chain management of agriculture through ICT applications

2.3 Ensure better monitoring, skills gap determination, appropriate training and modern enterprise operations
to enhance productivity of large enterprises by encouraging immediate implementation of end to end
applications (ERP)
2.4 Ensure sustainable productivity in the service sector through increased automation of operations and
management information systems
2.5 Encourage e-commerce, e-payments, and e-transactions in general bringing in a new dimension of
productivity to the economy at the earliest.

2. (a) A decision support system involves an interactive analytical modeling process. Using a DSS software
package for decision support may result in a series of displays in response to alternative what-if changes entered
by a manager. This differs from the demand responses of management information systems because decision
makers are not demanding pre-specified information; rather, they are exploring possible alternatives.
Four basic types of analytical modeling activities are involved in using a decision support system: what-if
analysis, sensitivity analysis, goal-seeking analysis, and optimization analysis. Briefly describe their activities
with examples. 8

Page 1 of 8
Ans. What-if analysis: Observing how changes to selected variables affect other variables. Example: What if we cut
advertising by 10 percent? What would happen to sales?

Sensitivity analysis: Observing how repeated changes to a single variable affect other variables. Example: Let’s
cut advertising by $100 repeatedly so we can see its relationship to sales.

Goal-seeking analysis: Making repeated changes to selected variables until a chosen variable reaches a target
value. Example: Let’s try increases in advertising until sales reach $1 million.

Optimization analysis: Finding an optimum value for selected variables, given certain constraints. Example:
What’s the best amount of advertising to have, given our budget and choice of media?
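As an added illustration of the four analyses (this code is not part of the suggested answer), the following Python runs each one against a constructed toy sales-response model in which every advertising medium contributes with diminishing returns. The model, the media effectiveness factors, the budget and the per-medium caps are assumptions made for the example, not figures from the question.

```python
import itertools
import math

# Constructed toy sales-response model (an assumption for this example, not from the
# answer above): each medium contributes to sales with diminishing (square-root) returns.
BASE_SALES = 200_000.0
RESPONSE = 4_000.0
MEDIA_EFFECTIVENESS = {"tv": 1.2, "radio": 0.8, "online": 1.0}


def sales_model(spend: dict) -> float:
    """Predicted sales for a spend plan {medium: amount}."""
    return BASE_SALES + RESPONSE * sum(
        MEDIA_EFFECTIVENESS[m] * math.sqrt(amount) for m, amount in spend.items()
    )


def what_if(spend: dict, medium: str, pct_change: float) -> dict:
    """What-if analysis: change one variable once and observe the effect on sales."""
    changed = dict(spend)
    changed[medium] = spend[medium] * (1 + pct_change / 100)
    return {"before": sales_model(spend), "after": sales_model(changed), "spend": changed}


def sensitivity(spend: dict, medium: str, step: float, repeats: int) -> list:
    """Sensitivity analysis: change one variable repeatedly and record each outcome."""
    table = []
    for i in range(repeats + 1):
        trial = dict(spend)
        trial[medium] = spend[medium] + i * step
        table.append((trial[medium], sales_model(trial)))
    return table


def goal_seek(spend: dict, medium: str, target_sales: float, tol: float = 1e-3) -> float:
    """Goal-seeking analysis: adjust one variable until sales reach a target.
    The model is monotonic in spend, so bisection on the spend amount converges."""
    lo, hi = 0.0, 1e7
    for _ in range(200):
        mid = (lo + hi) / 2
        trial = dict(spend)
        trial[medium] = mid
        if sales_model(trial) < target_sales:
            lo = mid
        else:
            hi = mid
        if hi - lo < tol:
            break
    return (lo + hi) / 2


def optimize(budget: float, caps: dict, step: float = 500.0) -> tuple:
    """Optimization analysis: best allocation across media subject to a total budget
    and a per-medium cap, found by exhaustive grid search over the allowed amounts."""
    media = list(caps)
    grids = [range(0, int(caps[m]) + 1, int(step)) for m in media]
    best_plan, best_sales = None, -math.inf
    for amounts in itertools.product(*grids):
        if sum(amounts) > budget:
            continue  # constraint: stay within budget
        plan = dict(zip(media, amounts))
        s = sales_model(plan)
        if s > best_sales:
            best_plan, best_sales = plan, s
    return best_plan, best_sales


if __name__ == "__main__":
    plan = {"online": 10_000.0}
    print("what-if -10%:", what_if(plan, "online", -10))
    print("sensitivity:", sensitivity(plan, "online", -100, 5))
    print("goal-seek $1M:", goal_seek(plan, "online", 1_000_000))
    print("optimum:", optimize(15_000, {"tv": 8_000, "radio": 6_000, "online": 12_000}))
```

The grid search is deliberately brute force: for a handful of media it enumerates every feasible allocation, which is what "given our budget and choice of media" amounts to at this scale; a real DSS package would use a linear or nonlinear solver for the same constrained problem.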

(b) What are executive information systems? Briefly describe them. 02

Ans. Executive information systems (EIS) are information systems that combine many of the features of management
information systems and decision support systems. When they were first developed, their focus was on meeting
the strategic information needs of top management. Thus, the first goal of executive information systems was
to provide top executives with immediate and easy access to information about a firm’s critical success factors
(CSFs), that is, key factors that are critical to accomplishing an organization’s strategic objectives. For example,
the executives of a retail store chain would probably consider factors such as its e-commerce versus traditional
sales results or its product line mix to be critical to its survival and success.

(c) Blockchains are the ideal solution for multiple entities that do not fully trust each other and need to agree
on a single version of events, or require a data source that is tamper-proof. Describe how implementation of a
blockchain can improve trust between stakeholders. 5

Ans. There are several environments where blockchains could solve problems, or at least reduce risk or increase
efficiency. Blockchains are the ideal solution for multiple entities that do not fully trust
each other and need to agree on a single version of events, or require a data source that is tamperproof.
Blockchains could also add value where third parties are used either due to a low trust
environment (such as escrow services) or as a golden source of truth.

(d) Companies in the FinTech industry can be divided into several major parts in accordance with their distinctive business
models. Please briefly describe the major parts of the FinTech Industry. 5

Answer:

3. Which organizations should use IT governance? How do the goals of implementing an IT governance program vary for
small and large organizations? 2

Model Answer

A formal IT governance program should be used by any organization in any industry that needs to comply with regulations
related to financial and technological accountability. However, implementing a comprehensive IT governance program
requires a lot of time and effort. Where very small entities might practice only essential IT governance methods, the goal
of larger and more regulated organizations should be a full-fledged IT governance program.

4. (a) In almost every industry some firms do better than most others. There’s almost always a standout firm. Mirpur Agro
Limited (MAL) has employed you to find out why some firms do better than others and how they achieve competitive
advantage. Answer this question based on Michael Porter’s competitive forces model. 8

Model Answer

The most widely used model for understanding competitive advantage is Michael Porter’s competitive forces model. This
model provides a general view of the firm, its competitors, and the firm’s environment. Porter’s model is all about the
firm’s general business environment.

In this model, five competitive forces shape the fate of the firm.

Traditional Competitors
All firms share market space with other competitors who are continuously devising new, more efficient ways to produce
by introducing new products and services, and attempting to attract customers by developing their brands and imposing
switching costs on their customers.

New Market Entrants

In a free economy with mobile labor and financial resources, new companies are always entering the marketplace. In some
industries, there are very low barriers to entry, whereas in other industries, entry is very difficult. For instance, it is fairly
easy to start a pizza business or just about any small retail business, but it is much more expensive and difficult to enter the
computer chip business, which has very high capital costs and requires significant expertise and knowledge that are hard
to obtain. New companies have several possible advantages: They are not locked into old plants and equipment, they often
hire younger workers who are less expensive and perhaps more innovative, they are not encumbered by old worn-out brand
names, and they are “more hungry” (more highly motivated) than traditional occupants of an industry. These advantages
are also their weakness: They depend on outside financing for new plants and equipment, which can be expensive; they
have a less-experienced workforce; and they have little brand recognition.

Substitute Products and Services

In just about every industry, there are substitutes that your customers might use if your prices become too high. New
technologies create new substitutes all the time. Ethanol can substitute for gasoline in cars; vegetable oil for diesel fuel in
trucks; and wind, solar, coal, and hydro power for industrial electricity generation. Likewise, Internet and wireless
telephone service can substitute for traditional telephone service. And, of course, an Internet music service that allows you
to download music tracks to an iPod or smartphone has become a substitute for CD-based music stores. The more substitute
products and services in your industry, the less you can control pricing and the lower your profit margins.

Customers

A profitable company depends in large measure on its ability to attract and retain customers (while denying them to
competitors) and charge high prices. The power of customers grows if they can easily switch to a competitor’s products
and services or if they can force a business and its competitors to compete on price alone in a transparent marketplace
where there is little product differentiation and all prices are known instantly (such as on the Internet). For instance, in the
used college textbook market on the Internet, students (customers) can find multiple suppliers of just about any current
college textbook. In this case, online customers have extraordinary power over used-book firms.

Suppliers

The market power of suppliers can have a significant impact on firm profits, especially when the firm cannot raise prices
as fast as can suppliers. The more different suppliers a firm has, the greater control it can exercise over suppliers in terms
of price, quality, and delivery schedules. For instance, manufacturers of laptop PCs almost always have multiple competing
suppliers of key components, such as keyboards, hard drives, and display screens.

(b) This question is in continuation to the scenario described in Question (a). The traditional competitive forces are still at
work, but because of the Internet, competitive rivalry has become much more intense. Summarize the potentially negative
impacts of the Internet on competitive forces of the business firms identified by Porter. 5

Model Answer

5. (a) Explain how wireless network access points can be used for security breaches. 2

Model Answer

Wireless networks are vulnerable because radio frequency bands are easy to scan. Both Bluetooth and Wi-Fi networks
are susceptible to hacking by eavesdroppers. Local area networks (LANs) using the 802.11 standard can be easily
penetrated by outsiders armed with laptops, wireless cards, external antennae, and hacking software. Hackers use these
tools to detect unprotected networks, monitor network traffic, and, in some cases, gain access to the Internet or to corporate
networks.

Wi-Fi transmission technology was designed to make it easy for stations to find and hear one another. The service set
identifiers (SSIDs) that identify the access points in a Wi-Fi network are broadcast multiple times and can be picked up
fairly easily by intruders’ sniffer programs. Wireless networks in many locations do not have basic protections against war
driving, in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic. An intruder
who has associated with an access point by using the correct SSID is capable of accessing other resources on the network.
For example, the intruder could use the Windows operating system to determine which other users are connected to the
network, access their computer hard drives, and open or copy their files.

Intruders also use the information they have gleaned to set up rogue access points on a different radio channel in physical
locations close to users to force a user’s radio network interface controller (NIC) to associate with the rogue access point.
Once this association occurs, hackers using the rogue access point can capture the names and passwords of unsuspecting
users.
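From the defender's side, the same SSID broadcasts the answer describes are what a wireless site survey or wireless IDS uses to spot rogue access points. The Python example below (added here, not part of the suggested answer) compares a set of scan results against an inventory of the organisation's own access points and flags any radio that advertises the corporate network name without being in that inventory, or that runs it without encryption. The SSID, BSSIDs and scan records are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # radio MAC address of the access point
    channel: int
    security: str     # "WPA2", "WPA3", "WEP" or "OPEN"


# Constructed inventory of the organisation's own access points (assumed values).
CORPORATE_SSID = "CorpNet"
AUTHORISED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

# Constructed scan results, as a periodic site survey or wireless IDS might collect them.
SCAN = [
    AccessPoint("CorpNet", "00:11:22:aa:bb:01", 6, "WPA2"),
    AccessPoint("CorpNet", "00:11:22:aa:bb:02", 11, "WPA2"),
    AccessPoint("CorpNet", "de:ad:be:ef:00:01", 1, "OPEN"),      # corporate name, radio not in inventory
    AccessPoint("CorpNet-Guest", "00:11:22:aa:bb:02", 11, "OPEN"),
    AccessPoint("CoffeeShop", "66:77:88:99:aa:bb", 3, "WPA2"),
]


def find_rogue_aps(scan, corporate_ssid=CORPORATE_SSID, authorised=AUTHORISED_BSSIDS):
    """Return (access_point, reason) findings for radios that impersonate the corporate
    SSID or weaken its security. The check is a BSSID allow-list: any radio advertising
    the corporate network name that is not in the inventory is treated as rogue."""
    findings = []
    for ap in scan:
        if ap.ssid != corporate_ssid:
            continue  # other networks nearby are not this check's concern
        if ap.bssid not in authorised:
            findings.append((ap, "unknown BSSID advertising corporate SSID (possible rogue AP)"))
        elif ap.security in ("OPEN", "WEP"):
            findings.append((ap, "authorised AP running weak or no encryption"))
    return findings


def report(findings) -> list:
    """Human-readable lines for an alert or ticket."""
    return [f"{reason}: ssid={ap.ssid} bssid={ap.bssid} ch={ap.channel} sec={ap.security}"
            for ap, reason in findings]


if __name__ == "__main__":
    for line in report(find_rogue_aps(SCAN)):
        print(line)
```

A BSSID allow-list is the cheap first check, not the last: a rogue can copy an authorised BSSID, so a production wireless IDS also correlates channel, signal strength at fixed sensors, vendor OUI and beacon timing before deciding that two radios with the same address are really one.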

(b) Explain clearly how SQL injection attack and ransomware work. 2

Model Answer

SQL injection attacks have become a major malware threat. SQL injection attacks take advantage of vulnerabilities in
poorly coded web application software to introduce malicious program code into a company’s systems and networks.
These vulnerabilities occur when a web application fails to validate properly or filter data a user enters on a web page,
which might occur when ordering something online. An attacker uses this input validation error to send a rogue SQL query
to the underlying database to access the database, plant malicious code, or access other systems on the network. Large web
applications have hundreds of places for inputting user data, each of which creates an opportunity for an SQL injection
attack.
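The input-validation failure described above is easiest to understand next to its fix. The Python example below (added here, not part of the suggested answer) uses an in-memory SQLite table with constructed rows to contrast a query built by string concatenation with a parameterised query, and adds the allow-list input check that the answer says web applications omit.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory orders table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 120.0), (2, "bob", 75.5), (3, "carol", 300.0)])
    return conn


def orders_for_customer_vulnerable(conn, customer: str) -> list:
    """Defective pattern: the user's input is pasted into the SQL text, so anything
    the user types that the SQL parser understands becomes part of the query."""
    query = "SELECT id, customer, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(query).fetchall()


def orders_for_customer_safe(conn, customer: str) -> list:
    """Parameterised query: the driver sends the value separately from the SQL text,
    so whatever the user typed is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT id, customer, total FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


# Defence in depth: validate the shape of the input before it reaches the database.
# The allowed pattern is an assumption for this example (customer ids are short, lowercase tokens).
CUSTOMER_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_customer(customer: str) -> bool:
    """Allow-list check: reject any input that is not a plain customer id."""
    return CUSTOMER_RE.fullmatch(customer) is not None


if __name__ == "__main__":
    conn = make_db()
    tampered = "x' OR '1'='1"
    print("vulnerable:", orders_for_customer_vulnerable(conn, tampered))  # returns every row
    print("safe:      ", orders_for_customer_safe(conn, tampered))        # returns nothing
    print("validated: ", is_valid_customer(tampered))                     # False
```

Parameterisation is the fix; the allow-list is a second layer that also catches inputs the application never expects, and it keeps a bad value out of logs and downstream systems that might build their own queries.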

Malware known as ransomware is proliferating on both desktop and mobile devices. Ransomware tries to extort money
from users by taking control of their computers or displaying annoying pop-up messages. One nasty example,
CryptoLocker, encrypts an infected computer’s files, forcing users to pay hundreds of dollars to regain access. You can get
ransomware from downloading an infected attachment, clicking a link inside an e-mail, or visiting the wrong website.

6. “Bhalo Babosa Udyog” has identified the main risks to its systems, and now will need to develop a security policy for
protecting the company’s assets. Answer the following questions in this context. 6

(a) What are the components of a security policy? Which questions are generally asked when defining a security policy?

(b) Explain clearly acceptable use policy and identity management in the context of security policy.

Model Answer

(a) After you’ve identified the main risks to your systems, your company will need to develop a security policy for
protecting the company’s assets. A security policy consists of statements ranking information risks, identifying acceptable
security goals, and identifying the mechanisms for achieving these goals. What are the firm’s most important information
assets? Who generates and controls this information in the firm? What existing security policies are in place to protect the
information? What level of risk is management willing to accept for each of these assets? Is it willing, for instance, to lose
customer credit data once every 10 years? Or will it build a security system for credit card data that can withstand the once-
in-a-hundred-year disaster? Management must estimate how much it will cost to achieve this level of acceptable risk.

(b) The security policy drives other policies determining acceptable use of the firm’s information resources and which
members of the company have access to its information assets. An acceptable use policy (AUP) defines acceptable uses of
the firm’s information resources and computing equipment, including desktop and laptop computers, wireless devices,
telephones, and the Internet. A good AUP defines unacceptable and acceptable actions for every user and specifies
consequences for noncompliance.

Security policy also includes provisions for identity management. Identity management consists of business processes and
software tools for identifying the valid users of a system and controlling their access to system resources. It includes policies
for identifying and authorizing different categories of system users, specifying what systems or portions of systems each
user is allowed to access, and the processes and technologies for authenticating users and protecting their identities.

7. You may remember incidents where an organization got accused of exposing or stealing users’ private data. Explain clearly
how the power of information technology to store and retrieve information can have a negative effect on the right to
privacy of every individual. Also, explain the terms opt-in and opt-out in this regard. 4

Model Answer

The power of information technology to store and retrieve information can have a negative effect on the right to
privacy of every individual. For example, confidential e-mail messages by employees are monitored by many companies.
Personal information is being collected about individuals every time someone visits a site on the World Wide Web.
Confidential information on individuals contained in centralized computer databases by credit bureaus, government
agencies, and private business firms has been stolen or misused, resulting in the invasion of privacy, fraud, and other
injustices. The unauthorized use of such information has badly damaged the privacy of individuals. Errors in such databases
could seriously hurt the credit standing or reputation of an individual.

Governments around the world, but none more than in the United States, are debating privacy issues and considering
various forms of legislation. With regard to the Internet, opt-in versus opt-out is central to the debate over privacy
legislation. Consumer protection groups typically endorse an opt-in standard, making privacy the default. An opt-in system
automatically protects consumers who do not specifically allow data to be compiled about them. Most business interests
back opt-out, arguing it doesn’t disrupt the flow of e-commerce.

8. Effective control requires a detailed inventory of information assets. Creating this list is the first step in classifying assets
and determining the level of protection needed for each asset. Now, answer the following questions based on the CISA
Review Manual. 6

(a) Elucidate clearly the roles of classes or levels of sensitivity and criticality to information resources in classifying assets.
(b) Elaborate the role of the information owner in information classification.
(c) What are the issues that should be defined in data classification as control measures? What are the other issues data
classification need to take into account?

Model Answer

(a) Information assets have varying degrees of sensitivity and criticality in meeting business objectives. By assigning
classes or levels of sensitivity and criticality to information resources and establishing specific security rules for each class,
it is possible to define the level of access controls that should be applied to each information asset. Classification of
information assets reduces the risk and cost of over- or under-protecting information resources in linking security to
business objectives because it helps to build and maintain a consistent perspective of the security requirements for
information assets throughout the organization.

(b) The information owner is responsible for the information and should decide on the appropriate classification, based on
the organization’s data classification and handling policy. Classifications should be simple such as designations by differing
degrees for sensitivity and criticality. End-user managers and security administrators can then use these classifications in
their risk assessment process to assist with determining who should be able to access what, and the most appropriate level
of such access. Most organizations use a classification scheme with three to five levels of sensitivity. The number of
classification categories should take into consideration the size and nature of the organization and the fact that complex
schemes may become too impractical to use.

(c) Data classification is a major part of managing data as an asset. Data classification as a control measure should define:

• The importance of the information asset.
• The information asset owner.
• The process for granting access.
• The person responsible for approving the access rights and access levels.
• The extent and depth of security controls.

Data classification must take into account legal, regulatory, contractual and internal requirements for maintaining privacy,
confidentiality, integrity and availability of information. Data classification is also useful to identify who should have
access to the production data used to run the business versus those who are permitted to access test data and programs
under development. For example, application programmers or system development programmers should not have access
to production data or programs.
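As an added example (not part of the suggested answer), the following Python turns those classification elements into an access decision: ordered sensitivity levels, an information owner who is the only person able to approve a grant, and a rule that keeps development programmers away from production data. The level names, roles, users and sample assets are constructed for the example.

```python
from dataclasses import dataclass, field

# Sensitivity classes, lowest to highest (a constructed four-level scheme).
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass
class Asset:
    name: str
    level: str                                 # sensitivity class assigned by the owner
    owner: str                                 # information owner who approves access
    environment: str                           # "production" or "test"
    approved: set = field(default_factory=set)  # users whose access the owner approved


@dataclass
class User:
    name: str
    clearance: str   # highest sensitivity class this user may handle
    role: str        # "developer", "operations" or "business"


def grant_access(asset: Asset, approver: str, user: str) -> bool:
    """Only the information owner may approve access; returns whether the grant was recorded."""
    if approver != asset.owner:
        return False
    asset.approved.add(user)
    return True


def access_decision(user: User, asset: Asset) -> tuple:
    """Apply the classification rules in order: clearance, production/development
    separation, then owner approval. Returns (allowed, reason)."""
    if LEVELS.index(user.clearance) < LEVELS.index(asset.level):
        return False, "clearance below asset sensitivity"
    if asset.environment == "production" and user.role == "developer":
        return False, "developers may not access production data or programs"
    if asset.level != "public" and user.name not in asset.approved:
        return False, "no access approval from information owner"
    return True, "allowed"


if __name__ == "__main__":
    ledger = Asset("customer_ledger", "confidential", "finance_head", "production")
    dana = User("dana", "confidential", "developer")
    omar = User("omar", "confidential", "operations")
    print(access_decision(dana, ledger))
    grant_access(ledger, "finance_head", "omar")
    print(access_decision(omar, ledger))
```

The order of the checks matters for what an audit log shows: a user below the asset's class is refused before any approval is consulted, so an owner cannot approve someone into a level their clearance does not cover.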
9. You are designing and developing the business IT solution for Endemic Protection Limited (EPL). Answer the following
questions in this context. 15

(a) Before you design a new system, it is important to study the system that will be improved or replaced (if there is one).
What are the areas of the present system that need to be analyzed? Also mention the information system activities that are
important in this respect.

(b) There are two common approaches to analysis and design: SDLC and object-oriented. Whereas the SDLC remains the
predominant approach to software development, the object-oriented approach is substantially gaining favor. Define an
object-oriented system and describe the main concepts of object-oriented programming.

(c) EPL can now start evaluating their installed system. In this stage, define data conversion with its importance and
involved activities. Why is a good data conversion process essential?

Model Answer

(a) You need to analyze how this system uses hardware, software, network, and people resources to convert data resources,
such as transactions data, into information products, such as reports and displays. Then you should document how the
information system activities of input, processing, output, storage, and control are accomplished. For example, you might
evaluate the format, timing, volume, and quality of input and output activities. Such user interface activities are vital to
effective interaction between end users and a computer-based system. Then, in the systems design stage, you can specify
what the resources, products, and activities should be to support the user interface in the system you are designing.

(b) An object-oriented system is composed of objects. An object can be anything a programmer wants to manage or
manipulate—cars, people, animals, savings accounts, food products, business units, organizations, customers—literally
anything. Once an object is defined by a programmer, its characteristics can be used to allow one object to interact with
another object or pass information to another object. The behavior of an object-oriented system entails collaboration between
these objects, and the state of the system is the combined state of all the objects in it. Object-oriented programming (OOP)
is the programming paradigm that uses “objects” to design applications and computer programs. It employs several
techniques from previously established paradigms, including:

Inheritance: The ability of one object to inherit the characteristics of a higher-order object. For example, all cars have
wheels; therefore, an object defined as a sports car and as a special type of the object cars must also have wheels.

Modularity: The extent to which a program is designed as a series of interlinked yet stand-alone modules.

Polymorphism: The ability of an object to behave differently depending on the conditions in which its behavior is invoked.
For example, two objects that inherit the behavior speak from an object class animal might be a dog object and a cat object.
Both have a behavior defined as speak. When the dog object is commanded to speak, it will bark, whereas when the cat
object is commanded to speak, it will meow.

Encapsulation: Concealing all of the characteristics associated with a particular object inside the object itself. This paradigm
allows objects to inherit characteristics simply by defining a sub-object. For example, the object airplane contains all of
the characteristics of an airplane: wings, tail, rudder, pilot, speed, altitude, and so forth.
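An added example (not from the suggested answer) that shows the four concepts in Python using the answer's own illustrations, a sports car that inherits wheels from cars and dog and cat objects that both respond to speak, plus a savings account whose balance is hidden behind the object's methods to show encapsulation. The class and method names are assumptions made for the example.

```python
class Car:
    """Higher-order object: every car has wheels."""
    wheels = 4

    def describe(self) -> str:
        return f"{type(self).__name__} with {self.wheels} wheels"


class SportsCar(Car):
    """Inheritance: a sports car is a special type of car, so it has wheels without
    restating them; it only adds what is specific to it."""
    top_speed_kmh = 250


class Animal:
    """Base behaviour that subclasses override."""
    def speak(self) -> str:
        raise NotImplementedError("each animal decides how it speaks")


class Dog(Animal):
    def speak(self) -> str:
        return "bark"


class Cat(Animal):
    def speak(self) -> str:
        return "meow"


def chorus(animals) -> list:
    """Polymorphism: the same message, speak, produces a different behaviour per object,
    and this function works for any Animal subclass written later."""
    return [a.speak() for a in animals]


class SavingsAccount:
    """Encapsulation: the balance lives inside the object and can only change through
    deposit and withdraw, which enforce the account's rules."""
    def __init__(self, opening_balance: float = 0.0):
        self._balance = opening_balance   # underscore marks it as internal state

    @property
    def balance(self) -> float:
        return self._balance

    def deposit(self, amount: float) -> bool:
        if amount <= 0:
            return False
        self._balance += amount
        return True

    def withdraw(self, amount: float) -> bool:
        if amount <= 0 or amount > self._balance:
            return False                  # the rule "no overdraft" lives with the data
        self._balance -= amount
        return True


# Modularity: in a real program each of these classes would sit in its own module
# (cars.py, animals.py, accounts.py) and be imported where needed; they are kept in one
# file here only so the example runs stand-alone.

if __name__ == "__main__":
    print(SportsCar().describe())
    print(chorus([Dog(), Cat()]))
    acct = SavingsAccount(100)
    print(acct.withdraw(500), acct.balance)
```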

(c) Implementing new information systems for many organizations today frequently involves replacing a previous system
and its software and databases. One of the most important implementation activities required when installing new software
in such cases is called data conversion. For example, installing new software packages may require converting the data
elements in databases that are affected by a new application into new data formats. Other data conversion activities that
are typically required include correcting incorrect data, filtering out unwanted data, consolidating data from several
databases, and organizing data into new data subsets, such as databases, data marts, and data warehouses. A good data
conversion process is essential because improperly organized and formatted data are frequently reported to be one of the
major causes of failures in implementing new systems.

10. The effectiveness of an information system’s controls is evaluated through an information systems audit. Information
systems are designed so that every financial transaction can be traced. In other words, IT audit is the examination and
evaluation of an organization's information technology infrastructure, policies and operations. IT audit can be considered
as the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains
data integrity, allows organizational goals to be achieved effectively and uses resources efficiently. Suppose, you work
as an auditor in a financial institution. The institution wants to do an information system audit of its own. Answer the
following questions.
(a) Discuss IS audit categorization in brief. 05
Ans. IT audits have been categorized into five types, as discussed below:
Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are
adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's
activity.
Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate,
and efficient processing of applications under normal and potentially disruptive conditions.

Systems Development: An audit to verify that the systems under development meet the objectives of the organization and
to ensure that the systems are developed in accordance with generally accepted standards for systems development.
Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational
structure and procedures to ensure a controlled and efficient environment for information processing.
Telecommunications, Intranets, and Extranets: An audit to verify that controls are in place on the client (computer
receiving services), server, and on the network connecting the clients and server.
(b) What is a maturity level of a software process? Explain initial level maturity in detail. 05

Ans:
A maturity level is a well-defined evolutionary level toward achieving a mature software process. Each maturity level
comprises a set of process goals that, when satisfied, stabilize an important component of the software process. Achieving
each level of the maturity framework establishes a different component in the software process, resulting in an increase in
the process capability of the organization.
CMM has a total of five levels, given as follows:
Level 1: The Initial Level, Level 2: The Repeatable Level, Level 3: The Defined Level, Level 4: The Managed Level, and
Level 5: The Optimizing Level.
The Initial Level: At the Initial Level, the organization typically does not provide a stable environment for developing
and maintaining software. Such organizations frequently have difficulty making commitments that the staff can meet with
an orderly engineering process, resulting in a series of crises. During a crisis, projects typically abandon planned procedures
and revert to coding and testing. Success depends entirely on having an exceptional manager and a seasoned and effective
software team. Occasionally, capable and forceful software managers can withstand the pressures to take shortcuts in the
software process; but when they leave the project, their stabilizing influence leaves with them. Even a strong engineering
process cannot overcome the instability created by the absence of sound management practices. In spite of this ad hoc, even
chaotic, process, Level 1 organizations frequently develop products that work, even though they may be over the budget
and schedule. Success in Level 1 organizations depends on the competence and heroics of the people in the organization
and cannot be repeated unless the same competent individuals are assigned to the next project. Thus, at Level 1, capability
is a characteristic of the individuals, not of the organization.

(c) Give the contents of current file with respect to IS Audit working papers. 05

Ans. The current file normally includes:

• Correspondence relating to the acceptance of appointment and the scope of the work,
• Evidence of the planning process of the audit and audit program,
• A record of the nature, timing, and extent of auditing procedures performed, and the results of
such procedures,
• Copies of letters and notes concerning audit matters communicated to or discussed with the client, including
material weaknesses in relevant internal controls,
• Letters of representation and confirmation received from the client,
• Conclusions reached by the auditor concerning significant aspects of the audit, including the manner in which
the exceptions and unusual matters, if any, disclosed by the auditor’s procedures were resolved and treated, and
• Copies of the data and system being reported on and the related audit reports.

(d) Discuss the controls to consider when reviewing the organization and management controls in an Information System. 05

Ans. The controls to consider while reviewing the organization and management controls in an information system include:
Responsibility: The strategy of having a senior management person responsible for the IS within the overall
organizational structure.
An official IT structure: There should be a prescribed organization structure, with all staff informed of their roles and
responsibilities through written and agreed job descriptions.
An IT steering committee: The steering committee shall comprise user representatives from all areas of the business,
and IT personnel. The committee would be responsible for the overall direction of IT. Here the responsibility lies beyond
just the accounting and financial systems, covering, for example, the telecommunications system (phone lines, videoconferencing),
office automation, and manufacturing processing systems.

---The End---
