SPCI207
POSTGRADUATE COURSE
M. Sc. CYBER FORENSICS AND
INFORMATION SECURITY
SECOND YEAR
FOURTH SEMESTER
CORE PAPER - XIV
WELCOME
Warm Greetings.
I invite you to join the CBCS in Semester System to gain rich knowledge leisurely at
your will and wish. Choose the right courses at the right times so as to erect your flag of
success. We always encourage and enlighten you to excel and empower. We are the cross-
bearers to make you a torch-bearer to have a bright future.
DIRECTOR
M.Sc. CYBER FORENSICS AND INFORMATION SECURITY
SECOND YEAR - FOURTH SEMESTER
CORE PAPER - XIV
GOVERNANCE, RISK & COMPLIANCE
COURSE WRITER
Ms. Abirami. N
Guest Faculty
Center for Cyber Forensic & Information Security
University of Madras, Chennai - 600 005
Dr. M. Srinivasan
Professor & Head
Department of Criminology
University of Madras
Chennai - 600 005.
Quantitative - Risk Management framework - COSO - The Internal environment -
Objective Setting - Event Identification - Risk assessment - Risk Response - Control
activities - Information & communication - Monitoring - NIST - Risk Assessment -
Risk Mitigation - Evaluation & Assessment - Case Study Analysis
Unit 5: Compliance
1 Introduction to GRC 1
LESSON - 1
Introduction to GRC
Learning Objectives
At the end of this lesson, students will gain knowledge of the following:
Structure of Lesson
1.1 Introduction
1.6 Summary
1.7 Keywords
1.1 Introduction
GRC helps to align IT activities in order to achieve business goals. It refers to a company’s
coordinated strategy for managing corporate issues with regard to regulatory requirements.
GRC provides legal professionals with a broad range of regulatory solutions for better
business outcomes.
Compliance (C) - Organizational activities are operated to meet the laws and regulations
impacting those systems.
Why do we need it?
To control the increasing complexity.
GRC helps publicly held companies to integrate and manage IT operations that
are subject to regulation.
• Holds platform owners and admins accountable for meeting enterprise standards
and supports their ability to do that.
Corporate governance is “a toolkit that enables management and the board to deal more
effectively with the challenges of running a company. Corporate governance ensures that
businesses have appropriate decision-making processes and controls in place so that the
interests of all stakeholders are balanced.”- ICSA, the Governance Institute.
IT Governance
Meet relevant legal and regulatory obligations, such as those set out in the GDPR
or the Companies Act.
Competitive Advantage.
Reduction of Risk.
There are three widely recognized, vendor-neutral, third-party frameworks that are often
described as ‘IT governance frameworks’. While on their own they are not completely adequate
to that task, each has significant IT governance strengths:
ITIL: ITIL, or the IT Infrastructure Library®, was developed by the UK’s Cabinet Office as a
library of best-practice processes for IT service management. Widely adopted around the world,
ITIL is supported by ISO/IEC 20000:2011, against which independent certification can be
achieved. On the ITIL page, you can access a free briefing paper on ITIL, IT service management and
ISO 20000.
Governance Framework
At a minimum, a sound framework should provide a blueprint for how information security
is governed, define the role of policy and procedure which identifies applicable legal or regulatory
requirements and support data classification standards and data breach response criteria. How
such frameworks are interpreted and implemented within companies remains wildly varied. For
instance, are the controls around sensitive system IDs and passwords part of information security
or part of a larger control framework? Is oversight of third parties part of information security or
a larger vendor management framework? The lack of clear boundaries creates the challenge.
The answer is both. Information security must be highly integrated into many other operations
and control frameworks within institutions. This tip will briefly describe some of the key principles
to consider when building a framework and evaluating a number of standard industry resources
against these principles.
It’s a team effort. The governance program must have broad management support,
with involvement from senior management, legal, human resources, compliance,
audit, risk management and IT.
The more that people are aware of the risks, rules and their roles, the more they
can make the governance program stronger. Information security cannot be managed
by a team of experts alone; it must be everyone’s responsibility. With these principles in
mind, one can begin to evaluate the various reference sources that are available to firms
to support their own information security governance program.
FFIEC guidelines
The materials given in the interagency guidelines on information security are one of the
best resources, and certainly the gold standard for banks. Both the material found in the IT
Examination Handbook under Information Security and the interagency guidelines are the best
available in terms of an overall “program” design and should be the main reference document
for every financial institution.
PCI DSS:
Created specifically for the payment card industry, the PCI Data Security Standard, like
the ISO standard, does not provide a governance framework and is heavily IT focused, but it
does provide broader language regarding procedural aspects (who has access to data and
why). It also includes a detailed checklist that can be useful in designing an internal self-
assessment process.
COBIT: While COBIT is a framework document by design, and a very good one, it is not
as strong when it comes to information security. It can be an excellent resource for broad IT
governance frameworks, but many of the deeper elements of information security management
will be found in the above-mentioned documents.
Program: A comprehensive program document that defines clear roles and responsibilities;
discrete program elements; how the overall program is governed; a risk assessment
methodology; reporting requirements and testing methodology.
Risk Assessment: A risk assessment methodology that evaluates inherent risks, controls
and residual risk to systems, data, physical records and third parties. It is important to note
that each of these four areas will have specific and unique business owners who must all
participate in the risk assessment and risk mitigation process.
Policies and Training: The framework should include clear operating policies that outline
specific do’s and don’ts for managing data, as well as a regular, comprehensive training curriculum
that is mandatory for all staff.
Response: A clear and well-tested set of procedures to respond in the event of a data
breach that, like the program itself, includes both operational and senior management.
The key to information security governance is to remember that the goal is not absolute
data restriction. We live with data in motion every day and we cannot do our jobs without the
use of confidential data. The goal of information security governance is to build superior
resiliency in how data is managed on a day-to-day basis and the ability to respond should something
go wrong.
Key Merits
• Use metrics that can be used as a “translator” within organizations to enable effective
two-way understanding between Finance and IT
1.6 Summary
GRC provides legal professionals with a broad range of regulatory solutions for
better business outcomes. It holds platform owners and admins accountable for meeting
enterprise standards and supports their ability to do that. The major outcome is proactively
forecasting demand for products and services as well as enhancements and defect repairs.
Corporate governance is “a toolkit that enables management and the board to deal more
effectively with the challenges of running a company. Governance, risk and compliance (GRC)
refers to a strategy for managing an organization’s overall governance, enterprise risk
management and compliance with regulations. IT governance is an element of corporate
governance, aimed at improving the overall management of IT, and driving improved value
from its investment in information and technology. There are three widely recognized, vendor-
neutral, third-party frameworks that are often described as ‘IT governance frameworks’. It is an
IT governance control framework that helps organizations meet today’s business challenges in
the areas of regulatory compliance, risk management and aligning IT strategy with organizational
goals. The concept of an information security framework is somewhat amorphous, in part because
even the phrase “information security” itself can be surprisingly subject to interpretation.
Regardless of which materials firms choose as a primary reference, the following concepts are
central and critical to building a successful information security governance framework.
1.7 Keywords
GRC - Governance, Risk and Compliance
4. Discuss the major principles to evaluate any reference materials for Information
Security Governance.
2. Gad Selig, “Implementing IT Governance”, Van Haren Publishing; First edition
(April 17, 2008).
LESSON - 2
Basel and OECD
Learning Objectives
At the end of this lesson, students will gain knowledge of the following:
Pillars of Basel
Structure of Lesson
2.1 Introduction
2.2.1 Basel - I
2.2.2 Basel - II
2.3 OECD
2.4 Summary
2.5 Keywords
2.1 Introduction
Basel is a city in Switzerland which is also the headquarters of the Bank for
International Settlements (BIS). The BIS, established on 17 May 1930, is the world’s oldest
international financial organization. In total, the BIS has 60 member countries from all over
the world and covers approximately 95% of the world’s GDP. The Basel Committee
- initially named the Committee on Banking Regulations and Supervisory Practices - was
established by the central bank Governors. The Committee, headquartered at the Bank for
International Settlements in Basel, was established to enhance financial stability by improving
the quality of banking supervision worldwide, and to serve as a forum for regular co-operation
between its member countries on banking supervisory matters.
The Basel Committee has expanded its membership from the G10 to 45 institutions. The
Committee has established a series of international standards for bank regulation, most notably
its landmark publications of the accords on capital adequacy, which are commonly known as
Basel I, Basel II and, most recently, Basel III. The set of agreements by the BCBS (Basel
Committee on Banking Supervision), which mainly focus on risks to banks and the
financial system, is called the Basel Accord. The purpose of the accord is to ensure that financial
institutions have enough capital on account to meet their obligations and absorb unexpected
losses. India has accepted the Basel accords for its banking system. The Basel Accord has given
us three Basel norms, which are Basel I, II and III.
To ensure that banks “hold capital and reserves sufficient to support the risks that
arise in their business”
2.2.1 Basel I:
The reason was to create a level playing field for “internationally active banks”. Banks
from different countries competing for the same loans would have to set aside roughly the
same amount of capital on the loans.
It focused almost entirely on credit risk; it defined capital and the structure of risk weights
for banks.
The minimum capital requirement was fixed at 8% of Risk-Weighted Assets (RWA).
Pitfalls of Basel I
Limited differentiation of credit risk
No recognition of term structure
Banks were required to develop and use better risk management techniques for
monitoring and managing all three types of risk, that is credit risk and the risks
listed below, and to meet increased disclosure requirements.
Operational risk
Market risk
Capital risk
Banks must mandatorily disclose their risk exposure, etc., to the central bank.
Minimum capital requirements for credit risk, market risk and operational risk—
expanding the 1988 Accord (Pillar I).
Basel III norms aim at making most banking activities such as their trading book
activities more capital-intensive.
The guidelines aim to promote a more resilient banking system by focusing on four
vital banking parameters viz. capital, leverage, funding and liquidity.
The Reserve Bank of India has extended the timeline for full implementation of the
Basel III capital regulations by a year to March 31, 2019.
2 The OECD Substantive Committees, one for each work area of the OECD, plus
their variety of subsidiary bodies. Committee members are typically subject-matter
experts from member and non-member governments.
The OECD uses its wealth of information on a broad range of topics to help governments
foster prosperity and fight poverty through economic growth and financial stability. It helps to
ensure that the environmental implications of economic and social development are taken into
account.
The group analyses and reports on the impact of social policy issues such as gender
discrimination on economic growth and makes policy recommendations designed
to foster growth with sensitivity to environmental issues.
The organization also seeks to eliminate bribery and other financial crime worldwide.
2.4 Summary
Basel is a city in Switzerland which is also the headquarters of the Bank for International
Settlements (BIS). The Basel Committee, initially named the Committee on Banking Regulations
and Supervisory Practices, was established by the central bank Governors. The Basel Committee
has expanded its membership from the G10 to 45 institutions. The set of agreements by the
BCBS (Basel Committee on Banking Supervision), which mainly focus on risks to banks and the
financial system, is called the Basel Accord. In 1988, the Basel Committee on Banking Supervision
introduced a capital measurement system called the Basel Capital Accord, also called Basel I. In
2004, the Basel II guidelines were published by the BCBS, which were considered to be refined
and reformed versions of the Basel I accord. In 2010, the Basel III guidelines were released.
These guidelines were introduced in response to the financial crisis of 2008. The Organization
for Economic Co-operation and Development is an intergovernmental economic organization
with 36 member countries, founded in 1961 to stimulate economic progress and world trade.
The OECD’s structure consists of three main elements. The OECD uses its wealth of information
on a broad range of topics to help governments foster prosperity and fight poverty through
economic growth and financial stability.
2.5 Keywords
BCBS - Basel Committee on Banking Supervision
2. Gad Selig, “Implementing IT Governance”, Van Haren Publishing; First edition
(April 17, 2008).
LESSON - 3
Best Practices for IT Governance
Learning Objectives
At the end of this lesson, students will gain knowledge of the following:
Structure of Lesson
3.1 Introduction
3.4.3 Advantages
3.5 Summary
3.6 Keywords
3.1 Introduction
• An information security risk management methodology and a comprehensive security
strategy explicitly linked with business and IT objectives.
• An effective security organizational structure and a security strategy that talks about the
value of information protected and delivered.
• Security policies that address each aspect of strategy, control and regulation.
• A complete set of security standards for each policy to ensure that procedures and
guidelines comply with policy.
• Institutionalized monitoring processes to ensure compliance and provide feedback on
effectiveness and mitigation of risk.
• A process to ensure continued evaluation and update of security policies, standards,
procedures and risks.
Using ITIL as a guiding tool, organizations are able to develop and implement a clear
security structure based on best practices. One of its requirements is continuous review and
this ensures that an organization evaluates the effectiveness of its security measures. The
security structure is well organized and therefore prevents disorganized implementation and
rushed decisions. ITIL requires proper reporting and therefore keeps the executive management
up-to-date with the current security situation that enables them to make appropriate security
decisions. Roles and responsibilities are clearly spelt out and in the event that an incident
occurs, the procedures of action are understood.
Service Strategy
Service Design
Service Operation
Service Transition
Each of them contains a number of ITIL processes and functions. The
key to running efficient IT Service Management is knowing who does what; therefore, within
the ITIL framework you’ll find numerous roles involved in the process(es) themselves. Some roles
span across several processes and have different influence on each process. Those complex
relationships are maintained within the RACI (Responsible, Accountable, Support, Consulted,
Informed) matrix, which spans across all Service Lifecycle processes and roles.
The Service Strategy phase of the Service Lifecycle provides guidance on how to design,
develop, and implement IT Service Management. Students will understand how service strategies
can be developed to give the business a distinct advantage in the marketplace. During Service
Strategy, an organization will determine its target markets and how to differentiate itself from its
competitors. The organization’s management team will understand the costs and risks associated
with their Service Portfolios and can efficiently use this information in their operational decision-
making. Practical examples will be used to describe the assessment and planning involved
within the IT departments of small, medium, and large corporations. Having the proper strategies
in place can give the company a proactive and productive approach to their business operations.
The Service Design phase of the Service Lifecycle provides guidance on how to design
and develop services and IT Service Management processes that will support the service
strategies already developed. Learning how to design service plans will prepare IT professionals
and business leaders to address customer concerns in the most proficient manner.
The Service Operation phase of the Service Lifecycle provides guidance on the practical
aspects of day-to-day business operations. The goal is for the IT department to keep things
running smoothly, reliably, efficiently and cost-effectively. The activities and processes in this
phase ensure that services are delivered to customers at the agreed upon levels with minimal
interruptions and disruptions. Service Operation focuses on providing value to both the customer
and the service provider.
The Service Transition phase of the Service Lifecycle teaches IT professionals and their
business associates to manage changes in a productive manner. Service Transition provides
guidance on how to efficiently and effectively transition new and changed services into operations
without disrupting or interrupting other services or processes.
Even if nothing changes in an organization, there is always room for development and
improvement in IT services. Continual assessment is the key to understanding where
improvements can be made. ITIL training can help learners identify where these possibilities for
progress are.
It is the second document in the series and contains a list of codes of practice that
ensure security.
The third document in this family is ISO 27003:2010, which is designed to provide
guidance during the implementation stage of the security management system.
ISO 27001:2013 is the standard adapted to offer guidance through the processes of
establishment, implementation, maintenance and continual improvement of the information
security management system. The standard considers various types of organizations and
industries encompassing their sizes and markets. It is therefore a wide and generic document
and its adoption and implementation ought to be a strategic decision. The standard’s adaptation
process must be influenced by the organization’s needs and aligned to its business objectives.
The board and the executive management are at liberty to select the security policies that are
appropriate for the current state of security and may complement these policies with more
options also referred to as extended control sets. Thorough evaluation of the organization’s
information security risks is fundamental in order to make suitable selection of controls.
ISO 27002:2013 is mainly a code of practice and categorically deals with all types of
information security and not only IT systems’ security (ISO/IEC 27002 2013). It offers guidelines
and recommendations of suitable controls to organizations that have assessed their information
security risks. Since it is a code of guidelines, organizations are not necessarily required to
adopt it as a standard and are therefore free to choose guidelines that are relevant to their
organization’s needs. This standard is considered indispensable to any organization that depends
on information.
ISO does not decide when to develop a new standard but responds to a request from
industry or other stakeholders such as consumer groups. Typically, an industry sector or group
communicates the need for a standard to its national member who then contacts ISO. Contact
details for national members can be found in the list of members.
ISO standards are developed by groups of experts from all over the world, that are part of
larger groups called technical committees. These experts negotiate all aspects of the standard,
including its scope, key definitions and content. Details can be found in the list of technical
committees.
The technical committees are made up of experts from the relevant industry, but also
from consumer associations, academia, NGOs and government. Read more about who develops
ISO standards.
a. ISO/IEC 27001:2005
b. ISO/IEC 27002:2005
3.4.3 Advantages
Provide evidence and assurance that an organization has complied with the
standard’s requirements.
3.5 Summary
An effective security organizational structure and a security strategy that talks about the
value of information protected and delivered. ITIL is a compilation of best practices for IT
organizations’ management. ITIL aims at ensuring that strategic security considerations are
taken at various operational levels. ITIL requires proper reporting and therefore keeps the
executive management up to date with the current security situation that enables them to make
appropriate security decisions. Some roles span across several processes and have different
influence on the process itself. The ISO 27000:2013 is a series consisting of four standardization
documents. COBIT is a framework created by the ISACA (Information Systems Audit and Control
Association) for IT governance and management. ISO/IEC 27001 is the Requirements for
Information Security Management Systems and ISO/IEC 27002 is the Code of Practice for
Information Security Management. It provides a catalogue of controls that can be implemented
for an ISMS.
3.6 Keywords
ITIL - Information Technology Infrastructure Library
2. Gad Selig, “Implementing IT Governance”, Van Haren Publishing; First edition
(April 17, 2008).
LESSON - 4
COBIT and ISM Maturity model
Learning Objectives
At the end of this lesson, students will gain knowledge of the following:
Structure of Lesson
4.1 Introduction - COBIT
4.7 Summary
4.8 Keywords
requirements. COBIT is a thoroughly recognized guideline that can be applied to any organization
in any industry.
The COBIT business orientation includes linking business goals with its IT infrastructure
by providing various maturity models and metrics that measure the achievement while identifying
associated business responsibilities of IT processes. The main focus of COBIT was illustrated
with a process-based model subdivided into four specific domains, including:
All of this is further understood under 34 processes as per the specific line of responsibilities.
COBIT has a high position among business frameworks and has been recognized under various
international standards, including ITIL, CMMI, COSO, PRINCE2, TOGAF, PMBOK and
ISO 27000. COBIT acts as a guideline integrator, merging all solutions under one umbrella. The
latest COBIT version 5 came out in April 2012 and consolidated the principles of COBIT 4.1,
the Risk IT Framework and Val IT 2.0. This version draws reference from the IT Assurance Framework
(ITAF) from ISACA and the revered BMIS (Business Model for Information Security).
It helps in organizing the objectives of IT governance and bringing in the best practices
in IT processes and domains while linking them to business requirements.
b. Process Descriptions
It is a reference model and also acts as a common language for every individual in the
organization. The process descriptions include planning, building, running, and monitoring of
all IT processes.
c. Control Objectives
This provides a complete list of requirements that have been considered by the
management for effective IT business control.
d. Maturity Models
Assesses the maturity and the capability of every process while addressing the gaps.
e. Management Guidelines
The first principle is meeting the stakeholders’ needs. This principle is about
identifying the key stakeholders, their needs and how value is created for enterprises
by addressing those needs through the cascading of goals.
The second principle is covering the enterprise end-to-end. This principle is about
covering all the functions and processes wherever information is processed in the
enterprise.
The third principle is applying a single integrated framework. This principle is about
having a single and integrated framework that consists of the various established
frameworks and standards required for the governance and management of
enterprise IT.
The fourth principle is enabling a holistic approach. This principle is about using a
set of enablers for an all-inclusive or holistic approach to support the governance
and management of enterprise IT.
The framework also identifies seven aspects of governance that need to be in place in
order to support the five principles above.
goals, while optimizing the use of resources. Management activities normally include the
requirements to plan, direct, control and coordinate.
Maturity Levels: A 5-level process maturity continuum - where the uppermost (5th)
level is a notional ideal state where processes would be systematically managed by
a combination of process optimization and continuous process improvement.
Key Process Areas: A Key Process Area identifies a cluster of related activities that,
when performed together, achieve a set of goals considered important.
Goals: The goals of a key process area summarize the states that must exist for
that key process area to have been implemented in an effective and lasting way.
The extent to which the goals have been accomplished is an indicator of how much
capability the organization has established at that maturity level. The goals signify
the scope, boundaries, and intent of each key process area.
Commitment to perform
Ability to perform
Activities performed
Verifying implementation.
Key Practices: The key practices describe the elements of infrastructure and practice
that contribute most effectively to the implementation and institutionalization of the
area.
The model provides a theoretical continuum along which process maturity can be developed
incrementally from one level to the next.
Level 1 - Initial
It is characteristic of processes at this level that they are (typically) undocumented and in
a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner
by users or events. This provides a chaotic or unstable environment for the processes.
Level 2 - Repeatable
It is characteristic of this level of maturity that some processes are repeatable, possibly
with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may
help to ensure that existing processes are maintained during times of stress.
Level 3 - Defined
It is characteristic of processes at this level that there are sets of defined and documented
standard processes established and subject to some degree of improvement over time. These
standard processes are in place. The processes may not have been systematically or repeatedly
used - sufficient for the users to become competent or the process to be validated in a range of
situations. This could be considered a developmental stage - with use in a wider range of
conditions and user competence development the process can develop to next level of maturity.
4.7 Summary
COBIT stands for Control Objectives for Information and Related Technology. It was
designed to be a supportive tool for managers and allows bridging the crucial gap between
technical issues, business risks and control requirements. COBIT has a high position among business
frameworks and has been recognized under various international standards. Five different
components are used in COBIT, and five principles are also used. Security is the result
of a process and, using security in context, an incident is defined as a failure to meet the
organization’s Security Objectives. A maturity model can be viewed as a set of structured levels
that describe how well the behaviors, practices and processes of an organization can reliably
and sustainably produce required outcomes. A maturity model can be used as a benchmark for
comparison and as an aid to understanding.
4.8 Keywords
COBIT - Control Objectives for Information and Related
Technology
2. Gad Selig, “Implementing IT Governance”, Van Haren Publishing; First edition
(April 17, 2008).
LESSON – 5
Information Security Governance
Learning Objectives
At the end of this lesson, students will gain knowledge of the following:
Structure of Lesson
5.1 Introduction
5.6 Summary
5.7 Keywords
5.1 Introduction
Information security governance (ISG) is the responsibility of the board of directors and
senior executives. It must be an integral and transparent part of enterprise governance and be
aligned with the IT governance framework. Whilst senior executives have the responsibility to
consider and respond to the concerns and sensitivities raised by information security, boards of
directors will increasingly be expected to make information security an intrinsic part of governance,
integrated with processes they already have in place to govern other critical organizational
resources.
Candidates will be required to understand the contents of the framework, which will
generally consist of a comprehensive security strategy that is intrinsically linked with business
objectives.
Governing security policies that address each aspect of strategy, controls and
regulation
A complete set of standards for each policy to ensure that procedures and guidelines
comply with policy
Management of risks
Verification of results
Why is it important?
Provides a framework for secure business operations in an interconnected world
1. Board members understand that information security is critical to the company and
requires regular updates on performance and security incidents.
2. The officers and business unit managers participate in a risk management committee
that meets regularly on the topic of information security.
3. Executive management sets acceptable risk levels which are the basis for the
company’s security policies and related practices.
4. Executive management holds business unit managers responsible for carrying out
risk management activities for their specific business units.
5. Critical business processes are documented along with the risks that are inherent
in the different steps within the business processes.
6. Employees are held accountable for any security breaches they participate in, either
maliciously or accidentally.
7. Security products, managed services and consultants are purchased and deployed
in an informed manner and are regularly reviewed.
8. The organization regularly reviews its business and security processes with the
goal of continuous improvement.
Protection from the increasing potential for civil or legal liability as a result of
information inaccuracy or the absence of due care.
A firm foundation for efficient and effective risk management, process improvement,
and rapid incident response related to securing information.
A level of assurance that critical decisions are not based on faulty information.
a. Strategic alignment
b. Risk Management
c. Value delivery
d. Resource Management
e. Performance Measurement
f. Integration
a. Strategic Alignment
b. Risk Management
To manage and mitigate risks and reduce potential impacts on information assets to an
acceptable level.
Perform regular risk assessments with senior managers and key staff.
Ensure critical and confidential information is withheld from those who should not
have access to it.
Develop IT continuity plans that can be executed and are tested and maintained.
c. Resource Management
Ensure that IT services and infrastructure can resist and recover from failures due
to error, deliberate attack or disaster.
Ensure proper use and performance of the applications and technology solutions.
d. Performance Measurement
e. Value Delivery
f. Integration
ISG ensures that the relevant assurance factors are integrated to make sure that processes
operate as intended from end to end. Candidates are tested on the integration and coordination
5.6 Summary
Information security governance is the responsibility of the board of directors and senior
executives. It makes information security an intrinsic part of governance, integrated with
processes they already have in place to govern other critical organizational resources. ISG
ensures that there is an accurate security framework that meets the objectives of the
organization. Such a framework generally consists of a comprehensive security strategy that
is intrinsically linked with business objectives. In comparing the critical differences with respect
to the effectiveness of a company’s information security governance program, some distinctions
are common to successful organizations. Information security governance generates various
significant benefits. It contains a structured set of elements that are required to provide senior
management with assurance that its major objectives are captured in the organization’s security
posture. It is mainly involved in the development, implementation and management of a security
program that achieves six outcomes.
5.7 Keywords
ISG - Information Security Governance
LESSON – 6
Information System Strategy
Learning Objectives
At the end of this lesson student will get knowledge about the following:
Structure of Lesson
6.1 Introduction
6.7 Summary
6.8 Keywords
6.1 Introduction
Information System Strategic Planning has been described by King (1978) as a process
that serves to relate the organization’s mission, objectives, strategies, and other salient
characteristics to an Information System strategy set. The Information System strategy set is
the product of the strategic planning process for IS, in that it is derived from the organization’s
“strategy set” through the application of strategic planning methods to the IS function.
Its aim is to ensure that information resources, when applied, will directly contribute
toward the attainment of enacted organizational strategies.
At the beginning of the year, the planning team takes as input an overall vision and
mission statement developed at the enterprise level. During this phase, the team reviews the
enterprise strategies, technology trends, employee trends, and so on to better understand the
future environment that will shape the IT organization and its deliverables. IT subject matter
experts from throughout the organization are recruited to help define the major trends that may
be critical in shaping the organization and its decision making in the next few years.
The team identifies a small number of high-impact areas that require more in-depth
analysis to inform the overall strategic planning process. Depending on circumstances at a
given point in time, these may include IoT, social media trends, and changing regulatory
compliance rules.
3. Current-state assessment
The planning team analyses the current state of all the IT related systems and policies
and compares these with the long-range outlook, paying special attention to the key drivers
developed in the preceding phase. The result is a set of recommendations for adjustments to
IT’s focus areas and spending plans.
The next phase is the development of a strategic plan for IT. The plan includes a discussion
of strategic objectives and a budget and investment plan. The plan reflects IT’s highest priority
items and provides an outcome framework for defining success. Each item includes a roadmap
that can influence budget and organization decisions in the upcoming year.
Once the annual budget is approved, the information from the preceding phases is used
to guide the governance process and the many decisions made across the organization to
implement the strategic plan and one-year strategic objectives. These decisions include project
chartering, supplier selection, sourcing, investment trade-off decisions, and so on.
6. Regular reviews
Monthly reviews based on a wide variety of input help ensure that the strategic plan and
governance decisions are followed. This culminates in a year-end assessment. Reviews continue
into the following year until a new strategic plan and new governance decisions provide input
for modifying the review process. This process can include a security strategic planning
component, or planning can occur in a coordinated and parallel fashion in another team.
Information system strategy is a critical aspect of an organization’s growth and
expansion. Within it, the integration of the data system and its function within the organization
can be handled easily. It also enables the classification of different opportunities for the use of
information systems in different strategies. It ensures that resources are allocated only to
useful applications and that scarce resources are used in a sustainable way. An information
system strategy ensures that the information system functions accordingly and supports the
business goals and objectives of the organization at its different levels.
There are several instances of strategic information systems which have helped
organizations create and sustain resources in this competitive market over the past years,
delivered several effective benefits and ensured the survival of the organizations which have
used them. These systems are often termed ‘strategic concepts of the organization.’ To maximize
the financial performance of firms in a fluctuating market, the correlation between strategic
management and information systems is fundamentally significant.
In a firm, data entry is performed at the user end, and the data is later processed to
generate useful data products and services, such as reports, which are utilized by different
users. Such a strategy is called operation support. The primary purpose of this system is to
keep a check on transactions, operations, control, supply chain, and management. It also
facilitates internal and external communication, and it updates the central database of the
organization. The operation support system is further divided into three systems, which are:
Firms require accurate data in a specific format to make organizational decisions. A
management support system strategy makes the decision and task operation process more
manageable for managers. These systems are essentially divided into different strategies such
as management, decision, accounting and expert information systems. They provide precise
information and data to the manager for routine decision-making processes. A decision support
system helps to solve particular issue-related problems.
Lowering the costs of the products: It may help firms lower their costs, allowing them
to offer products and services at a much lower cost than their competitors. Such a
strategy can thus support the expansion and growth of the firm.
Leveraging technology in the value chain: In this way, organizations pinpoint the
particular activities in the business where competitive market strategies can be applied
and where strategic information systems can be most effective.
6.7 Summary
Information System Strategic Planning is a process that serves to relate the organization’s
mission, objectives, and strategies, and other salient characteristics to an Information System
strategy set. IT strategic planning is the alignment of IT management and operation with
enterprise strategic planning. IT subject matter experts from throughout the organization are
recruited to help define the major trends that may be critical in shaping the organization and its
decision making in the next few years. The planning team analyses the current state of all the
IT related systems and policies. Once the annual budget is approved, the information is used
to guide the governance process and the many decisions made across the organization to
implement the strategic plan. A strategic information system provides a connection between
the demands of the organization and the latest information technology. The primary purpose of
the operations support system is to keep a check on transactions, operations, control, supply
chain, and management. A management support system strategy makes the decision and task
operation process more manageable for managers.
6.8 Keywords
ISSP - Information System Strategy Planning
LESSON - 7
Steering Committee, Policies and Procedures
Learning Objectives
At the end of this lesson student will get knowledge about the following:
Structure of Lesson
7.1 Introduction
7.5.2 Roles
7.5.4 Procedures
7.6 Summary
7.7 Keywords
7.1 Introduction
Information security affects all aspects of an organization. To ensure that all stakeholders
affected by security considerations are involved, a steering committee of executives should be
formed. Members of such a committee may include, amongst others, the chief executive officer
(CEO) or designee, business unit executives, chief financial officer (CFO), chief information
officer (CIO)/IT director, chief security officer (CSO), CISO, human resources, legal, risk
management, audit, operations and public relations. A steering committee serves as an effective
communication channel for management’s aims and directions and provides an ongoing basis
for ensuring alignment of the security programme with organizational objectives. It is also
instrumental in achieving behavior change toward a culture that promotes good security practices
and policy compliance.
It is crucial for leaders to have various levels of managers and executives on the steering
committee.
b. An increase in meetings:
Naturally, steering committees will want to meet to decide on project budgets, scopes,
changes, and any other topic that could arise.
Again, many of the members of the steering committee could be concerned only about
their own interests.
d. Defined roles:
This might not be everyone’s first time on a steering committee, so many will probably
know the basics of how it works.
Often, there is either one person or a small group of people who decide to take the lead
in a group setting.
The other major factor is organizational representation. For large projects, various
departments should be represented in the organization by someone with appropriate
decision-making authority.
Members should receive information before the initial meeting so they can craft any
questions they have beforehand.
Is there a limit on ideas that can be implemented? These are all questions that need
to be answered in meetings with steering committee members.
If changes are not frequent, leaders may want to schedule benchmark meetings
throughout the development of the project as needed.
Leaders can create a plan for teams to meet with the steering committee to answer
questions and update them on progress, or even utilize a company intranet for
progress updates.
After the completion of the project, leaders should debrief with committee members
to gain insight into the process and any problems that occurred.
The officers and business unit managers participate in a risk management committee
that meets regularly on the topic of information security.
Executive management sets acceptable risk levels which are the basis for the
company’s security policies and related practices.
Executive management holds business unit managers responsible for carrying out
risk management activities for their specific business units.
Critical business processes are documented along with the risks that are inherent
in the different steps within the business processes.
Employees are held accountable for any security breaches they participate in, either
maliciously or accidentally.
There may be some members that are new to serving on a steering committee. Leaders
can help ease them into their duties by providing training and coaching. Committee members
are as productive as their experience will allow, so it is essential that leaders offer an adequate
education for committee members new and experienced.
Leaders should make it a priority not to make steering committee teams too small or too big.
One change management framework suggested that leaders keep the size to around six, a
size large enough to represent many of the organization’s departments but not so big that it
encroaches on efficiency.
Meetings will go a lot faster and operate at a higher level of efficiency if agendas concerning
project information are given to the steering committee before they arrive. This will allow them
to craft any initial questions they have before the meeting to save time.
It makes sense for members to take time to make informed decisions, however, when a
group is involved, a decision that should only take 24 hours could end up taking a week if there
are not any established parameters for how long decision-making should take. Leaders should
express that the purpose is not about rushing decisions but facilitating efficiency so that teams
are not left to push back deadlines.
It is a great idea to have the project manager serve as a liaison between the project
team and the steering committee. It will cut down confusion if all questions, concerns, and
decisions are communicated to the project manager so they can disperse the information
uniformly.
The Steering Committee is the governing body of the Correlation Network. The major
goal of the Steering Committee is facilitating the fulfilment of the Correlation Network mission
by developing and supporting policies, strategies and operational implementations of the network.
The Steering Committee consists of a chairperson, the two network coordinators and
6 representatives, including at least one community representative. The total number of Steering
Committee members, representing specific thematic focus and communities, is defined by them.
Steering Committee members work voluntarily without financial compensation for their
work within the Steering Committee. Its members receive all available information related to
the Network’s operation on their demand. SC members receive annual Correlation Network
Progress Reports provided by the CNO.
Organizational Policies relate to the internal business of the council (around matters
such as corporate services or governance). Organizational Policies will have a direct
effect on our staff but will not have specific relevance to our customers.
Along with legislation, local laws, charters, delegations and Terms of Reference,
policies provide the controls that Council operates within.
7.5.2 Roles
Policy Coordinator: The Policy Coordinator ensures that the process of developing,
approving, reviewing and rescinding a policy is managed effectively for the
organization. This role is undertaken by the Executive and Commercial Services
Officer, who also administers the policy register.
Policy Owner: Staff who are accountable for particular areas are Policy Owners.
This role ensures that the policies they are accountable for are kept up to date,
reviewed on time, and communicated effectively.
Policy Review Group: The Policy Review Group consists of the Manager Executive
and Commercial Services and three members of the Loddon Leaders group (who
are appointed annually on a rotating basis). The role of the group is to check all
policies and procedures to ensure they are checked, complete and ready for
finalization prior to them being submitted to the MEG for approval.
The Policy Owner will determine the regular review frequency in accordance with the
guidelines. However, a review may be triggered at any time if necessary, due to events such as
changes in legislation, Council Plan or stakeholder issues. The Policy Coordinator will enter a
policy’s review date and Policy Owner on the policy and procedure register, and reminders will
be sent six months in advance for each policy review. Every six months, a report will be provided
by the Policy Coordinator to the MEG on the status of review dates and their completion. All
policies must be reviewed at least once every four years to ensure they are consistent with the
Council Plan.
7.5.4 Procedures
7.6 Summary
Information security affects all aspects of an organization. To ensure that all stakeholders
affected by security considerations are involved, a steering committee of executives should be
formed. Steering committees are an important component of the project management process.
With challenges and disadvantages in mind, leaders can make informed decisions on taking
steps to create an effective steering committee. The Steering Committee is the governing body
of the Correlation Network. The Steering Committee consists of a chairperson, the two network
coordinators and 6 representatives, including at least one community representative. Steering
Committee members work voluntarily without financial compensation for their work within the
Steering Committee. The Policy Coordinator will enter a policy’s review date and Policy Owner
on the policy and procedure register, and reminders will be sent six months in advance for each
policy review. Procedures prescribe the specific actions that need to be taken to implement a
policy or other requirement, such as a legal obligation.
7.7 Keywords
CEO - Chief Executive Officer
2. What are the essential steps for creating an effective steering committee? Explain.
LESSON – 8
Various Forms of Management
Learning Objectives
At the end of this lesson student will get knowledge about the following:
Structure of Lesson
8.1 Introduction
8.5 Summary
8.6 Keywords
8.1 Introduction
The various forms of management are personnel, financial and quality management.
Personnel management (the staffing function of management) is also known as Human Resource
Management (HRM). Personnel management is concerned with the proper use of human factors.
Personnel management may be defined as that part of the management process which is
primarily concerned with the human constituents of an organization. Financial management in
a business seeks to plan and direct the use of the company’s financial resources, and Quality
Management Systems (QMS) are typically customer focused.
It also focuses on the administrative specialization that deals with the process of hiring
and developing employees to become more valuable to the company. It is sometimes considered
to be a sub-category of human resources that only focuses on administration.
Hiring
Employee handbook
Promotion policies
Training
Required vacations
Termination policies
Sourcing practices relate to the way an organization obtains the IS function required to
support the business. Organizations can perform all IS functions in-house or outsource all
functions across the globe. Sourcing strategy should consider each IS function and determine
which approach allows the IS function to meet the organization’s goals.
The IS auditor must be aware of the various forms outsourcing can take as well as
the associated risks.
IS budgets
Besides these, there are some other significant features which are also relevant to a
startup business.
The four elements of financial management can be described as the four steps of the
Control Process. When following the four-step control process, a manager can make their
department more effective, which increases productivity. There are three categories of controls
that can be used to monitor employees’ discipline, manage their schedules, and enforce budgets
that have been set.
Planning
Controlling
Decision Making
Planning:
Controlling:
Make sure that each area of the organization is following the plans that have been
established.
Decide how to use organizational resources to most effectively carry out established
plans.
Decision-Making:
Day-to-day operations
Service management
Security
General administration
8.5 Summary
Personnel management can also be defined as that field of management which is
concerned with the planning, organizing, directing and controlling of various operative functions.
It also focuses on the administrative specialization that deals with the process of hiring and
developing employees to become more valuable to the company. Personnel management is
defined as an administrative specialization that focuses on hiring and developing employees to
become more valuable to the company. Organizations can perform all IS functions in-house or
outsource all functions across the globe. Sourcing strategy should consider each IS function
and determine which approach allows the IS function to meet the organization’s goals. Security
issues in financial accounting are complex, and the risks are often difficult to stipulate, even for
experts. The use of an information security management system became a requirement for
organizations once states began adopting mandatory data protection legislation. The importance
of financial management is vital to an organization. The four elements of financial management
can be described as the four steps of the Control Process.
8.6 Keywords
QMS - Quality Management Systems
LESSON – 9
Information Security Management
Learning Objectives
At the end of this lesson student will get knowledge about the following:
Structure of Lesson
9.1 Introduction
9.2.2 Purpose
9.7 Summary
9.8 Keywords
9.1 Introduction
Information Security Management (ISM) describes controls that an organization needs to
implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity
of assets from threats and vulnerabilities. By extension, ISM includes information risk
management, a process which involves the assessment of the risks an organization must deal
with in the management and protection of assets, as well as the dissemination of the risks to all
appropriate stakeholders. This requires proper asset identification and valuation steps, including
evaluating the value of confidentiality, integrity, availability, and replacement of assets.
Authorized persons shall be granted access when they need to modify the
information.
All employees are responsible for implementing security policies and information security
and must provide support to the management bodies that have prescribed the policies and
rules.
9.2.2 Purpose
Privacy Information Security Management should identify risks to property and property
value, and identify possible vulnerabilities and potential causes of unwanted incidents which may
result in damage to the system or NHIF. Risks are managed to an acceptable level through the
design, implementation and maintenance of the ISMS.
The policy in compliance with other standards and NHIF documents including:
1. Physical security
Confidentiality
This is equivalent to privacy, and it has a set of rules which limits access to information. It
protects against disclosure of information to unintended recipients and is designed to prevent
sensitive information from reaching the wrong people. It ensures that only the designated person
gets the information and access will be restricted to those authorized to view the data in question.
Breaches of confidentiality take many forms. Permitting someone to look over your shoulder
at your computer screen while you have confidential data displayed on it could be a breach of
confidentiality. If a laptop computer containing sensitive information about a company’s employees
is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information
over the telephone is a breach of confidentiality if the caller is not authorized to have the
information.
Integrity
It involves maintaining the consistency, accuracy, and trustworthiness of data over its
entire life cycle, and allows transferring accurate and desired information from senders to intended
receivers. It ensures that data cannot be altered by unauthorized people. This is not the same
thing as referential integrity in databases. Integrity is violated when an employee accidentally or
with malicious intent deletes important data files, when a computer virus infects a computer,
when an employee is able to modify his own salary in a payroll database, when an unauthorized
user vandalizes a web site, when someone is able to cast a very large number of votes in an
online poll, and so on.
Availability
For any information system to serve its purpose, the information must be available when
it is needed. This means that the computing systems used to store and process the information,
the security controls used to protect it, and the communication channels used to access it must
be functioning correctly. High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system upgrades. Ensuring
availability also involves preventing denial-of-service attacks.
Measure products/services
Manage products/services
Assure accountability
Optimize performance
The foundation of strong upper-level management support is critical, not only for the
success of the information security program, but also for the program’s implementation.
The second component is the existence of information security policies and procedures
backed by the authority necessary to enforce compliance. Information security policies delineate
the information security management structure, clearly assign information security responsibilities
and lay the foundation needed to reliably measure progress and compliance.
Finally, the information security measurement program itself must emphasize consistent
periodic analysis of the measures data. Results of this analysis are used to apply lessons
learned, improve effectiveness of existing security controls, and plan for the implementation of
future security controls to meet new information security requirements as they occur.
Excessive costs
Budget overruns
Late projects
Inexperienced staff
Organization/functional charts
Job descriptions
Operations procedures
There are various phases to computer hardware, software and IS service contracts,
including:
Contract acceptance
Contract maintenance
Contract compliance
An IS auditor has been asked to review the draft of an outsourcing contract and SLA and
recommend any changes or point out any concerns prior to these being submitted to senior
management for final approval. The agreement includes outsourcing support of Windows and
UNIX server administration and network management to a third party.
Servers will be relocated to the outsourcer’s facility that is located in another country, and
connectivity will be established using the Internet. Operating system software will be upgraded
on a semi-annual basis, but it will not be escrowed. All requests for addition or deletion of user
accounts will be processed within three business days.
Intrusion detection software will be continuously monitored by the outsourcer and the
customer notified by e-mail if any anomalies are detected. New employees hired within the last
three years were subject to background checks. Prior to that, there was no policy in place.
A right to audit clause is in place, but 24-hour notice is required prior to an on-site visit. If
the outsourcer is found to be in violation of any of the terms or conditions of the contract, it will
have 10 business days to correct the deficiency. The outsourcer does not have an IS auditor,
but it is audited by a regional public accounting firm.
9.7 Summary
Information Security Management describes controls that an organization needs to
implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity
of assets from threats and vulnerabilities. The purpose of security information management is
to provide and protect information and property from all types of threats, internal or external,
accidental or deliberate, by establishing, implementing, executing, monitoring, reviewing,
maintaining and improving information security management system. Privacy Information Security
Management should identify risks to property, property value and identify possible vulnerabilities
and potential causes of unwanted incidents. There are several principles of information security
and one of the core principles is CIA triad. Confidentiality is equivalent to privacy, and it has a
set of rules which limits access to information. Integrity ensures that data cannot be altered by
unauthorized people. Availability is best ensured by rigorously maintaining all hardware,
performing hardware repairs immediately. Measuring, monitoring and reporting on information
security processes are required to ensure that organizational objectives are achieved.
9.8 Keywords
ISM - Information Security Management
LESSON – 10
Risk Management Process
Learning Objectives
At the end of this lesson student will get knowledge about the following:
Know the risk process like transfer, avoidance, retention and control
Structure of Lesson
10.1 Introduction
10.4 Summary
10.5 Keywords
10.1 Introduction
Implementing a risk management process is vital for any organization. Good risk
management doesn’t have to be resource intensive or difficult for organizations to undertake or
insurance brokers to provide to their clients. With a little formalization, structure, and a strong
understanding of the organization, the risk management process can be rewarding.
Risk management does require some investment of time and money, but it does not need
to be substantial to be effective. In fact, it will be more likely to be employed and maintained if
it is implemented gradually over time.
The four main categories of risk are hazard risks, such as fires or injuries; operational
risks, including turnover and supplier failure; financial risks, such as economic recession;
and strategic risks, which include new competitors and brand reputation. Being able to identify
what types of risk you have is vital to the risk management process.
An organization can identify its risks through experience and internal history, consulting
with industry professionals, and external research. They may also try interviews or group
brainstorming, as discussed in the Project Manager article “8 New Ways to Identify Risks”. It’s
important to remember that the risk environment is always changing, so this step should be
revisited regularly.
Many organizations use a heat map (risk map) to rank their risks on a likelihood-and-impact
scale. A risk map is a visual tool that shows which risks are frequent and which are severe (and
thus require the most resources). It helps you separate the risks that are very unlikely or would
have low impact from those that are very likely and would have a significant impact.
Knowing the frequency and severity of your risks will show you where to spend your time
and money and allow your team to prioritize their resources. More details on risk maps can be
found in the blog posts on the topic: "The Importance of Risk Mapping" and "How to Build a Risk
Map".
What are the potential ways to treat the risk and of these, which strikes the best balance
between being affordable and effective? Organizations usually have the options to accept, avoid,
control, or transfer a risk.
Accepting the risk means deciding that some risks are inherent in doing business and
that the benefits of an activity outweigh the potential risks. To avoid a risk, the organization
simply has to not participate in that activity. Risk control involves prevention (reducing the
likelihood that the risk will occur) or mitigation, which is reducing the impact it will have if it does
occur.
Risk transfer involves shifting the financial consequences of a negative outcome to another
party, as is the case when an organization purchases insurance or outsources an activity under
contract. Accountability is not transferred with it: regulators and customers still hold the
organization responsible, so transfer is normally combined with control rather than used instead of it.
Once all reasonable potential solutions are listed, pick the one that is most likely to achieve
desired outcomes. Find the needed resources, such as personnel and funding, and get the
necessary buy-in. Senior management will likely have to approve the plan, and team members
will have to be informed and trained if necessary. Set up a formal process to implement the
solution logically and consistently across the organization and encourage employees every
step of the way.
5. Monitor results
Risk management is a process, not a project that can be "finished" and then forgotten
about. The organization, its environment, and its risks are constantly changing, so the process
should be consistently revisited. Determine whether the initiatives are effective and whether
changes or updates are required. Sometimes the team may have to start over with a new
process if the implemented strategy is not effective.
If an organization gradually formalizes its risk management process and develops a risk
culture, it will become more resilient and adaptable in the face of change. This will also mean
making more informed decisions based on a complete picture of the organization’s operating
environment and creating a stronger bottom line over the long-term.
Clear Risk’s cloud-based Claims, Incident, and Risk management system allows
organizations to better control their risk management activities. They are proud to help their
customers introduce new risk management initiatives and lower the cost of risk.
a. Risk evaluation
c. Risk monitoring.
A systematic approach used to identify, evaluate, and reduce or eliminate the possibility
of an unfavorable deviation from the expected outcome of medical treatment, and thus prevent
the injury of patients as a result of negligence and the loss of financial assets resulting from
such injury.
2. Identification,
3. Assessment,
6. Implementation,
Establishing the context includes planning the remainder of the process and mapping out
the scope of the exercise, the identity and objectives of stakeholders, the basis upon which
risks will be evaluated and defining a framework for the process, and agenda for identification
and analysis.
2. Identification
After establishing the context, the next step in the process of managing risk is to identify
potential risks. Risks are about events that, when triggered, will cause problems. Hence, risk
identification can start with the source of problems, or with the problem itself.
Risk identification requires knowledge of the organization, the market in which it operates,
the legal, social, economic, political, and climatic environment in which it does its business, its
financial strengths and weaknesses, its vulnerability to unplanned losses, the manufacturing
processes, and the management systems and business mechanism by which it operates.
Any failure at this stage to identify a risk may cause a major loss for the organization. Risk
identification provides the foundation of risk management. Identification methods are usually
built on templates (or on developing templates) for recording the source, the problem or the
event. The main methods of risk identification are:
3. Assessment
Once risks have been identified, they must then be assessed as to their potential severity
of loss and to the probability of occurrence. These quantities can be either simple to measure,
in the case of the value of a lost building, or impossible to know for sure in the case of the
probability of an unlikely event occurring.
The fundamental difficulty in risk assessment is determining the rate of occurrence, since
statistical information is not available on all kinds of past incidents. Furthermore, evaluating the
severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation
is another question that needs to be addressed.
Thus, best educated opinions and available statistics are the primary sources of information.
Nevertheless, a risk assessment should produce such information for the management of the
organization that the primary risks are easy to understand and that the risk management decisions
may be prioritized. Thus, there have been several theories and attempts to quantify risks.
Numerous risk formulas exist, but perhaps the most widely accepted formula for risk
quantification is the rate of occurrence multiplied by the impact of the event. In business it is
imperative to present the findings of risk assessments in financial terms. Robert Courtney Jr.
(IBM, 1970) proposed a formula for presenting risks in financial terms, and the Courtney formula
was accepted as the official risk analysis method of US government agencies. The formula
calculates the ALE (Annualized Loss Expectancy) and compares the expected loss to the cost of
implementing a security control (cost-benefit analysis). In its usual form, the Single Loss
Expectancy (SLE) is the asset value multiplied by the exposure factor (the fraction of the asset's
value lost in one incident), and ALE = SLE x ARO, where ARO is the annualized rate of occurrence.
A control is worth buying only if the ALE it removes exceeds its own annual cost.
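The following is an added worked example of the ALE calculation and the cost-benefit comparison just described; it is not part of the course text. The asset value, exposure factors, occurrence rates, control names and control costs are constructed for illustration, and the formulas are the standard SLE = AV x EF and ALE = SLE x ARO.

```python
"""Annualized Loss Expectancy (ALE) and control cost-benefit analysis.

Added example (not from the course text). The asset values, exposure
factors, occurrence rates and control costs are constructed figures.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One risk scenario against one asset, in the Courtney/ALE model."""
    name: str
    asset_value: float        # AV: replacement or business value of the asset
    exposure_factor: float    # EF: fraction of AV lost in one incident (0..1)
    annual_rate: float        # ARO: expected incidents per year (may be < 1)

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        if self.annual_rate < 0:
            raise ValueError("annual rate of occurrence cannot be negative")
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and its estimated effect on the exposure."""
    name: str
    annual_cost: float          # purchase cost amortised per year plus operating cost
    new_exposure_factor: float  # EF after the control (impact reduction)
    new_annual_rate: float      # ARO after the control (likelihood reduction)


def residual(exposure: Exposure, control: Control) -> Exposure:
    """The same scenario with the control's effect applied."""
    return Exposure(exposure.name, exposure.asset_value,
                    control.new_exposure_factor, control.new_annual_rate)


def control_value(exposure: Exposure, control: Control) -> float:
    """Annual net benefit of a control: ALE(before) - ALE(after) - annual cost.

    Positive means the safeguard pays for itself; negative means it costs
    more per year than the loss it prevents.
    """
    return exposure.ale() - residual(exposure, control).ale() - control.annual_cost


def rank_controls(exposure: Exposure, controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate controls by net annual value, best first."""
    scored = [(c.name, control_value(exposure, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario: a customer database worth 500,000, where a breach is
# estimated to destroy 40% of its value and to occur once every four years.
DATABASE_BREACH = Exposure("customer database breach", 500_000.0, 0.40, 0.25)

# Constructed candidate safeguards and their estimated effect on the scenario.
CANDIDATES = [
    Control("encryption at rest", 15_000.0, new_exposure_factor=0.10, new_annual_rate=0.25),
    Control("network segmentation", 30_000.0, new_exposure_factor=0.40, new_annual_rate=0.10),
    Control("expensive DLP suite", 80_000.0, new_exposure_factor=0.20, new_annual_rate=0.10),
]

if __name__ == "__main__":
    print(f"SLE = {DATABASE_BREACH.sle():,.0f}  ALE = {DATABASE_BREACH.ale():,.0f}")
    for name, value in rank_controls(DATABASE_BREACH, CANDIDATES):
        print(f"{name:24s} net annual value {value:>10,.0f}")
```

The ranking is what the cost-benefit comparison produces: a control whose net value is zero merely breaks even, and one with a negative value reduces the ALE but costs more than it saves, which is the case the text warns about when it says findings must be presented in financial terms.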
Once risks have been identified and assessed, all techniques to manage the risk fall into
one or more of these four major categories:
a. Risk Transfer
Risk transfer means that the exposed party transfers all or part of the losses consequent
on a risk exposure to another party for a cost. Insurance contracts fundamentally involve risk
transfers. Apart from insurance, there are certain other techniques by which risk may be
transferred, such as outsourcing and hedging.
b. Risk Avoidance
Risk avoidance means avoiding the risk, or the circumstances that may lead to losses, by not
performing the activity that carries the risk. Avoidance may seem the answer to all risks, but
avoiding risks also means losing the potential gain that accepting (retaining) the risk would
have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of
earning the profits.
c. Risk Retention
Risk retention implies that the losses arising from a risk exposure are retained, or
assumed, by the organization itself. For business organizations retention is generally a deliberate
decision, taken for risks with the following characteristics. Self-insurance and captive
insurance are the two main methods of retention.
d. Risk Control
Decide on the combination of methods to be used for each risk. Each risk management
decision should be recorded and approved by the appropriate level of management.
For example, a risk concerning the image of the organization should have a top management
decision behind it, whereas IT management would have the authority to decide on computer virus
risks. The risk management plan should propose applicable and effective security controls for
managing the risks.
A good risk management plan should contain a schedule for control implementation and the
persons responsible for those actions. The risk management concept is old, but its effectiveness
is still not measured very well. Example: an observed high risk of computer viruses could be
mitigated by acquiring and implementing antivirus software.
6. Implementation
Follow all the planned methods for mitigating the effect of the risks. Purchase insurance
policies for the risks that have been decided to be transferred to an insurer, avoid all risks that
can be avoided without sacrificing the entity’s goals, reduce others, and retain the rest.
Initial risk management plans will never be perfect. Practice, experience and actual loss
results will necessitate changes in the plan and contribute information that allows different
decisions to be made in dealing with the risks being faced. Risk analysis results and management
plans should be updated periodically. There are two primary reasons for this:
To evaluate whether the previously selected security controls are still applicable
and effective.
To evaluate possible changes in the risk level of the business environment. Information
risks, for example, change as rapidly as the business environment does.
10.4 Summary
Risk management does require some investment of time and money, but it does not need
to be substantial to be effective. With a little formalization, structure, and a strong understanding
of the organization, the risk management process can be rewarding. An organization can identify
its risks through experience and internal history, consulting with industry professionals, and
external research. Many organizations use a heat map to rank their risks by likelihood and impact.
Risk transfer involves shifting the financial consequences of a negative outcome to another party,
as is the case when an organization purchases insurance. Risk management is a process, not a
project that can be "finished" and then forgotten about. Risk identification requires knowledge of
the organization, the market in which it operates, and the legal, social, economic, political, and
climatic environment. Once risks have been identified, they must then be assessed as to their
potential severity of loss and their probability of occurrence. Risk analysis results and management
plans should be updated periodically.
10.5 Keywords
ALE - Annualized Loss Expectancy
5. Discuss in detail about the seven steps for risk management with neat sketch.
2. George Westerman and Richard Hunter, “IT Risk”, Harvard Business Review Press
(August 21, 2007)
LESSON – 11
Risk Analysis Methods
Learning Objectives
At the end of this lesson student will get knowledge about the following:
Structure of Lesson
11.1 Introduction
11.6 Summary
11.7 Keywords
11.1 Introduction
After identifying and classifying the risks, we proceed with their analysis: the likelihood and
the consequences of each risk factor are examined in order to establish the level of risk of the
project. The risk analysis will determine which risk factors would potentially have a greater impact
on the project and, therefore, must be managed by the entrepreneur with particular care. Three
kinds of methods are used for determining the level of risk of a business:
Qualitative Methods
Quantitative Methods
Semi-quantitative Methods.
Qualitative methods can be used when the level of risk is low and does not warrant the
time and resources necessary for making a full analysis.
They are also used when the numerical data available are not adequate for a more
quantitative analysis, and they can serve as the basis for a subsequent and more detailed
analysis of the entrepreneur's global risk.
Brainstorming
Analysis of likelihood
Analysis of consequences
Computer simulation
This method seeks to represent reality through a mathematical risk model, in such a
way that by assigning values randomly to the variables of the model, different
scenarios and results are obtained.
The Monte Carlo method is based on making a sufficiently high number of iterations
(assignments of values in a random fashion), so that the sample of results obtained
is sufficiently broad to be considered representative of a real situation. These
iterations can be made using a data processing engine.
With the results obtained from the various iterations, a statistical study is
performed, from which relevant conclusions are extracted with respect to the risk of
the project, such as mean, maximum and minimum values, standard deviations,
variances and the likelihood of occurrence of the different values of the variables
chosen to measure the risk.
The likelihood of occurrence of the risk, and the impact it would have on the business
project, are measured against two output variables: the profit obtained by the entrepreneur
in the financial year and the Net Present Value of the business project.
Moreover, a risk model will enable us to carry out a control and monitoring of the
project, by comparing the value at risk of the variables with the real value finally
incurred in the period under analysis.
The steps to be taken for the development of a Risk Model based on the measurement of
the likelihood of occurrence are set out below:
For this purpose, we need to identify the probability distribution associated with
each of the variables affected by the risk, that is, the function that describes the
behaviour of the risk variable defined by the entrepreneur.
Among the principal, most common and easiest to apply, we note particularly the
following distribution functions, assignable to the variables of a business project.
Once the distribution functions have been analyzed, we identify those we consider
to be most in line with the risk variables selected by the entrepreneur, because
these will be the ones that best describe and reflect the behaviour of the variable.
Note that the selection of the distributions within the Risk Analysis Module comes
predefined by the tool, so the entrepreneur will find the association already made;
each risk variable has been assigned a probability distribution.
The entrepreneur must assign values to the parameters of these distributions in order
to be able to carry out the simulation.
In some cases, the entrepreneur will be asked to determine what the range of variation is;
then he or she must indicate the minimum, maximum and, when so requested, the most likely
value.
Minimum: The lowest value that the variable being analyzed can reach.
Maximum: The highest value that the variable being analyzed can reach.
Most likely: Value which the user feels can be reached by the variable being analyzed,
in normal circumstances.
For another kind of variable, two possible values and the likelihood of occurrence associated
with each will be requested.
Value 1: A possible value which the user assigns to the variable being analyzed.
Value 2: Second possible value that the user assigns to the variable being analyzed.
The probabilities assigned to value 1 and value 2 must together sum to 100%.
In order to measure the global risk of a business project, the use of variables that
are representative of the value of the business is recommended.
Using the starting variables, the entrepreneur will be able to study the consequences
that the variability occurring in the risk variables considered in his or her project will
eventually have on the business project.
The NPV is calculated by discounting the cash flow of each of the years considered at
the weighted average cost of capital (WACC). That is, the cash flow generated by the
project is calculated as the difference between the collections and payments of a
financial year and brought to the present time by applying a discount rate.
The discount rate applied is the average cost of the funds the entrepreneur uses,
obtained by weighting his/her own resources (capital, reserves) and outside resources
(debt).
Net Profit
Result obtained after deducting from the value of the sales the total amount of the
expenses for the year (ordinary, extraordinary, financial expenses, depreciation and
taxes).
The entrepreneur:
Selects which variables of his/her business plan are affected by the risk.
Introduces the values asked for by the tool for each of the variables affected by the
risk.
Determines which output variable, profit or net present value, the total risk of his/her
business project is going to be quantified in.
At this point the tool begins the simulation process, that is, it makes the
necessary iterations through a data processing engine.
This step is executed automatically by the tool: the calculation engine generates
a thousand iterations in order to obtain a representative sample.
The simulation randomly generates a thousand possible values for the risk variables,
all of which fall within the intervals previously defined by the user, and so yields a
thousand values of the output variable, profit or net present value.
This enables the entrepreneur to arrive at conclusions on the degree of occurrence
or likelihood of the various possible results, such as the most likely value of
what the business is worth, or the minimum and maximum values the profit could
attain.
The tool reports the possible values taken by the output variables of the model (net
profit and net present value) and the likelihood associated with each of them.
The histogram shows the possible values of the net profit or of the NPV of the
business project that can be obtained with a certain level of confidence (the likelihood
of occurrence associated with each value).
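The procedure above (the two kinds of risk variable with their minimum/most likely/maximum or two-point definitions, the NPV discounted at the WACC, a thousand iterations, and the statistics and histogram read off the results) is implemented end to end in the following added example. It is not the course's Risk Analysis Module nor code from any tool; the investment, horizon, WACC and the ranges given to the risk variables are constructed for illustration.

```python
"""Monte Carlo risk model for the NPV of a business plan.

Added example, not from the course text nor from any risk analysis tool it
describes. The investment, horizon, WACC and the ranges of the risk
variables are constructed for illustration.
"""
from __future__ import annotations

import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Triangular:
    """Risk variable given as minimum, most likely and maximum value."""
    minimum: float
    most_likely: float
    maximum: float

    def sample(self, rng: random.Random) -> float:
        if not self.minimum <= self.most_likely <= self.maximum:
            raise ValueError("need minimum <= most likely <= maximum")
        return rng.triangular(self.minimum, self.maximum, self.most_likely)


@dataclass(frozen=True)
class TwoPoint:
    """Risk variable that is value_1 with probability p_1, else value_2."""
    value_1: float
    value_2: float
    p_1: float  # probability of value_1; value_2 gets the remaining 1 - p_1

    def sample(self, rng: random.Random) -> float:
        if not 0.0 <= self.p_1 <= 1.0:
            raise ValueError("the two probabilities must sum to 100%")
        return self.value_1 if rng.random() < self.p_1 else self.value_2


def npv(cash_flows: list[float], wacc: float) -> float:
    """Discount each year's net cash flow at the WACC; year 0 is undiscounted."""
    return sum(cf / (1.0 + wacc) ** year for year, cf in enumerate(cash_flows))


# Constructed business plan: an initial investment, five years of trading with
# uncertain sales and cost ratio, and a possible one-off regulatory fine in year 2.
INVESTMENT = 1_000_000.0
HORIZON_YEARS = 5
WACC = 0.10
SALES = Triangular(800_000.0, 1_000_000.0, 1_300_000.0)   # sales per year
COST_RATIO = Triangular(0.55, 0.60, 0.70)                 # costs as a share of sales
FINE = TwoPoint(0.0, 150_000.0, 0.8)                      # 20% chance of a 150k fine


def one_scenario(rng: random.Random) -> float:
    """Draw one value per risk variable and return the NPV of that scenario."""
    sales = SALES.sample(rng)
    cost_ratio = COST_RATIO.sample(rng)
    fine = FINE.sample(rng)
    flows = [-INVESTMENT]
    for year in range(1, HORIZON_YEARS + 1):
        net_margin = sales * (1.0 - cost_ratio)
        flows.append(net_margin - (fine if year == 2 else 0.0))
    return npv(flows, WACC)


def simulate(iterations: int = 1000, seed: int = 7) -> list[float]:
    """Run the model `iterations` times; a fixed seed makes the run reproducible."""
    rng = random.Random(seed)
    return [one_scenario(rng) for _ in range(iterations)]


def summarize(values: list[float]) -> dict[str, float]:
    """The statistics the text lists, plus the probability the project loses money."""
    ordered = sorted(values)
    n = len(ordered)

    def percentile(p: float) -> float:
        return ordered[min(n - 1, int(p * n))]

    return {
        "mean": statistics.fmean(ordered),
        "min": ordered[0],
        "max": ordered[-1],
        "stdev": statistics.pstdev(ordered),
        "variance": statistics.pvariance(ordered),
        "p05": percentile(0.05),   # NPV exceeded with 95% confidence
        "p95": percentile(0.95),
        "p_loss": sum(1 for v in ordered if v < 0.0) / n,
    }


def histogram(values: list[float], bins: int = 10) -> list[tuple[float, int]]:
    """Bucket the results as (lower edge of bin, count), like the tool's histogram."""
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins or 1.0
    counts = [0] * bins
    for v in values:
        counts[min(bins - 1, int((v - lo) / width))] += 1
    return [(lo + i * width, c) for i, c in enumerate(counts)]


if __name__ == "__main__":
    results = simulate()
    for key, value in summarize(results).items():
        print(f"{key:8s} {value:>14,.2f}")
    for edge, count in histogram(results):
        print(f"{edge:>14,.0f} {'#' * (count // 5)}")
```

The fixed seed is deliberate: a risk model whose numbers change on every run cannot be reviewed or compared with last quarter's run, and the 5th-percentile NPV is the figure to quote when the text speaks of a value "obtained with a certain level of confidence".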
11.6 Summary
The risk analysis determines which risk factors would potentially have a greater impact
on the project. Qualitative methods can be used when the level of risk is low and does not
warrant the time and resources necessary for making a full analysis. Quantitative methods are
those that enable us to assign values of occurrence to the various risks identified. Monte Carlo
is a quantitative method for risk analysis and is based on making a sufficiently high number of
iterations. Semi-quantitative methods use word classifications such as high, medium or low, or
more detailed descriptions of likelihood and consequences. A risk model is a representation of
the reality to be analyzed through a structure of mathematical calculations, in which the significant
risk variables are calculated and placed in relation to the rest of the variables. Once the risk
variables that affect the entrepreneur's business plan have been identified, the variable or
variables on which the risk of the business project is going to be measured must be chosen. The
NPV is calculated by discounting the cash flow of each of the years considered at the weighted
average cost of capital. The tool reports the possible values taken by the output variables of
the model and the likelihood associated with each of them.
11.7 Keywords
NPV - Net Present Value
2. George Westerman and Richard Hunter, “IT Risk”, Harvard Business Review Press
(August 21, 2007)
LESSON – 12
Risk Management Framework
Learning Objectives
At the end of this lesson student will get knowledge about the following:
Structure of Lesson
12.1 Introduction
12.3.1 Effectiveness
12.3.2 Limitations
12.5.2 NIST
12.6 Summary
12.7 Keywords
12.1 Introduction
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) developed a model for evaluating internal controls. This model has been adopted as
the generally accepted framework for internal control and is widely recognized as the definitive
standard against which organizations measure the effectiveness of their systems of internal
control. With that publication, Internal Control – Integrated Framework, COSO set out to help
businesses and other entities assess and enhance their internal control systems. The framework
has since been incorporated into policy, rule, and regulation, and used by thousands of enterprises
to better control their activities in moving toward achievement of their established objectives.
Recent years have seen heightened concern and focus on risk management, and it became
increasingly clear that a robust framework was needed to effectively identify, assess, and manage
risk. The need for an enterprise risk management framework, providing key principles and
concepts, a common language, and clear direction and guidance, became even more compelling.
COSO believes its Enterprise Risk Management – Integrated Framework fills this need, and
expects it to become widely accepted by companies and other organizations and indeed by all
stakeholders and interested parties.
to identify potential events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The definition reflects certain fundamental concepts. Enterprise risk management is:
Applied across the enterprise, at every level and unit, and includes taking an entity
level portfolio view of risk.
Designed to identify potential events that, if they occur, will affect the entity and to
manage risk within its risk appetite.
Achievement of Objectives
Because objectives relating to reliability of reporting and compliance with laws and
regulations are within the entity’s control, enterprise risk management can be expected to provide
reasonable assurance of achieving those objectives. Achievement of strategic objectives and
operations objectives, however, is subject to external events not always within the entity’s control;
accordingly, for these objectives, enterprise risk management can provide reasonable assurance
that management, and the board in its oversight role, are made aware, in a timely manner, of
the extent to which the entity is moving toward achievement of the objectives.
Objective Setting – Objectives must exist before management can identify potential
events affecting their achievement. Enterprise risk management ensures that
management has in place a process to set objectives and that the chosen objectives
support and align with the entity’s mission and are consistent with its risk appetite.
Enterprise risk management is not strictly a serial process, where one component affects
only the next. It is a multidirectional, iterative process in which almost any component can and
does influence another.
12.3.1 Effectiveness
The eight components will not function identically in every entity. Application in small and
mid-size entities, for example, may be less formal and less structured. Nonetheless, small
entities still can have effective enterprise risk management, if each of the components is present
and functioning properly.
12.3.2 Limitations
While enterprise risk management provides important benefits, limitations exist. In addition
to factors discussed above, limitations result from the realities that human judgment in decision
making can be faulty, decisions on responding to risk and establishing controls need to consider
the relative costs and benefits, breakdowns can occur because of human failures such as
simple errors or mistakes, controls can be circumvented by collusion of two or more people,
and management has the ability to override enterprise risk management decisions. These
limitations preclude a board and management from having absolute assurance as to achievement
of the entity’s objectives.
Internal control is an integral part of enterprise risk management. The enterprise risk
management framework encompasses internal control, forming a more robust conceptualization
and tool for management. Internal control is defined and described in Internal Control – Integrated
Framework. Because that framework has stood the test of time and is the basis for existing
rules, regulations, and laws, that document remains in place as the definition of and framework
for internal control. While only portions of the text of Internal Control – Integrated Framework
are reproduced in the ERM framework, the entirety of that framework is incorporated by reference
into it.
This comprises the analysis and evaluation of risk through the processes of identification,
description and estimation.
Identification
Risk workshops
Stakeholder consultations
Benchmarking
Estimation
how risks are assessed. Mapping involves a matrix of likelihood/probability against impact/
consequences, each scored on a fixed scale, so that risks can be compared and ranked.
The risk appetite and risk tolerance of an organization dictate the nature and level of risks
that are acceptable to that organization. Risk appetite could be defined as "the risks that an
organization is in business to take, based on its corporate goals and its strategic imperatives",
while risk tolerance represents "the threshold of risk that the organization considers acceptable,
based on its capabilities to manage the identified risks".
Risk Register
It is recommended that organizations record their risks in a risk register. This can include
the following information: a unique identifier number, risk category, description of risk, the date
the risk is identified and by whom. Other possible data includes the likelihood of risk,
consequences, interdependencies with other risks and a monetary estimation.
Before responses are developed for each of the risks identified, it is necessary to determine
the organization’s attitude to risk or risk appetite. The risk appetite will be influenced by the size
and type of organization, its culture and its capacity to withstand the impacts of adverse
occurrences.
This is the process of selecting and implementing measures to manage the risk. The
challenge for risk managers is to determine a portfolio of appropriate responses that form a
coherent and integrated strategy such that the net remaining risk falls within the acceptable
level of exposure. It is important to note that there is no single right response to a risk. The
choice of response will depend on issues such as the organization's risk appetite, the impact and
probability of the risk and the costs and benefits of the mitigation plans. Responses to risk
generally fall into the following categories:
Risk avoidance: Action is taken to halt the activities giving rise to risk, such as a product
line, a geographical market or a whole business unit.
Risk reduction: action is taken to reduce the likelihood of the risk, its impact, or both,
generally via internal controls.
Risk sharing or transfer: action is taken to transfer a portion of the risk through insurance,
outsourcing or hedging.
Residual risk reporting involves comparing gross risk (the assessment of risk before
controls or risk responses are applied) and net risk (the assessment of risk, taking account of
any controls or risk responses applied) to enable a review of risk response effectiveness and
possible alternative management options.
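The register fields, the likelihood/impact matrix, the risk tolerance threshold and the gross-versus-net comparison described above (and the heat map of Lesson 10) are put together in the following added example. It is not from the course text or any COSO publication; the 5x5 scale, the colour band thresholds, the tolerance value and the register entries are constructed assumptions.

```python
"""Risk register with likelihood/impact scoring, gross versus net (residual)
risk, heat-map banding and a tolerance threshold.

Added example, not from the course text. The 5x5 scale, the band thresholds,
the tolerance value and the register entries are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

SCALE_MIN, SCALE_MAX = 1, 5   # 1 = rare / negligible ... 5 = almost certain / severe


def band(score: int) -> str:
    """Colour a likelihood x impact product (1..25) as on a heat map."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


@dataclass
class RiskEntry:
    """One row of the register, with the fields the text recommends."""
    risk_id: str
    category: str
    description: str
    identified_on: str                  # ISO date
    identified_by: str
    likelihood: int                     # gross, before any response
    impact: int                         # gross
    monetary_estimate: Optional[float] = None
    depends_on: list[str] = field(default_factory=list)
    responses: list[str] = field(default_factory=list)   # avoid / reduce / share / accept
    net_likelihood: Optional[int] = None                 # after responses, if changed
    net_impact: Optional[int] = None

    def __post_init__(self) -> None:
        # With no response recorded, net risk equals gross risk.
        if self.net_likelihood is None:
            self.net_likelihood = self.likelihood
        if self.net_impact is None:
            self.net_impact = self.impact
        for value in (self.likelihood, self.impact, self.net_likelihood, self.net_impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: scores must be {SCALE_MIN}..{SCALE_MAX}")

    def gross_score(self) -> int:
        return self.likelihood * self.impact

    def net_score(self) -> int:
        """Residual risk after the recorded responses."""
        return self.net_likelihood * self.net_impact


def build_register(entries: list[RiskEntry]) -> dict[str, RiskEntry]:
    """Index entries by identifier, rejecting duplicate or dangling identifiers."""
    register: dict[str, RiskEntry] = {}
    for e in entries:
        if e.risk_id in register:
            raise ValueError(f"duplicate risk id {e.risk_id}")
        register[e.risk_id] = e
    for e in entries:
        for dep in e.depends_on:
            if dep not in register:
                raise ValueError(f"{e.risk_id} depends on unknown risk {dep}")
    return register


def prioritize(register: dict[str, RiskEntry]) -> list[str]:
    """Ids ordered by residual risk, highest first; ties broken by gross risk."""
    ordered = sorted(register.values(),
                     key=lambda e: (e.net_score(), e.gross_score()), reverse=True)
    return [e.risk_id for e in ordered]


def outside_tolerance(register: dict[str, RiskEntry], tolerance: int) -> list[str]:
    """Risks whose residual score still exceeds what the organization accepts."""
    return [e.risk_id for e in register.values() if e.net_score() > tolerance]


def response_effectiveness(register: dict[str, RiskEntry]) -> dict[str, int]:
    """Gross minus net score: how much each response portfolio removed."""
    return {rid: e.gross_score() - e.net_score() for rid, e in register.items()}


def heat_map(register: dict[str, RiskEntry], residual: bool = True) -> dict[tuple[int, int], list[str]]:
    """Cells of the likelihood/impact matrix and the risks that sit in each."""
    cells: dict[tuple[int, int], list[str]] = {}
    for e in register.values():
        key = (e.net_likelihood, e.net_impact) if residual else (e.likelihood, e.impact)
        cells.setdefault(key, []).append(e.risk_id)
    return cells


# Constructed register entries.
REGISTER = build_register([
    RiskEntry("R-001", "operational", "ransomware encrypts the file servers", "2024-01-15",
              "IT security", 4, 5, monetary_estimate=750_000,
              responses=["reduce: offline backups, EDR, patching"], net_likelihood=2, net_impact=3),
    RiskEntry("R-002", "operational", "sole supplier of a key component fails", "2024-01-15",
              "procurement", 3, 4, responses=["reduce: qualify a second supplier"], net_likelihood=2),
    RiskEntry("R-003", "compliance", "fine for retaining customer data too long", "2024-02-02",
              "legal", 2, 4, monetary_estimate=100_000, responses=["accept: review yearly"]),
    RiskEntry("R-004", "strategic", "reputational damage after a public breach", "2024-02-02",
              "communications", 3, 5, depends_on=["R-001"],
              responses=["share: cyber insurance", "reduce: incident comms plan"], net_likelihood=2),
])
TOLERANCE = 9   # residual score above this must be escalated to the board

if __name__ == "__main__":
    for rid in prioritize(REGISTER):
        e = REGISTER[rid]
        print(f"{rid} gross {e.gross_score():2d} ({band(e.gross_score())})"
              f" net {e.net_score():2d} ({band(e.net_score())})")
    print("outside tolerance:", outside_tolerance(REGISTER, TOLERANCE))
```

Two points of the design are worth noting. A risk with no recorded response keeps its gross score as its net score, so an "accept" decision is visible as a deliberate entry rather than as a silent gap; and the tolerance check is run on net risk, which is exactly the residual-risk comparison the text uses to review whether the chosen responses are sufficient.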
The first volume contains the Framework as well as this Executive Summary. The
Framework defines enterprise risk management and describes principles and
concepts, providing direction for all levels of management in businesses and other
organizations to use in evaluating and enhancing the effectiveness of enterprise
risk management. This Executive Summary is a high-level overview directed to
chief executives, other senior executives, board members, and regulators.
Suggested actions that might be taken as a result of this report depend on position and
role of the parties involved:
Board of Directors– The board should discuss with senior management the state of the
entity’s enterprise risk management and provide oversight as needed. The board should ensure
it is apprised of the most significant risks, along with actions management is taking and how it
is ensuring effective enterprise risk management. The board should consider seeking input
from internal auditors, external auditors, and others.
Senior Management– This study suggests that the chief executive assess the
organization’s enterprise risk management capabilities. In one approach, the chief executive
brings together business unit heads and key functional staff to discuss an initial assessment of
enterprise risk management capabilities and effectiveness. Whatever its form, an initial
assessment should determine whether there is a need for, and how to proceed with, a broader,
more in-depth evaluation.
Other Entity Personnel– Managers and other personnel should consider how they are
conducting their responsibilities in light of this framework and discuss with more senior personnel
ideas for strengthening enterprise risk management. Internal auditors should consider the breadth
of their focus on enterprise risk management.
Regulators– This framework can promote a shared view of enterprise risk management,
including what it can do and its limitations. Regulators may refer to this framework in establishing
expectations, whether by rule or guidance or in conducting examinations, for entities they oversee.
Educators – This framework might be the subject of academic research and analysis, to
see where future enhancements can be made. With the presumption that this report becomes
accepted as a common ground for understanding, its concepts and terms should find their way
into university curricula.
With this foundation for mutual understanding, all parties will be able to speak a common
language and communicate more effectively. Business executives will be positioned to assess
their company’s enterprise risk management process against a standard and strengthen the
process and move their enterprise toward established goals. Future research can be leveraged
off an established base. Legislators and regulators will be able to gain an increased understanding
of enterprise risk management, including its benefits and limitations. With all parties utilizing a
common enterprise risk management framework, these benefits will be realized.
Ongoing evaluations, separate evaluations, or some combination of the two are used to
ascertain whether each of the five components of internal control, including controls to effect
the principles within each component, is present and functioning. Ongoing evaluations, built
into business processes at different levels of the entity, provide timely information. Separate
evaluations, conducted periodically, will vary in scope and frequency depending on the assessment
of risks, the effectiveness of ongoing evaluations, and other management considerations. Findings
are evaluated against criteria established by regulators, standard-setting bodies, or management
and the board of directors, and deficiencies are communicated to management and the board
of directors as appropriate.
The Information and Communication component and the Monitoring Activities component
are the last two components of the Framework. The Information and Communication component
has three (3) while Monitoring Activities has two (2) principles.
The approaches that can be taken to achieve the objective of this principle include Creating
an Inventory of Information Requirements, Obtaining Information from External Sources,
Obtaining Information from Non-Finance Management, Creating and Maintaining Information
Repositories, Using an Application to Process Data into Information, Enhancing Information
Quality through a Data Governance Program and Identifying, Securing, and Retaining Financial
Data and Information.
This principle deals with a plethora of issues. It states that the entity’s external parties
have to be involved, as matters of internal control over financial reporting have to be
communicated to interested parties or those expected to possess them. It also encourages the
management of the entity to obtain information on its internal control through external sources
including carrying out surveys.
Outside Parties and Reviewing External Audit Communications are the methodologies
recommended by the Framework.
The management of an entity needs to evaluate the internal control of the firm to determine
whether the components are not only present but also functioning. It can achieve this end by
taking the following approaches: Periodically Reviewing the Mix of Monitoring Activities,
Establishing a Baseline, Identifying and Using Metrics, Designing and Implementing a Dashboard,
Using Technology to Support Monitoring Activities, Conducting Separate Evaluations, Using
Internal Audit to Conduct Separate Evaluations and Understanding Controls at an Outsourced
Service Provider.
Once the evaluation of the entity’s internal control has been carried out and it has been
determined that some components are either present but not functioning or not present at all,
feedback has to be relayed to those concerned. The deficiencies identified should be addressed
by taking corrective actions in due time. This objective can be attained by Assessing and Reporting
Deficiencies, Monitoring Corrective Action and Developing Guidelines for Reporting Deficiencies.
12.5.2 NIST
The Risk Management Framework (RMF) is a set of criteria that dictate how United States
government IT systems must be architected, secured, and monitored. Today, the RMF is
maintained by the National Institute of Standards and Technology (NIST) and provides a solid
foundation for any data security strategy. NIST is responsible for developing information security
standards and guidelines, including minimum requirements for federal information systems.
More than ever, organizations must balance a rapidly evolving cyber threat landscape against
the need to fulfill business requirements. To help these organizations manage their cyber security
risk, NIST convened stakeholders to develop a cyber security framework that addresses threats
and supports business. It provides guidance on applying risk assessment concepts to all
three tiers in the risk management hierarchy and supports each step in the risk management
framework (prepare, conduct and maintain).
Risk mitigation planning is the process of developing options and actions to enhance
opportunities and reduce threats to project objectives. Risk mitigation implementation is the
process of executing risk mitigation actions. Risk mitigation progress monitoring includes tracking
identified risks, identifying new risks, and evaluating risk process effectiveness throughout the
project.
The risk mitigation step involves development of mitigation plans designed to manage,
eliminate, or reduce risk to an acceptable level. Once a plan is implemented, it is continually
monitored to assess its efficacy, with the intent of revising the course of action if needed.
Risk mitigation strategies are based on the assessed combination of the probability of
occurrence and severity of the consequence for an identified risk.
Watch/Monitor: Monitor the environment for changes that affect the nature and/or
the impact of the risk.
12.6 Summary
Enterprise risk management deals with risks and opportunities affecting value creation or
preservation. It focuses directly on achievement of objectives established by a particular entity
and provides a basis for defining enterprise risk management effectiveness. The categorization
of entity objectives allows a focus on separate aspects of enterprise risk management.
Achievement of strategic objectives and operations objectives, however, is subject to external
events not always within the entity’s control; accordingly, for these objectives, enterprise risk
management can provide reasonable assurance. Enterprise risk management consists of eight
interrelated components. These are derived from the way management runs an enterprise and
are integrated with the management process. The eight components will not function identically
in every entity. The limitations of ERM preclude a board and management from having absolute
assurance as to achievement of the entity’s objectives. This enterprise risk management
framework encompasses internal control, forming a more robust conceptualization and tool for
management. This comprises the analysis and evaluation of risk through processes of
identification, description and estimation. The choice of response will depend on issues such as
the organization’s risk appetite, the impact and probability of the risk and the costs and benefits
of the mitigation plans. The Risk Management Framework provides a process that integrates
security and risk management activities into the system development life cycle. RMF is focused
on security, so the security objectives are the CIA triad (confidentiality, integrity, availability); it looks at
the impact values for each and rates them low, moderate, or high. Remember, risk is the intersection
of the impact and the probability.
12.7 Keywords
COSO - Committee of Sponsoring Organizations of the Treadway Commission
LESSON – 13
Introduction to Information Technology and Security
Learning Objectives
At the end of this lesson student will get knowledge about the following:
The various stages in the evolution of information system functions
Understanding the process of audit and assessment
Knowing the role of the compliance officer
Understanding the process of the compliance function
Structure of Lesson
13.1 Introduction
(1950 – 1960)
13.7 Summary
13.8 Keywords
13.1 Introduction
Information technology security is a field within information technology involving the
protection of computer systems and the prevention of unauthorized use, modification or access
of electronic data. It deals with the protection of software, hardware, networks and their information.
Because modern industry relies heavily on computers that store and transmit an
abundance of confidential information about people, cyber security is a critical function and a
necessary safeguard for many businesses. It also protects computer systems from theft or damage.
During this period, the role of IS was mostly to perform activities like transaction
processing, recordkeeping and accounting. IS was mainly used for electronic data processing
(EDP).
Transaction Processing System (TPS) was the first computerized system developed to
process business data. TPS was mainly aimed at the clerical staff of an organization. The early
TPS used batch processing: data was accumulated over a period and all transactions
were processed afterward.
During this era, the role of IS evolved from TPS to Management Information Systems
(MIS). MIS process data into useful informative reports and provide managers with the tools to
organize, evaluate and efficiently manage departments within an organization. MIS delivers
information in the form of displays and pre-specified reports to support business decision-
making. Examples of output from MIS are cost trend, sales analysis and production performance
reporting systems.
Summary information condenses data into a format that an individual can review
quickly and easily.
This period also marked the development when the focus of organizations shifted slowly
from merely automating basic business processes to consolidating the control within the data
processing function.
In this era, a major advancement was the introduction of the personal computer (PC).
With the introduction of PCs, computing or processing power was distributed
across the organization. The IS function became associated strongly with management rather than with a
technical approach in an organization. The role focused on “interactive computer-based systems” to aid
decision-makers in solving problems.
This new role of information systems to provide interactive ad-hoc support for the decision-
making process to managers and other business professionals is called Decision Support
Systems (DSS). DSS serve the planning, management and operations level of an organization
usually senior management.
DSS uses data from both internal and/or external sources. Internal sources of data might
include inventory, sales, manufacturing or financial data from an organization’s database. External
sources could include pricing, interest rates, population or trends. Managers use DSS to
manipulate the data to help with decisions. Examples of DSS are projected revenue figures
based on new product sales assumptions, product pricing and risk analysis systems.
This period gave rise to departmental computing, as many organizations purchased
their own hardware and software to suit their departmental needs. Instead of waiting for indirect
support from a centralized corporate service department, employees could use their own resources
to support their job requirements. This trend led to new challenges of data incompatibility, integrity
and connectivity across different departments. Further, top executives were using neither DSS
nor MIS, hence executive information systems (EIS) or executive support systems (ESS) were
developed.
EIS offers decision-making facilities to executives by providing both internal and
external information relevant to meeting the strategic goals of the organization. These are
sometimes considered a specific form of DSS. Examples of EIS are systems for easy
access to the actions of all competitors, economic developments to support strategic planning and
analysis of business performance.
During this era, the rapid growth of the intranets, extranets, internet and other
interconnected global networks dramatically changed the capabilities of IS in business. It became
possible to circulate knowledge to different parts of the world irrespective of time and space.
This period also saw an emergence of enterprise resource planning (ERP) systems. ERP
is an organization-specific form of a strategic information system that incorporates all components
of an organization including manufacturing, sales, resource management, human resource
planning and marketing.
Expert systems (ES) are computer systems that mimic the decision-making ability of
human experts, for example systems making financial forecasts, diagnosing human illnesses
and scheduling routes for delivery vehicles. A knowledge management system (KMS) is an IT
system that stores and retrieves knowledge to support the creation, organization and dissemination
of business knowledge within the enterprise. Examples of KMS are feedback databases and
helpdesk systems. ES use data from knowledge management systems to generate the desired
information system output, for example in a loan application approval system.
The Internet and related technologies and applications changed the way businesses
operate and people work. Information system functions in this period are still the same as
50 years ago: record keeping, management reporting, transaction processing, management support
and managing the processes of the organization. IS is used to support business processes,
decision making and competitive advantage.
The difference is greater connectivity across similar and dissimilar system components.
There is a greater network infrastructure, a higher level of integration of functions across applications
and more powerful machines with higher storage capacity. Many businesses use Internet technologies
and web-enabled business processes to create innovative e-business applications. E-business is
simply conducting business processes using the internet.
Security Audit services offer clients a thorough, cost-effective means of evaluating their
overall information security posture in order to identify vulnerabilities and make informed
remediation decisions, guided by expertise to ensure that their networks, systems, data and
customers are protected from the rising tide of cybercrime.
Conduct investigations
Educate staff
Design and monitor control systems to deal with violations of legal rules and internal
policies.
Review and evaluate company procedures and reports to identify hidden risks or
common issues.
procedures for the operation of the organization. Broadly speaking, the following are the major
roles within the compliance function.
One of the most difficult roles of the compliance officer is to transform compliance from a
burden to a benefit. A culture of compliance should be an integral part of the organization’s
ethics, and it is the role of the compliance officer to implement the elements of compliance that
should be evident throughout the organization. By ensuring a correct implementation of such
compliance elements and a correct compliance culture, they can produce efficiencies, maintain
consistency, improve reliability and assurance, and increase stakeholder confidence.
The compliance officer is the regulatory expert of the firm, and it is their role not only to
be up to date with all regulatory issues relevant to the sector in which they operate, but to be able to identify
potential threats of non-compliance and take measures to alleviate them. These threats can arise
from non-adherence to specific laws and regulations throughout the firm’s operations, from
launching and marketing a new product to employing new people and changing internal
procedures. Regulated entities are especially prone to hefty fines in case of non-compliance,
so this role is important for the firm’s profitability.
c. Monitoring
d. Communicating
The compliance officer is the channel through which the regulator communicates with the firm. It is the
compliance officer’s job to communicate all requirements emanating from the law to the firm,
so that measures can be taken and changes made for the company’s compliance with and
adherence to this regime. At the same time, the compliance officer can also communicate the
sector’s requests and requirements to the regulator, either directly or via questions and
suggestions on upcoming laws and consultation papers.
e. Handling Issues
It is their role to take action should issues arise, whether that is employees’ concerns on
anti-money laundering suspicions for clients, or circulars issued by the regulator that affect the
firm’s operations, or any issue that might leave the company vulnerable to sanctions and fines.
Designing a template
13.7 Summary
Information technology security deals with the protection of software, hardware, networks and their
information. An information system is a combination of processes, hardware, trained personnel,
software, infrastructure and standards that are designed to create, modify, store, manage and
distribute information to suggest new business strategies and new products. EDP is described
as the use of computers in recording, classifying, manipulating, and summarizing data.
Transaction Processing System (TPS) was the first computerized system developed to process
business data. DSS uses data from both internal and/or external sources. Internal sources of
data might include inventory, sales, manufacturing or financial data from an organization’s
database. EIS offers decision-making facilities to executives by providing both internal
and external information relevant to meeting the strategic goals of the organization. Expert
systems (ES) are computer systems that mimic the decision-making ability of human experts.
An Information security audit is a systematic, measurable technical assessment of how the
organization’s security policy is employed. A Compliance officer is responsible for ensuring a
company’s policies and procedures comply with regulatory and ethical standards. Staff in the
compliance function must stay on top of the latest laws, regulations and business trends and
should be able to translate these into requirements and procedures for the operation of the
organization. The compliance officer can also communicate the sector’s requests and
requirements to the regulator, either directly or via questions and suggestions to upcoming
laws and consultation papers.
13.8 Keywords
EDP - Electronic Data Processing
LESSON – 14
Designing an Internal Compliance System
Learning Objectives
At the end of this lesson student will get knowledge about the following:
Structure of Lesson
14.1 Introduction
14.5 Summary
14.6 Keywords
14.1 Introduction
The Company promotes a systematic approach: the appointment of a Director as a
Compliance Officer who promotes compliance, and the deliberation of corporate ethics and
compliance matters in the Internal Control Committee (ICC).
section in charge of grasping information on the amendment of laws related to our business,
which informs the legal amendment company-wide immediately and reflects the self-assessment
checklist.
Principle 1:
Principle 2:
Anyone who is aware of fraudulent or illegal business transactions conducted in the name
of the University shall report them immediately.
Principle 3:
Each unit is responsible for the restitution of any disallowances due to noncompliance
with laws, regulations or special restrictions.
Principle 4:
Every employee who conducts University business transactions is responsible for staying
abreast of ever-changing legal and regulatory requirements.
Principle 5:
The organization uses reasonable efforts not to include within its “substantial
authority” any person whom the organization knows or should know through due
diligence has engaged in illegal activities or other conduct inconsistent with an
effective CEP.
The organization takes reasonable steps to ensure the CEP is followed, including
monitoring and auditing to detect criminal conduct, evaluate the CEP’s effectiveness
and a mechanism to report potential criminal activity without fear of retaliation.
Establishing effective policies and procedures does not begin and end with regulations. It
takes the right amount of collaboration, the right types of distributive mediums, and the right
methods to measure understanding. All these things take an enormous amount of time and
energy but automating them with a software solution can increase efficiency and ensure
compliance with your policies and procedures. Here are five steps to ensure compliance, and
what software features to look for to choose the best possible solution.
a. Meet with divisional leaders to ensure the policies and procedures are feasible
The first step to ensuring compliance begins with involving the leaders of each section of
the organization. Policies are often created by someone within an organization who does not
have a comprehensive understanding of the daily tasks within each department. Involving others,
even if just for a 30-minute interview about a policy, ensures that the new policies:
employees through vessels they are comfortable with. A benefit to meeting with your divisional
leaders is that you can leverage more information from them, including how the policies will be
best received. Examples of different vessel requirements include situations where employees
do not access computers during the workday but may have a company smart phone, making
them a better candidate for a video presentation of their policies and procedures.
Do your employees know where to look for their policies and procedures, or are they
overwhelmed by a minefield of folders on a shared drive with a naming convention that can only
be interpreted by codebreakers?
Not only should you spend time ensuring that the organization’s policies and procedures
make logical sense, you should also make sure that an employee from any department, and any
level of management, is able to find the policies that apply to them within 3 clicks. This
will help ensure they do not get frustrated and abandon their attempt at being compliant.
Setting deadlines for acknowledgment does not just mean establishing an Outlook Calendar
reminder on their effective date. Once the policies and procedures have been created and are
accessible, set up weekly meetings with all managers to ensure they have a successful plan in
place to ensure their employees’ understanding of compliance.
If you send out surveys to each employee, send scheduled email reminders to
guarantee they have received the policies and procedures and know the deadlines. Include a
contact number and email address within the reminders in case they have questions. To manage
this process without slowing down the email servers, consider using a software solution for
policies and procedures. Solutions such as Converge Point are built into SharePoint, stay behind
the firewall, and access the Active Directory, so you don’t have to worry about working an entirely new
program into the company.
Each policy and procedure is individual and should be treated as such. A standardized
“read and accepted” response is adequate for some standard policies, but ensuring compliance with
procedures should go a step further to guarantee understanding.
Depending on the task or field, taking quizzes, scheduling practice runs, or the combination
of both can dramatically increase your employee compliance with policies and procedures.
The best way to ensure these policies are enforceable is to integrate them into expense
management software. Here are three ways that these systems can support accounts payable
management and encourage cooperation from the entire organization.
In the end, effective internal controls can mean the difference between a successful
business and one that struggles to compete, CFO.com suggests. Using an automated expense
policy and integrating rules into easy-to-use software can help ensure compliance throughout
an organization, from employees to executives.
14.5 Summary
To design an internal compliance system, the Company sets up a section in charge of tracking
information on the amendment of laws related to its business, which informs the company of the legal
amendment immediately and reflects it in the self-assessment checklist. The
compliance function plays a critical role within an enterprise risk management framework. The
compliance function is based on one of the seven components. Establishing effective policies and
procedures does not begin and end with regulations. It takes the right amount of collaboration,
the right types of distributive mediums, and the right methods to measure understanding. Policies
are often created by someone within an organization who does not have a comprehensive
understanding of the daily tasks within each department. A benefit of meeting with your divisional
leaders is that you can leverage more information from them, including how the policies will be
best received. Each policy and procedure is individual and should be treated as such rather than
standardized. An expense policy not only sets the stage for potential savings and risk avoidance,
but also improves employee morale, because rules now become consistent and evenly applied.
14.6 Keywords
ICC - Internal Control Committee
LESSON – 15
Information System Audit
Learning Objectives
At the end of this lesson student will get knowledge about the following:
Structure of Lesson
15.1 Introduction
15.7 Summary
15.8 Keywords
15.1 Introduction
An information system (IS) audit or information technology (IT) audit is an examination of
the controls within an entity’s information technology infrastructure. These reviews may be
performed in conjunction with a financial statement audit, internal audit, or other form of attestation
engagement. It is the process of collecting and evaluating evidence of an organization’s
information systems, practices, and operations. Evaluating the evidence obtained can establish
whether the organization’s information systems safeguard assets, maintain data integrity, and
are operating effectively and efficiently to achieve the organization’s goals or objectives.
1. Will the organization’s computerized systems always be available for the business
when required? (Availability)
3. Will the information provided by the system always be accurate, reliable, and timely?
(Integrity)
Legal Requirements.
Entity Aspects.
Reliable Information.
Proper Communication.
Evaluation.
Test.
Comparison.
Judgments.
Legal Requirements
The auditor can determine the scope of an audit of financial statements following
the requirements of legislation, regulations or relevant professional bodies.
The state can frame rules for determining the scope of audit work. In the same way,
professional bodies can make rules to conduct the audit.
Entity Aspects
The audit should be organized to cover all aspects of the entity as far as they are
relevant to the financial statements being audited.
A business entity has many areas of working. A small entity may have few functions
while a large concern has many functions. The auditor has to go through all the
functions of the business.
The audit report should cover all functions so that the reader may know about all
the workings of a concern.
Reliable Information
The auditor should obtain reasonable assurance as to whether the information
contained in the underlying accounting records and other source data is reliable
and sufficient as the basis for the preparation of the financial statements.
The auditor can use various techniques to test the validity of data. All auditors, while
doing the audit work, usually apply the compliance test and the substantive test. The
auditor can show such information in the report.
Proper Communication
The auditor should decide whether the relevant information is properly communicated
in the financial statements.
The principles of accounting can be applied to decide about the disclosure of financial
information in the statements.
Evaluation
The auditor assesses the reliability and sufficiency of the information contained in the
underlying accounting records and other source data by making a study and evaluation of
accounting systems and internal controls to determine the nature, extent, and timing of other
auditing procedures.
Test
The auditor assesses the reliability and sufficiency of the information contained in the
underlying accounting records and other source data by carrying out other tests, inquiries and
other verification procedures of accounting transactions and account balances as they consider
appropriate in the particular circumstances. There are compliance tests and substantive tests
to examine the data. The vouching, verification and valuation technique is also used.
Comparison
Judgments
Time budgets
Co-ordination of staff
orientation and saves time on training newly appointed staff on the audit activity - auditors
can begin audit engagements immediately.
Assist in clarifying audit issues, audit staff job routines, and measurements.
As part of the internal quality audit preparation, the auditor will review the ISO 9001
requirements and the process documentation defined by the company for the process to be audited.
While it may be beneficial to use an audit checklist template when preparing for an audit, it is
important to ensure that the checklist is adapted to the process of the organization, and that it
is not a generic process. So, the steps of creating an audit checklist would be reviewing the ISO
9001 standard, and then creating questions to ask when reviewing records and personnel of
the process. The goal is to find evidence that the process is meeting its own requirements.
As an example, the ISO 9001 clause for management review inputs requires that
management review include:
Customer feedback,
If the company process requires that management reviews produce minutes of the meeting
as a record, then the internal audit checklist could request that the auditor review the minutes of
meetings and confirm that each piece of input information was presented to the management
review meeting for assessment.
As this would only be one question on a checklist for reviewing the management review
process, the audit checklist would contain the many questions required to assess the process.
To audit, auditors will use the checklists created and look for evidence that the process being
audited meets the requirements of the defined process. Where process documentation is not
present, it is often relevant to use the requirements of the ISO 9001 standard, focusing on
reviewing the process suppliers, process inputs, process steps, process outputs and process
customers to ensure that they are consistently understood by the employees using the process.
The idea is to review the effectiveness of the process, and to ensure that non-
conformances cannot arise simply because the process does not have a written document
describing it.
A qualified opinion, if there were any scope limitations that were imposed upon the
auditor’s work.
The typical audit report contains three paragraphs, which cover the following topics:
An audit report is issued to the user of an entity’s financial statements. The user may rely
upon the report as evidence that a knowledgeable third party has investigated and rendered an
opinion on the financial statements. An audit report that contains a clean opinion is required by
many lenders before they will loan funds to a business. It is also necessary for a publicly held
entity to attach the relevant audit report to its financial statements before filing them with the
Securities and Exchange Commission.
15.7 Summary
Information System Audit is the process of collecting and evaluating evidence of an
organization’s information systems, practices, and operations. The purpose of an IS audit is to
review and evaluate an organization’s information system’s availability, confidentiality, and
integrity. The scope of an audit is the determination of the range of the activities and the period
of records that are to be subjected to an audit examination. The principles of accounting can be applied to decide about the disclosure
of financial information in the statements. Audit planning is required for an auditor to conduct an
effective and efficient audit. An audit manual usually contains an overview of the industry risk
factors facing an organization as well as the protocol of the audit process. An audit checklist is a
key element in planning for and carrying out a process audit. An audit report is a written opinion
of an auditor regarding an entity’s financial statements. The report is written in a standard
format, as mandated by generally accepted auditing standards.
15.8 Keywords
IS - Information System
IT - Information Technology
LESSON – 16
Best Practices for IT Compliance and
Regulatory requirements
Learning Objectives
At the end of this lesson student will get knowledge about the following:
Structure of Lesson
16.1 Introduction
16.6 Summary
16.7 Keywords
16.1 Introduction
Teams developing software in regulated environments face the significant challenge of
defining comprehensive, high-quality software requirements for regulatory compliance. Faulty
compliance requirements not only put a project at risk, but they can put the organization itself at
legal and financial risk. A recent survey of 400 U.S. CEOs revealed that the regulatory
environment tops the list of issues that can have the most impact on a company.
Understanding the concepts of GRC and the relationships between those concepts gives
product owners and business analysts a framework to help identify the right stakeholders and
understand relevant business processes. Read up on these capabilities and identify the groups
within your organization responsible for them. Research regulations that impact an industry
and the region. Talk to the experts and ask questions. Understanding the business of managing
compliance in your organization provides clarity for better analysis.
Obviously, one of the best ways to understand regulatory requirements is to read and
understand the most recent relevant regulations and guidelines. Stay up to date on regulatory
change by subscribing to relevant government and industry websites. And don’t overlook
requirements from prior projects as a source of information. Review and consolidate them to
begin developing a reference library.
The software development industry has seen a significant increase in the use of visual models, because they help project teams and stakeholders have deeper conversations that lead to better requirements. Business process models improve understanding and help teams comprehend the impact of regulatory change. Develop business process models for the key processes in your environment, as well as for the processes related to governance, risk management and compliance, to improve the quality of your compliance requirements and your ability to analyse them.
Because compliance requirements frequently affect multiple projects and systems, they
are prime candidates for reuse. This includes requirements related to concepts like access
security, data confidentiality, data availability, authentication, logging and auditability, to name a
few. Centralizing compliance requirements and the visual models associated with them will
provide support for multiple teams as they define user stories and functional requirements.
Other artifacts, like risk definitions and stakeholder lists, can be centralized as well.
both external regulatory requirements and those needed to support internal governance needs.
By developing a shared repository of these critical non-functional requirements, an organization
can define them in one place and teams can reference them as needed, eliminating unnecessary
work and improving requirements quality.
The regulatory environment is complex and changing, so product owners and business analysts need to spend time analyzing the impact of regulatory change. Particularly in Agile environments, where up-front analysis is shunned, teams need to understand that some pre-work is needed to understand compliance and governance processes before they start executing on sprints. Don’t get stuck in “analysis paralysis,” but do allow enough time to analyse the environment, regulatory information, business processes and other visual models to gain a strong understanding of compliance requirements.
• Additional duty on the independent director to periodically review the legal compliance reports prepared by the Company and the steps taken by the Company to improve.
• Obligation on the Board of Directors to lay down a Code of Conduct for all Board members and senior management of the Company.
• Additional duty on the Audit Committee to review certain information.
• Additional disclosures.
• Certification by the CEO/CFO.
• Any international companies that have registered equity or debt securities with the U.S. Securities and Exchange Commission (SEC)
• Any accounting firm or other third party that provides financial services to either of the above
• Managing security risks more effectively and responding quicker in the event of a breach.
The first thing an IT manager must do to prepare their organization for SOX compliance is to understand which sections of the act have clear implications for data management, reporting and security. These are:
Section 302: SOX Section 302 relates to a company’s financial reporting. The act requires a company’s CEO and CFO to personally certify that all records are complete and accurate. Specifically, they must confirm that they accept personal responsibility for all internal controls and have reviewed these controls in the past 90 days. These internal controls include a company’s information security infrastructure to the extent that its accounting and reporting is performed electronically; in other words, for almost all modern businesses there is a clear mandate to ensure high security standards are enforced.
Section 404: Section 404 stipulates further requirements for the monitoring and
maintenance of internal controls related to the company’s accounting and financials. It requires
businesses to have an annual audit of these controls performed by an outside firm. This audit
assesses the effectiveness of all internal controls and reports its findings back directly to the
SEC.
PCAOB: The Public Company Accounting Oversight Board was created to develop
auditing standards and train auditors on the best practices for assessing a company’s
internal controls. It is here that the specific SOX requirements for information security
are spelled out. PCAOB publishes periodic recommendations and changes to the
auditing process. For obvious reasons, being aware of the most recent iteration of
these guidelines is essential to passing an audit.
A SOX compliance audit of a company’s internal controls takes place once a year. An
independent auditor must conduct SOX audits. It is the company’s responsibility to find and hire
an auditor, and to arrange all necessary meetings prior to when the audit takes place. To avoid
a conflict of interest, SOX audits must be separate from other internal audits undertaken by the
company. Many companies will time the audit so that results are available for inclusion in their
annual report, thus satisfying the requirement of making findings easily accessible to
stockholders.
The first step in a SOX audit usually involves a meeting between management and the
auditing firm. In this meeting, both parties will discuss the specifics of the audit, including when
it will take place, what it will look at, what its purposes are and what results management
expects to see.
A key portion of a SOX audit will involve a review of the company’s financials. Auditors will inspect previous financial statements to confirm their accuracy. While it is ultimately at the auditor’s discretion whether a company’s financials pass, any variance in the numbers of more than 5% either way is likely to raise red flags. An audit will also look at personnel and may interview staff to confirm that their regular duties match their job description, and that they have the training necessary to access financial information safely.
A review of internal controls comprises one of the largest components of a SOX compliance
audit. As noted above, internal controls include any computers, network hardware and other
electronic infrastructure that financial data passes through. From the IT side of things, a typical
audit will look at four things:
Access: Access refers to both the physical and electronic controls that prevent unauthorized
users from viewing sensitive information. This includes keeping servers and data centers in
secure locations, but also making sure effective password controls, lockout screens and other
measures are in place. Implementing the principle of least privilege (POLP) is generally
considered one of the best methods of organization-wide access control.
Security: IT security is, of course, a broad topic. In this case, it means making sure
appropriate controls are in place to prevent breaches and having tools to remediate incidents
as they occur. Taking steps to manage risk is a good policy regardless of SOX compliance
status. Investing smartly in services or appliances that will monitor and protect the financial
database is the best way to avoid compliance and security issues altogether.
Backup procedures: Finally, backup systems should be in place to protect the sensitive data. Data centers containing backed-up data, including those stored off site or by a third party, are subject to the same SOX compliance requirements as those hosted on-premises.
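The access-control review described above can be partly mechanized. The following is an added example, not part of the lesson and not derived from any SOX, SEC or PCAOB text: a Python script that reviews a constructed user extract from a financial application against an assumed role model (flagging entitlements beyond the role, segregation-of-duties conflicts and dormant accounts) and compares a constructed password/lockout policy export against illustrative baseline thresholds. The account names, roles, entitlement strings, the 90-day dormancy window and the policy thresholds are all constructed assumptions; SOX prescribes no such numeric values.

```python
"""Least-privilege access review and lockout-policy check over constructed data.

Added illustration: the role model, account list and policy thresholds below are
constructed assumptions, not SOX requirements or data from any real company.
"""
from dataclasses import dataclass

# Assumed role model: each job role grants a fixed set of entitlements.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"ledger:read", "invoice:create"},
    "ap_manager": {"ledger:read", "invoice:approve"},
    "dba":        {"ledger:read", "db:admin"},
}

# Entitlement pairs one person should never hold together (segregation of duties).
SOD_CONFLICTS = [frozenset({"invoice:create", "invoice:approve"})]


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    entitlements: frozenset
    days_since_login: int


# Constructed sample extract of a financial application's user list.
ACCOUNTS = [
    Account("alice", "ap_clerk", frozenset({"ledger:read", "invoice:create"}), 3),
    Account("bob", "ap_clerk", frozenset({"ledger:read", "invoice:create", "invoice:approve"}), 10),
    Account("carol", "dba", frozenset({"ledger:read", "db:admin"}), 120),
    Account("dave", "ap_manager", frozenset({"ledger:read", "invoice:approve", "db:admin"}), 2),
]

# Constructed policy export, as a reviewer might receive it from a directory service.
SAMPLE_POLICY = {"min_length": 8, "lockout_threshold": 0, "screen_lock_timeout_min": 30}


def review_access(accounts, role_entitlements=ROLE_ENTITLEMENTS,
                  sod_conflicts=SOD_CONFLICTS, dormant_days=90):
    """Return (user, finding, detail) tuples for every deviation from the role model.

    excess-privilege: entitlements beyond what the account's role grants
    sod-conflict:     a conflicting entitlement pair held by one person
    dormant:          no login within dormant_days (assumed review trigger)
    """
    findings = []
    for acct in accounts:
        allowed = role_entitlements.get(acct.role)
        if allowed is None:
            findings.append((acct.user, "unknown-role", acct.role))
            continue
        excess = acct.entitlements - allowed
        if excess:
            findings.append((acct.user, "excess-privilege", ",".join(sorted(excess))))
        for pair in sod_conflicts:
            if pair <= acct.entitlements:
                findings.append((acct.user, "sod-conflict", ",".join(sorted(pair))))
        if acct.days_since_login > dormant_days:
            findings.append((acct.user, "dormant", f"{acct.days_since_login} days"))
    return findings


def check_lockout_policy(policy, min_length=12, max_attempts=5, max_idle_min=15):
    """Compare a password/lockout policy export against assumed baseline thresholds.

    Returns (setting, problem) tuples; an empty list means the export meets the baseline.
    """
    findings = []
    if policy.get("min_length", 0) < min_length:
        findings.append(("min_length", f"below {min_length} characters"))
    attempts = policy.get("lockout_threshold", 0)
    if attempts == 0 or attempts > max_attempts:  # 0 means lockout is disabled
        findings.append(("lockout_threshold", f"disabled or above {max_attempts} attempts"))
    if policy.get("screen_lock_timeout_min", float("inf")) > max_idle_min:
        findings.append(("screen_lock_timeout_min", f"above {max_idle_min} minutes"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(ACCOUNTS):
        print(f"{user:8} {finding:17} {detail}")
    for setting, problem in check_lockout_policy(SAMPLE_POLICY):
        print(f"policy   {setting:24} {problem}")
```

Run against the constructed extract, the review reports bob holding an approval entitlement his clerk role does not grant (which also creates a create/approve segregation-of-duties conflict), carol as dormant, and dave with a database-administrator entitlement outside his role; the policy check flags the short minimum length, the disabled lockout and the long screen-lock timeout. Each finding is the kind of item an auditor would expect management to have already found and remediated through periodic access reviews.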
defined together with process inputs and outputs, key process-activities, process objectives,
performance measures and an elementary maturity model.
Business and IT goals are linked and measured to create responsibilities of business and
IT teams. Five processes are identified: Evaluate, Direct and Monitor (EDM); Align, Plan and
Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and
Monitor, Evaluate and Assess (MEA).
The COBIT framework ties in with COSO, ITIL, BiSL, ISO27000, CMMI, TOGAF and
PMBOK. The framework helps companies follow law, be more agile and earn more. Below are
COBIT components:
Maturity models: Assesses maturity and capability per process and helps to address
gaps.
This principle is something that should apply to just about every business decision that is made daily, but certainly to those decisions that are made with regard to IT. The whole purpose of IT is to enable others within the organization to do their jobs to the best of their abilities. If a given IT project isn’t meeting the needs of the stakeholders, there is very little point in continuing with the project. Only when stakeholder needs are properly met is a project going to be considered a successful venture in the end. It should be no surprise that this principle is included in the COBIT framework, because it is such an important aspect of the IT world.
If you have any real-world business experience, you probably already know that the IT department doesn’t always agree with what the other departments in the organization have to say. Finding harmony between IT and everyone else can be challenging, but it must be accomplished if the business is going to reach its full potential. What is done in IT should be done to the benefit of everyone throughout the entire organization, not just a select group of people. Often, this is one of the greatest challenges that decision makers within a business will have to deal with. In order to get the best possible return on the investment that you have made in the IT area, it is crucial that the work it does is framed with the best interests of the whole organization in mind.
The advantages of having a single framework in use throughout the organization should
be obvious. If nothing else, using a single framework should add simplicity and consistency to
everything that the business does. Also, costs are generally better controlled when there is a
single framework in play rather than a variety of frameworks serving various needs in different
parts of the business.
Flexibility within the project management team is another benefit of this approach. When
different parts of the business are governed by several different frameworks, the IT department
might not be as flexible in responding to needs and problems. However, when working within
only one framework, it should be much easier for any member of the IT team to work on any
problem that may come up – no matter where it is throughout the organization. This kind of
flexibility is appealing and can help insulate the department against the loss of key team members.
Building a strong IT infrastructure over the long run should be the goal and using a single IT
framework from the start can help make that a reality.
Many organizations fall into the habit of dividing up their IT department into different segments which rarely interact. This can be a mistake when it comes to being able to develop new technologies that have an impact on the business. Ideally, the whole IT department will be ‘on the same page’ in terms of its priorities and techniques. Just as the marketing department needs to have a consistent plan of action for selling the company’s products or services, so should the IT department be working together as closely as possible. Allowing the IT department to become fragmented early in the development of the organization can create tricky problems that will be harder to solve later.
Too often, especially in small organizations, governance and management become one and the same. That can be a problem when it comes to IT. The COBIT framework calls for the two to be separated, so that the governance of what the IT department will be responsible for is distinct from the day-to-day management of that department.
Depending on the structure of your organization, the responsibility for governance of the IT department could come from a Board of Directors, or even straight from the owner of the company. Meanwhile, the management of the IT department will generally be left to the department head. In other words, the person responsible for managing the day-to-day activity of the IT department shouldn’t be the same person who is governing it. Those are two different responsibilities and should be separated as such.
It is no secret that a strong and productive IT department is one of the greatest advantages that an organization can have in this day and age. Technology has never been more important than it is today, and the IT department working for the business may mean the difference between success and failure in the long run. Ideally, the IT department won’t feel like a separate arm of the organization, and instead will be just another integrated group of employees, much like the teams in marketing, accounting, etc.
16.6 Summary
For software development teams at companies in regulated industries to succeed, they
must develop an understanding of their complex regulatory environments, the skills needed to
interpret rapidly changing regulations and the ability to develop clear, complete compliance
16.7 Keywords
SOX - Sarbanes-Oxley
SECTION - A
(10 x 2 = 20 Marks)
SECTION - B
SECTION - C