
SPCI207

POSTGRADUATE COURSE
M. Sc. CYBER FORENSICS AND
INFORMATION SECURITY
SECOND YEAR
FOURTH SEMESTER
CORE PAPER - XIV

GOVERNANCE, RISK & COMPLIANCE

INSTITUTE OF DISTANCE EDUCATION


UNIVERSITY OF MADRAS
M.Sc. CYBER FORENSICS AND INFORMATION SECURITY
SECOND YEAR - FOURTH SEMESTER
CORE PAPER - XIV: GOVERNANCE, RISK & COMPLIANCE

WELCOME
Warm Greetings.

It is with great pleasure that I welcome you as a student of the Institute of Distance Education, University of Madras. It is a proud moment for the Institute of Distance Education as you are entering into a cafeteria system of learning process as envisaged by the University Grants Commission. Yes, we have framed and introduced the Choice Based Credit System (CBCS) in Semester pattern from the academic year 2018-19. You are free to choose courses, as per the Regulations, to attain the target of total number of credits set for each course and also each degree programme. What is a credit? To earn one credit in a semester you have to spend 30 hours of learning process. Each course has a weightage in terms of credits. Credits are assigned by taking into account its level of subject content. For instance, if one particular course or paper has 4 credits then you have to spend 120 hours of self-learning in a semester. You are advised to plan the strategy to devote hours of self-study in the learning process. You will be assessed periodically by means of tests, assignments and quizzes either in the classroom or laboratory or field work. In the case of PG (UG), Continuous Internal Assessment accounts for 20 (25) per cent and the End Semester University Examination for 80 (75) per cent of the maximum score for a course / paper. The theory paper in the end semester examination will bring out your various skills: namely basic knowledge about the subject, memory recall, application, analysis, comprehension and descriptive writing. We will always have this in mind while training you in conducting experiments, analyzing the performance during laboratory work, and observing the outcomes to bring out the truth from the experiment, and we measure these skills in the end semester examination. You will be guided by well experienced faculty.

I invite you to join the CBCS in Semester System to gain rich knowledge leisurely at your will and wish. Choose the right courses at the right times so as to erect your flag of success. We always encourage and enlighten you to excel and empower. We are the cross bearers to make you a torch bearer to have a bright future.

With best wishes from mind and heart,

DIRECTOR


COURSE WRITER

Ms. Abirami. N
Guest Faculty
Center for Cyber Forensic & Information Security
University of Madras, Chennai - 600 005

COORDINATION AND EDITING

Dr. M. Srinivasan
Professor & Head
Department of Criminology
University of Madras
Chennai - 600 005.

© UNIVERSITY OF MADRAS, CHENNAI 600 005.

M.Sc. CYBER FORENSICS AND INFORMATION SECURITY

SECOND YEAR

FOURTH SEMESTER

CORE PAPER - XIV

GOVERNANCE, RISK & COMPLIANCE


SYLLABUS

Unit 1: Introduction to GRC

Governance, Risk & Compliance definition - Scope and Objectives - IT Governance Metrics & Framework - BASEL - OECD

Unit 2: Best Practices for IT Governance

ITIL - ISO/IEC 27001 - Control Objectives for Information and Related Technology (COBIT) - The Information Security Management Maturity Model - Capability Maturity Model - Any other latest standards and compliance technologies.

Unit 3: Information Security Governance

Effective Information Security Governance - Importance of Information Security Governance - Outcomes of Information Security Governance - Strategic alignment - Value Management - Risk Management - Performance Measurement - Information System Strategy - Strategic Planning - Steering Committee - Policies and Procedures

Unit 4: Information Security Management Practices

Personnel Management - Financial Management - Quality Management - Information Security Management - Performance Optimization - Roles and Responsibilities - Auditing IT Governance Structure - Evaluation Criteria & Benchmark - Assessment Tools - Case Study Analysis - Risk Management Process - Developing a Risk Management Program - Risk analysis methods: Qualitative, Semi-quantitative, Quantitative - Risk Management framework - COSO: The Internal environment - Objective Setting - Event Identification - Risk assessment - Risk Response - Control activities - Information & communication - Monitoring - NIST: Risk Assessment - Risk Mitigation - Evaluation & Assessment - Case Study Analysis

Unit 5: Compliance

Introduction to Information Technology and Security - Evolution of Information systems - Roles and responsibilities - Audit, Assessment and review - The Role of the Compliance Officer - The duties and responsibilities of the compliance officer and the function of compliance - Compliance officer activities - The requirements of a Compliance Officer - Drafting compliance reports - Designing an Internal Compliance System - Regulatory principles - Issues - Developing high-level compliance policies - Defining responsibility for compliance - The compliance function - Specific internal compliance control issues - Information System Audit - Scope of System Audit - Audit Planning - Audit Manual - Audit check lists - Audit Reports - Best Practices for IT compliance and Regulatory Requirements - IT Compliance requirements under clause 49 of the SEBI Listing Agreement - IT Compliance requirements under the Sarbanes-Oxley Act of the USA - Control Objectives for Information and Related Technology (COBIT) of ISACA.



SCHEME OF LESSONS

Sl.No. Title Page

1 Introduction to GRC 1

2 Basel and OECD 11

3 Best Practices for IT Governance 19

4 COBIT and ISM Maturity Model 30

5 Information Security Governance 40

6 Information System Strategy 48

7 Steering Committee, Policies and Procedures 55

8 Various forms of Management 64

9 Information Security Management 72

10 Risk Management Process 84

11 Risk Analysis Methods 93

12 Risk Management Framework 103

13 Introduction to Information Technology and security 121

14 Designing an Internal Compliance System 132

15 Information System Audit 139

16 Best practices for IT compliance and regulatory requirements 148


LESSON - 1
Introduction to GRC
Learning Objectives

At the end of this lesson the student will have learnt the following:

 The process and purpose of GRC

 The scope of GRC

 The various IT governance metrics

 The IT governance frameworks

 The process of information security governance

Structure of Lesson
1.1 Introduction

1.2 Importance of Governance

1.2.1 Governance Attributes

1.2.2 Governance Outcomes

1.2.3 Corporate Governance

1.3 IT Governance, Risk & Compliance

1.3.1 Importance of IT Governance

1.3.2 Various names of IT Governance

1.3.3 IT Governance Framework

1.4 Major Principles

1.5 Information Security Governance

1.6 Summary

1.7 Keywords

1.8 Review Questions

1.9 Suggested Reading



1.1 Introduction
Governance, Risk and Compliance (GRC) helps to align IT activities with business goals. It refers to an organization's coordinated strategy for managing corporate issues with regard to regulatory requirements, and it gives legal, risk and IT professionals a common set of solutions for meeting regulatory obligations while achieving better business outcomes.

Governance (G) - Organizational activities and operations are directed and aligned to support organizational business goals.

Risk (R) - Risks to organizational activities are identified and addressed in a way that supports organizational business goals.

Compliance (C) - Organizational activities are operated so as to meet the laws and regulations impacting those systems.

GRC - Business practices that create a synchronized approach, avoiding repetition of tasks and ensuring that approaches are effective and efficient.

Why do we need it?
 To control increasing complexity.

 To direct plans so that they support the organization.

 To help achieve those plans.

How does GRC work?

 GRC helps publicly held companies, and other regulated organizations, to integrate and manage the IT operations that are subject to regulation, so that governance, risk management and compliance activities are not run as separate silos.

1.2 The Importance of Governance


• Enables alignment to organizational goals & vision

• Creates a structure to standardize future development

• Provides a framework that can scale to support enterprise-wide growth

• Holds platform owners and administrators accountable for meeting enterprise standards and supports their ability to do so.

1.2.1 Governance Attributes

1.2.2 Governance Outcomes


• Proactively forecasts demand for products and services as well as enhancements and defect repairs

• Clarifies decision-making accountability and alignment across stakeholders

• Provides transparency of costs, processes, projects and services

• Ensures technology is fit-for-purpose and fit-for-use

• Increases the ability to benchmark and look for performance improvements across the business

1.2.3 Corporate Governance

Corporate governance is “a toolkit that enables management and the board to deal more
effectively with the challenges of running a company. Corporate governance ensures that
businesses have appropriate decision-making processes and controls in place so that the
interests of all stakeholders are balanced.”- ICSA, the Governance Institute.

1.3 IT Governance, Risk & Compliance


Governance, risk and compliance (GRC) refers to a strategy for managing an organization’s
overall governance, enterprise risk management and compliance with regulations. Think of
GRC as a structured approach to aligning IT with business objectives, while effectively managing
risk and meeting compliance requirements.

A well-planned GRC strategy comes with many benefits: improved decision-making, more optimal IT investments, elimination of silos, and reduced fragmentation among divisions and departments, to name a few.

IT Governance

IT governance is an element of corporate governance, aimed at improving the overall management of IT and driving improved value from the organization's investment in information and technology.

An IT governance framework enables an organization to effectively manage its IT risks and ensures that the activities associated with information and technology are aligned with the overall business objectives. ISO/IEC 38500 is the international standard for the governance of IT for the organization.

1.3.1 Importance of IT Governance

IT governance enables an organization to:

 Demonstrate measurable results against broader business strategies and goals.

 Meet relevant legal and regulatory obligations, such as those set out in the GDPR or the Companies Act.

 Assure stakeholders that they can have confidence in the organization's IT services.

 Facilitate an increase in the return on IT investment.

 Comply with certain corporate governance or public listing rules or requirements.

Its benefits include:

 Compliance with regulations.

 Competitive advantage.

 Support of enterprise goals.

 Growth and innovation.

 Increase in tangible assets.

 Reduction of risk.

1.3.2 Various names of IT Governance


 Information and communications technology governance (ICT Governance)

 Corporate governance of information technology

 Corporate governance of information and communications technology

1.3.3 IT Governance Framework

There are three widely recognized, vendor-neutral, third-party frameworks that are often described as 'IT governance frameworks'. While none of them is complete on its own for that task, each has significant IT governance strengths:

ITIL: ITIL, the IT Infrastructure Library®, is a library of best-practice processes for IT service management developed by the UK government (originally by the CCTA, later maintained under the Office of Government Commerce and the Cabinet Office). Widely adopted around the world, ITIL is supported by the service management standard ISO/IEC 20000 (the 2011 edition at the time of writing, since superseded by ISO/IEC 20000-1:2018), against which independent certification can be achieved.

COBIT: Control Objectives for Information and Related Technology (COBIT) is an IT governance control framework, published by ISACA, that helps organizations meet today's business challenges in the areas of regulatory compliance, risk management and aligning IT strategy with organizational goals. COBIT is an internationally recognized framework. In particular, COBIT's Management Guidelines component provides a framework for the control and measurability of IT, with tools to assess and measure the enterprise's IT capability across the 37 processes identified in COBIT 5 (COBIT 2019 restructures these into 40 governance and management objectives).

ISO/IEC 27001 and 27002: ISO/IEC 27001 is the certifiable requirements standard for an information security management system (ISMS); ISO/IEC 27002 is its companion code of practice, giving implementation guidance for the security controls. Together they are the global best-practice standard for information security management in organizations. The challenge, for many organizations, is to establish a coordinated, integrated framework that draws on all three of these standards.

Governance Framework

At a minimum, a sound framework should provide a blueprint for how information security is governed, define the role of policy and procedure, identify applicable legal or regulatory requirements, and support data classification standards and data breach response criteria. How such frameworks are interpreted and implemented within companies remains widely varied. For instance, are the controls around sensitive system IDs and passwords part of information security or part of a larger control framework? Is oversight of third parties part of information security or of a larger vendor management framework? The lack of clear boundaries creates the challenge. The answer is both: information security must be highly integrated into many other operations and control frameworks within institutions. This section briefly describes some of the key principles to consider when building a framework, and evaluates a number of standard industry resources against these principles.

1.4 Major Principles


When evaluating any reference materials for information security governance, the following principles should always be kept in mind.

 Information security must be managed as a business issue, not an IT issue. Many programs have their roots in IT because IT manages the systems that hold the most data. However, a large share of compromises trace back to careless people and poor procedure rather than to weak systems alone, so the program has to reach the whole business.

 It is a team effort. The governance program must have broad management support, with involvement from senior management, legal, human resources, compliance, audit, risk management and IT.

 The more that people are aware of the risks, the rules and their roles, the stronger they make the governance program. Information security cannot be managed by a team of experts alone; it must be everyone's responsibility.

With these principles in mind, an organization can begin to evaluate the various reference sources that are available to firms to support their own information security governance program.

FFIEC guidelines

The interagency guidelines on information security issued by the US Federal Financial Institutions Examination Council (FFIEC) are one of the best resources, and certainly the gold standard for banks. Both the material found in the FFIEC IT Examination Handbook under Information Security and the interagency guidelines are the best available in terms of an overall "program" design and should be the main reference document for every financial institution.

ISO/IEC 27002 (formerly ISO/IEC 17799):

The international standard, first published as ISO/IEC 17799 in 2000, revised in 2005 and renumbered ISO/IEC 27002 in 2007 (with further revisions in 2013 and 2022), has been an influential tactical document since its creation. Its roots can be seen in the Information Security section of the FFIEC IT Examination Handbook. The drawbacks of the ISO standard are that it is technology-centric, that it does not itself provide a governance framework, and that it covers the broader themes of availability and integrity as well as the confidentiality of data. However, it contains some of the best data-control categories available and should be a standard-issue reference document for any information security officer.

PCI DSS:

Created specifically for the payment card industry, the PCI Data Security Standard, like
the ISO standard, does not provide a governance framework and is heavily IT focused, but it
does provide broader language regarding procedural aspects (who has access to data and
why). It also includes a detailed checklist that can be useful in designing an internal self-
assessment process.

COBIT: While COBIT is a framework document by design, and a very good one, it is not
as strong when it comes to information security. It can be an excellent resource for broad IT
governance frameworks, but many of the deeper elements of information security management
will be found in the above-mentioned documents.

1.5 Information Security Governance


Regardless of which materials firms choose as a primary reference, the following concepts
are central and critical to building a successful information security governance framework.

Policy: The program should be grounded in a clear, board-level information security


policy that positions it as a business issue, mandates the need for a comprehensive program,
delegates authority to the role of an information security officer and establishes clear reporting
requirements back to the board of directors.

Program: A comprehensive program document that defines clear roles and responsibilities;
discrete program elements; how the overall program is governed; a risk assessment
methodology; reporting requirements and testing methodology.

Risk Assessment: A risk assessment methodology that evaluates inherent risk, the controls in place and the residual risk for systems, data, physical records and third parties. It is important to note that each of these four areas will have specific and unique business owners, all of whom must participate in the risk assessment and risk mitigation process.

Policies and Training: The framework should include clear operating policies that outline specific do's and don'ts for managing data, as well as a regular, comprehensive training curriculum that is mandatory for all staff.

Response: A clear and well-tested set of procedures to respond in the event of a data
breach that, like the program itself, includes both operational and senior management.

The key to information security governance is to remember that the goal is not absolute
data restriction. We live with data in motion every day and we cannot do our jobs without the
use of confidential data. The goal with information security governance is to build superior
resiliency in how data is managed on a day-to-day basis and ability to respond should something
go wrong.

Key Merits
• Use metrics that serve as a "translator" within organizations, enabling effective two-way understanding between Finance and IT.

• Adopt specific governance processes and organizational structures that facilitate the process.

• Apply portfolio management techniques to articulate business value, and measure and communicate "IT cost to deliverables and value" for new initiatives, incremental enhancements, and the often overlooked but necessary maintenance efforts.

1.6 Summary
GRC gives an organization a coordinated strategy for aligning IT activities with business goals while meeting regulatory requirements. Governance holds platform owners and administrators accountable for meeting enterprise standards and supports their ability to do so; one of its major outcomes is the ability to proactively forecast demand for products and services as well as enhancements and defect repairs. Corporate governance is "a toolkit that enables management and the board to deal more effectively with the challenges of running a company". Governance, risk and compliance (GRC) refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations. IT governance is an element of corporate governance, aimed at improving the overall management of IT and driving improved value from the investment in information and technology. Three widely recognized, vendor-neutral, third-party frameworks are often described as 'IT governance frameworks': ITIL, COBIT and ISO/IEC 27001/27002. COBIT in particular is an IT governance control framework that helps organizations meet business challenges in the areas of regulatory compliance, risk management and aligning IT strategy with organizational goals. The concept of an information security framework is somewhat amorphous, in part because even the phrase "information security" itself can be subject to interpretation. Regardless of which materials firms choose as a primary reference, policy, program, risk assessment, policies and training, and response are the concepts central to building a successful information security governance framework.

1.7 Keywords
GRC - Governance, Risk and Compliance

ITIL - IT Infrastructure Library

COBIT - Control Objectives for Information and Related Technology

ICSA - Institute of Chartered Secretaries and Administrators

ISO - International Organization for Standardization

FFIEC - Federal Financial Institutions Examination Council

1.8 Review Questions


1. What is GRC? Why do we need it?

2. Show the importance of IT Governance.

3. Write a brief note on Governance framework.



4. Discuss the major principles to evaluate any reference materials for Information
Security Governance.

5. Give a brief account on Governance attributes.

6. Write a note on COBIT.

1.9 Suggested Reading


1. Anthony Tarantino, The Governance, Risk, and Compliance Handbook, Wiley, 1st edition (March 14, 2008).

2. Gad Selig, Implementing IT Governance, Van Haren Publishing, 1st edition (April 17, 2008).

LESSON - 2
Basel and OECD
Learning Objectives

At the end of this lesson the student will have learnt the following:

 The process of the Basel Committee

 The Basel norms and the differences between them

 The pillars of Basel II and Basel III

 The structure, work and functions of the OECD

Structure of Lesson
2.1 Introduction

2.2 Need for Banking supervision

2.2.1 Basel - I

2.2.2 Basel - II

2.2.3 Basel - III

2.3 OECD

2.3.1 Structure of OECD

2.3.2 Work of OECD

2.3.3 Functions of OECD

2.4 Summary

2.5 Keywords

2.6 Review Questions

2.7 Suggested Reading



2.1 Introduction
Basel is a city in Switzerland which is also the headquarters of the Bank for International Settlements (BIS). The BIS, established on 17 May 1930, is the world's oldest international financial organization. It has some 60 member central banks from all over the world, which together account for approximately 95% of world GDP. The Basel Committee, initially named the Committee on Banking Regulations and Supervisory Practices, was established by the central bank Governors of the Group of Ten (G10) countries. The Committee, headquartered at the BIS in Basel, was established to enhance financial stability by improving the quality of banking supervision worldwide, and to serve as a forum for regular co-operation between its member countries on banking supervisory matters.

The Basel Committee has since expanded its membership from the G10 to 45 institutions, and has established a series of international standards for bank regulation, most notably its landmark accords on capital adequacy, commonly known as Basel I, Basel II and, most recently, Basel III. The set of agreements by the BCBS (Basel Committee on Banking Supervision) that focus on risks to banks and the financial system are called the Basel Accords. The purpose of the accords is to ensure that financial institutions hold enough capital to meet their obligations and absorb unexpected losses. India has accepted the Basel Accords for its banking system. The Basel Accords have given us three sets of Basel norms: Basel I, II and III.

2.2 Need for Banking Supervision


 To ensure that banks operate in a safe and sound manner.

 To ensure that banks “hold capital and reserves sufficient to support the risks that
arise in their business”

 Sound practices for banks’ risk management

2.2.1 Basel I:

The reason for Basel I was to create a level playing field for "internationally active banks": banks from different countries competing for the same loans would have to set aside roughly the same amount of capital against those loans.

Basel I Norms (1988)

 In 1988, the Basel Committee on Banking Supervision (BCBS) introduced a capital measurement system called the Basel Capital Accord, also known as Basel I.

 It focused almost entirely on credit risk; it defined capital and a structure of risk weights for banks' assets.

 The minimum capital requirement was fixed at 8% of Risk-Weighted Assets (RWA).

 India adopted the Basel I guidelines in 1999.

Pitfalls of Basel I
 Limited differentiation of credit risk

 Static measure of default risk

 No recognition of the term structure of credit risk

 Simplified calculation of potential future counterparty risk

 Lack of recognition of portfolio diversification effects

2.2.2 Basel II Norms (2004)

 In 2004, the Basel II guidelines were published by the BCBS; they were considered the refined and reformed version of the Basel I accord.

 Banks should maintain a minimum capital adequacy requirement of 8% of risk-weighted assets.

 Banks were required to develop and use better risk management techniques in monitoring and managing all three types of risk covered by the accord, and to meet increased disclosure requirements.

The three types of risk are:

 Credit risk

 Market risk

 Operational risk

 Banks must disclose their risk exposures, capital adequacy and risk assessment processes, both to the supervisor (in India, the Reserve Bank of India) and publicly under the market discipline pillar.

 Implementation was phased in over several years; in India, all commercial banks were required to comply with Basel II by March 31, 2009.

Three pillars of Basel-II


Basel II consists of three pillars:

 Minimum capital requirements for credit risk, market risk and operational risk, expanding the 1988 Accord (Pillar I).

 Supervisory review of an institution's capital adequacy and internal assessment process (Pillar II).

 Effective use of market discipline as a lever to strengthen disclosure and encourage safe and sound banking practices (Pillar III).

2.2.3 Basel III (2010)

 In 2010, the Basel III guidelines were released, in response to the financial crisis of 2008.

 Basel III norms aim at making most banking activities, such as trading book activities, more capital-intensive.

 The guidelines aim to promote a more resilient banking system by focusing on four vital banking parameters, viz. capital, leverage, funding and liquidity.

 At the time of writing, the Indian banking system follows Basel II norms while transitioning to Basel III.

 The Reserve Bank of India extended the timeline for full implementation of the Basel III capital regulations by a year to March 31, 2019 (the final tranche of the capital conservation buffer was later deferred further).

Figure 2.1: Three pillars of Basel III

2.3 OECD (Organization for Economic Co-operation and Development)
 The Organization for Economic Co-operation and Development is an intergovernmental economic organization founded in 1961 to stimulate economic progress and world trade. It had 36 member countries at the time of writing (38 since 2021).

 It is a forum of countries describing themselves as committed to democracy and the market economy, providing a platform to compare policy experiences, seek answers to common problems, identify good practices and coordinate the domestic and international policies of its members.

2.3.1 Structure of OECD

The OECD's structure consists of three main elements:

1 The OECD member countries, each represented by a delegation led by an ambassador. Together, they form the OECD Council. Member countries act collectively through the Council to provide direction and guidance to the work of the Organization.

2 The OECD Substantive Committees, one for each work area of the OECD, plus their variety of subsidiary bodies. Committee members are typically subject-matter experts from member and non-member governments.

3 The OECD Secretariat, led by the Secretary-General, which provides support to the Standing and Substantive Committees. It is organized into Directorates.

2.3.2 Work of OECD

The OECD uses its wealth of information on a broad range of topics to help governments foster prosperity and fight poverty through economic growth and financial stability. It also helps to ensure that the environmental implications of economic and social development are taken into account.

Figure 2.2: Work of OECD

2.3.3 Functions of OECD


 The OECD publishes economic reports, statistical databases, analyses and forecasts
on the outlook for economic growth worldwide.

 The group analyses and reports on the impact of social policy issues such as gender
discrimination on economic growth and makes policy recommendations designed
to foster growth with sensitivity to environmental issues.

 The organization also seeks to eliminate bribery and other financial crime worldwide.

2.4 Summary
Basel is a city in Switzerland which is also the headquarters of the Bank for International Settlements. The Basel Committee, initially named the Committee on Banking Regulations and Supervisory Practices, was established by the central bank Governors of the G10 countries and has since expanded its membership from the G10 to 45 institutions. The set of agreements by the BCBS (Basel Committee on Banking Supervision) that focus on risks to banks and the financial system are called the Basel Accords. In 1988, the Basel Committee on Banking Supervision introduced a capital measurement system called the Basel Capital Accord, also known as Basel I. In 2004, the Basel II guidelines were published by the BCBS; they were considered the refined and reformed version of the Basel I accord. In 2010, the Basel III guidelines were released, in response to the financial crisis of 2008. The Organization for Economic Co-operation and Development is an intergovernmental economic organization with 36 member countries at the time of writing, founded in 1961 to stimulate economic progress and world trade. The OECD's structure consists of three main elements: the member countries acting through the Council, the Substantive Committees and the Secretariat. The OECD uses its wealth of information on a broad range of topics to help governments foster prosperity and fight poverty through economic growth and financial stability.

2.5 Keywords
BCBS - Basel Committee on Banking Supervision

OECD - Organization for Economic Co-operation and Development

RWA - Risk- Weighted Assets

BIS - Bank for International Settlements

GDP - Gross Domestic Product

2.6 Review Questions


1. List out the needs for Banking supervision.

2. Give a brief note on Basel norms.

3. Write a note on three types of risks in Basel-II.

4. Sketch the three pillars of Basel-III and briefly explain.

5. Explain the working way of OECD.

6. Write a note on functions of OECD.



2.7 Suggested Reading


1. Anthony Tarantino, The Governance, Risk, and Compliance Handbook, Wiley, 1st edition (March 14, 2008).

2. Gad Selig, Implementing IT Governance, Van Haren Publishing, 1st edition (April 17, 2008).

LESSON - 3
Best Practices for IT Governance
Learning Objectives

At the end of this lesson the student will have learnt the following:

 What ITIL is

 The service lifecycle modules of ITIL

 The processes and roles of ITIL

 The ISO/IEC 27001 standard and the ISMS it describes

 The advantages of an ISMS

Structure of Lesson
3.1 Introduction

3.2 ITIL (Information Technology Infrastructure Library)

3.3 Service Lifecycle modules

3.3.1 Service Strategy

3.3.2 Service Design

3.3.3 Service Operation

3.3.4 Service Transition

3.3.5 Continual Service Improvement

3.4 ISO/ IEC 27001 (ISMS)

3.4.1 Key Principles in Standard Development

3.4.2 ISMS Standards

3.4.3 Advantages

3.5 Summary

3.6 Keywords

3.7 Review Questions

3.8 Suggested Reading



3.1 Introduction
Effective information security governance rests on a set of linked components:

 An information security risk management methodology and a comprehensive security strategy explicitly linked with business and IT objectives.

 An effective security organizational structure, and a security strategy that talks about the value of the information protected and delivered.

 Security policies that address each aspect of strategy, control and regulation.

 A complete set of security standards for each policy, to ensure that procedures and guidelines comply with policy.

 Institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk.

 A process to ensure continued evaluation and update of security policies, standards, procedures and risks.

3.2 ITIL (Information Technology Infrastructure Library)


ITIL is a compilation of best practices for the management of IT organizations. ITIL aims at
ensuring that strategic security considerations are taken into account at the various operational
levels. Information security is viewed as a cycle which needs to be controlled, planned, designed,
tested and maintained. According to ITIL, information security is broken down into policies,
processes, procedures and work instructions.

Using ITIL as a guiding tool, organizations are able to develop and implement a clear
security structure based on best practices. One of its requirements is continuous review and
this ensures that an organization evaluates the effectiveness of its security measures. The
security structure is well organized and therefore prevents disorganized implementation and
rushed decisions. ITIL requires proper reporting and therefore keeps the executive management
up-to-date with the current security situation that enables them to make appropriate security
decisions. Roles and responsibilities are clearly spelt out and in the event that an incident
occurs, the procedures of action are understood.

3.3 Service Lifecycle modules


The ITIL best practices framework is based around five Service Lifecycle modules:

• Service Strategy

• Service Design

• Service Operation

• Service Transition

• Continual Service Improvement

Figure 3.1: ITIL Service Life Cycle Modules

Each of them contains a number of ITIL Processes and Functions. The key to running
efficient IT Service Management is knowing who does what; therefore, within the ITIL framework
you’ll find numerous roles involved in the process(es). Some roles span several processes and
have a different influence on each of them. Those complex relationships are maintained within
the RACI (Responsible, Accountable, Support, Consulted, Informed) matrix, which spans all
Service Lifecycle processes and roles.

3.3.1 Service Strategy

The Service Strategy phase of the Service Lifecycle provides guidance on how to design,
develop, and implement IT Service Management. Students will understand how service strategies
can be developed to give the business a distinct advantage in the marketplace. During Service
Strategy, an organization will determine its target markets and how to differentiate itself from its
competitors. The organization’s management team will understand the costs and risks associated
with their Service Portfolios and can efficiently use this information in their operational decision-
making. Practical examples will be used to describe the assessment and planning involved
within the IT departments of small, medium, and large corporations. Having the proper strategies
in place can give the company a proactive and productive approach to their business operations.

3.3.2 Service Design

The Service Design phase of the Service Lifecycle provides guidance on how to design
and develop services and IT Service Management processes that will support the service
strategies already developed. Learning how to design service plans will prepare IT professionals
and business leaders to address customer concerns in the most proficient manner.

3.3.3 Service Operation

The Service Operation phase of the Service Lifecycle provides guidance on the practical
aspects of day-to-day business operations. The goal is for the IT department to keep things
running smoothly, reliably, efficiently and cost-effectively. The activities and processes in this
phase ensure that services are delivered to customers at the agreed upon levels with minimal
interruptions and disruptions. Service Operation focuses on providing value to both the customer
and the service provider.

3.3.4 Service Transition

The Service Transition phase of the Service Lifecycle teaches IT professionals and their
business associates to manage changes in a productive manner. Service Transition provides
guidance on how to efficiently and effectively transition new and changed services into operations
without disrupting or interrupting other services or processes.

3.3.5 Continual Service Improvement

Even if nothing changes in an organization, there is always room for development and
improvement in IT services. Continual assessment is the key to understanding where
improvements can be made. ITIL training can help learners identify where these possibilities for
progress are.

3.4 ISO/ IEC 27001 (ISMS)


ISO/IEC 27000 is a family of standards, published by ISO (International Organization for
Standardization), that provides organizations with a general framework for information security
policies and standards. This series is useful to every organization that wishes to secure information
assets such as financial reports, employee information, intellectual property or customer details.
The ISO 27000:2013 is a series consisting of four standardization documents.

• The first document contains the requirements for an information security management
system.

• The second document in the series contains a code of practice listing controls that
ensure security.

• The third document in this family is ISO 27003:2010, which is designed to provide
guidance during the implementation stage of the security management system.

• Fourth in this series is ISO 27004:2009, which encompasses the analysis of
measurements required for an information security system.

ISO 27001:2013 is the standard adapted to offer guidance through the processes of
establishment, implementation, maintenance and continual improvement of the information
security management system. The standard considers various types of organizations and
industries encompassing their sizes and markets. It is therefore a wide and generic document
and its adoption and implementation ought to be a strategic decision. The standard’s adaptation
process must be influenced by the organization’s needs and aligned to its business objectives.
The board and the executive management are at liberty to select the security policies that are
appropriate for the current state of security and may complement these policies with more
options also referred to as extended control sets. Thorough evaluation of the organization’s
information security risks is fundamental in order to make suitable selection of controls.

ISO 27002:2013 is mainly a code of practice and categorically deals with all types of
information security and not only IT systems’ security (ISO/IEC 27002 2013). It offers guidelines
and recommendations of suitable controls to organizations that have assessed their information
security risks. Since it is a code of guidelines, organizations are not necessarily required to
adopt it as a standard and are therefore free to choose guidelines that are relevant to their
organization’s needs. This standard is considered indispensable to any organization that depends
on information.

3.4.1 Key Principles in Standard Development


ISO standards respond to a need in the market

ISO does not decide when to develop a new standard but responds to a request from
industry or other stakeholders such as consumer groups. Typically, an industry sector or group
communicates the need for a standard to its national member body, which then contacts ISO.

ISO standards are based on global expert opinion

ISO standards are developed by groups of experts from all over the world that are part of
larger groups called technical committees. These experts negotiate all aspects of the standard,
including its scope, key definitions and content.

ISO standards are developed through a multi-stakeholder process

The technical committees are made up of experts from the relevant industry, but also
from consumer associations, academia, NGOs and government.

ISO standards are based on consensus

Developing ISO standards is a consensus-based approach, and comments from all
stakeholders are taken into account.

3.4.2 ISMS Standards


a. ISO/IEC 27001:2005

b. ISO/IEC 27002:2005

a. ISO/IEC 27001:2005

It is the Requirements for Information Security Management Systems. It specifies the
requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and
improving a documented ISMS within the context of the organization’s overall business risks.

The ISMS processes are based on the following Plan-Do-Check-Act model:

Figure 3.2: PDCA Model

b. ISO/IEC 27002:2005

ISO/IEC 27002:2005 is the Code of Practice for Information Security Management. It
provides a catalogue of controls that can be implemented for an ISMS. The standard comprises
11 security areas, 39 control objectives and 133 controls.

Figure 3.3: Security areas of ISO/IEC 27002

3.4.3 Advantages

Certification of an ISMS brings several advantages:

• Provides a structured way of managing information security within an organization.

• Provides an independent assessment of an organization’s conformity to the best
practices agreed by a community of experts for ISMS.

• Provides evidence and assurance that an organization has complied with the
standard’s requirements.

• Enhances information security governance within the organization.

• Enhances the organization’s global positioning and reputation.

• Increases the level of information security in the organization.

3.5 Summary
Effective security governance requires a security organizational structure and a security
strategy that speaks to the value of the information protected and delivered. ITIL is a compilation
of best practices for the management of IT organizations. ITIL aims at ensuring that strategic
security considerations are taken into account at the various operational levels. ITIL requires
proper reporting and therefore keeps the executive management up to date with the current
security situation, which enables them to make appropriate security decisions. Some roles
span several processes and have a different influence on each of them. The ISO 27000:2013 is
a series consisting of four standardization documents. COBIT is a framework created by the
ISACA (Information Systems Audit and Control Association) for IT governance and management.
ISO/IEC 27001 is the Requirements for Information Security Management Systems and ISO/IEC
27002 is the Code of Practice for Information Security Management. It provides a catalogue of
controls that can be implemented for an ISMS.

3.6 Keywords
ITIL - Information Technology Infrastructure Library

RACI - Responsible, Accountable, Support, Consulted, Informed

ISG - IT Steering Group

ISO - International Organization for Standardization

ITAF - IT Assurance Framework

3.7 Review Questions


1. List out the Processes and roles of service design.

2. Explain the five Service Lifecycle modules in ITIL.

3. What are the four standardization documents in ISO 27000:2013?

4. List down the key principles in standard development.

5. Show the PDCA model with brief explanation.

6. List out the advantages of ISMS.

3.8 Suggested Reading


1. Anthony Tarantino, “The Governance, Risk, and Compliance Handbook”, Wiley; 1st
edition (March 14, 2008).

2. Gad Selig, “Implementing IT Governance”, Van Haren Publishing; First edition
(April 17, 2008).

LESSON - 4
COBIT and ISM Maturity model
Learning Objectives

At the end of this lesson, students will have learned the following:

• Understanding of the COBIT process

• Various components of COBIT

• The principles and goals of COBIT

• Understanding of the information security management model

• The various levels in the CMM

Structure of Lesson
4.1 Introduction - COBIT

4.2 Various Components of COBIT

4.3 COBIT Principles

4.4 COBIT Goals Cascade steps

4.5 Information Security Management Model

4.6 Maturity Models

4.6.1 Capability Maturity Model

4.7 Summary

4.8 Keywords

4.9 Review Questions

4.10 Suggested Reading

4.1 Introduction - COBIT


COBIT stands for Control Objectives for Information and Related Technology. It is a
framework created by the ISACA (Information Systems Audit and Control Association) for IT
governance and management. It was designed to be a supportive tool for managers, and
allows bridging the crucial gap between technical issues, business risks, and control
requirements. COBIT is a thoroughly recognized guideline that can be applied to any organization
in any industry.

The COBIT business orientation includes linking business goals with its IT infrastructure
by providing various maturity models and metrics that measure the achievement while identifying
associated business responsibilities of IT processes. The main focus of COBIT was illustrated
with a process-based model subdivided into four specific domains, including:

• Planning & Organization

• Delivering and Support

• Acquiring & Implementation

• Monitoring & Evaluating

All of this is further understood under 34 processes as per the specific line of responsibilities.
COBIT has a high position in business frameworks and has been recognized under various
international standards, including ITIL, CMMI, COSO, PRINCE2, TOGAF, PMBOK and
ISO 27000. COBIT acts as a guideline integrator, merging all solutions under one umbrella. The
latest COBIT version 5 came out in April 2012 and consolidated the principles of COBIT 4.1,
Risk IT Frameworks, and Val IT 2.0. This version draws reference from the IT Assurance Framework
(ITAF) from ISACA and the revered BMIS (Business Model for Information Security).

4.2 Various Components of COBIT


a. Framework

It helps in organizing the objectives of IT governance and bringing in the best practices
in IT processes and domains while linking business requirements.

b. Process Descriptions

It is a reference model and also acts as a common language for every individual in the
organization. The process descriptions include planning, building, running, and monitoring of
all IT processes.

c. Control Objectives

This provides a complete list of requirements that have been considered by the
management for effective IT business control.

d. Maturity Models

Assesses the maturity and the capability of every process while addressing the gaps.

e. Management Guidelines

Helps in better assigning responsibilities, measuring performance, agreeing on common
objectives, and illustrating better interrelationships with every other process.

4.3 COBIT Principles


The Principles can be listed as follows:

• The first principle is meeting the stakeholders’ needs. This principle is about
identifying the key stakeholders, their needs and how value is created for enterprises
by addressing those needs through the cascading of goals.

• The second principle is covering the enterprise end-to-end. This principle is about
covering all the functions and processes wherever information is processed in the
enterprise.

• The third principle is applying a single integrated framework. This principle is about
having a single and integrated framework that consists of the various established
frameworks and standards required for the governance and management of
enterprise IT.

• The fourth principle is enabling a holistic approach. This principle is about using a
set of enablers for an all-inclusive or holistic approach to support the governance
and management of enterprise IT.

• The fifth principle is separating governance from management. This principle is
about differentiating between the governance and management roles, activities and
responsibilities.

Figure 4.1: COBIT principles

The framework also identifies seven enablers: aspects of governance that need to be in
place in order to support the five principles above.

Figure 4.2: COBIT Enablers

4.4 COBIT Goals Cascade steps

Figure 4.3: COBIT Goals cascade steps

The four key steps in the goals cascade are:

Step 1 - Identify the influence of key stakeholder drivers on stakeholder needs.

Step 2 - Stakeholder needs cascade to enterprise goals.

Step 3 - Enterprise goals cascade to IT-related goals.

Step 4 - IT-related goals cascade to enabler goals.

4.5 Information Security Management Model


Security is the result of a process. The better the security process, the better the protection
achieved from the resources available. Using Security in Context, an incident is defined as a
failure to meet the organization’s Security Objectives. Since the definition is context dependent,
ISM3 does not consider any single set of security measures or security management processes
as compulsory or useful for all organizations. To manage something means to define and achieve
goals, while optimizing the use of resources. Management activities normally include the
requirements to plan, direct, control and coordinate.

There are three levels of Security Management:

• Strategic, which deals with broad goals and provision of resources.

• Tactical, which deals with specific goals and management of resources.

• Operational, which deals with achieving defined goals.

4.6 Maturity Models


A maturity model can be viewed as a set of structured levels that describe how well the
behaviors, practices and processes of an organization can reliably and sustainably produce
required outcomes.

A maturity model can be used as a benchmark for comparison and as an aid to
understanding - for example, for comparative assessment of different organizations where there
is something in common that can be used as a basis for comparison. In the case of the CMM
the model involves five aspects:

• Maturity Levels: A 5-level process maturity continuum - where the uppermost (5th)
level is a notional ideal state where processes would be systematically managed by
a combination of process optimization and continuous process improvement.

• Key Process Areas: A Key Process Area identifies a cluster of related activities that,
when performed together, achieve a set of goals considered important.

• Goals: The goals of a key process area summarize the states that must exist for
that key process area to have been implemented in an effective and lasting way.
The extent to which the goals have been accomplished is an indicator of how much
capability the organization has established at that maturity level. The goals signify
the scope, boundaries, and intent of each key process area.

• Common Features: Common features include practices that implement and
institutionalize a key process area. There are five types of common features:

  - Commitment to perform

  - Ability to perform

  - Activities performed

  - Measurement and analysis

  - Verifying implementation

• Key Practices: The key practices describe the elements of infrastructure and practice
that contribute most effectively to the implementation and institutionalization of the
area.

4.6.1 Capability Maturity Model

The model provides a theoretical continuum along which process maturity can be developed
incrementally from one level to the next.

Figure 4.4: CMM



Level 1 - Initial

It is characteristic of processes at this level that they are (typically) undocumented and in
a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner
by users or events. This provides a chaotic or unstable environment for the processes.

Level 2 - Managed (Repeatable)

It is characteristic of this level of maturity that some processes are repeatable, possibly
with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may
help to ensure that existing processes are maintained during times of stress.

Level 3 - Defined

It is characteristic of processes at this level that there are sets of defined and documented
standard processes established and subject to some degree of improvement over time. These
standard processes are in place. The processes may not have been systematically or repeatedly
used - sufficient for the users to become competent or the process to be validated in a range of
situations. This could be considered a developmental stage - with use in a wider range of
conditions and user competence development the process can develop to next level of maturity.

Level 4 - Quantitatively Managed (Capable)

It is characteristic of processes at this level that, using process metrics, effective
achievement of the process objectives can be evidenced across a range of operational conditions.
The suitability of the process in multiple environments has been tested and the process refined
and adapted. Process users have experienced the process in multiple and varied conditions
and are able to demonstrate competence. The process maturity enables adaptations to particular
projects without measurable losses of quality or deviations from specifications. Process Capability
is established from this level.

Level 5 - Optimizing (Efficient)

It is a characteristic of processes at this level that the focus is on continually improving
process performance through both incremental and innovative technological changes/
improvements. At maturity level 5, processes are concerned with addressing statistical common
causes of process variation and changing the process to improve process performance. This
would be done at the same time as maintaining the likelihood of achieving the established
quantitative process-improvement objectives.

4.7 Summary
COBIT stands for Control Objectives for Information and Related Technology. It was
designed to be a supportive tool for managers, and allows bridging the crucial gap between
technical issues, business risks, and control requirements. COBIT has a high position in business
frameworks and has been recognized under various international standards. COBIT is made up
of five components and is based on five principles. Security is the result of a process, and,
using Security in Context, an incident is defined as a failure to meet the organization’s Security
Objectives. A maturity model can be viewed as a set of structured levels that describe how well
the behaviors, practices and processes of an organization can reliably and sustainably produce
required outcomes. A maturity model can be used as a benchmark for comparison and as an
aid to understanding.

4.8 Keywords
COBIT - Control Objectives for Information and Related Technology

ISACA - Information Systems Audit and Control Association

CMM - Capability Maturity Model

BMIS - Business Model for Information Security

4.9 Review Questions


1. Discuss the Various components of COBIT.

2. Explain the COBIT principles with a neat sketch.

3. List out the goals of COBIT.

4. Write a note on ISM model.

5. What are three levels of Security Management?

6. Explain the five levels of the CMM with a neat sketch.

4.10 Suggested Reading


1. Anthony Tarantino, “The Governance, Risk, and Compliance Handbook”, Wiley; 1st
edition (March 14, 2008).

2. Gad Selig, “Implementing IT Governance”, Van Haren Publishing; First edition
(April 17, 2008).

LESSON – 5
Information Security Governance
Learning Objectives

At the end of this lesson, students will have learned the following:

• Understanding of the ISG process

• The ISG framework contents

• The importance of ISG

• The various outcomes of ISG

• Understanding of the effectiveness of ISG

Structure of Lesson
5.1 Introduction

5.2 ISG – Framework Contents

5.3 Effective Information Security Governance

5.4 Importance of Information Security Governance

5.5 Outcomes of Information Security Governance

5.6 Summary

5.7 Keywords

5.8 Review Questions

5.9 Suggested Reading

5.1 Introduction
Information security governance (ISG) is the responsibility of the board of directors and
senior executives. It must be an integral and transparent part of enterprise governance and be
aligned with the IT governance framework. Whilst senior executives have the responsibility to
consider and respond to the concerns and sensitivities raised by information security, boards of
directors will increasingly be expected to make information security an intrinsic part of governance,
integrated with processes they already have in place to govern other critical organizational
resources.

5.2 ISG – Framework Contents


ISG is to ensure that there is an accurate security framework that meets the objectives of
the organization. Candidates are tested on the broad requirements for effective ISG and what
is required to develop a framework with an accompanying plan of action for implementing it.

Candidates will be required to understand the contents of the framework, which will
generally consist of a comprehensive security strategy that is intrinsically linked with business
objectives, together with:

• Governing security policies that address each aspect of strategy, controls and
regulation

• A complete set of standards for each policy to ensure that procedures and guidelines
comply with policy

• An effective security organizational structure void of conflicts of interest and with
sufficient authority and adequate resources

• Institutionalized metrics and monitoring processes to ensure compliance, provide
feedback on effectiveness, and provide the basis for appropriate management
decisions.

What does it need to include?

• Alignment with the information security strategy of the nation

• Management of risks

• Efficient and effective management

• Verification of results

Why is it important?

• Provides a framework for secure business operations in an interconnected world

• Ensures the country’s security resources are well spent.

5.3 Effective Information Security Governance


In comparing the critical differences with respect to the effectiveness of a company’s
information security governance program, the following distinctions are common to successful
organizations.

1. Board members understand that information security is critical to the company and
requires regular updates on performance and security incidents.

2. The officers and business unit managers participate in a risk management committee
that meets regularly on the topic of information security.

3. Executive management sets acceptable risk levels which are the basis for the
company’s security policies and related practices.

4. Executive management holds business unit managers responsible for carrying out
risk management activities for their specific business units.

5. Critical business processes are documented along with the risks that are inherent
in the different steps within the business processes.

6. Employees are held accountable for any security breaches they participate in, either
maliciously or accidentally.

7. Security products, managed services and consultants are purchased and deployed
in an informed manner and are regularly reviewed.

8. The organization regularly reviews its business and security processes with the
goal of continuous improvement.

5.4 Importance of Information Security Governance


Information security governance generates significant benefits, including:

• An increase in share value for organizations that practice good governance.

• Increased predictability and reduced uncertainty of business operations by lowering
information security-related risks to definable and acceptable levels.

• Protection from the increasing potential for civil or legal liability as a result of
information inaccuracy or the absence of due care.

• The structure and framework to optimize allocation of limited security resources.

• Assurance of effective information security policy and policy compliance.

• A firm foundation for efficient and effective risk management, process improvement,
and rapid incident response related to securing information.

• A level of assurance that critical decisions are not based on faulty information.

• Accountability for safeguarding information during critical business activities, such
as mergers and acquisitions, business process recovery, and regulatory response.

5.5 Outcomes of Information Security Governance


• Information security governance contains a structured set of elements that are
required to provide senior management with assurance that its major objectives are
captured in the organization’s security posture. After the elements have been put in
place, management can rest assured that adequate and effective information security
will protect the organization’s most critical and important assets.

• ISG is mainly involved in the development, implementation and management of a
security program that achieves six outcomes that candidates will be tested on. These
include:

a. Strategic alignment

b. Risk Management

c. Value delivery

d. Resource Management

e. Performance Measurement

f. Integration

a. Strategic Alignment

It is often difficult to achieve the goal of strategic alignment of information security in
support of organizational objectives.

• Ensure transparency and understanding of IT security costs, benefits, strategy,
policies and service levels.

• Develop a common and comprehensive set of IT security policies.

• Communicate the IT strategy, policies and control framework.

• Enforce IT security policies.

• Define security incidents in business impact terms.

• Establish clarity on the business impact of risks to IT objectives and resources.

• Establish an IT continuity plan that supports business continuity plans.

b. Risk Management

To manage and mitigate risks and reduce potential impacts on information assets to an
acceptable level.

• Account for and protect all IT assets.

• Establish and reduce the likelihood and impact of IT security risks.

• Perform regular risk assessments with senior managers and key staff.

• Permit access to critical and sensitive data only to authorized users.

• Ensure critical and confidential information is withheld from those who should not
have access to it.

• Identify, monitor and report security vulnerabilities and incidents.

• Develop IT continuity plans that can be executed and are tested and maintained.

A key goal of information security is to reduce adverse impacts on the organization to an
acceptable level of risk. Therefore, a key metric is the adverse impacts of information security
incidents experienced by the organization. An effective security programme will show a trend of
impact reduction. Quantitative measures can include trend analysis of impacts over time.

c. Resource Management

Information security knowledge and infrastructure should be used efficiently and
effectively.

• Maintain the integrity of information and processing infrastructure.

• Account for and protect all IT assets.

• Ensure that IT services and infrastructure can resist and recover from failures due
to error, deliberate attack or disaster.

• Ensure proper use and performance of the applications and technology solutions.

d. Performance Measurement

Measuring, monitoring and reporting on information security processes ensures that
organizational objectives are achieved. Typical metrics include:

• Number of incidents damaging reputation with the public

• Number of systems where security requirements are not met

• Time to grant, change and remove access privileges

• Number and type of suspected and actual access violations

• Number and type of malicious code prevented

• Number and type of security incidents

• Number and type of obsolete accounts

• Number of unauthorized IP addresses, ports and traffic types denied

• Number of access rights authorized, revoked, reset or changed
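The metrics above, and the trend analysis of incident impacts called for under Risk Management, only support governance decisions if someone actually computes them from operational records. The following is an added example, not part of the course material, that calculates a few of these metrics in Python over constructed sample records; the record layouts, field names and the 90-day idle threshold for obsolete accounts are assumptions.

```python
from collections import Counter
from datetime import date, datetime
from statistics import mean

# Constructed sample records (hypothetical; the field names are an assumption).
# Access-privilege requests: when each request was raised and when it was completed.
ACCESS_EVENTS = [
    {"action": "grant",  "requested": "2024-01-03T09:00", "completed": "2024-01-03T15:00"},
    {"action": "remove", "requested": "2024-01-10T08:00", "completed": "2024-01-12T08:00"},
    {"action": "change", "requested": "2024-01-15T10:00", "completed": "2024-01-15T12:00"},
    {"action": "remove", "requested": "2024-02-01T09:00", "completed": "2024-02-01T11:00"},
]
# User accounts as exported from a directory: enabled flag and last interactive login.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": "2024-03-20"},
    {"user": "bob",   "enabled": True,  "last_login": "2023-10-01"},
    {"user": "carol", "enabled": False, "last_login": "2023-08-01"},
    {"user": "dave",  "enabled": True,  "last_login": None},
]
# Security incidents with an estimated business impact (constructed currency units).
INCIDENTS = [
    {"date": "2023-07-12", "type": "malware",          "impact": 12000},
    {"date": "2023-09-02", "type": "access violation", "impact": 4000},
    {"date": "2023-11-20", "type": "phishing",         "impact": 9000},
    {"date": "2024-01-15", "type": "malware",          "impact": 3000},
    {"date": "2024-02-28", "type": "access violation", "impact": 2500},
]


def hours_to_complete(events, action):
    """Mean hours between request and completion for one action (grant, change
    or remove): the 'time to grant, change and remove access privileges' metric.
    Returns None when there are no events for that action."""
    durations = [
        (datetime.fromisoformat(e["completed"])
         - datetime.fromisoformat(e["requested"])).total_seconds() / 3600
        for e in events
        if e["action"] == action
    ]
    return mean(durations) if durations else None


def obsolete_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts that have never logged in or have been idle for more
    than max_idle_days (the 90-day threshold is an assumed policy value)."""
    cutoff = date.fromisoformat(as_of)
    obsolete = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is not a live access path
        last = acct["last_login"]
        if last is None or (cutoff - date.fromisoformat(last)).days > max_idle_days:
            obsolete.append(acct["user"])
    return obsolete


def incidents_by_type(incidents):
    """Number of security incidents per type."""
    return Counter(i["type"] for i in incidents)


def impact_by_period(incidents):
    """Total incident impact per calendar quarter, keyed 'YYYY-Qn' and
    returned in chronological order."""
    totals = {}
    for inc in incidents:
        d = date.fromisoformat(inc["date"])
        key = f"{d.year}-Q{(d.month - 1) // 3 + 1}"
        totals[key] = totals.get(key, 0) + inc["impact"]
    return dict(sorted(totals.items()))


def impact_is_reducing(incidents):
    """True when quarterly impact totals fall strictly from one period to the
    next, i.e. the programme shows the trend of impact reduction the lesson asks for."""
    totals = list(impact_by_period(incidents).values())
    return len(totals) >= 2 and all(b < a for a, b in zip(totals, totals[1:]))


def governance_report(as_of):
    """Collect the metrics into one dictionary for a management report."""
    return {
        "hours_to_grant": hours_to_complete(ACCESS_EVENTS, "grant"),
        "hours_to_remove": hours_to_complete(ACCESS_EVENTS, "remove"),
        "obsolete_accounts": obsolete_accounts(ACCOUNTS, as_of),
        "incidents_by_type": dict(incidents_by_type(INCIDENTS)),
        "impact_by_period": impact_by_period(INCIDENTS),
        "impact_reducing": impact_is_reducing(INCIDENTS),
    }


if __name__ == "__main__":
    for name, value in governance_report("2024-03-31").items():
        print(f"{name}: {value}")
```

The 48-hour removal in the sample data is what drags the mean time-to-remove to 25 hours; reporting the per-action figure separately, as above, is what makes such a lag visible to management.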

e. Value Delivery

Security investments should be optimized to support organizational objectives. Security
activities consume resources. Optimal investment levels occur when strategic goals for security
are achieved and an acceptable risk posture is attained by the organization at the lowest possible
cost. The following goals should be considered:

• Ensure automated business transactions and information exchanges can be trusted.

• Make sure that IT services are available as required.

• Minimize the probability of IT service interruption.

• Minimize the impact of security vulnerabilities and incidents.

• Ensure minimum business impact in the event of an IT service disruption or change.

• Establish cost-effective action plans for critical IT risks.

f. Integration

ISG ensures that the relevant assurance factors are integrated to make sure that processes
operate as intended from end to end. Candidates are tested on the integration and coordination
of the various assurance functions so as to ensure complete security, formal relationships
between assurance functions, and the roles and responsibilities between assurance functions.

5.6 Summary
Information security governance is the responsibility of the board of directors and senior
executives. It makes information security an intrinsic part of governance, integrated with the
processes they already have in place to govern other critical organizational resources. ISG is to
ensure that there is an accurate security framework that meets the objectives of the
organization. Generally, it consists of a comprehensive security strategy that is intrinsically linked
with business objectives. In comparing the critical differences with respect to the effectiveness
of a company’s information security governance program, some distinctions are common to
successful organizations. Information security governance generates various significant benefits.
It contains a structured set of elements that are required to provide senior management with
assurance that its major objectives are captured in the organization’s security posture. It is
mainly involved in the development, implementation and management of a security program
that achieves six outcomes.

5.7 Keyword
ISG - Information Security Governance

5.8 Review Questions

1. Write a note on the ISG framework.

2. Why is ISG important? Explain.

3. Explain the effectiveness of ISG.

4. Show the importance of ISG.

5. What are the outcomes of ISG?

6. Discuss risk and resource management.

5.9 Suggested Reading

1. Anthony Tarantino, “The Governance, Risk, and Compliance Handbook”, Wiley; 1st
edition (March 14, 2008).

2. Gad Selig, “Implementing IT Governance”, Van Haren Publishing; first edition
(April 17, 2008).

3. “Information Security Governance: Guidance for Information Security Managers”,
2nd Edition, 2008, IT Companion Publication.

LESSON – 6
Information System Strategy
Learning Objectives

At the end of this lesson the student will have knowledge of the following:

• Understand the planning process of information systems

• Various phases of strategic planning

• Know the importance of strategic information systems

• Various types of information system strategies

• Know the uses of strategic information systems

Structure of Lesson
6.1 Introduction

6.2 Planning process of Information system

6.3 Phases of Strategic planning

6.4 Importance of Strategic information system

6.5 Types of Information system strategies

6.5.1 Operations Support System

6.5.2 Management Support System

6.6 Uses of Strategic information system

6.7 Summary

6.8 Keywords

6.9 Review Questions

6.10 Suggested Reading

6.1 Introduction
Information System Strategic Planning has been described by King (1978) as a process
that serves to relate the organization’s mission, objectives, strategies and other salient
characteristics to an Information System strategy set. The Information System strategy set is
the product of the strategic planning process for IS in that it is derived from the organization’s
“strategy set” through the application of strategic planning methods to the IS function.

6.2 Planning process of Information system


The intent of this form of IS strategic planning is twofold:

• To ensure that information resources, when applied, will directly contribute
toward the attainment of enacted organizational strategies.

• To ensure that the information resource is seen during organizational strategic
planning as a competitive tool. As such, this form of IS strategic planning fits within
the information resource realm of IS planning.

Figure 6.1: Planning Process

IT strategic planning is the alignment of IT management and operation with enterprise
strategic planning. The need to move beyond IT management and to ensure that the IT planning
process is integrated with enterprise strategic planning follows from two strategic factors: mission
necessity and enterprise maturity. With many actors exploiting IT to maximize effectiveness, an
organization must engage in strategic planning to ensure that investments in IT produce business
value and that the assessment of risks is aligned with enterprise goals and objectives. This is a
necessity to support the overall enterprise mission.

6.3 Phases of Strategic planning


One of the best-documented examples of IT strategic planning is the process used at
Intel. It is worth examining this model because it also serves as a model for security strategic
planning. Intel’s IT strategic planning process comprises six phases, as shown:

Figure 6.2: Phases of Strategic Planning

1. Two- to five-year business and technology outlook

At the beginning of the year, the planning team takes as input an overall vision and
mission statement developed at the enterprise level. During this phase, the team reviews the
enterprise strategies, technology trends, employee trends, and so on to better understand the
future environment that will shape the IT organization and its deliverables. IT subject matter
experts from throughout the organization are recruited to help define the major trends that may
be critical in shaping the organization and its decision making in the next few years.

2. Strategic deep dive

The team identifies a small number of high-impact areas that require more in-depth
analysis to inform the overall strategic planning process. Depending on circumstances at a
given point in time, these may include IoT, social media trends, and changing regulatory
compliance rules.

3. Current-state assessment

The planning team analyses the current state of all the IT related systems and policies
and compares these with the long-range outlook, paying special attention to the key drivers
developed in the preceding phase. The result is a set of recommendations for adjustments to
IT’s focus areas and spending plans.

4. Imperatives, roadmaps, and Finances

The next phase is the development of a strategic plan for IT. The plan includes a discussion
of strategic objectives and a budget and investment plan. The plan reflects IT’s highest priority
items and provides an outcome framework for defining success. Each item includes a roadmap
that can influence budget and organization decisions in the upcoming year.

5. Governance process and decision making

Once the annual budget is approved, the information from the preceding phases is used
to guide the governance process and the many decisions made across the organization to
implement the strategic plan and one-year strategic objectives. These decisions include project
chartering, supplier selection, sourcing, investment trade-off decisions, and so on.

6. Regular reviews

Monthly reviews based on a wide variety of input help ensure that the strategic plan and
governance decisions are followed. This culminates in a year-end assessment. Reviews continue
into the following year until a new strategic plan and new governance decisions provide input
for modifying the review process. This process can include a security strategic planning
component, or planning can occur in a coordinated and parallel fashion in another team.

6.4 Importance of Strategic information system


A strategic information system provides a connection between the demands of the organization
and the latest information technology. This approach helps an organization gain hold of the market
by using information technology to meet its challenging requirements amid continuous variation
in the corporate environment.

Information system strategy is a critical aspect of an organization for its growth and
expansion. Within it, the integration of the data system and its function within the organization
can be handled easily. Besides that, it also enables the identification of different opportunities
for the use of information systems for different strategies. It ensures that resources are allocated
only to useful applications, and that scarce resources are used in a sustainable way. The
information system strategy ensures that the information system functions accordingly and
supports the business goals and objectives of the organization at the different levels.

There are several instances of strategic information systems that have helped
organizations create and sustain resources in this competitive market over the past
years, have delivered several effective benefits, and have simply ensured the survival of
the organizations that have used these systems. These systems are often termed the ‘strategic
concepts of the organization.’ To maximize the financial performance of firms in a
fluctuating market, the correlation between strategic management and information systems is
fundamentally significant.

6.5 Types of Information System strategies


a. Operations support system

b. Management support system

6.5.1 Operations support system

In a firm, data execution is performed at the user end, and the data is later processed to
generate useful data products and services, such as reports, which are used by different users.
Such a strategy is called operations support. The primary purpose of this system is to keep a
check on transactions, operations, control, the supply chain, and management. It also helps to
facilitate internal and external communication, and it updates the central main database of the
organization. The operations support system is further divided into three systems:

• Transaction Processing System (TPS)

• Process Control System (PCS)

• Enterprise Collaboration System (ECS)

6.5.2 Management Support System

Firms require accurate data in a specific format to understand the decisions of the
organization. The management support system strategy makes effective decision-making and
task operation more manageable for managers. These systems are essentially divided into
different strategies such as management information, decision support, accounting and expert
information systems. They provide precise information and data to the manager for routine
and decision-making processes. A decision support system helps to solve problems related
to particular issues.

6.6 Uses of Strategic information system


• Creating hurdles for the entry of a competitor: In this, a firm uses information
systems to supply products and services that are hard to duplicate or that are used
primarily to aid highly specialized networks of business. This strategy stops the
entry of competitors in the market, as they find the cost of providing such services
very high.

• Improving marketing by generating databases: Information systems also give
firms and organizations an edge over their competition by generating stronger
databases to enhance their sales and marketing tactics. This treats existing information
as a useful resource. For instance, a business firm may use its updated databases
to monitor the purchases of its customers and to locate many segments of the
market.

• Locking in customers and suppliers: This is an essential way of gaining a competitive
advantage by making customers and suppliers permanent. Here, information
systems strategies are implemented to provide benefits to customers and
suppliers so that it becomes hard for them to switch over to another competitor,
and they continue to provide the services.

• Lowering the costs of the products: Information systems may help firms lower their
costs, allowing them to offer products and services at a much lower cost than their
competitors. Thus, such a strategy can support the expansion and growth of the
firm.

• Leveraging technology in the value chain: In this way, organizations pinpoint
the particular activities in the business where competitive market strategies can be
applied and where strategic information systems can be more effective.

6.7 Summary
Information System Strategic Planning is a process that serves to relate the organization’s
mission, objectives, strategies and other salient characteristics to an Information System
strategy set. IT strategic planning is the alignment of IT management and operation with
enterprise strategic planning. IT subject matter experts from throughout the organization are
recruited to help define the major trends that may be critical in shaping the organization and its
decision making in the next few years. The planning team analyses the current state of all the
IT-related systems and policies. Once the annual budget is approved, the information is used to
guide the governance process and the many decisions made across the organization to implement
the strategic plan. A strategic information system provides a connection between the demands of
the organization and the latest information technology. The primary purpose of an operations
support system is to keep a check on transactions, operations, control, the supply chain, and
management. The management support system strategy makes effective decision-making and
task operation more manageable for managers.

6.8 Keywords
ISSP - Information System Strategy Planning

ISSS - Information System Strategy Set

TPS - Transaction Processing System

PCS - Process Control System

ECS - Enterprise Collaboration System

6.9 Review Questions

1. What are the planning processes of information systems?

2. Explain the six phases of strategic planning with a neat sketch.

3. Show the importance of strategic planning systems.

4. What are the two types of information system strategies? Explain.

5. List the uses of strategic information systems.

6.10 Suggested Reading

Anthony Tarantino, “The Governance, Risk, and Compliance Handbook”, Wiley; 1st edition
(March 14, 2008).

LESSON - 7
Steering Committee, Policies and Procedures
Learning Objectives

At the end of this lesson the student will have knowledge of the following:

• Know the challenges to establishing a steering committee

• Various steps for creating a steering committee

• Know the operation rules of a steering committee

• Practices for developing a steering committee

• Understanding various roles and procedures

Structure of Lesson
7.1 Introduction

7.2 Challenges to establishing a Steering Committee

7.3 Essential steps for creating effective Steering committee

7.3.1 Other Personnel concerned with ISG

7.4 Best Practices for Developing a Steering Committee

7.4.1 Operation rules of the Steering Committee

7.5 Policies & Procedure

7.5.1 Policies are either council or organizational

7.5.2 Roles

7.5.3 Policy Review

7.5.4 Procedures

7.6 Summary

7.7 Keywords

7.8 Review Questions

7.9 Suggested Reading



7.1 Introduction
Information security affects all aspects of an organization. To ensure that all stakeholders
affected by security considerations are involved, a steering committee of executives should be
formed. Members of such a committee may include, amongst others, the chief executive officer
(CEO) or designee, business unit executives, chief financial officer (CFO), chief information
officer (CIO)/IT director, chief security officer (CSO), CISO, human resources, legal, risk
management, audit, operations and public relations. A steering committee serves as an effective
communication channel for management’s aims and directions and provides an ongoing basis
for ensuring alignment of the security programme with organizational objectives. It is also
instrumental in achieving behavior change toward a culture that promotes good security practices
and policy compliance.

7.2 Challenges to establishing a Steering Committee


Steering committees are an important component of the project management process.
When creating one, there are some challenges and potential pitfalls that leaders need to be
aware of. This creates a lot of positives as many voices and interests can be taken into account
throughout the project lifecycle. Unfortunately, this can also create a challenge as personality
conflicts can arise since those in senior leadership may take a more active decision-making
role over those that are mid-level managers. This can create tense conflicts and competing
interests.

a. Handling differing personalities and interests:

It is crucial for leaders to have various levels of managers and executives on the steering
committee.

b. An increase in meetings:

Naturally, steering committees will want to meet to decide on project budgets, scopes,
changes, and any other topic that could arise.

c. The threat of bargaining:

Again, many of the members of the steering committee could only be concerned about
their interest.

d. Defined roles:

This might not be everyone’s first time on a steering committee, so many will probably
know the basics of how it works.

e. A higher probability of group-think:

Often, there is either one person or a small group of people who decide to take the lead
in a group setting.

7.3 Essential steps for creating effective Steering committee


With challenges and disadvantages in mind, leaders can make informed decisions on
taking steps to create an effective steering committee. Below are steps leaders can take to
create well-functioning and efficient project steering committees.

a. Pick the Right People

• The first factor is the individual’s personality and the likelihood that they are successful
working in teams.

• The other major factor is organizational representation. For large projects, the various
departments in the organization should be represented by someone with appropriate
decision-making authority.

b. Inform Them of the Project

• Regardless of the experience that everyone may have serving on steering
committees, each person needs to understand the plan, description, purpose, and
current scope.

• Members should receive information before the initial meeting so they can craft any
questions they have beforehand.

c. Set Clear Rules and Goals

• Leaders need to give steering committee members the tools to perform their duties
by setting standards and clear goals.

• Does the budget need to stay within a specific parameter?

• How many deadline or scope changes will be allowed?

• Is there a limit on ideas that can be implemented? These are all questions that need
to be answered in meetings with steering committee members.

d. Schedule Follow-Up Meetings as Necessary

• Frequent meetings can decrease efficiency and effectiveness. Therefore, leaders
need to only schedule meetings when there is something appropriate to discuss,
such as a budget or scope change.

• If changes are not frequent, leaders may want to schedule benchmark meetings
throughout the development of the project as needed.

• It is crucial that every session has a defined purpose.

e. Make Communication and Debriefing a Priority

• This can happen through developing a mechanism for committee members to
communicate with each other and the project manager.

• Leaders can create a plan for teams to meet with the steering committee to answer
questions and update them on progress, or even utilize a company intranet for
progress updates.

• After the completion of the project, leaders should debrief with committee members
to gain insight into the process and any problems that occurred.

7.3.1 Other Personnel concerned with Information Security Governance

• Board members understand that information security is critical to the company and
require regular updates on performance and security incidents.

• The officers and business unit managers participate in a risk management committee
that meets regularly on the topic of information security.

• Executive management sets acceptable risk levels, which are the basis for the
company’s security policies and related practices.

• Executive management holds business unit managers responsible for carrying out
risk management activities for their specific business units.

• Critical business processes are documented along with the risks that are inherent
in the different steps within the business processes.

• Employees are held accountable for any security breaches they participate in, either
maliciously or accidentally.

7.4 Best Practices for Developing a Steering Committee


Below are helpful tips leaders can use to create an effective and efficient steering committee
that guide project teams to success.

Provide Training and Coaching

There may be some members that are new to serving on a steering committee. Leaders
can help ease them into their duties by providing training and coaching. Committee members
are as productive as their experience will allow, so it is essential that leaders offer an adequate
education for committee members new and experienced.

Keep a Manageable Size

Leaders should make it a priority not to make steering committee teams too small or too big.
One change management framework suggested that leaders keep the size to around six, a
size large enough to represent many of the organization’s departments but not so big as to
encroach on efficiency.

Always Provide Agenda Information Beforehand

Meetings will go a lot faster and operate at a higher level of efficiency if agendas concerning
project information are given to the steering committee before they arrive. This will allow them
to craft any initial questions they have before the meeting to save time.

Encourage Fast Decision-Making

It makes sense for members to take time to make informed decisions, however, when a
group is involved, a decision that should only take 24 hours could end up taking a week if there
are not any established parameters for how long decision-making should take. Leaders should
express that the purpose is not about rushing decisions but facilitating efficiency so that teams
are not left to push back deadlines.

Have a Liaison between the Project Manager and Committee

It is a great idea to have the project manager serve as the liaison between the project
team and the steering committee. It will cut down confusion if all questions, concerns, and
decisions are communicated to the project manager so they can disperse the information
uniformly.

7.4.1 Operation rules of the Steering Committee

a. Role of the Steering Committee

The Steering Committee is the governing body of the Correlation Network. The major
goal of the Steering Committee is facilitating the fulfilment of the Correlation Network mission
by developing and supporting policies, strategies and operational implementations of the network.

b. Membership and Structure

The Steering Committee consists of its chairperson, the two network coordinators and
6 representatives, including at least one community representative. The total number of Steering
Committee members, representing specific thematic focus and communities, is defined by them.

c. Rights and Responsibilities

Steering Committee members work voluntarily without financial compensation for their
work within the Steering Committee. Members receive all available information related to
the Network’s operation on demand. SC members receive annual Correlation Network
Progress Reports provided by the CNO.

7.5 Policies & Procedure


A policy is a set of principles that define what we will do and why. It can:

• Translate values into the way we operate

• Achieve compliance with our responsibilities and legal obligations

• Help achieve the Council Plan and other strategic documents

• Help manage risk.

7.5.1 Policies are either council or organizational


• Council Policies relate to our customers and community and include planning policies.
Council Policies will influence and guide what services are provided and consequently
how Council is perceived by our community.

• Organizational Policies relate to the internal business of the council (around matters
such as corporate services or governance). Organizational Policies will have a direct
effect on our staff but will not have specific relevance to our customers.

• Along with legislation, local laws, charters, delegations and Terms of Reference,
policies provide the controls that Council operates within.

7.5.2 Roles
• Policy Coordinator: The Policy Coordinator ensures that the process of developing,
approving, reviewing and rescinding a policy is managed effectively for the
organization. This role is undertaken by the Executive and Commercial Services
Officer, who also administers the policy register.

• Policy Owner: Staff who are accountable for particular areas are Policy Owners.
This role ensures that the policies they are accountable for are kept up to date,
reviewed on time, and communicated effectively.

• Policy Author: Policy Owners may assign responsibility for writing or reviewing a
policy to a Policy Author in their team. The Policy Owner still has accountability for
the policy and must ensure it meets its objectives.

• Policy Review Group: The Policy Review Group consists of the Manager Executive
and Commercial Services and three members of the Loddon Leaders group (who
are appointed annually on a rotating basis). The role of the group is to check all
policies and procedures to ensure they are checked, complete and ready for
finalization prior to them being submitted to the MEG for approval.

7.5.3 Policy Review

The Policy Owner will determine the regular review frequency in accordance with the
guidelines. However, a review may be triggered at any time if necessary, due to events such as
changes in legislation, Council Plan or stakeholder issues. The Policy Coordinator will enter a
policy’s review date and Policy Owner on the policy and procedure register, and reminders will
be sent six months in advance for each policy review. Every six months, a report will be provided
by the Policy Coordinator to the MEG on the status of review dates and their completion. All
policies must be reviewed at least once every four years to ensure they are consistent with the
Council Plan.

7.5.4 Procedures

Procedures prescribe specific actions needed to be taken to implement a policy or other
requirement such as a legal obligation. They set out the how, when and who, in order to:

• Provide clear instruction on the way that a policy will be implemented

• Ensure uniformity and compliance across the organization

• Allow monitoring of policy implementation.

7.6 Summary
Information security affects all aspects of an organization. To ensure that all stakeholders
affected by security considerations are involved, a steering committee of executives should be
formed. Steering committees are an important component of the project management process.
With challenges and disadvantages in mind, leaders can make informed decisions on taking
steps to create an effective steering committee. The Steering Committee is the governing body
of the Correlation Network. The Steering Committee consists of its chairperson, the two network
coordinators and 6 representatives, including at least one community representative. Steering
Committee members work voluntarily without financial compensation for their work within the
Steering Committee. The Policy Coordinator will enter a policy’s review date and Policy Owner
on the policy and procedure register, and reminders will be sent six months in advance for each
policy review. Procedures prescribe specific actions needed to be taken to implement a policy
or other requirement such as a legal obligation.

7.7 Keywords
CEO - Chief Executive Officer

CIO - Chief Information Officer

CFO - Chief Financial Officer

CSO - Chief Security Officer

CNO - Computer Network Operation

CISO - Chief Information Security Officer



7.8 Review Questions

1. List the challenges to establishing a Steering Committee.

2. What are the essential steps for creating an effective Steering Committee? Explain.

3. How is a steering committee developed? Explain.

4. Discuss in detail the operation rules of a steering committee.

5. Give a brief account of policies and procedures.

7.9 Suggested Reading

1. Anthony Tarantino, “The Governance, Risk, and Compliance Handbook”, Wiley; 1st
edition (March 14, 2008).

2. “Information Security Governance: Guidance for Information Security Managers”,
2nd Edition, 2008, IT Companion Publication.

LESSON – 8
Various Forms of Management
Learning Objectives

At the end of this lesson the student will have knowledge of the following:

• Understanding personnel management at all levels

• Know the process of hiring and developing employees

• Know the importance of financial management

• Various elements of financial management

• Understanding the process of quality management

Structure of Lesson
8.1 Introduction

8.2 Personnel Management

8.2.1 Outsourcing practices and strategies

8.3 Financial Management

8.3.1 Financial Management Practices

8.3.2 Importance of Financial Management

8.3.3 Elements of Financial Management

8.4 Quality Management

8.5 Summary

8.6 Keywords

8.7 Review Questions

8.8 Suggested Reading

8.1 Introduction
The various forms of management are personnel, financial and quality management.
Personnel management (the staffing function of management) is also known as Human Resource
Management (HRM). Personnel management is concerned with the proper use of human factors.
Personnel management may be defined as that part of the management process which is
primarily concerned with the human constituents of an organization. Financial management in
a business seeks to plan and direct the use of the company’s financial resources, and Quality
Management Systems (QMS) are, typically, customer focused.

8.2 Personnel Management


Personnel management can also be defined as that field of management which is
concerned with the planning, organizing, directing and controlling of the various operative functions
of procurement, development, maintenance and utilization of a labor force in such a way that the
objectives of the company, those of personnel at all levels and those of the community are achieved.

• Encourage the technical development of all team members

• Train technical and non-technical personnel on compliance requirements

• Assorted other managerial tasks and responsibilities

Personnel management is a vital part of running a successful IT department. As the
manager, you’ll be tasked with hiring, providing support and training for junior team members, and
getting them up to speed with compliance requirements and best practices.

Personnel management is defined as an administrative specialization that focuses on
hiring and developing employees to become more valuable to the company. It is sometimes
considered to be a sub-category of human resources that only focuses on administration. It
typically covers:

• Hiring

• Employee handbook

• Promotion policies

• Training

• Scheduling and time reporting

• Employee performance evaluations

• Required vacations

• Termination policies
Sourcing practices relate to the way an organization obtains the IS function required to
support the business. Organizations can perform all IS functions in-house or outsource all
functions across the globe. Sourcing strategy should consider each IS function and determine
which approach allows the IS function to meet the organization’s goals.

8.2.1 Outsourcing practices and strategies


• Contractual agreements under which an organization hands over control of part or
all of the functions of the IS department to an external party.

• Becoming increasingly important in many organizations.

• The IS auditor must be aware of the various forms outsourcing can take as well as
the associated risks.

8.3 Financial Management


Financial management in a business seeks to plan and direct the use of the company’s
financial resources: the cash it generates through its operations and the capital obtained from
investors or lenders. Although a company may have an accounting staff or an outside accounting
firm to provide financial guidance, financial management is one of the most important aspects
of the business owner’s job.

Information security and financial management

Security issues in financial accounting are complex and the risks are often difficult to
stipulate, even for experts. The issues presented here are intended as a contribution to the
consolidation of problems in the field of risk, and of previously identified vulnerabilities in cyber
security in financial accounting.

The use of an information security management system became a requirement for
organizations because states began adopting mandatory data protection and information
legislation, but also because of attacks on organizations that may have severe negative
consequences, such as the theft and sale of confidential strategies to competitors, of trade and
technological secrets, and the theft and illegal use of customer data.

8.3.1 Financial Management Practices


• User-pays scheme – charge-back

• IS budgets

8.3.2 Importance of Financial Management

The importance of financial management to an organization is vital. It is a pathway to
attaining goals and objectives. The financial manager measures organizational efficiency through
proper allocation, acquisition, and management. It improves operational efficiency by providing
a timely supply of funds. The following points show the importance of financial management:

• Provides guidance in financial planning

• Assists in acquiring funds from different sources

• Helps in investing the appropriate amount of funds

• Increases organizational efficiency

• Reduces delays in production

• Cuts down financial costs

• Reduces the cost of funds

• Ensures proper use of funds

• Helps the business firm to take financial decisions

• Provides a guideline for earning maximum profits at minimum cost

• Increases shareholders’ wealth

• Controls the financial aspects of the business

• Provides information through financial reporting

• Makes the employees aware of saving funds.

Besides these, there are some other significant features which are also relevant to a
startup business.

Figure 8.1: Significant features of Financial Management

Proper financial management improves the transparency and speed of payables and
receivables management. Hence, a relationship of trust is built up with suppliers and customers.
It helps to minimize organizational expenses. Financial management does not support maximizing
prepaid expenses; it helps you to reduce them. This management helps you to determine the
value of assets and to manage those assets. When the procurement of funds reduces costs, the
efficiency of production will increase, which will enhance organizational profitability. Timely
management of funds helps you to reduce the cost of funds and increase the value of the
organization.

Financial management is a process of utilizing resources. This management does not
encourage you to keep excess money on hand. It focuses on the proper use of funds to reduce
the cost of funds. It reduces organizational expenses and thus increases organizational value.
Finally, we can say that in a startup business, management, and especially financial managers,
are very much responsible for the financial strength of the business organization. They prepare all
the reports, including investment plans and strategies, for the long-term achievements of their
business organizations. So, we can conclude that financial management is very vital for any
start-up business to plan, organize, operate, control and monitor financial resources for achieving
the ultimate goals as well as objectives.

8.3.3 Elements of Financial Management

The four elements of financial management can be described as the four steps of the
control process. By following the four-step control process, a manager can make their
department more effective, which increases productivity. Three categories of controls can be
used to monitor employee discipline, manage their schedules, and enforce budgets that have
been set.

The four steps of control process include the following:

• Planning

• Controlling

• Organizing and Directing

• Decision Making

Planning:

Identify the steps that must be taken to accomplish an organization’s objectives.

Controlling:

Make sure that each area of the organization is following the plans that have been
established.

Organizing and Directing:

Decide how to use organizational resources to most effectively carry out established
plans.

Decision-Making:

Make choices among available alternatives.

8.4 Quality Management


• Software development, maintenance and implementation

• Acquisition of hardware and software

• Day-to-day operations

• Service management

• Security

• Human resource management

• General administration

Figure 8.2: Quality Management System

8.5 Summary
Personnel management can also be defined as that field of management which is
concerned with the planning, organizing, directing and controlling of various operative functions.
It also focuses on the administrative specialization that deals with the process of hiring and
developing employees to become more valuable to the company. Personnel management is
defined as an administrative specialization that focuses on hiring and developing employees to
become more valuable to the company. Organizations can perform all IS functions in-house or
outsource all functions across the globe. Sourcing strategy should consider each IS function
and determine which approach allows the IS function to meet the organization’s goals. Security
issues in financial accounting are complex and the risks are often difficult to stipulate, even for
experts. The use of an information security management system became a requirement for
organizations because states began adopting mandatory data protection and information
legislation. The importance of financial management to an organization is vital. The four elements
of financial management can be described as the four steps of the control process.

8.6 Keywords
QMS - Quality Management Systems

HRM - Human Resource Management

8.7 Review Questions


1. Write a note on personnel management.

2. List out the importance of financial management.

3. What are the features of financial management?

4. Describe the elements of financial management.

5. Explain quality management with a neat sketch.

8.8 Suggested Reading


1. William McKnight, “Information Management” (The Savvy Manager’s Guide), 12
December 2013.

LESSON – 9
Information Security Management
Learning Objectives

At the end of this lesson student will get knowledge about the following:

• Know the various information security management policies

• Know the purpose of ISM

• Understand the ISM principles

• Understand the process of performance measures

• Know the roles and responsibilities

Structure of Lesson
9.1 Introduction

9.2 Information Security Management Policy

9.2.1 Scope of application

9.2.2 Purpose

9.2.3 Policy Specifics - Operations

9.3 Information Security Management Principles

9.4 Performance Optimization

9.5 Auditing IT Governance Structure and Implementation

9.6 Roles and Responsibilities

9.7 Summary

9.8 Keywords

9.9 Review Questions

9.10 Suggested Reading

9.1 Introduction
Information Security Management (ISM) describes controls that an organization needs to
implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity
of assets from threats and vulnerabilities. By extension, ISM includes information risk
management, a process which involves the assessment of the risks an organization must deal
with in the management and protection of assets, as well as the dissemination of the risks to all
appropriate stakeholders. This requires proper asset identification and valuation steps, including
evaluating the value of confidentiality, integrity, availability, and replacement of assets.

9.2 Information Security Management Policy


The purpose of information security management is to provide and protect information
and property from all types of threats, internal or external, accidental or deliberate, by establishing,
implementing, executing, monitoring, reviewing, maintaining and improving an information security
management system (ISMS). The implementation of these policies and rules is important for
maintaining the integrity of information systems and for ensuring the provision of services to
insured persons, employees of the National Health Insurance Fund (NHIF) and other stakeholders.

The Policy ensures and guarantees that:

• Information is protected from unauthorized access.

• Confidentiality of information shall be kept.

• Information shall not be disclosed to unauthorized persons through any accidental or
deliberate action.

• Integrity of information shall be maintained by protecting against unauthorized changes.

• Access for authorized persons shall be enabled when needed for modifying the
information.

• Compliance is ensured with all regulatory and legal requirements.

• The policy is supported through a business continuity plan which will be defined,
maintained and tested in continuous practical work.

• Training is delivered in all NHIF organizational units.

• Any violation of safe handling of information shall be reviewed and investigated.

• All security violations will be documented and investigated.

9.2.1 Scope of application

All employees are responsible for implementing security policies and information security
and must provide support to the management bodies that have prescribed the policies and
rules.

• Protection of NHIF information

• Protection of information assets

• Providing reliable information

• Ensuring the availability of information to authorized persons

• Confidentiality in all cases of access to existing information.

9.2.2 Purpose

Privacy Information Security Management should identify risks to property and property
value, and identify possible vulnerabilities and potential causes of unwanted incidents which may
result in damage to the system or to NHIF. Risks are managed to an acceptable level through the
design, implementation and maintenance of the ISMS.

The policy is in compliance with other standards and NHIF documents, including:

• Standard ISO 9001:2001

• Documents on establishment, operation and organization

• Compliance with NHIF contractual obligations

• Compliance with NHIF instructions

• Ensuring operation in accordance with ISO 27001:2005

• Ensuring the accomplishment of objectives under ISO 27001:2005 and maintaining
the certified status.

9.2.3 Policy Specifics – Operations

Specific rules are set up to support these documents, including:

1. Physical security

2. System Access Control and Data

3. Education regarding safety and specific training in relation thereto

4. Internet and e-mail communication

5. Data Protection through copies

6. Use of mobile devices

7. Storage and Availability of Confidential Information

8. Prevention and detection of activity of software viruses or other malicious codes.

9.3 Information Security Management Principles


There are several principles of information security, and confidentiality, integrity and
availability, known together as the CIA Triad, are used as the core principles of information
security.

Figure 9.1: CIA Triad

Confidentiality

This is equivalent to privacy, and it has a set of rules which limits access to information. It
protects against disclosure of information to unintended recipients and is designed to prevent
sensitive information from reaching the wrong people. It ensures that only the designated person
gets the information and access will be restricted to those authorized to view the data in question.

Breaches of confidentiality take many forms. Permitting someone to look over your shoulder
at your computer screen while you have confidential data displayed on it could be a breach of
confidentiality. If a laptop computer containing sensitive information about a company’s employees
is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information
over the telephone is a breach of confidentiality if the caller is not authorized to have the
information.

Integrity

It involves maintaining the consistency, accuracy, and trustworthiness of data over its
entire life cycle, and allows transferring accurate and desired information from senders to intended
receivers. It ensures that data cannot be altered by unauthorized people. This is not the same
thing as referential integrity in databases. Integrity is violated when an employee accidentally or
with malicious intent deletes important data files, when a computer virus infects a computer,
when an employee is able to modify his own salary in a payroll database, when an unauthorized
user vandalizes a web site, when someone is able to cast a very large number of votes in an
online poll, and so on.

Availability

Ensures the readiness of the information on requirement. To simplify, information must
be available to authorized person(s) when they require it. Availability is best ensured by rigorously
maintaining all hardware, performing hardware repairs immediately when needed and maintaining
a correctly functioning operating system environment that is free of software conflicts.

For any information system to serve its purpose, the information must be available when
it is needed. This means that the computing systems used to store and process the information,
the security controls used to protect it, and the communication channels used to access it must
be functioning correctly. High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system upgrades. Ensuring
availability also involves preventing denial-of-service attacks.

9.4 Performance Optimization


Five ways to use performance measures:

• Measure products/services

• Manage products/services

• Assure accountability

• Make budget decisions

• Optimize performance

Measuring, monitoring and reporting on information security processes are required to
ensure that organizational objectives are achieved. Methods to monitor security-related events
across the organization must be developed; it is critical to design metrics that provide an indication
of the performance of the management system and, from a management perspective, information
needed to make decisions to guide the security activities of the organization.

The following factors must be considered during development and implementation of an
information security measurement program:

• Measures must yield quantifiable information.

• Data that supports the measures needs to be readily obtainable.

• Only repeatable information security processes should be considered for
measurement.

• Measures must be useful for tracking performance and directing resources.

The critical success factors of an information security performance management program
can be counted as the following four interdependent components:

• Strong upper-level management support

• Practical information security policies and procedures

• Quantifiable performance metrics

• Results-oriented measures analysis

Figure 9.2 Components of information security performance management

The foundation of strong upper-level management support is critical, not only for the
success of the information security program, but also for the program’s implementation.

The second component is the existence of information security policies and procedures
backed by the authority necessary to enforce compliance. Information security policies delineate
the information security management structure, clearly assign information security responsibilities
and lay the foundation needed to reliably measure progress and compliance.

The third component is developing and establishing quantifiable performance metrics
that are designed to capture and provide meaningful performance data. To provide meaningful
data, quantifiable information security metrics must be based on information security performance
goals and objectives and be easily obtainable and feasible to measure.

Finally, the information security measurement program itself must emphasize consistent
periodic analysis of the measures data. Results of this analysis are used to apply lessons
learned, improve effectiveness of existing security controls, and plan for the implementation of
future security controls to meet new information security requirements as they occur.

Indicators of effective performance measurement might include:

• The time it takes to detect and report security-related incidents

• The number and frequency of subsequently discovered unreported incidents

• Benchmarking comparable organizations for costs and effectiveness

• The ability to determine the effectiveness/efficiency of controls

• Clear indications that security objectives are being met

• The absence of unexpected security events

• Knowledge of impending threats

• Effective means of determining organizational vulnerabilities

• Methods of tracking evolving risk

• Consistency of log review practices

• Results of business continuity planning (BCP)

9.5 Auditing IT Governance Structure and Implementation


Indicators of potential problems include:

• Unfavourable end-user attitudes

• Excessive costs

• Budget overruns

• Late projects

• High staff turnover

• Inexperienced staff

• Frequent hardware/software errors

The following documents should be reviewed:

• IT strategies, plans and budgets

• Security policy documentation

• Organization/functional charts

• Job descriptions

• Steering committee reports

• System development and program change procedures

• Operations procedures

• Human resource manuals

• Quality assurance procedures

Reviewing Contractual Commitments

There are various phases to computer hardware, software and IS service contracts,
including:

• Development of contract requirements and service levels

• Contract bidding process

• Contract selection process

• Contract acceptance

• Contract maintenance

• Contract compliance

Case Study: A Scenario

An IS auditor has been asked to review the draft of an outsourcing contract and SLA and
recommend any changes or point out any concerns prior to these being submitted to senior
management for final approval. The agreement includes outsourcing support of Windows and
UNIX server administration and network management to a third party.

Servers will be relocated to the outsourcer’s facility that is located in another country, and
connectivity will be established using the Internet. Operating system software will be upgraded
on a semi-annual basis, but it will not be escrowed. All requests for addition or deletion of user
accounts will be processed within three business days.

Intrusion detection software will be continuously monitored by the outsourcer and the
customer notified by e-mail if any anomalies are detected. New employees hired within the last
three years were subject to background checks. Prior to that, there was no policy in place.

A right to audit clause is in place, but 24-hour notice is required prior to an on-site visit. If
the outsourcer is found to be in violation of any of the terms or conditions of the contract, it will
have 10 business days to correct the deficiency. The outsourcer does not have an IS auditor,
but it is audited by a regional public accounting firm.

9.6 Roles and Responsibilities


Although members of an organization frequently wear multiple hats, defined roles and
responsibilities are important in the security administration process. Also, roles and responsibilities
are central to the separation of duties concept, the concept that security is enhanced through
the division of responsibilities in the production cycle.

Some of these roles are:

• Senior Management: Executive or senior-level management is assigned the overall
responsibility for the security of information. Senior management might delegate
the function of security, but they are viewed as the end of the food chain when
liability is concerned.

• Information Systems Security Professionals: Information systems security
professionals are delegated the responsibility for implementing and maintaining
security by the senior-level management. Their duties include the design,
implementation, management, and review of the organization’s security policy,
standards, guidelines, and procedures.

• Data Owners: As we previously discussed in the section titled “Information
Classification Roles,” data owners are primarily responsible for determining the
data’s sensitivity or classification levels. They can also be responsible for maintaining
the information’s accuracy and integrity.

• Users: As we previously discussed in the section titled “Information Classification
Roles,” users are responsible for following the procedures set out in the organization’s
security policy during the course of their normal daily tasks.

• Information Systems Auditor: Information systems auditors are responsible for
providing reports to the senior management on the effectiveness of the security
controls by conducting regular, independent audits. They also examine whether the
security policies, standards, guidelines, and procedures effectively comply with the
company’s stated security objectives.

9.7 Summary
Information Security Management describes controls that an organization needs to
implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity
of assets from threats and vulnerabilities. The purpose of information security management is
to provide and protect information and property from all types of threats, internal or external,
accidental or deliberate, by establishing, implementing, executing, monitoring, reviewing,
maintaining and improving an information security management system. Privacy Information
Security Management should identify risks to property and property value, and identify possible
vulnerabilities and potential causes of unwanted incidents. There are several principles of
information security, and one of the core principles is the CIA triad. Confidentiality is equivalent
to privacy, and it has a set of rules which limits access to information. Integrity ensures that data
cannot be altered by unauthorized people. Availability is best ensured by rigorously maintaining
all hardware and performing hardware repairs immediately. Measuring, monitoring and reporting
on information security processes are required to ensure that organizational objectives are achieved.

9.8 Keywords
ISM - Information Security Management

NHIF - National Health Insurance Fund

CIA - Confidentiality, Integrity and Availability

BCP - Business Continuity Planning

9.9 Review Questions


1. List out the information security management policies.

2. Write a brief note on the purpose of ISM.

3. What are the five ways to use performance measures?

4. Discuss the components of information security performance management.

5. Examine the information security management principles with a neat sketch.

6. Explain the roles and responsibilities of members of the organization.

9.10 Suggested Reading


1. William McKnight, “Information Management” (The Savvy Manager’s Guide), 12
December 2013.

LESSON – 10
Risk Management Process
Learning Objectives

At the end of this lesson student will get knowledge about the following:

• Understand the process of risk management

• Know how to measure severity and examine alternative solutions

• Know the various steps whose combination makes up risk management

• Understand risk management as a cyclic process

• Know the risk treatments: transfer, avoidance, retention and control

Structure of Lesson
10.1 Introduction

10.2 Developing various process of risk management

10.3 Seven steps for risk management

10.4 Summary

10.5 Keywords

10.6 Review Questions

10.7 Suggested Reading

10.1 Introduction
Implementing a risk management process is vital for any organization. Good risk
management doesn’t have to be resource intensive or difficult for organizations to undertake or
insurance brokers to provide to their clients. With a little formalization, structure, and a strong
understanding of the organization, the risk management process can be rewarding.

Risk management does require some investment of time and money, but it does not need
to be substantial to be effective. In fact, it will be more likely to be employed and maintained if
it is implemented gradually over time.

10.2 Developing various process of Risk Management


The key is to have a basic understanding of the process and to move towards its
implementation.

Figure 10.1: Risk Management Process

1. Identify potential risks

The four main categories of risk are hazard risks, such as fires or injuries; operational
risks, including turnover and supplier failure; financial risks, such as economic recession;
and strategic risks, which include new competitors and brand reputation. Being able to identify
what types of risk you have is vital to the risk management process.

An organization can identify their risks through experience and internal history, consulting
with industry professionals, and external research. They may also try interviews or group
brainstorming, as discussed in the Project Manager article “8 New Ways to Identify Risks”. It’s
important to remember that the risk environment is always changing, so this step should be
revisited regularly.

2. Measure frequency and severity

Many organizations use a heat map to measure their risks on this scale. A risk map is a
visual tool that details which risks are frequent and which are severe (and thus require the most
resources). This will help you identify which are very unlikely or would have low impact, and
which are very likely and would have a significant impact.

Knowing the frequency and severity of your risks will show you where to spend your time
and money and allow your team to prioritize their resources. More details on risk maps can be
found in the blog posts on the topic: “The Importance of Risk Mapping” and “How to Build a Risk
Map”.

3. Examine alternative solutions

What are the potential ways to treat the risk and of these, which strikes the best balance
between being affordable and effective? Organizations usually have the options to accept, avoid,
control, or transfer a risk.

Accepting the risk means deciding that some risks are inherent in doing business and
that the benefits of an activity outweigh the potential risks. To avoid a risk, the organization
simply has to not participate in that activity. Risk control involves prevention (reducing the
likelihood that the risk will occur) or mitigation, which is reducing the impact it will have if it does
occur.

Risk transfer involves giving responsibility for any negative outcomes to another party, as
is the case when an organization purchases insurance.

4. Decide which solution to use and implement it

Once all reasonable potential solutions are listed, pick the one that is most likely to achieve
desired outcomes. Find the needed resources, such as personnel and funding, and get the
necessary buy-in. Senior management will likely have to approve the plan, and team members
will have to be informed and trained if necessary. Set up a formal process to implement the
solution logically and consistently across the organization and encourage employees every
step of the way.

5. Monitor results

Risk management is a process, not a project that can be “finished” and then forgotten
about. The organization, its environment, and its risks are constantly changing, so the process
should be consistently revisited. Determine whether the initiatives are effective and whether
changes or updates are required. Sometimes, the team may have to start over with a new
process if the implemented strategy is not effective.

If an organization gradually formalizes its risk management process and develops a risk
culture, it will become more resilient and adaptable in the face of change. This will also mean
making more informed decisions based on a complete picture of the organization’s operating
environment and creating a stronger bottom line over the long-term.

Clear Risk’s cloud-based Claims, Incident, and Risk management system allows
organizations to better control their risk management activities. They are proud to help their
customers introduce new risk management initiatives and lower the cost of risk.

Essentially, risk management is the combination of three steps:

a. Risk evaluation

b. Emission and exposure control

c. Risk monitoring.

Risk management has also been defined as a systematic approach used to identify, evaluate,
and reduce or eliminate the possibility of an unfavorable deviation from the expected outcome of
medical treatment, and thus to prevent the injury of patients as a result of negligence and the loss
of financial assets resulting from such injury.

10.3 Seven steps for Risk Management


In this context of risk management, the ‘mathematical valuation of risk’ is indeed important.
The risk management system has seven steps, which actually form a cycle:

1. Establish the context,

2. Identification,

3. Assessment,

4. Potential risk treatments,

5. Create the plan,

6. Implementation,

7. Review and evaluation of the plan.

Figure 10.2: Steps of risk management

1. Establish the Context

Establishing the context includes planning the remainder of the process and mapping out
the scope of the exercise, the identity and objectives of stakeholders, the basis upon which
risks will be evaluated and defining a framework for the process, and agenda for identification
and analysis.

2. Identification

After establishing the context, the next step in the process of managing risk is to identify
potential risks. Risks are about events that, when triggered, will cause problems. Hence, risk
identification can start with the source of problems, or with the problem itself.

Risk identification requires knowledge of the organization, the market in which it operates,
the legal, social, economic, political, and climatic environment in which it does its business, its
financial strengths and weaknesses, its vulnerability to unplanned losses, the manufacturing
processes, and the management systems and business mechanism by which it operates.

Any failure at this stage to identify risk may cause a major loss for the organization. Risk
identification provides the foundation of risk management. The identification methods are formed
by templates, or the development of templates, for identifying the source, problem or event. The
various risk identification methods are.

3. Assessment

Once risks have been identified, they must then be assessed as to their potential severity
of loss and to the probability of occurrence. These quantities can be either simple to measure,
in the case of the value of a lost building, or impossible to know for sure in the case of the
probability of an unlikely event occurring.

Therefore, in the assessment process, it is critical to make the best-educated guesses
possible in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence, since
statistical information is not available on all kinds of past incidents. Furthermore, evaluating the
severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation
is another question that needs to be addressed.

Thus, best educated opinions and available statistics are the primary sources of information.
Nevertheless, a risk assessment should produce such information for the management of the
organization that the primary risks are easy to understand and that the risk management decisions
may be prioritized. Thus, there have been several theories and attempts to quantify risks.

Numerous different risk formulas exist, but perhaps the most widely accepted formula for
risk quantification is the rate of occurrence multiplied by the impact of the event. In business, it
is imperative to present the findings of risk assessments in financial terms. Robert Courtney Jr.
(IBM, 1970) proposed a formula for presenting risks in financial terms. The Courtney formula
was accepted as the official risk analysis method of the US governmental agencies.

The formula proposes the calculation of ALE (Annualized Loss Expectancy) and compares
the expected loss value to the security control implementation costs (Cost-Benefit Analysis).

4. Potential Risk Treatments

Once risks have been identified and assessed, all techniques to manage the risk fall into
one or more of these four major categories:

a. Risk Transfer

Risk transfer means that the exposed party transfers all or part of the losses arising from
a risk exposure to another party, for a price. Insurance contracts fundamentally involve risk
transfer. Apart from insurance, there are other techniques by which risk may be transferred.

b. Risk Avoidance

Risk avoidance means avoiding the risk, or the circumstances that may lead to losses, and
includes not performing an activity that could carry risk. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the
risk might have allowed. Not entering a business to avoid the risk of loss also avoids the possibility
of earning the profits.

c. Risk Retention

Risk retention means that the losses arising from a risk exposure are retained, or assumed,
by the party or organization itself. Risk retention is generally a deliberate decision for business
organizations with the following characteristics. Self-insurance and captive insurance are the two
methods of retention.

d. Risk Control

Risk can be controlled either by avoidance or by controlling losses. Avoidance implies that
either a certain loss exposure is not acquired or an existing one is abandoned. Loss control can
be exercised in two ways.

5. Create the Plan

Decide on the combination of methods to be used for each risk. Each risk management
decision should be recorded and approved by the appropriate level of management.

For example, a risk concerning the image of the organization should have a top management
decision behind it, whereas IT management would have the authority to decide on computer virus
risks. The risk management plan should propose applicable and effective security controls for
managing the risks.

A good risk management plan should contain a schedule for control implementation and
name the persons responsible for those actions. The risk management concept is old, but its
effectiveness is still not very well measured. For example, an observed high risk of computer
viruses could be mitigated by acquiring and implementing antivirus software.

6. Implementation

Follow all the planned methods for mitigating the effect of the risks. Purchase insurance
policies for the risks that have been decided to be transferred to an insurer, avoid all risks that
can be avoided without sacrificing the entity’s goals, reduce others, and retain the rest.

7. Review and Evaluation of the Plan

Initial risk management plans will never be perfect. Practice, experience and actual loss
results will necessitate changes in the plan and contribute information to allow possible different
decisions to be made in dealing with the risks being faced. Risk analysis results and management
plans should be updated periodically. There are two primary reasons for this:

 To evaluate whether the previously selected security controls are still applicable
and effective.

 To evaluate possible changes in the risk level caused by changes in the business
environment; information risks are a good example, because that environment changes rapidly.

10.4 Summary
Risk management does require some investment of time and money, but it does not need
to be substantial to be effective. With a little formalization, structure, and a strong understanding
of the organization, the risk management process can be rewarding. An organization can identify
its risks through experience and internal history, consulting with industry professionals, and
external research. Many organizations use a heat map (risk map) to rate their risks on a likelihood
and impact scale. Risk transfer involves giving responsibility for any negative outcomes to another
party, as is the case when an organization purchases insurance. Risk management is a process,
not a project that can be “finished” and then forgotten about. Risk identification requires knowledge
of the organization, the market in which it operates, and the legal, social, economic, political, and
climatic environment. Once risks have been identified, they must be assessed as to their potential
severity of loss and probability of occurrence. Risk analysis results and management plans should
be updated periodically.

10.5 Keywords
ALE - Annualized Loss Expectancy

RMP - Risk Management Process

CBA - Cost Benefit Analysis

10.6 Review Questions


1. How are risks identified in risk management?

2. What is the combination of three steps for risk management?

3. Explain the various categories of potential risk treatment.

4. Write a note on initial risk management plans.

5. Discuss in detail about the seven steps for risk management with neat sketch.

6. Describe the architecture of risk management process.

10.7 Suggested Reading


1. Michael P. Cangemi and Tommie W. Singleton, “Managing the Audit Function”,
Wiley; 3rd edition (April 11, 2003).

2. George Westerman and Richard Hunter, “IT Risk”, Harvard Business Review Press
(August 21, 2007).

LESSON – 11
Risk Analysis Methods
Learning Objectives

At the end of this lesson student will get knowledge about the following:

 Know the process of Qualitative and Quantitative Methods

 Understand the process of Monte Carlo method

 Know the selection process of the likelihood functions

 Understand the identification of the variables on which the risk is to be measured

 Know the generation of reports

Structure of Lesson
11.1 Introduction

11.2 Qualitative Methods

11.3 Quantitative Method

11.3.1 Monte Carlo Method

11.4 Semi Quantitative Method

11.5 Risk Model

11.5.1 Steps taken for the development of a Risk Model

11.6 Summary

11.7 Keywords

11.8 Review Questions

11.9 Suggested Reading

11.1 Introduction
After the risks have been identified and classified, we proceed to analyze them, that is, to
examine the likelihood and the consequences of each risk factor in order to establish the level of
risk of our project. The risk analysis will determine which risk factors would potentially have a
greater impact on the project and, therefore, must be managed by the entrepreneur with particular
care. There are three kinds of methods used for determining the level of risk of our business. The
methods can be:

 Qualitative Methods

 Quantitative Methods

 Semi-quantitative Methods.

11.2 Qualitative Method


 This is the kind of risk analysis method most often used for decision making in
business projects: entrepreneurs rely on their judgment, experience and intuition
when making decisions.

 These methods can be used when the level of risk is low and does not warrant the
time and resources necessary for making a full analysis.

 These methods are also used when the numerical data available are not adequate
for a more quantitative analysis that would serve as the basis for a subsequent and
more detailed analysis of the entrepreneur’s global risk.

 The qualitative methods include:

 Brainstorming

 Questionnaire and structured interviews

 Evaluation by multidisciplinary groups

 Judgment of specialists and experts (Delphi Technique)

11.3 Quantitative Method


 Quantitative methods are considered to be those that enable us to assign values of
occurrence to the various risks identified, that is, to calculate the level of risk of the
project.

 The quantitative methods include:

 Analysis of likelihood

 Analysis of consequences

 Computer simulation

These measurements can be developed by means of different mechanisms, among which
we note particularly the Monte Carlo Method, which is characterized by:

 A broad vision in order to show a range of possible scenarios

 Simplicity in putting it into practice

 Suitable for performing computer simulations

11.3.1 Monte Carlo Method


 This is a quantitative method for the development of a risk analysis. The method was
given this name in reference to the Principality of Monaco, which is famous as “the
capital of games of chance”.

 This method seeks to represent reality through a mathematical risk model, in such a
way that by assigning values randomly to the variables of the model, different
scenarios and results are obtained.

 The Monte Carlo Method is based on making a sufficiently high number of iterations
(assignments of values in a random fashion), so that the sample of results obtained
is sufficiently broad to be considered representative of a real situation. These
iterations can be made by using a data processing engine.

 With the results obtained from the various iterations made, a statistical study is
performed, from which relevant conclusions are extracted with respect to the risk of
the project, such as mean, maximum and minimum values, standard deviations,
variances and likelihood of occurrence of the different variables determined on
which to measure the risk.

11.4 Semi-Quantitative Method


 Word classifications are used, such as high, medium or low, or more detailed
descriptions of likelihood and consequences.

 These classifications are shown in relation to an appropriate scale for calculating
the level of risk. Careful attention must be given to the scale used in order to avoid
misunderstandings or misinterpretations of the results of the calculation.

11.5 Risk Model


This is a mechanism that enables us to put the Monte Carlo quantitative risk analysis
method into practice.

It is the representation of the reality to be analyzed through a structure of mathematical
calculations, in which the significant risk variables are calculated and placed in relation to the
rest of the variables that affect our project, and to the economic variables on which we are going
to measure the project’s level of risk: profit and net present value.

Why develop a Risk Model?

 For the measurement of the likelihood of occurrence of the risk and the impact that
it would have on our business project; this impact is measured in the Profit obtained
by the entrepreneur in the financial year and the Net Present Value of the business
project.

 Moreover, a risk model will enable us to carry out a control and monitoring of the
project, by comparing the value at risk of the variables with the real value finally
incurred in the period under analysis.

11.5.1 Steps taken for the development of a Risk Model

The steps to be taken for the development of a Risk Model based on the measurement of
the likelihood of occurrence are set out below:

Figure 11.1: Steps in development of a risk model

Stage 1- Selection of the likelihood functions


 Once the risk variables that affect the entrepreneur’s Business Plan have been
identified, we need to learn the behavior of such variables, that is, what their range
of variation is going to be for each of the projection periods.

 For this purpose, we need to identify the likelihood function that is associated with
each of the variables affected by the risk, that is, the function that explains and
reflects the behavior of the risk variable defined by the entrepreneur.
 Among the principal, most common and easiest for the user to apply, we note
particularly the following likelihood distribution functions, assignable to the variables
of a business project.
 Once the distribution functions have been analyzed, we identify those we consider
to be most in line with the risk variables selected by the entrepreneur, because
these will be the ones that best describe and reflect the behavior of the variable.
 We must note that the selection of the likelihood functions within the Risk Analysis
Module comes predefined by the tool, so that the entrepreneur will find an association
already made; each risk variable has been assigned a likelihood distribution.
 The entrepreneur must assign values to the variables of such functions in order to
be able to carry out the simulation.

Figure 11.2: Likelihood distribution functions



In some cases, the entrepreneur will be asked to determine what the range of variation is;
then he or she must indicate the minimum, maximum and, when so requested, the most likely
value.

 Minimum: The lowest value that the variable being analyzed can reach.

 Maximum: The highest value that the variable being analyzed can reach.

 Most likely: Value which the user feels can be reached by the variable being analyzed,
in normal circumstances.

For another kind of variable, the estimated value and the likelihood of occurrence associated
with it will be requested.

 Value 1: A possible value which the user assigns to the variable being analyzed.

 Likelihood 1: Likelihood of occurrence which the user considers for value 1.

 Value 2: Second possible value that the user assigns to the variable being analyzed.

 Likelihood 2: Likelihood of occurrence which the user considers for value 2.

 The likelihoods of occurrence 1 and 2 must together sum to 100%.

Stage 2 - Identification of the variables on which the risk is to be measured
 In order to quantify the risk of the business project, the variable or variables on
which this risk is going to be measured must be identified.

 In order to measure the global risk of a business project, the use of variables that
are representative of the value of the business is recommended.

There are several company assessment methods based on different criteria:

Figure 11.3: Company Assessment Methods



 Basing ourselves on the determination of the value of the company through an
estimate of the flows of money that it will generate in the future, we consider the Net
Present Value, NPV, of the business project as an adequate variable on which to
measure the risk and, as a supplementary short-term variable, the value of the Net
Profit.

 Using these output variables, the entrepreneur will be able to study the consequences
that the variability of the risk variables considered in his or her project will eventually
have on the business project.

Net Present value (NPV)


 This is a way to quantify, as of the date of today, the value of the flow of funds that
the company is going to generate year-after-year throughout its lifetime.

 The NPV is calculated by discounting the flow of funds of each of the years considered
at the weighted average cost of capital (WACC).

 That is, it means calculating the flow of funds generated by the project as the
difference between the collections and payments generated in a financial year and
bringing them to the present time by applying a discount rate.

 A discount rate is applied, which is the average cost of the funds the entrepreneur
uses, by averaging his/her own resources (capital, reserves) and outside resources
(debt).

Net Profit
 Result obtained after deducting from the value of the sales the total amount of the
expenses for the year (ordinary, extraordinary, financial expenses, depreciation and
taxes).

Stage 3- Computer Simulation


 A brief summary of the steps taken up to this point:

 The entrepreneur performs an exercise of reflection in order to identify the risks
through one of the methods proposed.

 Selects which variables of his/her Business Plan are affected by the risk.

 Introduces the values asked for by the tool for each of the variables affected by the
risk.

 Determines the output variable, profit or net present value, in which the total risk of
his/her business project is going to be quantified.

 At this point the tool will begin the simulation process, that is, it will make the
necessary iterations, through a data processing engine.

 This step will be executed automatically by the tool, the calculation engine will
generate a thousand iterations, in order to obtain a representative sample.

 The simulation randomly generates a thousand possible values for the risk variables,
all of which lie within the intervals previously defined by the user, and yields a thousand
values of the output variables, profit or net present value.

 This will enable the entrepreneur to arrive at conclusions on the degree of occurrence
or likelihood of the various possible results, such as, what is the most likely value of
what the business is worth and what is the minimum value or the maximum value
the profit could attain, etc.

Stage 4 - Generation of reports


 The results shown by the risk model are the conclusions that can be drawn from the
sample obtained from the iterations made, which is a representative sample.

Figure 11.4: Risk Analysis Tool



The reports generated by the Risk Analysis tool are as follows:

 Reports on the possible values to be taken by the output variables of the model (net
profit and net present value) and the likelihood associated with each of them.

 The Histogram shows the possible values of the net profit or of the NPV of the
business project that can be obtained with a certain level of confidence (likelihood
of occurrence associated with value).

11.6 Summary
The risk analysis will determine which risk factors would potentially have a greater impact
on the project. The qualitative methods can be used when the level of risk is low and does not
warrant the time and resources necessary for making a full analysis. Quantitative methods are
those that enable us to assign values of occurrence to the various risks identified. Monte Carlo
is a quantitative method for the development of a risk analysis and is based on making a
sufficiently high number of iterations. Word classifications are used in the semi-quantitative method,
such as high, medium or low, or more detailed descriptions of likelihood and consequences.
A risk model is the representation of the reality to be analyzed through a structure of mathematical
calculations, in which the significant risk variables are calculated and placed in relation to the
rest of the variables. Once the risk variables that affect the entrepreneur’s business plan have
been identified, the variable or variables on which the risk of the business project is going to be
measured must also be identified in order to quantify it. The NPV is calculated by discounting the
flow of funds of each of the years considered at the weighted average cost of capital. The tool
reports the possible values to be taken by the output variables of the model and the likelihood
associated with each of them.

11.7 Keywords
NPV - Net Present Value

WACC - Weighted Average Cost of Capital

11.8 Review Questions


1. Give a brief note on qualitative method with diagram.

2. What is Monte Carlo Method? Explain.



3. Explain likelihood distribution functions with neat sketch.

4. Show the identification of the variables on which the risk is to be measured.

5. Write a note on NPV.

6. Explain the architecture of risk analysis tool.

11.9 Suggested Reading


1. Michael P. Cangemi and Tommie W. Singleton, “Managing the Audit Function”,
Wiley; 3rd edition (April 11, 2003).

2. George Westerman and Richard Hunter, “IT Risk”, Harvard Business Review Press
(August 21, 2007).

LESSON – 12
Risk Management Framework
Learning Objectives

At the end of this lesson student will get knowledge about the following:

 Various components of risk management

 Know the limitations and effectiveness of risk management

 Various strategies used in the management

 Understanding the generic process

 Know the use of the report

Structure of Lesson
12.1 Introduction

12.2 Enterprise Risk Management

12.3 Components of Enterprise Risk Management

12.3.1 Effectiveness

12.3.2 Limitations

12.3.3 Encompasses Internal Control

12.4 Risk Management Generic Process

12.4.1 Risk Assessment

12.4.2 Risk Management Policy

12.4.3 Risk response

12.4.4 Risk reporting

12.4.5 Residual Risk reporting

12.4.6 Organization of this report

12.4.7 Use of this report



12.5 Information and Communication

12.5.1 Monitoring Activities

12.5.2 NIST

12.5.3 Risk Mitigation

12.6 Summary

12.7 Keywords

12.8 Review Questions

12.9 Suggested Reading

12.1 Introduction
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) developed a model for evaluating internal controls. This model has been adopted as
the generally accepted framework for internal control and is widely recognized as the definitive
standard against which organizations measure the effectiveness of their systems of internal
control. Over a decade ago, the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) issued Internal Control – Integrated Framework to help businesses and
other entities assess and enhance their internal control systems. That framework has since
been incorporated into policy, rule, and regulation, and used by thousands of enterprises to
better control their activities in moving toward achievement of their established objectives. Recent
years have seen heightened concern and focus on risk management, and it became increasingly
clear that a need exists for a robust framework to effectively identify, assess, and manage
risk. The need for an enterprise risk management framework, providing key principles and
concepts, a common language, and clear direction and guidance, became even more compelling.
COSO believes this Enterprise Risk Management – Integrated Framework fills this need, and
expects it will become widely accepted by companies and other organizations and indeed all
stakeholders and interested parties.

12.2 Enterprise Risk Management


Enterprise risk management (ERM) is a process, effected by an entity’s board of directors,
management and other personnel, applied in strategy setting and across the enterprise, designed
to identify potential events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The definition reflects certain fundamental concepts. Enterprise risk management is:

 A process, ongoing and flowing through an entity

 Effected by people at every level of an organization

 Applied in strategy setting

 Applied across the enterprise, at every level and unit, and includes taking an entity
level portfolio view of risk.

 Designed to identify potential events that, if they occur, will affect the entity and to
manage risk within its risk appetite.

 Able to provide reasonable assurance to an entity’s management and board of
directors.

 Geared to achievement of objectives in one or more separate but overlapping
categories.

This definition is purposefully broad. It captures key concepts fundamental to how
companies and other organizations manage risk, providing a basis for application across
organizations, industries, and sectors. It focuses directly on achievement of objectives established
by a particular entity and provides a basis for defining enterprise risk management effectiveness.

Achievement of Objectives

Within the context of an entity’s established mission or vision, management establishes
strategic objectives, selects strategy, and sets aligned objectives cascading through the
enterprise. This enterprise risk management framework is geared to achieving an entity’s
objectives, set forth in four categories:

 Strategic – high-level goals, aligned with and supporting its mission

 Operations – effective and efficient use of its resources

 Reporting – reliability of reporting

 Compliance – compliance with applicable laws and regulations.



This categorization of entity objectives allows a focus on separate aspects of enterprise
risk management. These distinct but overlapping categories – an objective can fall into more
than one category – address different entity needs and may be the direct responsibility of
different executives. This categorization also allows distinctions between what can be expected
from each category of objectives. Another category, safeguarding of resources, used by some
entities, is also described.

Because objectives relating to reliability of reporting and compliance with laws and
regulations are within the entity’s control, enterprise risk management can be expected to provide
reasonable assurance of achieving those objectives. Achievement of strategic objectives and
operations objectives, however, is subject to external events not always within the entity’s control;
accordingly, for these objectives, enterprise risk management can provide reasonable assurance
that management, and the board in its oversight role, are made aware, in a timely manner, of
the extent to which the entity is moving toward achievement of the objectives.

12.3 Components of Enterprise Risk Management


Enterprise risk management consists of eight interrelated components. These are derived
from the way management runs an enterprise and are integrated with the management process.

Figure 12.1 COSO Model



 Internal Environment – The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed and addressed by an entity’s
people, including risk management philosophy and risk appetite, integrity and ethical
values, and the environment in which they operate.

 Objective Setting – Objectives must exist before management can identify potential
events affecting their achievement. Enterprise risk management ensures that
management has in place a process to set objectives and that the chosen objectives
support and align with the entity’s mission and are consistent with its risk appetite.

 Event Identification – Internal and external events affecting achievement of an entity’s
objectives must be identified, distinguishing between risks and opportunities.
Opportunities are channeled back to management’s strategy or objective-setting
processes.

 Risk Assessment – Risks are analyzed, considering likelihood and impact, as a
basis for determining how they should be managed. Risks are assessed on an
inherent and a residual basis.

 Risk Response – Management selects risk responses – avoiding, accepting,
reducing, or sharing risk – developing a set of actions to align risks with the entity’s
risk tolerances and risk appetite.

 Control Activities – Policies and procedures are established and implemented to
help ensure the risk responses are effectively carried out.

 Information and Communication – Relevant information is identified, captured, and
communicated in a form and timeframe that enable people to carry out their
responsibilities. Effective communication also occurs in a broader sense, flowing
down, across, and up the entity.

 Monitoring – The entirety of enterprise risk management is monitored, and
modifications made as necessary. Monitoring is accomplished through ongoing
management activities, separate evaluations, or both.

Enterprise risk management is not strictly a serial process, where one component affects
only the next. It is a multidirectional, iterative process in which almost any component can and
does influence another.

12.3.1 Effectiveness

Determining whether an entity’s enterprise risk management is “effective” is a judgment
resulting from an assessment of whether the eight components are present and functioning
effectively. Thus, the components are also criteria for effective enterprise risk management.
For the components to be present and functioning properly there can be no material weaknesses,
and risk needs to have been brought within the entity’s risk appetite.

When enterprise risk management is determined to be effective in each of the four
categories of objectives, respectively, the board of directors and management have reasonable
assurance that they understand the extent to which the entity’s strategic and operations objectives
are being achieved, and that the entity’s reporting is reliable and applicable laws and regulations
are being complied with.

The eight components will not function identically in every entity. Application in small and
mid-size entities, for example, may be less formal and less structured. Nonetheless, small
entities still can have effective enterprise risk management, if each of the components is present
and functioning properly.

12.3.2 Limitations

While enterprise risk management provides important benefits, limitations exist. In addition
to factors discussed above, limitations result from the realities that human judgment in decision
making can be faulty, decisions on responding to risk and establishing controls need to consider
the relative costs and benefits, breakdowns can occur because of human failures such as
simple errors or mistakes, controls can be circumvented by collusion of two or more people,
and management has the ability to override enterprise risk management decisions. These
limitations preclude a board and management from having absolute assurance as to achievement
of the entity’s objectives.

12.3.3 Encompasses Internal Control

Internal control is an integral part of enterprise risk management. This enterprise risk
management framework encompasses internal control, forming a more robust conceptualization
and tool for management. Internal control is defined and described in Internal Control – Integrated
Framework. Because that framework has stood the test of time and is the basis for existing
rules, regulations, and laws, that document remains in place as the definition of and framework
for internal control. While only portions of the text of Internal Control – Integrated Framework
are reproduced in this framework, the entirety of that framework is incorporated by reference
into this one.

12.4 Risk Management Generic Process


12.4.1 Risk assessment

This comprises the analysis and evaluation of risk through processes of identification,
description and estimation.

Identification

This aims to determine an organization’s exposure to uncertainty. It requires a thorough
knowledge of the organization’s strategy, its products/services and markets, and the legal,
social, political, economic and technological environment in which it exists. Identification requires
a methodical approach to ensure all significant activities within the organization have been
identified and all risks flowing from those activities are defined. Methods of identifying risks
include:

 Risk workshops

 Stakeholder consultations

 Benchmarking

 Scenario or ‘what if’ analysis

 Auditing and inspection

 Research methods (interviews, surveys, etc.)

 Cause and effect diagrams.

Estimation

Risk estimation can be quantitative, semi-quantitative or qualitative in terms of likelihood
of occurrence and possible consequences. Assessing the impact of each risk can be done
using a variety of tools including: probability; scenario planning; simulations, including Monte
Carlo spreadsheet simulation; decision trees; real option modeling; sensitivity analysis; risk
mapping; statistical inference; SWOT or PEST analysis; root cause analysis; cost benefit/risk
benefit analysis; and human reliability analysis. Risk mapping is the most frequent example of
how risks are assessed. Mapping involves a matrix of likelihood/probability and impact/
consequences.

The risk appetite and risk tolerance of an organization dictate the nature and level of risks
that are acceptable to that organization. Risk appetite could be defined as “the risks that an
organization is in business to take, based on its corporate goals and its strategic imperatives”,
while risk tolerance represents “the threshold of risk that the organization considers acceptable,
based on its capabilities to manage the identified risks”.

Risk Register

It is recommended that organizations record their risks in a risk register. This can include
the following information: a unique identifier number, risk category, description of risk, the date
the risk is identified and by whom. Other possible data includes the likelihood of risk,
consequences, interdependencies with other risks and a monetary estimation.

12.4.2 Risk management policy

Before responses are developed for each of the risks identified, it is necessary to determine
the organization’s attitude to risk or risk appetite. The risk appetite will be influenced by the size
and type of organization, its culture and its capacity to withstand the impacts of adverse
occurrences.

12.4.3 Risk response (treatment)

This is the process of selecting and implementing measures to manage the risk. The
challenge for risk managers is to determine a portfolio of appropriate responses that form a
coherent and integrated strategy such that the net remaining risk falls within the acceptable
level of exposure. It is important to note that there is no right response to risk. The choice of
response will depend on issues such as the organization’s risk appetite, the impact and probability
of the risk and the costs and benefits of the mitigation plans. Responses to risk generally fall
into the following categories:

Risk avoidance: action is taken to halt the activities giving rise to risk, such as a product
line, a geographical market or a whole business unit.

Risk reduction: action is taken to mitigate the likelihood or impact of the risk, or both,
generally via internal controls.

Risk sharing or transfer: action is taken to transfer a portion of the risk through insurance,
outsourcing or hedging.

Risk acceptance: no action is taken to affect likelihood or impact.

Implementation of the chosen risk responses involves developing a risk plan outlining the
management processes that will be used to manage the risk or opportunity to a level defined by
the organization’s risk appetite and culture. An important part of the risk response is the ongoing
monitoring to determine the effectiveness (or performance) of the risk response.

12.4.4 Risk reporting

There are two areas of risk reporting:

• Reporting to external audiences. External risk reporting has developed rapidly in
the last five years. In the UK the Combined Code on Corporate Governance focuses
attention on internal control. The proposal for a mandatory operating and financial
review (OFR) that resulted in the Accounting Standards Board’s Reporting Statement
of best practice on the OFR recommends that a review of risks is included in the
annual report.

• Reporting to internal audiences. The reporting of risks and risk management
information is essential for internal decision makers to integrate risk evaluations
into their operational and capital investment decisions, review of performance and
compensation/reward decisions. Fuller information on risk reporting is given in the
reporting of organizational risks for the internal and external decision makers.

12.4.5 Residual risk reporting

Residual risk reporting involves comparing gross risk (the assessment of risk before
controls or risk responses are applied) and net risk (the assessment of risk, taking account of
any controls or risk responses applied) to enable a review of risk response effectiveness and
possible alternative management options.
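As an added worked example (not from the course text), the following Python puts the risk register fields of 12.4.1, the likelihood/impact matrix, the risk appetite threshold, and the gross versus net comparison of residual risk reporting into working code. The band scales, the annual probabilities, the appetite threshold and the three register entries are all constructed assumptions.

```python
"""Risk register with likelihood/impact mapping and residual-risk reporting.
Added example for sections 12.4.1 and 12.4.5; scales, thresholds and register
entries are constructed assumptions, not figures from the course text."""
from dataclasses import dataclass, field

# Ordinal bands for the likelihood/impact matrix (constructed; organisations
# define their own). ANNUAL_PROBABILITY gives each likelihood band a rough
# yearly probability so a response's cost can be weighed against its benefit.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ANNUAL_PROBABILITY = {1: 0.02, 2: 0.10, 3: 0.25, 4: 0.50, 5: 0.90}

# Risk appetite: the highest matrix score accepted without further treatment.
RISK_APPETITE = 6


@dataclass
class Response:
    """A selected response: avoidance, reduction, sharing or acceptance."""
    category: str
    description: str
    likelihood_step: int = 0   # how many likelihood bands the response removes
    impact_step: int = 0       # how many impact bands the response removes
    annual_cost: float = 0.0


@dataclass
class RiskEntry:
    """One row of the risk register, with the fields listed in section 12.4.1."""
    risk_id: str
    category: str
    description: str
    identified_on: str
    identified_by: str
    likelihood: str
    impact: str
    monetary_estimate: float   # constructed single-loss estimate
    depends_on: list = field(default_factory=list)
    responses: list = field(default_factory=list)


def matrix_score(likelihood_band: int, impact_band: int) -> int:
    """Risk mapping: the matrix cell is likelihood x impact."""
    return likelihood_band * impact_band


def gross_bands(r: RiskEntry):
    """Bands before any control or response is applied."""
    return LIKELIHOOD[r.likelihood], IMPACT[r.impact]


def net_bands(r: RiskEntry):
    """Bands after the selected responses; avoidance removes the activity."""
    if any(resp.category == "avoidance" for resp in r.responses):
        return 0, 0
    lik, imp = gross_bands(r)
    for resp in r.responses:
        lik = max(1, lik - resp.likelihood_step)
        imp = max(1, imp - resp.impact_step)
    return lik, imp


def gross_risk(r: RiskEntry) -> int:
    return matrix_score(*gross_bands(r))


def net_risk(r: RiskEntry) -> int:
    return matrix_score(*net_bands(r))


def expected_annual_loss(r: RiskEntry, bands) -> float:
    """Monetary estimate scaled by the yearly probability of the likelihood band."""
    return r.monetary_estimate * ANNUAL_PROBABILITY.get(bands[0], 0.0)


def residual_report(register):
    """Residual risk report: gross vs net per risk, whether the net risk is within
    appetite, and whether the responses' cost is covered by the loss they avert."""
    rows = []
    for r in register:
        saving = (expected_annual_loss(r, gross_bands(r))
                  - expected_annual_loss(r, net_bands(r)))
        cost = sum(resp.annual_cost for resp in r.responses)
        rows.append({
            "risk_id": r.risk_id,
            "gross": gross_risk(r),
            "net": net_risk(r),
            "within_appetite": net_risk(r) <= RISK_APPETITE,
            "responses": [resp.category for resp in r.responses],
            "cost_justified": saving >= cost,
        })
    return rows


# Constructed register: three security risks, each with a different response.
REGISTER = [
    RiskEntry("R-001", "operational", "Ransomware on file servers", "2024-01-15",
              "CISO", "likely", "major", 400_000.0,
              responses=[Response("reduction", "Offline backups and EDR", 1, 2, 60_000.0)]),
    RiskEntry("R-002", "compliance", "Customer PII exposed via legacy portal",
              "2024-02-03", "DPO", "possible", "severe", 900_000.0, depends_on=["R-001"],
              responses=[Response("avoidance", "Decommission the legacy portal")]),
    RiskEntry("R-003", "operational", "Misuse of shared admin accounts", "2024-02-20",
              "IT manager", "possible", "moderate", 150_000.0,
              responses=[Response("acceptance", "Accepted by steering committee")]),
]

if __name__ == "__main__":
    for row in residual_report(REGISTER):
        print(row)
```

Running it shows R-003 flagged as outside appetite: an acceptance response leaves net risk equal to gross risk, so the report surfaces it for the board rather than hiding it behind a recorded decision.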

12.4.6 Organization of this Report

This report is in two volumes.

• The first volume contains the Framework as well as this Executive Summary. The
Framework defines enterprise risk management and describes principles and
concepts, providing direction for all levels of management in businesses and other
organizations to use in evaluating and enhancing the effectiveness of enterprise
risk management. This Executive Summary is a high-level overview directed to
chief executives, other senior executives, board members, and regulators.

• The second volume, Application Techniques, provides illustrations of techniques
useful in applying elements of the framework.

12.4.7 Use of this Report

Suggested actions that might be taken as a result of this report depend on position and
role of the parties involved:

Board of Directors– The board should discuss with senior management the state of the
entity’s enterprise risk management and provide oversight as needed. The board should ensure
it is apprised of the most significant risks, along with actions management is taking and how it
is ensuring effective enterprise risk management. The board should consider seeking input
from internal auditors, external auditors, and others.

Senior Management– This study suggests that the chief executive assess the
organization’s enterprise risk management capabilities. In one approach, the chief executive
brings together business unit heads and key functional staff to discuss an initial assessment of
enterprise risk management capabilities and effectiveness. Whatever its form, an initial
assessment should determine whether there is a need for, and how to proceed with, a broader,
more in-depth evaluation.

Other Entity Personnel– Managers and other personnel should consider how they are
conducting their responsibilities in light of this framework and discuss with more senior personnel
ideas for strengthening enterprise risk management. Internal auditors should consider the breadth
of their focus on enterprise risk management.

Regulators– This framework can promote a shared view of enterprise risk management,
including what it can do and its limitations. Regulators may refer to this framework in establishing
expectations, whether by rule or guidance or in conducting examinations, for entities they oversee.

Professional Organizations– Rule-making and other professional organizations providing
guidance on financial management, auditing, and related topics should consider their standards
and guidance in light of this framework. To the extent diversity in concepts and terminology is
eliminated, all parties benefit.

Educators – This framework might be the subject of academic research and analysis, to
see where future enhancements can be made. With the presumption that this report becomes
accepted as a common ground for understanding, its concepts and terms should find their way
into university curricula.

With this foundation for mutual understanding, all parties will be able to speak a common
language and communicate more effectively. Business executives will be positioned to assess
their company’s enterprise risk management process against a standard and strengthen the
process and move their enterprise toward established goals. Future research can be leveraged
off an established base. Legislators and regulators will be able to gain an increased understanding
of enterprise risk management, including its benefits and limitations. With all parties utilizing a
common enterprise risk management framework, these benefits will be realized.

12.5 Information and Communication


Information and communication is an integral part of the risk assessment process, which
typically includes the processes of communication among the organizations responsible for
site assessment and management. This also includes communication with the various parties
who are potentially at risk from the site or are otherwise interested in the site. Overall, the
process is designed to be iterative and to inform the risk assessment and risk management
decisions. The goal of risk communication is for all stakeholders to have a common understanding
of the processes and assumptions used in risk assessment. Often, however, risk communication
issues can only be minimized, not avoided.

12.5.1 Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to
ascertain whether each of the five components of internal control, including controls to effect
the principles within each component, is present and functioning. Ongoing evaluations, built
into business processes at different levels of the entity, provide timely information. Separate
evaluations, conducted periodically, will vary in scope and frequency depending on assessment
of risks, effectiveness of ongoing evaluations, and other management considerations. Findings
are evaluated against criteria established by regulators, standard-setting bodies, or management
and the board of directors, and deficiencies are communicated to management and the board
of directors as appropriate.

The Information and Communication component and the Monitoring Activities component
are the last two components of the Framework. The Information and Communication component
has three principles while Monitoring Activities has two.

1. The organization obtains or generates and uses relevant, quality information to
support the functioning of internal control.

2. The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of internal
control.

3. The organization communicates with external parties regarding matters affecting
the functioning of internal control.

4. The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present
and functioning.

5. The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action, including
senior management and the board of directors, as appropriate.

The principles relating to Information and Communication include:

Principle 1 - The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control:

The importance of information to the management of an organization cannot be
overemphasized. Relevant information can be sourced both internally and externally, and there
could be new requirements by regulatory bodies on financial reporting or information to support
the functioning of internal control. The management therefore has to make conscious efforts to
obtain information on their internal control responsibilities.

The approaches that can be taken to achieve the objective of this principle include Creating
an Inventory of Information Requirements, Obtaining Information from External Sources,
Obtaining Information from Non-Finance Management, Creating and Maintaining Information
Repositories, Using an Application to Process Data into Information, Enhancing Information
Quality through a Data Governance Program and Identifying, Securing, and Retaining Financial
Data and Information.

Principle 2 - The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to support the functioning
of internal control:

It is not sufficient to obtain the required information on management’s objectives and
responsibilities on internal control; such information must be properly communicated and cascaded
to the appropriate persons. It has to be carried out in the right manner and at the appropriate
time. Also, the use of separate reporting lines would be required for a Whistle Blowing program
to function optimally.

The Framework recommends the following approaches to achieve this: Communicating
Information Regarding External Financial Reporting Objectives and Internal Control,
Communicating Internal Control Responsibilities, Developing Guidelines for Communication to
the Board of Directors, Reviewing Financial and Internal Control Information with the Board of
Directors, Communicating a Whistle-Blower Program to Company Personnel, Communicating
through Alternative Reporting Channels and Establishing Cross-Functional and Multidirectional
Internal Control Communication Processes and Forums.

Principle 3 - The organization communicates with external parties regarding matters
affecting the functioning of internal control:

This principle deals with a plethora of issues. It states that the entity’s external parties
have to be involved, as matters of internal control over financial reporting have to be
communicated to interested parties or those expected to possess them. It also encourages the
management of the entity to obtain information on its internal control through external sources
including carrying out surveys.

Communicating Information to Relevant External Parties, Obtaining Information from
Outside Sources, Surveying External Parties, Communicating the Whistle-Blower Program to
Outside Parties and Reviewing External Audit Communications are the methodologies
recommended by the Framework.

The principles relating to Monitoring Activities are:

Principle 4 - The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of internal control are present
and functioning:

The management of an entity needs to evaluate the internal control of the firm to determine
whether the components are not only present but also functioning. It can achieve this end by
taking the following approaches: Periodically Reviewing the Mix of Monitoring Activities,
Establishing a Baseline, Identifying and Using Metrics, Designing and Implementing a Dashboard,
Using Technology to Support Monitoring Activities, Conducting Separate Evaluations, Using
Internal Audit to Conduct Separate Evaluations and Understanding Controls at an Outsourced
Service Provider.

Principle 5 - The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for taking corrective action,
including senior management and the board of directors, as appropriate:

Once the evaluation of the entity’s internal control has been carried out and it has been
determined that some components are either present but not functioning or not present at all,
feedback has to be relayed to those concerned. The deficiencies identified should be addressed
by taking corrective actions in due time. This objective can be attained by Assessing and Reporting
Deficiencies, Monitoring Corrective Action and Developing Guidelines for Reporting Deficiencies.

12.5.2 NIST

The Risk Management Framework (RMF) is a set of criteria that dictate how United
States government IT systems must be architected, secured, and monitored. Today, the RMF is
maintained by the National Institute of Standards and Technology (NIST) and provides a solid
foundation for any data security strategy. NIST is responsible for developing information security
standards and guidelines, including minimum requirements for federal information systems.
More than ever, organizations must balance a rapidly evolving cyber threat landscape against
the need to fulfill business requirements. To help these organizations manage their cyber security
risk, NIST convened stakeholders to develop a cyber security framework that addresses threats
and supports business. It provides guidance on applying risk assessment concepts to all
three tiers in the risk management hierarchy and supports each step in the risk management
framework (prepare, conduct and maintain).

12.5.3 Risk Mitigation

Risk mitigation planning is the process of developing options and actions to enhance
opportunities and reduce threats to project objectives. Risk mitigation implementation is the
process of executing risk mitigation actions. Risk mitigation progress monitoring includes tracking
identified risks, identifying new risks, and evaluating risk process effectiveness throughout the
project.

The risk mitigation step involves development of mitigation plans designed to manage,
eliminate, or reduce risk to an acceptable level. Once a plan is implemented, it is continually
monitored to assess its efficacy with the intent of revising the course-of-action if needed.

Figure 12.2 Risk mitigation planning, implementation, and progress monitoring



Risk Mitigation Strategies

Risk mitigation strategies are based on the assessed combination of the probability of
occurrence and severity of the consequence for an identified risk.

Risk mitigation handling strategies include:

• Assume/Accept: Acknowledge the existence of a particular risk, and make a
deliberate decision to accept it without engaging in special efforts to control it.
Approval of project or program leaders is required.

• Avoid: Adjust program requirements or constraints to eliminate or reduce the risk.
This adjustment could be accommodated by a change in funding, schedule, or
technical requirements.

• Control: Implement actions to minimize the impact or likelihood of the risk.

• Transfer: Reassign organizational accountability, responsibility, and authority to
another stakeholder willing to accept the risk.

• Watch/Monitor: Monitor the environment for changes that affect the nature and/or
the impact of the risk.

12.6 Summary
Enterprise risk management deals with risks and opportunities affecting value creation or
preservation. It focuses directly on achievement of objectives established by a particular entity
and provides a basis for defining enterprise risk management effectiveness. The categorization
of entity objectives allows a focus on separate aspects of enterprise risk management.
Achievement of strategic objectives and operations objectives, however, is subject to external
events not always within the entity’s control; accordingly, for these objectives, enterprise risk
management can provide reasonable assurance. Enterprise risk management consists of eight
interrelated components. These are derived from the way management runs an enterprise and
are integrated with the management process. The eight components will not function identically
in every entity. The limitations of ERM preclude a board and management from having absolute
assurance as to achievement of the entity’s objectives. This enterprise risk management
framework encompasses internal control, forming a more robust conceptualization and tool for
management. This comprises the analysis and evaluation of risk through processes of
identification, description and estimation. The choice of response will depend on issues such as
the organization’s risk appetite, the impact and probability of the risk and the costs and benefits
of the mitigation plans. The Risk Management Framework provides a process that integrates
security and risk management activities into the system development life cycle. The RMF is
focused on security, so its security objectives are confidentiality, integrity and availability (CIA);
it looks at the impact values and rates them low, moderate, or high. Remember, risk is the
intersection of the impact and the probability.

12.7 Keywords
COSO - Committee of Sponsoring Organizations of the Treadway Commission

SWOT - Strengths, Weaknesses, Opportunities and Threats

PEST - Political, Economic, Social and Technological

OFR - Operating and Financial Review

ERM - Enterprise Risk Management

RMF - Risk Management Framework

NIST - National Institute of Standards and Technology

12.8 Review Questions


1. Write a brief note on enterprise risk management.

2. Give an account on the four categories of enterprise risk management framework.

3. List out and explain the categories of risk response.

4. What are the limitations of ERM?

5. Discuss the two areas of risk reporting.

6. What is the use of the report? Explain.

7. Explain the components of ERM with a neat sketch.

8. Discuss the monitoring principles of RMF.

9. Write a note on risk mitigation.


12.9 Suggested Reading


1. Marghanita da Cruz, “Frameworks for IT Management: An Introduction (ITSM
Library)”, Van Haren; 1st edition (March 7, 2006).

2. George Westerman and Richard Hunter, “IT Risk”, Harvard Business Review Press
(August 21, 2007).

LESSON – 13
Introduction to Information Technology and Security
Learning Objectives
At the end of this lesson students will gain knowledge about the following:

• The various functions in the evolution of information systems

• Understanding the process of audit and assessment

• Knowing the role of the compliance officer

• Understanding the process of the compliance function

• Knowing the process of drafting a compliance report

Structure of Lesson
13.1 Introduction

13.2 Evolution of Information System

13.3 Various functions in Information System Evolution

13.3.1 Electronic Data Processing, Transaction Processing System (1950 – 1960)

13.3.2 Management Information Systems (1960 to 1970)

13.3.3 Decision Support Systems (1970 to 1980)

13.3.4 Executive Information Systems (1980 to 1990)

13.3.5 Knowledge Management Systems (1990 to 2000)

13.3.6 E-Business (2000 – Present)

13.4 Audit, Assessment and Review

13.5 Role of compliance officer

13.6 Roles in Compliance Function

13.6.1 The Requirements of compliance officer

13.6.2 Drafting a Compliance report

13.7 Summary

13.8 Keywords

13.9 Review Questions

13.10 Suggested Reading

13.1 Introduction
Information technology Security is a field within information technology involving the
protection of computer systems and the prevention of unauthorized use or changes or access
of electronic data. It deals with the protection of software, hardware, networks and its information.
Because modern industry relies heavily on computers that store and transmit an
abundance of confidential information about people, cyber security is a critical function and
a necessary safeguard for many businesses. It also protects computer systems from theft or damage.

13.2 Evolution of Information System


An information system is a combination of processes, hardware, trained personnel,
software, infrastructure and standards that are designed to create, modify, store, manage and
distribute information to suggest new business strategies and new products. It leads to efficient
work practices and effective communication to make better decisions in an organization. There
has been a significant evolution of Information System function over the past few decades.

The evolution of Information System function can be summarized as follows:



13.3 Various functions in Information System Evolution


13.3.1 Electronic Data Processing, Transaction Processing System
(1950 – 1960)

During this period, the role of IS was mostly to perform activities like transaction
processing, recordkeeping and accounting. IS was mainly used for electronic data processing
(EDP).

EDP is described as the use of computers in recording, classifying, manipulating, and
summarizing data. It is also called information processing or automatic data processing.

Transaction Processing System (TPS) was the first computerized system developed to
process business data. TPS was mainly aimed at clerical staff of an organization. The early
TPS used batch processing data which was accumulated over a period and all transactions
were processed afterward.

TPS collects, stores, modifies and retrieves day-to-day transactions of an organization.
Usually, TPS computerizes or automates an existing manual process to allow for faster processing,
improved customer service and reduced clerical costs. Examples of outputs from TPS are cash
deposits, automatic teller machine (ATM), payment order and accounting systems. TPS is also
known as transaction processing or real-time processing.

13.3.2 Management Information Systems (1960 to 1970)

During this era, the role of IS evolved from TPS to Management Information Systems
(MIS). MIS process data into useful informative reports and provide managers with the tools to
organize, evaluate and efficiently manage departments within an organization. MIS delivers
information in the form of displays and pre-specified reports to support business decision-
making. Examples of output from MIS are cost trend, sales analysis and production performance
reporting systems.

Usually, MIS generates three basic types of information, which are:

• Detailed information reports typically confirm transaction-processing activities. A
detailed Order Report is an example of a detailed report.

• Summary information organizes data into a format that an individual can review
quickly and easily.

• Exception information reports information by filtering data; an exception inventory
report is an example. Exception reports help managers save time because they do not have to
search through a detailed report for exceptions.

This period also marked the development when the focus of organizations shifted slowly
from merely automating basic business processes to consolidating the control within the data
processing function.

13.3.3 Decision Support Systems (1970 to 1980)

In this era, a major advancement was the introduction of the personal computer (PC).
With the introduction of PCs, there was a distribution of computing or processing power
across the organization. The IS function became associated strongly with management rather
than with a technical approach in an organization. The role focused on an “interactive
computer-based system” to aid decision-makers in solving problems.

This new role of information systems to provide interactive ad-hoc support for the decision-
making process to managers and other business professionals is called Decision Support
Systems (DSS). DSS serve the planning, management and operations levels of an organization,
usually senior management.

DSS uses data from both internal and/or external sources. Internal sources of data might
include inventory, sales, manufacturing or financial data from an organization’s database. External
sources could include pricing, interest rates, population or trends. Managers use DSS to
manipulate the data to help with decisions. Examples of DSS are projected revenue figures
based on new product sales assumptions, product pricing and risk analysis systems.

13.3.4 Executive Information Systems (1980 to 1990)

This period gave rise to departmental computing due to many organizations purchasing
their own hardware and software to suit their departmental needs. Instead of waiting for indirect
support of centralized corporate service department, employees could use their own resources
to support their job requirements. This trend led to new challenges of data incompatibility, integrity
and connectivity across different departments. Further, top executives were neither using DSS
nor MIS hence executive information systems (EIS) or executive support systems (ESS) were
developed.

EIS offers decision making facilities to executives through providing both internal and
external information relevant to meeting the strategic goals of the organization. These are
sometimes considered as a specific form of DSS. Examples of the EIS are systems for easy
access to actions of all competitors, economic developments to support strategic planning and
analysis of business performance.

13.3.5 Knowledge Management Systems (1990 to 2000)

During this era, the rapid growth of the intranets, extranets, internet and other
interconnected global networks dramatically changed the capabilities of IS in business. It became
possible to circulate knowledge to different parts of the world irrespective of time and space.

This period also saw an emergence of enterprise resource planning (ERP) systems. ERP
is an organization-specific form of a strategic information system that incorporates all components
of an organization including manufacturing, sales, resource management, human resource
planning and marketing.

Moreover, there was a breakthrough in the development and application of artificial
intelligence (AI) techniques to business information systems. Expert systems (ES) and knowledge
management systems (KMS) became interconnected with each other.

An expert system (ES) is a computer system that mimics the decision-making ability of
human experts, for example, systems making financial forecasts, diagnosing human illnesses
and scheduling routes for delivery vehicles. A knowledge management system (KMS) is an IT
system that stores and retrieves knowledge to support creation, organization and dissemination
of business knowledge within the enterprise. Examples of KMS are feedback database and
helpdesk systems. ES uses data from Knowledge Management Systems to generate desirable
information system output, for example a loan application approval system.

13.3.6 E-Business (2000 – Present)

The Internet and related technologies and applications changed the way businesses
operate and people work. Information system functions in this period are still the same as
50 years ago: record keeping, management reporting, transaction processing, management
support and managing the processes of the organization. They are used to support business
processes, decision making and competitive advantage.

The difference is greater connectivity across similar and dissimilar system components.
There is great network infrastructure, higher level of integration of functions across applications
and powerful machines with higher storage capacity. Many businesses use Internet technologies
and web-enable business processes to create innovative e-business applications. E-business is
simply conducting business process using the internet.

13.4 Audit, Assessment and Review


An Information security audit is a systematic, measurable technical assessment of how
the organization’s security policy is employed. It is part of the on-going process of defining and
maintaining effective security policies. Security audits provide a fair and measurable way to
examine how secure a site really is.

Security Audit services offer clients a thorough, cost-effective means of evaluating their
overall information security posture in order to identify vulnerabilities and make informed
remediation decisions, guided by expertise to ensure that their networks, systems, data and
customers are protected from the rising tide of cybercrime.

The assessment is designed to:

• Create a security benchmark for your organization

• Identify the strengths and weaknesses of current security practices

• Prioritize the exposures that present the greatest risk

• Provide risk mitigation recommendations consistent with compliance regulations,
security industry best practices, client industry best practices, and client business
objectives.

13.5 Role of compliance officer


A Compliance officer is responsible for ensuring a company’s policies and procedures
comply with regulatory and ethical standards. Also referred to as a Compliance Specialist,
these highly analytical professionals perform regular audits, implement company policies, and
design control systems.

Compliance Officer Duties

• Review practices

• Conduct investigations

• Identify potential risks

• Maintain regulatory knowledge

• Review and update internal policies

• Prepare and file required documents

• Educate staff

Compliance Officer Responsibilities


• Develop and implement company policies and regulations.

• Oversee all business operations relating to compliance including policies,
investments, and procedures.

• Design and monitor control systems to deal with violations of legal rules and internal
policies.

• Regularly assess the efficiency of control systems and recommend effective
improvements.

• Review and evaluate company procedures and reports to identify hidden risks or
common issues.

• Coordinate with different department managers to review all departmental compliance
policies.

• Perform periodic audits on company procedures and processes.

• Lead employee training sessions on legal and compliance issues.

13.6 Roles in Compliance function


The basic function of the compliance role is to promote ethical conduct and
compliance with the rules, regulations and standard processes that govern how organizations
should conduct business. Staff in the compliance function must stay on top of the latest laws,
regulations and business trends and should be able to translate these into requirements and
procedures for the operation of the organization. Broadly speaking, the following are the major
roles within the compliance function.

a. Develop and maintain the appropriate compliance culture

One of the most difficult roles of the compliance officer is to transform compliance from a
burden into a benefit. A culture of compliance should be an integral part of the organization's
ethics, and it is the role of the compliance officer to implement the elements of compliance that
should be evident throughout the organization. Correctly implemented, such a compliance culture
produces efficiencies, maintains consistency, improves reliability and assurance, and results in
increased stakeholder confidence.

b. Advise on regulatory issues

The Compliance officer is the regulatory expert of the firm, and it is their role not only to
be up to date with all regulatory issues relevant to the sector in which they operate, but to identify
potential threats of non-compliance and take measures to alleviate them. These threats can arise
from non-adherence to specific laws and regulations throughout the firm's operations, from
launching and marketing a new product, to employing new people and changing internal
procedures. Regulated entities are especially prone to hefty fines in case of non-compliance,
so this role is important for the firm's profitability.

c. Monitoring

Compliance monitoring is a key component of any effective compliance function. It provides
appropriate and focused feedback to all levels of the organization and allows measures to be
implemented in time to become compliant with upcoming regulations. In the financial services
sector in particular, each year brings the transposition and implementation of new directives
and regulations.

d. Communicating

The Compliance Officer is the channel through which the Regulator communicates with the firm.
It is the Compliance Officer's job to communicate all requirements emanating from the law to the
firm so that measures can be taken and changes made to keep the company compliant with, and
adherent to, this regime. At the same time, the compliance officer can also communicate the
sector's requests and requirements to the regulator, either directly or via questions and
suggestions on upcoming laws and consultation papers.

e. Handling Issues

It is their role to take action should issues arise, whether that is employees’ concerns on
anti-money laundering suspicions for clients, or circulars issued by the regulator that affect the
firm’s operations, or any issue that might leave the company vulnerable to sanctions and fines.

13.6.1 Requirements of compliance officer


• Bachelor's degree in law, finance, business management or a related field.

• 5 years' proven experience in a compliance officer role.

• Good knowledge of legal requirements and procedures.

• Brilliant oral and written communication skills.

• Highly analytical with strong attention to detail.

13.6.2 Drafting a Compliance report

A compliance report includes

• The title page and meeting corporate standards

• Designing a template

• The executive summary

• The introduction and contents pages

• Report scope, parameters and people

• The purpose of the (monitoring) review and report

• Compliance 'project' reports: summary and objectives

• Acknowledging key personnel

• Report 'findings' and recommendations

• Any 'points to be noted'

13.7 Summary
Information security deals with the protection of software, hardware, networks and their
information. An information system is a combination of processes, hardware, trained personnel,
software, infrastructure and standards that are designed to create, modify, store, manage and
distribute information to suggest new business strategies and new products. EDP is described
as the use of computers in recording, classifying, manipulating, and summarizing data.
Transaction Processing System (TPS) was the first computerized system developed to process
business data. DSS uses data from both internal and external sources. Internal sources of
data might include inventory, sales, manufacturing or financial data from an organization's
database. EIS offers decision making facilities to executives by providing both internal
and external information relevant to meeting the strategic goals of the organization. Expert
systems (ES) are computer systems that mimic the decision-making ability of human experts.
An Information security audit is a systematic, measurable technical assessment of how the
organization’s security policy is employed. A Compliance officer is responsible for ensuring a
company’s policies and procedures comply with regulatory and ethical standards. Staff in the
compliance function must stay on top of the latest laws, regulations and business trends and
should be able to translate these into requirements and procedures for the operation of the
organization. The compliance officer can also communicate the sector’s requests and
requirements to the regulator, either directly or via questions and suggestions to upcoming
laws and consultation papers.

13.8 Keywords
EDP - Electronic Data Processing

TPS - Transaction Processing System

MIS - Management Information Systems

DSS - Decision Support Systems

EIS - Executive Information Systems

ESS - Executive Support Systems

ERP - Enterprise Resource Planning

KMS - Knowledge Management Systems



13.9 Review Questions


1. Write a note on evolution of information system.

2. Discuss the various functions in evolution of information system.

3. What is the role of compliance officer?

4. List out the responsibilities of compliance officer.

5. Explain the major role within the compliance function.

6. What are the requirements of the compliance officer?

13.10 Suggested Reading


1. Tripathi Surya Prakash, "Introduction to Information Security and Cyber Laws", Wiley /
Dreamtech Press India Pvt. Ltd.

LESSON – 14
Designing an Internal Compliance System
Learning Objectives

At the end of this lesson student will get knowledge about the following:

• Understand the process of a compliance management system

• Various regulatory principles

• Different components related to the compliance function

• Various steps to ensure compliance with policies and procedures

• Understanding internal compliance control issues.

Structure of Lesson
14.1 Introduction

14.2 Regulatory Principles

14.3 The Compliance Function

14.3.1 Five steps to ensure compliance with policies and procedures

14.4 Specific Internal compliance control issues

14.5 Summary

14.6 Keywords

14.7 Review Questions

14.8 Suggested Reading

14.1 Introduction
A company can promote a systematic approach to compliance by appointing a Director as
Compliance Officer, who promotes compliance, and by deliberating corporate ethics and
compliance matters in an Internal Control Committee (ICC).

An annual self-assessment is conducted with a checklist to establish the status of compliance.
Measures are taken against high-risk items according to plans. The company also sets up a
section in charge of tracking amendments to the laws related to its business; this section
informs the whole company of each legal amendment immediately and reflects it in the
self-assessment checklist.

Figure 14.1: Compliance Management System

14.2 Regulatory Principles


The following five principles, phrased here for a university's business transactions, apply:

Principle 1:

Individuals conducting business transactions shall be personally responsible for facing
punitive actions resulting from blatant violations of laws, regulations or restrictions affecting the
conduct of those transactions.

Principle 2:

Anyone who is aware of fraudulent or illegal business transactions conducted in the name
of the University shall report them immediately.

Principle 3:

Each unit is responsible for the restitution of any disallowances due to noncompliance
with laws, regulations or special restrictions.

Principle 4:

Every employee who conducts University business transactions is responsible for staying
abreast of ever-changing legal and regulatory requirements.

Principle 5:

Legal and regulatory requirements, as well as any donor-imposed restrictions, shall be
maintained on record with the University and be readily accessible.

14.3 The Compliance function


The compliance function plays a critical role within an enterprise risk management
framework. It should be considered as “first among equals” among the other risk management
participants (excluding internal audit), including the Chief Risk Officer.

An effective compliance and ethics program (CEP) is built from seven components, which the compliance function owns and operates. They are:

• Established standards and procedures within an organization to prevent and detect
criminal conduct.

• The organization has a sound governing structure, such as a Board of Directors,
which is knowledgeable about the contents and operation of the CEP and exercises
reasonable oversight with respect to the implementation and effectiveness of the
CEP.

• The organization uses reasonable efforts not to include within its "substantial
authority" any person whom the organization knows or should know through due
diligence has engaged in illegal activities or other conduct inconsistent with an
effective CEP.

• The organization communicates periodically and in a practical manner its standards
and procedures and other aspects of its CEP through training and information
dissemination to its governing authority, high-level personnel, substantial authority
personnel, employees and, as appropriate, agents.

• The organization takes reasonable steps to ensure the CEP is followed, including
monitoring and auditing to detect criminal conduct, evaluating the CEP's effectiveness
and providing a mechanism to report potential criminal activity without fear of retaliation.

• The organization has appropriate incentives and disciplinary measures to promote
and enforce its CEP.

• If criminal activity is detected, the organization takes reasonable steps to respond
appropriately and prevent further criminal conduct, including by making changes to
the CEP.

14.3.1 Five steps to Ensure Compliance with Policies and Procedures

Establishing effective policies and procedures does not begin and end with regulations. It
takes the right amount of collaboration, the right distribution channels, and the right
methods to measure understanding. All these things take an enormous amount of time and
energy, but automating them with a software solution can increase efficiency and ensure
compliance with your policies and procedures. Here are five steps to ensure compliance, and
what software features to look for to choose the best possible solution.

• Meet with divisional leaders to ensure the policies and procedures are feasible

• Determine the best format of policies for your audience

• Make policies and procedures easily accessible to your employees

• Set deadlines for each policy and procedure to be acknowledged

• Determine the best way to measure understanding

a. Meet with divisional leaders to ensure the policies and procedures are feasible

The first step to ensuring compliance begins with involving the leaders of each section of
the organization. Policies are often created by someone within an organization that does not
have a comprehensive understanding of the daily tasks within each department. Involving others,
even if just for a 30-minute interview surrounding a policy, ensures that the new policies:

• Are not misunderstood

• Use the correct terminology

• Make sense to the employee

b. Determine the best format of policies for your audience

Different departments contain different personalities, schedules, and daily experiences.
To ensure compliance with policies and procedures, make sure that you deliver them to your
employees through channels they are comfortable with. A benefit of meeting with your divisional
leaders is that you can leverage more information from them, including how the policies will be
best received. For example, employees who do not access computers during the workday but
have a company smartphone are better candidates for a video presentation of their policies
and procedures.

c. Make Policies and Procedures easily accessible to your employees

Do your employees know where to look for their policies and procedures, or are they
overwhelmed by a minefield of folders on a shared drive with a naming convention that can only
be interpreted by codebreakers?

Not only should you spend time ensuring that the organization's policies and procedures
make logical sense, you should also make sure that an employee from any department, and any
level of management, is able to find the policies that apply to them within 3 clicks. This
will help ensure they do not get frustrated and abandon their attempt at being compliant.

Structure your folders by:

• Department

• Type of policy (for example, "Fire Drill Procedure" under Management)

And give links to these shared drives to the appropriate managers.

d. Set deadlines for each policy and procedure to be acknowledged

Setting deadlines for acknowledgment does not just mean establishing an Outlook Calendar
reminder on their effective date. Once the policies and procedures have been created and are
accessible, set up weekly meetings with all managers to ensure they have a successful plan in
place to ensure their employees' understanding of compliance.

If you send out surveys to each employee, send scheduled email reminders to confirm that
they have received the policies and procedures and know the deadlines. Include a
contact number and email address within the reminders in case they have questions. To manage
this process without slowing down the email servers, consider using a software solution for
policies and procedures. Solutions such as Converge Point are built into SharePoint, stay behind
the firewall, and use Active Directory, so you do not have to worry about working an entirely new
program into the company.

e. Determine the best way to measure understanding

Each policy and procedure is different and should be treated as such. A standard "read and
accepted" acknowledgement is adequate for some routine policies, but ensuring compliance with
procedures should go a step further to verify understanding.

Depending on the task or field, taking quizzes, scheduling practice runs, or a combination
of both can dramatically increase employee compliance with policies and procedures.

14.4 Specific internal compliance control issues


Expense management is a typical example of an internal compliance control issue. Implementing
an automated expense policy is the starting point for managing this challenge. An expense policy
not only sets the stage for potential savings and risk avoidance, but also improves employee
morale, because rules now become consistent and evenly applied. Employees know what is
expected, and risks are mitigated.

The best way to ensure these policies are enforceable is to integrate them into expense
management software. Here are three ways that these systems can support accounts payable
management and encourage cooperation from the entire organization.

1. Training and guidance. Integrating policies enables rules to be applied consistently,
ensuring that all parties are treated fairly. For example, an employee might receive
an alert that suggests alternative travel methods when booking a flight between
certain destinations.

2. System-initiated auditing. Automated systems can generate audit instructions based
on criteria, and they can help with conducting random audits.

3. Exception handling. Including approval or handling alternatives can remove
frustration and provide a sense of control. Rather than telling travelling employees
that they cannot book a flight, give them the choice of getting manager approval.

In the end, effective internal controls can mean the difference between a successful
business and one that struggles to compete, CFO.com suggests. Using an automated expense
policy and integrating rules into easy-to-use software can help ensure compliance throughout
an organization, from employees to executives.
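The three mechanisms described above, as an added Python example (not taken from the course text or from any expense product): policy rules are evaluated inside the expense workflow, producing guidance messages, criteria-based plus seeded random audit selection, and manager approval as the exception path instead of a hard rejection. The spending thresholds, the rail-preferred routes, the 10 % sampling rate, the claim format and the sample claims are all assumptions constructed for illustration.

```python
"""Expense-policy rules integrated into an expense system (added example).

Hypothetical: claims are dicts produced by the expense tool; the thresholds,
routes and sampling rate below are assumptions, not figures from the course.
Modelled: guidance messages, system-initiated (criteria-based and random)
audit selection, and manager approval as the exception path.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical policy parameters (currency units).
MEAL_LIMIT_PER_DAY = 60.0
FLIGHT_LIMIT_WITHOUT_APPROVAL = 400.0
RAIL_PREFERRED_ROUTES = {("London", "Paris"), ("Paris", "London")}
RECEIPT_REQUIRED_ABOVE = 25.0
RANDOM_AUDIT_RATE = 0.10  # 10 % of non-rejected claims are audited at random


@dataclass
class Decision:
    claim_id: str
    status: str  # "approved", "needs_manager_approval" or "rejected"
    guidance: List[str] = field(default_factory=list)
    audit_reasons: List[str] = field(default_factory=list)


def evaluate_claim(claim: Dict, rng: random.Random) -> Decision:
    """Apply the policy to one claim and return the routing decision."""
    d = Decision(claim_id=claim["id"], status="approved")
    category = claim["category"]
    amount = float(claim["amount"])

    # Hard rule: a missing receipt above the threshold is rejected outright.
    if amount > RECEIPT_REQUIRED_ABOVE and not claim.get("receipt"):
        d.status = "rejected"
        d.guidance.append(f"Receipt required for amounts above {RECEIPT_REQUIRED_ABOVE:.2f}")
        return d

    if category == "flight":
        route = (claim.get("origin"), claim.get("destination"))
        # Training and guidance: suggest an alternative instead of only refusing.
        if route in RAIL_PREFERRED_ROUTES:
            d.guidance.append("Rail is the preferred mode for this route; consider booking rail")
        # Exception handling: over-limit flights go to a manager rather than being blocked.
        if amount > FLIGHT_LIMIT_WITHOUT_APPROVAL:
            d.status = "needs_manager_approval"
            d.guidance.append(
                f"Flights above {FLIGHT_LIMIT_WITHOUT_APPROVAL:.2f} need manager approval")
    elif category == "meal":
        days = max(int(claim.get("days", 1)), 1)
        if amount / days > MEAL_LIMIT_PER_DAY:
            d.status = "needs_manager_approval"
            d.guidance.append(f"Meal spend exceeds {MEAL_LIMIT_PER_DAY:.2f} per day")

    # System-initiated auditing: a criteria rule plus random sampling.
    if d.status != "rejected":
        if round(amount, 2) == int(amount) and amount >= 100:
            d.audit_reasons.append("round amount at or above 100")
        if rng.random() < RANDOM_AUDIT_RATE:
            d.audit_reasons.append("random sample")
    return d


def process_claims(claims: List[Dict], seed: int = 42) -> List[Decision]:
    """Evaluate a batch; the seeded RNG makes audit selection reproducible for review."""
    rng = random.Random(seed)
    return [evaluate_claim(c, rng) for c in claims]


# Constructed sample claims (not real data).
SAMPLE_CLAIMS = [
    {"id": "C-1", "category": "flight", "amount": 183.40, "origin": "London",
     "destination": "Paris", "receipt": True},
    {"id": "C-2", "category": "flight", "amount": 650.00, "origin": "Chennai",
     "destination": "Delhi", "receipt": True},
    {"id": "C-3", "category": "meal", "amount": 200.00, "days": 2, "receipt": True},
    {"id": "C-4", "category": "taxi", "amount": 40.00, "receipt": False},
]

if __name__ == "__main__":
    for d in process_claims(SAMPLE_CLAIMS):
        print(d.claim_id, d.status, d.guidance, d.audit_reasons)
```

The seed is fixed only so that an auditor can reproduce which claims were sampled in a given batch; in production the seed would be recorded with the batch rather than hard-coded, and the rules and thresholds would come from the policy owner's configuration rather than constants in code.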

14.5 Summary
To design an internal compliance system, a company sets up a section in charge of tracking
amendments to the laws related to its business, which informs the whole company of each legal
amendment immediately and reflects it in the self-assessment checklist. The compliance
function plays a critical role within an enterprise risk management framework, and an effective
compliance and ethics program is built from seven components. Establishing effective policies and
procedures does not begin and end with regulations. It takes the right amount of collaboration,
the right distribution channels, and the right methods to measure understanding. Policies
are often created by someone within an organization who does not have a comprehensive
understanding of the daily tasks within each department. A benefit of meeting with your divisional
leaders is that you can leverage more information from them, including how the policies will be
best received. Each policy and procedure is different and should be treated as such rather than
in a standardized way. An expense policy not only sets the stage for potential savings and risk
avoidance, but also improves employee morale, because rules now become consistent and evenly
applied.

14.6 Keywords
ICC - Internal Control Committee

CEP - Compliance and Ethics Program

CFO - Chief Financial Officer

14.7 Review Questions


1. List out the five regulatory principles.

2. Explain the steps to ensure compliance with policies and procedures.

3. Write a brief note on internal compliance control issues.

4. Discuss the compliance management system with neat sketch.

14.8 Suggested Reading


1. Anthony Tarantino, "Manager's Guide to Compliance", Wiley; 1st edition (April 21,
2006).

2. Sarbanes-Oxley Group, "The Sarbanes-Oxley Guide for Finance and Information
Technology Professionals", CreateSpace Independent Publishing Platform (June
3, 2004).

LESSON – 15
Information System Audit
Learning Objectives

At the end of this lesson student will get knowledge about the following:

• Understand the process of information audit flow

• Scope of the auditing

• Know the process of audit planning

• Process of audit checklist preparation

• Know the process of audit report

Structure of Lesson
15.1 Introduction

15.2 Scope of Auditing

15.3 Audit Planning

15.4 Audit Manual

15.5 Audit Checklist

15.5.1 Audit Checklist Preparation

15.6 Audit Report

15.7 Summary

15.8 Keywords

15.9 Review Questions

15.10 Suggested Reading

15.1 Introduction
An information system (IS) audit or information technology (IT) audit is an examination of
the controls within an entity's information technology infrastructure. These reviews may be
performed in conjunction with a financial statement audit, internal audit, or other form of attestation
engagement. It is the process of collecting and evaluating evidence of an organization's
information systems, practices, and operations. Evaluating the evidence obtained establishes
whether the organization's information systems safeguard assets, maintain data integrity, and
are operating effectively and efficiently to achieve the organization's goals or objectives.

Figure 15.1: Information audit flow

The purpose of an IS audit is to review and evaluate an organization's information system's
availability, confidentiality, and integrity by answering the following questions:

1. Will the organization's computerized systems always be available for the business
when required? (Availability)

2. Will the information in the systems be disclosed only to authorized users?
(Confidentiality)

3. Will the information provided by the system always be accurate, reliable, and timely?
(Integrity)

15.2 Scope of Auditing


The scope of an audit is the determination of the range of the activities and the period of
records that are to be subjected to an audit examination. The scope of an audit covers:

• Legal Requirements.

• Entity Aspects.

• Reliable Information.

• Proper Communication.

• Evaluation.

• Test.

• Comparison.

• Judgments.

Legal Requirements
• The auditor can determine the scope of an audit of financial statements following
the requirements of legislation, regulations or relevant professional bodies.

• The state can frame rules for determining the scope of audit work. In the same way,
professional bodies can make rules to conduct the audit.

Entity Aspects
• The audit should be organized to cover all aspects of the entity as far as they are
relevant to the financial statements being audited.

• A business entity has many areas of working. A small entity may have few functions
while a large concern has many functions. The auditor has to go through all the
functions of the business.

• The audit report should cover all functions so that the reader may know about all
the workings of a concern.

Reliable Information
• The auditor should obtain reasonable assurance as to whether the information
contained in the underlying accounting records and other source data is reliable
and sufficient as the basis for the preparation of the financial statements.

• The auditor can use various techniques to test the validity of data. All auditors while
doing the audit work usually apply compliance tests and substantive tests. The
auditor can show such information in the report.

Proper Communication
• The auditor should decide whether the relevant information is properly communicated
in the financial statements.

• Accounting is an information system, so facts and figures must be presented so that
the reader can get information about the business entity. The auditor can mention
this fact in his report.

• The principles of accounting can be applied to decide about the disclosure of financial
information in the statements.

Evaluation

The auditor assesses the reliability and sufficiency of the information contained in the
underlying accounting records and other source data by making a study and evaluation of
accounting systems and internal controls to determine the nature, extent, and timing of other
auditing procedures.

Test

The auditor assesses the reliability and sufficiency of the information contained in the
underlying accounting records and other source data by carrying out other tests, inquiries and
other verification procedures of accounting transactions and account balances as he considers
appropriate in the particular circumstances. There are compliance tests and substantive tests
to examine the data. The vouching, verification and valuation techniques are also used.

Comparison

The auditor determines whether the relevant information is properly communicated by
comparing the financial statements with the underlying accounting records and other source
data to see whether they properly summarize the transactions and events recorded therein.
The auditor can compare the accounting records with financial statements to check that the
same has been processed for preparing the final accounts of a business concern.

Judgments

The auditor determines whether the relevant information is properly communicated by
considering the judgments that management has made in preparing the financial statements.
The auditor assesses the selection and consistent application of accounting policies,
how the information has been classified and the adequacy of disclosure.

15.3 Audit Planning


Audit planning is required for an Auditor to conduct an effective and efficient audit. Audit
planning should address the following:

• Time budgets

• Recruitment of audit staff

• Schedule of the dates of audit procedures

Base of Audit Planning


Audit planning should be based on the following:

• Complete accounting knowledge of the client's business

• Reliability of the internal control system

• Programming of audit procedures

• Co-ordination of staff

Development of Audit Plan


The following points need to be considered at the time of preparation of an audit plan.

• Auditor engagement terms

• Statutory responsibility of the Auditor

• Co-ordination with other Auditors

• Internal control system of branches and subsidiaries

• Reliability of the internal control system of an organization

• Marking of important audit areas

• Impact of legal rules

• Nature and timing of reports

15.4 Audit Manual


An audit manual usually contains an overview of the industry risk factors facing an
organization as well as the protocol of the audit process, the tools and methodologies for
conducting the audit, forms to be completed, and people to contact. As such, it facilitates

orientation and saves time on training newly appointed staff on the audit activity - auditors
can begin audit engagements immediately.

Although an audit manual is an extensive compilation of resource material intended to be
used by internal audit staff, other departments may find it useful as a guide to improve their own
operations through creating or updating their own manual, policies, procedures, and practices.
A well-developed and appropriately communicated audit manual can:

• Serve as a guide to those responsible for internal audit activities.

• Represent a key benchmark by which internal audit can be measured.

• Be a reference for undertaking an audit assignment.

• Aid in making effective decisions.

• Assist in undertaking staff appraisals, training, and development.

• Enhance staff morale and productivity.

• Assist in clarifying audit issues, audit staff job routines, and measurements.

15.5 Audit Checklist


Audit checklist is a key element in planning for and carrying out a process audit. The
checklist for any internal quality audit is composed of a set of questions derived from the quality
management system standard requirements and any process documentation prepared by the
company.

15.5.1 Audit Checklist Preparation

As part of the internal quality audit preparation, the auditor will review the ISO 9001
requirements and the process documentation defined by the company for the process to be audited.
While it may be beneficial to use an audit checklist template when preparing for an audit, it is
important to ensure that the checklist is adapted to the process of the organization, and that it
is not a generic process. So, the steps of creating an audit checklist are reviewing the ISO
9001 standard, and then creating questions to ask when reviewing the records and personnel of
the process. The goal is to find evidence that the process is meeting its own requirements.

As an example, the ISO 9001 clause for management review inputs requires that
management review include:
• Information on results of audits,

• Customer feedback,

• Process performance and product conformity,

• Status of corrective and preventive actions,

• Follow-up actions from previous management reviews,

• Changes that could affect the quality management system, and

• Recommendations for improvement.

If the company process requires that management reviews produce minutes of meeting
as a record, then the internal audit checklist could ask the auditor to review the minutes of
meetings and verify that each piece of input information was presented to the management
review meeting for assessment.

As this would be only one question on a checklist for reviewing the management review
process, the audit checklist would contain the many questions required to assess the process.
To audit, auditors will use the checklists created and look for evidence that the process being
audited meets the requirements of the defined process. Where process documentation is not
present, it is often relevant to use the requirements of the ISO 9001 standard, focusing on
reviewing the process suppliers, process inputs, process steps, process outputs and process
customers to ensure that they are consistently understood by the employees using the process.

The idea is to review the effectiveness of the process, and to ensure that non-conformances
are not caused simply because the process has no written document describing it.
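As an added example (not from the course text), this Python script performs the two steps described in 15.5.1: it builds checklist questions from the seven management review inputs listed above, then reviews a set of constructed meeting minutes for objective evidence of each input and lists the items with no evidence as non-conformances. The clause reference "MR-INPUTS", the keyword evidence rules and the minutes are hypothetical; in a real audit the auditor reads the minutes and judges the evidence, so the keyword matching only stands in for that judgment.

```python
"""Audit checklist built from requirement clauses and run against records
(added example, not from the course text). The management review inputs are
the ones listed in the lesson; the clause id, the keyword evidence rules and
the meeting minutes are hypothetical / constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ChecklistItem:
    item_id: str
    requirement: str               # what the standard / process requires
    question: str                  # what the auditor asks
    evidence_keywords: Tuple[str, ...]  # hypothetical phrases showing the input was presented


# Requirement -> phrases that would count as objective evidence (assumed rules).
MANAGEMENT_REVIEW_INPUTS = [
    ("results of audits", ("audit result", "internal audit")),
    ("customer feedback", ("customer feedback", "complaint", "satisfaction survey")),
    ("process performance and product conformity", ("process performance", "conformity", "kpi")),
    ("status of corrective and preventive actions", ("corrective action", "preventive action", "capa")),
    ("follow-up actions from previous management reviews", ("follow-up", "previous review")),
    ("changes that could affect the quality management system", ("change", "qms")),
    ("recommendations for improvement", ("improvement", "recommendation")),
]


def build_checklist(clause: str = "MR-INPUTS") -> List[ChecklistItem]:
    """Turn each required input into one checklist question (hypothetical clause id)."""
    items = []
    for n, (requirement, keywords) in enumerate(MANAGEMENT_REVIEW_INPUTS, start=1):
        items.append(ChecklistItem(
            item_id=f"{clause}-{n}",
            requirement=requirement,
            question=f"Do the management review minutes show that {requirement} were presented?",
            evidence_keywords=keywords,
        ))
    return items


def review_minutes(minutes: str, checklist: List[ChecklistItem]) -> Dict[str, Dict]:
    """Look for evidence of each item in the record; keep the phrases found for the report."""
    text = minutes.lower()
    results = {}
    for item in checklist:
        hits = [k for k in item.evidence_keywords if k in text]
        results[item.item_id] = {
            "requirement": item.requirement,
            "conforms": bool(hits),
            "evidence": hits,
        }
    return results


def nonconformances(results: Dict[str, Dict]) -> List[str]:
    """Checklist items for which no evidence was found, in checklist order."""
    return [k for k, v in results.items() if not v["conforms"]]


# Constructed minutes: the follow-up and QMS-change inputs are deliberately absent.
SAMPLE_MINUTES = """
Management Review Meeting - Q3 (constructed example)
1. Internal audit results: two minor findings from the Q2 internal audit were reviewed.
2. Customer feedback: three complaints received, satisfaction survey score 4.2/5.
3. Process performance: on-time delivery KPI at 96%; product conformity 99.1%.
4. Corrective action status: CAPA-17 closed, CAPA-19 open.
5. Recommendations for improvement: automate the supplier scorecard.
"""

if __name__ == "__main__":
    checklist = build_checklist()
    results = review_minutes(SAMPLE_MINUTES, checklist)
    for item in checklist:
        r = results[item.item_id]
        print(f"{item.item_id}: {'OK ' if r['conforms'] else 'NC '} {item.question}")
    print("Non-conformances:", nonconformances(results))
```

The result is a nonconformance per missing input rather than a single pass/fail for the management review, which is what the report needs: each finding cites the requirement, the record examined and the evidence (or its absence).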

15.6 Audit Report


An audit report is a written opinion of an auditor regarding an entity’s financial statements.
The report is written in a standard format, as mandated by Generally Accepted Auditing Standards
(GAAS). GAAS requires or allows certain variations in the report, depending upon the
circumstances of the audit work in which the auditor engages. The following report variations
may be used:

• A clean opinion, if the financial statements are a fair representation of an entity's
financial position, being free of material misstatements. This is also known as an
unqualified opinion.

• A qualified opinion, if there were scope limitations imposed upon the auditor's work, or
if a misstatement is material but confined to a specific area rather than pervasive.

• An adverse opinion, if the financial statements were materially misstated.

• A disclaimer of opinion, which can be triggered by several situations. For example,
the auditor may not be independent, or there is a going concern issue with the
auditee.

The typical audit report contains three paragraphs, which cover the following topics:

• The responsibilities of the auditor and the management of the entity.

• The scope of the audit.

• The auditor's opinion of the entity's financial statements.

An audit report is issued to the user of an entity’s financial statements. The user may rely
upon the report as evidence that a knowledgeable third party has investigated and rendered an
opinion on the financial statements. An audit report that contains a clean opinion is required by
many lenders before they will loan funds to a business. It is also necessary for a publicly held
entity to attach the relevant audit report to its financial statements before filing them with the
Securities and Exchange Commission.

15.7 Summary
Information System Audit is the process of collecting and evaluating evidence of an
organization's information systems, practices, and operations. The purpose of an IS audit is to
review and evaluate an organization's information system's availability, confidentiality, and
integrity. The scope of an audit is the determination of the range of the activities and the period
of records that are to be subjected to an audit examination. The principles of accounting can be
applied to decide about the disclosure of financial information in the statements. Audit planning
is required for an Auditor to conduct an effective and efficient audit. An audit manual usually
contains an overview of the industry risk factors facing an organization as well as the protocol
of the audit process. An audit checklist is a key element in planning for and carrying out a
process audit. An audit report is a written opinion of an auditor regarding an entity's financial
statements. The report is written in a standard format, as mandated by generally accepted
auditing standards.

15.8 Keywords
IS - Information System

IT - Information Technology

ISO - International Standard Organization

GAAS - Generally Accepted Auditing Standards

15.9 Review Questions


1. Explain the various scopes of auditing.

2. List out the development of audit planning.

3. Discuss the Information audit flow with a neat sketch.

4. How do you prepare an audit checklist?

5. Show the variations in audit reports.

15.10 Suggested Reading


1. Michael P. Cangemi and Tommie W. Singleton, “Managing the Audit Function”,
Wiley; 3rd edition (April 11, 2003).

LESSON – 16
Best Practices for IT Compliance and
Regulatory requirements
Learning Objectives

At the end of this lesson, students will have gained knowledge about the following:

• Various best practices to reach the goals

• The process of IT compliance requirements

• The concept of SOX

• SOX compliance and auditing of internal controls

• The process of COBIT

Structure of Lesson
16.1 Introduction

16.2 Seven best practices to reach the goals

16.3 IT Compliance requirements under clause 49 of SEBI listing agreement

16.4 IT Compliance requirements Under Sarbanes Oxley act USA

16.4.1 SOX Compliance Audits

16.4.2 SOX auditing of internal controls

16.5 Control objectives in information technology ISACA

16.6 Summary

16.7 Keywords

16.8 Review Questions

16.9 Suggested Reading

16.1 Introduction
Teams developing software in regulated environments face the significant challenge of
defining comprehensive, high-quality software requirements for regulatory compliance. Faulty
compliance requirements not only put a project at risk, but they can put the organization itself at
legal and financial risk. A recent survey of 400 U.S. CEOs revealed that the regulatory
environment tops the list of issues that can have the most impact on a company.

For software development teams at companies in regulated industries to succeed, they
must develop an understanding of their complex regulatory environments, the skills needed to
interpret rapidly changing regulations and the ability to develop clear, complete compliance
requirements.

16.2 Seven best practices to reach the goals


1. Identify Regulatory Stakeholders and Engage Them Effectively

Who is involved in governance, risk management and compliance in your organization?
These are the stakeholders who will be the busiest – and thus the most difficult to set up
meetings with, so identify them early on and plan up-front for the most efficient ways to engage
them. Get on calendars early, do the research and develop laser-focused interview questions –
ideally chosen from a pre-defined repository of compliance-related questions. A business analyst
doesn’t need to know everything about compliance, but it’s important to know the right people
to talk to in order to capture a complete, accurate set of compliance requirements.

2. Get to Know Your Organization’s Regulatory Environment

Understanding the concepts of GRC and the relationships between those concepts gives
product owners and business analysts a framework to help identify the right stakeholders and
understand relevant business processes. Read up on these capabilities and identify the groups
within your organization responsible for them. Research regulations that impact an industry
and the region. Talk to the experts and ask questions. Understanding the business of managing
compliance in your organization provides clarity for better analysis.

3. Mine Existing Documentation for Foundational Understanding

Obviously, one of the best ways to understand regulatory requirements is to read and
understand the most recent relevant regulations and guidelines. Stay up to date on regulatory
change by subscribing to relevant government and industry websites. And don’t overlook
requirements from prior projects as a source of information. Review and consolidate them to
begin developing a reference library.

4. Model Business Processes to Improve Understanding

The software development industry has seen a significant increase in the use of visual
models, because they help project teams and stakeholders have deeper conversations that lead
to better requirements. Business process models improve understanding and help teams
comprehend the impact of regulatory change. Develop business process models for the key
processes in your environment, as well as the processes related to governance, risk management
and compliance, to improve the quality of your compliance requirements and your ability to
analyse them.

5. Build a Repository of Common Compliance Requirements

Because compliance requirements frequently affect multiple projects and systems, they
are prime candidates for reuse. This includes requirements related to concepts like access
security, data confidentiality, data availability, authentication, logging and auditability, to name a
few. Centralizing compliance requirements and the visual models associated with them will
provide support for multiple teams as they define user stories and functional requirements.
Other artifacts, like risk definitions and stakeholder lists, can be centralized as well. Think about
both external regulatory requirements and those needed to support internal governance needs.
By developing a shared repository of these critical non-functional requirements, an organization
can define them in one place and teams can reference them as needed, eliminating unnecessary
work and improving requirements quality.

6. Document Traceability from Regulations to Requirements

Establishing traceability between compliance requirements and related artifacts like
business value, process steps, risks, stakeholders, other requirements and the original regulation
itself gives teams a powerful analysis tool. It helps them define stronger requirements and
assess the impact of regulatory change. It also gives them a compliance plan to illustrate to
auditors how the team is working to develop compliance. Robust analysis is the best way to
enable compliance; traceability is an important technique to support that analysis.

7. Don’t Short-Change Analysis

The regulatory environment is complex and changing, so product owners and business
analysts need to spend time analyzing the impact of regulatory change. Particularly in Agile
environments, where up-front analysis is shunned, teams need to understand that there will
need to be some pre-work to understand compliance and governance processes before they
start executing on sprints. Don’t get stuck in “analysis paralysis,” but do allow enough time to
analyse the environment, regulatory information, business processes and other visual models
to gain a strong understanding of compliance requirements.
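Best practices 5 and 6 as working code, added here and not taken from the course text: a small repository of reusable compliance requirements with traceability back to regulation clauses, used to assess the impact of a regulatory change, to build the auditor-facing compliance plan, and to find requirements that trace to nothing. Clause identifiers, requirement ids, risks, process steps, stakeholder and project names are constructed sample values.

```python
"""Compliance requirement repository with regulation-to-requirement traceability.

Added example, not code from the course text. Clause identifiers, requirement
ids, risks, process steps, stakeholders and project names are constructed
sample data, not any organization's real artifacts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """One reusable compliance requirement plus the artifacts traced to it."""
    req_id: str
    text: str
    regulations: frozenset               # clause ids the requirement derives from
    risks: frozenset = frozenset()
    process_steps: frozenset = frozenset()
    stakeholders: frozenset = frozenset()
    projects: frozenset = frozenset()    # teams currently reusing it


class ComplianceRepository:
    """Central store of compliance requirements, queried through traceability."""

    def __init__(self):
        self._reqs = {}

    def add(self, req):
        if req.req_id in self._reqs:
            raise ValueError(f"duplicate requirement id {req.req_id}")
        self._reqs[req.req_id] = req

    def impact_of_change(self, clause):
        """Everything that must be re-analysed when regulation `clause` changes."""
        hit = [r for r in self._reqs.values() if clause in r.regulations]

        def union(attr):
            return sorted(set().union(*(getattr(r, attr) for r in hit)))

        return {"requirements": sorted(r.req_id for r in hit),
                "projects": union("projects"),
                "stakeholders": union("stakeholders"),
                "risks": union("risks")}

    def untraced(self):
        """Requirements with no regulation behind them: the first thing an
        auditor asks about a control is which rule it answers to."""
        return sorted(r.req_id for r in self._reqs.values() if not r.regulations)

    def uncovered(self, in_scope):
        """Clauses in scope that no requirement traces to yet (a compliance gap)."""
        covered = set().union(*(r.regulations for r in self._reqs.values()))
        return sorted(set(in_scope) - covered)

    def compliance_plan(self, clause):
        """Auditor-facing view: clause -> requirement -> process steps evidencing it."""
        return {r.req_id: sorted(r.process_steps)
                for r in self._reqs.values() if clause in r.regulations}


def build_sample_repository():
    """Constructed data: SOX sections 302/404 and one clause 49 feature from the lesson."""
    repo = ComplianceRepository()
    repo.add(Requirement(
        "R-LOG-01", "Every change to the financial database is logged with actor and time",
        regulations=frozenset({"SOX-302", "SOX-404"}),
        risks=frozenset({"undetected-tampering"}),
        process_steps=frozenset({"change-approval", "quarterly-log-review"}),
        stakeholders=frozenset({"CFO", "IT-audit"}),
        projects=frozenset({"ledger-api", "reporting-portal"})))
    repo.add(Requirement(
        "R-ACCESS-01", "Access to financial systems follows least privilege",
        regulations=frozenset({"SOX-404"}),
        risks=frozenset({"excess-privilege"}),
        process_steps=frozenset({"access-review"}),
        stakeholders=frozenset({"IT-audit"}),
        projects=frozenset({"ledger-api", "hr-system"})))
    repo.add(Requirement(
        "R-WB-01", "An anonymous channel exists for reporting suspected violations",
        regulations=frozenset({"CL49-WHISTLEBLOWER"}),
        stakeholders=frozenset({"Audit-Committee"}),
        projects=frozenset({"hr-system"})))
    repo.add(Requirement(
        "R-DASH-01", "Finance dashboard refreshes every five minutes",
        regulations=frozenset(),         # an internal wish, not a regulation
        projects=frozenset({"reporting-portal"})))
    return repo
```

Calling `impact_of_change("SOX-404")` on the sample repository lists both requirements, the three projects and two stakeholders that a change to section 404 would force the team to revisit, while `untraced()` flags the dashboard requirement that no regulation justifies.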

16.3 IT Compliance requirements under clause 49 of SEBI listing agreement

For the IT compliance requirements under clause 49 of the SEBI listing agreement, SEBI had
constituted a Committee on Corporate Governance under the Chairmanship of Shri N. R. Narayana
Murthy to further improve the standards of corporate governance in India. The significant features
of the resulting amendments may be summarized as under:

• Broadening of the definition of independent director

• Fixing of norms relating to Non-executive directors’ compensation and disclosures

• Additional duty on the independent director to periodically review the legal compliance
reports prepared by the Company and steps taken by the Company to improve.

• Obligation on the Board of Directors to lay down a Code of Conduct for all Board
members and senior management of the Company.

• Fixation of the term of Non-executive Directors to a maximum of nine years

• Requirement of all members of the Audit Committee being financially literate

• Increase in the powers of the Audit Committee

• Additional duty on the Audit Committee to review certain information

• Requirements relating to Audit reports and Audit Qualifications

• New Requirement of Whistle Blower Policy

• Applicability of the requirements to subsidiary companies relating to composition of
the Board of directors, laying of minutes of the Board meeting before the Board of
the holding company and additional requirement to be included in the Board report
of the Holding Company.

• Disclosure of contingent liabilities

• Additional Disclosures

• Certification by CEO/CFO

• Change in the Format of reporting to Stock Exchanges relating to Corporate
Governance

• Entitlement to practicing Company secretaries to certify the compliance of the
conditions of corporate governance

16.4 IT Compliance requirements Under Sarbanes Oxley act USA

The Sarbanes–Oxley Act of 2002, also known as the “Public Company Accounting Reform
and Investor Protection Act” and “Corporate and Auditing Accountability, Responsibility, and
Transparency Act” (in the House) and more commonly called Sarbanes–Oxley or SOX, is
a United States federal law that set new or expanded requirements for all U.S. public
company boards, management and public accounting firms. Several provisions of the Act also
apply to privately held companies, such as the willful destruction of evidence to impede a federal
investigation. The stated goal of SOX is “to protect investors by improving the accuracy and
reliability of corporate disclosures.”

SOX is applicable to:

• All publicly held American companies

• Any international companies that have registered equity or debt securities with the
U.S. Securities and Exchange Commission (SEC)

• Any accounting firm or other third party that provides financial services to either of
the above

Penalties for non-compliance: Formal penalties for non-compliance with SOX can include
fines, removal from listings on public stock exchanges and invalidation of D&O insurance policies.
Under the Act, CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance
audit can face fines of $5 million and up to 20 years in jail.

IT organizations are using SOX as a framework for:

• Auditing existing IT infrastructure, identifying inefficiencies, redundancies and
superfluous controls.

• Streamlining reporting and auditing processes, increasing productivity and reducing
costs.

• Managing security risks more effectively and responding quicker in the event of a
breach.

The first thing an IT manager must do to prepare their organization for SOX compliance
is to understand which sections of the act have clear implications for data management, reporting
and security. These are:

Section 302: SOX Section 302 relates to a company’s financial reporting. The act requires
a company’s CEO and CFO to personally certify that all records are complete and accurate.
Specifically, they must confirm that they accept personal responsibility for all internal controls
and have reviewed these controls in the past 90 days. These internal controls include a company’s
information security infrastructure inasmuch as its accounting and reporting is performed
electronically; in other words, for almost all modern businesses there is a clear mandate to
ensure high security standards are enforced.

Section 404: Section 404 stipulates further requirements for the monitoring and
maintenance of internal controls related to the company’s accounting and financials. It requires
businesses to have an annual audit of these controls performed by an outside firm. This audit
assesses the effectiveness of all internal controls and reports its findings back directly to the
SEC.

SOX compliance requirements include:

• PCAOB: The Public Company Accounting Oversight Board was created to develop
auditing standards and train auditors on the best practices for assessing a company’s
internal controls. It is here that the specific SOX requirements for information security
are spelled out. PCAOB publishes periodic recommendations and changes to the
auditing process. For obvious reasons, being aware of the most recent iteration of
these guidelines is essential to passing an audit.

• COSO: COSO is the Committee of Sponsoring Organizations, a joint organization
consisting of representatives from the Institute of Management Accountants (IMA),
the American Accounting Association (AAA), the American Institute of Certified Public
Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives
International (FEI). Since 1992, COSO has published periodic updates to their internal
control framework recommendations; this document outlines guidelines for creating
and implementing internal controls and serves as the basis for the auditing standards
developed by PCAOB.

• COBIT: COBIT (Control Objectives for Information and Related Technology) is a
framework published by ISACA. Formerly known as the Information Systems Audit
and Control Association, ISACA covers guidelines for developing and assessing
internal controls related to corporate information technology. Effectively a more
specific version of the COSO framework, it outlines best practices for 34 IT processes.
Many organizations will rely on both frameworks when developing a roadmap to
SOX compliance.

• ITGI: The Information Technology Governance Institute (ITGI) is dedicated to helping
businesses meet their objectives without compromising information security. ITGI
has independently published its own framework for SOX compliance, using both
COBIT and COSO as guides. Unlike COBIT, however, the ITGI framework deals
only with security issues.

16.4.1 SOX Compliance Audits

A SOX compliance audit of a company’s internal controls takes place once a year. An
independent auditor must conduct SOX audits. It is the company’s responsibility to find and hire
an auditor, and to arrange all necessary meetings prior to when the audit takes place. To avoid
a conflict of interest, SOX audits must be separate from other internal audits undertaken by the
company. Many companies will time the audit so that results are available for inclusion in their
annual report, thus satisfying the requirement of making findings easily accessible to
stockholders.

The first step in a SOX audit usually involves a meeting between management and the
auditing firm. In this meeting, both parties will discuss the specifics of the audit, including when
it will take place, what it will look at, what its purposes are and what results management
expects to see.

A key portion of a SOX audit will involve a review of the company’s financials. Auditors will
inspect previous financial statements to confirm their accuracy. While ultimately it is at the
auditor’s discretion whether a company’s financials pass, any variance in the numbers of more
than 5% either way is likely to set off red flags. An audit will also look at personnel and may
interview staff to confirm that their regular duties match their job description, and that they have
the training necessary to access financial information safely.

16.4.2 SOX Auditing of Internal Controls

A review of internal controls comprises one of the largest components of a SOX compliance
audit. As noted above, internal controls include any computers, network hardware and other
electronic infrastructure that financial data passes through. From the IT side of things, a typical
audit will look at four things:

Access: Access refers to both the physical and electronic controls that prevent unauthorized
users from viewing sensitive information. This includes keeping servers and data centers in
secure locations, but also making sure effective password controls, lockout screens and other
measures are in place. Implementing the principle of least privilege (POLP) is generally
considered one of the best methods of organization-wide access control.

Security: IT security is, of course, a broad topic. In this case, it means making sure
appropriate controls are in place to prevent breaches and having tools to remediate incidents
as they occur. Taking steps to manage risk is a good policy regardless of SOX compliance
status. Investing smartly in services or appliances that will monitor and protect the financial
database is the best way to avoid compliance and security issues altogether.

Change management: Change management involves the IT department’s processes for
adding new users or workstations, updating and installing new software, and making any changes
to Active Directory databases or other information architecture components. Having a record of
what was changed, in addition to when it was changed and who changed it, simplifies a SOX IT
audit and makes it easier to correct problems when they arise.

Backup procedures: Finally, backup systems should be in place to protect the sensitive
data. Data centers containing backed-up data, including those stored off site or by a third party,
are subject to the same SOX compliance requirements as those hosted on-premises.
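The change-management record described above (what was changed, when, and by whom), reconciled against approved change records, as an added example that is not part of the course text or any product: every logged change to user accounts, Active Directory groups or software on financial hosts must map to an approved change, its assignee and its time window. The log format, ticket ids, account names, host names and times are constructed sample data.

```python
"""Reconcile an IT change log against approved change records (SOX IT audit evidence).

Added example, not from the course text. Log format, ticket ids, account and
host names and timestamps are constructed sample data.
"""
from datetime import datetime, timezone

# Constructed change log: one change per line, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2024-03-04T22:15:00Z actor=alice target=AD:group/Finance-Admins action=add-member ticket=CHG-1042
2024-03-05T09:02:00Z actor=bob target=host/fin-db-01 action=install-software ticket=CHG-1043
2024-03-05T23:40:00Z actor=carol target=AD:user/temp-contractor action=create-user
2024-03-06T10:00:00Z actor=dave target=host/ws-0412 action=install-software ticket=CHG-9999
2024-03-07T03:30:00Z actor=alice target=AD:group/Domain-Admins action=add-member ticket=CHG-1044
"""

# Constructed approved change records: who may perform the change and when.
APPROVED_CHANGES = {
    "CHG-1042": {"assignee": "alice", "start": "2024-03-04T22:00:00Z", "end": "2024-03-04T23:00:00Z"},
    "CHG-1043": {"assignee": "erin", "start": "2024-03-05T08:00:00Z", "end": "2024-03-05T12:00:00Z"},
    "CHG-1044": {"assignee": "alice", "start": "2024-03-07T09:00:00Z", "end": "2024-03-07T11:00:00Z"},
}


def parse_ts(text):
    """Parse the constructed UTC timestamp format into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn the key=value change log into a list of dicts (time, actor, target, ...)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        entry = {"time": parse_ts(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            entry[key] = value
        entries.append(entry)
    return entries


def reconcile(entries, approved):
    """Return (entry, reason) for every change not fully backed by an approved record.

    Reasons: no-ticket (change has no record at all), unknown-ticket (record
    not found), actor-mismatch (someone other than the assignee did it),
    outside-window (done outside the approved time window).
    """
    findings = []
    for entry in entries:
        ticket = entry.get("ticket")
        if ticket is None:
            findings.append((entry, "no-ticket"))
            continue
        record = approved.get(ticket)
        if record is None:
            findings.append((entry, "unknown-ticket"))
            continue
        if entry["actor"] != record["assignee"]:
            findings.append((entry, "actor-mismatch"))
        if not parse_ts(record["start"]) <= entry["time"] <= parse_ts(record["end"]):
            findings.append((entry, "outside-window"))
    return findings


def audit_report(text=SAMPLE_LOG, approved=APPROVED_CHANGES):
    """Summarise exceptions as {target: [reasons]} for the audit working papers."""
    report = {}
    for entry, reason in reconcile(parse_log(text), approved):
        report.setdefault(entry["target"], []).append(reason)
    return report
```

On the sample data only the first change reconciles cleanly; the other four each produce one exception, which is the list the IT manager would want to resolve before the auditor asks.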

16.5 Control objectives in information technology ISACA

COBIT (Control Objectives for Information and Related Technologies) is
a framework created by ISACA for information technology (IT) management and IT governance.
The framework defines a set of generic processes for the management of IT, with each process
defined together with process inputs and outputs, key process-activities, process objectives,
performance measures and an elementary maturity model.

Framework and components

Business and IT goals are linked and measured to create responsibilities of business and
IT teams. Five processes are identified: Evaluate, Direct and Monitor (EDM); Align, Plan and
Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and
Monitor, Evaluate and Assess (MEA).

The COBIT framework ties in with COSO, ITIL, BiSL, ISO27000, CMMI, TOGAF and
PMBOK. The framework helps companies follow law, be more agile and earn more. Below are
COBIT components:

• Framework: Organizes IT governance objectives and good practices by IT domains
and processes and links them to business requirements.

• Process descriptions: A reference process model and common language for
everyone in an organization. The processes map to responsibility areas of plan,
build, run, and monitor.

• Control objectives: Provides a complete set of high-level requirements to be
considered by management for effective control of each IT process.

• Management guidelines: Helps assign responsibility, agree on objectives, measure
performance, and illustrate interrelationship with other processes.

• Maturity models: Assesses maturity and capability per process and helps to address
gaps.

As a framework designed to help business professionals discuss IT-related goals and
results, Control Objectives for Information and Related Technology is often simply referred to
as COBIT. This framework has existed since the mid-1990’s and has been developed and
adapted since that time. Thanks to the popularity of COBIT, there are a great number of tools
and resources available to help managers get the most benefit from using this framework.
There are five basic principles involved in the COBIT framework:

1) Meet Stakeholder Needs

This principle is something that should apply to just about every business decision that is
made daily, but certainly to those decisions that are made with regard to IT. The whole purpose
of IT is to enable others within the organization to do their jobs to the best of their abilities. If a
given IT project isn’t meeting the needs of the stakeholders, there is very little point in continuing
with the project. Only when stakeholder needs are properly met is a project going to be considered
a successful venture in the end. It should be no surprise that this principle is included in the
COBIT framework because it is such an important aspect of the IT world.

2) Covering the Enterprise End-to-End

If you have any real-world business experience, you probably already know that the IT department
doesn’t always agree with what the other departments in the organization have to say. Finding
harmony between IT and everyone else can be challenging, but it must be accomplished if the
business is going to reach its full potential. What is done in IT should be done to the benefit of
everyone throughout the entire organization, not just a select group of people. Often, this is one
of the greatest challenges that decision makers within a business will have to deal with. In order
to get the best possible return for the investment that you have made in the IT area, it is crucial
that the work the IT team does is framed with the best interests of the whole organization in mind.

3) Applying a Single, Integrated Framework

The advantages of having a single framework in use throughout the organization should
be obvious. If nothing else, using a single framework should add simplicity and consistency to
everything that the business does. Also, costs are generally better controlled when there is a
single framework in play rather than a variety of frameworks serving various needs in different
parts of the business.

Flexibility within the project management team is another benefit of this approach. When
different parts of the business are governed by several different frameworks, the IT department
might not be as flexible in responding to needs and problems. However, when working within
only one framework, it should be much easier for any member of the IT team to work on any
problem that may come up – no matter where it is throughout the organization. This kind of
flexibility is appealing and can help insulate the department against the loss of key team members.
Building a strong IT infrastructure over the long run should be the goal and using a single IT
framework from the start can help make that a reality.

4) Enabling a Holistic Approach

Many organizations fall into the habit of dividing up their IT department into different
segments which rarely interact. This can be a mistake when it comes to being able to develop
new technologies that have an impact on the business. Ideally, the whole IT department will be
‘on the same page’ in terms of its priorities and techniques. Just as the marketing department
needs to have a consistent plan of action for selling the company’s products or services, so
should the IT department be working together as closely as possible. Allowing the IT department
to become fragmented early in the development of the organization can create tricky problems
that will be harder to solve later.

5) Separating Governance from Management

Too often, especially in small organizations, governance and management become one
and the same. That can be a problem when it comes to IT. The COBIT framework calls for the
two to be separated, so that the governance of what the IT department will be responsible for is
different from the day to day management of that department.

Depending on the structure of your organization, the responsibility for governance of the
IT department could come from a Board of Directors, or even straight from the owner of the
company. Meanwhile, the management of the IT department will generally be left to the department
head. In other words, the person responsible for managing the day to day activity of the IT
department shouldn’t be the same person who is governing it. Those are two different
responsibilities and should be separated as such.

It is no secret that a strong and productive IT department is one of the greatest advantages
that an organization can have in this day. Technology has never been more important than it is
today, and the IT department working for the business may mean the difference between
success and failure in the long run. Ideally, the IT department won’t feel like a separate arm of
the organization, and instead will be just another integrated group of employees, much like the
teams in marketing, accounting, etc.

16.6 Summary
For software development teams at companies in regulated industries to succeed, they
must develop an understanding of their complex regulatory environments, the skills needed to
interpret rapidly changing regulations and the ability to develop clear, complete compliance
requirements. For the IT compliance requirements under clause 49 of the SEBI listing agreement,
SEBI had constituted a Committee on Corporate Governance. The stated goal of SOX is “to protect
investors by improving the accuracy and reliability of corporate disclosures.” The first thing an IT
manager must do to prepare their organization for SOX compliance is to understand which
sections of the act have clear implications for data management, reporting and security. A SOX
compliance audit of a company’s internal controls takes place once a year. Internal controls
include any computers, network hardware and other electronic infrastructure that financial data
passes through. The COBIT framework defines a set of generic processes for the management of
IT, with each process defined together with process inputs and outputs, key process-activities,
process objectives, performance measures and an elementary maturity model.

16.7 Keywords
SOX - Sarbanes - Oxley

SEC - Securities and Exchange Commission

COSO - Committee of Sponsoring Organizations

IMA - Institute of Management Accountants

AAA - American Accounting Association

AICPA - American Institute of Certified Public Accountants

IIA - Institute of Internal Auditors

COBIT - Control Objectives for Information and Technology

ITGI - Information Technology Governance Institute

POLP - Principle Of Least Privilege

16.8 Review Questions


1. What are the significant features of the clause 49 amendments?

2. List out the seven best practices to reach the goal.

3. Give a brief note on clause 49 of the SEBI listing agreement.

4. Explain the SOX compliance requirements.

5. Write a note on COSO.

6. Explain the various components of COBIT.

16.9 Suggested Reading


1. Gad Selig, “Implementing IT Governance”, Van Haren Publishing; First edition
(April 17, 2008).

2. Sarbanes-Oxley Group, “The Sarbanes-Oxley Guide for Finance and Information
Technology Professionals”, CreateSpace Independent Publishing Platform (June
3, 2004).

Model Question Paper


M.Sc., Cyber Forensics and Information Security
Second Year – Fourth Semester
Core Paper - XIV
GOVERNANCE, RISK & COMPLIANCE
Time : 3 Hours Maximum : 80 Marks

SECTION - A

Answer any TEN out of TWELVE Questions

(10 x 2 = 20 Marks)

1. What is GRC? Why do we need it?

2. List out the principles of COBIT.

3. State the objectives of BASEL.

4. List out the advantages of ISMS.

5. Write a note on ISG framework.

6. What are three levels of Security Management?

7. List out the Challenges to establish a Steering Committee.

8. What are the features of financial management?

9. What is the combination of three steps for risk management?

10. Write a note on NPV.

11. What is the role of compliance officer?

12. What is clause 49 of SEBI listing agreement?


SECTION - B

Answer any FIVE out of SEVEN Questions (5 x 6 = 30 Marks)

1. Write a brief note on Governance framework.

2. Illustrate the working way of OECD & its functions.

3. Explain the five Service Lifecycle modules in ITIL.

4. Discuss the key process of CMM model.

5. Explain the six phases of strategic planning with a neat sketch.

6. How do you prepare an audit checklist?

7. Give a brief note on risk mitigation.

SECTION - C

Answer any THREE out of FIVE questions (3 x 10 = 30 Marks)

1. Describe briefly about the outcomes of Information Security Governance.

2. Explain the COBIT principles with neat sketch.

3. Discuss the steps to ensure compliance with policies and procedures.

4. Examine the Information audit flow with neat sketch.

5. Explain the generic process of Risk Management.
