
QUESTION ONE (1)

Workflow management systems aid the systematic control of work-processes for users
within and across departments. Further, the systems provide Management with an
eagle's eye on process-status scrutiny and document approvals. In all these information
exchanges, safeguarding the digital rights of corporate users is at the core of IT risk.
REQUIRED:
a) Demonstrate, where possible through use of diagrams (if any), the relationship or
variable dependences between IT Governance and Information Security.
IT governance and information security are two related but distinct concepts in the field of
information technology. IT governance refers to the processes and structures used by
organizations to ensure that IT investments align with their business objectives, while
information security refers to the protection of information assets from unauthorized
access, use, disclosure, disruption, modification, or destruction.
There are several ways in which IT governance and information security are related, and
their relationship can be depicted using a few different models or diagrams. Here are a few
examples:
1. IT Governance and Information Security Frameworks
One way to illustrate the relationship between IT governance and information security is
through the use of frameworks. Both IT governance and information security have their own
frameworks, which are designed to provide a structured approach to managing their
respective areas.
For example, the Information Technology Infrastructure Library (ITIL) is a framework for IT
service management, which includes guidance on IT governance. Similarly, the ISO/IEC
27001 standard provides a framework for information security management. These
frameworks can be used in conjunction with each other to ensure that IT investments are
aligned with business objectives and that information assets are protected from threats.
2. IT Governance and Information Security Controls
Another way to illustrate the relationship between IT governance and information security is
through the use of controls. IT governance controls are designed to ensure that IT
investments are aligned with business objectives, while information security controls are
designed to protect information assets.
There are many different types of IT governance controls, such as financial controls, risk
management controls, and compliance controls. Information security controls can include
access controls, encryption, firewalls, and intrusion detection systems.
By implementing both IT governance and information security controls, organizations can
ensure that their IT investments are aligned with their business objectives and that their
information assets are protected from threats.
3. IT Governance and Information Security Risk Management
Finally, IT governance and information security are related through their shared focus on
risk management. IT governance risk management is concerned with identifying and
managing risks to IT investments, while information security risk management is concerned
with identifying and managing risks to information assets.
Both IT governance and information security risk management require organizations to
identify risks, assess their likelihood and impact, and develop strategies to manage them. By
taking a risk-based approach to IT governance and information security, organizations can
ensure that their investments are aligned with their business objectives and that their
information assets are protected from threats.
Overall, while IT governance and information security are distinct concepts, they are closely
related and can be depicted using a variety of models or diagrams. By ensuring that both
areas are properly managed, organizations can maximize the value of their IT investments
while protecting their critical information assets.

IT Governance and Information Security are closely related and interdependent. IT
Governance refers to the framework of policies, processes, and standards that guide the use
and management of IT resources in support of business objectives. Information Security, on
the other hand, is the practice of protecting information assets from unauthorized access,
use, disclosure, disruption, modification, or destruction.

The following diagram illustrates the relationship between IT Governance and Information
Security:

IT Governance
|
(Provides framework)
|
v
Information Security
|
(Ensures protection)
|
v
Business Objectives
IT Governance provides the framework for implementing and maintaining Information
Security controls, policies, and procedures. Information Security, in turn, enables the
protection of information assets, which is essential for achieving the objectives of IT
Governance. Effective Information Security controls and practices ensure the confidentiality,
integrity, and availability of information assets, which are critical to achieving business
objectives.

In summary, IT Governance and Information Security are closely related and
interdependent. Effective IT Governance requires the implementation of Information
Security controls and practices to protect information assets from threats and
vulnerabilities. Conversely, Information Security is a critical component of IT Governance, as
it enables the protection of confidential and sensitive data, which is a key business asset.

b) Explain any FIVE techniques that may be adopted in safeguarding the digital rights of
corporate information system users.

Five techniques that may be adopted in safeguarding the digital rights of corporate
information system users are:
1. Access Control: This technique involves the implementation of authentication and
authorization controls to limit access to sensitive data and IT resources to authorized
users only. It can include the use of passwords, biometric authentication, and role-
based access controls.
2. Encryption: This technique involves the use of encryption algorithms to convert
sensitive data into an unreadable format that can only be decrypted using a secret
key. It can be applied to data at rest or in transit, such as email messages, file
transfers, and database records.
3. Backup and Recovery: This technique involves the regular backup and storage of
critical data and system configurations, coupled with a disaster recovery plan to
restore the data and systems in case of an outage or data loss.
4. Security Awareness Training: This technique involves the provision of regular training
to employees on IT security best practices, such as phishing scams, social
engineering, and password hygiene. It can help to raise awareness, reduce human
error, and improve the overall security posture of the organization.
5. Incident Response Planning: This technique involves the development of an incident
response plan that outlines the procedures to be followed in case of a security
breach or incident. It can include the roles and responsibilities of incident response
team members, communication protocols, and the steps to be taken to contain,
investigate, and remediate the incident.
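The first technique above, access control, is the one most directly tied to "digital rights": a user may only do what the roles assigned to them allow, nothing is permitted by default, and every decision is recorded for later review. The following Python example is added here as an illustration and is not part of the original answer; the roles (clerk, manager, auditor), the workflow resources and the users are constructed sample data, and the rule that approvals require a completed second factor is an assumption chosen to show how authentication strength and authorization can be combined.

```python
"""Role-based access control with deny-by-default, an MFA requirement for
sensitive actions, and an audit trail.  Added illustration: roles, users and
resources below are constructed sample data, not a real system's configuration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Permissions are (resource, action) pairs; a role grants a fixed set of them.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "clerk":   frozenset({("workflow", "read"), ("workflow", "submit")}),
    "manager": frozenset({("workflow", "read"), ("workflow", "approve"),
                          ("status_report", "read")}),
    "auditor": frozenset({("workflow", "read"), ("status_report", "read"),
                          ("audit_log", "read")}),
}


@dataclass
class User:
    name: str
    roles: FrozenSet[str]
    mfa_verified: bool = False  # second factor completed for this session


@dataclass
class AccessControl:
    audit_log: List[dict] = field(default_factory=list)
    # Assumed policy: these actions are honoured only after MFA was completed.
    mfa_required_actions: FrozenSet[str] = frozenset({"approve"})

    def is_authorized(self, user: User, resource: str, action: str) -> bool:
        """Deny by default: allow only if one of the user's roles grants
        (resource, action) and the action's MFA requirement, if any, is met.
        Every decision, allowed or denied, is appended to the audit log."""
        granted = any((resource, action) in ROLE_PERMISSIONS.get(r, frozenset())
                      for r in user.roles)
        mfa_ok = user.mfa_verified or action not in self.mfa_required_actions
        decision = granted and mfa_ok
        if decision:
            reason = "ok"
        elif granted:
            reason = "mfa_required"
        else:
            reason = "no_role_grant"
        self.audit_log.append({"user": user.name, "resource": resource,
                               "action": action, "allowed": decision,
                               "reason": reason})
        return decision


def demo():
    """Run a few decisions and return them together with the audit trail."""
    ac = AccessControl()
    clerk = User("alice", frozenset({"clerk"}), mfa_verified=True)
    manager = User("bob", frozenset({"manager"}))  # password-only session so far
    results = {
        "clerk_submit": ac.is_authorized(clerk, "workflow", "submit"),
        "clerk_approve": ac.is_authorized(clerk, "workflow", "approve"),
        "manager_approve_no_mfa": ac.is_authorized(manager, "workflow", "approve"),
    }
    manager.mfa_verified = True  # second factor completed
    results["manager_approve_mfa"] = ac.is_authorized(manager, "workflow", "approve")
    # A resource no role knows about is denied without any special casing.
    results["unknown_resource"] = ac.is_authorized(manager, "payroll", "read")
    return results, ac.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for entry in log:
        print(entry)
```

The point of the design is that the permission table is the only place where rights are granted; the check itself never contains a special case that allows something. The audit log records denied attempts as well as allowed ones, which is what an auditor or incident responder needs when investigating misuse of a user's rights.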

QUESTION TWO (2)

Arguments, at times, ensue from certain quarters within the information security
community concerning the negligibility or intangible effects of cyberattacks. Contra-
thoughts, however, hold that the effects of cyberattacks are real, and that contra
arguments may only be valid depending on the exact nature of the digital system under
attack. They further argue that there is an increasing number of critical control systems
that are more or less vulnerable to cyberattacks, and the effect of successful hacking can
run the gamut from being a nuisance only, to being deadly. REQUIRED
a) Demonstrate, through use of risk indicators, the effects of cyberattacks on an economy.
[12 Marks]
b) Exemplify the extreme effects of cyberattacks on people's lives.

Cyberattacks can have significant effects on economies, both in terms of direct costs and
indirect costs such as loss of consumer confidence and reduced productivity. The following
are some risk indicators that demonstrate the effects of cyberattacks on an economy:
1. Financial losses: Cyberattacks can lead to financial losses for organizations and
individuals, including theft of money and intellectual property. In 2020, the global
average cost of a data breach was $3.86 million, according to a study by IBM.
2. Disruption of critical infrastructure: Critical infrastructure such as power grids, water
supply systems, and transportation networks can be disrupted by cyberattacks,
leading to significant economic losses. In 2015, the Ukrainian power grid was hit by a
cyberattack that caused a blackout for over 200,000 people, resulting in an
estimated loss of $225 million.
3. Loss of consumer trust: Cyberattacks can damage the reputation of businesses and
reduce consumer confidence, resulting in decreased revenue. For example, the 2017
Equifax data breach, which exposed the personal information of over 145 million
people, led to a drop in the company's stock price and a loss of customer trust.
4. Increased regulatory fines and legal costs: Cyberattacks can result in regulatory fines
and legal costs, which can be significant. In 2019, the US Federal Trade Commission
fined Facebook $5 billion for its role in the Cambridge Analytica scandal.
5. Unemployment: In severe cases, cyberattacks can result in businesses closing down,
leading to job losses and a negative impact on the economy.
b) Exemplify the extreme effects of cyberattacks on people's lives.
Cyberattacks can have extreme effects on people's lives, especially in cases where critical
infrastructure or medical systems are targeted. The following are some examples of the
extreme effects of cyberattacks on people's lives:
1. Health care: Cyberattacks on medical systems can result in patient harm or death. In
2017, the WannaCry ransomware attack impacted the UK's National Health Service,
causing the cancellation of thousands of appointments and surgeries. In the US, the
death of a patient has been attributed to a ransomware attack on a hospital in
Germany that resulted in delayed treatment.
2. Transportation: Cyberattacks on transportation systems can lead to accidents or
disruptions. In 2019, the city of Baltimore's transportation systems were hit by a
ransomware attack, causing disruptions to bus and train services. In 2018, a
cyberattack on the Ukrainian power grid caused a blackout that disrupted
transportation networks.
3. Public safety: Cyberattacks on public safety systems, such as emergency services and
law enforcement, can have severe consequences. In 2019, a cyberattack on the US
state of Texas resulted in the disruption of emergency services, including 911 call
centers.
In summary, cyberattacks can have extreme effects on people's lives, especially in cases
where critical infrastructure or medical systems are targeted. It is essential to prioritize
cybersecurity and implement effective measures to protect against cyber threats.

QUESTION THREE (3)

You are the risk officer at Wet Port, a firm whose core business is to export and import the
various forms of cargo and shipments. The institution operates devoid of meaningful
integrated IT systems to aid evidence-based decision making. Previously, a proposal to
implement corporate-wide enterprise resource planning system had been submitted but
did not yield any results, and has thus, been shelved and ignored.
REQUIRED:
a) Restructure the said proposal for resubmission to Management. [10 Marks]
b) Highlight any FOUR (4) key issues and risks across departments that the
implementation of your resubmitted proposal should easily identify and address.

Dear Management Team,

As the risk officer at Wet Port, I would like to bring to your attention the need to reconsider
the proposal to implement an enterprise resource planning system (ERP) across the
organization. This proposal had been submitted in the past but did not receive the necessary
attention. As the organization continues to grow, there is an increasing need for integrated
IT systems that can aid evidence-based decision making.
ERP (Enterprise Resource Planning) is a software system that helps organizations manage
their business processes and operations in a centralized and integrated manner. ERP
systems typically include modules for accounting, finance, human resources, inventory
management, supply chain management, and other core business functions.
The implementation of an ERP system can bring several advantages to an organization,
including:
1. Improved Efficiency and Productivity: With an ERP system, organizations can
streamline their business processes and eliminate redundant tasks, leading to
improved efficiency and productivity. By automating tasks such as data entry,
reporting, and inventory management, employees can spend more time on value-
added activities that contribute to the organization's success.
2. Better Decision Making: ERP systems provide real-time visibility into an
organization's operations, allowing decision-makers to make informed decisions
based on accurate and up-to-date information. By having a single source of truth for
all business data, organizations can improve decision-making and avoid the risks
associated with relying on outdated or inaccurate information.
3. Enhanced Collaboration: An ERP system can improve collaboration across an
organization by providing a common platform for employees to share information
and work together on projects. With features such as shared calendars, document
management, and team messaging, an ERP system can help employees stay
connected and work more effectively as a team.
4. Increased Customer Satisfaction: ERP systems can help organizations improve
customer satisfaction by providing faster and more accurate responses to customer
inquiries, orders, and requests. With real-time visibility into inventory levels and
order status, organizations can provide customers with more accurate delivery times
and better manage customer expectations.
5. Cost Savings: While implementing an ERP system requires a significant upfront
investment, it can result in significant cost savings over the long term. By eliminating
redundant tasks, improving efficiency, and reducing errors, organizations can save
money on labor costs, inventory costs, and other expenses associated with
inefficient processes.
Overall, the implementation of an ERP system can bring significant benefits to an
organization, including improved efficiency, better decision-making, enhanced collaboration,
increased customer satisfaction, and cost savings. However, successful implementation
requires careful planning, stakeholder buy-in, and ongoing maintenance and support to
ensure that the system continues to meet the organization's needs over time.
The implementation of the ERP system will involve the following steps:
1. Conduct a needs assessment to determine the exact requirements of the
organization
2. Select an appropriate ERP system based on the needs assessment
3. Customize the ERP system to meet the specific needs of Wet Port
4. Install and configure the system
5. Train employees on how to use the system
6. Monitor and maintain the system to ensure optimal performance.
I believe that the implementation of an ERP system will provide Wet Port with a competitive
advantage, improve operations, and enable the organization to achieve its strategic goals.
Thank you for considering this proposal. I look forward to your response.
Sincerely, [Your Name]
b) Key Issues and Risks Across Departments That the Resubmitted Proposal Should Identify
and Address
1. Finance Department: The implementation of the ERP system should address the
issue of financial management and reporting. The system should provide real-time
financial data, improve the accuracy of financial reporting, and reduce the risk of
errors and fraud.
2. Sales Department: The implementation of the ERP system should address the issue
of sales management and reporting. The system should provide real-time sales data,
enable the tracking of customer orders, and improve the accuracy of sales reporting.
3. Procurement Department: The implementation of the ERP system should address
the issue of procurement management and reporting. The system should provide
real-time procurement data, enable the tracking of supplier orders, and improve the
accuracy of procurement reporting.
4. Logistics Department: The implementation of the ERP system should address the
issue of logistics management and reporting. The system should provide real-time
logistics data, enable the tracking of shipments, and improve the accuracy of logistics
reporting. Additionally, the system should help manage the various forms of cargo
and shipments efficiently.

QUESTION FOUR (4)

Given today's business rivalry, automating business processes across organizational units
through information systems is an imperative. Proactively managing the supportive IT
services provided by the IT department, so as to fully meet the competing IT-enabled business
processes across the business units, is the core issue of IT Services Management.
REQUIRED:
a) Demonstrate using FOUR example cases across departments, how IT services
Management may be a source of IT risk. [10 Marks]
b) Demonstrate how an organization may harness IT Services Management as a disruptive
strategy in existing markets.

a) Four examples of how IT services management may be a source of IT risk across
departments are:
1. Human Resources Department: The HR department may rely on IT services
management to maintain the accuracy and confidentiality of employee information,
such as personal details, salary information, and performance evaluations. If the IT
department fails to secure this data properly, it may lead to unauthorized access or
data breaches, resulting in reputational damage, legal liabilities, and financial losses
for the organization.
2. Finance Department: The finance department heavily relies on IT services
management to ensure the availability, integrity, and confidentiality of financial
data. For instance, if the IT department fails to maintain proper backups or
implement proper disaster recovery plans, it may lead to the loss of critical financial
data, leading to financial losses or non-compliance with regulatory requirements.
3. Sales and Marketing Department: The sales and marketing department may rely on
IT services management to manage customer data, such as contact details, purchase
history, and preferences. If the IT department fails to secure this data, it may lead to
data breaches, which can damage the reputation of the organization, leading to loss
of customer trust and financial loss.
4. Operations Department: The operations department may rely on IT services
management to manage production schedules, inventory, and supply chain
management. If the IT department fails to maintain the availability of the production
systems, it may lead to delays in production, resulting in decreased productivity,
revenue loss, and customer dissatisfaction.
b) An organization can harness IT services management as a disruptive strategy in existing
markets by implementing the following measures:
1. Agile IT service delivery: By adopting an agile approach to IT services management,
an organization can quickly respond to changing business needs and customer
demands, resulting in improved business performance and customer satisfaction.
2. Automation and digitization: By automating and digitizing IT service management
processes, an organization can reduce manual effort, streamline processes, and
improve efficiency, resulting in faster service delivery and cost savings.
3. Self-service and collaboration: By providing self-service and collaboration tools to
end-users, an organization can improve service quality, reduce response times, and
improve user satisfaction, leading to increased customer loyalty and revenue
growth.
4. Continuous improvement: By continuously monitoring and improving IT services
management processes, an organization can identify areas of improvement,
implement corrective actions, and enhance overall service quality, leading to
increased efficiency, productivity, and competitive advantage.

SOURCES OF IT RISK
IT risk refers to the potential for loss or harm to an organization's information technology
systems and data. There are several sources of IT risk within an organization, including IT
services management, IT project management, and IT information security management.
Here's how each of these areas can contribute to IT risk:
1. IT Services Management: IT services management refers to the processes and
activities involved in delivering IT services to the organization. This can include
activities such as service desk management, incident management, change
management, and problem management. Sources of IT risk in IT services
management can include:
- Service Interruptions: If IT services are interrupted or unavailable, this can have a
significant impact on an organization's operations and productivity. This can be
caused by factors such as hardware failures, software bugs, or network outages.
- Inadequate Service Level Agreements (SLAs): If service level agreements are not
properly defined or agreed upon, this can lead to service delivery issues or
misunderstandings between the IT department and other business units.
- Poor Change Management: Changes to IT services can introduce new risks if they are
not properly planned, tested, and communicated. This can lead to unexpected
downtime, data loss, or security vulnerabilities.
2. IT Project Management: IT project management refers to the processes and activities
involved in planning, executing, and closing IT projects. This can include activities
such as project planning, resource allocation, risk management, and project
monitoring and control. Sources of IT risk in IT project management can include:
- Scope Creep: If project scope is not properly defined or managed, this can lead to
project delays, cost overruns, or quality issues.
- Poor Project Planning: If projects are not properly planned, this can lead to
unrealistic timelines, inadequate resources, or poor project communication.
- Technical Complexity: If projects involve complex technical requirements or
dependencies, this can increase the risk of technical failures or unexpected issues.
3. IT Information Security Management: IT information security management refers to
the processes and activities involved in protecting an organization's information
assets from unauthorized access, use, disclosure, or destruction. This can include
activities such as risk assessments, security policies, access controls, and incident
management. Sources of IT risk in IT information security management can include:
- Cybersecurity Threats: If an organization's systems or data are targeted by cyber
attacks, this can lead to data breaches, loss of intellectual property, or damage to the
organization's reputation.
- Insider Threats: If employees or other insiders intentionally or unintentionally
compromise an organization's security, this can lead to data loss, sabotage, or other
security incidents.
- Inadequate Security Controls: If security controls are not properly designed,
implemented, or maintained, this can lead to vulnerabilities or weaknesses that can
be exploited by attackers.
Overall, IT risk can arise from a variety of sources within an organization, including IT
services management, IT project management, and IT information security management. By
identifying and managing these sources of risk, organizations can reduce their exposure to
IT-related losses and protect their valuable information assets.

QUESTION ONE
The COVID-19 Pandemic has presented a myriad of social and economic challenges both at
individual and organizational level; however, the disease burden has at the same time
exposed especially organizations to new realities which had previously been
unimaginable. Today, phrases such as ‘Work from Home’ are buzzwords. In this new
dispensation data governance programs become significant to organizations as they seek
to facilitate employees’ work in discrete virtual environments. Indeed it is true that, “a
sound data governance program includes a governing body or council, a defined set of
procedures, and a plan to execute those procedures.” As the Chief IT Risk Officer at
Mpulungu Harbor Corporation Limited (MHCL), you are:
Required:
A. To advise Management on the five (5) approaches to safeguarding the digital rights of
employees deriving corporate services via the Internet. [10 Marks]
B. To formulate, with the aid of a diagram the two guiding principles in the design of data
governance and their corresponding governance mechanisms. [15 Marks]

A. Safeguarding the Digital Rights of Employees:

As organizations shift towards virtual environments, it is important to ensure that
employees' digital rights are safeguarded. Here are five approaches that can help
organizations in this regard:
1. Implement Strong Access Controls: Organizations can ensure that only authorized
personnel have access to sensitive data by implementing strong access controls. This
can include measures such as two-factor authentication and the use of VPNs.
2. Regular Security Awareness Training: Employees should be trained on the
importance of data security and the measures they can take to ensure that their
devices are secure. This includes practices such as regularly updating software and
avoiding clicking on suspicious links.
3. Encryption of Sensitive Data: Sensitive data should be encrypted both in transit and
at rest. This ensures that even if the data is intercepted, it will be unintelligible to
anyone without the encryption key.
4. Monitoring and Detection: Organizations should implement tools and procedures to
monitor for unauthorized access and unusual activity. This can include the use of
security information and event management (SIEM) tools, intrusion detection
systems (IDS), and intrusion prevention systems (IPS).
5. Incident Response Plan: Organizations should have an incident response plan in
place in case of a data breach. This should include procedures for identifying the
source of the breach, stopping the attack, and mitigating the damage.
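Approach 4 above (monitoring and detection) is easiest to understand with a concrete rule of the kind a SIEM or IDS evaluates. The following Python example is added here as an illustration and is not part of the original answer: it parses constructed authentication log lines (the line format and the events are made up for the example) and raises an alert when an account accumulates a burst of failed logins inside a sliding time window, escalating the severity if a successful login then follows the burst, which is the pattern a password-guessing attempt that eventually succeeds would leave behind.

```python
"""Detection rule over authentication log lines: alert when a user reaches N
failed logins inside a sliding window, and escalate if a success follows the
burst.  Added illustration; the log format and sample lines are constructed,
not taken from any real SIEM or product."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed line format (constructed for this example):
#   <ISO timestamp> auth user=<name> src=<ip> result=SUCCESS|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$")

# Constructed sample log (not real data): bob shows a burst of failures and a
# success; carol has two failures far apart, which should not alert.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth user=alice src=10.0.0.5 result=SUCCESS
2024-03-01T08:01:10 auth user=bob src=203.0.113.9 result=FAIL
2024-03-01T08:01:15 auth user=bob src=203.0.113.9 result=FAIL
2024-03-01T08:01:21 auth user=bob src=203.0.113.9 result=FAIL
2024-03-01T08:01:28 auth user=bob src=203.0.113.9 result=FAIL
2024-03-01T08:01:40 auth user=bob src=203.0.113.9 result=SUCCESS
2024-03-01T08:05:00 auth user=carol src=10.0.0.7 result=FAIL
2024-03-01T09:30:00 auth user=carol src=10.0.0.7 result=FAIL
2024-03-01T09:31:00 auth user=carol src=10.0.0.7 result=SUCCESS
"""


def parse(line: str) -> dict:
    """Parse one log line into a dict; unknown lines are an error, not ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(log_text: str, threshold: int = 4,
           window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return one alert per user whose failures reach `threshold` within `window`.
    Severity starts at 'medium' and becomes 'high' if that user logs in
    successfully while the burst of failures is still inside the window."""
    recent_failures = defaultdict(deque)  # user -> failure timestamps in window
    alerts: Dict[str, Dict] = {}
    for line in log_text.splitlines():
        ev = parse(line)
        q = recent_failures[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # expire failures older than window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["user"] not in alerts:
                alerts[ev["user"]] = {"user": ev["user"], "src": ev["src"],
                                      "failures": len(q),  # count when crossed
                                      "severity": "medium",
                                      "first_seen": q[0], "last_seen": ev["ts"]}
        elif ev["user"] in alerts and q:  # success while burst still in window
            alerts[ev["user"]]["severity"] = "high"
            alerts[ev["user"]]["last_seen"] = ev["ts"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two choices matter for a rule like this in practice: the window is a sliding one, so two failures hours apart (carol) never add up to a burst, and the rule escalates rather than suppresses when the attempts end in a success, because that is the case the incident response plan in approach 5 has to act on first.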
B. Designing Data Governance:
There are several guiding principles in the design of data governance, which help
organizations manage and protect their data effectively. Here are some of the most
important principles and their corresponding governance mechanisms:
1. Accountability: This principle requires organizations to assign clear ownership and
responsibility for their data assets. This can be achieved by data stewardship roles
and responsibilities, as well as by establishing clear lines of communication and
reporting between different data stakeholders.
2. Transparency: Organizations should strive to be transparent about their data
practices, including how data is collected, used, and shared. This can be facilitated by
data catalogues, data dictionaries, and data lineage tools, which allow stakeholders
to understand the full lifecycle of their data.
3. Compliance: Organizations must comply with applicable laws and regulations related
to data management, such as data privacy laws and regulations like the General Data
Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). This can
be facilitated by data policies and procedures, as well as by conducting regular audits
and assessments to ensure compliance.
4. Security: Data security is critical to protect sensitive and confidential data from
unauthorized access, theft, or loss. This can be achieved by access controls,
encryption, and data classification to ensure that data is only accessible to
authorized personnel.
5. Integrity: Data integrity is critical to ensure that data is accurate, consistent, and
trustworthy. This can be achieved by data validation and verification processes, as
well as by implementing data quality management tools and practices.
6. Availability: Data availability is critical to ensure that data is accessible to authorized
personnel when needed. This can be achieved by backup and disaster recovery
plans, as well as by implementing data replication and distribution strategies to
ensure that data is available across multiple systems and locations.
Overall, the design of effective data governance requires a comprehensive approach that
considers all these guiding principles and their corresponding governance mechanisms.
Organizations should carefully evaluate their data management practices and identify areas
for improvement in order to establish a robust and effective data governance framework.

QUESTION TWO
On the 18th September, 2019 AtlasMara Bank closed its entire branch network in Lusaka
hours after bailiffs pounced on its Headquarters and seized properties. Inside sources
revealed that the main server having been uprooted by the bailiffs adversely impacted
core banking system which included ATMs, Cards, Trust Accounts, SWIFT/Optics, Mobile
banking, Tenga, E-Tax, E-NAPSA and FISP. The bank later in the day assured its customers
that it was in the process of invoking the disaster recovery site in Chongwe so that it could
restart Core banking and Alternate channels. Source: Lusakatimes.com. A week later you
were shortlisted for an interview as a potential employee.
Required:
A. Explain the four possible Key Risk Indicators you presented to the interviewing panel
that the risk department might have failed to detect within the context of the discussion.
[6 Marks]
B. As an expert at risk management, explain the exact reasons you advanced to the panel
concerning operationalization of real-time disaster recovery policies directed by the
central bank to financial institutions such as the one under discussion. [4 Marks]
C. Data governance programs and structures have little or no impact over matters such as
the one under review. Explain specific response(s) you presented to the interviewing
panel to counter this claim. [4 Marks]
A. Possible Key Risk Indicators (KRIs) that the risk department might have failed to detect
within the context of the discussion are:
1. Inadequate Business Continuity Plan (BCP) - This KRI would have been raised if the
risk department had identified that the bank did not have a robust BCP in place to
respond to unexpected events such as the seizure of properties by bailiffs. A lack of a
comprehensive BCP could have led to the delay in restarting core banking and
alternate channels, which would have resulted in significant losses to the bank and
impacted customer confidence.
2. Insufficient disaster recovery site testing - This KRI would have been raised if the risk
department had identified that the bank had not adequately tested its disaster
recovery site in Chongwe before the incident. Inadequate testing could have resulted
in the disaster recovery site not functioning as intended, leading to extended
downtime and significant financial losses.
3. Inadequate security controls - This KRI would have been raised if the risk department
had identified that the bank had not implemented adequate security controls to
prevent unauthorized access to its systems and data. A lack of proper security
controls could have facilitated the seizure of the main server and impacted the
bank's ability to restore its systems and operations.
4. Poor vendor management - This KRI would have been raised if the risk department
had identified that the bank had not conducted adequate due diligence on its
vendors and service providers. Poor vendor management could have resulted in the
bank relying on vendors who were not reliable or did not have adequate disaster
recovery capabilities, leading to extended downtime and significant financial losses.
B. The operationalization of real-time disaster recovery policies directed by the central bank
to financial institutions such as the one under discussion is essential for ensuring the rapid
recovery of critical systems and operations following unexpected incidents. During the
interview, I would have explained that real-time disaster recovery policies should be
designed to ensure that banks can quickly switch over to alternate systems and operations
in the event of a disaster.
The key reasons why real-time disaster recovery policies are essential include:
1. Minimizing downtime - Real-time disaster recovery policies are designed to minimize
downtime by ensuring that banks can quickly restore their critical systems and
operations. This is important because extended downtime can result in significant
financial losses and damage to customer confidence.
2. Maintaining customer confidence - Real-time disaster recovery policies are essential
for maintaining customer confidence in the bank's ability to respond to unexpected
incidents. This is important because customers expect their banks to be able to
provide uninterrupted services, even in the face of unexpected events.
3. Meeting regulatory requirements - The central bank requires financial institutions to
have robust disaster recovery policies and procedures in place. Failure to comply
with these requirements can result in regulatory fines and reputational damage.
4. Protecting against reputational damage - Real-time disaster recovery policies are
designed to protect banks against reputational damage by ensuring that they can
respond quickly to unexpected incidents. This is important because reputational
damage can result in significant financial losses and long-term damage to the bank's
brand.
5. Preventing financial loss - Real-time recovery limits the direct losses suffered by
both customers and the institution, such as failed or delayed payments and the cost
of manual workarounds for the duration of an outage.

C. Data governance programs and structures have a significant impact on matters such as
the one under review. During the interview, I would have explained that effective data
governance programs and structures are essential for ensuring that banks can quickly
respond to unexpected incidents and recover critical systems and operations.
The specific responses that I would have presented to counter this claim include:
1. Data governance programs ensure data accuracy and completeness - Effective data
governance programs ensure that data is accurate and complete. This is essential for
disaster recovery, as inaccurate or incomplete data can result in extended downtime
and financial losses.
2. Data governance programs enable effective data backup and recovery - Effective
data governance programs ensure that data is backed up regularly, that restores are
tested, and that data can be recovered quickly in the event of a disaster. This is
important because rapid data recovery is essential for minimizing downtime and
reducing financial losses.
3. Data governance programs ensure regulatory compliance - Effective data governance
programs ensure that banks comply with regulatory requirements for data
management and disaster recovery. This is important because non-compliance can
result in regulatory fines and reputational damage.
4. Data governance programs facilitate effective vendor management - Effective data
governance programs ensure that banks conduct proper due diligence on their
vendors and service providers. This is important for disaster recovery, as reliable
vendors with adequate disaster recovery capabilities are essential for minimizing
downtime and reducing financial losses.
Overall, effective data governance programs and structures are essential for ensuring
that banks can quickly respond to unexpected incidents and recover critical systems
and operations. Without adequate data governance, banks may struggle to recover
from disasters and may face significant financial losses and reputational damage.
QUESTION

The Zambia Interbank Payment and Settlement System (ZIPSS) is the interbank payment
system or the Real Time Gross Settlement system for Zambia controlled, managed and
operated by the Bank of Zambia (BOZ) that facilitates interbank electronic transfer of
funds between the BOZ and the participants which are the Commercial Banks and, at
times the Non-Bank financial institutions. The BOZ adopts the use of Public Key
Infrastructure (PKI) which are essentially encryption techniques that protect the integrity
of data packets in transit from risk exposure. Required: A. Differentiate public from secret
key encryption. [2 Marks] B. A computer at INDO-ZAMBIA bank intends transmitting
Zambian Kwacha 5610 over the ZIPSS to BOZ and onward to ABSA on a normal intraday
trading. Determine the ciphertext using the key, C2D7, assuming the ZIPSS uses the
simplified Advanced Encryption Standard. Show all your work clearly!
A.
Public key (asymmetric) encryption and secret key (symmetric) encryption differ in how
keys are generated, shared, and used.
Public key encryption uses a mathematically related key pair: a public key, which may be
published, and a private key, which is held only by its owner. Data encrypted with the
public key can be decrypted only with the private key, and a signature made with the
private key can be verified by anyone holding the public key. This solves key distribution
over an untrusted network such as the interbank link and is the basis of the PKI the BOZ
operates: certificates bind a participant's identity to its public key, and a digital signature
over each payment message gives integrity and non-repudiation. Asymmetric operations
are slow, so they are used for key establishment and signing rather than for bulk data.
Secret key encryption uses a single key for both encryption and decryption, so sender
and receiver must share it in advance over a secure channel and keep it confidential. It is
fast and is used for the bulk of the data, both in transit (the session keys inside a TLS
connection) and at rest. In practice the two are combined: a certificate-based handshake
establishes a fresh symmetric session key, which then encrypts the traffic. Note that
encryption on its own protects confidentiality; integrity of packets in transit requires a
message authentication code or a digital signature in addition.
B.
The question specifies the simplified Advanced Encryption Standard (S-AES), the
teaching cipher of Musa, Schaefer and Wedig, not the AES-128 used in production.
S-AES works on a 16-bit block with a 16-bit key, uses two rounds, a 4-bit S-box, a row
swap, a MixColumns step over GF(2^4) with modulus x^4 + x + 1, and three 16-bit round
keys. That is why the question supplies a four-hex-digit key: C2D7 (1100 0010 1101 0111)
is exactly one S-AES key. Treating the message as AES-128, or running it through an
online AES tool, is not a valid answer: AES-128 needs a 128-bit key, and the 19-byte
string "Zambian Kwacha 5610" is 152 bits, one full 128-bit block plus 24 bits, so it does
not form "3 blocks of 128 bits" either.
Because S-AES encrypts 16 bits at a time, the amount has to be expressed as a 16-bit
block. The natural reading is the amount 5610 as an integer, 5610 = 0x15EA =
0001 0101 1110 1010 (an assumption; if the marker expects the ASCII text instead, each
pair of characters is one block and the same procedure is repeated per block, in which
case a mode of operation such as CBC should be stated, since ECB would reveal any
repeated blocks). The S-box used below is the standard S-AES table:
   0->9 1->4 2->A 3->B 4->D 5->1 6->8 7->5 8->6 9->2 A->0 B->3 C->C D->E E->F F->7
Step 1. Key expansion. w0 and w1 are the two bytes of the key; g(w, rcon) rotates the
two nibbles of w, substitutes each through the S-box, and XORs the round constant:
   w0 = C2, w1 = D7
   w2 = w0 XOR g(w1, 80) = C2 XOR SubNib(7D) XOR 80 = C2 XOR 5E XOR 80 = 1C
   w3 = w2 XOR w1 = 1C XOR D7 = CB
   w4 = w2 XOR g(w3, 30) = 1C XOR SubNib(BC) XOR 30 = 1C XOR 3C XOR 30 = 10
   w5 = w4 XOR w3 = 10 XOR CB = DB
   Round keys: K0 = C2D7, K1 = 1CCB, K2 = 10DB
Step 2. Add round key 0: 15EA XOR C2D7 = D73D. The state is filled column by column,
so the nibbles are s00 = D, s10 = 7, s01 = 3, s11 = D.
Step 3. Round 1:
   Nibble substitution: D->E, 7->5, 3->B, D->E gives E5BE
   Shift row (swap the two nibbles of the second row, s10 and s11): EEB5
   Mix columns with the matrix [[1,4],[4,1]] over GF(2^4):
      column 0 = (E, E): E XOR 4*E = E XOR D = 3 ; 4*E XOR E = D XOR E = 3
      column 1 = (B, 5): B XOR 4*5 = B XOR 7 = C ; 4*B XOR 5 = A XOR 5 = F
      state 33CF
   Add round key 1: 33CF XOR 1CCB = 2F04
Step 4. Round 2 (the final round has no mix columns):
   Nibble substitution: 2->A, F->7, 0->9, 4->D gives A79D
   Shift row: AD97
   Add round key 2: AD97 XOR 10DB = BD4C
Therefore the ciphertext for the amount 5610 (0x15EA) under key C2D7 is
BD4C = 1011 1101 0100 1100. As a check, decrypting BD4C with the inverse S-box, the
same row swap, the inverse MixColumns matrix [[9,2],[2,9]] and the round keys in
reverse order returns 15EA. S-AES exists only for teaching: its 16-bit key space is
searched in an instant, so a real payment system uses full AES with 128-bit or longer
keys.
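The following is an added S-AES implementation that reproduces the computation above and records every intermediate state so the work can be shown and checked. It is not part of the original answer and is not software used by ZIPSS or the BOZ. It assumes the plaintext is the 16-bit amount 0x15EA (5610) and that C2D7 is the 16-bit key; the textbook test vector (key A73B, plaintext 6F6B, ciphertext 0738) is the usual check that the S-box, key schedule and MixColumns are wired correctly, and the same code handles any 16-bit key and block:

```python
# S-AES (Musa, Schaefer & Wedig): 16-bit block, 16-bit key, two rounds.
# Added worked example; not code from the original answer or from ZIPSS/BOZ.
# Assumption: the amount 5610 is the 16-bit plaintext 0x15EA and C2D7 is the 16-bit key.

SBOX = [0x9, 0x4, 0xA, 0xB, 0xD, 0x1, 0x8, 0x5,
        0x6, 0x2, 0x0, 0x3, 0xC, 0xE, 0xF, 0x7]
INV_SBOX = [SBOX.index(i) for i in range(16)]
MIX = (1, 4)       # MixColumns matrix [[1,4],[4,1]]
INV_MIX = (9, 2)   # its inverse over GF(2^4): [[9,2],[2,9]]


def gf_mul(a, b):
    """Multiply two nibbles in GF(2^4) modulo x^4 + x + 1 (0b10011)."""
    p = 0
    for _ in range(4):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x10:
            a ^= 0x13
        b >>= 1
    return p & 0xF


def nibbles(w):
    """16-bit word -> [s00, s10, s01, s11]; S-AES fills the 2x2 state column by column."""
    return [(w >> 12) & 0xF, (w >> 8) & 0xF, (w >> 4) & 0xF, w & 0xF]


def word(s):
    return (s[0] << 12) | (s[1] << 8) | (s[2] << 4) | s[3]


def sub_nib(s, box=SBOX):
    return [box[x] for x in s]


def shift_row(s):
    """Row 0 is unchanged; row 1 (s10, s11) is rotated by one nibble, i.e. swapped."""
    return [s[0], s[3], s[2], s[1]]


def mix_col(s, m):
    a, b = m
    s00, s10, s01, s11 = s
    return [gf_mul(a, s00) ^ gf_mul(b, s10), gf_mul(b, s00) ^ gf_mul(a, s10),
            gf_mul(a, s01) ^ gf_mul(b, s11), gf_mul(b, s01) ^ gf_mul(a, s11)]


def expand_key(key):
    """Return the three 16-bit round keys (K0, K1, K2)."""
    def g(w, rcon):
        rot = ((w << 4) | (w >> 4)) & 0xFF                       # RotNib
        return ((SBOX[rot >> 4] << 4) | SBOX[rot & 0xF]) ^ rcon  # SubNib, then round constant
    w = [key >> 8, key & 0xFF]
    w.append(w[0] ^ g(w[1], 0x80))
    w.append(w[2] ^ w[1])
    w.append(w[2] ^ g(w[3], 0x30))
    w.append(w[4] ^ w[3])
    return (w[0] << 8) | w[1], (w[2] << 8) | w[3], (w[4] << 8) | w[5]


def encrypt_block(pt, key, trace=None):
    """Encrypt one 16-bit block; if trace is a list, every intermediate state is appended."""
    def log(label, s):
        if trace is not None:
            trace.append((label, "%04X" % word(s)))
        return s
    k0, k1, k2 = expand_key(key)
    s = log("add K0", nibbles(pt ^ k0))
    s = log("r1 sub", sub_nib(s))
    s = log("r1 shift", shift_row(s))
    s = log("r1 mix", mix_col(s, MIX))
    s = log("add K1", nibbles(word(s) ^ k1))
    s = log("r2 sub", sub_nib(s))
    s = log("r2 shift", shift_row(s))
    s = log("add K2", nibbles(word(s) ^ k2))
    return word(s)


def decrypt_block(ct, key):
    """Undo the rounds in reverse order with the inverse S-box and inverse MixColumns."""
    k0, k1, k2 = expand_key(key)
    s = sub_nib(shift_row(nibbles(ct ^ k2)), INV_SBOX)   # undo round 2
    s = mix_col(nibbles(word(s) ^ k1), INV_MIX)           # undo round 1
    s = sub_nib(shift_row(s), INV_SBOX)
    return word(s) ^ k0


if __name__ == "__main__":
    steps = []
    ct = encrypt_block(0x15EA, 0xC2D7, steps)   # constructed input, see assumption above
    print("round keys: %04X %04X %04X" % expand_key(0xC2D7))
    for label, state in steps:
        print("%-9s %s" % (label, state))
    print("ciphertext %04X, decrypts to %04X" % (ct, decrypt_block(ct, 0xC2D7)))
```

Running it prints the round keys 1CCB and 10DB, the eight intermediate states, and the ciphertext BD4C; edit the input in the main block to try other values. The 16-bit key space makes this cipher useless outside the classroom, which is the point to make if a marker asks why ZIPSS cannot literally use S-AES.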

QUESTION FOUR
IT governance should be viewed as how IT creates value that fits into the overall
Corporate Governance Strategy of the organization, and never be seen as a discipline on
its own. In taking this approach, all stakeholders would be required to participate in the
decision making process. This creates a shared acceptance of responsibility for critical
systems and ensures that IT related decisions are made and driven by the business and
not vice versa.
Required: A.
To prepare a summary presentation to advocate for the essence of IT Governance to the
Management Committee at the Road Transport and Safety Agency (RTSA) while
highlighting any FIVE IT Governance best practices. [12 Marks]
B. To reinforce the value of IT Governance to information system auditors at the RTSA. [8
Marks]

A. Summary Presentation for RTSA Management Committee:


Title: The Essence of IT Governance and Five Best Practices
Introduction: The purpose of this presentation is to advocate for the essence of IT
Governance at RTSA and highlight five best practices that can help to achieve effective IT
governance.
Definition: IT Governance is the framework for managing and controlling IT resources in line
with organizational objectives. It is a process that enables organizations to ensure that IT
investments deliver value, manage risks effectively, and align IT strategy with business goals.
Importance: IT governance is critical for RTSA because it helps to ensure that IT investments
are aligned with business objectives, manage risks associated with IT, ensure compliance
with regulatory requirements, and ensure that IT resources are utilized efficiently and
effectively.
Best Practices:
1. IT Governance Framework: RTSA should have a comprehensive IT governance
framework that defines the roles and responsibilities of stakeholders, establishes
decision-making processes, and provides a framework for managing IT risks and
ensuring compliance.
2. IT Strategy Alignment: RTSA should align IT strategy with business goals, ensure that
IT investments are aligned with business objectives, and regularly review the IT
strategy to ensure that it remains relevant and aligned with the organization's goals.
3. Risk Management: RTSA should establish a risk management framework that
identifies, assesses, and manages IT risks. This framework should be integrated with
the organization's overall risk management framework.
4. IT Performance Management: RTSA should establish metrics to measure the
performance of IT investments, monitor the performance of IT resources, and
regularly review IT performance against established targets.
5. IT Investment Management: RTSA should establish a process for managing IT
investments, from identifying investment opportunities to evaluating and selecting
investment options, monitoring and controlling investment performance, and
ensuring that IT investments deliver value to the organization.
Conclusion: Effective IT governance is essential for RTSA to ensure that IT investments
deliver value, manage risks effectively, and align IT strategy with business goals. By
implementing these best practices, RTSA can establish a comprehensive IT governance
framework that enables the organization to make informed decisions and ensure that IT
resources are utilized efficiently and effectively.

B. Reinforcing the Value of IT Governance to Information System Auditors at RTSA:

Title: The Value of IT Governance to Information System Auditors
Introduction: The purpose of this presentation is to reinforce the value of IT governance to
information system auditors at RTSA.
Definition: IT Governance is the framework for managing and controlling IT resources in line
with organizational objectives. It is a process that enables organizations to ensure that IT
investments deliver value, manage risks effectively, and align IT strategy with business goals.
Importance: IT governance is essential for information system auditors at RTSA because it
gives them a defined set of objectives, controls, and accountabilities to audit against: it
requires that IT investments are aligned with business objectives, that IT risks are managed,
that regulatory requirements are met, and that IT resources are used efficiently and
effectively.
Value to Information System Auditors:
1. Risk Management: IT governance requires the organization to identify, assess, and treat
IT risks in a structured way and to maintain a risk register. This gives auditors a
documented baseline against which to test whether the risks that matter have been
identified and whether the chosen treatments are actually operating.
2. Compliance: IT governance maps regulatory and contractual requirements to specific
controls and control owners. Auditors can then test conformance against defined
control objectives instead of reconstructing the requirements themselves.
3. Efficiency: IT governance sets performance measures and value targets for IT
investments. Auditors can use these to assess whether IT resources are used efficiently
and whether investments deliver the value that was promised.
4. Alignment: IT governance ties IT decisions to business objectives through a documented
strategy and investment portfolio. Auditors can verify that IT activity supports the
organization's strategy and goals rather than drifting from them.
5. Decision Making: IT governance defines who decides what, through which committees,
and on what evidence. This gives auditors an audit trail of decisions, approvals, and
accountability, which is what makes IT decisions examinable at all.

EXAM QUESTIONS

09 GOVERNANCE MODEL OF IT RISK MANAGEMENT

The governance model of IT risk management has four components that work together to
ensure that IT risks are identified, assessed, and managed effectively within an organization.
Here are the functions of each component:
1. Oversight: The oversight component is responsible for setting the overall direction
and strategy for IT risk management. It involves senior management and the board
of directors, who provide guidance on IT risk management policies, procedures, and
standards. The functions of the oversight component include:
- Setting the objectives and priorities for IT risk management
- Establishing policies and procedures for IT risk management
- Defining roles and responsibilities for IT risk management
- Monitoring and assessing the effectiveness of IT risk management activities
2. Operations: The operations component is responsible for implementing the IT risk
management strategy and objectives. It involves IT and business units, who work
together to identify and assess IT risks, and develop and implement risk
management plans to mitigate those risks. The functions of the operations
component include:
- Identifying and assessing IT risks
- Developing and implementing risk management plans
- Establishing controls to mitigate IT risks
- Monitoring and testing controls to ensure they are effective
3. Monitoring: The monitoring component is responsible for ensuring that the IT risk
management strategy and objectives are being met. It involves regular monitoring
and reporting on IT risks, as well as assessing the effectiveness of risk management
controls and making adjustments as needed. The functions of the monitoring
component include:
- Monitoring and reporting on IT risks
- Assessing the effectiveness of risk management controls
- Making adjustments to risk management activities as needed
- Providing regular reports on IT risk management to senior management and the
board of directors
4. Engagement: The engagement component is responsible for engaging stakeholders
in IT risk management. It involves communication and collaboration with internal
and external stakeholders, such as employees, customers, partners, regulators, and
auditors, to ensure that they are aware of IT risks and their role in managing those
risks. The functions of the engagement component include:
- Communicating IT risk management policies and procedures to stakeholders
- Providing training and education on IT risks and risk management
- Collaborating with stakeholders to identify and assess IT risks
- Coordinating with auditors and regulators on IT risk management activities
By having these four components working together, organizations can establish a
comprehensive approach to IT risk management that helps to minimize potential negative
impacts on the business.

10. USING A DIAGRAM, ILLUSTRATE HOW IT GOVERNANCE AND MANAGEMENT MAY BE
ADOPTED TO REINFORCE, SENSE, COMBAT AND MANAGE ENTERPRISE RISK

                        ____________
                       |    Risk    |
                       | Management |
                       |____________|
                              |
        ______________________|_______________________
       |                IT Governance                 |
       |______________________________________________|
            |                  |                  |
   _________|_________   ______|_______   ________|_______
  |   IT Strategy &   | |     ITIL     | |     COBIT      |
  |   Architecture    | |   (Service   | |    (Control    |
  |___________________| |  Management) | |   Objectives)  |
       |            |   |______________| |________________|
  _____|_____   ____|________  |                  |
 | IT Ops &  | | IT Security | |                  |
 | Management| | Management  | |                  |
 |___________| |_____________| |                  |
       |            |          |                  |
  _____|____________|__________|__________________|_____
 |              Enterprise Risk Management              |
 |______________________________________________________|

The diagram reads top-down: the risk management direction set by the board drives IT
governance; governance is implemented through IT strategy and architecture, a service
management practice (ITIL) and a control framework (COBIT); these in turn direct IT
operations and IT security management; and the controls, incidents and measurements
from all of them feed back into enterprise risk management. Adopting it involves the
following steps:
1. Establish a Governance Framework: The organization should establish an IT governance
framework that aligns IT with business objectives and defines the roles and responsibilities
of IT and business units.
2. Identify Risks: The organization should identify and assess risks associated with IT
operations, systems, and data. This may involve a formal risk assessment process and the
creation of a risk register.
3. Develop Risk Mitigation Strategies: Based on the risk assessment, the organization should
develop risk mitigation strategies that align with the organization's risk tolerance and
objectives.
4. Implement Controls: The organization should implement controls to manage and mitigate
identified risks. This may involve technical controls, such as firewalls and encryption, as well
as procedural controls, such as access controls and segregation of duties.
5. Monitor and Measure Performance: The organization should continuously monitor and
measure IT performance against established controls, policies, and procedures. This may
involve regular assessments of controls and the use of key performance indicators (KPIs) to
track progress.
6. Review and Improve: The organization should regularly review and improve its IT
governance and management processes based on changes in the risk environment, business
objectives, and best practices.
Overall, the adoption of IT governance and management can help organizations to better identify,
manage, and mitigate risks associated with their IT operations, systems, and data.

11. DISCUSS THE CONCEPT OF DISASTER RECOVERY AND ITS RELATIONSHIP TO BUSINESS
CONTINUITY WHILST OUTLINING THE SEQUENTIAL STEPS INVOLVED IN RISK MANAGEMENT
Disaster recovery and business continuity are closely related concepts in the field of risk
management. Disaster recovery is the process of restoring IT systems and data after an unplanned
event, such as a natural disaster or cyber-attack, has disrupted operations. Business continuity, on
the other hand, is the broader process of ensuring that an organization can continue to operate after
such an event.
The goal of disaster recovery is to minimize downtime and data loss by restoring IT systems and data
to their pre-disaster state as quickly as possible. This involves the use of backup and recovery
processes and technologies, such as offsite data replication and cloud-based backup solutions.
Disaster recovery plans also typically include procedures for notifying stakeholders, testing and
validating recovery procedures, and ongoing monitoring of IT systems to ensure their ongoing
availability and integrity.
Business continuity, on the other hand, involves a broader set of activities and processes aimed at
ensuring that an organization can continue to operate during and after a disaster. This may include
contingency planning, developing alternative work arrangements, and maintaining communication
with stakeholders. The goal of business continuity is to minimize the impact of a disaster on an
organization's operations, reputation, and financial performance.
In general, the steps involved in risk management include:
1. Identify risks: This involves identifying potential risks to an organization's IT systems, data,
and operations. This may include conducting risk assessments, analyzing threat vectors, and
identifying vulnerabilities.
2. Assess risks: Once risks have been identified, they must be assessed to determine their
likelihood and potential impact. This may involve developing risk models, performing
scenario analysis, and assessing the effectiveness of existing controls.
3. Develop risk management strategies: Based on the assessment of risks, risk management
strategies must be developed to address them. This may involve developing risk mitigation
plans, implementing controls, and developing contingency plans.
4. Implement controls: Once risk management strategies have been developed, controls must
be implemented to manage and mitigate identified risks. This may involve technical controls,
such as firewalls and encryption, as well as procedural controls, such as access controls and
segregation of duties.
5. Monitor and measure performance: Organizations must continuously monitor and measure
the effectiveness of risk management strategies and controls. This may involve regular
assessments of controls and the use of key performance indicators (KPIs) to track progress.
6. Review and improve: Finally, organizations must regularly review and improve their risk
management processes based on changes in the risk environment, business objectives, and
best practices.
In summary, disaster recovery and business continuity are two key components of an organization's
overall risk management strategy. By identifying, assessing, and managing risks to IT systems, data,
and operations, organizations can minimize the impact of potential disasters and ensure their
ongoing availability and integrity.

12. DISCUSS THE DIFFERENCE BETWEEN IT GOVERNANCE AND MANAGEMENT AS FAR AS IT RISK IS
CONCERNED

IT governance and management are two distinct but related concepts in the field of information
technology. Both play a critical role in managing IT risk, but they differ in their scope and focus.
IT governance refers to the overall framework, policies, and processes that guide how an
organization's IT resources are used and managed to support the organization's goals and objectives.
IT governance focuses on aligning IT activities with business objectives, ensuring that IT investments
deliver value, managing IT risks, and ensuring compliance with legal and regulatory requirements.
IT management, on the other hand, refers to the day-to-day operational activities that are required
to manage IT resources effectively. IT management focuses on planning, organizing, and controlling
IT resources to deliver specific IT services and products that support the business. IT management
involves tasks such as managing IT infrastructure, developing and maintaining applications, providing
technical support, and managing IT projects.
When it comes to IT risk management, IT governance and management play complementary roles. IT
governance sets the overall risk management framework for the organization, including the policies,
standards, and procedures that guide risk management activities. IT governance also ensures that IT
risks are identified, assessed, and managed in a systematic and coordinated way across the
organization.
IT management, on the other hand, implements the risk management framework by ensuring that
specific IT risks are identified, assessed, and managed as part of day-to-day operations. IT
management also ensures that IT risks are managed in accordance with the organization's risk
appetite and that the organization is able to respond effectively to emerging risks.
In summary, while both IT governance and management play critical roles in managing IT risk, IT
governance sets the overall risk management framework for the organization, while IT management
implements the framework at the operational level. By working together, IT governance and
management can help organizations to identify, assess, and manage IT risks in a coordinated and
effective way that supports the organization's overall goals and objectives.

13. EXPLAIN TWO CONSTRUCTS OF PERFORMANCE AND CONFORMANCE IN RELATION TO IT
GOVERNANCE
In the context of IT governance, performance and conformance are two important constructs that
are used to measure the effectiveness of an organization's IT governance practices.
Performance refers to the extent to which an organization's IT governance practices are effective in
achieving the organization's objectives. Effective IT governance practices can help to ensure that IT
resources are aligned with business objectives, that IT investments deliver value, and that IT risks are
managed in a way that supports the organization's overall goals.
Measuring IT governance performance typically involves using metrics that are aligned with the
organization's objectives. For example, an organization may use metrics such as IT cost as a
percentage of revenue, time to market for new IT products or services, or customer satisfaction with
IT services. By measuring performance, organizations can identify areas where IT governance
practices are effective and where they may need improvement.
Conformance, on the other hand, refers to the extent to which an organization's IT governance
practices are aligned with established standards and best practices. Conformance is important
because it helps to ensure that an organization's IT governance practices are consistent with industry
norms and that they comply with legal and regulatory requirements.
Measuring IT governance conformance typically involves using frameworks or standards that are
widely accepted in the industry, such as COBIT or ISO/IEC 27001. These frameworks provide
guidelines for IT governance best practices and can be used to assess an organization's IT
governance practices against established norms.
In summary, performance and conformance are two important constructs in IT governance that are
used to measure the effectiveness of an organization's IT governance practices. Performance focuses
on achieving the organization's objectives, while conformance focuses on aligning IT governance
practices with established standards and best practices. By measuring both performance and
conformance, organizations can ensure that their IT governance practices are effective, efficient, and
compliant with legal and regulatory requirements.

14. DISCUSS KEY RISK INDICATORS TO ENTERPRISE SERVER SYSTEM
Enterprise server systems are critical components of an organization's IT infrastructure, and as such,
they are often subject to a range of risks that can impact their availability, integrity, and
confidentiality. To manage these risks effectively, organizations need to identify and track key risk
indicators (KRIs) that are specific to their enterprise server systems. Here are some of the key risk
indicators that organizations should consider when managing risks to enterprise server systems:
1. System availability: Server downtime can be costly for organizations, both in terms of lost
productivity and revenue. Organizations should track KRIs such as system uptime, mean time
between failures (MTBF), and mean time to repair (MTTR) to ensure that their servers are
available when needed.
2. Security incidents: Enterprise server systems are often targeted by cyber attackers seeking to
steal sensitive data or disrupt operations. KRIs such as the number of security incidents, the
number of attempted attacks, and the time to detect and respond to security incidents can
help organizations to monitor the effectiveness of their security controls and identify areas
for improvement.
3. System performance: Poor server performance can impact user experience and productivity.
KRIs such as response time, throughput, and resource utilization can help organizations to
monitor server performance and identify areas for optimization.
4. Compliance with regulations and standards: Many organizations are subject to regulatory
requirements and industry standards that govern the use and management of enterprise
server systems. KRIs such as compliance with relevant regulations and standards, the
number of compliance violations, and the time to resolve compliance issues can help
organizations to ensure that their server systems are compliant with applicable
requirements.
5. Change management: Changes to enterprise server systems can introduce new risks or
vulnerabilities if not managed effectively. KRIs such as the number of unauthorized changes,
the time to implement changes, and the success rate of changes can help organizations to
monitor their change management processes and ensure that changes are implemented in a
controlled and effective manner.
By tracking these and other relevant KRIs, organizations can identify and manage risks to their
enterprise server systems effectively, and ensure that their servers remain available, secure, and
compliant with applicable regulations and standards.
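As an added example, not from the page, the following computes the availability and change management KRIs named above (uptime percentage, MTBF, MTTR, count of unauthorized changes, change success rate) from constructed outage and change records, and reports which ones breach a threshold. The records, the 30-day window and the threshold values are invented for illustration; a real risk function would take them from the monitoring and change management systems and from its own risk appetite.

```python
# Added example: turning the server KRIs above into numbers and threshold checks.
# All records, the observation window and the thresholds below are constructed
# for illustration; they are not data from the page.
from datetime import datetime

WINDOW_HOURS = 30 * 24   # assumed 30-day observation window

# Constructed outage records for one server: (start, end) in ISO 8601.
OUTAGES = [
    ("2024-03-03T02:10:00", "2024-03-03T03:40:00"),   # 90 minutes
    ("2024-03-14T11:00:00", "2024-03-14T11:30:00"),   # 30 minutes
    ("2024-03-27T22:05:00", "2024-03-28T01:05:00"),   # 180 minutes
]

# Constructed change tickets; 'approved' records whether the change went through approval.
CHANGES = [
    {"id": "CHG-1", "approved": True,  "success": True},
    {"id": "CHG-2", "approved": False, "success": True},    # made outside the change process
    {"id": "CHG-3", "approved": True,  "success": False},   # approved but rolled back
    {"id": "CHG-4", "approved": True,  "success": True},
]

# Illustrative thresholds: (comparison the value must satisfy, limit).
THRESHOLDS = {
    "uptime_pct":           (">=", 99.5),
    "mttr_hours":           ("<=", 2.0),
    "unauthorized_changes": ("<=", 0),
    "change_success_pct":   (">=", 90.0),
}


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def availability_kris(outages, window_hours):
    """Uptime %, MTBF (operating hours per failure) and MTTR (downtime hours per failure)."""
    downtime = sum(_hours(s, e) for s, e in outages)
    failures = len(outages)
    uptime = window_hours - downtime
    return {
        "uptime_pct": 100.0 * uptime / window_hours,
        "mtbf_hours": uptime / failures if failures else float("inf"),
        "mttr_hours": downtime / failures if failures else 0.0,
    }


def change_kris(changes):
    """Number of changes that bypassed approval, and the share of changes that succeeded."""
    unauthorized = sum(1 for c in changes if not c["approved"])
    succeeded = sum(1 for c in changes if c["success"])
    return {
        "unauthorized_changes": unauthorized,
        "change_success_pct": 100.0 * succeeded / len(changes) if changes else 100.0,
    }


def breached(kris, thresholds):
    """Names of the KRIs present in `kris` whose value violates their threshold, sorted."""
    ops = {">=": lambda v, t: v >= t, "<=": lambda v, t: v <= t}
    return sorted(name for name, (op, limit) in thresholds.items()
                  if name in kris and not ops[op](kris[name], limit))


def server_kris(outages=OUTAGES, changes=CHANGES, window_hours=WINDOW_HOURS):
    """All KRIs for the window plus the list of those that breached a threshold."""
    kris = {**availability_kris(outages, window_hours), **change_kris(changes)}
    kris["breached"] = breached(kris, THRESHOLDS)
    return kris


if __name__ == "__main__":
    for name, value in server_kris().items():
        print("%-21s %s" % (name, "%.2f" % value if isinstance(value, float) else value))
```

With the constructed data the server is 99.31% available (below the 99.5% target), MTTR is well inside the two-hour limit, one change bypassed approval and only three of four changes succeeded, so three of the four thresholds are breached. MTBF is reported but deliberately has no threshold here: with three failures in a month it is too small a sample to set one against.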
