Workflow management systems aid the systematic control of work-processes for users
within and across departments. Further, the systems provide Management with an
eagle's eye on process-status scrutiny and document approvals. In all these information
exchanges, safeguarding the digital rights of corporate users is at the core of IT risk.
REQUIRED:
a) Demonstrate, where possible through use of diagrams (if any), the relationship or
variable dependencies between IT Governance and Information Security.
IT governance and information security are two related but distinct concepts in the field of
information technology. IT governance refers to the processes and structures used by
organizations to ensure that IT investments align with their business objectives, while
information security refers to the protection of information assets from unauthorized
access, use, disclosure, disruption, modification, or destruction.
There are several ways in which IT governance and information security are related, and
their relationship can be depicted using a few different models or diagrams. Here are a few
examples:
1. IT Governance and Information Security Frameworks
One way to illustrate the relationship between IT governance and information security is
through the use of frameworks. Both IT governance and information security have their own
frameworks, which are designed to provide a structured approach to managing their
respective areas.
For example, COBIT is the framework most widely used for IT governance, while the
Information Technology Infrastructure Library (ITIL) covers IT service management, that is,
the operational delivery of IT that governance oversees. Similarly, the ISO/IEC 27001
standard provides a framework for an information security management system. These
frameworks can be used in conjunction with each other to ensure that IT investments are
aligned with business objectives and that information assets are protected from threats.
2. IT Governance and Information Security Controls
Another way to illustrate the relationship between IT governance and information security is
through the use of controls. IT governance controls are designed to ensure that IT
investments are aligned with business objectives, while information security controls are
designed to protect information assets.
There are many different types of IT governance controls, such as financial controls, risk
management controls, and compliance controls. Information security controls can include
access controls, encryption, firewalls, and intrusion detection systems.
By implementing both IT governance and information security controls, organizations can
ensure that their IT investments are aligned with their business objectives and that their
information assets are protected from threats.
3. IT Governance and Information Security Risk Management
Finally, IT governance and information security are related through their shared focus on
risk management. IT governance risk management is concerned with identifying and
managing risks to IT investments, while information security risk management is concerned
with identifying and managing risks to information assets.
Both IT governance and information security risk management require organizations to
identify risks, assess their likelihood and impact, and develop strategies to manage them. By
taking a risk-based approach to IT governance and information security, organizations can
ensure that their investments are aligned with their business objectives and that their
information assets are protected from threats.
Overall, while IT governance and information security are distinct concepts, they are closely
related and can be depicted using a variety of models or diagrams. By ensuring that both
areas are properly managed, organizations can maximize the value of their IT investments
while protecting their critical information assets.
The following diagram illustrates the relationship between IT Governance and Information
Security:
IT Governance
|
(Provides framework)
|
v
Information Security
|
(Ensures protection)
|
v
Business Objectives
IT Governance provides the framework for implementing and maintaining Information
Security controls, policies, and procedures. Information Security, in turn, enables the
protection of information assets, which is essential for achieving the objectives of IT
Governance. Effective Information Security controls and practices ensure the confidentiality,
integrity, and availability of information assets, which are critical to achieving business
objectives.
b) Explain any FIVE techniques that may be adopted in safeguarding the digital rights of
corporate information system users
Five techniques that may be adopted in safeguarding the digital rights of corporate
information system users are:
1. Access Control: This technique involves the implementation of authentication and
authorization controls to limit access to sensitive data and IT resources to authorized
users only, and to the least privilege each role needs. It can include strong passwords
combined with multi-factor authentication, biometric authentication, and role-based
access controls tied to workflow steps, so that a user can only approve documents
assigned to their role.
2. Encryption: This technique involves the use of encryption algorithms to convert
sensitive data into an unreadable format that can only be decrypted by holders of the
corresponding key. It can be applied to data at rest or in transit, such as email messages, file
transfers, and database records, and it protects users only as long as the keys themselves
are managed securely.
3. Backup and Recovery: This technique involves the regular backup and storage of
critical data and system configurations, coupled with a disaster recovery plan to
restore the data and systems in case of an outage or data loss.
4. Security Awareness Training: This technique involves the provision of regular training
to employees on IT security best practices, such as phishing scams, social
engineering, and password hygiene. It can help to raise awareness, reduce human
error, and improve the overall security posture of the organization.
5. Incident Response Planning: This technique involves the development of an incident
response plan that outlines the procedures to be followed in case of a security
breach or incident. It can include the roles and responsibilities of incident response
team members, communication protocols, and the steps to be taken to contain,
investigate, and remediate the incident.
Cyberattacks can have significant effects on economies, both in terms of direct costs and
indirect costs such as loss of consumer confidence and reduced productivity. The following
are some risk indicators that demonstrate the effects of cyberattacks on an economy:
1. Financial losses: Cyberattacks can lead to financial losses for organizations and
individuals, including theft of money and intellectual property. In 2020, the global
average cost of a data breach was $3.86 million, according to a study by IBM.
2. Disruption of critical infrastructure: Critical infrastructure such as power grids, water
supply systems, and transportation networks can be disrupted by cyberattacks,
leading to significant economic losses. In December 2015, a coordinated attack on three
Ukrainian electricity distribution companies opened breakers remotely and left about
230,000 customers without power for several hours, with operators forced back to
manual control.
3. Loss of consumer trust: Cyberattacks can damage the reputation of businesses and
reduce consumer confidence, resulting in decreased revenue. For example, the 2017
Equifax data breach, which exposed the personal information of about 147 million
people, led to a sharp drop in the company's share price and a loss of customer trust.
4. Increased regulatory fines and legal costs: Breaches can result in regulatory fines,
settlements and litigation costs, which can be significant. In 2019 Equifax agreed to a
settlement with the US Federal Trade Commission and other regulators worth at least
$575 million for its breach, and the same year the FTC fined Facebook $5 billion; the
latter was a privacy enforcement action over data sharing rather than an external attack,
but it shows the scale of penalties now attached to mishandled data.
5. Unemployment: In severe cases, cyberattacks can result in businesses closing down,
leading to job losses and a negative impact on the economy.
b) Exemplify the extreme effects of cyberattacks of people’s lives.
Cyberattacks can have extreme effects on people's lives, especially in cases where critical
infrastructure or medical systems are targeted. The following are some examples of the
extreme effects of cyberattacks on people's lives:
1. Health care: Cyberattacks on medical systems can delay treatment and put patients at
risk. In 2017, the WannaCry ransomware worm disrupted the UK's National Health Service,
forcing the cancellation of around 19,000 appointments and operations and diverting
ambulances. In 2020, a ransomware attack on Düsseldorf University Hospital in Germany
forced an emergency patient to be redirected to a hospital in another city; her death was
initially linked to the delay, although prosecutors later concluded that the attack was not
the cause.
2. Transportation: Cyberattacks on transport and logistics systems can halt the movement
of people and goods. In 2017, the NotPetya malware shut down the container terminals and
booking systems of the shipping company Maersk for days. In 2019, the RobbinHood
ransomware attack on the City of Baltimore disabled municipal services such as billing and
property transactions for weeks.
3. Public safety: Cyberattacks on public safety systems, such as emergency services and
law enforcement, can have severe consequences. In March 2018, ransomware took
Baltimore's 911 computer-aided dispatch system offline for about 17 hours, forcing
dispatchers to handle calls manually, and in August 2019 a coordinated ransomware attack
hit 22 local governments in Texas at once, disrupting services including payment systems.
In summary, cyberattacks can have extreme effects on people's lives, especially in cases
where critical infrastructure or medical systems are targeted. It is essential to prioritize
cybersecurity and implement effective measures to protect against cyber threats.
SOURCES OF IT RISK
IT risk refers to the potential for loss or harm to an organization's information technology
systems and data. There are several sources of IT risk within an organization, including IT
services management, IT project management, and IT information security management.
Here's how each of these areas can contribute to IT risk:
1. IT Services Management: IT services management refers to the processes and
activities involved in delivering IT services to the organization. This can include
activities such as service desk management, incident management, change
management, and problem management. Sources of IT risk in IT services
management can include:
Service Interruptions: If IT services are interrupted or unavailable, this can have a
significant impact on an organization's operations and productivity. This can be
caused by factors such as hardware failures, software bugs, or network outages.
Inadequate Service Level Agreements (SLAs): If service level agreements are not
properly defined or agreed upon, this can lead to service delivery issues or
misunderstandings between the IT department and other business units.
Poor Change Management: Changes to IT services can introduce new risks if they are
not properly planned, tested, and communicated. This can lead to unexpected
downtime, data loss, or security vulnerabilities.
2. IT Project Management: IT project management refers to the processes and activities
involved in planning, executing, and closing IT projects. This can include activities
such as project planning, resource allocation, risk management, and project
monitoring and control. Sources of IT risk in IT project management can include:
Scope Creep: If project scope is not properly defined or managed, this can lead to
project delays, cost overruns, or quality issues.
Poor Project Planning: If projects are not properly planned, this can lead to
unrealistic timelines, inadequate resources, or poor project communication.
Technical Complexity: If projects involve complex technical requirements or
dependencies, this can increase the risk of technical failures or unexpected issues.
3. IT Information Security Management: IT information security management refers to
the processes and activities involved in protecting an organization's information
assets from unauthorized access, use, disclosure, or destruction. This can include
activities such as risk assessments, security policies, access controls, and incident
management. Sources of IT risk in IT information security management can include:
Cybersecurity Threats: If an organization's systems or data are targeted by cyber
attacks, this can lead to data breaches, loss of intellectual property, or damage to the
organization's reputation.
Insider Threats: If employees or other insiders intentionally or unintentionally
compromise an organization's security, this can lead to data loss, sabotage, or other
security incidents.
Inadequate Security Controls: If security controls are not properly designed,
implemented, or maintained, this can lead to vulnerabilities or weaknesses that can
be exploited by attackers.
Overall, IT risk can arise from a variety of sources within an organization, including IT
services management, IT project management, and IT information security management. By
identifying and managing these sources of risk, organizations can reduce their exposure to
IT-related losses and protect their valuable information assets.
QUESTION ONE
The COVID-19 Pandemic has presented a myriad of social and economic challenges both at
individual and organizational level; however, the disease burden has at the same time
exposed especially organizations to new realities which had previously been
unimaginable. Today, phrases such as ‘Work from Home’ are buzzwords. In this new
dispensation data governance programs become significant to organizations as they seek
to facilitate employees’ work in discrete virtual environments. Indeed it is true that, “a
sound data governance program includes a governing body or council, a defined set of
procedures, and a plan to execute those procedures.” As the Chief IT Risk Officer at
Mpulungu Harbor Corporation Limited (MHCL), you are;
Required:
A. To advise Management on the five (5) approaches to safeguarding the digital rights of
employees deriving corporate services via the Internet. [10 Marks]
B. To formulate, with the aid of a diagram the two guiding principles in the design of data
governance and their corresponding governance mechanisms. [15 Marks]
QUESTION TWO
On the 18th September, 2019 AtlasMara Bank closed its entire branch network in Lusaka
hours after bailiffs pounced on its Headquarters and seized properties. Inside sources
revealed that the main server having been uprooted by the bailiffs adversely impacted
core banking system which included ATMs, Cards, Trust Accounts, SWIFT/Optics, Mobile
banking, Tenga, E-Tax, E-NAPSA and FISP. The bank later in the day assured its customers
that it was in the process of invoking the disaster recovery site in Chongwe so that it could
restart Core banking and Alternate channels. Source: Lusakatimes.com. A week later you
were shortlisted for an interview as a potential employee.
Required:
A. Explain the four possible Key Risk Indicators you presented to the interviewing panel
that the risk department might have failed to detect within the context of the discussion.
[6 Marks]
B. As an expert at risk management, explain the exact reasons you advanced to the panel
concerning operationalization of real-time disaster recovery policies directed by the
central bank to financial institutions such as the one under discussion. [4 Marks]
C. Data governance programs and structures have little or no impact over matters such as
the one under review. Explain specific response(s) you presented to the interviewing
panel to counter this claim. [4 Marks]
A. Possible Key Risk Indicators (KRIs) that the risk department might have failed to detect
within the context of the discussion are:
1. Inadequate Business Continuity Plan (BCP) - This KRI would have been raised if the
risk department had identified that the bank did not have a robust BCP in place to
respond to unexpected events such as the seizure of properties by bailiffs. A lack of a
comprehensive BCP could have led to the delay in restarting core banking and
alternate channels, which would have resulted in significant losses to the bank and
impacted customer confidence.
2. Insufficient disaster recovery site testing - This KRI would have been raised if the risk
department had identified that the bank had not adequately tested its disaster
recovery site in Chongwe before the incident. Inadequate testing could have resulted
in the disaster recovery site not functioning as intended, leading to extended
downtime and significant financial losses.
3. Single point of failure in production infrastructure - This KRI would have been raised if
the risk department had identified that core banking, ATMs, cards, SWIFT and the mobile
channels all depended on one physical server at the headquarters with no hot standby.
Security controls cannot stop a lawful seizure by bailiffs, so the indicator is not access
control but concentration: the share of critical services with no live secondary site, and
the absence of any link between the bank's litigation exposure and its IT continuity planning.
4. Poor vendor management - This KRI would have been raised if the risk department
had identified that the bank had not conducted adequate due diligence on its
vendors and service providers. Poor vendor management could have resulted in the
bank relying on vendors who were not reliable or did not have adequate disaster
recovery capabilities, leading to extended downtime and significant financial losses.
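As an added illustration (not part of the model answer), the following Python monitor turns the KRIs above into measurable checks: single-site dependency, replication lag against a recovery point objective, time since the last failover test, and the last measured recovery time. The policy thresholds are assumed and the inventory is constructed; the site names Lusaka and Chongwe come from the scenario, but the dates and lag figures do not.

```python
from datetime import date

# Added example (not part of the model answer): a key-risk-indicator monitor that
# turns the continuity concerns above into measurable checks. The policy
# thresholds are assumed, and the system inventory is constructed; the site
# names Lusaka and Chongwe come from the scenario, the dates and lag figures do not.

POLICY = {
    "rpo_seconds": 60,              # assumed recovery point objective for core systems
    "rto_minutes": 240,             # assumed recovery time objective
    "max_days_since_dr_test": 180,  # assumed: standby site exercised at least twice a year
}

INCIDENT_DAY = date(2019, 9, 18)    # date of the seizure in the scenario

SYSTEMS = [  # constructed inventory, not real data
    {"name": "core-banking", "sites": ["Lusaka"], "replication_lag_s": None,
     "last_dr_test": date(2018, 11, 2), "last_measured_rto_min": None},
    {"name": "atm-switch", "sites": ["Lusaka", "Chongwe"], "replication_lag_s": 45,
     "last_dr_test": date(2019, 6, 15), "last_measured_rto_min": 180},
    {"name": "mobile-banking", "sites": ["Lusaka", "Chongwe"], "replication_lag_s": 900,
     "last_dr_test": date(2019, 3, 1), "last_measured_rto_min": 300},
]


def evaluate_kris(systems, policy, today):
    """Return one (system, KRI code, detail) tuple per breached indicator."""
    findings = []
    for s in systems:
        # Concentration risk: a lawful seizure of one server halts every service on it.
        if len(s["sites"]) < 2:
            findings.append((s["name"], "SINGLE_SITE",
                             "runs on one site only; loss or seizure of that hardware halts service"))
        # Data loss exposure: replication lag is the data that would be lost on failover.
        lag = s["replication_lag_s"]
        if lag is None or lag > policy["rpo_seconds"]:
            findings.append((s["name"], "RPO_BREACH",
                             "no replication" if lag is None else
                             "replication lag %ds exceeds RPO %ds" % (lag, policy["rpo_seconds"])))
        # An untested standby site is an assumption, not a control.
        age = (today - s["last_dr_test"]).days
        if age > policy["max_days_since_dr_test"]:
            findings.append((s["name"], "DR_TEST_STALE",
                             "last failover test %d days ago" % age))
        # Recovery time as actually measured, not as promised in the plan.
        rto = s["last_measured_rto_min"]
        if rto is None or rto > policy["rto_minutes"]:
            findings.append((s["name"], "RTO_BREACH",
                             "never measured" if rto is None else
                             "last failover took %d min against RTO %d min" % (rto, policy["rto_minutes"])))
    return findings


def breached_codes(findings, system_name):
    """Set of KRI codes raised for one system, for dashboards and tests."""
    return {code for name, code, _ in findings if name == system_name}


if __name__ == "__main__":
    for name, code, detail in evaluate_kris(SYSTEMS, POLICY, INCIDENT_DAY):
        print("%-15s %-14s %s" % (name, code, detail))
```

Run against the constructed inventory, the core banking system raises all four indicators, which is the picture the scenario describes: one server, no replication, a standby site never exercised, and no measured recovery time.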
B. The operationalization of real-time disaster recovery policies directed by the central bank
to financial institutions such as the one under discussion is essential for ensuring the rapid
recovery of critical systems and operations following unexpected incidents. During the
interview, I would have explained that real-time disaster recovery policies should be
designed to ensure that banks can quickly switch over to alternate systems and operations
in the event of a disaster.
The key reasons why real-time disaster recovery policies are essential include:
1. Minimizing downtime - Real-time disaster recovery policies are designed to minimize
downtime by ensuring that banks can quickly restore their critical systems and
operations. This is important because extended downtime can result in significant
financial losses and damage to customer confidence.
2. Maintaining customer confidence - Real-time disaster recovery policies are essential
for maintaining customer confidence in the bank's ability to respond to unexpected
incidents. This is important because customers expect their banks to be able to
provide uninterrupted services, even in the face of unexpected events.
3. Meeting regulatory requirements - The central bank requires financial institutions to
have robust disaster recovery policies and procedures in place. Failure to comply
with these requirements can result in regulatory fines and reputational damage.
4. Protecting against reputational damage - Real-time disaster recovery policies are
designed to protect banks against reputational damage by ensuring that they can
respond quickly to unexpected incidents. This is important because reputational
damage can result in significant financial losses and long-term damage to the bank's
brand.
5. Preventing financial loss - Rapid failover limits the direct losses of customers, who
cannot transact, and of the institution, which cannot settle, pay or collect while the core
system is down.
C. Data governance programs and structures have a significant impact on matters such as
the one under review. During the interview, I would have explained that effective data
governance programs and structures are essential for ensuring that banks can quickly
respond to unexpected incidents and recover critical systems and operations.
The specific responses that I would have presented to counter this claim include:
1. Data governance programs ensure data accuracy and completeness - Effective data
governance programs ensure that data is accurate and complete. This is essential for
disaster recovery, as inaccurate or incomplete data can result in extended downtime
and financial losses.
2. Data governance programs enable effective data backup and recovery - Effective
data governance programs ensure that data is backed up regularly and can be
recovered quickly in the event of a disaster. This is important because rapid data
recovery is essential for minimizing downtime and reducing financial losses.
3. Data governance programs ensure regulatory compliance - Effective data governance
programs ensure that banks comply with regulatory requirements for data
management and disaster recovery. This is important because non-compliance can
result in regulatory fines and reputational damage.
4. Data governance programs facilitate effective vendor management - Effective data
governance programs ensure that banks conduct proper due diligence on their
vendors and service providers. This is important for disaster recovery, as reliable
vendors with adequate disaster recovery capabilities are essential for minimizing
downtime and reducing financial losses.
Overall, effective data governance programs and structures are essential for ensuring
that banks can quickly respond to unexpected incidents and recover critical systems
and operations. Without adequate data governance, banks may struggle to recover
from disasters and may face significant financial losses and reputational damage.
QUESTION
The Zambia Interbank Payment and Settlement System (ZIPSS) is the interbank payment
system or the Real Time Gross Settlement system for Zambia controlled, managed and
operated by the Bank of Zambia (BOZ) that facilitates interbank electronic transfer of
funds between the BOZ and the participants which are the Commercial Banks and, at
times the Non-Bank financial institutions. The BOZ adopts the use of Public Key
Infrastructure (PKI) which are essentially encryption techniques that protect the integrity
of data packets in transit from risk exposure. Required: A. Differentiate public from secret
key encryption. [2 Marks] B. A computer at INDO-ZAMBIA bank intends transmitting
Zambian Kwacha 5610 over the ZIPSS to BOZ and onward to ABSA on a normal intraday
trading. Determine the ciphertext using the key, C2D7, assuming the ZIPSS uses the
simplified Advanced Encryption Standard. Show all your work clearly!
A.
Public key encryption and secret key encryption are the two families of encryption used to
protect information in transit or in storage.
Public key encryption, also known as asymmetric encryption, uses a mathematically related
pair of keys: a public key, which can be published freely, and a private key, which never
leaves its owner. Data encrypted with the public key can be decrypted only with the private
key, and a signature made with the private key can be verified by anyone holding the public
key. This removes the need to share a secret in advance, but the operations are slow, and a
PKI is needed to bind public keys to identities through certificates, which is the role the
BOZ's PKI plays for ZIPSS participants.
Secret key encryption, also known as symmetric encryption, uses a single key to encrypt and
decrypt data. The key must be shared between sender and receiver in advance over a secure
channel and kept secret by both, since anyone who obtains it can both read and forge
messages. It is fast and is used for bulk data, whether at rest or in transit. In practice the two
are combined: a public key operation establishes or transports a symmetric session key,
which then encrypts the payload, as TLS does.
B.
The question specifies the simplified AES (S-AES), a teaching cipher with a 16-bit block, a
16-bit key and two rounds. That is consistent with the key C2D7, which is only 16 bits
(1100 0010 1101 0111). It is not the real AES, whose smallest key is 128 bits, so an online
AES tool cannot be used with this key, and a 256-bit "ciphertext" obtained that way is not a
valid answer. The working proceeds as follows:
1. Fix the plaintext block. S-AES encrypts 16 bits at a time, so the amount has to be mapped
to a single 16-bit block; the question does not say how, so the assumption must be stated.
Taking the four hex digits 5610 gives the block 0101 0110 0001 0000.
2. Expand the key. Split C2D7 into w0 = C2 and w1 = D7, then compute
w2 = w0 XOR RCON1 XOR SubNib(RotNib(w1)), w3 = w2 XOR w1,
w4 = w2 XOR RCON2 XOR SubNib(RotNib(w3)), w5 = w4 XOR w3,
with RCON1 = 80 and RCON2 = 30 (hex), where RotNib swaps the two nibbles of a byte and
SubNib applies the S-AES S-box to each nibble. The round keys are K0 = w0w1 = C2D7,
K1 = w2w3 = 1CCB and K2 = w4w5 = 10DB.
3. Round 0: XOR the plaintext block with K0 (5610 XOR C2D7 = 94C7).
4. Round 1: substitute each nibble through the S-box, swap the two nibbles of the second
row (ShiftRows), multiply each column by the matrix [[1, 4], [4, 1]] in GF(2^4) modulo
x^4 + x + 1 (MixColumns), then XOR with K1 (state after this round: 4113).
5. Round 2: substitute nibbles and shift rows again (the last round has no MixColumns),
then XOR with K2. The 16-bit result is the ciphertext.
Carrying the arithmetic through for the assumed block 5610 gives the ciphertext CB9F. A
different mapping of the amount to a block gives a different result, so the assumption must
be shown with the answer. A single block needs no mode of operation; a message longer than
one block would require a mode such as CBC, but a 16-bit block cipher is a classroom tool
only and offers no real security, which is why production systems use the full AES.
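The following Python implementation is added here as a worked example; it is not taken from the exam, the Bank of Zambia or ZIPSS. It carries out the S-AES encryption the question asks for, and also includes decryption and the textbook test vector (plaintext 6F6B, key A73B, ciphertext 0738) so that the S-box and round-constant choices can be checked independently. Treating the amount 5610 as the block 0x5610 is an assumption.

```python
# Added example: a complete implementation of the simplified AES (S-AES) teaching
# cipher of Musa, Schaefer and Wedig, as specified in Stallings' textbook
# (16-bit block, 16-bit key, two rounds). This is illustration code, not the
# ZIPSS or Bank of Zambia implementation. Treating the amount 5610 as the
# 16-bit block 0x5610 is an assumption made only to show the arithmetic.

SBOX = [0x9, 0x4, 0xA, 0xB, 0xD, 0x1, 0x8, 0x5,
        0x6, 0x2, 0x0, 0x3, 0xC, 0xE, 0xF, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
RCON = [0x80, 0x30]          # round constants for the two key-expansion steps


def gf_mul(a, b):
    """Multiply two nibbles in GF(2^4) with reduction polynomial x^4 + x + 1."""
    product = 0
    for _ in range(4):
        if b & 1:
            product ^= a
        carry = a & 0x8
        a = (a << 1) & 0xF
        if carry:                # x^4 is replaced by x + 1 (0b0011)
            a ^= 0x3
        b >>= 1
    return product


def to_state(block):
    """16-bit block -> [s00, s10, s01, s11], the 2x2 nibble matrix column by column."""
    return [(block >> shift) & 0xF for shift in (12, 8, 4, 0)]


def from_state(s):
    return (s[0] << 12) | (s[1] << 8) | (s[2] << 4) | s[3]


def sub_nib(byte, box):
    return (box[byte >> 4] << 4) | box[byte & 0xF]


def rot_nib(byte):
    return ((byte & 0xF) << 4) | (byte >> 4)


def expand_key(key):
    """Return the three 16-bit round keys K0, K1, K2 derived from a 16-bit key."""
    w = [key >> 8, key & 0xFF]
    for i in range(2):
        w.append(w[2 * i] ^ RCON[i] ^ sub_nib(rot_nib(w[2 * i + 1]), SBOX))
        w.append(w[2 * i + 2] ^ w[2 * i + 1])
    return [(w[0] << 8) | w[1], (w[2] << 8) | w[3], (w[4] << 8) | w[5]]


def shift_rows(s):
    """Swap the two nibbles of the second row; the operation is its own inverse."""
    return [s[0], s[3], s[2], s[1]]


def mix_columns(s, a, b):
    """Multiply each column by the matrix [[a, b], [b, a]] over GF(2^4)."""
    return [gf_mul(a, s[0]) ^ gf_mul(b, s[1]), gf_mul(b, s[0]) ^ gf_mul(a, s[1]),
            gf_mul(a, s[2]) ^ gf_mul(b, s[3]), gf_mul(b, s[2]) ^ gf_mul(a, s[3])]


def encrypt(block, key):
    k0, k1, k2 = expand_key(key)
    s = to_state(block ^ k0)                                  # round 0: add round key
    s = mix_columns(shift_rows([SBOX[x] for x in s]), 1, 4)   # round 1
    s = to_state(from_state(s) ^ k1)
    s = shift_rows([SBOX[x] for x in s])                      # round 2: no MixColumns
    return from_state(s) ^ k2


def decrypt(block, key):
    k0, k1, k2 = expand_key(key)
    s = to_state(block ^ k2)
    s = [INV_SBOX[x] for x in shift_rows(s)]
    s = to_state(from_state(s) ^ k1)
    s = mix_columns(s, 9, 2)                                  # inverse of [[1,4],[4,1]]
    s = [INV_SBOX[x] for x in shift_rows(s)]
    return from_state(s) ^ k0


if __name__ == "__main__":
    # Textbook check: plaintext 0x6F6B under key 0xA73B encrypts to 0x0738.
    print("textbook vector:", hex(encrypt(0x6F6B, 0xA73B)))
    # The exam key C2D7, with the amount 5610 taken as the block 0x5610 (assumption).
    ct = encrypt(0x5610, 0xC2D7)
    print("round keys:", [hex(k) for k in expand_key(0xC2D7)])
    print("ciphertext:", hex(ct), "decrypts to", hex(decrypt(ct, 0xC2D7)))
```

The inverse MixColumns matrix [[9, 2], [2, 9]] is used in decryption because it is the inverse of [[1, 4], [4, 1]] over GF(2^4): 1·9 XOR 4·2 = 9 XOR 8 = 1 and 1·2 XOR 4·9 = 2 XOR 2 = 0. Changing the S-box, the reduction polynomial or the round constants changes every ciphertext, so a marking scheme has to fix all three.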
QUESTION FOUR
IT governance should be viewed as how IT creates value that fits into the overall
Corporate Governance Strategy of the organization, and never be seen as a discipline on
its own. In taking this approach, all stakeholders would be required to participate in the
decision making process. This creates a shared acceptance of responsibility for critical
systems and ensures that IT related decisions are made and driven by the business and
not vice versa.
Required: A.
To prepare a summary presentation to advocate for the essence of IT Governance to the
Management Committee at the Road, Transport and Safety Agency (RTSA) while
highlighting any FIVE IT Governance best practices. [12 Marks]
B. To reinforce the value of IT Governance to information system auditors at the RTSA. [8
Marks]
EXAM QUESTIONS
The governance model of IT risk management has four components that work together to
ensure that IT risks are identified, assessed, and managed effectively within an organization.
Here are the functions of each component:
1. Oversight: The oversight component is responsible for setting the overall direction
and strategy for IT risk management. It involves senior management and the board
of directors, who provide guidance on IT risk management policies, procedures, and
standards. The functions of the oversight component include:
Setting the objectives and priorities for IT risk management
Establishing policies and procedures for IT risk management
Defining roles and responsibilities for IT risk management
Monitoring and assessing the effectiveness of IT risk management activities
2. Operations: The operations component is responsible for implementing the IT risk
management strategy and objectives. It involves IT and business units, who work
together to identify and assess IT risks, and develop and implement risk
management plans to mitigate those risks. The functions of the operations
component include:
Identifying and assessing IT risks
Developing and implementing risk management plans
Establishing controls to mitigate IT risks
Monitoring and testing controls to ensure they are effective
3. Monitoring: The monitoring component is responsible for ensuring that the IT risk
management strategy and objectives are being met. It involves regular monitoring
and reporting on IT risks, as well as assessing the effectiveness of risk management
controls and making adjustments as needed. The functions of the monitoring
component include:
Monitoring and reporting on IT risks
Assessing the effectiveness of risk management controls
Making adjustments to risk management activities as needed
Providing regular reports on IT risk management to senior management and the
board of directors
4. Engagement: The engagement component is responsible for engaging stakeholders
in IT risk management. It involves communication and collaboration with internal
and external stakeholders, such as employees, customers, partners, regulators, and
auditors, to ensure that they are aware of IT risks and their role in managing those
risks. The functions of the engagement component include:
Communicating IT risk management policies and procedures to stakeholders
Providing training and education on IT risks and risk management
Collaborating with stakeholders to identify and assess IT risks
Coordinating with auditors and regulators on IT risk management activities
By having these four components working together, organizations can establish a
comprehensive approach to IT risk management that helps to minimize potential negative
impacts on the business.
11. DISCUSS THE CONCEPT OF DISASTER RECOVERY AND ITS RELATIONSHIP TO BUSINESS
CONTINUITY WHILST OUTLINING THE SEQUENTIAL STEPS INVOLVED IN RISK MANAGEMENT
Disaster recovery and business continuity are closely related concepts in the field of risk
management. Disaster recovery is the process of restoring IT systems and data after an unplanned
event, such as a natural disaster or cyber-attack, has disrupted operations. Business continuity, on
the other hand, is the broader process of ensuring that an organization can continue to operate after
such an event.
The goal of disaster recovery is to minimize downtime and data loss by restoring IT systems and data
to their pre-disaster state as quickly as possible. This involves the use of backup and recovery
processes and technologies, such as offsite data replication and cloud-based backup solutions.
Disaster recovery plans also typically include procedures for notifying stakeholders, testing and
validating recovery procedures, and ongoing monitoring of IT systems to ensure their ongoing
availability and integrity.
Business continuity, on the other hand, involves a broader set of activities and processes aimed at
ensuring that an organization can continue to operate during and after a disaster. This may include
contingency planning, developing alternative work arrangements, and maintaining communication
with stakeholders. The goal of business continuity is to minimize the impact of a disaster on an
organization's operations, reputation, and financial performance.
In general, the steps involved in risk management include:
1. Identify risks: This involves identifying potential risks to an organization's IT systems, data,
and operations. This may include conducting risk assessments, analyzing threat vectors, and
identifying vulnerabilities.
2. Assess risks: Once risks have been identified, they must be assessed to determine their
likelihood and potential impact. This may involve developing risk models, performing
scenario analysis, and assessing the effectiveness of existing controls.
3. Develop risk management strategies: Based on the assessment of risks, risk management
strategies must be developed to address them. This may involve developing risk mitigation
plans, implementing controls, and developing contingency plans.
4. Implement controls: Once risk management strategies have been developed, controls must
be implemented to manage and mitigate identified risks. This may involve technical controls,
such as firewalls, access controls and encryption, as well as administrative controls, such as
approval procedures and segregation of duties.
5. Monitor and measure performance: Organizations must continuously monitor and measure
the effectiveness of risk management strategies and controls. This may involve regular
assessments of controls and the use of key performance indicators (KPIs) to track progress.
6. Review and improve: Finally, organizations must regularly review and improve their risk
management processes based on changes in the risk environment, business objectives, and
best practices.
In summary, disaster recovery and business continuity are two key components of an organization's
overall risk management strategy. By identifying, assessing, and managing risks to IT systems, data,
and operations, organizations can minimize the impact of potential disasters and ensure their
ongoing availability and integrity.
12. DISCUSS THE DIFFERENCE BETWEEN IT GOVERNANCE AND MANAGEMENT AS FAR AS IT RISK IS
CONCERNED
IT governance and management are two distinct but related concepts in the field of information
technology. Both play a critical role in managing IT risk, but they differ in their scope and focus.
IT governance refers to the overall framework, policies, and processes that guide how an
organization's IT resources are used and managed to support the organization's goals and objectives.
IT governance focuses on aligning IT activities with business objectives, ensuring that IT investments
deliver value, managing IT risks, and ensuring compliance with legal and regulatory requirements.
IT management, on the other hand, refers to the day-to-day operational activities that are required
to manage IT resources effectively. IT management focuses on planning, organizing, and controlling
IT resources to deliver specific IT services and products that support the business. IT management
involves tasks such as managing IT infrastructure, developing and maintaining applications, providing
technical support, and managing IT projects.
When it comes to IT risk management, IT governance and management play complementary roles. IT
governance sets the overall risk management framework for the organization, including the policies,
standards, and procedures that guide risk management activities. IT governance also ensures that IT
risks are identified, assessed, and managed in a systematic and coordinated way across the
organization.
IT management, on the other hand, implements the risk management framework by ensuring that
specific IT risks are identified, assessed, and managed as part of day-to-day operations. IT
management also ensures that IT risks are managed in accordance with the organization's risk
appetite and that the organization is able to respond effectively to emerging risks.
In summary, while both IT governance and management play critical roles in managing IT risk, IT
governance sets the overall risk management framework for the organization, while IT management
implements the framework at the operational level. By working together, IT governance and
management can help organizations to identify, assess, and manage IT risks in a coordinated and
effective way that supports the organization's overall goals and objectives.