Chapter 1 - Governance and Management of Information Systems Flashcards

1
Q

What is governance?

A

Governance is a system of policies, standards, guidelines and procedures that help steer an organisation’s day to day operations and decisions.

2
Q

What are the benefits of governance?

A
  1. Specifying decision rights to support business needs.
  2. Encouraging effective use of IT.
  3. Implementing and integrating desired business processes into the enterprise.
  4. Providing stability and removing limitations of organisational structure.
  5. Improving customer, business and internal relationships and reducing internal territorial strife.
  6. Strategic alignment of IT with business.
3
Q

What is enterprise governance?

A

Enterprise governance is the set of responsibilities and practices exercised by the board and executive management to provide strategic direction, ensuring that:

  1. Goals are achievable.
  2. Risks are properly addressed.
  3. Organisational resources are properly utilised.
4
Q

What are the dimensions of enterprise governance?

A

The two dimensions of enterprise governance are:

  1. Corporate governance or conformance.
  2. Business governance or performance.
5
Q

What is corporate governance?

A

Corporate governance is a system by which companies are directed and controlled to achieve the objective of increasing shareholders’ value by enhancing economic performance.

6
Q

What are the internal control practices required for good corporate governance?

A

CARES

  1. C - Compliance with laws and standards.
  2. A - Establishment of Audit committee.
  3. R - Risk management.
  4. E - Elimination of conflict of interest.
  5. S - Segregation of incompatible functions.
7
Q

What are the differences between corporate governance and business governance?

A
  1. Conformance takes a historic view and covers governance issues such as:
    - Roles of the chairman and CEO.
    - Roles and composition of BOD.
    - Board committees.
    - Control assurance.
    - Risk management for compliance.

Whereas, performance is forward looking.

  2. Conformance focuses on compliance with laws and regulations. Compliance is subject to assurance and audit.

Whereas, performance focuses on strategy and value creation including risk management.

  3. Conformance examples - SOX Act of the US, Clause 49 listing requirements of SEBI provide compliance.

Performance comprises organisational mechanisms for aligning activities with organisational strategies to maximise performance and value creation. There is no regime of audit and standards. A performance management tool called the balanced scorecard is used to fill the oversight mechanism gap.

  4. Oversight mechanism - Conformance is monitored by the audit committee.

Whereas, performance does not have a dedicated oversight mechanism. A strategic committee of similar stature (which will report to the board) can be established to bridge this gap.

8
Q

What are the best practices of corporate governance?

A

CA FIRE

  1. C - Clear assignment of responsibilities - hierarchy for approvals from BOD.
  2. A - Appropriate flow of information internally and to the public - for good corporate governance.
  3. F - Financial and managerial incentives (compensations, promotions, etc. ) - to management and employees to motivate and ensure outstanding performance.
  4. I - Implementing strong internal control systems - including functions such as internal and external audit, risk management, functions independent of business line.
  5. R - Risk monitoring - where conflicts of interest may be high including business relationships with borrowers affiliated with the bank, large shareholders, management and key decision makers.
  6. E - Establishment of an interaction mechanism - for interaction and co-operation among the board of directors, management and auditors.
9
Q

What is IT governance?

A

IT governance is the system by which IT activities in a company are directed and controlled to achieve business objectives with the ultimate objective of meeting stakeholder needs.

10
Q

What are the key practices to determine the status of IT governance?

A
  1. Who makes the directing, controlling and executing decisions?
  2. How are the decisions made?
  3. What information is required to make the decisions?
  4. What decision making mechanisms are required?
  5. How are exceptions handled?
  6. How are governance results monitored and improved?
11
Q

What are the benefits of IT governance?

A

ABOUT MICE

  1. A - Improved AGILITY to support business needs.
  2. B - BETTER COST PERFORMANCE of IT.
  3. O - OPTIMAL UTILISATION of IT resources.
  4. U - Increased USER SATISFACTION with IT services.
  5. T - Improved TRANSPARENCY and understanding of IT’s contribution to business.
  6. M - Management and mitigation of IT related business risks.
  7. I - Increased value delivered through enterprise IT.
  8. C - Compliance with relevant laws, regulations and policies.
  9. E - IT becoming an ENABLER FOR CHANGE rather than an inhibitor for change.
12
Q

What are critical points to be ensured to derive benefits of IT governance?

A

IT ROUT

  1. I - IT is relevant and links to business strategy.
  2. T - Timing of realisation of IT benefits is realistic and documented.
  3. R - Risks and assumptions associated with realising IT benefits are understood, correct and current.
  4. O - Ownership is defined and agreed.
  5. U - Unambiguous measures have been identified.
  6. T - Timely/accurate data for measurement is available and/or is easy to obtain.
13
Q

What is governance of enterprise IT?

A

It is a subset of corporate governance. GEIT addresses how IT is applied inside the organisation, encompassing all key areas. It ensures achievement of enterprise objectives and that IT capabilities are provided effectively and efficiently.

14
Q

What are the benefits of GEIT?

A
  1. Consistent approach integrated/aligned with the enterprise governance approach.
  2. IT related decisions are made in line with the strategies and objectives of the enterprise.
  3. IT processes are transparently and effectively overseen.
  4. Compliance with legal and regulatory requirements.
  5. Meeting governance requirements for board members.
15
Q

What are the key governance practices to implement GEIT in an enterprise?

A

EDM

  1. E - Evaluate the governance system - Staying up to date on the current requirements of the enterprise and making a judgement of the future design of GEIT.
  2. D - Direct the governance system - Senior management involvement is important. Otherwise requirements may be missed and this will not support the governance system.
  3. M - Monitor the governance system - Monitoring the effectiveness and performance of the governance system to assess whether system and mechanisms implemented are operating effectively.
16
Q

What is enterprise risk management?

A

ERM is a process

Effected by an entity’s BOD, management and other personnel

Applied in strategy setting across the enterprise

Designed to identify potential activities that may affect the entity

Manage risks to be within its risk appetite

To provide reasonable assurance regarding the achievement of entity objectives.

17
Q

Write a short note on SOX.

A

In the United States, the Sarbanes-Oxley Act is a corporate governance law for internal controls. It is a subset of ERM.

It was passed in 2002 to restore investors’ confidence in the US public markets which were devastated by business scandals and lapses in corporate governance. Now, publicly held companies must accurately report their financial data. Their reporting of financial activities and standing must be truthful and accurate.

SOX is based on the COSO model and hence public companies are encouraged to adopt the COSO internal control integrated framework.

18
Q

Who is responsible for implementing internal control under SOX?

A

The CEOs and CFOs are responsible for the quality and effectiveness of internal controls in an organisation. They must ensure that internal controls are established, designed and maintained to ensure that material information is made known to them by others in the organisation.

Executives could be sent to jail if the company is found submitting fraudulent accounting findings to the Securities and Exchange Commission. An organisation must ensure, through internal controls, that its financial statements comply with the Financial Accounting Standards and International Accounting Standards or local rules.

In India, Clause 49 of the listing agreements issued by the SEBI is on similar lines of SOX Regulation.

19
Q

Explain internal control over financial reporting.

A

It is a process effected by the CEO, CFO or other personnel of an organisation that provides reasonable assurance regarding:

  1. The reliability of financial reporting.
  2. Preparation of financial statements for external purposes in accordance with GAAP.
20
Q

What are the contents of an internal control report?

A

A company’s annual report must include an internal control report of the management containing the following:

  1. A statement of management’s responsibility - for establishing and maintaining adequate internal control over financial reporting for the company.
  2. Framework used by the management for evaluation of effectiveness of the company’s internal control over financial reporting.
  3. Management’s assessment of the effectiveness of the company’s internal control over financial reporting, which must include disclosure of any material weaknesses in internal control identified by the management.
  4. An attestation report issued by a public accounting firm on the management’s assessment of the company’s internal control over financial reporting.
21
Q

What are the components of COSO’s Internal Control Integrated Framework?

A

COMORIN

  1. CO - Control Environment - Categorising the materiality and criticality of each business process and its owners.
  2. CO - Control Activities - To manage, mitigate and minimise risks associated with each business process. Since risk can never be totally eliminated it must be kept at the minimum acceptable level.
  3. MO - Monitoring - Continuous monitoring with modifications as per changing conditions. This helps the management to ensure that internal controls operate reliably over time.
  4. RI - Risk Assessment - Since each business process has various associated risks, a control environment must include assessment of risks.
  5. IN - Information and communication - Helps in identifying, capturing and reporting financial/operating information which is useful to control the business processes in an organisation.
22
Q

Risk Related Terms: Explain threat.

A

A threat is an action/event that can have a negative impact on the IT/IS assets of an organisation in the form of:

  1. Destruction/modification/theft of IT/IS assets
  2. Unwanted disclosure of sensitive data/information.
  3. Denial of service.

A threat cannot exist without a target asset and can typically be prevented by applying protection to assets.

23
Q

Risk Related Terms: Explain attack.

A

An attack is the exploitation of a vulnerability by a threat agent.

It is a set of actions designed to compromise information systems in terms of confidentiality, integrity and availability (CIA) or other IS features.

Its consequences will depend on the type of attack and the degree of its success.

24
Q

Risk Related Terms: Explain vulnerability.

A

Vulnerabilities are weaknesses/flaws in the system’s security that potentially allow threats to harm/exploit the system. They are open doors for attackers.

Weaknesses may be in:

  1. Information systems
  2. Cryptographic/security systems
  3. Other system components such as hardware, internal controls, etc.

Examples of vulnerabilities are:

  1. Leaving the front door open can make a house vulnerable to unwanted visitors.
  2. Short passwords - Automated information systems can become vulnerable to password cracking or guessing routines.

Determining a system’s vulnerability involves:

  1. Security evaluation.
  2. Inspection of safeguards.
  3. Testing and penetration analysis.
25
Q

Explain the conditions for vulnerability.

A

A vulnerability must satisfy at least one of the following conditions. It allows an attacker to:

  1. Execute commands as another user.
  2. Access confidential data.
  3. Pose as another entity.
  4. Conduct a denial of service.
26
Q

Risk Related Terms: Explain risk.

A

A risk is the likelihood that a particular threat will exploit a particular vulnerability to harm an asset.

Example: If a firewall has several ports open, there will be a higher probability that an intruder will use one of the ports to access the network in an unauthorised manner.

Formula: Risk = Threat + Vulnerability

27
Q

Risk Related Terms: Explain likelihood.

A

It is the probability that a threat incident will be successful in resulting in an undesirable event.

The following factors must be considered while assessing the likelihood of occurrence of a threat:

  1. The presence, quality and strengths of the threat.
  2. The effectiveness of safeguards/security.
28
Q

Risk Related Terms: Explain assets.

A

An asset is any tangible/intangible thing which is of value to an organisation. For instance, hardware, software, people, data, facilities, etc.

Managing risks and safeguarding information assets are the primary responsibilities of the security manager.

29
Q

What are the characteristics of assets?

A

Assets can have one or more of the following characteristics:

  1. Recognised to be of value to the organisation.
  2. Not easily replaceable without applying costs, skill, time, resources or a combination of these.
  3. Form a part of the organisation’s corporate entity without which the organisation may be at threat.
  4. Information assets/data can be classified as proprietary, top secret, highly confidential.
30
Q

Risk Related Terms: Explain exposure.

A

Exposure is the extent of loss that will result if a risk materialises.

It includes:

  1. Immediate impact - clear results. For example, the impact of fire on IT/IS assets.
  2. Long run impact - for example, a sharp action by a competitor may erode/undermine the organisation’s financial viability.
31
Q

Risk Related Terms: Explain safeguard/counter measure/security controls.

A

A safeguard is anything (action, device, procedure, technique or any other measure) that removes a vulnerability or protects the information systems against one or more threats.

For example, a well-known threat - spoofing a user’s identity - can have two counter measures:

  1. Strong authentication protocols to validate users.
  2. Passwords should not be stored in configuration files.
32
Q

Risk Related Terms: Explain residual risk.

A

Residual risk is any risk remaining after the countermeasures are analysed and implemented.

Since there is no such thing as zero risk, it can only be kept to a minimal acceptable level and never be totally eliminated. This is the main objective of risk management.

33
Q

Information systems can give rise to many risks. Explain.

A

Information systems can give rise to many direct and indirect risks.

A risk is the likelihood that a particular threat will exploit a particular vulnerability to harm an asset and in turn cause harm to the organisation.

Risks lead to a gap between:

  1. Need to protect information systems.
  2. The degree of protection applied.
34
Q

What are the factors leading to a gap between the need to protect a system and the degree of protection applied?

A

DUAL WINE

  1. D - Devolution (delegation of power) of management control.
  2. U - Uneven technological changes.
  3. A - Application of unconventional electronic attacks.
  4. L - Lack of awareness of information systems security.
  5. W - Widespread use of technology.
  6. I - Interconnectivity of systems.
  7. N - No bar on distance, time and place as constraints.
  8. E - External factors - Legal requirements and technological advancement.
35
Q

What are the new risks which can have significant impact on critical business operations?

A

MEGHA

  1. M - Misuse of information systems.
  2. E - Extortion and leakage of confidential corporate information.
  3. G - Growing requirements for availability and robustness.
  4. H - Hacking - leading to denial of service and virus attacks.
  5. A - Abuse of privacy and ethical values.
36
Q

What are the objectives of risk reduction/security?

A

BICEP

  1. B - Better interaction with trading partners.
  2. I - Improved and self evident information management.
  3. C - Competitive advantage.
  4. E - Enhanced business performance.
  5. P - Protected reputation.
37
Q

What is risk management?

A

Risk management is the process of identifying, assessing and taking steps to reduce risk to an acceptable level by implementing controls in a cost effective manner.

Every information system has inherent risks. Risks cannot be eliminated but can only be mitigated through appropriate security. The information systems auditor must evaluate whether the available controls are adequate and appropriate to mitigate IS risks. In case of any deficiencies, the auditor must report these weaknesses to the management with appropriate recommendations.

It is not possible to eliminate risks completely. Estimation of losses caused by risk is either impossible or too costly. An asset is secure when expected losses from a threat are at an acceptable level. This level decides how much the management is willing to spend on controls.

38
Q

What are the various activities relating to risk management?

A
  1. Risk assessment
    a) Identification of risk.
    b) Analysis of the risk.
    c) Risk prioritisation.
  2. Risk Mitigation Control
    a) Reduction of risk.
    b) Risk planning.
    c) Risk monitoring.
39
Q

What are the various risk management strategies?

A

TEAMS

  1. T - Turn back - the management may decide to ignore the risk if the probability or impact of the risk is very low.
  2. E - Eliminate/Terminate the risk - wherever possible, avoid activities that involve risk. For example, not using the internet or a public network on a system which is connected to an organisation’s internal network, and instead using a stand-alone PC for internet usage.
  3. A - Accept/Tolerate the risk - these are the risks which the business decides to accept. No mitigation tools are designed for these risks, either because there are none or because the cost of deploying controls outweighs the benefits derived from them.
  4. M - Mitigate/Treat the risk - Reduce the impact of the risk by designing, implementing and monitoring appropriate internal controls. For example, using an effective antivirus solution to stay protected against the risk of viruses and updating it regularly.
  5. S - Share/Transfer the risk - Transfer the risk through risk insurance, contractual arrangement or other means.
40
Q

What are the sources of risk?

A

I’M N THE PC

  1. I - Individual activities.
  2. M - Management activities and controls.
  3. N - Natural events.
  4. T - Technology and technical issues.
  5. H - Human behaviour.
  6. E - Economic circumstances.
  7. P - Political circumstances.
  8. C - Commercial and legal relationships.
41
Q

What are the characteristics of risk?

A
  1. Potential of loss which exists due to threat/vulnerabilities.
  2. Uncertainty of loss expressed in terms of probability of loss.
  3. Probability/likelihood that a threat agent is backing a specific attack against a particular system.
42
Q

What are the key governance practices of risk management?

A

EDM

  1. E - Evaluate risk management - continuous examination and judgement on the effect of risk of usage of IT in the enterprise - considering if the enterprise’s risk appetite is appropriate - how much risk the company should take.
  2. D - Direct risk management - providing reasonable assurance that risk management practices are appropriate to ensure that the actual risk does not exceed the risk appetite.
  3. M - Monitor risk management - monitor the goals of the risk management process and establish how problems will be identified, tracked and reported for remediation.
43
Q

What are the key management practices of risk management?

A

CA MARD

  1. C - Collect data - Identify and collect relevant data for effective risk identification, analysis and reporting.
  2. A - Analyse the risk - Develop useful information to support risk decisions.
  3. M - Maintain a risk profile - Maintain an inventory of known risks including expected frequency, potential impact and responses along with stock of related resources, capabilities and control activities.
  4. A - Articulate the risk - provide information on the current state of IT related exposures and opportunities in a timely manner to all stakeholders for appropriate response.
  5. R - Respond to risk - respond in a timely manner to limit the magnitude of loss from IT related events.
  6. D - Define a risk management action portfolio - manage opportunities and reduce risks to an acceptable level.
44
Q

What are the metrics of risk management?

A
  1. Percentage of critical business processes, IT services and business programs covered by risk assessment.
  2. Number of significant IT related incidents that were not identified in risk assessment.
  3. Percentage of enterprise risk assessments including IT related risks.
  4. Frequency of updating the risk profile based on status of risk assessment.
45
Q

What is GRC?

A

GRC stands for governance, risk management and compliance. It is a methodology enabling a top to bottom approach to enterprise governance, risk management and compliance.

G - Governance - taking care of the business, making sure that things are done according to the standards, regulations and decisions of BOD of the enterprise.

R - Risk management - strategic activities related to risk identification through risk assessment and treatment of identified risks.

C - Compliance - with laws, rules and regulations affecting the current business.

46
Q

What are the key management practices of IT compliance as per COBIT 5?

A

IOCO

  1. I - Identify external compliance requirements - Identify and monitor changes in local and international laws, regulations and external requirements on a continuous basis so that they can be complied with from an IT perspective.
  2. O - Optimise response to external requirements - Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated.
  3. C - Confirm external compliance - Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.
  4. O - Obtain assurance of external compliance - Obtain and report adherence with policies, principles, standards, procedures and methodologies. Corrective action must be taken in a timely manner to address and close compliance gaps.
47
Q

What are the key metrics for assessing a compliance process?

A
  1. Compliance with external laws and regulations
    a) Cost of non compliance of IT regulations including settlements and fines.
    b) Coverage of compliance assessments.
    c) Number of IT related non compliance issues reported to the board or which cause public comment/embarrassment.
    d) Number of non compliance issues relating to contractual agreements with IT service providers.
  2. IT compliance with internal policies
    a) Number of incidents related to non compliance of policies.
    b) Frequency of policy review and updates.
    c) Percentage of stakeholders who understand policies
    d) Percentage of policies supported by effective standards and practices.
48
Q

What is COBIT?

A

COBIT stands for Control Objectives for Information and related Technology.

It is a business framework for governance and management of enterprise IT.

COBIT 5 provides a set of generally accepted processes to assist in maximising the benefits derived using IT and developing appropriate IT governance.

It helps enterprises to manage IT related risk and ensures compliance, continuity, security and privacy.

49
Q

What is the need for enterprises to use COBIT 5?

A

COBIT 5 helps enterprises make more informed decisions. It provides the necessary tools to understand, utilise, implement and direct important IT related activities. COBIT 5 is intended for all types and sizes of enterprises.

It can bring many business benefits including:

  1. More business focused IT solutions and services.
  2. Achieve strategic goals and realise business benefits through the effective and innovative use of IT.
  3. Compliance with laws, rules, regulations and contractual requirements.
  4. High quality information to support business decisions.
  5. Operational excellence through reliable and efficient application of technology.
  6. Greatly improved business outcomes.
  7. Increased user satisfaction with IT services.
  8. Increased value creation from the use of IT.
  9. Increased enterprise wide involvement in IT related activities.
  10. Reduced IT related risks.
  11. Lower IT costs.
50
Q

Write a note on flexibility of COBIT 5. How can it be customised to meet specific needs of an enterprise?

A

MR FAIL

COBIT 5 can be tailored to meet an enterprise’s specific business model, technology environment, industry, location and corporate culture. It has an open design and can be applied to meet needs related to:

  1. M - Management and governance of enterprise IT.
  2. R - Risk management.
  3. F - Financial processing or CSR reporting.
  4. A - Assurance activities.
  5. I - Information security.
  6. L - Legislative and regulatory compliance.
51
Q

What are the principles of COBIT 5?

A

MS ACE

  1. M - Meeting stakeholder needs: COBIT 5 provides all the required processes to support value creation in a business through the use of IT. An enterprise can customise COBIT 5 to suit its requirements and create value for its stakeholders through the use of IT. Value creation means realising benefits at an optimal resource cost while minimising risks.
  2. S - Separating governance from management: