Lecture 24 - IT Governance and Controls, IT Security

Question 1

-What questions must Governance-in-general answer?

Answer 1

o How do we organize ourselves? (In order to ensure ownership, objectivity, efficient decision making and action at the appropriate “level”)
o How do we decide? (In order to ensure a common set of guiding principles and the Strategy is reflected in all key decisions)
o How do we operate? (In order to ensure participation, accountability, co-ordination, integration of initiatives, funding, resource allocation, sustainment, evolution, etc.)

Governance is about the… “Rules of the Game”

Question 2

What are three key responsibilities of IT Governance?

Answer 2

• PLAN: IT’s alignment and use within all activities of the enterprise
• CONTROL: Management of technology related business risks
• MEASURE: Verification of the value delivered by the use of IT across the enterprise

Question 3

What is IT Governance

Answer 3

IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.

Question 4

What is COBIT?

And its domains:

Answer 4

COBIT (Control Objectives for Information & related Tech)
• Measures, Indicators, Processes, Practices:

• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

Question 5

What is SOX?

Answer 5

SOX (Sarbanes-Oxley Act in USA)

Prevent and detect fraud
Relies on independent auditors
Relies on correct (T-based) controls

Question 6

Example of a Control: 3-Way Match

Answer 6

Check before further transactions are allowed: supplier-invoice, purchase order, packing slip

Question 7

Example of an Audit: 3-Way Match

Answer 7

A check after transactions have concluded

Sales revenue, cash receipts, invoice

Question 8

Information Security must protect:

Answer 8

o	Data (wherever data is physically stored for later retrieval)
o	Computer (physical access to computers / processors)
o	Network (connection / authority on network)

Question 9

Information Security must ensure:

Answer 9

o	Confidentiality (no inappropriate disclosure)
o	Authenticity (data indeed comes from claimed source)
o	Integrity (no unauthorized modification)
o	Availability (may degrade confidentiality, authenticity and integrity)

Question 10

Who/What are the Threats?

Answer 10

Automated threats (having no real-time human director)
o	Malware: Viruses, Bots, Spyware, Misleading E-mail, Denial-of-Service Attacks

Human-Directed threats: (having a real-time human director)
o Hackers, Crackers, social engineers

Question 11

What are the threats motivations? (2)

Answer 11

Financial Gain

Political Gain

Question 12

Stages of Digital Forensics (4)

Answer 12

Collection
o	Physical access is obtained
o	Image copy is made
Authentication & Preservation 
o	Read contents 
o	Document chain of custody 
Recovery
o	Files
o	Fragments of files 
Analysis & Interpretation
o	Build evidence 
o	Put information in context
o	History of disk activity
o	Live analysis

Question 13

ANTI-Forensics

Answer 13

Anti-Forensics Industry: A new branch of digital forensics
Makes it difficult/impossible to track user activity or to access data

1. Configuration Settings
2. Third Party Tools
3. Forensic Defeating Software