Question

In: Computer Science


Question 1: IT Governance [50 marks]

According to a variety of studies, IT governance is usually implemented so as to ensure that IT operations and investments deliver more value to the business.

a) Discuss the activities that are required to set up IT governance in an organization. [25 marks]

b) With the aid of examples, discuss the factors that could affect IT governance. [25 marks]

Question 2: Strategic Management of IT [50 marks]

The strategic management of IT can be achieved through the use of various resources.

a) With the aid of examples, discuss the role played by policies and procedures in the strategic management of IT. [25 marks]

b) Propose and discuss the aspects that should be considered during the drafting of an Information Security policy document. [25 marks]

Question 3: Risk Management [50 marks]

Risk management was identified in the NamCode as being an important activity during governance.

a) Outline how you would develop a risk management program in IT [25 marks]

b) Critically evaluate the strengths and weaknesses of the various risk analysis methods in IT. [25 marks]

Question 4: Business Continuity planning [50 marks]

Business Continuity planning involves the creation and validation of a logistical plan that outlines how an organization will recover from a disaster or extended disruption of operations.

a) Identify and discuss the phases of a Business Continuity life cycle. [25 marks]

b) With the aid of examples, discuss the various issues that could indicate that a Disaster Recovery Plan is not in order. [25 marks]

Solutions

Expert Solution

Question 2: Strategic Management of IT [50 marks]

The strategic management of IT can be achieved through the use of various resources.

a) With the aid of examples, discuss the role played by policies and procedures in the strategic management of IT. [25 marks]

b) Propose and discuss the aspects that should be considered during the drafting of an Information Security policy document [25 marks]

A. What is Strategy management for IT services?
Strategy management for IT services is a process of defining and maintaining the perspective, position, plans, and patterns of an organization with regard to its services and the management of those services. The purpose of strategy management for IT services is to make sure that a strategy is defined properly, maintained and managed adequately to achieve its purpose.

Role played by policies and procedures in the strategic management of IT:

Example : The organization's IT policies, standards, and procedures.

An auditor can learn a great deal about an organization by simply reviewing the strategic plan and examining the company's policies and procedures. These documents reflect management's view of the company. Some might even say that policies are only as good as the management team that created them. Policies should exist to cover most every aspect of organizational control because companies have legal and business requirements to establish policies and procedures. The law dictates who is responsible and what standards must be upheld to meet minimum corporate governance requirements.

Management is responsible for dividing the company into smaller subgroups that control specific functions. Policies and procedures dictate how activities occur in each of the functional areas. One of the first steps in an audit is for the auditor to examine these critical documents. Any finding an auditor makes should be referenced back to the policy. This allows the auditor to establish a cause and specify how to rectify identified problems. Policies can be developed in either a top-down or a bottom-up method.

Policy Development:
Not all policies are created in the same way. The policy process can be driven from the top or from the bottom of the organization. Top-down policy development means that policies are pushed down from the top of the company. The advantage of a top-down policy development approach is that it ensures that policy is aligned with the strategy of the company. What it lacks is speed. It's a time-consuming process that requires a substantial amount of time to implement. A second approach is bottom-up policy development. Bottom-up policy development addresses the concerns of operational employees because it starts with their input and concerns, and builds on known risk. This is faster than a top-down approach but has a huge disadvantage in that it risks the lack of senior management support.

No matter what the development type is, policies are designed to address specific concerns:

Policies and Procedures :

Policies are high-level documents developed by management to transmit its guiding strategy and philosophy to employees. Management and business process owners are responsible for the organization and design of policies to guide it toward success. Policies apply a strong emphasis to the words of management. They define, detail, and specify what is expected from employees and how management intends to meet the needs of customers, employees, and stakeholders. Policies can be developed internally, or can be based on international standards such as Common Criteria or ISO 17799:

One specific type of policy is the organization's security policy. Security policy dictates management's commitment to the use, operation, and security of information systems and assets. It specifies the role security plays within the organization. Security policy should be driven by business objectives and should meet all applicable laws and regulations. The security policy should also act as a basis to integrate security into all business functions. It serves as a high-level guide to develop lower-level documentation, such as procedures. The security policy must be balanced, in the sense that all organizations are looking for ways to implement adequate security without hindering productivity. The issue also arises that the cost of security cannot be greater than the value of the asset. Figure 2.4 highlights these concerns.

An auditor must look closely at all policies during the audit process and should review these to get a better idea of how specific processes function. As an example, the auditor should examine policies that have been developed for disaster recovery and business continuity. Some questions to consider are what kind of hardware and software backup is used; whether the software backup media is stored off site, and if so, what kind of security does the offsite location have, and what type of access is available? These are just a few of the items an auditor will be tasked with reviewing. The disaster recovery policy is an important part of corrective control. Disaster recovery is discussed in detail in Chapter 9, "Disaster Recovery and Business Continuity."

During the audit, the auditor must verify how well policy actually maps to activity. You might discover that existing policy inhibits business or security practices. Operators might have developed better methods to meet specific goals. When faced with these situations, the auditor should identify the problem and look for ways to improve policy.

Policies don't last forever. Like most things in life, they need to be reviewed periodically to make sure they stay current. Technology becomes obsolete, new technology becomes affordable, and business processes change. Although it's sometimes easy to see that low-level procedures need to be updated, this also applies to high-level policies. Policies are just one level of procedural control. The next focus of discussion is on procedures.

Evaluate the organization's IT policies, standards, and procedures; and the processes for their development, approval, implementation, and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements.
Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards, and procedures.

Knowledge Statements :
Knowledge of the purpose of IT strategies, policies, standards, and procedures for an organization and the essential elements of each
Knowledge of generally accepted international IT standards and guidelines
Knowledge of the processes for the development, implementation, and maintenance of IT strategies, policies, standards, and procedures (for example, protection of information assets, business continuity and disaster recovery, systems and infrastructure lifecycle management, IT service delivery and support)

Procedures :
Procedures are somewhat like children—they are detailed documents built from the parent policy. Procedures provide step-by-step instruction. Like children, they are more dynamic than their parent policy. They require more frequent changes to stay relevant to business processes and the technological environment. Procedures are detailed documents tied to specific technologies and devices. Procedures change when equipment changes. The company might have a policy dictating what type of traffic can enter or leave the company's network, but a procedure would provide the step-by-step instruction on how the policy is to be carried out. As an example, if your company has a CheckPoint firewall, the procedure would provide step-by-step instruction on its configuration. If the company decided to migrate to a Cisco Adaptive Security Appliance (ASA), the policy would remain unchanged, but the procedure for configuration of the firewall would change.

During an audit, the auditor must review all relevant procedures and map them to employee behavior through direct observation or interview. Misalignment can mean that there are no existing procedures, that procedures don't map well to existing practices, or that employees have not had the proper or adequate training on the procedures.

B. The aspects that should be considered during the drafting of an Information Security policy document.

A security policy can be as broad as you want it to be, covering everything related to IT security and the security of related physical assets, but it must be enforceable in its full scope. The following list offers some important considerations when developing an information security policy.

1. Purpose
First state the purpose of the policy which may be to:

2. Audience
Define the audience to whom the information security policy applies. You may also specify which audiences are out of the scope of the policy (for example, staff in another business unit which manages security separately may not be in the scope of the policy).

3. Information security objectives
Guide your management team to agree on well-defined objectives for strategy and security. Information security focuses on three main objectives:

5. Data classification
The policy should classify data into categories, which may include “top secret”, “secret”, “confidential” and “public”. Your objective in classifying data is:

To ensure that sensitive data cannot be accessed by individuals with lower clearance levels.
To protect highly important data, and avoid needless security measures for unimportant data.

note: plzzz don't give dislike.....plzzz comment if you have any problem i will try to solve your problem.....plzzz give thumbs up i am in need....

