Question 1: IT Governance [50 marks]
According to a variety of studies, IT governance is usually implemented so as to ensure that IT operations and investments deliver more value to the business.
a) Discuss the activities that are required to setup IT governance in an organization. [25 marks]
b) With the aid of examples, discuss the factors that could affect IT governance. [25 marks]
Question 2: Strategic Management of IT [50 marks]
The strategic management of IT can be achieved through the use of various resources.
a) With the aid of examples, discuss the role played by policies and procedures in the strategic management of IT. [25 marks]
b) Propose and discuss the aspects that should be considered during the drafting of an Information Security policy document [25 marks]
Question 3: Risk Management [50 marks]
Risk management was identified in the NamCode as being an important activity during governance.
a) Outline how you would develop a risk management program in IT [25 marks]
b) Critically evaluate the strengths and weakness of the various risk analysis methods in IT. [25 marks]
Question 4: Business Continuity planning [50 marks]
Business Continuity planning involves the creation and validation of a logistical plan that outlines how an organization will recover from a disaster or extended disruption of operations.
a) Identify and discuss the phases of a Business Continuity life cycle. [25 marks]
b) With the aid of examples, discuss the various issues that could indicate that a Disaster Recovery Plan is not in order. [25 marks].
A. What is strategy management for IT services?
Strategy management for IT services is the process of defining and maintaining the perspective, position, plans, and patterns of an organization with regard to its services and the management of those services. The purpose of strategy management for IT services is to make sure that a strategy is properly defined, adequately maintained and managed, and achieves its purpose.
Role played by policies and procedures in the strategic management of IT:
Example: the organization's IT policies, standards, and procedures.
An auditor can learn a great deal about an organization by simply reviewing the strategic plan and examining the company's policies and procedures. These documents reflect management's view of the company. Some might even say that policies are only as good as the management team that created them. Policies should exist to cover almost every aspect of organizational control, because companies have legal and business requirements to establish policies and procedures. The law dictates who is responsible and what standards must be upheld to meet minimum corporate governance requirements.
Management is responsible for dividing the company into smaller subgroups that control specific functions. Policies and procedures dictate how activities occur in each of the functional areas. One of the first steps in an audit is for the auditor to examine these critical documents. Any finding an auditor makes should be referenced back to the policy. This allows the auditor to establish a cause and specify how to rectify identified problems. Policies can be developed in either a top-down or a bottom-up method.
Policy Development:
Not all policies are created in the same way. The policy process can be driven from the top or from the bottom of the organization. Top-down policy development means that policies are pushed down from the top of the company. The advantage of a top-down approach is that it ensures policy is aligned with the strategy of the company. What it lacks is speed: it is a time-consuming process that takes a substantial amount of time to implement. A second approach is bottom-up policy development. Bottom-up policy development addresses the concerns of operational employees because it starts with their input and concerns and builds on known risk. This is faster than a top-down approach, but it has a major disadvantage in that it risks lacking senior management support.
No matter what the development type is, policies are designed to address specific concerns:
Policies and Procedures:
Policies are high-level documents developed by management to transmit its guiding strategy and philosophy to employees. Management and business process owners are responsible for the organization and design of policies that guide it toward success. Policies carry the full weight of management's words. They define, detail, and specify what is expected from employees and how management intends to meet the needs of customers, employees, and stakeholders. Policies can be developed internally, or can be based on international standards such as Common Criteria or ISO 17799.
One specific type of policy is the organization's security policy. Security policy dictates management's commitment to the use, operation, and security of information systems and assets. It specifies the role security plays within the organization. Security policy should be driven by business objectives and should meet all applicable laws and regulations. The security policy should also act as a basis to integrate security into all business functions. It serves as a high-level guide to develop lower-level documentation, such as procedures. The security policy must be balanced, in the sense that all organizations are looking for ways to implement adequate security without hindering productivity. The issue also arises that the cost of security cannot be greater than the value of the asset. Figure 2.4 highlights these concerns.
An auditor must look closely at all policies during the audit process and should review them to get a better idea of how specific processes function. As an example, the auditor should examine policies that have been developed for disaster recovery and business continuity. Some questions to consider are: what kind of hardware and software backup is used; whether the software backup media is stored off site, and if so, what kind of security the offsite location has and what type of access is available. These are just a few of the items an auditor will be tasked with reviewing. The disaster recovery policy is an important part of corrective control. Disaster recovery is discussed in detail in Chapter 9, "Disaster Recovery and Business Continuity."
During the audit, the auditor must verify how well policy actually maps to activity. You might discover that existing policy inhibits business or security practices. Operators might have developed better methods to meet specific goals. When faced with these situations, the auditor should identify the problem and look for ways to improve policy.
Policies don't last forever. Like most things in life, they need to be reviewed periodically to make sure they stay current. Technology becomes obsolete, new technology becomes affordable, and business processes change. Although it's sometimes easy to see that low-level procedures need to be updated, this also applies to high-level policies. Policies are just one level of procedural control. The next focus of discussion is on procedures.
Evaluate the organization's IT policies, standards, and procedures, and the processes for their development, approval, implementation, and maintenance, to ensure that they support the IT strategy and comply with regulatory and legal requirements.
Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards, and procedures.
Knowledge Statements:
Knowledge of the purpose of IT strategies, policies, standards, and procedures for an organization and the essential elements of each.
Knowledge of generally accepted international IT standards and guidelines.
Knowledge of the processes for the development, implementation, and maintenance of IT strategies, policies, standards, and procedures (for example, protection of information assets, business continuity and disaster recovery, systems and infrastructure lifecycle management, IT service delivery and support).
Procedures:
Procedures are somewhat like children: they are detailed documents built from the parent policy. Procedures provide step-by-step instruction. Like children, they are more dynamic than their parent policy. They require more frequent changes to stay relevant to business processes and the technological environment. Procedures are detailed documents tied to specific technologies and devices. Procedures change when equipment changes. The company might have a policy dictating what type of traffic can enter or leave the company's network, but a procedure would provide the step-by-step instruction on how the policy is to be carried out. As an example, if your company has a CheckPoint firewall, the procedure would provide step-by-step instruction on its configuration. If the company decided to migrate to a Cisco Adaptive Security Appliance (ASA), the policy would remain unchanged, but the procedure for configuration of the firewall would change.
During an audit, the auditor must review all relevant procedures and map them to employee behavior through direct observation or interview. Misalignment can mean that there are no existing procedures, that procedures don't map well to existing practices, or that employees have not had the proper or adequate training on the procedures.
B. The aspects that should be considered during the drafting of an Information Security policy document.
A security policy can be as broad as you want it to be, covering everything from IT security to the security of related physical assets, but it must be enforceable in its full scope. The following list offers some important considerations when developing an information security policy.
1. Purpose
First state the purpose of the policy which may be to:
2. Audience
Define the audience to whom the information security policy applies. You may also specify which audiences are out of the scope of the policy (for example, staff in another business unit which manages security separately may not be in the scope of the policy).
3. Information security objectives
Guide your management team to agree on well-defined objectives for strategy and security. Information security focuses on three main objectives:
5. Data classification
The policy should classify data into categories, which may include "top secret", "secret", "confidential" and "public". Your objectives in classifying data are:
To ensure that sensitive data cannot be accessed by individuals with lower clearance levels.
To protect highly important data, and avoid needless security measures for unimportant data.