IT Governance: Roles and Risk Analysis

Questions and Answers

Which of the following best describes the role of the IT steering committee?

  • Overseeing project ownership and the resulting framework.
  • Implementing and monitoring IT-related activities, involving roles such as CEO and CIO. (correct)
  • Advising the board on IT strategy as members of the board.
  • Defining the IS audit function.

When is accepting risk the most appropriate risk treatment strategy?

  • When the cost of controlling the risk is greater than the impact of the risk. (correct)
  • When risk reduction strategies are not available.
  • When the risk can be transferred to an insurance company.
  • When the risk can be completely avoided.

In the context of IT governance, what is the primary focus of policies?

  • Defining project costs and schedules.
  • Aligning IT activities with business objectives.
  • Aligning IT with business and security requirements. (correct)
  • Measuring customer satisfaction and internal process efficiency.

Which risk analysis method uses a qualitative scale of Low, Medium, and High?

Qualitative. (B)

What is the relationship between governance and management in Enterprise IT?

Governance refers to the direction, and management refers to the implementation of policies. (C)

What is the primary purpose of the Balanced Scorecard (BSC) in IT governance?

To align IT with business needs by measuring customer satisfaction and internal processes. (A)

In software development, what is the main focus of Quality Assurance (QA) compared to Quality Control (QC)?

QA is proactive and focused on preventing defects, while QC is reactive and focuses on finding defects. (C)

Which of the following methods is used to estimate the duration of a project?

Critical Path Method (CPM). (D)

What is the primary goal of Earned Value Analysis (EVA)?

To measure project progress and forecast completion date and cost. (D)

During which phase of the SDLC (Software Development Life Cycle) are the project's goals and feasibility assessed?

Feasibility Study. (C)

What is the purpose of using check digits?

To prevent transposition and transcription errors. (C)

Which type of system testing checks the system's ability to recover after a hardware or software failure?

Recovery Testing. (B)

Why is Regression Testing performed?

To ensure existing functionalities work correctly after changes. (D)

What is the purpose of Configuration Management in network management?

To manage, control, and monitor configuration. (A)

What is the purpose of normalization in a relational database model?

To reduce duplicate data and data redundancy. (A)

What is the first step to take when developing a Business Continuity Plan (BCP)?

Project and scope planning. (A)

In disaster recovery testing, what does a tabletop test involve?

Practicing coordination of efforts and implementation communication. (D)

What type of control is an alternative power supply protecting against long-term electrical power unavailability?

Preventive. (A)

What is the main characteristic of Statistical Sampling?

Probability-based and non-judgmental. (A)

Why is it important that the 'write access to logs cannot be disabled'?

To enable accurate detection of security incidents and maintain audit trails. (C)

Flashcards

IT Governance

Aligning IT activities with overall business goals and objectives.

Policies hierarchy

Standards, Policies, Procedures, and Guidelines

IT Strategy Committee

Advises the board on IT strategy, as members of the board.

IT Steering Committee

Implementing and monitoring IT strategy. (CEO, CIO, etc.)

Qualitative Risk Analysis

Low, Medium, High

Semi-Quantitative Risk Analysis

Low (1), Medium (3), High (5)

Mitigate

Act to decrease the likelihood or impact of a risk.

Accept Risk

Acknowledgement of risk when risk control costs exceed potential impact.

Avoid Risk

Eliminating exposure to the risk.

Transfer Risk

Sharing risk burden through insurance or contracts.

Balanced Scorecard

Align IT with business needs; measures customer satisfaction, internal processes, innovation.

Benchmarking

Evaluation and comparison of business processes/metrics against best practices.

Quality Assurance (QA)

Proactive; prevents defects; process-focused.

Quality Control (QC)

Reactive; finds defects; product-focused.

Check Digits

Prevents transposition and transcription errors.

Cyclic Redundancy Checksums

Detects bursts of errors in network transmissions.

Regression Testing

Returns to a previous stage to confirm whether the changes introduced errors.

Volume Testing

Measures the maximum volume of records that the application can handle.

Alternative Routing

Copper and fiber-optic cables (two entirely different cables).

Tabletop Test

Practicing coordination of efforts and implementation communication.

Study Notes

IT Governance

  • IT activities align with business objectives
  • The Board of Directors/Senior Management are key

Governance vs Management

  • Governance provides direction
  • Management implements policies/procedures to achieve goals and direction set by the governance body
  • Stakeholder involvement determines successful implementation

Policies

  • Standards lead to Policy, which leads to Procedure, then Guidelines
  • IS policy requires Board of Directors approval

Roles

  • The Board of Directors handles IT Corporate Governance
  • The IT strategy committee advises the board as members
  • The IT steering committee implements and monitors with CEO, CIO involvement
  • The project steering committee is responsible for all projects and costs
  • User management entails project ownership and the resulting framework

Risk Analysis Methods

  • Qualitative analysis uses Low, Medium, and High
  • Semi-quantitative analysis uses Low (1), Medium (3), and High (5)
  • Quantitative analysis uses numeric values

Risk Treatment

  • Mitigating something reduces risk directly
  • Accepting risk occurs when the cost of controlling it outweighs the impact of the risk
  • Avoiding is stopping activity to remove the risk
  • Transferring risk is sharing it, often through insurance

Risk Management Process

  • Asset identification is the first step
  • The second action is identification of threats and vulnerabilities
  • Evaluation of impact
  • Risk calculation
  • Risk response

Maturity Model

  • The CMMI framework considers maturity levels and process areas

IT Management

  • The purpose of IT Management is to ensure IT assets work correctly, efficiently, and align with business requirements

Outsourcing Benefits

  • Big savings
  • Leverage expert service
  • Experience within the field

Monitoring

  • Six Sigma & Lean use a quantitative process analysis methodology to improve processes and reduce defects
  • The BSC is a tool aligning IT with business needs via customer satisfaction, internal processes, and innovation abilities, but requires KPIs
  • KPIs are attributes related to the organization's key business goals
  • Benchmarking evaluates and compares business processes and metrics with best practices

Quality Assurance

  • QA provides confidence that an item conforms to requirements
  • Quality Control is a method that tests if a product meets requirements and is defect-free
  • QA prevents defects proactively and focuses on processes
  • QC finds defects reactively, focusing on products

Quality Management System

  • Its purpose is continuous improvement

Software Size Estimation

  • Source Lines of Code determines cost based on the number of lines
  • Function Point Analysis is an indirect technique to size software
  • COCOMO is an advanced SLOC-based estimation model

CPM

  • The Critical Path Method estimates project duration

PERT

  • The Program Evaluation Review Technique also estimates project duration
  • CPM only accounts for the critical path, while PERT considers optimistic, pessimistic and normal scenarios

PERT Scenarios

  • Optimistic (Best)
  • Pessimistic (Worst)
  • Normal (Most Likely)
  • PERT is preferred over CPM

Gantt Chart

  • Tracks project progress based on the baseline plan with milestones

Earned Value Analysis

  • The objective is to measure project progression, completion date, and final cost; also analyzes budget variance

Business Case

  • Justification for projects

Feasibility Analysis

  • Assesses if established budgets and schedule requirements are practical and achievable

SDLC Phases

  • The first is Feasibility Study
  • The second is Requirements
  • The third is Software Selection and Acquisition
  • The fourth is Development
  • The fifth is Testing and Implementation
  • The sixth is Post-Implementation

OOSD

  • Object-Oriented Systems Development's main goal is reusable and maintainable code
  • Encapsulation allows objects to interact (combining without interfacing)
  • Polymorphism is the capacity for objects to interpret a message

Check Digits

  • These prevent transcription errors

Parity Bits

  • Add bits ensuring complete and accurate data transmission

Checksums

  • Checksums (unlike simple parity bits) recognize complex errors using advanced mathematical formulas
  • Cyclic Redundancy Checksums detect bursts of errors in networks by increasing arithmetic complexity
  • Forward Error Control uses checksums and also corrects the errors

Data Integrity Principles

  • Atomicity means each transaction processes completely, or not at all
  • Consistency enforces integrity for all database transactions
  • Isolation keeps each database transaction separate
  • Durability ensures database resilience against system failures

Limit Checks

  • Input controls prevent invalid data inputs

Automated System Balancing

  • Reconciles total input with total output

Sequence Checks

  • Prevents duplicate vouchers via ascending/descending sequences

Testing

  • Unit tests target each separate program/module on its own
  • Integration tests confirm connections between two or more system components
  • System testing includes:
    • Recovery testing checks the ability to recover from hardware or software failure
    • Security testing checks security arrangements and vulnerabilities
    • Load testing checks performance during peak hours
    • Volume testing determines data volume capacity
    • Stress testing determines concurrent users/service capacity
    • Performance testing benchmarks system performance

User Acceptance Test

  • UAT involves end users
  • Regression Testing returns to an earlier stage

Testing Qualities

  • Sociability Testing determines quality of interaction
  • Pilot Testing proves the feasibility of a new system before full implementation
  • Parallel Testing compares the results of the new system with an old system

Testing Participants

  • Alpha Testing occurs before Beta Testing and uses internal users
  • Beta Testing is after Alpha Testing and leverages external users
  • Bottom-Up Approach finds faults in modules
  • Top-Down Approach detects interface errors

Testing Phases

  • Unit Testing on Individual Modules
  • Integration Testing across Modules
  • System Testing via stress, load, recovery, volume and security
  • Final Acceptance Test via QAT and UAT

Post-Implementation Review

  • Determine if the project met objectives
  • Make a cost-benefit analysis and ROI
  • Determine lessons learned

Server Types

  • Print, File, Application/Program, Web, Proxy, Database

Performance Reports

  • Availability, utilization, asset management, hardware reports

Software Licensing

  • Open source licenses allow users to use, modify, and redistribute software as required
  • Freeware is free, but the source code cannot be redistributed
  • Shareware has limited functionality and trial periods

Security Source Code Management

  • Escrow or Version Control System

Network Management Tools

  • Response time reports measure time to address a user query
  • Downtime reports track unavailability of telecommunication lines/circuits
  • Help desk reports detail queries, turnaround time, and problem resolution
  • Online monitors track data transmission errors and accuracy
  • Network monitors relay real-time network node status
  • Network protocol analyzers monitor data packets and produce network usage reports
  • SNMP uses TCP/IP to manage and control configuration + collect data on performance and security

Key Component of Network Management

  • Configuration management

Relational Database Model

  • All tables are related through one or more connecting fields

Databases

  • Normalization reduces redundancy
  • Denormalization increases redundancy
  • User spool improves space utilization and database query performance

DBA Restrictions

  • DBAs should not capture the logs of, or monitor, their own DBA functions
  • DBAs should not perform the activities and tasks of end users
  • DBAs should not be the ones applying security patches to the OS

Keys

  • Primary keys are unique IDs for a record
  • Foreign keys reference a primary key in another table

BIA

  • Recovery strategies must leverage BIA data
  • Business process owners determine the system criticality
  • The main consideration is downtime

Backups

  • Differential backups happen after the latest full backup
  • Incremental backups happen after the latest incremental backup

Telecommunication Network Resiliency

  • Alternative routing uses copper and fiber-optic cables
  • Last-mile circuits provide redundancy for local communication
  • Long-Haul Network Diversity provides redundancy for long-distance communication
  • Diverse routing splits cables to route information

BCP

  • BCP requires senior management to approve
  • Involves these steps:
    1. Scope and project planning
    2. Risk assessment and analysis
    3. Business Impact Analysis (BIA)
    4. BCP strategy
    5. BCP development
    6. BC awareness training
    7. BCP testing
    8. Monitoring, maintenance, and update
  • Shadow file processing processes both files concurrently for time-sensitive transactions
  • The paper test leads to a preparedness test, then a full operational test

DRP

  • First perform the BIA, then develop the DRP
  • Backup intervals should be aligned with the Recovery Point Objective (RPO) for data synchronization
  • DRP test types, from least to most disruptive:
    1. The Checklist Review provides a checklist to all members
    2. The Structured Walkthrough reviews the DRP on paper
    3. The Tabletop test practices coordination and implementation
    4. The Simulation test role-plays a disaster to determine DRP adequacy
    5. The Parallel test is when a recovery site is activated
    6. The most expensive and disruptive practice is the Full Interruption test

Logical Access

  • The Security Policy best practice is a yearly review

Control to Protect from Power Issues

  • Long-term outages use alternative power supply
  • Short-term outages use a power line conditioner
  • Voltage spikes use surge protection devices
  • A raised floor is used for safety of power and data cables

Access Control Categories

  • Mandatory Access Control's approved policy governs the rules, and users/owners can't modify the access role
  • Discretionary Access Control can be modified by the data owner

Access Management

  • An inventory is the first step; then control passwords

Security Metrics

  • The lowest CER/EER is the most effective system

Attack Traits

  • REPLAY ATTACK: residual fingerprints
  • BRUTE FORCE: submitting many fingerprint samples in bulk
  • CRYPTOGRAPHIC: targets algorithms or the encrypted data
  • MIMIC: imitating voice or forging signature

Network Media

  • Fiber-optic cables are not affected by EMI
  • Twisted Pair:
    • Shielded (STP) is more reliable than unshielded (UTP)
    • Unshielded (UTP)
  • Attenuation is signal loss or weakening
  • The network diagram must be obtained first
  • Dedicated leased lines provide the best security

Firewalls

  • Packet filtering routers are the earliest versions, only tracking IP addresses and ports using predefined rules
  • Stateful inspection tracks sessions
  • Circuit-Level firewalls use a bastion host and a proxy server
  • Application-Level firewalls control applications, such as FTP and HTTP

Firewall Implementation

  • Dual-Homed Firewall: Uses 1 bastion host with 2 NICs, 1 packet filtering router
  • Screened-Host Firewall: Uses 1 bastion host, 1 packet filtering router
  • Screened-Subnet Firewall (DMZ): Utilizes 2 packet filtering routers, 1 bastion host

VPNs

  • Encrypt packets with the IP Security standard (IPsec)

VOIP

  • VLAN segregates VoIP from telephone systems
  • RBAC manages VoIP access

VOIP Security

  • A Session Border Controller is a traffic cop
  • WPA-2 Encryption is the strongest

Wireless Security

  • Implement these to secure wireless:
    • MAC filtering
    • Encryption
    • Disable SSID broadcast
    • Disable DHCP

Key Management

  • Dynamic keys are better than static keys because they change frequently
  • A random PSK is better than a MAC-based PSK because MAC addresses are fixed

Alteration Attack

  • Code is altered or modified without authorization; such attacks are prevented with cryptographic integrity checks on the code

Buffer Overflow

  • A flaw in software code that an attacker exploits

Juice Jacking

  • Data copied from a charging port

Sampling Approaches

  • Statistical sampling is probability-based, non-judgmental, and lets sampling risk be measured
  • Non-statistical sampling is judgmental
  • Attribute sampling is used for compliance testing
  • Variable sampling is used for substantive testing
  • Stop-or-go sampling is used when very few errors are expected
  • Discovery sampling is used to detect fraud

Compliance Testing

  • Check controls
  • Detect presence of controls

Substantive Testing

  • Verify data's completeness, accuracy, and validity

Audit Tools

  • ITF uses tests in a production environment
  • CIS identifies transactions based on predefined criteria in a complex environment
  • Audit checks detect fraud/error early at a threshold
  • Snapshots capture images of transactions as they pass through the system
  • SCARF/EAM finds unusual patterns when regular processing is uninterrupted

Maintenance

  • Preventive maintenance should ensure the process before scheduling

Additional Notes from CIS0041

  • INTEGRITY: Sign with the sender's private key, verify with the sender's public key
  • ENCRYPTION: Encrypt with the receiver's public key, decrypt with the receiver's private key
  • PKI sets up a framework/set of rules
  • CA manages keys and verifies integrity
  • Digital Certificates are digital IDs, like keys
  • RA verifies a person's identity to prevent fraud
  • WEB OF TRUST consists of small groups endorsing each other's certificates

Testing

  • BLACKBOX: the tester has no prior knowledge, as in real life
  • WHITEBOX: the tester knows the architecture
  • DOUBLEBLIND: both parties are unaware (the tester has no prior knowledge and the organization is not told of the test)
  • BLIND: black-box testing where the organization is aware of the test

Emergency Testing

  • Tabletop, then Functional, then Full-Scale

Continuity Testing

  • Paper test, then preparedness test, then full continuity plan test

Database

  • FOREIGN KEY STRUCTURE creates "foreign" relationships with same data
  • REFERENTIAL INTEGRITY makes sure values are consistent

Cryptography

  • ELLIPTIC CURVE CRYPTOGRAPHY suits mobile devices because of its fast computation speed
  • A Cyclic Redundancy Check appends a check value to data to verify it during network transmission
  • PARITY adds one bit per data transmission unit
  • CHECK DIGIT handles wrong transcriptions

Message Security

  • NON-REPUDIATION prevents senders from denying message transmission
  • Large PINGs cause denial of service
  • Data Mining can find trends in transactions or data

Security Protocols

TLS for web traffic

HASH vs Encryption

  • HASH is for authentication
  • ENCRYPTION is for confidentiality
  • HASH output length is fixed
  • ENCRYPTION output length may differ

Security Principles

  • Enroll first to use biometrics
  • WRITE ACCESS to logs: cannot be disabled
  • Data Diddling (a security risk) only has compensating controls, since users are changing data manually

Watermarking

  • Steganography

Cyber Attacks

  • DNS hardening mitigates pharming
  • Encapsulation encrypts VPNs
  • Debugging tools, used by developers, are dangerous if left enabled
  • Bad configuration creates a DoS

Data

  • Metadata is resolution, size and camera model
  • Data is the photo itself

Testing Phases

  • Beta Testing is the final testing stage
  • Stress Testing uses extreme load pressure

Testing Assurance

  • REGRESSION ensures no errors for a continuous cycle

CICD

  • The main benefit is the increase in speed of software delivered

Code

  • Source code is readable by humans
  • Object Code is only readable by computers

Integrity

A trusted source

OO Design

  • How software is designed

Process

  • RACE condition: 2 processes acting at the same time
  • COLLUSION: involves 2 employees or more that bypass controls
  • PERT manages timelines
    • IMPLEMENTATION > REVIEW > ACCESS > FLOW
  • SCOPE is linked to baselining
  • BUFFERs are linked to code implementation

Modules

  • TOP DOWN: interface early
  • BOTTOM UP: critical modules early
  • FUNCTION: relates to the method of size and complexity

Firewall Policy

  • Identifying application networks

MOBILE - GSM

  • VPN can encrypt what is considered to be good security

CMM

  • Capability Maturity is a model for better organisation processes

Access

  • Observations for review

Management

  • Managing, prioritizing, and value management

Security

  • Systems for industry

Cross

  • Redirection to another website

Tampering

  • Users' fields for safety

Anti-spam

  • HEURISTIC filtering flags somewhat suspicious phrases
  • STATISTICAL filtering is based on word statistics

Security

  • Responsibility = CSA and importance

HA

  • Hardware from vendor to spec

Project management

  • All deliverables need project management

Seniors

Involvement

Review

Assurance from quality

Directors

Governance within boards

Audit committee

Charter

Network. AI

  • Pattern for suspicious issues. Can cause potential impact

VoIP

  • Using security and business requirements to separate VoIP

Payloads can be encrypted

  • ESP

Replay attacks can reuse prints

  • Replay can reuse residual fingerprints.

Passwords need more for the following aspects.

  • Size
  • Validity
  • Word

Data ensure

Do not cause excessive problems

Security diagram

Graphs. Data will travel the path

Mistake

Value or survival

Users

Diagram for data flow

Server

Performance and increase logins

Assurance consultant

Assurance for quality

Owners

Approve governance

Security- code

Follow instructions

Records

  • Financial data in a good way

ML

  • Predicts and values location, sizes and what’s numerical

Relations, clusters or people

  • Classification for relationships and task
  • Classifications for post principles

Implement, plan

  • Sampling + analysis
  • 10 customers for system

Strategy

  • Control for corporate planning

Checklists

  • Preventing undefined data

Before

Careful plans

Sub

Can’t pay

Overview and Feasibility

Improvement

Cons to critical

Security

Alignments Downtime and costs

Control of personal.

Double for some code

Same as the main

Characters with semantics

Analyse security

Technology which will give you risk?

Performance check

  • Stats and numbers is legal

Copper Alternative Route

Diverse route

Double cables with split

Supports

  • A base level for components

Plan test, implement

Backup is tested while you add them

Viable

  • Test workflow

Numbers. CsA.

Numbers with quality numbers ?

Checks

Is it sequence or numerical?

range test

Check for fall

Codes

Is substitution and data wrong?

Raw codes

detects errors

Transfer risk is sharing

  • Transfer risks with KPI

Policies

Is pw strong?

Duplication

Is tested. LSM

specifics SLMS

  • Global standards

Voip issues

is a ddos

strategy - Ai -

Is an objectives stratagem

Accreditation

For security
