
Odd Semester, 2019-20

Sem-End Examinations, Nov-Dec 2019


KEY FOR EVALUATION
BCA, 2017 Batch, III/III, 1st Semester
15CA3121: IT GOVERNANCE, RISK, & INFORMATION SECURITY MANAGEMENT

1 A) Explain the importance of IT Governance 5M
1 B) Discuss conceptual information security governance 5M
1 C) Explain the information system planning components 5M
1 D) Explain strategic system development 5M
1 E) List all the steps in risk analysis 5M
1 F) Explain the risk assessment methodologies 5M
1 G) Identify any four categories of IT strategic planning 5M
1 H) Make use of quantitative risk analysis 5M
PART B
2 A) What are the factors identified which affect IT governance? 10M
2 B) Explain the functions and committee role of the IT strategy committee 10M
3 A) List the benefits of information security governance 10M
3 B) Summarize the best practices of IT Governance 10M
4 A) Discuss the committee membership of the IT strategy committee 10M
4 B) Summarize in detail the "Analyze the risk process" phase in risk management 10M
5 A) Explain in brief the different types of IT risks 10M
5 B) Compare the various frameworks: COBIT, COSO and SAS
6 A) Outline the process and procedure of Control Objectives for Information and Related Technologies (COBIT) 4.1 & 5.0, and the advantages and benefits of COBIT 5. 20M
Disadvantages of using COBIT to establish an IT management and governance framework

It is costly, so many organizations and businesses have avoided implementing it in their activities. The major cost of this framework is that it needs a lot of knowledge and skill to implement as a tool to support information technology governance or to assess the performance of a company's information technology. Additionally, the framework lacks specifications concerning its connections, especially between the determined benefits of an activity and how they are reflected in the featured maturity model. The framework has all the descriptions in terms of processes, activities, and responsibilities, but it lacks the specification of its connections (Moller, 2010). The maturity model provides a shallow analysis of the given situation. Thus, it requires a very experienced analyst to conduct a credible maturity assessment of an information technology organization using Control Objectives for Information and Related Technology (CobiT). Additionally, there is no evidence or assurance that the experienced analysts would get the required solution regarding the maturity of an organization's information technology.

OBJECTIVES

Audit Objectives: These are the specific goals of the audit and provide the basis for managing audit departments. They could include the following:
- Ensures asset safeguarding. Assets include the following 5 types: data, application systems, technology, facilities and people.
- Ensures the seven attributes of data or information are maintained: Accuracy, Validity, Reliability, Timeliness, Relevance, Completeness, Confidentiality.
- Compliance with regulations (legal and regulatory requirements).
- CIA of information (Confidentiality, Integrity, and Availability).

Compliance and Substantive Testing: Defining and testing controls are important audit objectives. A control is a procedure or task that prevents staff from failing to follow policy. For example, requiring the signature of the supervisor on every employee time card is a way to stop people from getting paid for time they did not work. The quality of the control, however, is based on the supervisor knowing where staff is and making sure that the time card is accurate.

THE SCOPE OF AN IS AUDIT

However, the normal scope of an information systems audit still does cover the entire lifecycle of the technology under scrutiny, including the correctness of computer calculations. The word "scope" is prefaced by "normal" because the scope of an audit is dependent on its objective. Audits are always a result of some concern over the management of assets. The concerned party may be a regulatory agency, an asset owner, or any stakeholder in the operation of the systems environment, including systems managers themselves. That party will have an objective in commissioning the audit. The objective may be validating the correctness of the systems

5 Common Mistakes in Adopting COBIT 5


1. Attempting to implement processes and practices in a one-size-fits-all
manner without customization. It helps to think of COBIT 5 as a tool kit. Having
knowledge of which tools to use for what purposes ensures a successful implementation.
When adopting COBIT 5, one must choose the right processes to meet the organization
needs. Use the goals cascade, the pain points and trigger events to identify the right
processes. Also, make sure to tailor COBIT 5 to suit the organization’s needs.
Remember, COBIT 5 is a framework (guidance), and it must be customized according to
an organization’s needs because every organization is unique.
2. Setting unrealistic or overly ambitious goals to complete the project within a short
period of time. Implementing GEIT is about cultural change; people behaving in a new
way or adopting new processes. Behavioral changes take time, so prioritize activities,
select a few of the most important and most beneficial processes, and make changes
incrementally. It can be very effective to achieve a quick win within 3 months to build
momentum within the organization and then keep moving forward with other areas of
improvement.
3. Treating COBIT 5 adoption as a one-time project or using a third party to
implement GEIT. GEIT implementation is a continuous journey. Projects can fail or be
terminated when key personnel move out of key implementation roles. Ensure that there
is buy-in from management and the team when initiating the project. Remember, GEIT
must be owned (accountability) by the board of directors (BoD). Ensure that team
members are motivated and see the benefits from the project. Use third parties to help set
up GEIT, but ensure that internal team members are trained to follow the new practices
and maintain the system.
4. Having the GEIT project owned by a single individual within IT. It is important to
remember, it is not a one-man show. GEIT is a business change and the ownership must
be with the business. IT personnel can initiate the journey, but there must be involvement
and participation from business executives and other stakeholders. Use the COBIT 5
Responsible, Accountable, Consulted and Informed (RACI) chart (customized to the
organization) to ensure that the responsibilities and accountabilities are defined and
agreed upon by the stakeholders. Remember to get approval for the GEIT project from
the senior executives who own the project.
5. Making implementation all about policy and process documentation. Many
organizations believe documenting their processes equals GEIT implementation. In
reality, documentation is only 10% or less of the overall GEIT journey. The remaining
90% is about managing the organizational changes by educating people, helping them to
follow new processes and practices, reviewing and refining the processes, and reviewing
the effectiveness of the change.
7 A) List the factors identified for the effectiveness of IT Governance 5M
7 B) Explain the importance and formation of the Steering committee 5M
7 C) Indicate the objectives of IT Governance 5M
7 D) List the key terms of the Val IT framework of ISACA 5M
