Information Technology Governance for Emerging Digital Technologies
RMIT School of Accounting, Information Systems, and Supply Chain
INTE2412 Assignment Submission Sheet – Sem 1 2021
Family Name, Personal Name(s) Zhang, Sirui
Student Number S3751340
Telephone Number 0474482831
E-mail Address [email protected]
Tutor Dr. Jim McGovern
Course Coordinator Karlheinz Kautz
Assignment Title Assessment Task 1: Using an ISO Standard for IT Governance
Date Due 29/03/2021
Date Submitted 29/03/2021
Submission Check (Tick)
Citations and reference list All necessary evidence has been referenced and all citations comply with the preferred style guide.
(Tick)
Page margins, paragraph and line spacing Submission conforms to the formatting requirements set out in the course guide or the assignment submission specifications.
(Tick)
Electronic submission Using appropriate file naming conventions set out in the course guide or the assignment submission specifications.
(Tick)
Turnitin corrections If necessary, have made adjustments in response to Turnitin reports. (Tick)
1
Introduction 3
Critical analysis over issues 3
Rationales for changes 4
Recommendations and conclusion 7
Reference List 8
2
1. Introduction
This business report aims to identify and analyse under-performance in IT governance in
the WA government and provide recommendations on adopting relevant ISO standards and
changes. Key questions to be investigated include developing a principles-based system to guide
IT governance practice and suitability and feasibility of applying those IT governance tools,
reform considerations to strengthen compliance and fortification of due diligence and, conflict of
interest related ideas.
The business report will begin with a critical analysis of issues, further explain the
rationale of principles and tools, reforms and ideas proposed, and ends with a final
recommendation and conclusion.
2. Critical analysis over issues
According to the Information Systems Audit Report 2020, it states several weaknesses of
the six categories. For information security, information security policies and processes(identify
and patch IT infrastructure vulnerabilities) are inadequate or out of date; staff is not trained or
developed with security awareness; the highly privileged access to applications, databases and
networks is not reviewed; and passwords controls are weak with the absence of multifactor
authentication. Information security issues fail to meet the basic benchmark. With regards to
business continuity, Business Continuity Plan and Disaster Recovery Plan are lacking, meaning
that business functions and processes would suffer the risk of not being properly restored after a
disruption. Beyond those, IT risk management suffers weaknesses of lacking approved risk
management policies, procedures for risk identification, assessment, treatment, and risk registers.
It could make organisations less able to identify and mitigate risks in a prompt manner.
Furthermore, IT operations also suffer risks of lacking service level agreement with IT vendors,
weak IT operation governance, inadequate monitoring of cyber security events, weak maintenance
of asset registers, which could not support business requirements. Change problems identified
include lacking formal system change management policies of approval, document, and
assessment. Lacking the system could affect consistent, reliable, and efficient implementation of
IT changes. Finally, physical security weaknesses identified include a lack of review of staff and
contractors’ access and no humidity control or fire suppression system in the server room. In such
3
cases, there are high cases of unauthorised access to information systems and harm by the
environment.
Aside from that, a report from ABC also highlighted rising threat levels of information
system hacking (Borys, 2020). Information system hacking could significantly undermine the
financial security of the government and relevant agencies (Veiga & Eloff 2007, p.361). Besides
that, governance challenges of corruption emphasise the need to enhance governance control over
information technology service and project administration, mainly concerned with due diligence
and conflict of interest. Menagh (2020) reported that due to existing IT system problems (fail to
detect fake invoice scheme issues), civil servants' money laundry actions are not identified. The
case of Victoria public under corruption investigation given millions of dollars of work directed to
the company owned by him also suggested that conflict of interest problem is not identified in the
soonest manager. According to Belot (2020), WA’s North Metropolitan Health Service has issues
with due diligence over suppliers as well.
3. Rationales for changes
For WA, it is proposed that a principle-based system shall be first implemented.
According AS ISO/IEC 38500 (2016, p.11), six principles are included in the standards,
containing Responsibility Principle (individuals and groups shall accept their
responsibility in supply and demand of IT actions); Strategy Principle (connect it
capability with business strategy); Acquisition principle (valid reasons for IT acquisition
fully analyzed of benefits, opportunities, costs, and risks in a transparent manner);
Performance Principle (shall meet business requirements current and in future and support
organisation in delivering service); Conformance Principle (comply with mandatory
legislation and regulations based on defining and enforcing of policies and practices); and
Human Behavior Principle (IT policies, practices and decisions demonstrate respect for
Human Behavior). The principle-based approach is crucial in helping the WA government
to establish an overall framework of IT governance from staff awareness, business
strategy, IT acquisition, IT performance, IT related legislation and regulation, and human
behaviour perspective in an integrated manner. By focusing on the connection of IT
governance with business strategy and tasks in a more tailored manager and educating
4
staff to follow a well-designed framework, IT governance could be better assured than the
rule-based approach of simply designing common rules.
In the meantime, ISO/IEC 27000 (2018, p.19) focuses on policies, procedures,
guidelines as well as associated resources and activities protecting information assets
through a systematic approach, based on tactics to establish, implement, operate, monitor,
review and maintain information security in line with business objectives, The approaches
adopted include protecting private information from authorized access and adopting
security techniques and controls to secure critical information. This approach is also
critically linked to the issues faced by WA state, better-addressing information hack
through authorising access and adopting critical IT techniques and control mechanisms.
In the process of carrying out reforms, evaluate, direct and monitor frameworks
shall be used. More specifically, they should examine IT plans and supply arrangements
according to business needs and internal and external environment in a continuous
manner. They shall direct the preparation and implementation of strategies and policies to
establish proper behaviour in IT in line with the six principles mentioned earlier. Finally,
they shall also review IT performance in terms of its compliance to provide a basis for
adjustments.
It is proposed that reforms should be carried out in the above six aspects (as
mentioned by Information Systems Audit Report 2020) to strengthen IT governance.
Morespecifically, in the information security aspect, good security practice shall be
implemented, regularly tested and enforced among crucial computer systems; user access
to information shall be monitored and reviewed;, whereas cyber security training shall be
implemented among the staff. In this aspect, financial related information systems (bank
account) should be dealt with more focus. The above efforts are rational as information
security is crucial to business and should be based on sound systems and control, access
control and effective procedures involving all staff (Abu-Musa 2010, p.28). Through
better enhancing information security, chances of data hike could be better reduced to
better mitigate chances of information and financial losses. In the business continuity
aspect, it is suggested that the up-to-date business continuity plan, disaster recovery plan
5
and incident response plan shall be tested and implemented and monitored in a periodic
manner. The above efforts are crucially connected to the data’s back-up, avoiding chances
of process disruption in changing times. Regarding IT risks identification, it is supposed
that management should oversee IT risks identification, assessment and treatment within
time frames. Only through prioritising IT risk management in the oversight of
management shall the governance be more effective (Che Pa, Nora et al. 2015, p.185).
Concerning IT operations, IT strategic plans and frameworks for implementing certain
policies and procedures shall be established. Those are crucial frameworks guiding IT
operations and further governance. Concerning change control, change control processes
should be well planned, assessed for impact, and documented to ensure effective IT
governance change. The above are also needed given chances of change in IT
governance. Finally, for physical security, unauthorized access or accidental damage to
computing infrastructure should be well monitored with control mechanisms. Through
focusing on IT infrastructure security and access verification, the information could be
guaranteed internally (Abu-Musa 2010, p.28).
Beyond that, due diligence and dealing with conflicts of interest shall also be
involved in IT governance. Existing reports have revealed bribery and corruption among
civil servants as against due diligence and against conflict of interest, especially given IT
risks and IT projects. To better address this issue, it is recommended that information
technology projects administration be dealt with, with more transparent decision-making
systems and procedures and should involve more authorisation. Through transparent
decision making and multifactor authorisation focusing on the background detail of the IT
vendors, IT infrastructure and services could be arranged more to the advantage of
business organisations (Mistry 2012, p.41). Besides, it is also recommended that IT
governance should be elevated to detect any chance of bribery or corruption internally
through better access control and alert mechanisms. Through that, bribery and corruption
could be better detected from an IT perspective to reduce negative implications (Mistry
2012, p.41).
6
4. Recommendations and conclusion
Based on the above analysis, recommendations are drawn for WA state with
regards to IT governance. It is proposed that IT governance tool should contain overall
AS ISO/IEC 38500 as well as ISO/IEC 27000, as they offer integrated frameworks to
address WA IT governance problems. They are also feasible in guiding specific policies
and procedures in IT governance, especially with regards to information security.
All in all, this business report has first focused on six main problems as well as the
issues of due diligence and conflict of interest failures in the WA Government and its
agencies. It is suggested that AS ISO/IEC 38500, as well as ISO/IEC 27000, shall be
adopted, specific mechanisms shall be changed in six aspects and ideas with regards to
due diligence failure and conflict of interest shall be further fortified in a strategic manner.
7
5. Reference List
Abu-Musa, A. 2010, “Information security governance in Saudi organizations: an
empirical study”, Information Management & Computer Security, vol.18, no.4,
pp.226-276
Belot, H 2018, ‘Thousands of public servants say they’ve seen corruption as calls
for federal ICAC grow’, ABC News, viewed 15th August 2020,
<https://www.abc.net.au/news/2018-11-27/more-than-four-thousand-public-servants-repo
rt-corruption/10556368>
Borys S 2020, ‘Cyber attacks on Australian businesses on the rise but experts not
blaming state actors’, ABC News, viewed 15th August 2020,
<https://www.abc.net.au/news/2020-05-15/cyber-attacks-australian-businesses-increasing-
not-state-actors/12253842>
Che Pa, Noraini & Anthony Jnr, Bokolo & Nor, Rozi Nor & Murad, Masrah.
2015, “Risk Assessment of IT Governance: A Systematic Literature Review.” Journal of
Theoretical and Applied Information Technology, vol. 71, pp.184-193.
ISO/IEC 27000 2018, ‘Information technology – Security techniques –
Information security management systems – overview and vocabulary’, pp. 1-34.
ISO/IEC 38500 2016, ‘Information technology – Governance of IT for the
organization’, Australian Standard, pp. 1-21.
Menagh, J 2020, ‘Paul Whyte pleads guilty to corruption charges after $22 million
WA public sector’, ABC News, viewed 15th August 2020,
<https://www.abc.net.au/news/2020-06-17/paul-whyte-pleads-guilty-wa-public-sector-cor
ruption-scandal/12364530>
Mistry, Jamshed. 2012, “The Role of eGovernance in Mitigating Corruption.”,
Accounting and the Public Interest, vol. 12, no. 37-159. 10.2308/apin-10287.
Rollason, B 2020, ‘Corruption investigation finds Victorian public servant
directed millions of dollars of work to his own company’, ABC News, viewed 15th
August 2020,
https://www.abc.net.au/news/2020-05-27/victorian-public-servant-directed-government-w
ork-to-own-company/12291060
8
Veiga, Adéle Da & Eloff, Jan H. P. 2007, ”An Information Security Governance
Framework”, Information Systems Management, vol. 24, no.4, pp. 361-372
9