Information Technology Governance for Emerging Digital Technologies

profilerockshan19977
assignment1.pdf

RMIT School of Accounting, Information Systems, and Supply Chain

INTE2412 Assignment Submission Sheet – Sem 1 2021

Family Name, Personal Name(s) Zhang, Sirui

Student Number S3751340

Telephone Number 0474482831

E-mail Address [email protected]

Tutor Dr. Jim McGovern

Course Coordinator Karlheinz Kautz

Assignment Title Assessment Task 1: Using an ISO Standard for IT Governance

Date Due 29/03/2021

Date Submitted 29/03/2021

Submission Check (Tick)

Citations and reference list All necessary evidence has been referenced and all citations comply with the preferred style guide.

(Tick)

Page margins, paragraph and line spacing Submission conforms to the formatting requirements set out in the course guide or the assignment submission specifications.

(Tick)

Electronic submission Using appropriate file naming conventions set out in the course guide or the assignment submission specifications.

(Tick)

Turnitin corrections If necessary, have made adjustments in response to Turnitin reports. (Tick)

1

Introduction 3

Critical analysis over issues 3

Rationales for changes 4

Recommendations and conclusion 7

Reference List 8

2

1. Introduction

This business report aims to identify and analyse under-performance in IT governance in

the WA government and provide recommendations on adopting relevant ISO standards and

changes. Key questions to be investigated include developing a principles-based system to guide

IT governance practice and suitability and feasibility of applying those IT governance tools,

reform considerations to strengthen compliance and fortification of due diligence and, conflict of

interest related ideas.

The business report will begin with a critical analysis of issues, further explain the

rationale of principles and tools, reforms and ideas proposed, and ends with a final

recommendation and conclusion.

2. Critical analysis over issues

According to the Information Systems Audit Report 2020, it states several weaknesses of

the six categories. For information security, information security policies and processes(identify

and patch IT infrastructure vulnerabilities) are inadequate or out of date; staff is not trained or

developed with security awareness; the highly privileged access to applications, databases and

networks is not reviewed; and passwords controls are weak with the absence of multifactor

authentication. Information security issues fail to meet the basic benchmark. With regards to

business continuity, Business Continuity Plan and Disaster Recovery Plan are lacking, meaning

that business functions and processes would suffer the risk of not being properly restored after a

disruption. Beyond those, IT risk management suffers weaknesses of lacking approved risk

management policies, procedures for risk identification, assessment, treatment, and risk registers.

It could make organisations less able to identify and mitigate risks in a prompt manner.

Furthermore, IT operations also suffer risks of lacking service level agreement with IT vendors,

weak IT operation governance, inadequate monitoring of cyber security events, weak maintenance

of asset registers, which could not support business requirements. Change problems identified

include lacking formal system change management policies of approval, document, and

assessment. Lacking the system could affect consistent, reliable, and efficient implementation of

IT changes. Finally, physical security weaknesses identified include a lack of review of staff and

contractors’ access and no humidity control or fire suppression system in the server room. In such

3

cases, there are high cases of unauthorised access to information systems and harm by the

environment.

Aside from that, a report from ABC also highlighted rising threat levels of information

system hacking (Borys, 2020). Information system hacking could significantly undermine the

financial security of the government and relevant agencies (Veiga & Eloff 2007, p.361). Besides

that, governance challenges of corruption emphasise the need to enhance governance control over

information technology service and project administration, mainly concerned with due diligence

and conflict of interest. Menagh (2020) reported that due to existing IT system problems (fail to

detect fake invoice scheme issues), civil servants' money laundry actions are not identified. The

case of Victoria public under corruption investigation given millions of dollars of work directed to

the company owned by him also suggested that conflict of interest problem is not identified in the

soonest manager. According to Belot (2020), WA’s North Metropolitan Health Service has issues

with due diligence over suppliers as well.

3. Rationales for changes

For WA, it is proposed that a principle-based system shall be first implemented.

According AS ISO/IEC 38500 (2016, p.11), six principles are included in the standards,

containing Responsibility Principle (individuals and groups shall accept their

responsibility in supply and demand of IT actions); Strategy Principle (connect it

capability with business strategy); Acquisition principle (valid reasons for IT acquisition

fully analyzed of benefits, opportunities, costs, and risks in a transparent manner);

Performance Principle (shall meet business requirements current and in future and support

organisation in delivering service); Conformance Principle (comply with mandatory

legislation and regulations based on defining and enforcing of policies and practices); and

Human Behavior Principle (IT policies, practices and decisions demonstrate respect for

Human Behavior). The principle-based approach is crucial in helping the WA government

to establish an overall framework of IT governance from staff awareness, business

strategy, IT acquisition, IT performance, IT related legislation and regulation, and human

behaviour perspective in an integrated manner. By focusing on the connection of IT

governance with business strategy and tasks in a more tailored manager and educating

4

staff to follow a well-designed framework, IT governance could be better assured than the

rule-based approach of simply designing common rules.

In the meantime, ISO/IEC 27000 (2018, p.19) focuses on policies, procedures,

guidelines as well as associated resources and activities protecting information assets

through a systematic approach, based on tactics to establish, implement, operate, monitor,

review and maintain information security in line with business objectives, The approaches

adopted include protecting private information from authorized access and adopting

security techniques and controls to secure critical information. This approach is also

critically linked to the issues faced by WA state, better-addressing information hack

through authorising access and adopting critical IT techniques and control mechanisms.

In the process of carrying out reforms, evaluate, direct and monitor frameworks

shall be used. More specifically, they should examine IT plans and supply arrangements

according to business needs and internal and external environment in a continuous

manner. They shall direct the preparation and implementation of strategies and policies to

establish proper behaviour in IT in line with the six principles mentioned earlier. Finally,

they shall also review IT performance in terms of its compliance to provide a basis for

adjustments.

It is proposed that reforms should be carried out in the above six aspects (as

mentioned by Information Systems Audit Report 2020) to strengthen IT governance.

Morespecifically, in the information security aspect, good security practice shall be

implemented, regularly tested and enforced among crucial computer systems; user access

to information shall be monitored and reviewed;, whereas cyber security training shall be

implemented among the staff. In this aspect, financial related information systems (bank

account) should be dealt with more focus. The above efforts are rational as information

security is crucial to business and should be based on sound systems and control, access

control and effective procedures involving all staff (Abu-Musa 2010, p.28). Through

better enhancing information security, chances of data hike could be better reduced to

better mitigate chances of information and financial losses. In the business continuity

aspect, it is suggested that the up-to-date business continuity plan, disaster recovery plan

5

and incident response plan shall be tested and implemented and monitored in a periodic

manner. The above efforts are crucially connected to the data’s back-up, avoiding chances

of process disruption in changing times. Regarding IT risks identification, it is supposed

that management should oversee IT risks identification, assessment and treatment within

time frames. Only through prioritising IT risk management in the oversight of

management shall the governance be more effective (Che Pa, Nora et al. 2015, p.185).

Concerning IT operations, IT strategic plans and frameworks for implementing certain

policies and procedures shall be established. Those are crucial frameworks guiding IT

operations and further governance. Concerning change control, change control processes

should be well planned, assessed for impact, and documented to ensure effective IT

governance change. The above are also needed given chances of change in IT

governance. Finally, for physical security, unauthorized access or accidental damage to

computing infrastructure should be well monitored with control mechanisms. Through

focusing on IT infrastructure security and access verification, the information could be

guaranteed internally (Abu-Musa 2010, p.28).

Beyond that, due diligence and dealing with conflicts of interest shall also be

involved in IT governance. Existing reports have revealed bribery and corruption among

civil servants as against due diligence and against conflict of interest, especially given IT

risks and IT projects. To better address this issue, it is recommended that information

technology projects administration be dealt with, with more transparent decision-making

systems and procedures and should involve more authorisation. Through transparent

decision making and multifactor authorisation focusing on the background detail of the IT

vendors, IT infrastructure and services could be arranged more to the advantage of

business organisations (Mistry 2012, p.41). Besides, it is also recommended that IT

governance should be elevated to detect any chance of bribery or corruption internally

through better access control and alert mechanisms. Through that, bribery and corruption

could be better detected from an IT perspective to reduce negative implications (Mistry

2012, p.41).

6

4. Recommendations and conclusion

Based on the above analysis, recommendations are drawn for WA state with

regards to IT governance. It is proposed that IT governance tool should contain overall

AS ISO/IEC 38500 as well as ISO/IEC 27000, as they offer integrated frameworks to

address WA IT governance problems. They are also feasible in guiding specific policies

and procedures in IT governance, especially with regards to information security.

All in all, this business report has first focused on six main problems as well as the

issues of due diligence and conflict of interest failures in the WA Government and its

agencies. It is suggested that AS ISO/IEC 38500, as well as ISO/IEC 27000, shall be

adopted, specific mechanisms shall be changed in six aspects and ideas with regards to

due diligence failure and conflict of interest shall be further fortified in a strategic manner.

7

5. Reference List

Abu-Musa, A. 2010, “Information security governance in Saudi organizations: an

empirical study”, Information Management & Computer Security, vol.18, no.4,

pp.226-276

Belot, H 2018, ‘Thousands of public servants say they’ve seen corruption as calls

for federal ICAC grow’, ABC News, viewed 15th August 2020,

<https://www.abc.net.au/news/2018-11-27/more-than-four-thousand-public-servants-repo

rt-corruption/10556368>

Borys S 2020, ‘Cyber attacks on Australian businesses on the rise but experts not

blaming state actors’, ABC News, viewed 15th August 2020,

<https://www.abc.net.au/news/2020-05-15/cyber-attacks-australian-businesses-increasing-

not-state-actors/12253842>

Che Pa, Noraini & Anthony Jnr, Bokolo & Nor, Rozi Nor & Murad, Masrah.

2015, “Risk Assessment of IT Governance: A Systematic Literature Review.” Journal of

Theoretical and Applied Information Technology, vol. 71, pp.184-193.

ISO/IEC 27000 2018, ‘Information technology – Security techniques –

Information security management systems – overview and vocabulary’, pp. 1-34.

ISO/IEC 38500 2016, ‘Information technology – Governance of IT for the

organization’, Australian Standard, pp. 1-21.

Menagh, J 2020, ‘Paul Whyte pleads guilty to corruption charges after $22 million

WA public sector’, ABC News, viewed 15th August 2020,

<https://www.abc.net.au/news/2020-06-17/paul-whyte-pleads-guilty-wa-public-sector-cor

ruption-scandal/12364530>

Mistry, Jamshed. 2012, “The Role of eGovernance in Mitigating Corruption.”,

Accounting and the Public Interest, vol. 12, no. 37-159. 10.2308/apin-10287.

Rollason, B 2020, ‘Corruption investigation finds Victorian public servant

directed millions of dollars of work to his own company’, ABC News, viewed 15th

August 2020,

https://www.abc.net.au/news/2020-05-27/victorian-public-servant-directed-government-w

ork-to-own-company/12291060

8

Veiga, Adéle Da & Eloff, Jan H. P. 2007, ”An Information Security Governance

Framework”, Information Systems Management, vol. 24, no.4, pp. 361-372

9