MODULE 1: IT GOVERNANCE FRAMEWORKS
IT governance frameworks are the rules and guidelines that help organizations manage their IT resources and processes effectively. They help align IT goals with business objectives, ensure compliance with laws and regulations, and protect data from unauthorized access or loss. Some examples of IT governance frameworks are COBIT, ITIL, ISO 27001, and NIST.
IT compliance and regulatory standards are the requirements that organizations must follow to meet the expectations of external stakeholders, such as customers, auditors, or government agencies. They help ensure the quality, security, privacy, and accountability of IT services and products. Some examples of IT compliance and regulatory standards are GDPR, HIPAA (Health Insurance Portability and Accountability Act), PCI DSS, and SOX.
Data retention and deletion are the policies and practices that decide how long and where organizations store their data, and when and how they dispose of it. They help balance the needs of data availability, performance, cost, and risk. Some examples of data retention and deletion factors are legal obligations, business value, storage capacity, and backup frequency.
In this module, you will learn how to apply IT governance frameworks to your organization, how to comply with IT standards and regulations, and how to design and implement data retention and deletion policies. You will also learn how to assess the benefits and challenges of IT governance, compliance, and data management in different scenarios.
1.1. IT Governance Frameworks
There are several IT governance frameworks available, each with its own strengths, weaknesses, and applicability. Some of the most common frameworks are:
- COBIT. This is a comprehensive framework that covers 37 IT processes, each with detailed objectives, practices, inputs, outputs, activities, and metrics. COBIT helps organizations achieve effective IT governance and management by linking IT goals to business goals, ensuring IT resources are optimized, and managing IT risks and performance.
- AS8015-2005. This is a simple and concise framework developed in Australia that defines six principles for good IT governance: establish clearly understood responsibilities for IT; plan IT to best support the organization; acquire IT validly; ensure that IT performs well; ensure that IT conforms with formal rules; and respect human factors in IT.
- ISO/IEC 38500. This is an international standard that provides high-level guidance on the principles, roles, and responsibilities for effective IT governance. ISO/IEC 38500 helps organizations evaluate, direct, and monitor their use of IT to achieve their business objectives and fulfill their legal and ethical obligations.
- ITIL. This is a widely adopted framework that focuses on the delivery and management of quality IT services that meet the needs and expectations of customers and stakeholders. ITIL covers the entire service lifecycle from strategy to design, transition, operation, and improvement. ITIL helps organizations improve their service efficiency, effectiveness, reliability, and value.
Choosing the right IT governance framework depends on various factors such as the size, complexity, culture, industry, and maturity of the organization. It is also possible to adopt a hybrid or customized approach that combines elements from different frameworks to suit the specific needs and context of the organization.
IT governance frameworks are not static or one-size-fits-all solutions. They require regular review and adaptation to keep up with the changing business environment and technology landscape. They also require strong leadership commitment, stakeholder involvement, clear communication, and continuous improvement to ensure successful implementation and outcomes.
COBIT Orchestrating Control & Assurance
COBIT is a comprehensive framework for the governance and management of enterprise information and technology (I&T). It helps organizations align their I&T goals with their business objectives, optimize their I&T resources and processes, and ensure effective control and assurance over their I&T activities.
COBIT consists of seven enablers: principles, policies and frameworks; processes; organizational structures; culture, ethics and behaviour; information; services, infrastructure and applications; and people, skills and competencies.
COBIT & IT Governance Frameworks
IT governance frameworks are essential for ensuring that I&T supports the achievement of enterprise goals, delivers value to stakeholders, manages risks and complies with external requirements.
COBIT provides a holistic and integrated approach to IT governance that covers all aspects of I&T from strategy to operations.
COBIT also provides a common language and terminology for I&T governance that can be understood by all stakeholders, including business executives, IT managers, auditors and regulators.
How COBIT controls and assures
One of the key benefits of COBIT is that it enables organizations to establish and maintain a system of internal control and assurance over their I&T activities.
COBIT defines control as “the means of managing risk to ensure that enterprise objectives will be achieved” and assurance as “the provision of objective evidence that the design and operation of the system of internal control meets the agreed-upon requirements”.
COBIT provides guidance on how to design, implement, monitor, evaluate and improve the system of internal control and assurance using the following processes:
MEA01: Managed Performance and Conformance Monitoring
This process collects, validates, and evaluates enterprise and alignment goals and metrics; monitors whether processes and practices are performing against agreed performance and conformance goals and metrics; provides systematic and timely reporting; and provides transparency of performance and conformance, driving the achievement of goals.
MEA02: Managed System of Internal Control
This process continuously monitors and evaluates the control environment, including self-assessments and self-awareness; enables management to identify control deficiencies and inefficiencies and to initiate improvement actions; plans, organizes and maintains standards for internal control assessment and process control effectiveness; and gives key stakeholders transparency on the adequacy of the system of internal controls.
MEA03: Managed Compliance with External Requirements
This process evaluates whether I&T processes and I&T-supported business processes are compliant with laws, regulations and contractual requirements; obtains assurance that the requirements have been identified and complied with; integrates IT compliance with overall enterprise compliance; and ensures that the enterprise is compliant with all applicable external requirements.
MEA04: Managed Assurance
This process plans, scopes and executes assurance initiatives to comply with internal requirements, laws, regulations and strategic objectives; enables management to deliver adequate and sustainable assurance in the enterprise by performing independent assurance reviews and activities; and enables the organization to design and develop efficient and effective assurance initiatives.
ITIL Elevating Service Management
ITIL is a library of best practices used in IT Service Management (ITSM). ITSM is the process of designing, delivering, managing and improving IT services that meet the needs and expectations of customers and stakeholders. ITSM covers a wide range of activities, such as incident management, change management, problem management, service level management, service design, service transition, service operation and continual service improvement.
ITIL provides a comprehensive and consistent framework for ITSM that is aligned with business goals and customer value. ITIL helps organizations to:
- Improve customer satisfaction by delivering reliable and high-quality IT services.
- Enhance the IT services delivered by using best-practice procedures.
- Reduce costs and risks by optimizing the use of resources and avoiding service disruptions.
- Increase agility and innovation by enabling faster and more effective changes to IT services.
- Support digital transformation by integrating ITSM with other frameworks such as DevOps, Agile and SRE.
Elevating service management with ITIL
To elevate service management with ITIL, you need to adopt a holistic and value-driven approach that encompasses the entire service lifecycle. You need to understand the needs and expectations of your customers and stakeholders, and design, deliver, manage, and improve IT services that create value for them. You need to establish clear and measurable service levels, and ensure that services are properly assessed, monitored and managed against those targets.
You need to collaborate with other teams and departments across the organization, and leverage the capabilities of people, processes, information and technology. You need to foster a culture of continual improvement that seeks feedback, learns from mistakes, identifies opportunities and implements changes.
Here are some practical steps you can take to elevate service management with ITIL:
- Assess the current state of your ITSM practices and identify gaps and areas for improvement.
- Define a vision and strategy for your ITSM that aligns with your organizational goals and customer value propositions.
- Implement the ITIL Service Value System (SVS), which consists of five components: guiding principles, governance, service value chain, practices, and continual improvement.
- Use the SVS to plan, engage, design, transition, obtain/build, deliver/support and improve your IT services.
- Apply the seven guiding principles of ITIL to guide your decisions and actions: focus on value, start where you are, progress iteratively with feedback, collaborate and promote visibility, think and work holistically, keep it simple and practical, optimize and automate.
- Establish a Service Management Office (SMO) that provides a central point for consistency and governance in organizational best practice.
- Monitor and measure your service performance using relevant metrics and indicators.
- Report and communicate your service achievements and challenges to your customers and stakeholders.
- Review and evaluate your service outcomes and feedback using methods such as surveys, audits, reviews and benchmarks.
- Identify and prioritize improvement initiatives using techniques such as SWOT analysis, gap analysis and root cause analysis.
- Implement improvement actions using methods such as the PDCA cycle (plan-do-check-act) and the CSI approach (what is the vision? where are we now? where do we want to be? how do we get there? did we get there? how do we keep the momentum going?).
ISO/IEC 38500 The Governing Standard
ISO/IEC 38500 is an international standard for the corporate governance of information technology (IT). It provides guidance to those persons advising, informing or assisting directors on the effective and acceptable use of IT within the organization. It is based on six principles and a model for good governance of IT.
Principles
The six principles of ISO/IEC 38500 are:
- Responsibility. Assigning roles and responsibilities for the use of IT.
- Strategy. Aligning the use of IT with the organizational objectives.
- Acquisition. Procuring IT solutions and services to meet the organizational needs.
- Performance. Measuring and evaluating the contribution of IT to the organization.
- Conformance. Ensuring compliance with laws, regulations, and policies.
- Human Behaviour. Considering the human aspects of IT use.
Model
The model of ISO/IEC 38500 has four main elements:
- Governing Body. The individual or group of individuals responsible and accountable for the performance and conformance of the organization.
- Evaluation. The process of assessing the current and future use of IT.
- Direction. The process of deciding on the objectives and policies for the use of IT.
- Monitoring. The process of verifying that the use of IT meets the objectives and policies.
The governing body should evaluate, direct, and monitor the use of IT in a continuous cycle, considering the six principles and the stakeholders’ interests.
Benefits
The benefits of applying ISO/IEC 38500 include:
- Improving the alignment of IT with the organizational strategy.
- Enhancing the delivery of value from IT investments.
- Reducing risks related to IT projects and operations.
- Increasing transparency and accountability for IT decisions and outcomes.
- Fostering a culture of trust and collaboration among IT stakeholders.
- Supporting continuous improvement and innovation in IT.
Unifying Business & Technology
IT governance is a process that enables IT staff to manage risk better and to operate as efficiently as possible for the benefit of the organization. It is part of corporate governance, which is a collection of processes designed to keep the entire corporation effective and efficient.
IT governance aims to:
- Ensure business value is generated by information and technology.
- Oversee the performance of IT managers.
- Assess risks associated with the IT department and mitigate them as needed.
The significance of IT Governance
IT governance is important because it helps the organization to align its IT priorities, decisions and investments with its strategic goals and stakeholder requirements. It also helps the organization to comply with legal, contractual and policy obligations that impact IT. Furthermore, it supports the continuous improvement and optimization of IT services and resources.
Implementing IT Governance
There are different frameworks and standards that can guide the implementation of IT governance in an organization. Some of the most common ones are:
- COBIT. This is a comprehensive framework that covers 37 IT processes, with each process having a set of objectives, inputs, outputs, activities, roles, and responsibilities. It also provides maturity models, performance indicators and best practices for each process.
- AS8015-2005. This is a technical standard developed in Australia that defines six principles for good IT governance: establish clearly understood responsibilities for IT; plan IT to best support the organization; acquire IT validly; ensure that IT performs well, whenever required; ensure IT conforms with formal rules; ensure respect for human factors.
- ISO/IEC 38500. This is an international standard that provides a high-level framework for effective governance of IT. It defines six principles for good IT governance: responsibility; strategy; acquisition; performance; conformance; human behaviour.
These frameworks and standards can be adapted to suit the specific needs and context of each organization. However, some common steps for implementing IT governance are:
- Define the scope and objectives of IT governance.
- Establish the roles and responsibilities of IT governance stakeholders.
- Identify the key IT processes and activities that need to be governed.
- Define the policies, procedures, guidelines, and standards that govern IT.
- Establish the mechanisms and tools for monitoring, reporting, and evaluating IT performance and compliance.
- Implement continuous improvement initiatives to enhance IT value and maturity.
Guidelines for Decision-Making
Guidelines for decision-making in IT governance frameworks, based on research and best practice, address the following questions:
- What is IT governance and why is it important?
- What are the key principles of IT governance?
- What are the common IT governance frameworks and how do they support decision-making?
- How are the roles and responsibilities of decision-makers in IT governance defined?
- How are transparency, accountability, and compliance ensured in IT governance decisions?
What is IT governance and why is it important?
IT governance is the process of defining the structures and processes that enable the organization to effectively oversee, direct and control its IT resources and processes. It involves evaluating stakeholder requirements, setting direction, prioritizing investments, monitoring performance, and ensuring compliance with legal, contractual and policy requirements that impact IT.
IT governance is important because it helps the organization to:
- Achieve its strategic goals and objectives by aligning IT with the business needs and expectations.
- Optimize the value of IT by delivering benefits to the organization and its stakeholders.
- Manage the risks associated with IT by identifying, assessing, and mitigating them.
- Enhance the performance of IT by improving the quality, efficiency, and effectiveness of IT services.
- Foster a culture of continuous improvement by learning from feedback and best practices.
Ensuring compliance in IT governance decisions
Another key aspect of effective decision-making in IT governance is to ensure that the decisions are transparent, accountable and compliant with the relevant legal, contractual and policy requirements that impact IT.
Some of the ways to ensure transparency, accountability and compliance in IT governance decisions are:
- Documenting and communicating the IT governance framework, including the principles, rules, processes, roles, responsibilities and authorities that guide decision-making.
- Establishing and maintaining a repository of IT governance decisions, including the rationale, criteria, evidence, alternatives and impacts of each decision.
- Implementing and monitoring a set of KPIs and metrics that measure the performance and outcomes of IT governance decisions.
- Conducting regular audits and reviews of IT governance decisions to verify their validity, effectiveness and efficiency.
- Reporting and disclosing IT governance decisions to relevant stakeholders, such as senior management, the board of directors, regulators, customers and suppliers.
- Establishing and enforcing a mechanism for escalating, resolving and learning from issues, disputes and complaints related to IT governance decisions.
By following these steps, organizations can enhance the trust, confidence and satisfaction of their stakeholders regarding their IT governance decisions.
Risk Management & Mitigation
Risk management and mitigation is the process of identifying, analysing, evaluating, and treating the potential threats and vulnerabilities that could affect the performance, security, reliability, and compliance of IT systems and processes.
It also involves monitoring and reviewing the risk situation and taking corrective actions as needed.
Risk management and mitigation is important because it helps organizations to:
- Protect their assets, data, reputation, and stakeholders from harm or loss.
- Ensure the continuity and availability of their IT services and operations.
- Achieve their strategic objectives and deliver value to their customers.
- Comply with legal, regulatory, contractual, and ethical obligations.
- Enhance their decision-making and innovation capabilities.
- Reduce costs and optimize resources.
Implementing Risk Management & Mitigation
To implement a successful risk management and mitigation strategy, organizations should follow these steps:
- Establish a risk management framework that defines the scope, objectives, roles, responsibilities, policies, procedures, tools, and metrics for managing and mitigating risks.
- Conduct a risk assessment that identifies and prioritizes the sources and impacts of risks for each IT system and process.
- Develop a risk treatment plan that specifies the actions, resources, timelines, and owners for reducing or eliminating the risks or their consequences.
- Implement the risk treatment plan by executing the actions and allocating the resources as planned.
- Monitor and review the risk situation by measuring the performance, effectiveness, and efficiency of the risk treatment actions and reporting the results and progress.
- Update the risk management framework, assessment, treatment plan, and actions as needed to reflect changes in the internal or external environment or feedback from stakeholders.
Ethical & Legal Compliance
An IT governance framework is a set of policies, processes, roles and responsibilities that guide the creation, use and management of information technology (IT) assets and services in an organisation. It helps to ensure that IT supports the organisation’s strategy, objectives and performance, while also managing the risks, costs and benefits of IT.
An IT governance framework should be aligned with the organisation’s overall governance framework, which provides a holistic overview of how the organisation creates and manages its enterprise-wide information assets (records, information and data).
Ethical and legal compliance is important for several reasons:
- It helps to build trust and reputation among stakeholders, which can enhance customer loyalty, employee engagement, partner collaboration and social responsibility.
- It helps to avoid or minimise legal liabilities, fines, sanctions or lawsuits that can result from violating laws, regulations or standards that apply to the organisation’s IT activities.
- It helps to prevent or mitigate ethical issues or dilemmas that can arise from the use or misuse of IT, such as privacy breaches, data misuse, cyberattacks, bias or discrimination.
- It helps to foster a culture of ethics and integrity in the organisation, which can encourage innovation, creativity and excellence in IT.
Achieving ethical & legal compliance
Some general steps that can be followed are:
Identify and understand the legal, regulatory and ethical requirements that apply to the organisation’s IT activities. These may include laws and regulations related to data protection, cybersecurity, intellectual property, consumer rights, human rights or environmental protection. They may also include ethical principles or codes of conduct that reflect the organisation’s values or industry standards.
Assess and document the current state of compliance in the organisation’s IT governance framework. This may involve conducting audits, reviews or surveys to evaluate how well the organisation’s IT policies, processes and practices comply with the relevant requirements. It may also involve identifying any gaps, weaknesses or risks that need to be addressed.
Develop and implement a plan to improve compliance in the organisation’s IT governance framework. This may involve updating or creating new IT policies, processes or practices that align with the relevant requirements. It may also involve providing training, guidance or support to staff or stakeholders on how to comply with the requirements. It may also involve monitoring, measuring or reporting on the progress or outcomes of compliance efforts.
Review and update the compliance plan regularly. This may involve revisiting the legal, regulatory or ethical requirements periodically to ensure they are up-to-date and relevant. It may also involve evaluating the effectiveness or impact of compliance efforts on the organisation’s performance or stakeholder satisfaction. It may also involve seeking feedback or input from staff or stakeholders on how to improve compliance.
1.2. IT Compliance & Regulatory Standards
Today’s business environment is becoming more complex, and organizations must navigate a web of regulations and standards.
IT compliance and regulatory standards ensure that organizations adhere to a set of guidelines, laws, and best practices.
Organizations must define and implement policies that not only facilitate compliance but also engender ethical conduct, responsible innovation, and safeguards against risks.
The Regulatory Framework
The regulatory framework for IT and cybersecurity compliance is the set of laws, rules, guidelines and best practices that govern how businesses use information technology (IT) to store, process and transmit information.
The framework varies depending on the type and nature of the data involved, such as personal data, health data, financial data or government data. The framework also depends on the geographic location of the business and its customers, as different regions and countries have different regulations.
IT and Cybersecurity compliance standards include:
GDPR: The General Data Protection Regulation (GDPR) is a set of IT regulations that the European Union (EU) enforces. It protects the security and privacy of data belonging to EU citizens and residents. It applies to any business that operates with such data, even if it is not located in the EU.
Under the GDPR it is lawful to process someone’s personal data provided that:
- The data subject has given consent to the processing of his or her personal data,
- Contractual obligations with a data subject have been fulfilled,
- The data subject has complied with a data controller’s legal obligations,
- The vital interests of a data subject are protected,
- The processing is done in the public interest or official authority,
- The processing is done in the legitimate interests of a data controller, unless those interests are overridden by the interests of the data subject.
For informed consent to be used as the lawful basis for processing, that consent must have been explicitly given for the data concerned. That consent must be a “specific, freely given, plainly worded, and unambiguous affirmation” given by the data subject. It is not acceptable to have consent given by default on a web-form, nor to bundle multiple types of processing into the one affirmation.
Under GDPR, data subjects must have the option to withdraw consent at any time, and it must not be harder to do so than it was to opt in. In the case of children under 16 years, consent must be given by the child’s verified parent or custodian.
Data controllers must meet the principles of data protection by design and by default, which means data protection measures are designed into the business processes. This includes the pseudonymising of personal data as soon as possible.
When data is collected, data subjects must be unambiguously informed about the extent of the data collection, the legal basis for the proposed processing of personal data, how long the data will be retained, and whether that data will be communicated to a third party inside or outside the EU; any automated decision-making that is made on a solely algorithmic basis must also be disclosed.
Anti-Money Laundering (AML) & Know Your Customer (KYC). The Office of the Australian Information Commissioner (OAIC) describes the legal framework applicable to the prevention of money laundering and the associated Know Your Customer obligations.
It refers to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the Anti-Money Laundering and Counter-Terrorism Financing Rules, which aim to prevent money laundering and the financing of terrorism. They impose certain obligations on “reporting entities”, which include the financial sector, gambling sector, remittance (money transfer) services, bullion dealers and other professionals or businesses that provide services with the potential for money laundering. These obligations include collecting and verifying certain ‘know your customer’ (KYC) information about a customer’s identity before providing those services.
Entities that are required to comply with the AML/CTF Act are likewise required to comply with the Privacy Act 1988 to safeguard the personal information collected for the purposes of compliance with their AML/CTF Act obligations.
The Australian Transaction Reports and Analysis Centre (AUSTRAC) is the Australian Government agency responsible for ensuring compliance with the AML/CTF Act.
Privacy obligations of small business ‘reporting entities’. Small businesses (annual turnover of $3 million or less) are generally not covered by the Privacy Act. However, small businesses that are reporting entities for the purposes of AML/CTF Act are required to comply with the Privacy Act when handling personal information collected for the purposes of meeting their obligations under the AML/CTF Act. This includes those small businesses exempt from obligations under the Privacy Act.
If a small business is brought into the Privacy Act because they are reporting entities under the AML/CTF Act and then are later exempted from reporting obligations due to rules issued by AUSTRAC under the AML/CTF Act, the small business is still a reporting entity within the meaning of the Privacy Act. Therefore, in relation to activities it carried on for the purpose of complying with the AML/CTF Act or AML/CTF Rules, the small business continues to have all the Privacy Act obligations it had before the exemption was granted.
PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) governs the security of financial card data, such as credit card or debit card information. It applies to any business that stores, processes or transmits such data.
HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) is an IT compliance standard for the health care industry. It regulates how medical organizations protect the sensitive information of their patients. It applies to any business that deals with health data.
NIST SP 800-171: The National Institute of Standards and Technology (NIST) Special Publication 800-171 is a set of IT security requirements for businesses that work with federal or state agencies. It ensures that government data is protected from unauthorized access or disclosure.
These are the most commonly used IT compliance standards, including those that cover cybersecurity. There are more that may apply to your business depending on your industry, location and data.
Implementing standards
To follow the regulatory framework for IT compliance and regulatory standards, you need to:
- Identify the IT compliance standards that apply to your business. You can do this by researching the laws and regulations of your industry and location, consulting with legal experts or using online resources.
- Assess your current level of compliance. You can do this by conducting an IT security audit, using tools or services that measure your compliance status or hiring external auditors.
- Implement security measures to meet the compliance requirements. You can do this by adopting security policies and procedures, using secure software and hardware, training your staff on security best practices or outsourcing security tasks to professionals.
- Monitor and maintain your compliance status. You can do this by regularly reviewing your security policies and procedures, updating your software and hardware, testing your security systems or reporting your compliance activities.
Following these standards can help protect your business from security threats, legal penalties and reputational damage. It can also help you improve customer trust and satisfaction.
IT Compliance Policies
IT compliance policies matter for several reasons:
- They help the organization meet its legal and contractual obligations, such as the Sarbanes-Oxley Act (SOX) for financial reporting, the Gramm-Leach-Bliley Act (GLBA) for financial data protection, or the Payment Card Industry Data Security Standard (PCI DSS) for credit card transactions.
- They enhance the organization’s reputation and trustworthiness among its customers, partners, and regulators, by demonstrating its commitment to data security and privacy.
- They reduce the likelihood and impact of cyberattacks, data breaches, and other incidents that could compromise the organization’s data and systems, by implementing preventive and corrective measures.
- They improve the efficiency and effectiveness of the organization’s IT operations, by streamlining processes, reducing errors, and optimizing resources.
Creating IT Compliance Policies
To create effective IT compliance policies, an organization should follow these steps:
- Identify the applicable laws, regulations, and standards that affect its IT activities, such as SOX, GLBA, PCI DSS, HIPAA, GDPR, ISO 27001, NIST 800-53, etc.
- Assess the current state of its IT compliance posture, by conducting audits, gap analyses, risk assessments, and maturity assessments.
- Define the desired state of its IT compliance posture, by setting goals, objectives, and metrics for each compliance area.
- Develop the IT compliance policies that outline the roles, responsibilities, procedures, controls, and tools for achieving compliance in each area.
- Implement the IT compliance policies across the organization, by communicating them to all stakeholders, providing training and awareness programs, enforcing them through monitoring and reporting mechanisms, and reviewing them periodically for improvement.
Risk Management & Mitigation
IT compliance and regulatory standards govern how organizations use, protect, and share information and technology. These standards may come from different sources, such as laws, regulations, industry codes, contracts, or ethical principles.
IT compliance and regulatory standards include:
The General Data Protection Regulation (GDPR), which is a European Union law that protects the privacy and rights of individuals in relation to their personal data.
The Payment Card Industry Data Security Standard (PCI DSS), which is a set of security requirements for organizations that process, store, or transmit credit card information.
The ISO/IEC 27000 series, which is a family of international standards for information security management systems.
Managing Risk in IT Compliance and Regulatory Standards
Managing and mitigating risks in IT compliance and regulatory standards involves a systematic process of identifying, analysing, evaluating, treating, monitoring, and reviewing the risks. Some of the steps involved in this process are:
Establishing a governance framework for IT compliance and regulatory standards. This involves defining the roles, responsibilities, policies, procedures, and controls for ensuring that the organization meets its obligations and objectives in relation to information and technology.
Conducting a risk assessment for IT compliance and regulatory standards. This involves identifying the sources and causes of potential risks, estimating their likelihood and impact, and prioritizing them based on their severity.
Implementing risk treatment strategies for IT compliance and regulatory standards. This involves selecting and applying appropriate measures to avoid, reduce, transfer, or accept the risks. Some examples of risk treatment strategies are:
Implementing technical safeguards such as encryption, firewalls, antivirus software, or backup systems to protect information and technology from unauthorized access or damage.
Implementing administrative safeguards such as training, awareness, policies, procedures, or audits to ensure that staff follow the rules and requirements for information and technology.
Implementing legal safeguards such as contracts, agreements, or insurance to transfer or share the responsibility or liability for information and technology with other parties.
Monitoring and reviewing the effectiveness of risk management activities for IT compliance and regulatory standards. This involves measuring and reporting on the performance and outcomes of the risk management process, identifying any gaps or weaknesses, and making adjustments or improvements as needed.
Ethical Considerations in Emerging Technologies
Emerging technologies such as artificial intelligence, cloud computing, and big data, together with the cybersecurity practices that protect them, have enormous potential to transform many domains of human activity.
Ethical Dilemmas and Principles in Data Retention and Deletion
Data retention and deletion involve ethical dilemmas that require careful balancing of competing values and interests. Some of the common ethical dilemmas are:
How long should data be retained? Retaining data for too long can increase the risk of data breaches, misuse, or abuse, while deleting data too soon can limit the potential benefits of data analysis or reuse.
How should data be deleted? Deleting data securely and completely (overwriting or cryptographic erasure, rather than merely unlinking files or dropping rows) prevents later recovery or unauthorized access, while retaining a record of what was deleted, when, and by whom supports auditing and verification.
Who should decide on data retention and deletion? Data controllers and processors may have different incentives or preferences for data retention and deletion than data subjects or stakeholders, who may have different levels of awareness or consent.
What are the trade-offs between data retention and deletion? Data retention and deletion may involve trade-offs between efficiency and effectiveness, innovation and protection, individual and collective interests, or short-term and long-term goals.
Addressing ethical dilemmas
To address these ethical dilemmas, some ethical principles can guide the decision-making process. Some of the widely accepted ethical principles are:
Respect for human dignity. Data retention and deletion should respect the inherent worth and dignity of every human being, regardless of their characteristics or circumstances.
Fairness and justice. Data retention and deletion should ensure equal treatment and opportunity for all data subjects and stakeholders, without discrimination or bias.
Beneficence and non-maleficence. Data retention and deletion should maximize the benefits and minimize the harms for data subjects, stakeholders, and society at large.
Autonomy and consent. Data retention and deletion should respect the choices and preferences of data subjects, who should be informed and empowered to exercise their rights over their data.
Transparency and accountability. Data retention and deletion should be clear, consistent, and explainable to data subjects, stakeholders, and regulators, who should be able to monitor and evaluate their compliance and outcomes.
1.3. Zero trust Principles
Zero Trust is a modern approach to cybersecurity. It assumes that no user, device, or connection should be trusted automatically, even if it is inside the organization’s network. This differs from perimeter-based security models that trusted everything inside the corporate network once it had passed the firewall.
Key Principles of Zero Trust
- Verify Always: Check the identity of every user and device, every time they try to access resources, using signals such as credentials, MFA, device health and location rather than network position.
- Least Privilege Access: Give users only the access they need to do their job, nothing more, and remove it when it is no longer needed.
- Assume Breach: Design as if an attacker is already inside the network. Segment, encrypt, log and monitor continuously so that one compromised account or host cannot reach everything.
Implementation Strategies
1. Identity and Access Management (IAM):
- Use strong authentication methods like multi-factor authentication (MFA).
- Implement single sign-on (SSO) so that authentication and access policy are enforced in one place, which improves both user experience and security.
2. Network Segmentation:
- Divide the network into smaller segments (down to individual workloads where practical).
- Control and log access between these segments, so a compromise in one segment cannot spread freely to the others.
3. Continuous Monitoring and Validation:
- Continuously watch for unusual activity, such as logins from unknown devices or access outside normal working patterns.
- Regularly review whether users still need their current access levels, and revoke any access that is no longer required.
4. Data Classification:
- Categorize data based on its importance.
- Apply different protection levels to each category.
5. Device Access Control:
- Only allow known and approved devices to connect.
- Ensure all devices meet security standards before granting access.
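The five strategies above all feed a single access decision. The following Python policy decision point, added here as an illustration and not code from the original module, evaluates one request against each of them: it requires MFA (verify always), checks the device against an inventory and its posture (device access control), consults an explicit role allow-list (least privilege), and forces re-verification on a schedule set by the resource's classification (continuous validation and data classification). The device inventory, roles, resource labels and time limits are constructed, hypothetical values; anything not explicitly allowed is denied, and an unlabelled resource is treated as confidential so that a missing label fails closed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- Constructed inventories (hypothetical data, not from any real system) ---

# Device access control: only known devices, and only if their posture passes.
APPROVED_DEVICES = {
    "laptop-0042": {"disk_encrypted": True, "os_patched": True},
    "laptop-0099": {"disk_encrypted": True, "os_patched": False},
}

# Least privilege: each role maps to an explicit (resource, action) allow-list.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "finance-admin": {("reports", "read"), ("ledger", "read"), ("ledger", "write")},
}

# Data classification: how sensitive each resource is, and how recently the
# user must have been verified before touching it (continuous validation).
RESOURCE_CLASSIFICATION = {"reports": "internal", "ledger": "confidential"}
MAX_VERIFICATION_AGE = {
    "internal": timedelta(hours=8),
    "confidential": timedelta(minutes=15),
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset[str]
    mfa_verified: bool          # identity proven with a second factor this session
    last_verified: datetime     # when the user last re-authenticated
    device_id: str
    resource: str
    action: str
    now: datetime               # injected so the decision is reproducible


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, denial_reasons). Every check must pass; default is deny."""
    reasons: list[str] = []

    # Verify always: no MFA, no access, regardless of network location.
    if not req.mfa_verified:
        reasons.append("mfa_required")

    # Device access control: unknown device or failed posture check is a deny.
    posture = APPROVED_DEVICES.get(req.device_id)
    if posture is None:
        reasons.append("unknown_device")
    elif not all(posture.values()):
        reasons.append("device_noncompliant")

    # Least privilege: the (resource, action) pair must be explicitly granted
    # to at least one of the user's roles; unknown roles grant nothing.
    granted = any(
        (req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())
        for role in req.roles
    )
    if not granted:
        reasons.append("no_permission")

    # Continuous validation, scaled by classification: an unlabelled resource
    # is treated as confidential so a missing label fails closed.
    classification = RESOURCE_CLASSIFICATION.get(req.resource, "confidential")
    if req.now - req.last_verified > MAX_VERIFICATION_AGE[classification]:
        reasons.append("reverification_required")

    return (not reasons), reasons


def audit_record(req: AccessRequest, allowed: bool, reasons: list[str]) -> dict:
    """Structured log entry: every decision, allowed or denied, is recorded."""
    return {
        "ts": req.now.isoformat(),
        "user": req.user,
        "device": req.device_id,
        "resource": req.resource,
        "action": req.action,
        "decision": "allow" if allowed else "deny",
        "reasons": list(reasons),
    }


def _demo() -> None:
    now = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    req = AccessRequest(
        user="alice", roles=frozenset({"finance-admin"}), mfa_verified=True,
        last_verified=now - timedelta(minutes=30), device_id="laptop-0042",
        resource="ledger", action="write", now=now,
    )
    allowed, reasons = evaluate(req)
    print(audit_record(req, allowed, reasons))


if __name__ == "__main__":
    _demo()
```

Note that the demo request is denied even though the user holds the right role and uses an approved device: the ledger is confidential and the last verification is older than 15 minutes, so the user must re-authenticate. Returning every failed check, rather than stopping at the first, gives the monitoring team the full picture for the audit log without leaking it to the requester.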
Challenges of Implementing Zero Trust
- Complexity: Zero Trust systems can be complicated to set up and manage.
- User Experience: Extra security steps might slow down work or frustrate users.
- Legacy Systems: Old technology might not work well with Zero Trust principles.
- Cost: Implementing new security measures can be expensive.
- Cultural Shift: Employees need to change how they think about security.
Benefits of Zero Trust
- Improved Security: Better protection against both external and internal threats.
- Better Visibility: Clearer view of who is accessing what in your network.
- Simplified Management: Consistent security rules across the entire organization.
- Compliance Support: Helps meet many regulatory requirements.
- Flexibility: Works well with modern technologies like cloud services and remote work.
Zero Trust is a powerful approach to cybersecurity. While it has challenges, its benefits make it increasingly popular among organizations. As cyber threats grow more complex, Zero Trust principles help create a strong, adaptable security posture.
1.4 Case Study: Suspicious behaviour linked to large-scale identity fraud operation
A bank teller submitted a report to AUSTRAC* detailing suspicious banking transactions. This report assisted authorities investigating a syndicate allegedly involved in large-scale identity fraud.
The report described over-the-counter transactions in which two people were involved – the account owner and the main suspect. The suspect was not connected to the account but controlled the transactions and would not allow the account owner to speak.
The pair transferred approximately AUD541,000 from a bank account in Jordan to an Australian account. They then withdrew approximately AUD394,000 from the Australian account in the form of a bank cheque. When the teller requested that the account owner undertake this withdrawal, the suspect became agitated and aggressive. The pair also transferred approximately AUD147,000 from the Australian account to a third-party account.
These transactions left the account owner with an account balance of just AUD1,000. AUSTRAC information allowed authorities to link the suspect in this matter with the movement of funds to Jordan, the United Arab Emirates and Peru. Authorities continued their investigations and ultimately commenced proceeds of crime action against the suspect and members of the syndicate, and restrained approximately AUD1.6 million in assets, including real estate and cash.
*AUSTRAC, the Australian Transaction Reports and Analysis Centre, is an Australian government financial intelligence agency that monitors financial transactions to detect money laundering, organised crime, tax evasion, welfare fraud and terrorism financing.