SlideShare a Scribd company logo

Code Galore Caselet Using COBIT® 5 for Information Security.docx

Download as DOCX, PDF
P
pickersgillkayne

1) Code Galore is a startup software company facing financial difficulties due to slow sales and pressure from investors to become profitable. It recently acquired another small company, Skyhaven Software, in an effort to boost its prospects. 2) This has introduced new security risks to Code Galore's network as Skyhaven employees now have access and their systems contained malware. Additionally, Skyhaven's source code and practices are less secure. 3) As CSO, you must update Code Galore's risk assessment to account for these new risks and priorities the most serious for mitigation, given limited security resources. This will allow requesting additional funds needed to properly secure the company's operations and source code.

Education
1 of 21
Code Galore Caselet: Using COBIT® 5 for Information Security Company Profile – Code Galore Background Information The Problems Your Role Your Tasks Figures Notes Questions 2 Agenda © 2013 ISACA. All rights reserved. Profile Start-up company founded in 2005 One office in Sunnyvale, California, USA 10 remote salespeople and a few with space at resellers’ offices Approximately 100 total staff; about one-third work in engineering 3 Company Profile – Code Galore 4 What we do Org. Structure Operational Industry
Products Sales Financials Background Information Building a comprehensive business function automation software that performs many functions (decision making in approaching new initiatives, goal setting and tracking, financial accounting, a payment system, and much more). The software is largely the joint brainchild of the Chief Technology Officer (CTO) and a highly visionary Marketing Manager who left the company a year ago 5 What we do Org. Structure Operational Industry Products Sales Financials Background Information – What We Do Financed 100% by investors who are extremely anxious to make a profit. Investors have invested more than US $35 million since inception and have not received any returns. The organization expected a small profit in the last two quarters. However, the weak economy led to the cancellation of several large orders. As a result, the organization was in the red each quarter by approximately US $250,000. 6 Background Information – Financials What we do
Org. Structure Operational Industry Products Sales Financials Code Galore is a privately held company with a budget of US $15 million per year. Sales last year totaled US $13.5 million (as mentioned earlier, the company came within US $250,000 of being profitable each of the last two quarters). The investors hold the preponderance of the company’s stock; share options are given to employees in the form of stock options that can be purchased for US $1 per share if the company ever goes public. Code Galore spends about five percent of its annual budget on marketing. Its marketing efforts focus on portraying other financial function automation applications as ‘point solutions’ in contrast to Code Galore’s product. 7 Background Information – Financials What we do Org. Structure Operational Industry Products Sales Financials 8 Background Information – Org. Structure Figure 1—Code Galore Organisational Chart CEO CSO
VP, Finance VP, Business CTO VP, Human Resources Security Administrator Sales Mgr Accounting Dir. Sr. Financial Analyst Infrastructure Mgr. Sys. Dev. Mgr. HR Manager What we do Org. Structure Operational Industry Products Sales Financials The board of directors:
Consists of seasoned professionals with many years of experience in the software industry Is scattered all over the world and seldom meets, except by teleconference Is uneasy with Code Galore being stretched so thin financially, and a few members have tendered their resignations within the last few months 9 Background Information – Org. Structure What we do Org. Structure Operational Industry Products Sales Financials The CEO: Is the former chief financial officer (CFO) of Code Galore that replaced the original CEO who resigned to pursue another opportunity two years ago Has a good deal of business knowledge, a moderate amount of experience as a C-level officer, but no prior experience as a CEO As a former CFO, tends to focus more on cost cutting than on creating a vision for developing more business and getting better at what Code Galore does best Background Information – Org. Structure 10 What we do Org. Structure Operational Industry Products
Sales Financials Engineers perform code installations. The time to get the product completely installed and customized to the customer’s environment can exceed one month with costs higher than US $60,000 to the customer. Labour and purchase costs are too high for small and medium- sized businesses. So far, only large companies in the US and Canada have bought the product. C-level officers and board members know that they have developed a highly functional, unique product for which there is really no competition. They believe that, in time, more companies will become interested in this product, but the proverbial time bomb is ticking. Investors have stretched themselves to invest US $35 million in the company, and are unwilling to invest much more. 11 Background Information – Operational What we do Org. Structure Operational Industry Products Sales Financials Business function automation software is a profitable area for many software vendors because it automates tasks that previously had to be performed manually or that software did not adequately support. The business function automation software arena has many
products developed by many vendors. However, Code Galore is a unique niche player that does not really compete (at least on an individual basis) with other business automation software companies. Background Information – Industry 12 What we do Org. Structure Operational Industry Products Sales Financials The product is comprehensive—at least four other software products would have to be purchased and implemented to cover the range of functions that Code Galore’s product covers. Additionally, the product integrates information and statistics throughout all functions—each function is aware of what is occurring in the other functions and can adjust what it does accordingly, leading to better decision aiding. Background Information – Products 13 What we do Org. Structure Operational Industry Products Sales Financials Sales have been slower than expected, mainly due to a combination of the economic recession and the high price and complexity of the product.
The price is not just due to the cost of software development; it also is due to the configuration labour required to get the product running suitably for its customers. Background Information – Sales 14 What we do Org. Structure Operational Industry Products Sales Financials Acquisition Code Galore is in many ways fighting for its life, and the fact that, four months ago, the board of directors made the decision to acquire a small software start-up company, Skyhaven Software, has not helped the cash situation. Skyhaven consists of approximately 15 people, mostly programmers who work at the company’s small office in Phoenix, Arizona, USA. Originally, the only connection between your network and Skyhaven’s was an archaic public switched telephone network (PSTN). Setting up a WAN Two months ago, your company’s IT director was tasked with setting up a dedicated wide area network (WAN) connection to allow the former Skyhaven staff to remotely access Code Galore’s internal network and vice versa. You requested that this implementation be delayed until the security implications of having this new access route into your network were better understood, but the CEO denied your request on the grounds that it would delay a critical business initiative, namely getting Skyhaven’s code integrated into Code Galore’s.
15 The Problems Information Security More recently, you have discovered that the connection does not require a password for access and that, once a connection to the internal network is established from outside the network, it is possible to connect to every server within the network, including the server that holds Code Galore’s source code and software library and the server that houses employee payroll, benefits and medical insurance information. Fortunately, access control lists (ACLs) limit the ability of anyone to access these sensitive files, but a recent vulnerability scan showed that both servers have vulnerabilities that could allow an attacker to gain unauthorised remote privileged access. You have told the IT director that these vulnerabilities need to be patched, but because of the concern that patching them may cause them to crash or behave unreliably and because Code Galore must soon become profitable or else, you have granted the IT director a delay of one month in patching the servers. 16 The Problems – Overview Bots What now really worries you is that, earlier today, monitoring by one of the security engineers who does some work for you has shown that several hosts in Skyhaven’s network were found to have bots installed in them.
Source Code Furthermore, one of the Skyhaven programmers has told you that Skyhaven source code (which is to be integrated into Code Galore’s source code as soon as the Skyhaven programmers are through with the release on which they are currently working) is on just about every Skyhaven machine, regardless of whether it is a workstation or server. 17 The Problems – Overview Code Galore vs. Skyhaven Employee knowledge Code Galore employees are, in general, above average in their knowledge and awareness of information security, due in large part to an effective security awareness programme that you set up two months after you started working at Code Galore and have managed ever since. You offer monthly brown bag lunch events in a large conference room, display posters reminding employees not to engage in actions such as opening attachments that they are not expecting, and send a short monthly newsletter informing employees of the direction in which the company is going in terms of security and how they can help. Very few incidents due to bad user security practices occurred until Skyhaven Software was acquired. Skyhaven’s employees appear to have almost no knowledge of information security. You also have discovered that the Skyhaven employee who informally provides technical assistance does not make backups and has done little in terms of security configuration and patch management. 18 The Problems – Overview
19 Your Role Hired two years ago as the only Chief Security Officer (CSO) this company has ever had. Report directly to the Chief Executive Officer (CEO). Attend the weekly senior management meeting in which goals are set, progress reports are given and issues to be resolved are discussed. The Information Security Department consists of just you; two members of the security engineering team from software are available eight hours each week. 10 years of experience as an information security manager, five of which as a CSO, but you have no previous experience in the software arena. Four years of experience as a junior IT auditor. Undergraduate degree in managing information systems and have earned many continuing professional education credits in information security, management and audit areas. Five years ago, you earned your CISM certification. The focus here is not on a business unit, but rather on Code Galore as a whole, particularly on security risk that could cripple the business. Due primarily to cost-cutting measures the CEO has put in place, your annual budget has been substantially less than you requested each year. Frankly, you have been lucky that no serious incident has occurred so far. You know that in many ways your company has been tempting fate. You do the best you can with what you have, but levels of
unmitigated risk in some critical areas are fairly high. Your Role and the Business Units 20 Mr. Wingate’s focus on cost cutting is a major reason that you have not been able to obtain more resources for security risk mitigation measures. He is calm and fairly personable, but only a fair communicator, something that results in your having to devote extra effort in trying to learn his expectations of your company’s information security risk mitigation effort and keeping him advised of risk vectors and major developments and successes of this effort. 21 Your Role and the CEO, Ernest Wingate Code Galore’s IT director is Carmela Duarte. She has put a system of change control into effect for all IT activities involving hardware and software. This system is almost perfect for Code Galore—it is neither draconian nor too lax and very few employees have any complaints against it. You have an excellent working relationship with her, and although she is under considerable pressure from her boss, the CTO, and the rest of C-level management to take shortcuts, she usually tries to do what is right from a security control perspective.
She is working hard to integrate the Skyhaven Software network into Code Galore’s, but currently, there are few resources available to do a very thorough job. She would also do more for the sake of security risk mitigation if she had the resources. Carmela has worked with Code Galore since 2006, and she is very much liked and respected by senior management and the employees who work for her. 22 Your Role and the IT Director, Carmela Duarte You believe that Code Galore’s (but not Skyhaven Software’s) security risk is well within the risk appetite of the CEO and the board of directors. You have a good security policy (including acceptable use provisions) and standards in place, and you keep both of them up to date. You have established a yearly risk management cycle that includes asset valuation, threat and vulnerability assessment, risk analysis, controls evaluation and selection, and controls effectiveness assessment, and you are just about ready to start a controls evaluation when you suddenly realise that something more important needs to be done right away (outlined in The Problem section). 23 Your Tasks © 2013 ISACA. All rights reserved. Using the figure 4 template, you need to modify the qualitative risk analysis that you performed six months ago to take into
account the risk related to Skyhaven Software. The major risk events identified during this risk analysis are shown in figure 2. You must not only head this effort, but for all practical purposes, you will be the only person from Code Galore who works on this effort. 24 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved. Your revision of the last risk analysis will not only bring Code Galore up to date concerning its current risk landscape, but will also provide the basis for your requesting additional resources to mitigate new, serious risk and previously unmitigated or unsuitably mitigated risk. You may find that some risk events are lower in severity than before, possibly to the point that allocating further resources to mitigate them would not be appropriate. This may help optimise your risk mitigation investments. To the degree that you realistically and accurately identify new and changed risk, you will modify the direction of your information security practice in a manner that, ideally, lowers the level of exposure of business processes to major risk and facilitates growth of the business. Failure to realistically and accurately identify new and changed risk will result in blindness to relevant risk that will lead to unacceptable levels of unmitigated risk. 25 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved.
You must revise the most recent risk analysis, not only by reassessing all the currently identified major risk, but also by adding at least three risk events that were not previously identified. COBIT 5 provides tools that might be helpful in determining the best approach reassessing and prioritising the major risk events, in EDM03, Ensure risk optimisation. You must also provide a clear and complete rationale for the risk events, their likelihood, and impacts (outlined in the section Alternatives With Pros and Cons of Each section). 26 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved. The rationale for each security-related risk that you select must include a discussion of the pros and cons associated with identifying and classifying each as a medium-low risk or higher. For example, suppose that you decide that a prolonged IT outage is no longer a medium- to low-level risk, but instead is now a low risk. The pros (purely hypothetical in this case) may be that outage- related risk events are now much lower than before due to, for example, the implementation of a new backup and recovery system that feeds data into an alternative data center (not true in this caselet). In this case allocating additional resources would therefore be a waste of time and money. 27 Your Tasks – Pros and Cons
© 2013 ISACA. All rights reserved. On the con side, lowering the severity of a prolonged IT outage risk may result in underestimation of this source of risk, which could result in failing to allocate resources and in a much higher amount of outage-related loss and disruption than Code Galore could take, given its somewhat precarious state. 28 Your Tasks – Pros and Cons © 2013 ISACA. All rights reserved. Exhibits – Major Risk 29 © 2013 ISACA. All rights reserved. Figure 2—Major Risk Figure 3—Network Diagram 30 © 2013 ISACA. All rights reserved. 31 Figure 4—Risk Analysis Template © 2013 ISACA. All rights reserved. Since Code Galore is in the business function automation software arena it should be consider using business process automation (BPA), a strategy an business uses to automate
processes in order to contain costs. It consists of integrating applications, restructuring labor resources and using software applications throughout the organization. Code Galore is in a very difficult situation. Its existence is uncertain, and money is critical right now. Yet, this company has opened itself up to significant levels of security risk because of acquiring Skyhaven Software and the need for former Skyhaven programmers to access resources within the corporate network. Worse yet, even if the chief security officer (CSO) in this scenario correctly identifies and assesses the magnitude of security risk from acquiring Skyhaven and opening the Code Galore network to connections from the Skyhaven network and prescribes appropriate controls, given Code Galore’s cash crunch, not many resources (money and labour) are likely to be available for these controls. 32 Notes © 2013 ISACA. All rights reserved. All the CSO may be able to do is document the risk and make prioritised recommendations for controls, waiting for the right point in time when the company’s financial situation gets better. If an information security steering committee exists, the CSO must keep this committee fully apprised of changes in risk and solicit input concerning how to handle this difficult situation. At the same time, the CSO should initiate an ongoing effort (if no such effort has been initiated so far) to educate senior management and key stockholders concerning the potential business impact of the new risk profile. (Note: The kind of
situation described in this caselet is not uncommon in real- world settings.) 33 Notes © 2013 ISACA. All rights reserved. What are the most important business issues and goals for Code Galore? What are the factors affecting the problem related to this case? What are the managerial, organizational, and technological issues and resources related to this case? What role do different decision makers play in the overall planning, implementing and managing of the information technology/security applications? What are some of the emerging IT security technologies that should be considered in solving the problem related to the case? 34 Discussion Questions 1-5 © 2013 ISACA. All rights reserved. In what major ways and areas can information security help the business in reaching its goals? Which of the confidentiality, integrity and availability (CIA) triad is most critical to Code Galore’s business goals, and why? Change leads to risk, and some significant changes have occurred. Which of these changes lead to the greatest risk? Imagine that three of the greatest risk events presented themselves in worst-case scenarios. What would be some of these worst-case scenarios? How can the CSO in this scenario most effectively communicate newly and previously identified risk events that have grown because of the changes to senior management?
35 Discussion Questions 6-10 © 2013 ISACA. All rights reserved. 1 Quantitative Analysis To: Chief Information officer From: Manager of Desktop Support Re: Report Introduction Computer and Mobile phone loss in NASA could cause great danger to the organization and expose the organization to all sorts of system vulnerabilities. As reported in (Melanie Pinola, 2012), 48 mobile devices were stolen between April 2009 and April 2011. A more worrying trend is the level of encryption within the organization. Only one percent of the organization is encrypted, leaving sensitive data exposed to vulnerabilities and potential losses. There is a need to review the business continuity and disaster management plan. This should be done with a deep understanding of the current problem. Currently, there are 700 laptops presently in service. These Single Loss Expectancy (SLE) This is a risk assessment tool, which is the monetary value experienced when there is a risk on an asset. It is a single loss
that the institution will suffer. SLE== Asset Value X Exposure Factor $49000 X 0.99 X 700 =$33,957,000 Annualized Rate of Occurrence (ARO) This is the projected frequency of a threat happening in a year. 48 computers lost between Apr 2009 and April 2011 Hence 24 computers lost in one year. Hence the threat on a single laptop or mobile is 24/700=0.034 Annualized Loss Expectancy (ALE) It is based on the probability of an event occurring. Therefore, you multiply the annualized rate of occurrence (ARO) by Loss of Expectancy (SLE) ALE =SLE X ARO ALE=$33,957,000 X 0.034 =US$1,154,538 Safeguard Value Risk mitigation controls monetary expense. This helps determine the financial feasibility and effectiveness. The assumption is that all the proposed risk control measures are implemented correctly. Safeguard value is based on the hardware and software cost that you invest in protecting your information in case of software theft. Software solutions Altiris Manageability toolkit is available hardware per every node is US$18 https://www.marketscreener.com/ALTIRIS-8486/news/Altiris- Altiris-Ships-New-Toolkit-to-Sucnet.com/products/altiris- manageability-toolkit-for-intel-vpro-technology-essential- support-renewal-series/pport-Intel-vPro-1-Technology-for- Efficient-IT-Service-Man-273906/?iCStream=1 $ 18 X700 =12600 Support license for the network
12600+$80000 Cost of software USD92,600 Value of Safeguard=ALE before the implementation of safeguard-ALE after safeguard -Annual cost of protection. Sheet1CategoryProbability(0.0-1.0)Impact(0-100)Risk Level(PXI)Description1Zombles0.02901.8Zombie Apocalypse causes wide spread panic and physical security threats to staff, property and business operations2Natural Disaster0.12607.2the location of business may expose it to particular national disasters. This may be long term or short term. Rains may inturupt power supply. 3Threat of Breach from consumer error0.43012Consumer may expose the system or account by commission or ommission. This puts own data and others data at risk. 4Breach Through Vendor Network0.454520.25A threat from the faults of the service providers security system may expose the data to threat. 5Malware0.87560Malwares will mostly be sent through other communication or may be brought . They pause the threat of data exposure6Inside Misuse0.78559.5Employees handle a lot of company data and can be threat to the organisation by sharing it or even exposing it accidentally7Fringe Threat0.88568The risks includes fires, electrical failure, physical theft, attack by mob from office. The impact of threat varies

Recommended

Inside The Buyers Head Tim Clark May 4
Inside The Buyers Head Tim Clark May 4Inside The Buyers Head Tim Clark May 4
Inside The Buyers Head Tim Clark May 4
SIIA12
 
Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!
Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!
Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!
Dreamforce
 
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docxGLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
budbarber38650
 
Kapstone CIO Insights
Kapstone CIO InsightsKapstone CIO Insights
Kapstone CIO Insights
WinWire Technologies Inc
 
ThingsExpo: Enterprise Internet of Things (IoT) Patterns, Opportunities and P...
ThingsExpo: Enterprise Internet of Things (IoT) Patterns, Opportunities and P...ThingsExpo: Enterprise Internet of Things (IoT) Patterns, Opportunities and P...
ThingsExpo: Enterprise Internet of Things (IoT) Patterns, Opportunities and P...
ReidCarlberg
 
Game Changing IT Solutions
Game Changing IT SolutionsGame Changing IT Solutions
Game Changing IT Solutions
DMIMarketing
 
IoT, M2M: Three Events, Three Takeaways, Three To-Dos (IoT & The Connected De...
IoT, M2M: Three Events, Three Takeaways, Three To-Dos (IoT & The Connected De...IoT, M2M: Three Events, Three Takeaways, Three To-Dos (IoT & The Connected De...
IoT, M2M: Three Events, Three Takeaways, Three To-Dos (IoT & The Connected De...
ReidCarlberg
 
How a Salesforce CI/CD Suite Positions You as a Leader
How a Salesforce CI/CD Suite Positions You as a LeaderHow a Salesforce CI/CD Suite Positions You as a Leader
How a Salesforce CI/CD Suite Positions You as a Leader
AutoRABIT
 

Recommended

Inside The Buyers Head Tim Clark May 4
Inside The Buyers Head Tim Clark May 4Inside The Buyers Head Tim Clark May 4
Inside The Buyers Head Tim Clark May 4
SIIA12
 
Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!
Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!
Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!
Dreamforce
 
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docxGLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
budbarber38650
 
Kapstone CIO Insights
Kapstone CIO InsightsKapstone CIO Insights
Kapstone CIO Insights
WinWire Technologies Inc
 
ThingsExpo: Enterprise Internet of Things (IoT) Patterns, Opportunities and P...
ThingsExpo: Enterprise Internet of Things (IoT) Patterns, Opportunities and P...ThingsExpo: Enterprise Internet of Things (IoT) Patterns, Opportunities and P...
ThingsExpo: Enterprise Internet of Things (IoT) Patterns, Opportunities and P...
ReidCarlberg
 
Game Changing IT Solutions
Game Changing IT SolutionsGame Changing IT Solutions
Game Changing IT Solutions
DMIMarketing
 
IoT, M2M: Three Events, Three Takeaways, Three To-Dos (IoT & The Connected De...
IoT, M2M: Three Events, Three Takeaways, Three To-Dos (IoT & The Connected De...IoT, M2M: Three Events, Three Takeaways, Three To-Dos (IoT & The Connected De...
IoT, M2M: Three Events, Three Takeaways, Three To-Dos (IoT & The Connected De...
ReidCarlberg
 
How a Salesforce CI/CD Suite Positions You as a Leader
How a Salesforce CI/CD Suite Positions You as a LeaderHow a Salesforce CI/CD Suite Positions You as a Leader
How a Salesforce CI/CD Suite Positions You as a Leader
AutoRABIT
 
What's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesWhat's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releases
Elasticsearch
 
IT Department Roadmap | National Management Olympiad Season 4
IT Department Roadmap | National Management Olympiad Season 4IT Department Roadmap | National Management Olympiad Season 4
IT Department Roadmap | National Management Olympiad Season 4
National Management Olympiad
 
Dreamforce 2013 - Pitfalls and solutions
Dreamforce 2013 - Pitfalls and solutionsDreamforce 2013 - Pitfalls and solutions
Dreamforce 2013 - Pitfalls and solutions
Vincent Spehner
 
Redefining Integration - The End of the Black Box
Redefining Integration - The End of the Black BoxRedefining Integration - The End of the Black Box
Redefining Integration - The End of the Black Box
dreamforce2006
 
Case Problem for Global Finance, Inc.
Case Problem for Global Finance, Inc.Case Problem for Global Finance, Inc.
Case Problem for Global Finance, Inc.
David Bustin
 
Cloud Accounting for Fast Growing Companies
Cloud Accounting for Fast Growing CompaniesCloud Accounting for Fast Growing Companies
Cloud Accounting for Fast Growing Companies
Lindy Antonelli, CITP.CPA
 
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docxGLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
budbarber38650
 
Maximizing ROI with Legacy Application Migration
Maximizing ROI with Legacy Application Migration Maximizing ROI with Legacy Application Migration
Maximizing ROI with Legacy Application Migration
Mindfire LLC
 
Marketing Software Industry - Marketo, Inc Case Study
Marketing Software Industry - Marketo, Inc Case Study Marketing Software Industry - Marketo, Inc Case Study
Marketing Software Industry - Marketo, Inc Case Study
Jade Global
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
amburyj3c9
 
Top 10 Features Of Accounting Software You Should Know About!
Top 10 Features Of Accounting Software You Should Know About!Top 10 Features Of Accounting Software You Should Know About!
Top 10 Features Of Accounting Software You Should Know About!
Stuart Braud
 
Platform session 1 Innovation on the salesforce platform - speed vs control
Platform session 1 Innovation on the salesforce platform - speed vs controlPlatform session 1 Innovation on the salesforce platform - speed vs control
Platform session 1 Innovation on the salesforce platform - speed vs control
Salesforce - Sweden, Denmark, Norway
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
dewhirstichabod
 
Software Licence Audits - Facts Survival Benefits
Software Licence Audits - Facts Survival BenefitsSoftware Licence Audits - Facts Survival Benefits
Software Licence Audits - Facts Survival Benefits
Eric Chiu
 
Leading Digital Transformation Trends for 2024
Leading Digital Transformation Trends for 2024Leading Digital Transformation Trends for 2024
Leading Digital Transformation Trends for 2024
Armando Salvador Pérez
 
Pund-IT: Getting Things Right—Software and IBM’s Acquisition Strategy
Pund-IT: Getting Things Right—Software and IBM’s Acquisition StrategyPund-IT: Getting Things Right—Software and IBM’s Acquisition Strategy
Pund-IT: Getting Things Right—Software and IBM’s Acquisition Strategy
Mauricio Godoy
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should Know
Narola Infotech
 
Organization Wide Performance Methodology (ITIL)
Organization Wide Performance Methodology (ITIL)Organization Wide Performance Methodology (ITIL)
Organization Wide Performance Methodology (ITIL)
Moshe Kaplan
 
Bullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docxBullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docx
CruzIbarra161
 
T-Bytes Platforms & Applications
T-Bytes Platforms & ApplicationsT-Bytes Platforms & Applications
T-Bytes Platforms & Applications
EGBG Services
 
CompetencyIn this project, you will demonstrate your mastery of .docx
CompetencyIn this project, you will demonstrate your mastery of .docxCompetencyIn this project, you will demonstrate your mastery of .docx
CompetencyIn this project, you will demonstrate your mastery of .docx
pickersgillkayne
 
CompetencyExplore advocacy opportunities in the community..docx
CompetencyExplore advocacy opportunities in the community..docxCompetencyExplore advocacy opportunities in the community..docx
CompetencyExplore advocacy opportunities in the community..docx
pickersgillkayne
 

More Related Content

Similar to Code Galore Caselet Using COBIT® 5 for Information Security.docx

IT Department Roadmap | National Management Olympiad Season 4
IT Department Roadmap | National Management Olympiad Season 4IT Department Roadmap | National Management Olympiad Season 4
IT Department Roadmap | National Management Olympiad Season 4
National Management Olympiad
 
Redefining Integration - The End of the Black Box
Redefining Integration - The End of the Black BoxRedefining Integration - The End of the Black Box
Redefining Integration - The End of the Black Box
dreamforce2006
 
Cloud Accounting for Fast Growing Companies
Cloud Accounting for Fast Growing CompaniesCloud Accounting for Fast Growing Companies
Cloud Accounting for Fast Growing Companies
Lindy Antonelli, CITP.CPA
 
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docxGLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
budbarber38650
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
amburyj3c9
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
dewhirstichabod
 
Software Licence Audits - Facts Survival Benefits
Software Licence Audits - Facts Survival BenefitsSoftware Licence Audits - Facts Survival Benefits
Software Licence Audits - Facts Survival Benefits
Eric Chiu
 
Pund-IT: Getting Things Right—Software and IBM’s Acquisition Strategy
Pund-IT: Getting Things Right—Software and IBM’s Acquisition StrategyPund-IT: Getting Things Right—Software and IBM’s Acquisition Strategy
Pund-IT: Getting Things Right—Software and IBM’s Acquisition Strategy
Mauricio Godoy
 
Organization Wide Performance Methodology (ITIL)
Organization Wide Performance Methodology (ITIL)Organization Wide Performance Methodology (ITIL)
Organization Wide Performance Methodology (ITIL)
Moshe Kaplan
 
Bullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docxBullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docx
CruzIbarra161
 

Similar to Code Galore Caselet Using COBIT® 5 for Information Security.docx (20)

What's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesWhat's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releases
 
IT Department Roadmap | National Management Olympiad Season 4
IT Department Roadmap | National Management Olympiad Season 4IT Department Roadmap | National Management Olympiad Season 4
IT Department Roadmap | National Management Olympiad Season 4
 
Dreamforce 2013 - Pitfalls and solutions
Dreamforce 2013 - Pitfalls and solutionsDreamforce 2013 - Pitfalls and solutions
Dreamforce 2013 - Pitfalls and solutions
 
Redefining Integration - The End of the Black Box
Redefining Integration - The End of the Black BoxRedefining Integration - The End of the Black Box
Redefining Integration - The End of the Black Box
 
Case Problem for Global Finance, Inc.
Case Problem for Global Finance, Inc.Case Problem for Global Finance, Inc.
Case Problem for Global Finance, Inc.
 
Cloud Accounting for Fast Growing Companies
Cloud Accounting for Fast Growing CompaniesCloud Accounting for Fast Growing Companies
Cloud Accounting for Fast Growing Companies
 
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docxGLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
 
Maximizing ROI with Legacy Application Migration
Maximizing ROI with Legacy Application Migration Maximizing ROI with Legacy Application Migration
Maximizing ROI with Legacy Application Migration
 
Marketing Software Industry - Marketo, Inc Case Study
Marketing Software Industry - Marketo, Inc Case Study Marketing Software Industry - Marketo, Inc Case Study
Marketing Software Industry - Marketo, Inc Case Study
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
 
Top 10 Features Of Accounting Software You Should Know About!
Top 10 Features Of Accounting Software You Should Know About!Top 10 Features Of Accounting Software You Should Know About!
Top 10 Features Of Accounting Software You Should Know About!
 
Platform session 1 Innovation on the salesforce platform - speed vs control
Platform session 1 Innovation on the salesforce platform - speed vs controlPlatform session 1 Innovation on the salesforce platform - speed vs control
Platform session 1 Innovation on the salesforce platform - speed vs control
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
 
Software Licence Audits - Facts Survival Benefits
Software Licence Audits - Facts Survival BenefitsSoftware Licence Audits - Facts Survival Benefits
Software Licence Audits - Facts Survival Benefits
 
Leading Digital Transformation Trends for 2024
Leading Digital Transformation Trends for 2024Leading Digital Transformation Trends for 2024
Leading Digital Transformation Trends for 2024
 
Pund-IT: Getting Things Right—Software and IBM’s Acquisition Strategy
Pund-IT: Getting Things Right—Software and IBM’s Acquisition StrategyPund-IT: Getting Things Right—Software and IBM’s Acquisition Strategy
Pund-IT: Getting Things Right—Software and IBM’s Acquisition Strategy
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should Know
 
Organization Wide Performance Methodology (ITIL)
Organization Wide Performance Methodology (ITIL)Organization Wide Performance Methodology (ITIL)
Organization Wide Performance Methodology (ITIL)
 
Bullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docxBullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docx
 
T-Bytes Platforms & Applications
T-Bytes Platforms & ApplicationsT-Bytes Platforms & Applications
T-Bytes Platforms & Applications
 

More from pickersgillkayne

CompetencyIn this project, you will demonstrate your mastery of .docx
CompetencyIn this project, you will demonstrate your mastery of .docxCompetencyIn this project, you will demonstrate your mastery of .docx
CompetencyIn this project, you will demonstrate your mastery of .docx
pickersgillkayne
 
CompetencyExplore advocacy opportunities in the community..docx
CompetencyExplore advocacy opportunities in the community..docxCompetencyExplore advocacy opportunities in the community..docx
CompetencyExplore advocacy opportunities in the community..docx
pickersgillkayne
 
CompetencyEvaluate the role and impact of financial principl.docx
CompetencyEvaluate the role and impact of financial principl.docxCompetencyEvaluate the role and impact of financial principl.docx
CompetencyEvaluate the role and impact of financial principl.docx
pickersgillkayne
 
CompetencyEvaluate the impact of innovation on team success..docx
CompetencyEvaluate the impact of innovation on team success..docxCompetencyEvaluate the impact of innovation on team success..docx
CompetencyEvaluate the impact of innovation on team success..docx
pickersgillkayne
 
CompetencyEvaluate the role of identity, diverse segments, a.docx
CompetencyEvaluate the role of identity, diverse segments, a.docxCompetencyEvaluate the role of identity, diverse segments, a.docx
CompetencyEvaluate the role of identity, diverse segments, a.docx
pickersgillkayne
 
CompetencyExamine leaderships role in executing successful change.docx
CompetencyExamine leaderships role in executing successful change.docxCompetencyExamine leaderships role in executing successful change.docx
CompetencyExamine leaderships role in executing successful change.docx
pickersgillkayne
 
CompetencyEvaluate psychological theories and their insights.docx
CompetencyEvaluate psychological theories and their insights.docxCompetencyEvaluate psychological theories and their insights.docx
CompetencyEvaluate psychological theories and their insights.docx
pickersgillkayne
 
CompetencyEmploy contemporary economic principles that guide.docx
CompetencyEmploy contemporary economic principles that guide.docxCompetencyEmploy contemporary economic principles that guide.docx
CompetencyEmploy contemporary economic principles that guide.docx
pickersgillkayne
 
CompetencyDetermine how the environment and economies are in.docx
CompetencyDetermine how the environment and economies are in.docxCompetencyDetermine how the environment and economies are in.docx
CompetencyDetermine how the environment and economies are in.docx
pickersgillkayne
 
CompetencyDescribe the atmosphere, biosphere, hydrosphere, g.docx
CompetencyDescribe the atmosphere, biosphere, hydrosphere, g.docxCompetencyDescribe the atmosphere, biosphere, hydrosphere, g.docx
CompetencyDescribe the atmosphere, biosphere, hydrosphere, g.docx
pickersgillkayne
 
CompetencyDevelop examples of ethical and privacy concerns a.docx
CompetencyDevelop examples of ethical and privacy concerns a.docxCompetencyDevelop examples of ethical and privacy concerns a.docx
CompetencyDevelop examples of ethical and privacy concerns a.docx
pickersgillkayne
 
CompetencyAssess the causes and consequences of historical e.docx
CompetencyAssess the causes and consequences of historical e.docxCompetencyAssess the causes and consequences of historical e.docx
CompetencyAssess the causes and consequences of historical e.docx
pickersgillkayne
 
CompetencyApply data analytic methodologies to diverse popul.docx
CompetencyApply data analytic methodologies to diverse popul.docxCompetencyApply data analytic methodologies to diverse popul.docx
CompetencyApply data analytic methodologies to diverse popul.docx
pickersgillkayne
 
CompetencyAssess the development of societal standards in re.docx
CompetencyAssess the development of societal standards in re.docxCompetencyAssess the development of societal standards in re.docx
CompetencyAssess the development of societal standards in re.docx
pickersgillkayne
 
CompetencyAnalyze the evolution of social media standards an.docx
CompetencyAnalyze the evolution of social media standards an.docxCompetencyAnalyze the evolution of social media standards an.docx
CompetencyAnalyze the evolution of social media standards an.docx
pickersgillkayne
 
CompetencyAnalyze the evolution of social media standards and .docx
CompetencyAnalyze the evolution of social media standards and .docxCompetencyAnalyze the evolution of social media standards and .docx
CompetencyAnalyze the evolution of social media standards and .docx
pickersgillkayne
 
CompetencyAnalyze leadership and management roles in change ma.docx
CompetencyAnalyze leadership and management roles in change ma.docxCompetencyAnalyze leadership and management roles in change ma.docx
CompetencyAnalyze leadership and management roles in change ma.docx
pickersgillkayne
 
CompetencyAnalyze financial statements to assess performance a.docx
CompetencyAnalyze financial statements to assess performance a.docxCompetencyAnalyze financial statements to assess performance a.docx
CompetencyAnalyze financial statements to assess performance a.docx
pickersgillkayne
 
Competency Checklist and Professional Development Resources .docx
Competency Checklist and Professional Development Resources .docxCompetency Checklist and Professional Development Resources .docx
Competency Checklist and Professional Development Resources .docx
pickersgillkayne
 
CompetenciesDetermine the historical impact of art on mode.docx
CompetenciesDetermine the historical impact of art on mode.docxCompetenciesDetermine the historical impact of art on mode.docx
CompetenciesDetermine the historical impact of art on mode.docx
pickersgillkayne
 

More from pickersgillkayne (20)

CompetencyIn this project, you will demonstrate your mastery of .docx
CompetencyIn this project, you will demonstrate your mastery of .docxCompetencyIn this project, you will demonstrate your mastery of .docx
CompetencyIn this project, you will demonstrate your mastery of .docx
 
CompetencyExplore advocacy opportunities in the community..docx
CompetencyExplore advocacy opportunities in the community..docxCompetencyExplore advocacy opportunities in the community..docx
CompetencyExplore advocacy opportunities in the community..docx
 
CompetencyEvaluate the role and impact of financial principl.docx
CompetencyEvaluate the role and impact of financial principl.docxCompetencyEvaluate the role and impact of financial principl.docx
CompetencyEvaluate the role and impact of financial principl.docx
 
CompetencyEvaluate the impact of innovation on team success..docx
CompetencyEvaluate the impact of innovation on team success..docxCompetencyEvaluate the impact of innovation on team success..docx
CompetencyEvaluate the impact of innovation on team success..docx
 
CompetencyEvaluate the role of identity, diverse segments, a.docx
CompetencyEvaluate the role of identity, diverse segments, a.docxCompetencyEvaluate the role of identity, diverse segments, a.docx
CompetencyEvaluate the role of identity, diverse segments, a.docx
 
CompetencyExamine leaderships role in executing successful change.docx
CompetencyExamine leaderships role in executing successful change.docxCompetencyExamine leaderships role in executing successful change.docx
CompetencyExamine leaderships role in executing successful change.docx
 
CompetencyEvaluate psychological theories and their insights.docx
CompetencyEvaluate psychological theories and their insights.docxCompetencyEvaluate psychological theories and their insights.docx
CompetencyEvaluate psychological theories and their insights.docx
 
CompetencyEmploy contemporary economic principles that guide.docx
CompetencyEmploy contemporary economic principles that guide.docxCompetencyEmploy contemporary economic principles that guide.docx
CompetencyEmploy contemporary economic principles that guide.docx
 
CompetencyDetermine how the environment and economies are in.docx
CompetencyDetermine how the environment and economies are in.docxCompetencyDetermine how the environment and economies are in.docx
CompetencyDetermine how the environment and economies are in.docx
 
CompetencyDescribe the atmosphere, biosphere, hydrosphere, g.docx
CompetencyDescribe the atmosphere, biosphere, hydrosphere, g.docxCompetencyDescribe the atmosphere, biosphere, hydrosphere, g.docx
CompetencyDescribe the atmosphere, biosphere, hydrosphere, g.docx
 
CompetencyDevelop examples of ethical and privacy concerns a.docx
CompetencyDevelop examples of ethical and privacy concerns a.docxCompetencyDevelop examples of ethical and privacy concerns a.docx
CompetencyDevelop examples of ethical and privacy concerns a.docx
 
CompetencyAssess the causes and consequences of historical e.docx
CompetencyAssess the causes and consequences of historical e.docxCompetencyAssess the causes and consequences of historical e.docx
CompetencyAssess the causes and consequences of historical e.docx
 
CompetencyApply data analytic methodologies to diverse popul.docx
CompetencyApply data analytic methodologies to diverse popul.docxCompetencyApply data analytic methodologies to diverse popul.docx
CompetencyApply data analytic methodologies to diverse popul.docx
 
CompetencyAssess the development of societal standards in re.docx
CompetencyAssess the development of societal standards in re.docxCompetencyAssess the development of societal standards in re.docx
CompetencyAssess the development of societal standards in re.docx
 
CompetencyAnalyze the evolution of social media standards an.docx
CompetencyAnalyze the evolution of social media standards an.docxCompetencyAnalyze the evolution of social media standards an.docx
CompetencyAnalyze the evolution of social media standards an.docx
 
CompetencyAnalyze the evolution of social media standards and .docx
CompetencyAnalyze the evolution of social media standards and .docxCompetencyAnalyze the evolution of social media standards and .docx
CompetencyAnalyze the evolution of social media standards and .docx
 
CompetencyAnalyze leadership and management roles in change ma.docx
CompetencyAnalyze leadership and management roles in change ma.docxCompetencyAnalyze leadership and management roles in change ma.docx
CompetencyAnalyze leadership and management roles in change ma.docx
 
CompetencyAnalyze financial statements to assess performance a.docx
CompetencyAnalyze financial statements to assess performance a.docxCompetencyAnalyze financial statements to assess performance a.docx
CompetencyAnalyze financial statements to assess performance a.docx
 
Competency Checklist and Professional Development Resources .docx
Competency Checklist and Professional Development Resources .docxCompetency Checklist and Professional Development Resources .docx
Competency Checklist and Professional Development Resources .docx
 
CompetenciesDetermine the historical impact of art on mode.docx
CompetenciesDetermine the historical impact of art on mode.docxCompetenciesDetermine the historical impact of art on mode.docx
CompetenciesDetermine the historical impact of art on mode.docx
 

Recently uploaded

Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

Recently uploaded (20)

This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf arts
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.ppt
 
Philosophy of china and it's charactistics
Philosophy of china and it's charactisticsPhilosophy of china and it's charactistics
Philosophy of china and it's charactistics
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 

Code Galore Caselet Using COBIT® 5 for Information Security.docx

  • 1. Code Galore Caselet: Using COBIT® 5 for Information Security Company Profile – Code Galore Background Information The Problems Your Role Your Tasks Figures Notes Questions 2 Agenda © 2013 ISACA. All rights reserved. Profile Start-up company founded in 2005 One office in Sunnyvale, California, USA 10 remote salespeople and a few with space at resellers’ offices Approximately 100 total staff; about one-third work in engineering 3 Company Profile – Code Galore 4 What we do Org. Structure Operational Industry
  • 2. Products Sales Financials Background Information Building a comprehensive business function automation software that performs many functions (decision making in approaching new initiatives, goal setting and tracking, financial accounting, a payment system, and much more). The software is largely the joint brainchild of the Chief Technology Officer (CTO) and a highly visionary Marketing Manager who left the company a year ago 5 What we do Org. Structure Operational Industry Products Sales Financials Background Information – What We Do Financed 100% by investors who are extremely anxious to make a profit. Investors have invested more than US $35 million since inception and have not received any returns. The organization expected a small profit in the last two quarters. However, the weak economy led to the cancellation of several large orders. As a result, the organization was in the red each quarter by approximately US $250,000. 6 Background Information – Financials What we do
  • 3. Org. Structure Operational Industry Products Sales Financials Code Galore is a privately held company with a budget of US $15 million per year. Sales last year totaled US $13.5 million (as mentioned earlier, the company came within US $250,000 of being profitable each of the last two quarters). The investors hold the preponderance of the company’s stock; share options are given to employees in the form of stock options that can be purchased for US $1 per share if the company ever goes public. Code Galore spends about five percent of its annual budget on marketing. Its marketing efforts focus on portraying other financial function automation applications as ‘point solutions’ in contrast to Code Galore’s product. 7 Background Information – Financials What we do Org. Structure Operational Industry Products Sales Financials 8 Background Information – Org. Structure Figure 1—Code Galore Organisational Chart CEO CSO
  • 4. VP, Finance VP, Business CTO VP, Human Resources Security Administrator Sales Mgr Accounting Dir. Sr. Financial Analyst Infrastructure Mgr. Sys. Dev. Mgr. HR Manager What we do Org. Structure Operational Industry Products Sales Financials The board of directors:
  • 5. Consists of seasoned professionals with many years of experience in the software industry Is scattered all over the world and seldom meets, except by teleconference Is uneasy with Code Galore being stretched so thin financially, and a few members have tendered their resignations within the last few months 9 Background Information – Org. Structure What we do Org. Structure Operational Industry Products Sales Financials The CEO: Is the former chief financial officer (CFO) of Code Galore that replaced the original CEO who resigned to pursue another opportunity two years ago Has a good deal of business knowledge, a moderate amount of experience as a C-level officer, but no prior experience as a CEO As a former CFO, tends to focus more on cost cutting than on creating a vision for developing more business and getting better at what Code Galore does best Background Information – Org. Structure 10 What we do Org. Structure Operational Industry Products
  • 6. Sales Financials Engineers perform code installations. The time to get the product completely installed and customized to the customer’s environment can exceed one month with costs higher than US $60,000 to the customer. Labour and purchase costs are too high for small and medium- sized businesses. So far, only large companies in the US and Canada have bought the product. C-level officers and board members know that they have developed a highly functional, unique product for which there is really no competition. They believe that, in time, more companies will become interested in this product, but the proverbial time bomb is ticking. Investors have stretched themselves to invest US $35 million in the company, and are unwilling to invest much more. 11 Background Information – Operational What we do Org. Structure Operational Industry Products Sales Financials Business function automation software is a profitable area for many software vendors because it automates tasks that previously had to be performed manually or that software did not adequately support. The business function automation software arena has many
  • 7. products developed by many vendors. However, Code Galore is a unique niche player that does not really compete (at least on an individual basis) with other business automation software companies. Background Information – Industry 12 What we do Org. Structure Operational Industry Products Sales Financials The product is comprehensive—at least four other software products would have to be purchased and implemented to cover the range of functions that Code Galore’s product covers. Additionally, the product integrates information and statistics throughout all functions—each function is aware of what is occurring in the other functions and can adjust what it does accordingly, leading to better decision aiding. Background Information – Products 13 What we do Org. Structure Operational Industry Products Sales Financials Sales have been slower than expected, mainly due to a combination of the economic recession and the high price and complexity of the product.
  • 8. The price is not just due to the cost of software development; it also is due to the configuration labour required to get the product running suitably for its customers. Background Information – Sales 14 What we do Org. Structure Operational Industry Products Sales Financials Acquisition Code Galore is in many ways fighting for its life, and the fact that, four months ago, the board of directors made the decision to acquire a small software start-up company, Skyhaven Software, has not helped the cash situation. Skyhaven consists of approximately 15 people, mostly programmers who work at the company’s small office in Phoenix, Arizona, USA. Originally, the only connection between your network and Skyhaven’s was an archaic public switched telephone network (PSTN). Setting up a WAN Two months ago, your company’s IT director was tasked with setting up a dedicated wide area network (WAN) connection to allow the former Skyhaven staff to remotely access Code Galore’s internal network and vice versa. You requested that this implementation be delayed until the security implications of having this new access route into your network were better understood, but the CEO denied your request on the grounds that it would delay a critical business initiative, namely getting Skyhaven’s code integrated into Code Galore’s.
  • 9. 15 The Problems Information Security More recently, you have discovered that the connection does not require a password for access and that, once a connection to the internal network is established from outside the network, it is possible to connect to every server within the network, including the server that holds Code Galore’s source code and software library and the server that houses employee payroll, benefits and medical insurance information. Fortunately, access control lists (ACLs) limit the ability of anyone to access these sensitive files, but a recent vulnerability scan showed that both servers have vulnerabilities that could allow an attacker to gain unauthorised remote privileged access. You have told the IT director that these vulnerabilities need to be patched, but because of the concern that patching them may cause them to crash or behave unreliably and because Code Galore must soon become profitable or else, you have granted the IT director a delay of one month in patching the servers. 16 The Problems – Overview Bots What now really worries you is that, earlier today, monitoring by one of the security engineers who does some work for you has shown that several hosts in Skyhaven’s network were found to have bots installed in them.
  • 10. Source Code Furthermore, one of the Skyhaven programmers has told you that Skyhaven source code (which is to be integrated into Code Galore’s source code as soon as the Skyhaven programmers are through with the release on which they are currently working) is on just about every Skyhaven machine, regardless of whether it is a workstation or server. 17 The Problems – Overview Code Galore vs. Skyhaven Employee knowledge Code Galore employees are, in general, above average in their knowledge and awareness of information security, due in large part to an effective security awareness programme that you set up two months after you started working at Code Galore and have managed ever since. You offer monthly brown bag lunch events in a large conference room, display posters reminding employees not to engage in actions such as opening attachments that they are not expecting, and send a short monthly newsletter informing employees of the direction in which the company is going in terms of security and how they can help. Very few incidents due to bad user security practices occurred until Skyhaven Software was acquired. Skyhaven’s employees appear to have almost no knowledge of information security. You also have discovered that the Skyhaven employee who informally provides technical assistance does not make backups and has done little in terms of security configuration and patch management. 18 The Problems – Overview
  • 11. 19 Your Role Hired two years ago as the only Chief Security Officer (CSO) this company has ever had. Report directly to the Chief Executive Officer (CEO). Attend the weekly senior management meeting in which goals are set, progress reports are given and issues to be resolved are discussed. The Information Security Department consists of just you; two members of the security engineering team from software are available eight hours each week. 10 years of experience as an information security manager, five of which as a CSO, but you have no previous experience in the software arena. Four years of experience as a junior IT auditor. Undergraduate degree in managing information systems and have earned many continuing professional education credits in information security, management and audit areas. Five years ago, you earned your CISM certification. The focus here is not on a business unit, but rather on Code Galore as a whole, particularly on security risk that could cripple the business. Due primarily to cost-cutting measures the CEO has put in place, your annual budget has been substantially less than you requested each year. Frankly, you have been lucky that no serious incident has occurred so far. You know that in many ways your company has been tempting fate. You do the best you can with what you have, but levels of
  • 12. unmitigated risk in some critical areas are fairly high. Your Role and the Business Units 20 Mr. Wingate’s focus on cost cutting is a major reason that you have not been able to obtain more resources for security risk mitigation measures. He is calm and fairly personable, but only a fair communicator, something that results in your having to devote extra effort in trying to learn his expectations of your company’s information security risk mitigation effort and keeping him advised of risk vectors and major developments and successes of this effort. 21 Your Role and the CEO, Ernest Wingate Code Galore’s IT director is Carmela Duarte. She has put a system of change control into effect for all IT activities involving hardware and software. This system is almost perfect for Code Galore—it is neither draconian nor too lax and very few employees have any complaints against it. You have an excellent working relationship with her, and although she is under considerable pressure from her boss, the CTO, and the rest of C-level management to take shortcuts, she usually tries to do what is right from a security control perspective.
  • 13. She is working hard to integrate the Skyhaven Software network into Code Galore’s, but currently, there are few resources available to do a very thorough job. She would also do more for the sake of security risk mitigation if she had the resources. Carmela has worked with Code Galore since 2006, and she is very much liked and respected by senior management and the employees who work for her. 22 Your Role and the IT Director, Carmela Duarte You believe that Code Galore’s (but not Skyhaven Software’s) security risk is well within the risk appetite of the CEO and the board of directors. You have a good security policy (including acceptable use provisions) and standards in place, and you keep both of them up to date. You have established a yearly risk management cycle that includes asset valuation, threat and vulnerability assessment, risk analysis, controls evaluation and selection, and controls effectiveness assessment, and you are just about ready to start a controls evaluation when you suddenly realise that something more important needs to be done right away (outlined in The Problem section). 23 Your Tasks © 2013 ISACA. All rights reserved. Using the figure 4 template, you need to modify the qualitative risk analysis that you performed six months ago to take into
  • 14. account the risk related to Skyhaven Software. The major risk events identified during this risk analysis are shown in figure 2. You must not only head this effort, but for all practical purposes, you will be the only person from Code Galore who works on this effort. 24 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved. Your revision of the last risk analysis will not only bring Code Galore up to date concerning its current risk landscape, but will also provide the basis for your requesting additional resources to mitigate new, serious risk and previously unmitigated or unsuitably mitigated risk. You may find that some risk events are lower in severity than before, possibly to the point that allocating further resources to mitigate them would not be appropriate. This may help optimise your risk mitigation investments. To the degree that you realistically and accurately identify new and changed risk, you will modify the direction of your information security practice in a manner that, ideally, lowers the level of exposure of business processes to major risk and facilitates growth of the business. Failure to realistically and accurately identify new and changed risk will result in blindness to relevant risk that will lead to unacceptable levels of unmitigated risk. 25 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved.
  • 15. You must revise the most recent risk analysis, not only by reassessing all the currently identified major risk, but also by adding at least three risk events that were not previously identified. COBIT 5 provides tools that might be helpful in determining the best approach reassessing and prioritising the major risk events, in EDM03, Ensure risk optimisation. You must also provide a clear and complete rationale for the risk events, their likelihood, and impacts (outlined in the section Alternatives With Pros and Cons of Each section). 26 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved. The rationale for each security-related risk that you select must include a discussion of the pros and cons associated with identifying and classifying each as a medium-low risk or higher. For example, suppose that you decide that a prolonged IT outage is no longer a medium- to low-level risk, but instead is now a low risk. The pros (purely hypothetical in this case) may be that outage- related risk events are now much lower than before due to, for example, the implementation of a new backup and recovery system that feeds data into an alternative data center (not true in this caselet). In this case allocating additional resources would therefore be a waste of time and money. 27 Your Tasks – Pros and Cons
  • 16. © 2013 ISACA. All rights reserved. On the con side, lowering the severity of a prolonged IT outage risk may result in underestimation of this source of risk, which could result in failing to allocate resources and in a much higher amount of outage-related loss and disruption than Code Galore could take, given its somewhat precarious state. 28 Your Tasks – Pros and Cons © 2013 ISACA. All rights reserved. Exhibits – Major Risk 29 © 2013 ISACA. All rights reserved. Figure 2—Major Risk Figure 3—Network Diagram 30 © 2013 ISACA. All rights reserved. 31 Figure 4—Risk Analysis Template © 2013 ISACA. All rights reserved. Since Code Galore is in the business function automation software arena it should be consider using business process automation (BPA), a strategy an business uses to automate
  • 17. processes in order to contain costs. It consists of integrating applications, restructuring labor resources and using software applications throughout the organization. Code Galore is in a very difficult situation. Its existence is uncertain, and money is critical right now. Yet, this company has opened itself up to significant levels of security risk because of acquiring Skyhaven Software and the need for former Skyhaven programmers to access resources within the corporate network. Worse yet, even if the chief security officer (CSO) in this scenario correctly identifies and assesses the magnitude of security risk from acquiring Skyhaven and opening the Code Galore network to connections from the Skyhaven network and prescribes appropriate controls, given Code Galore’s cash crunch, not many resources (money and labour) are likely to be available for these controls. 32 Notes © 2013 ISACA. All rights reserved. All the CSO may be able to do is document the risk and make prioritised recommendations for controls, waiting for the right point in time when the company’s financial situation gets better. If an information security steering committee exists, the CSO must keep this committee fully apprised of changes in risk and solicit input concerning how to handle this difficult situation. At the same time, the CSO should initiate an ongoing effort (if no such effort has been initiated so far) to educate senior management and key stockholders concerning the potential business impact of the new risk profile. (Note: The kind of
  • 18. situation described in this caselet is not uncommon in real- world settings.) 33 Notes © 2013 ISACA. All rights reserved. What are the most important business issues and goals for Code Galore? What are the factors affecting the problem related to this case? What are the managerial, organizational, and technological issues and resources related to this case? What role do different decision makers play in the overall planning, implementing and managing of the information technology/security applications? What are some of the emerging IT security technologies that should be considered in solving the problem related to the case? 34 Discussion Questions 1-5 © 2013 ISACA. All rights reserved. In what major ways and areas can information security help the business in reaching its goals? Which of the confidentiality, integrity and availability (CIA) triad is most critical to Code Galore’s business goals, and why? Change leads to risk, and some significant changes have occurred. Which of these changes lead to the greatest risk? Imagine that three of the greatest risk events presented themselves in worst-case scenarios. What would be some of these worst-case scenarios? How can the CSO in this scenario most effectively communicate newly and previously identified risk events that have grown because of the changes to senior management?
  • 19. 35 Discussion Questions 6-10 © 2013 ISACA. All rights reserved. 1 Quantitative Analysis To: Chief Information officer From: Manager of Desktop Support Re: Report Introduction Computer and Mobile phone loss in NASA could cause great danger to the organization and expose the organization to all sorts of system vulnerabilities. As reported in (Melanie Pinola, 2012), 48 mobile devices were stolen between April 2009 and April 2011. A more worrying trend is the level of encryption within the organization. Only one percent of the organization is encrypted, leaving sensitive data exposed to vulnerabilities and potential losses. There is a need to review the business continuity and disaster management plan. This should be done with a deep understanding of the current problem. Currently, there are 700 laptops presently in service. These Single Loss Expectancy (SLE) This is a risk assessment tool, which is the monetary value experienced when there is a risk on an asset. It is a single loss
  • 20. that the institution will suffer. SLE== Asset Value X Exposure Factor $49000 X 0.99 X 700 =$33,957,000 Annualized Rate of Occurrence (ARO) This is the projected frequency of a threat happening in a year. 48 computers lost between Apr 2009 and April 2011 Hence 24 computers lost in one year. Hence the threat on a single laptop or mobile is 24/700=0.034 Annualized Loss Expectancy (ALE) It is based on the probability of an event occurring. Therefore, you multiply the annualized rate of occurrence (ARO) by Loss of Expectancy (SLE) ALE =SLE X ARO ALE=$33,957,000 X 0.034 =US$1,154,538 Safeguard Value Risk mitigation controls monetary expense. This helps determine the financial feasibility and effectiveness. The assumption is that all the proposed risk control measures are implemented correctly. Safeguard value is based on the hardware and software cost that you invest in protecting your information in case of software theft. Software solutions Altiris Manageability toolkit is available hardware per every node is US$18 https://www.marketscreener.com/ALTIRIS-8486/news/Altiris- Altiris-Ships-New-Toolkit-to-Sucnet.com/products/altiris- manageability-toolkit-for-intel-vpro-technology-essential- support-renewal-series/pport-Intel-vPro-1-Technology-for- Efficient-IT-Service-Man-273906/?iCStream=1 $ 18 X700 =12600 Support license for the network
  • 21. 12600+$80000 Cost of software USD92,600 Value of Safeguard=ALE before the implementation of safeguard-ALE after safeguard -Annual cost of protection. Sheet1CategoryProbability(0.0-1.0)Impact(0-100)Risk Level(PXI)Description1Zombles0.02901.8Zombie Apocalypse causes wide spread panic and physical security threats to staff, property and business operations2Natural Disaster0.12607.2the location of business may expose it to particular national disasters. This may be long term or short term. Rains may inturupt power supply. 3Threat of Breach from consumer error0.43012Consumer may expose the system or account by commission or ommission. This puts own data and others data at risk. 4Breach Through Vendor Network0.454520.25A threat from the faults of the service providers security system may expose the data to threat. 5Malware0.87560Malwares will mostly be sent through other communication or may be brought . They pause the threat of data exposure6Inside Misuse0.78559.5Employees handle a lot of company data and can be threat to the organisation by sharing it or even exposing it accidentally7Fringe Threat0.88568The risks includes fires, electrical failure, physical theft, attack by mob from office. The impact of threat varies