SCHOOL OF INFORMATION SCIENCE AND TECHNOLOGY
UNIVERSITY EXAMINATION
BACHELOR DEGREE IN SOFTWARE ENGINEERING/INFORMATION TECHNOLOGY
SOEN 424/BIT 410: INFORMATION SYSTEMS AUDIT
Wanjiru Brian Meja
IN16/20415/17
YEAR FOUR SEMESTER TWO
CAT
QUESTION ONE
Giving justification, state why it is important for an organization to incorporate risk management
in there strategic planning of an enterprise. [10 Marks]
Challenge Assumptions to Identify Unknown Risks
Discovering enterprise risks to strategic goals involves a process. In order to unearth these
unknown risks, management should first identify the key assumptions that make the current
strategy successful. Protiviti suggests that asking questions like, “What needs to go right for a
strategy to be successful?” These assumptions include but not limited to consumer preference
trends, brand recognition, regulation, capital accessibility, capabilities of competitors, and
current technology. Once the key assumptions are identified, the next step in the process is to
develop contrarian statements that make the assumptions invalid. Lastly, management should
develop an implications statement designed to identify changes or events that could make the
assumptions invalid and then develop a response to that event.
The thought paper used the 2008 financial crisis and financial institutions as an example because
the institutions that focused on the unknowns were able to identify a change in the market 12-14
months ahead of their peers. This gave them the ability to react in time and stay in business.
Here is how challenging assumptions and thinking about contrarian views would be helpful in
assessing the lending strategies that got many banks in trouble.

Lending Strategy: Lend to the low-income housing sector at an accelerated pace and
high volume with the intent to sell these loans as collateralized mortgage obligations
(CMO).

Key Assumptions: Increasing and stable home prices, capital accessibility would be
constant and continued demand for CMOs.

Contrarian Statement: Housing market collapses nationwide, rendering CMOs
worthless.

Implications Statement: Monitor housing markets related to loan portfolio and decrease
or increase investment in CMOs as indicators indicate.
Adapt to Every Changing Environment
The longer a business is in operation, the more likely it will experience a fundamental change in
its operating environment. In order to deal with these changes, businesses need to become more
adaptable. By becoming more adaptable they become more resilient. An intelligence-gathering
process that is aligned to strategy will give direction as to what to pay attention to. The Protiviti
thought paper uses the bookstores, Boarders and Barnes & Noble, to demonstrate how aligning
the intelligence-gathering process to strategy can help businesses adapt to a fundamental
change.
In 2003, Boarders’ strategic growth initiative was to expand brick and mortar stores in the US
and abroad. The key assumptions were that Boarders’ extensive inventory and alternative types
of media (CDs and DVDs) would make Boarders’ “the place to go”. Boarders did not anticipate
a consumer preference shift to online shopping and downloadable media like mp3s or ebooks. However, Barnes & Noble did see a consumer shift coming as well as emerging
technology and decided to change its strategy in order to stay relevant. Barnes & Noble
decreased its square footage, developed an e-reader and offered titles online, and deceased its
inventory in CDs and DVDs. Barnes & Noble was able to adapt to the new market because it
anticipated and reacted to a fundamental change.
The thought paper also discusses the concept of “early mover status”. Like Barnes & Noble,
early movers not only recognize changes but also have the ability to react to changes by:
1. Adjusting their strategy
2. Creating new plans and processes
3. Promoting a culture that expedites information that can impact or disrupt the status
quo
Non-early movers tend to fear change and deny that a change is coming. They focus on today
instead of obsessing over new opportunities or risks tomorrow.
Manage Your Most Valuable Asset: Your Reputation
The thought paper explains that reputation risk can be avoided by risk management and
mitigated by crisis management. For instance, when assessing reputation risk, management
should consider the “big picture” approach by assessing risks to the entire value
chain. Executives should not only consider risks that directly affect their company but also risks
that could directly affect their suppliers, their supplier’s suppliers, distributers and retail
partners. When consumers are injured due to a faulty supply part, they don’t blame the supplier
who is in another country. Rather, they blame the company whose name is on the product. In
assessing end-to-end reputation risk, executives should consider environmental conditions that
could stop the flow of materials and inventory, labor conditions that could be embarrassing to the
company, or inadequate controls over raw materials that could be toxic to consumers. If these
conditions exist and continue, they will eventually be exposed and your reputation will suffer
because of it.
The other side of reputation risk is crisis management. Crisis management involves a quick
response time coupled with honest and open communications to consumers designed maintain
customer’s faith in the brand. Companies should have a crisis management team designated to
act quickly with a pre-determined plan when needed. For instance, Tylenol responded to its crisis
in 1982 perfectly. They responded quickly, informed consumers and acted with consumer’s best
interest at heart. As a result, Tylenol was able to protect their brand and reputation.
Promote a Risk Intelligent Culture
There are three aspects to developing a risk intelligent culture:
1. Having and listening to a contrarian voice. The thought paper uses Washington
Mutual as an example. In 2007, two former chief risk officers (CRO) attempted to limit
risky lending practices. When the CROs attempted to warn the other executives, they
were ignored at first and then eventually isolated. A strategically well-placed CRO with
a direct line to the board of directors could have changed Washington Mutualist lending
practices before the financial crisis.
2. Balancing value creation and value protection. As companies purse value they accept
risks. But how do companies know when they are taking on too much risk? In order to
answer this question, management should understand the risk appetite of the
company. In doing this, the management should develop a risk appetite statement, which
is approved by the board of directors, which creates a boundary for management to
operate in. The thought paper mentions Lehman Brothers as a perfect example, because
its executives defined their risk appetite but decided to ignore it and accept more risk than
the company could handle.
3. Develop forward-looking key risk indicators. Using retrospective performance
indicators are great for performance management, but these indicators, also known as
“lag-indicators”, tell us about the past. Companies should devote time looking forward
by assessing the business environment and how it is changing, using scenario analysis to
determine whether plans are in place, implement a risk identification and assessment
process, and defining situations in which the current business plan is no longer working.
Center Board’s Risk Focus on Critical and Emerging Risks
Critical and emerging should be the focal point of the board when it comes to the risk
management process. The thought paper states that the board should place risks into five
categories:
1. Governance Risks: board composition, CEO selection, executive compensation.
2. Critical Enterprise Risks: strategic risks.
3. Board-Approval Risks: requires the board and management to understand each other
concerning major decisions and activities that need board approval.
4. Business Management Risk: operational, compliance and financial risks.
5. Emerging Risks: a new competitor, new technology, changing regulation.
By placing risks into these categories, it will limit the board’s scope to concentrate on the bigger
issues instead of all the risks that each division faces. The board should be ensuring that
management has an effective risk management process in place that (1) identifies, assesses and
manages critical and emerging risks; (2) communicates these risks to the board.
QUESTION TWO
Discuss any FOUR factors that may compel a network administrator to implement network
monitoring and analysis in a network
[10 Marks]
Choosing what to monitor with a network monitoring software is just as important as deciding to
implement one in your business. You can use network monitoring to track a variety of areas in a
network, but monitoring usually focuses on the following four areas:

Bandwidth use: Monitoring network traffic, how much bandwidth your company uses
and how effectively it’s used helps ensure that everything runs smoothly. Devices or
programs that hog your bandwidth may need to be replaced.

Application performance: Applications running on your network need to function
properly, and network monitoring systems can test to be sure that they do. Network
monitoring systems can test the response time and availability of network-based
databases, virtual machines, cloud services and more to be certain that they are not
slowing down your network.

Server performance: Email servers, web servers, DNS Servers and more are the crux of
many functions in your business, so it’s essential to test the uptime, reliability and
consistency of each server.

Network configuration: Network monitoring systems can supervise many kinds of
devices, including cell phones, desktops and servers. Some systems include automatic
discovery, which allows them to log and track devices continuously as they are added,
changed or removed. These tools can also segregate devices according to their type,
service, IP address or physical location, which helps keep the network map updated and
helps plan for future growth.
QUESTION THREE
Discuss network authentication and suggest the most effective way of realizing it [10 Marks]
Put simply, network-level authentication is how a network confirms that users are who they say
they are. It’s a system for differentiating legitimate users from illegitimate ones. When a user
attempts to login to a network, they indicate their identity with a username. A system then crosschecks the username with a list of authorized users to ensure they are cleared to access the
network.
Yet this process is not sufficient to create a secure system. What if a nefarious party pretends to
be someone else by entering a username that’s not their own? Here’s where secure authentication
methods come in. Authentication is an additional step that verifies the person entering a
username is in fact the owner of that username. Once a user has been authenticated, it’s safe to
allow them access to the network.
As internet technology has evolved, a diverse set of network authentication methods have been
developed. These include both general authentication techniques (passwords, two-factor
authentication [2FA], tokens, biometrics, transaction authentication, computer recognition,
CAPTCHAs, and single sign-on [SSO]) as well as specific authentication protocols (including
Kerberos and SSL/TLS). We’ll now turn to the most common authentication methods, showing
how each one can work for your clients.
1) Password authentication
Anyone who uses the internet is familiar with passwords, the most basic form of authentication.
After a user enters his or her username, they need to type in a secret code to gain access to the
network. If each user keeps their password private, the theory goes, unauthorized access will be
prevented. However, experience has shown that even secret passwords are vulnerable to hacking.
Cybercriminals use programs that try thousands of potential passwords, gaining access when
they guess the right one.
To reduce this risk, users need to choose secure passwords with both letters and numbers, upper
and lower case, special characters (such as $, %, or &), and no words found in the dictionary. It’s
also important to use long passwords of at least eight characters; each additional character makes
it harder for a program to crack. Short, simple passwords such as “password” (one of the most
common) and “12345” are barely better than no password at all. The most secure systems only
allow users to create secure passwords, but even the strongest passwords can be at risk for
hacking. Security experts have therefore developed more sophisticated authentication techniques
to remedy the flaws of password-based systems.
2) Two-factor authentication (2FA)
Two-factor authentication builds on passwords to create a significantly more robust security
solution. It requires both a password and possession of a specific physical object to gain access
to a network—something you know and something you have. ATMs were an early system to
use two-factor authentication. To use an ATM, customers need to remember a “password”—their
PIN—plus insert a debit card. Neither one is enough by itself.
In computer security, 2FA follows the same principle. After entering their username and a
password, users have to clear an additional hurdle to login: they need to input a one-time code
from a particular physical device. The code may be sent to their cell phone via text message, or it
may be generated using a mobile app. If a hacker guesses the password, they can’t proceed
without the user’s cell phone; conversely, if they steal the mobile device, they still can’t get in
without the password. 2FA is being implemented on an increasing number of banking, email,
and social media websites. Whenever it’s an option, make sure to enable it for better security.
3) Token authentication
Some companies prefer not to rely on cell phones for their additional layer of authentication
protection. They have instead turned to token authentication systems. Token systems use a
purpose-built physical device for the 2FA. This may be a dongle inserted into the computer’s
USB port, or a smart card containing a radio frequency identification or near-field
communication chip. If you have a token-based system, keep careful track of the dongles or
smart cards to ensure they don’t fall into the wrong hands. When a team member’s employment
ends, for example, they must relinquish their token. These systems are more expensive since they
require purchasing new devices, but they can provide an extra measure of security.
4) Biometric authentication
Biometric systems are the cutting edge of computer authentication methods. Biometrics
(meaning “measuring life”) rely on a user’s physical characteristics to identify them. The most
widely available biometric systems use fingerprints, retinal or iris scans, voice recognition, and
face detection (as in the latest iPhones). Since no two users have the same exact physical
features, biometric authentication is extremely secure. It’s the only way to know precisely who is
logging in to a system. It also has the advantage that users don’t have to bring a separate card,
dongle, or cell phone, nor do they have to remember a password (though biometric
authentication is more secure when paired with a password).
Despite their security advantages, biometric systems also have considerable downsides. First,
they are expensive to install, requiring specialized equipment like fingerprint readers or eye
scanners. Second, they come with worrisome privacy concerns. Users may balk at sharing their
personal biometric data with a company or the government unless there is a good reason to do so.
Thus biometric authentication makes the most sense in environments requiring the highest level
of security, such as intelligence and defense contractors.
5) Transaction authentication
Transaction authentication takes a different approach from other web authentication methods.
Rather than relying on information the user provides, it instead compares the user’s
characteristics with what it knows about the user, looking for discrepancies. For example, say an
online sales platform has a customer with a home address in Canada. When the user logs in, a
transaction authentication system will check the user’s IP address to see if it’s consistent with
their known location. If the customer is using an IP address in Canada, all is well. But if they’re
using an IP address in China, someone may be trying to impersonate them. The latter case raises
a red flag that triggers additional verification steps. Of course, the actual user may simply be
traveling in China, so a transaction authentication system should avoid locking them out entirely.
Transaction authentication does not replace password-based systems; instead, it provides an
additional layer of protection.
6) Computer recognition authentication
Computer recognition authentication is similar to transaction authentication. Computer
recognition verifies that a user is who they claim to be by checking that they are on a particular
device. These systems install a small software plug-in on the user’s computer the first time they
login. The plug-in contains a cryptographic device marker. Next time the user logs in, the marker
is checked to make sure they are on the known device. The beauty of this system is that it’s
invisible to the user, who simply enters their username and password; verification is done
automatically. The disadvantage of computer recognition authentication is that users sometimes
switch devices. Such a system must enable logins from new devices using other verification
methods (e.g., texted codes).
7) CAPTCHAs
Hackers are using increasingly sophisticated automated programs to break into secure systems.
CAPTCHAs are designed to neutralize this threat. This authentication method is not focused on
verifying a particular user; rather, it seeks to determine whether a user is in fact human. Coined
in 2003, the term CAPTCHA is an acronym for “completely automated public Turing test to tell
computers and humans apart.” The system displays a distorted image of letters and numbers to
the user, asking them to type in what they see. Computers have a tough time dealing with these
distortions, but humans can typically tell what they are. Adding a CAPTCHA enhances network
security by creating one more barrier to automated hacking systems. Nevertheless, they can
cause some problems. Individuals with disabilities (such as blind people using auditory screen
readers) may not be able to get past a CAPTCHA. Even nondisabled users sometimes have
trouble figuring them out, leading to frustration and delays.
8) Single sign-on (SSO)
Single sign-on (SSO) is a useful feature to consider when deciding between device
authentication methods. SSO enables a user to only enter their credentials once to gain access to
multiple applications. Consider an employee who needs access to both email and cloud
storage on separate websites. If the two sites are linked with SSO, the user will automatically
have access to the cloud storage site after logging on to the email client. SSO saves time and
keeps users happy by avoiding repeatedly entering passwords. Yet it can also introduce security
risks; an unauthorized user who gains access to one system can now penetrate others. A related
technology, single sign-off, logs users out of every application when they log out of a single one.
This bolsters security by making certain that all open sessions are closed.
What are the most common authentication protocols?
Now that we have a sense of commonly used authentication methods, let’s turn to the most
popular authentication protocols. These are specific technologies designed to ensure secure user
access. Kerberos and SSL/TLS are two of the most common authentication protocols.
1) Kerberos
Kerberos is named after a character in Greek mythology, the fearsome three-headed guard dog of
Hades. It was developed at MIT to provide authentication for UNIX networks. Today, Kerberos
is the default Windows authentication method, and it is also used in Mac OS X and Linux.
Kerberos relies on temporary security certificates known as tickets. The tickets enable devices on
a nonsecure network to authenticate each other’s identities. Each ticket has credentials that
identify the user to the network. Data in the tickets is encrypted so that it cannot be read if
intercepted by a third party.
Kerberos uses a trusted third party to maintain security. It works as follows: First, the client
contacts the authentication server, which transmits the username to a key distribution center. The
key distribution center then issues a time-stamped access ticket, which is encrypted by the ticketgranting service and returned to the user. Now the user is ready to communicate with the
network. When the user needs to access another part of the network, they send their ticket to the
ticket-granting service, which verifies that it’s valid. The service then issues a key to the user,
who sends the ticket and service request to the actual part of the server they need to
communicate with.
This is all invisible to the user, happening behind the scenes. Kerberos has some
vulnerabilities—it requires the authentication server to be continuously available, and it requires
clocks on different parts of the network to always be synchronized. Still, it remains a widespread
and useful authentication technology.