Wednesday, February 13, 2008

Information technology governance

Information Technology Governance, IT Governance or ICT Governance, is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.

A characteristic theme of IT governance discussions is that the IT capability can no longer be a black box. Traditionally, board-level executives, having limited technical experience and facing considerable IT complexity, have deferred key IT decisions to IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision-making process. This prevents a single stakeholder, typically IT, from being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected:

A board needs to understand the overall architecture of its company's IT applications portfolio … The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue… [1]


There are narrower and broader definitions of IT governance. Weill and Ross focus on "Specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT."[2]

In contrast, the IT Governance Institute expands the definition to include underpinning mechanisms: "… the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives." [3]

AS8015, the Australian Standard for Corporate Governance of ICT, defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."


The discipline of information technology governance derives from corporate governance and deals primarily with the connection between business focus and IT management of an organization. It highlights the importance of IT related matters in contemporary organizations and states that strategic IT decisions should be owned by the corporate board, rather than by the chief information officer or other IT managers.

The primary goals for information technology governance are to (1) assure that the investments in IT generate business value, and (2) mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications, infrastructure, etc.

Decision rights are a key concern of IT governance, being the primary topic of the book by that name by Weill and Ross.[4] According to Weill and Ross, depending on the size, business scope, and IT maturity of an organization, either centralized, decentralized or federated models of responsibility for dealing with strategic IT matters are suggested. In this view, the well defined control of IT is the key to success.

After the widely reported collapse of Enron in 2000, and the alleged problems within Arthur Andersen and WorldCom, the duties and responsibilities of the boards of directors for public and privately held corporations were questioned. In response, and in an attempt to prevent similar problems from happening again, the US Sarbanes-Oxley Act was written to stress the importance of business control and auditing. Sarbanes-Oxley and Basel II in Europe have been catalysts for the development of the discipline of information technology governance since the early 2000s. However, the concerns of Sarbanes-Oxley (in particular Section 404) have less to do with IT decision rights as discussed by Weill and Ross, and more to do with operational control processes such as change management.

Following corporate collapses in Australia around the same time, working groups were established to develop standards for corporate governance. A series of Australian Standards for Corporate Governance was published in 2003:

  • Good Governance Principles (AS8000)
  • Fraud and Corruption Control (AS8001)
  • Organisational Codes of Conduct (AS8002)
  • Corporate Social Responsibility (AS8003)
  • Whistle Blower protection programs (AS8004)

In 2005, AS8015 Corporate Governance of ICT was published.

Options Trading Technology

The Optioneer strategy uses proprietary technology that has been formulated to give you two valuable indicators that identify trade entry and exit points.

  • Probability or "P" Factor: The probability of the market being outside the Strike price by contract expiration date.
  • Risk or "R" Factor: The risk associated with entering the market.

The tried-and-tested formulas that determine the "R" and "P" factors are calculated daily by Optioneer Systems and posted on the web site. Without these two indicators we believe it is very difficult to assess one's position on a daily basis.

Through regular practice in smaller trades, skills can be honed, while at the same time gaining confidence and building market knowledge.

Trading Technology

Internet Trading

Internet Trading unleashes the potential of the Internet by providing the broking members of an exchange with the functionality to grant limited / full access to any of their clients.

When making this connection, the broker is guaranteed complete confidentiality and the rules of the exchange are strictly adhered to. The exchange receives bids and offers from the broker, acting as an agent on behalf of a client. Every such bid or offer is checked against limits set up by the broker, and when any bid or offer is satisfied all other bids and offers are re-checked. Order authorization is not required if the order is within the limits set by the broker; the facility is, however, available.

The client has a restricted set of ATS functions, for example they cannot make a request for a double, or an RFQ. In real time however, they can bid, offer, hit a bid or offer, view their orders, trades, positions, and margin requirement.

As the Internet ATS server behaves just as a dealer would who receives a call from a client, a dealer who is logged in will see all the client orders as they are created and as they become trades and positions.

The Internet ATS software package consists of three separate modules, each performing specific functions.

ATS Inet server

Provides the interface between the client, broker and the appropriate exchange through which all deals take place. Stores a client database. The ATS Inet server runs at the broker. The broker can add new clients, delete clients or modify existing client data. Adding a client will grant them access to the relevant exchange system via the internet, if the client has the ATS Client Interface installed on their PC and has access to the internet. When a client is added the broker can choose to which degree the client is restricted to deal by setting the margin limits of the client, deciding whether the client can hit only, view depth and whether the client needs authorization to make deals. A client may also be denied dealing at all and will only be able to view the live data that is transmitted from the relevant exchange. If a client is deleted from the database, they will no longer be able to access the relevant financial market via the internet until they are added to the system again. The client's particulars may also be modified so that more/fewer restrictions are placed on them, according to the current wishes of the broker.

ATS Client Interface

Provides the means through which a client of the broker can view live exchange data and make deals over the internet. The ATS Client Interface runs at the client. The client must be a registered exchange client, have access to the internet and have the ATS Client Interface installed on their PC. The client will have to supply their personal password before they are allowed to connect to the ATS Inet server. They will then be able to see live data streaming in from the relevant exchange on their terminal, and will be able to perform whatever functions their broker has allowed.

Monitor

The main function of the Monitor is to enable the broker to authorize the deals that a client wishes to make. The Monitor runs at the broker. Brokers will be able to see all those deals for which they wish to deny or grant approval, according to the criteria set up in the ATS Inet server for each client. When a client attempts to make a bid or offer that requires such approval, the client's code and details of the transaction will appear on the screen. The broker can then accept or decline the proposed deal at the click of a button.

Security and data integrity

A number of security measures have been built into the Internet ATS:

Encryption / Decryption

Any deals (bids/offers) or password changes made by the client are sensitive data that need to be secured. The sensitive data is encrypted at the Client Interface and decrypted at the Internet server using a complex encryption/decryption algorithm. The data is encrypted using an untraceable key, which includes random elements and changes daily. The key is calculated independently at both the Client Interface and the Internet server, using identical formulae, and is therefore never transmitted with the sensitive data.

Time encapsulation

Potentially, a hacker can intercept a sensitive message and re-send it a number of times to the Inet server without tampering with the message itself. Any number of identical transactions, unwanted by the client, can be performed at the exchange in this way as long as the margin limit of the client is not transgressed. In order to prevent this, the current time is recorded as part of the sensitive message, and is subsequently encrypted at the Client Interface and decrypted at the Internet server.

When a valid sensitive message has been sent (for example a client has made a valid bid) the time that is encapsulated within the message is stored at the Internet server. When the client sends a subsequent sensitive message, the time that is encapsulated in the second message is compared to the time that had been stored previously. Logic dictates that the time encapsulated in the second message must be later than the stored time; if it is not, the message must be a copy of an earlier message and is rejected. Since the time that is encapsulated is also encrypted within the sensitive message, it cannot be tampered with and the scenario described above will not occur.
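The time-encapsulation check described above, as an added example that is not code from the Internet ATS product. It assumes a constructed shared daily key on both sides (how that key is derived is out of scope here) and binds the send time to the message body with an HMAC, so that altering the time breaks the message just as the page says tampering with the encrypted time is not possible.

```python
import hmac, hashlib, json

# Constructed stand-in for the daily key both sides derive independently.
DAILY_KEY = b"constructed-daily-key-2008-02-13"

def seal(body: dict, sent_at: float, key: bytes = DAILY_KEY) -> bytes:
    """Client Interface side: encapsulate the send time in the message and
    bind time + body together with a MAC keyed by the shared daily key."""
    payload = json.dumps({"t": sent_at, "body": body}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return tag + b"." + payload

class InetServer:
    """Inet server side: remembers the last accepted time per client and
    rejects any message whose time is not strictly later (a replayed copy)."""
    def __init__(self, key: bytes = DAILY_KEY):
        self.key = key
        self.last_time = {}   # client code -> last accepted send time
        self.accepted = []    # deals that would be forwarded to the exchange

    def receive(self, client: str, msg: bytes) -> str:
        tag, _, payload = msg.partition(b".")
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "rejected: tampered"          # time or body was altered
        data = json.loads(payload)
        if data["t"] <= self.last_time.get(client, float("-inf")):
            return "rejected: replay"           # not later than the stored time
        self.last_time[client] = data["t"]
        self.accepted.append((client, data["body"]))
        return "accepted"

def demo():
    """Constructed exchange: a bid, the same bid re-sent, a forged time, a new offer."""
    srv = InetServer()
    bid = seal({"op": "bid", "contract": "CONSTRUCTED-OPT", "qty": 5}, sent_at=1.0)
    results = [srv.receive("C1", bid), srv.receive("C1", bid)]
    forged = bid.replace(b'"t": 1.0', b'"t": 2.0')   # attacker edits the time
    results.append(srv.receive("C1", forged))
    results.append(srv.receive("C1", seal({"op": "offer", "qty": 1}, sent_at=2.0)))
    return results, len(srv.accepted)
```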

Password Issues

Passwords must be of a certain minimum length and must contain at least 5 different characters. The client must change their password regularly. Recent passwords are stored at the Internet server and new passwords are checked against these so that passwords are not re-used often. If consecutive logins are unsuccessful, it is assumed that someone is tampering with the client's system.

In this case the Internet server changes the client's password to a random number, and a message is sent to the client to contact their broker, who will be able to tell them what their password has been changed to. The client will then be able to re-login and change their password again should they wish to do so. Each time that a sensitive message is sent (for example on making a bid), the client must provide their password. In this way tampering by other people is minimized when the client is away from their computer.
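The password rules and the reset-on-consecutive-failures step above, as an added example that is not the product's own code. The minimum length, history depth and failure threshold are assumed values, since the page gives only the "5 different characters" rule; recent passwords are kept as salted PBKDF2 hashes rather than in clear.

```python
import hashlib, hmac, secrets

MIN_LENGTH = 8        # assumed: the page says "a certain length" without a number
MIN_DISTINCT = 5      # from the page: at least 5 different characters
HISTORY_SIZE = 5      # assumed depth of the recent-password list
MAX_FAILURES = 3      # assumed consecutive failures before the reset

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ClientAccount:
    """Server-side password state for one client, following the page's rules."""
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.current = _digest(password, self.salt)
        self.history = [self.current]     # recent passwords, newest last
        self.failures = 0                 # consecutive unsuccessful logins
        self.reset_notice = None          # set once the broker must be contacted

    def check_new_password(self, candidate: str) -> str:
        if len(candidate) < MIN_LENGTH:
            return "too short"
        if len(set(candidate)) < MIN_DISTINCT:
            return "fewer than 5 distinct characters"
        d = _digest(candidate, self.salt)
        if any(hmac.compare_digest(d, old) for old in self.history):
            return "recently used"
        return "ok"

    def change_password(self, candidate: str) -> bool:
        if self.check_new_password(candidate) != "ok":
            return False
        self.current = _digest(candidate, self.salt)
        self.history = (self.history + [self.current])[-HISTORY_SIZE:]
        return True

    def login(self, attempt: str) -> bool:
        """Called for every sensitive message, since each one carries the password."""
        if hmac.compare_digest(_digest(attempt, self.salt), self.current):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:    # assume tampering: reset to a random number
            self.current = _digest(str(secrets.randbelow(10**8)).zfill(8), self.salt)
            self.failures = 0
            self.reset_notice = "contact your broker for the new password"
        return False
```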

Set out below are our technological specifications for each module of our Internet Automated Trading System:

Internet SERVERS:

  • 100% IBM compatible 350 MHz Pentium
  • 64MB RAM
  • 1.4MB stiffy drive
  • 1 GB hard drive
  • VGA
  • Windows NT Server
  • Windows IIS or equivalent
  • Novell 32 Client


  • 100% IBM compatible 200 MHz Pentium
  • 32MB RAM
  • 1.4MB stiffy drive
  • 1 GB hard drive
  • VGA
  • Windows 95/98/NT

Margin Monitor

The Margin Monitor is an add-on tool that monitors margins on Yield-X in real time. It accepts what-if inputs, which enable you to check margin requirements prior to actual trade entry. Margin requirements are calculated on a trade-for-trade basis throughout the day, and margin contributions are calculated at trade level.

The Margin Monitor calculates the Risk Margin and the Settlement Margin for each participant of the market (Derivatives and Spot) that has Positions for the trading day. In addition, the Margin Monitor calculates the Margin for every Contract in the deals file per participant.

A "What If" option calculates the margin for selected contracts, number of positions and Strike (the Strike is only relevant for Option Contracts). If a Participant of the market is selected, these margins are calculated with offset against that participant's positions; otherwise only the margin for the selected contracts is calculated.