a) Describe the three main information security objectives and provide reasons why banks implement various information security controls. [10 Marks]

b) Describe various tools, techniques, and means by which organisations ensure that their Information and IT systems are secure. [Total: 20 Marks]

a) The three main information security objectives, known as the CIA triad (confidentiality, integrity and availability), are critical for banks in Ghana, where cyber threats have risen with the growth of digital banking. Banks implement controls to comply with the Bank of Ghana (BoG) Cyber and Information Security Directive, to protect assets after the banking sector cleanup that concluded in 2019, and to maintain customer trust.

  • Confidentiality: ensures that sensitive information is accessible only to authorised users and is not disclosed to anyone else. Banks implement controls such as encryption and strict access control to safeguard customer data, because a breach could lead to identity theft and regulatory penalties under Act 930.
  • Integrity: protects data from unauthorised modification or destruction so that it remains accurate and reliable. Controls such as cryptographic checksums, maker-checker approval of transactions and tamper-evident audit logs prevent and detect unauthorised changes, which is vital for financial transactions where a single altered amount can cause losses, as seen in the governance failures at UT Bank.
  • Availability: guarantees that information and systems are accessible when needed. Redundant systems and DDoS mitigation prevent downtime from attacks and failures, ensuring continuous service, which is essential for liquidity management under BoG guidelines.

Reasons for implementing controls include mitigating operational risk (in line with Basel requirements), avoiding fines from BoG, strengthening competitive position (topic 3.1) and fostering ethical practice during the post-DDEP recovery phase.

b) Organisations, particularly banks, use various tools, techniques and means to secure their IT systems, integrated with risk management (topic 6.3) and data management (topic 3.4):

  • Firewalls and Intrusion Detection Systems (IDS): next-generation firewalls block unauthorised traffic at network boundaries, while an IDS monitors traffic and logs for anomalies and known attack patterns. In Ghanaian banks such as Ecobank these align with BoG directives to prevent cyber intrusions.
  • Encryption and Tokenization: encryption renders data unreadable without the key, protecting confidentiality in transit and at rest; tokenization replaces sensitive values such as card numbers with surrogate tokens so that systems outside the secure vault never handle the real value. Both are used in mobile banking and payment apps and support compliance with the Payment Systems and Services Act (Act 987).
  • Multi-Factor Authentication (MFA) and Access Controls: means such as biometrics or one-time codes in addition to passwords, combined with role-based access control, limit who can reach sensitive systems and reduce insider threats, as emphasised in corporate governance directives.
  • Regular Audits and Penetration Testing: audits verify that controls exist and operate as intended, while penetration tests simulate attacks to find exploitable vulnerabilities before a real attacker does; both are required under BoG's security guidelines for proactive risk mitigation.
  • Backup and Disaster Recovery Plans: regularly tested backups (including off-site or cloud copies) and documented recovery procedures preserve availability, which is critical for business continuity in events such as the 2022 economic disruptions.
  • Employee Training and Awareness Programmes: human-focused means to counter phishing and social engineering, integrating with the impact of IT on employee relations (topic 4.2).
  • Antivirus Software and Patch Management: anti-malware tools detect known malicious code, and timely patching closes known vulnerabilities in core banking software before they can be exploited.
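The following is an added example and is not part of the original answer. Using only the Python standard library, it shows two of the controls above applied to a constructed transaction record: an HMAC-SHA256 tag that detects tampering (the integrity objective in part a) and a tokenization vault that hands out surrogate card numbers and returns the real number only to an authorised role (the encryption and tokenization point in part b). Encryption itself is not shown because the standard library has no AES; the key, the TokenVault class, the "settlement" role and the sample data are all hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample transaction record (not real data).
SAMPLE_TXN = {
    "txn_id": "T-1001",
    "from_account": "0123456789",
    "to_account": "9876543210",
    "amount": "2500.00",
    "currency": "GHS",
}

# Hypothetical key; in a bank this would be held in an HSM or key-management service.
INTEGRITY_KEY = b"demo-hmac-key-replace-with-hsm-managed-secret"


def canonical_bytes(record):
    """Serialise a record deterministically so identical content gives identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record, key):
    """Integrity control: keyed MAC (HMAC-SHA256, hex) over the canonical record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record, key, tag):
    """Recompute the MAC and compare in constant time; any change to the record fails."""
    return hmac.compare_digest(sign_record(record, key), tag)


class TokenVault:
    """Tokenization: a card PAN is replaced by a random surrogate; only the vault maps back."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # Random token, not derived from the PAN; the last 4 digits are kept for display.
        token = "tok_{}_{}".format(secrets.token_hex(8), pan[-4:])
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token, role):
        # Access control on the vault: only the hypothetical settlement role recovers the PAN.
        if role != "settlement":
            raise PermissionError("role {!r} may not detokenize".format(role))
        return self._token_to_pan[token]


def detokenize_allowed(vault, token, role):
    """True if the role may recover the PAN, False if the vault refuses."""
    try:
        vault.detokenize(token, role)
        return True
    except PermissionError:
        return False


def demo():
    """Run both controls on the sample data and return the observable results."""
    vault = TokenVault()
    pan = "4111111111111111"  # well-known test card number, not a real account
    token = vault.tokenize(pan)
    tag = sign_record(SAMPLE_TXN, INTEGRITY_KEY)
    tampered = dict(SAMPLE_TXN, amount="25000.00")  # an attacker appends a zero
    return {
        "token": token,
        "token_hides_pan": pan not in token,
        "same_pan_same_token": vault.tokenize(pan) == token,
        "original_verifies": verify_record(SAMPLE_TXN, INTEGRITY_KEY, tag),
        "tampered_verifies": verify_record(tampered, INTEGRITY_KEY, tag),
        "settlement_can_detokenize": detokenize_allowed(vault, token, "settlement"),
        "call_centre_denied": not detokenize_allowed(vault, token, "call-centre"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The MAC covers the canonical form of the record, so reordering JSON keys does not change the tag, but changing the amount by one digit does; the token carries no information about the full card number, so a compromised downstream system holding only tokens yields nothing without also breaching the vault.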

These measures build resilience, with cost-benefit analysis (topic 1.1) guiding which controls to implement so that security spending supports profitability.
