MIS 5170-Topic: Information Security Regulations

MIS 5170 - Section 003

Fox School of Business

Quizzes and Gradebook

February 1, 2016 By Richard Flanagan Leave a Comment

As a group you did rather well on the first quiz. Jeff pointed out that I had a question on “Compensating Controls” which really should have been in your Week 3 quiz. Not sure how I did that, but I eliminated it from the grading and based everything on four questions instead of five. The question that gave people the most trouble was the one about what organizations are looking for out of their IT systems. About half of you put the easy answer, but the rest tried to explain it in other ways.

  • Effective
  • Efficient
  • Confidential
  • Integrity
  • Available
  • Compliant
  • Reliable

I gave points for each that I could identify in your answer.

Your quiz average and all grades are available at community.mis.temple.edu/gradebook. Log on and check them out anytime, but generally it will be Monday or Tuesday before I update them. If you did not do well on the first quiz, not to worry. Remember I drop one from your final average.

Week 3: Reading Questions & Activity

January 30, 2016 By Richard Flanagan 47 Comments

Readings

  1. What is a compensating control? When would you use one? Why? Can you give an example?
  2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
  3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated.

Your Neighborhood Grocer Case

Consider the following questions about the YNG case.  Ignore the questions at the end of the case.

  1. YNG has grown through acquisition, resulting in a mess of systems. Why did this happen, and what controls can Larry put into place to ensure that it doesn’t continue into the future?
  2. Business application procurement seems to be a big problem. IT buys stuff the businesses don’t want, and many of the businesses’ own purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
  3. The most recent IT audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?

Week 2 Wrap-up: Control Environment

January 29, 2016 By Richard Flanagan Leave a Comment

Great job on the discussion; this is what I want to see every week. I think you raised all the salient points, but let me summarize.

To be effective, any organization needs to establish a certain structure, responsibilities and a strong sense of how it will operate. A company’s board of directors is there to hold its most senior management accountable in terms of performance, compliance and managing risk. Thus, the tone for how the corporation will behave starts at the top with the board of directors and flows down through senior management.

Most companies need information systems to operate, so they create an IT organization.  To be effective, that sub-organization (IT) needs certain things:

  • Terms of Reference or a Charter – What is its mission? Why is it there? What is it trying to achieve? On this last point, the COSO list of objectives for an IT organization (Confidentiality, Integrity, Availability and so on) is a good list. You should learn it.
  • A basic organizational structure, arranged to ensure that the work required to satisfy the Terms of Reference will get done. This implies that resources are allocated to different tasks and that someone is responsible for leading each area of work.
  • Monitoring – There needs to be a “culture” of monitoring: each leader should be monitoring his/her people, and each level should be monitoring the work of the level below in order to make sure the required work is being done. Monitoring also implies that when problems arise, they are addressed.
  • Performance Metrics – You can only monitor if you can tell a good job from a bad job, and you can only tell that if you have some way of measuring success.

If you have these things, you are off to a good start. This coming week we will look at another level of administrative controls that all organizations have, not just IT organizations (things like budgets, HR policies, etc.).

As for DentDel, I hope you all got the point. Even the most basic controls, like assigning responsibilities and monitoring, were missing. Yes, the CIO picked a technology without doing due diligence, but why? Because there was no expectation set that due diligence should be done on every project being initiated. Note that they didn’t ask the client (in this case Sales) what they needed. There was a much better project out there, but it never got visibility because there was no process to check. It’s all too easy to assume that governance at this level is being done correctly, but it often isn’t. Always ask the basic questions first and then follow where they lead.
