
MIS 5170-Topic: Information Security Regulations

MIS 5170 - Section 003

Fox School of Business

Richard Flanagan

Week 3 Wrap-up: General IT Administrative Controls

February 5, 2016 by Richard Flanagan

Another great discussion full of good analysis and some great examples from the real world.  Those of you who work, please continue to bring such good examples to each of our discussions. You illustrate the learnings for all of us since we each have a different point of view.   I will give you my experiences, but that’s only one person who worked primarily in one company.  The more views we have the better.

IT organizations are usually the largest administrative expense in a company.  In manufacturing companies they may be only 1% or 2% of revenue but still be the most expensive support service.  In banks and trading companies IT can get to 50% of revenue.  For this reason the IT organization is a target for cost cutting.  It must be incredibly well run, with all of its administrative processes very tight, or it will constantly be second-guessed.

Some CIOs and business writers lament that CIOs should have a greater say in the strategy of the company.  I agree with this outlook but would add that CIOs need to prove themselves as well.  If my budgeting, procurement or HR practices are a mess, why should the owners of the business trust my opinion about other matters?  It really goes beyond this.  If IT’s projects are not being done on time and on budget while producing value for the corporation, why trust IT?  It may be unfair, but by being big and expensive IT puts a spotlight on itself and needs to act accordingly.

For much of my career I thought all the administrative controls were nonsense.  Only later did I come to see that they are the table stakes for playing in the game of business leadership.

Quizzes and Gradebook

February 1, 2016 by Richard Flanagan

As a group you did rather well on the first quiz.  Jeff pointed out that I had a question on “Compensating Controls” which really should have been in your Week 3 quiz.  Not sure how I did that, but I eliminated it from the grading and based everything on four questions instead of five.  The question that gave people the most trouble was the one about what organizations are looking for out of their IT systems.  About half of you put the easy answer, but the rest tried to explain it in other ways.

  • Effective
  • Efficient
  • Confidential
  • Integrity
  • Available
  • Compliant
  • Reliable

I gave points for each that I could identify in your answer.

Your quiz average and all grades are available at community.mis.temple.edu/gradebook.  Log on and check them out anytime, but generally it will be Monday or Tuesday before I update them.  If you did not do well on the first quiz, not to worry.  Remember, I drop one from your final average.

Week 3: Reading Questions & Activity

January 30, 2016 by Richard Flanagan 47 Comments

Readings

  1. What is a compensating control?  When would you use one? Why? Can you give an example?
  2. If you had to rank the importance of the basic IT controls, how would you do it?  Which is most important, which least?
  3. What is segregation of duties and how does it play into basic administrative controls?  Give an example of two IT roles that should be segregated.

Your Neighborhood Grocer Case

Consider the following questions about the YNG case.  Ignore the questions at the end of the case.

  1. YNG has grown through acquisition resulting in a mess of systems.  Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
  2. Business application procurement seems to be a big problem.  IT buys stuff the businesses don’t want, and many of the businesses’ own purchases have been outright failures.  Why?  What controls can Larry put into place to ensure that it doesn’t continue into the future?
  3. The most recent IT Audit will produce a finding about the sorry state of access control in the company.  What controls should Larry be ready to recommend to reduce the impact of this finding?

Week 2 Wrap-up: Control Environment

January 29, 2016 by Richard Flanagan

Great job on the discussion, this is what I want to see every week.   I think you raised all the salient points but let me summarize.

To be effective, any organization needs to establish a certain structure, responsibilities and a strong sense of how it will operate.  A company’s board of directors is there to hold its most senior management accountable in terms of performance, compliance and managing risk.  Thus, the tone for how the corporation will behave starts at the top with the board of directors and flows down through senior management.

Most companies need information systems to operate, so they create an IT organization.  To be effective, that sub-organization (IT) needs certain things:

  • Terms of Reference or a Charter – What is its mission? Why is it there?  What is it trying to achieve?  On this last point, the COSO list of objectives for an IT organization (Confidentiality, Integrity, Availability and so on) is a good list.  You should learn it.
  • A basic organizational structure, arranged to ensure that the work required to satisfy the Terms of Reference will get done.  This implies that resources are allocated to different tasks and that someone is responsible for leading each area of work.
  • Monitoring – there needs to be a “culture” of monitoring: each leader should be monitoring his/her people, and each level should be monitoring the work of the level below in order to make sure the required work is being done.  Monitoring also implies that when problems arise, they are addressed.
  • Performance Metrics – You can only monitor if you can tell a good job from a bad job and you can only tell that if you have some way of measuring success.

If you have these things, you are off to a good start.  This coming week we will look at another level of administrative controls that all organizations have, not just IT organizations (things like budgets, HR policies, etc.).

As for DentDel, I hope you all got the point.  Even the most basic controls, like assigning responsibilities and monitoring, were missing.  Yes, the CIO picked a technology without doing due diligence, but why?  Because there was no expectation set that due diligence should be done on every project being initiated.  Note that they didn’t ask the client (in this case Sales) what they needed.  There was a much better project out there, but it never got visibility because there was no process to check.  It’s all too easy to assume that governance at this level is being done correctly, but it often isn’t.  Always ask the basic questions first and then follow where they lead.

Week 2: Reading Questions & Case

January 16, 2016 by Richard Flanagan 38 Comments

Readings

  1. In your own words, how would you define a control environment?
  2. Define the three kinds of common controls and give two examples of each from your everyday life.
  3. What is the difference between an IT Strategy Committee and an IT Steering Committee?

The Dentdel Case

Think about the following questions before class on Tuesday.

  1. What processes were ineffective and allowed this situation to occur?
  2. Where could stronger IT administrative controls have helped Dentdel avoid this situation?

What to do this week (and all future weeks)

January 15, 2016 by Richard Flanagan

OK, so now we get to the first week of the course when we will handle everything asynchronously.  I want to make sure that you know what I am expecting and what you need to do:

  1. Early tomorrow morning, I will post several questions for you to think about when you are reading about this week’s topic.
  2. Watch the video lecture, read the assignments and explore the additional materials.
  3. By Thursday evening at 11:59 pm you will need to answer one of my published questions by selecting the Leave a Reply option at the bottom of my post.  Remember, I must approve your first reply or comment, so don’t expect to see it right away.  After that it will be automatic.
  4. Also by Thursday evening at 11:59 pm, you will need to have made three (3) additional substantive replies to the comments of your peers.
  5. On Friday, I will post a wrap-up note to close out the week’s topic.
  6. On Saturday morning, a quiz on the topic will be published on Blackboard.  You have until 11:59 Sunday to take the quiz.  You will have 15 minutes to answer the five (5) questions.

To learn the material well you need to be actively engaged in the online discussion.  Check it out and contribute every day.  If you have questions, put them in a post or reply online so that everyone can see the answer.  If you find yourself confused, call me and we will talk about it (910 880 1254).

Week 1 Wrap-up: Defining IT Governance

January 15, 2016 by Richard Flanagan

I think this case is wonderful as an opener for an IT Governance class.  Why?  Because there is no governance at STARS, at least nothing explicit.  If we use my “Right Things, Done Right” mantra, we can illustrate what I mean.  Khan is inheriting an IT organization that has no identifiable mission or charter.  Senior management doesn’t recognize the critical role that IT could play in its organization.  The implicit charter is probably something like, “Give the business what it needs to get the job done.”  That simply isn’t good enough leadership.  On the “Done Right” side, you all have pointed out the deficiencies of the effort (it’s not even a real organization): no organizational structure, runaway customers, out-of-control contractors, no technical standards, no project portfolio management, etc.  The only good news for Khan is that the only way to go is up!

The key point for this class is to recognize that both things are necessary for true governance.  IT organizations, as a generalization, have tended to focus on the process of doing things extremely well and very efficiently.  This is important, but it is only half of the game.  IT leadership and company leadership must work together to ensure that IT is doing the things that provide the most value to the company.  This is a political (small p) process and not one that is comfortable for most IT people.  Hence many CIOs fail because, while they run good IT shops, they are not focused on, nor especially contributing to, the company’s goals.

Throughout this course and the program, keep the “Right Things, Done Right” model in mind.  Many CISA questions will give you three answers that urgently need doing and one that seems so obvious that it can be assumed, and ask you which is MOST important.  Don’t fall for the trap: the one is usually about making sure that the organization is doing the right thing and must come first.

Weekly Posts and Deadlines

January 11, 2016 by Richard Flanagan

I want to go over your weekly activities a second time to make sure there is no confusion.  Each Saturday, you will find a post with questions about that week’s readings and case.  Once you have finished the readings you should answer one of the weekly reading questions in a post (please use the correct category) on the class blog before 11:59pm on Wednesday (you only need to answer one of the reading questions, not all of them).

Then you should turn your attention to the weekly case or activity.  For our four Harvard Cases, you will need to post your answers to one of the case questions before class starts.  For ISACA cases, use the questions to guide your preparation for that week’s discussion in class.

Finally, once everyone’s readings comments are on the blog, I expect you to read them over and comment on them.  Comments on the readings need to be posted on the class blog before 11:59pm on Friday (minimum of 4 comments each week).

Welcome to MIS 5202 Online

December 22, 2015 by Richard Flanagan

Welcome to MIS 5202 Online!  I hope you are as excited to get started as I am.  We will begin on Monday, January 11th when we will go through the structure of the course, what I am expecting from you, and talk about the Stars Ambulance case.  This session will be the first of five Webex meetings.  I expect that you will join with full video working.  On Saturday of each week I will publish a list of reading questions for you to comment on using our class blog.  I am looking for you to write a one or two paragraph comment on one of the questions and then comment on each other’s submissions during the week.

Case questions are there to guide your analysis of the case that we will discuss online most weeks.  For our remaining four Webex sessions we will discuss a Harvard case live and you will have a little more preparation to do.  For this week, all you need to do is read the Stars Ambulance case and think about these three questions:

  • Identify three or four of the most critical challenges facing the new CIO.
  • What is the overall issue facing the new CIO?
  • How would you proceed as the new CIO?

See you all on Webex Monday night.

Rich
