Temple University

Richard Flanagan

Week 10 Wrap-Up: STARS IT Balanced Scorecard

There were a lot of good ideas in all your posts about what metrics to include. A few of you focused too much on metrics that were internal to IT's operation. This is a common mistake for IT people. The business is more interested in what IT is contributing, not how it does it. The project portfolio is important because it is the overt link to business strategy. If you are funding projects that don't align with your strategy or the business' goals, it should come out here. ROI is very hard to measure, but you should try to, even if it's by business process metrics, not dollars. I liked that Colin highlighted the consultant fees problem and that Kacper proposed a business process metric that is tied to IT. Well done.

Here are my thoughts:

Financial

  1. Current spend compared to budget, prior year and current re-forecast.
  2. Budget spending by run-the-engine and discretionary investments – Goal: reduce the former, increase the latter
  3. Consulting Fees – RISK – Show consulting fees over time with the goal of reducing them
  4. Asset inventory – RISK – Show the collection of IT assets and the percentage out of support, with the goal of reducing it

Operations

  1. Current availability data; goal is no unplanned downtime
  2. Disruptions this year and root causes of each – goal to eliminate all
  3. Helpdesk calls by type with analysis of key issues
  4. Current customer satisfaction metric over time; goal to increase
  5. RISK – highlight calls/disruptions connected to out-of-support assets

Business Investments

  1. Listed by key business goal – business process metrics highlighted for each goal over time, with the IT projects and total funding related to each goal. The goal is to show improvement on the business process metrics over time.
  2. IT investments linked to goal, projected ROI, funded or not; goal is to show alignment of dollars
  3. IT projects currently underway; goal is 100% on time, on budget, in scope
    1. Percentage on time
    2. Percentage on budget
    3. Percentage on scope
  4. Problem projects listed with their issues; goal is transparency – no surprises

Week 10: Reading Questions & Case

Readings

  1. Why so much interest in measuring? Isn't it overkill to try to measure everything? How would you want your organization to decide?
  2. If you were a CIO, what metrics would you want? How many is reasonable to have?
  3. Assuming you have more metrics than can fit on one balanced scorecard, what would you do? How would you handle it organizationally?

The Star Ambulance Case: Take Two

Reread the Star Ambulance Case and think about what metrics you would want on your BSC if you were the CIO.  Mock up what your BSC would look like and post it on the class blog by Tuesday night @ 11:59.

Week 9 Wrap-up: Outsourcing


Once you start viewing what IT does as services, you then start thinking about a couple of questions:

  1. How well do we perform this service compared to others?
  2. How much is it costing us?
  3. Could someone else do it cheaper? Better? Both?

Once that happens, you start thinking about outsourcing, a very emotionally charged topic no matter what level of outsourcing you are contemplating. If you are just bringing in a specialist, you might alienate one of your best technical people by not giving him the opportunity to learn a new skill. If you are outsourcing an entire business process like Human Resources, you are talking about eliminating most of your own HR people and all of the IT people who supported the HR applications. It's never easy.

As an auditor you need to remember that all the original process risks remain and some new ones are added. You need to think about the purpose of the relationship: is the organization realizing the value it anticipated? Consider how the process is working: are the SLAs being met? How is the relationship being managed? What are the procedures for reconciling a dispute? Have they been used? All of these concerns lead many organizations to reject outsourcing out of hand.

That’s unfortunate as often there are considerable advantages beyond cost.  Consider a small company like a $10MM mental health agency.  If the agency outsources all of its systems to a cloud provider they are still responsible for:

  • All the compliance risks
  • Desktop security risks
  • Data communication security (VPN?)
  • Account provisioning risks
  • General IS Security policy and employee compliance risks
  • Data quality risk, etc.

On the other hand, think of the risks that a professional IT shop is now managing.

  • Application availability risks
  • Application update risks
  • Infrastructure update risks
  • Network security risks
  • Infrastructure security risks
  • Backup and recovery risks, etc.

While different decision makers might legitimately make different decisions in this case, I think most knowledgeable IT professionals would conclude that outsourcing to the cloud provider represents the lowest total risk for the organization.


Week 9: Reading Questions & Case

Readings

  1. What different kinds of IT outsourcing are there?
  2. What is business process outsourcing and how is it related to IT?
  3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
  4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?

Crafting and Executing an Offshore IT Sourcing Strategy: GlobShop’s Experience

Think about these questions as you prepare for Tuesday’s discussion:

  1. If you were auditing GlobShop's move to offshoring, how would you evaluate their decision? Did they do the right thing? Why or why not? What evidence do you see?
  2. Briefly list the critical challenges that GlobShop faced in executing its offshore strategy. What would you look for if you were auditing the implementation of this outsourcing deal?
  3. Suppose GlobShop moved its more mission-critical activities offshore. How would your audit of the relationship change?

Week 8 Wrap-up: IT Services & Quality

This is such an important topic that we dedicate one whole course (MIS 5205) to it in the IT audit track. Any IT organization is, first and foremost, a service organization. IT is there to provide services to the organization. Once these services are identified, a definition of what quality should look like for that service is possible. With it, you can distinguish a quality outcome from a defect. Doing this allows you to identify a defect rate per 100 services, say 10% defects whenever the service is executed. Is this good or bad? It depends, but for IT operations even a 99+% rate is often not good enough. Would you get on an airplane if they crashed 1 time in 100?

Total Quality Management (TQM) has impacted the world as much as information technology over the last 30-40 years. The fact that they reinforce each other is one of the reasons why. TQM started when an American engineer, Deming, was ignored in his own country and found a home for his ideas in Japan; it has since taken over the world. Many of the improvements that we think of as everyday assurances (will your FedEx package get there tomorrow?) are thanks to the quality movement.


Burn these ideas into your memory and they will help you whatever you are doing (Reid, Chapter 5).

  • Customer focus – Goal is to identify and meet customer needs.
  • Continuous improvement – A philosophy of never-ending improvement.
  • Employee empowerment – Employees are expected to seek out, identify, and correct quality problems.
  • Use of quality tools – Ongoing employee training in the use of quality tools.
  • Product design – Products need to be designed to meet customer expectations.
  • Process management – Quality should be built into the process; sources of quality problems should be identified and corrected.
  • Managing supplier quality – Quality concepts must extend to a company's suppliers.

Week 8: Reading Questions & Case

Readings

  1. Name 5 IT services and do a flow diagram of one.
  2. Who decides what quality looks like for an organization’s IT function?
  3. Why is empowerment so important to TQM? What would it look like in an IT function?
  4. What does all of this have to do with IT?

The Claim Proof Insurance Case

Change management is an essential control in any IT organization. What does quality mean in the context of change management, and how well is Claim Proof doing in attaining a high-quality change process? Consider these questions for our discussion Tuesday.

Week 7 Wrap-up: Policy

Up until now we have been talking mainly about doing the "Right Things". Policy is our first topic focused on "Done Right". The basic idea of policies is that they simplify decision making and encourage consistent organizational behavior. The idea works something like this:

  1. Senior management desires the organization to follow a certain objective behavior.
  2. It is impossible, or impractical, for senior management to make all the decisions that are necessary to achieve this objective.
  3. Instead, management approves a policy that describes its objective and how it expects the organization to make related decisions and behave in a compliant manner. The policy may also set up a structure or role to which it delegates additional policy-making responsibility in relation to this objective.
  4. The larger the organization, and the more complex the behavior associated with the objective, the more likely it is that there will be several related policies organized under an overview policy.
  5. At the end of the day, an employee facing a decision on how to behave in a certain situation should be able to look at the policy and decide for himself or herself what to do.

Once available, a policy is apt to generate any number of standards, guidelines and procedures that are intended to help realize the objective. These can all be thought of as controls. Thus, a security policy may say that employees will have unique userids (with least-privilege access) and are accountable for how their userids are used. This generates any number of controls: how userids are provisioned, who needs to approve a new role, what tasks are not permitted in the same role, what passwords are acceptable, how often they need to be changed, etc. These controls are then audited to see how the organization behaves in relation to the objective (sufficiency) and how well each control works (effectiveness).
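As an added example (not from the course, its readings, or any real organization), here is a small Python audit script that tests a few of the controls such a userid policy generates, run over a constructed account export: one accountable owner per userid, no conflicting role combinations held by the same account, an approver recorded for sensitive roles, and password age within the policy limit. The policy parameters, role names, approver names, accounts and the audit date are all hypothetical. The exception rate per control is one way to report effectiveness; which controls exist at all is a question of sufficiency.

```python
"""Constructed example: testing access controls derived from a
'unique userid, least privilege' security policy.

Everything below (policy limits, role names, accounts, audit date)
is hypothetical sample data, not taken from any real organization."""
from datetime import date, timedelta

# Policy parameters (assumed values).
MAX_PASSWORD_AGE_DAYS = 90
# Role pairs that must never be held by the same userid (segregation of duties).
CONFLICTING_ROLES = [
    {"ap_invoice_entry", "ap_payment_approval"},
    {"user_provisioning", "security_audit"},
]
# Roles whose assignment must carry a recorded approver.
ROLES_REQUIRING_APPROVAL = {"ap_payment_approval", "user_provisioning", "security_audit"}

# Constructed account export, as a provisioning system might dump it for audit.
ACCOUNTS = [
    {"userid": "jsmith", "owners": ["J. Smith"], "roles": ["ap_invoice_entry"],
     "role_approvals": {}, "password_changed": date(2024, 5, 20)},
    {"userid": "kjones", "owners": ["K. Jones"],
     "roles": ["ap_invoice_entry", "ap_payment_approval"],   # conflicting pair
     "role_approvals": {"ap_payment_approval": "cfo"},
     "password_changed": date(2024, 4, 2)},
    {"userid": "opsadmin", "owners": ["L. Lee", "M. Chen"],   # shared account
     "roles": ["user_provisioning"], "role_approvals": {},     # no approver recorded
     "password_changed": date(2023, 11, 15)},                 # stale password
    {"userid": "rpatel", "owners": ["R. Patel"], "roles": ["security_audit"],
     "role_approvals": {"security_audit": "ciso"},
     "password_changed": date(2024, 6, 1)},
]
AS_OF = date(2024, 6, 30)   # constructed audit date


def check_unique_userids(accounts):
    """Control: every userid appears once and belongs to exactly one person."""
    findings, seen = [], set()
    for acct in accounts:
        uid = acct["userid"]
        if uid in seen:
            findings.append(f"{uid}: userid appears more than once in the export")
        seen.add(uid)
        if len(acct["owners"]) != 1:
            findings.append(f"{uid}: shared by {len(acct['owners'])} people, no individual accountability")
    return findings


def check_segregation_of_duties(accounts):
    """Control: no account holds both roles of a conflicting pair."""
    findings = []
    for acct in accounts:
        held = set(acct["roles"])
        for pair in CONFLICTING_ROLES:
            if pair <= held:
                findings.append(f"{acct['userid']}: holds conflicting roles {sorted(pair)}")
    return findings


def check_role_approvals(accounts):
    """Control: sensitive roles were approved by someone before being granted."""
    findings = []
    for acct in accounts:
        for role in acct["roles"]:
            if role in ROLES_REQUIRING_APPROVAL and role not in acct["role_approvals"]:
                findings.append(f"{acct['userid']}: role {role} has no recorded approver")
    return findings


def check_password_age(accounts, as_of):
    """Control: passwords are changed at least every MAX_PASSWORD_AGE_DAYS."""
    findings = []
    limit = timedelta(days=MAX_PASSWORD_AGE_DAYS)
    for acct in accounts:
        age = as_of - acct["password_changed"]
        if age > limit:
            findings.append(f"{acct['userid']}: password is {age.days} days old (limit {MAX_PASSWORD_AGE_DAYS})")
    return findings


def audit(accounts, as_of):
    """Run every control test and return findings keyed by control name."""
    return {
        "unique_userid": check_unique_userids(accounts),
        "segregation_of_duties": check_segregation_of_duties(accounts),
        "role_approval": check_role_approvals(accounts),
        "password_age": check_password_age(accounts, as_of),
    }


def exception_rate(findings, accounts):
    """Share of accounts with at least one finding: a simple effectiveness measure."""
    flagged = {f.split(":")[0] for f in findings}
    return len(flagged) / len(accounts)


if __name__ == "__main__":
    for control, findings in audit(ACCOUNTS, AS_OF).items():
        print(f"{control}: {len(findings)} finding(s), {exception_rate(findings, ACCOUNTS):.0%} of accounts")
        for f in findings:
            print("  -", f)
```

Each check returns its findings rather than printing them, so the same functions can feed a scorecard or a workpaper; in the sample export every control produces exactly one exception, and the 89-day-old password on `kjones` shows why the audit date must be fixed and recorded, since a week later it would be a finding too.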

Week 7: Reading Questions & Policy Project

Readings

There will be no reading questions this week.

Policy Project

Work with your team and pick one of the security topics listed in the syllabus that interests you. Use the readings as a guide to writing your policy statement. Then prepare a 5 minute or less video that introduces your new policy to your hypothetical company.

The possible topics are:

  • Acceptable Use Policy
  • Social Security Number Policy
  • Security Response Policy
  • Remote Access Policy
  • Web Application Security Policy
  • Work Station Encryption Policy