Temple University

Week 12: The iPremier Case

Week 12 Wrap-up: IT Security

Great job everyone on the discussion. If you enjoyed this case, I have a few other things you might like:

I liked how you referred back to other topics that we have considered in the past 12 weeks.  Let me take you through my view of them:

IT Administrative Controls – really lax both inside iPremier and at the ISP.  I get the sense that very little is actually in control here.  WoW on company equipment and company time?  Poorly organized and poorly run.

IT Governance – There appears to be little knowledge or interest in IT from the executive level of the company.  How can this be for a company that runs on an e-platform?  Inexcusable. Certainly, there is no conscious effort to guide IT as it supports the business.  Ad hoc decision making and a culture of "do what’s needed now and we’ll worry about the rest later" seem to be at work here.

Enterprise Architecture, IT Strategy, Portfolio Management – There doesn’t seem to be any.

Policy – Again, if they exist, they seem to be on the shelf like the disaster recovery plans.  Even the CEO acknowledged that they needed a closer look at how they did things.

IT Services and Quality – Again, there does not appear to be a disciplined look at what IT services they are using/providing.  Furthermore, there is no sense of continuous improvement, or some of the Disaster Recovery plans' problems would have been identified and fixed.

Outsourcing – They picked the ISP because they knew someone?  Really?

Monitoring – Doesn’t appear that they did much beyond the basics of operating a system.  But then, if you haven’t defined any IT services, how could you monitor them?

Risk – No risk culture in the organization, no risk culture in IT.  I’m tempted to say that they looked at Disaster Recovery planning as a compliance issue, not as a control.  They were required to have one, so someone wrote it and put it on the shelf for the auditors to see, but they never did anything with it.

All of this leads to a situation where a breach was eminently possible with a poor response guaranteed.

The whole idea of running an IT organization under control is that you have organizational discipline.  This doesn’t eliminate the potential problems of a security attack or any other risk.  It makes such risks much less likely to occur and it gives you a much better position from which to deal with them if they do occur.  This is the point of everything you will be learning in this program.

Week 12: Reading Questions & Case


  1. What are the risks associated with the 10 processes that Gartner says you must get right?  How do these controls help?
  2. Who or what do you think is the most significant risk to any organization?
  3. Security education is spoken of often.  Why is it important?

The iPremier Case

Read all three parts of the iPremier Case.  Consider these questions when you prepare for Tuesday’s class.

  1. How well did the iPremier Company perform during the seventy-five minute attack? If you were Bob Turley, what might you have done differently during the attack?
  2. The iPremier Company CEO, Jack Samuelson, had already expressed to Bob Turley his concern that the company might eventually suffer from a “deficit in operating procedures.” Were the company’s operating procedures deficient in responding to this attack? What additional procedures might have been in place to better handle the attack?
  3. Should iPremier have implemented Ripley’s suggestion to shut down the company and rebuild the production platforms? What were the pros and cons?