
MIS 5202 IT Governance

Temple University

Richard Flanagan

Semester Wrap Up

December 6, 2016 by Richard Flanagan 1 Comment

A couple of things left to do for the semester:

  • I will drop your lowest quiz grade and use your revised average.
  • I will have your audit programs graded by Tuesday May 3rd.
  • Your Final exam will be available on Saturday morning, April 30 at 6:00 AM and is due by 11:59 PM on Monday May 2nd. You will have one try at the exam and must answer 75 questions in 120 minutes. Set aside a quiet time to make sure you give yourself every advantage. If you run into any system problems you must call me immediately at 910 880 1254 so that we can work them out. Best of luck on the exam.
  • I will post your final grades by Friday, May 6.

Finally, I want to thank all of you for your hard work and interest in the topic.  I have been telling everyone in the department just how incredible your discussions have been.  You have brought a level of nuance and practicality that we rarely achieve in classroom discussions.  Well done!

Rich

Final Exam – Rich’s Section

December 6, 2016 by Richard Flanagan 1 Comment

The final exam will be on Blackboard and will be 75 questions. I will post the exam on Saturday December 17th @ 6:00 AM and give you until Sunday night, at 11:59 PM to complete it. You have 90 minutes to complete the exam, the same question/minute rate as the CISA exam.

If you have any problems with the software you must contact me immediately at 910 880 1254.  I recommend you find a quiet place with good connectivity at which to take the exam.

Good luck on the final and call me if you have any questions.

Rich

Week 13: Reading Questions & Case

November 30, 2016 by Richard Flanagan 89 Comments

Readings

  1. What would you do as an individual to be ready for an IT disaster?  A real world disaster?
  2. What is the difference between disaster recovery and business continuity?  How are they related?
  3. What makes this so complicated and difficult for organizations?

Activity: Your only activity this week is to complete your team’s Audit Proposal Project.

Week 12 Wrap-up: IT Security

November 30, 2016 by Richard Flanagan Leave a Comment

Great job everyone on the discussion.   If you enjoyed this case I have a few other things you might like:

  • Verizon’s 2015 Data Breach Investigations Report
  • Deloitte Cyber Security Video 1: Companies Like Yours
  • Deloitte Cyber Security Video 2: Evolved

I liked how you referred back to other topics that we have considered in the past 12 weeks.  Let me take you through my view of them:

IT Administrative Controls – really lax both inside iPremier and at the ISP. I get the sense that very little is actually in control here. WoW on company equipment and company time? Poorly organized and poorly run.

IT Governance – There appears to be little knowledge or interest in IT from the executive level of the company. How can this be for a company that runs on an e-platform? Inexcusable. Certainly, there is no conscious effort to guide IT as it supports the business. Ad hoc decision making and a culture of do what’s needed now and we’ll worry about the rest later seems to be at work here.

Enterprise Architecture, IT Strategy, Portfolio Management – There doesn’t seem to be any.

Policy – Again, if they exist, they seem to be on the shelf like the disaster recovery plans.  Even the CEO acknowledged that they needed a closer look at how they did things.

IT Services and Quality – Again, there does not appear to be a disciplined look at what IT services they are using/providing. Furthermore, there is no sense of continuous improvement or some of the Disaster Recovery plans’ problems would have been identified and fixed.

Outsourcing – They picked the ISP because they knew someone?  Really?

Monitoring – Doesn’t appear that they did much beyond the basics of operating a system.  But then, if you haven’t defined any IT services, how could you monitor them?

Risk – No risk culture in the organization, no risk culture in IT.  I’m tempted to say that they looked at Disaster Recovery planning as a compliance issue, not as a control.  They were required to have one, so someone wrote it and put it on the shelf for the auditors to see, but they never did anything with it.

All of this leads to a situation where a breach was eminently possible with a poor response guaranteed.

The whole idea of running an IT organization under control is that you have organizational discipline.  This doesn’t eliminate the potential problems of a security attack or any other risk.  It makes such risks much less likely to occur and it gives you a much better position from which to deal with them if they do occur.  This is the point of everything you will be learning in this program.

Week 12: Reading Questions & Case

November 23, 2016 by Richard Flanagan 103 Comments

Reading Questions

  1. What are the risks associated with the 10 processes that Gartner says you must get right?  How do these controls help?
  2. Who or what do you think is the most significant risk to any organization?
  3. Security education is spoken of often.  Why is it important?
  4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security processes?
  5. How much attention do you pay to the security of your device, data, and behaviors?

The iPremier Case

Read all three parts of the iPremier Case.  Consider these questions when you prepare for class (Jan’s section) or Webex (Rich’s section).

  1. How well did the iPremier Company perform during the seventy-five minute attack? If you were Bob Turley, what might you have done differently during the attack?
  2. The iPremier Company CEO, Jack Samuelson, had already expressed to Bob Turley his concern that the company might eventually suffer from a “deficit in operating procedures.” Were the company’s operating procedures deficient in responding to this attack? What additional procedures might have been in place to better handle the attack?

Happy Thanksgiving

November 20, 2016 by Richard Flanagan 1 Comment

Happy Thanksgiving everyone, I hope you and your families have an excellent holiday.

Ravi Sharma, an ITACS alumnus, shared this cyber security article with me and it’s most timely. A little long, but I think it does a great job of laying out the variety of attack types in an understandable framework. Have a look.

https://www.linkedin.com/pulse/20141007190806-36149934–cyber-terrain-a-model-for-increased-understanding-of-cyber-activity

Audit Proposal Project

November 16, 2016 by Richard Flanagan Leave a Comment

The Audit Proposal Projects are due on Monday, December 12. The Fall Break is a great time for teams to complete the project, or at least to get a good start. You will have to submit your team’s Audit Program Proposals (both document and video) as posts and assign a category of week 14.

To help you get started, here is a link to a previously submitted audit plan for an acceptable use policy. Again, the format is relatively unimportant but the coverage of key concepts like a policy’s goals, the controls that exist, how you can collect evidence of sufficiency and effectiveness, etc. is important. http://community.mis.temple.edu/mis5202online2016/files/2016/07/JTT-and-WAT-Partnership-Proposal-2-2.pdf

 

Week 11: Wrap-up: IT Risk

November 16, 2016 by Richard Flanagan Leave a Comment

You all seem to have the notion of risk and response down well. The three risk processes are:

  • Risk Governance – setting the appetite and tolerance of risk for the organization. The important point here is that IT risk should be treated like any other enterprise risk and the administration of IT risk governance should be part of the way the enterprise manages all its risk.
  • Risk Evaluation – What risks are you facing? How likely are they? How much impact will they have if they occur? The expected outcome of a risk is equal to its likelihood × its impact. The IT organization will need to deal with any IT Risk whose expected outcome is greater than the enterprise’s risk tolerance for risks of this sort.
  • Risk Response – you can address risks in four ways:
    • Accept it – just go with it (which means raising your risk tolerance if the expected outcome is greater than your current risk tolerance).
    • Transfer it – get insurance so that you alone don’t feel all of the impact of the risk if it comes to be.
    • Mitigate it – put in controls to lessen the likelihood or impact of the risk.  Residual risk is the risk that remains after your mitigation and should be less than your risk tolerance.
    • Avoid it – change what the organization is doing so as not to face the risk anymore.  If you are worried about losing credit card information, don’t take credit cards.

FUD is a major player in all risk discussions and is evidenced in the AWA case. FUD stands for Fear, Uncertainty and Doubt. There are always things that we don’t know or haven’t experienced when thinking about making a change. It’s natural. Both AWA and the EHR case we looked at earlier contained compliance risks. Sure, outsourcing changes the nature of compliance risk although the ownership remains the same. We feel comfortable with what we have always done (do everything ourselves) even if we know we don’t do it well. It takes some courage and a lot of due diligence to look at a new arrangement and see that it’s no worse, maybe even better than what we had before.

This is where controls come in. If you research what could go wrong, talk to others who have already made the move, design and review a set of controls that you think will work and put them in place, then, with audit, you should be able to make it work. In the AWA case, the firms they were looking at are very experienced and professional. Sabre works with over 400 airlines. To us, the risk of doing a good outsourcing deal is minimal as long as AWA pays attention to what it’s doing. The risk of continuing as is and underfunding IT to the point of ruin is far higher.

 

Another view of risk

November 14, 2016 by Richard Flanagan 5 Comments

I saw this article last week and thought it interesting although a slightly different take on risk from our readings.  I think his points are well taken and probably provide a useful guide for where to go to look for unrecognized risks.  Give it a read and let me know what you think.

https://hbr.org/2016/11/simple-ethics-rules-for-better-risk-management

 

Week 10 Wrap-Up: STARS IT Balanced Scorecard

November 9, 2016 by Richard Flanagan Leave a Comment

There were a lot of good ideas about what metrics to include for Stars. A few of you focused too much on metrics that were internal to IT’s operation. This is a common mistake for IT people. The business is more interested in what IT is contributing, not how they do it. The project portfolio is important because it is the overt link to business strategy. If you are funding projects that don’t align with your strategy or the business’ goals it should come out here. ROI is very hard to measure but you should try to, even if it’s by business process metrics, not dollars.

Here are our thoughts:

Business Investments

  1. Listed by key business goal – Business process metrics highlighted for each goal over time, IT projects and total funding related to each goal. Goal is to show improvement on the business process metrics over time.
  2. IT investments linked to goal, projected ROI, funded or not, goal is to show alignment of dollars
  3. IT Projects currently underway, goal is 100% on time, on budget, on scope
    1. Percentage on time
    2. Percentage on budget
    3. Percentage on scope
  4. Problem projects listed with issues, goal is transparency – no surprises

Financial

  1. Current spend compared to budget, prior year and current re-forecast.
  2. Budget spending by run-the-engine and discretionary investments – Goal, reduce the former, increase the latter
  3. Consulting Fees – RISK – Show consulting fees over time with goal to reduce them
  4. Asset inventory – RISK – Show the collection of IT assets and percentage out of support with goal to reduce.

Operations

  1. Current availability data, goal is no unplanned downtime
  2. Disruptions this year and root causes of each – goal to eliminate all
  3. Most frequent help desk calls by type with analysis of key issues and response
  4. Current customer satisfaction metric over time, goal to increase
  5. RISK – highlight calls/disruptions connected to out-of-support assets

 
