
MIS 5202 IT Governance

Temple University

Richard Flanagan

Week 11: Reading Questions & Case

November 9, 2016 by Richard Flanagan 133 Comments

Readings

  1. What is the difference between risk appetite and tolerance?
  2. What three types of IT risk are there? Can you give an example of each?
  3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
  4. How can an organization respond to any IT risk?

The All World Airlines Case

Focus your analysis on identifying all of the risks in two of the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis, would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.

Week 10: Reading Questions & Case

November 2, 2016 by Richard Flanagan 138 Comments

Readings

  1. Why so much interest in measuring? Isn’t it overkill to try to measure everything? How would you want your organization to decide?
  2. If you were a CIO, what metrics would you want? How many is reasonable to have?
  3. Assuming you have more metrics than can fit on one balanced scorecard what would you do? How would you handle it organizationally?
  4. How can measurements become obstacles to change?
  5. What measures are being used in your organization?  Do they make sense?

The Star Ambulance Case: Take Two

Reread the Star Ambulance Case and think about what metrics you would want on your BSC if you were the CIO.  Mock up what your BSC would look like and bring it to class (Jan’s Section) or post it on the class blog (Rich’s section).

Week 9 Wrap-up: Outsourcing

November 2, 2016 by Richard Flanagan

Once you start viewing what IT does as services, you then start thinking about a couple of questions:

  1. How well do we perform this service compared to others?
  2. How much is it costing us?
  3. Could someone else do it cheaper? Better? Both?

Once that happens, you start thinking about outsourcing, a very emotionally charged topic no matter what level of outsourcing you are contemplating. If you are just bringing in a specialist you might alienate one of your best technical people by not giving her the opportunity to learn a new skill. If you are outsourcing an entire business process like Human Resources, you are talking about eliminating most of your own HR people and all of the IT people who supported the HR applications. It’s never easy.

As an auditor you need to remember that all the original process risks remain and some new ones are added. You need to think about the purpose of the relationship: is the organization realizing the value it anticipated? Consider how the process is working: are the SLAs being met? How is the relationship being managed? What are the procedures for reconciling a dispute? Have they been used? These issues lead many organizations to reject outsourcing out of hand.

That’s unfortunate, as there are often considerable advantages beyond cost. Consider a small company like a $10MM mental health agency. If the agency outsources all of its systems to a cloud provider, it is still responsible for:

  • All the compliance risks
  • Desktop security risks
  • Data communication security (VPN?)
  • Account provisioning risks
  • General IS Security policy and employee compliance risks
  • Data quality risk, etc.

On the other hand, think of the risks that a professional IT shop is now managing:

  • Application availability risks
  • Application update risks
  • Infrastructure update risks
  • Network security risks
  • Infrastructure security risks
  • Backup and recovery risks, etc.

While different decision makers might legitimately make different decisions in this case, I think most knowledgeable IT professionals would conclude that outsourcing to the cloud provider represents the lowest total risk for the organization.


Week 9: Reading Questions & Case

October 26, 2016 by Richard Flanagan 160 Comments

Readings

  1. What different kinds of IT outsourcing are there?
  2. What is business process outsourcing and how is it related to IT?
  3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
  4. What is the difference between an outsourcing contract and a statement of work?  Which should you be interested in as an auditor? Why?
  5. What are the different reasons a firm may wish to outsource a particular function or process?

Crafting and Executing an Offshore IT Sourcing Strategy: GlobShop’s Experience

Think about these questions as you prepare for next week’s class (Jan’s section) or Webex (Rich’s section).

  1. If you were auditing GlobShop’s move to offshoring how would you evaluate their decision? Did they do the right thing?  Why or why not? What evidence do you see?
  2. Briefly list the critical challenges that GlobShop faced in executing its offshore strategy? What would you look for if you were auditing the implementation of this outsourcing deal?
  3. Suppose GlobShop moved its more mission-critical activities offshore. How would your audit of the relationship change?

Week 8 Wrap-up: IT Services & Quality

October 26, 2016 by Richard Flanagan

This is such an important topic that we dedicate a whole course (MIS 5205) to it in the IT audit track. Any IT organization is, first and foremost, a service organization. IT is there to provide valuable services to the organization. Once these services are identified, a definition of what quality should look like for each service is possible. With it, you can distinguish a quality outcome from a defect. Doing this lets you measure a defect rate per 100 executions of the service, say 10%. Is this good or bad? It depends, but for IT operations even a 99+% success rate is often not good enough. Would you get on an airplane if they crashed 1 time in 100?

Total Quality Management (TQM) has impacted the world as much as information technology over the last 30-40 years. The fact that they reinforce each other is one of the reasons why. TQM started when an American engineer, Deming, was ignored in his own country and found a home for his ideas in Japan. They have since taken over the world. Many of the improvements that we think of as everyday assurances (Will your FedEx package get there tomorrow?) are thanks to the quality movement.

Burn these ideas into your memory and they will help you whatever you are doing (Reid, Chapter 5).

  • Customer focus – Goal is to identify and meet customer needs.
  • Continuous improvement – A philosophy of never-ending improvement.
  • Employee empowerment – Employees are expected to seek out, identify, and correct quality problems.
  • Use of quality tools – Ongoing employee training in the use of quality tools.
  • Product design – Products need to be designed to meet customer expectations.
  • Process management – Quality should be built into the process; sources of quality problems should be identified and corrected.
  • Managing supplier quality – Quality concepts must extend to a company’s suppliers.

Week 7 Wrap-up: Policy

October 19, 2016 by Richard Flanagan

Up until now we have been talking mainly about doing the “Right Things”. Policy is our first topic focused on “Done Right”. The basic idea of policies is that they simplify decision making and encourage consistent organizational behavior. The idea works something like this:

  1. Senior management desires the organization to follow a certain objective behavior.
  2. It is impossible, or impractical, for senior management to make all the decisions that are necessary to achieve this objective.
  3. Instead, management approves a policy that describes its objective and how it expects the organization to make related decisions and behave in a compliant manner. The policy may also set up a structure or role to which it delegates additional policy-making responsibility in relation to this objective.
  4. The larger the organization, and the more complex the behavior associated with the objective, the more likely it is that there will be several related policies organized under an overview policy.
  5. At the end of the day, an employee facing a decision on how to behave in a certain situation should be able to look at the policy and decide for him or herself what to do.

Once available, a policy is apt to generate any number of standards, guidelines and procedures that are intended to help realize the objective. These can all be thought of as controls. Thus, a security policy may say that employees will have unique userids (with least-privilege access) and are accountable for how their userids are used. This generates any number of controls: how userids are provisioned, who needs to approve a new role, what tasks are not permitted in the same role, what passwords are acceptable, how often they need to be changed, etc. These controls are then audited to see whether the organization’s controls, if followed, will enable the objective to be met (sufficiency) and how well each control actually works (effectiveness).
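As an added illustration (not part of the course page or any organization’s real data), the script below turns four of the controls just listed into automated audit tests run against a constructed access listing: unique userids, segregation of duties between roles, an approver recorded for each role grant, and a maximum password age. The listing, the conflicting role pairs and the 90-day limit are all assumptions made up for the example; an auditor would substitute the organization’s own policy values and an export from its identity system.

```python
"""
Added example, not from the course page: automated tests for a few of the
controls a security policy generates. All records, role names, conflict
rules and the 90-day password limit below are constructed assumptions.
"""
from collections import Counter
from datetime import date

# Constructed access listing, as an auditor might export from an identity
# system. Fields: userid, employee, roles held, approver recorded for the
# latest role grant, date the password was last changed.
ACCESS_LISTING = [
    {"userid": "jsmith", "employee": "Jane Smith", "roles": {"ap_clerk"},
     "approver": "mgr_finance", "pw_changed": date(2016, 9, 1)},
    # Same userid issued twice: violates the "unique userids" control.
    {"userid": "jsmith", "employee": "John Smith", "roles": {"hr_clerk"},
     "approver": "mgr_hr", "pw_changed": date(2016, 10, 1)},
    # Clerk and approver in one account: segregation-of-duties conflict.
    {"userid": "bkim", "employee": "Bo Kim", "roles": {"ap_clerk", "ap_approver"},
     "approver": "mgr_finance", "pw_changed": date(2016, 8, 15)},
    # Shared account: no approver on record and a stale password.
    {"userid": "shared_ops", "employee": "IT Operations", "roles": {"sysadmin"},
     "approver": None, "pw_changed": date(2016, 5, 1)},
    {"userid": "rlee", "employee": "Rae Lee", "roles": {"developer"},
     "approver": "mgr_it", "pw_changed": date(2016, 10, 10)},
]

# Policy-derived rules (assumptions): role pairs that must not be held
# together, and the maximum password age in days.
SOD_CONFLICTS = [("ap_clerk", "ap_approver"), ("developer", "prod_deploy")]
MAX_PASSWORD_AGE_DAYS = 90
# Date of the audit (assumption matching the post date).
AS_OF = date(2016, 10, 19)


def find_duplicate_userids(listing):
    """Control: unique userids. Returns userids issued more than once."""
    counts = Counter(record["userid"] for record in listing)
    return sorted(uid for uid, n in counts.items() if n > 1)


def find_sod_conflicts(listing, conflicts=SOD_CONFLICTS):
    """Control: tasks not permitted in the same role. Returns
    (userid, role_a, role_b) for each conflicting pair a user holds."""
    hits = []
    for record in listing:
        for role_a, role_b in conflicts:
            if role_a in record["roles"] and role_b in record["roles"]:
                hits.append((record["userid"], role_a, role_b))
    return hits


def find_unapproved_grants(listing):
    """Control: every role grant needs an approver. Returns userids lacking one."""
    return sorted(r["userid"] for r in listing if not r.get("approver"))


def find_stale_passwords(listing, as_of, max_age=MAX_PASSWORD_AGE_DAYS):
    """Control: password change frequency. Returns userids past the limit."""
    return sorted(r["userid"] for r in listing
                  if (as_of - r["pw_changed"]).days > max_age)


def audit(listing, as_of):
    """Run every control test and return the exceptions per control.
    An empty exception list is the evidence that the control is effective."""
    return {
        "unique_userids": find_duplicate_userids(listing),
        "segregation_of_duties": find_sod_conflicts(listing),
        "approved_role_grants": find_unapproved_grants(listing),
        "password_age": find_stale_passwords(listing, as_of),
    }


if __name__ == "__main__":
    for control, exceptions in audit(ACCESS_LISTING, AS_OF).items():
        status = "effective" if not exceptions else f"{len(exceptions)} exception(s)"
        print(f"{control:24s} {status}: {exceptions}")
```

Each function is one control test, and the report separates the two questions the post raises: sufficiency is a judgment about whether this set of tests, if all passed, would actually achieve the policy objective, while effectiveness is what the exception lists measure on real data.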

Week 8: Reading Questions & Case

October 19, 2016 by Richard Flanagan 157 Comments

Readings

  1. What do you think are the key principles of the total quality movement?
  2. Why is empowerment so important to TQM?
  3. Name 5 IT services and do a flow diagram of one.
  4. Who decides what quality looks like for an organization’s IT function?
  5. What does all of this have to do with IT?

The Claim Proof Insurance Case

Change management is an essential control in any IT organization. What does quality mean in the context of change management and how well is Claim Proof doing in attaining a high quality change process?  Consider these questions for discussion in Jan’s section or post your thoughts in Rich’s.

Week 7: The Policy Project

October 12, 2016 by Richard Flanagan

Readings

There will be no reading questions this week.

Policy Project

Work with your team and pick one of the security topics listed below that interests you. Use the readings as a guide to write a comprehensive policy statement for the topic. They are usually on the order of 3-5 pages. Then, prepare a 5 minute or less presentation (Jan’s section) or video (Rich’s section) that introduces your new policy to the employees of your hypothetical company.

The possible topics are:

  • Data Destruction Policy
  • Social Security Number Policy
  • Remote Access Policy
  • Electronic Document Retention Policy
  • Memory Drive Usage Policy

As a help to understanding what we want, here is a link to an acceptable use policy submitted in a previous semester. You should not copy the format exactly, but think about what’s covered, the level of detail, references, etc.

http://community.mis.temple.edu/mis5202online2016/files/2015/10/Initech_Acceptable_Use_Policy.pdf

Week 6 Wrap-up: Portfolio Management

October 12, 2016 by Richard Flanagan

For me, IT Portfolio Management is the most important topic of the year. Why? Because this is where the organization turns from strategy to execution. Up to this point, the business and IT have been able to talk about purpose and alignment, what an architecture should look like, how they are going to help the company. Now it’s time to actually do something. As Yogi Berra once said,

In theory there is no difference between theory and practice. In practice there is.

Portfolio management is where theory meets reality.

If a business is using portfolio management, it is probably being done by an IT Steering Committee or similar body. Senior business representatives serving on the committee are essential. They must be able to examine projects from a corporate perspective so that decisions are made on what is best for the company, not any particular interest.

The Gartner article asks five great questions that can serve as your guide to portfolio management.  Our discussion focused mainly on question #1 but the other four are also important.

  1. Are we investing in the right things? – Key techniques here include value orientation, business alignment, standardized business cases, reviewing multiple projects at each meeting, etc.
  2. Are we optimizing our capacity? – Key questions might be, do we have the right resources? Could we increase our capacity with selected outsourcing? Should we cancel an existing project to fund something new?
  3. How well are we executing? – This same group needs to be monitoring how existing projects are running.  Are they on time? On scope? On budget? Quality good?
  4. Can we absorb all the changes? – This is about the culture of the organization.  How much change can it handle?  Will people burn out?  Will we be confusing them with too many objectives?
  5. Are we realizing the promised benefits? – This is the least answered of the five questions. Remember that ISACA sees two types of benefits:
    1. Business benefits – which contribute directly to value for the business
    2. Intermediate benefits – which do not directly create value for the business but may be of value to some stakeholders in the business.

Usually IT has so much to do that it never stops to see if completed projects actually produce the anticipated value. Unless a steering committee or senior executive is forcing the issue, value evaluation is not apt to happen.

Week 5 Wrap-up: IT Strategy

October 5, 2016 by Richard Flanagan

Very interesting and diverse set of comments this week. Did you notice how quickly the nice orderly world of ISACA (basic and admin controls, enterprise architecture, strategy and steering teams and RACI charts) became chaotic? There is an important point here; it’s called POLITICS. Not the nation-state kind, nor necessarily the back-stabbing kind. The best definition I know of politics is “Who gets what, when, where, why and how.” You can go into any organization, find its IT strategy, find a steering team, and apparently they are doing the right things. But, until you understand who the committee members are, what interests they represent, and which groups have more power than others, you will not really know what is going on. The Weill and Ross article should open your eyes to some of the possibilities.

The thing we want you to take away from this discussion is that implementing an IT strategy is also a political exercise. Yes, having a great plan based on an excellent enterprise architecture is important, but you need to get it accepted throughout the organization. This means you need to get buy-in from anyone who is in a position to shut you down. You need to get all the other players to understand, buy in, and support you when things go wrong. This will involve a lot of skills that IT people are not usually known for. There are likely to be difficult negotiations, private lobbying, dramatic speeches, and lots of grass-roots communicating. Good CIOs have these skills and have probably used them to define a comfortable status quo with the rest of the organization. As an auditor, you may find a problem that has the potential to upset that status quo and hence threaten the CIO. Be aware.
