
MIS 5202 IT Governance

Temple University

Richard Flanagan

Review Session Materials

December 8, 2017 by Richard Flanagan

I thought we had a good review session last night.  For those that could not join us, here are two things that might prove useful.

First, here is the document I used to review the semester.

Second, here is the Webex recording of the session.  I normally don’t use record as I find it unreliable but several people asked and it worked so here it is.

Finally, I was also asked if I could make all the quizzes open again for your practice so I have done that on Blackboard.

Good luck studying.  I am around until Tuesday when I fly to Bogota to teach a course for the EMBA program.  Give me a call if you have any questions and leave a message if I don’t answer.  After that, send me an email and I will get back to you.

Rich

 

Final Exam Correction

December 8, 2017 by Richard Flanagan

I originally posted the final exam as being available this coming weekend (12/9-10) rather than the correct dates of 12/16-17.  I apologize, my weak excuse is just jet lag.  Unfortunately, I can’t give it to you this coming weekend even if everyone wanted me to.  The semester doesn’t end until Monday the 11th and school rules prohibit me giving an exam until after the study period.  I hope everyone understands.

Semester Wrap Up

December 7, 2017 by Richard Flanagan

A couple of things left to do for the semester:

  • I will drop your lowest quiz grade and use your resulting average.
  • Your audit programs are due by Monday December 11th.
  • Your Final exam will be available on Saturday morning, December 16th at 6:00 AM and is due by 11:59 PM on Sunday December 17th. You will have one try at the exam and must answer 75 questions in 90 minutes. Set aside a quiet time to make sure you give yourself every advantage. If you run into any system problems you must call me immediately at 910 880 1254 so that we can work them out. Best of luck on the exam.
  • I will post your final grades by Tuesday, December 19th.

Finally, we want to thank all of you for your hard work and interest in the topic.  We have been telling everyone in the department just how incredible your discussions have been.  You have brought a level of nuance and practicality that we rarely achieve in classroom discussions.  Well done!

Rich

Final Exam

December 7, 2017 by Richard Flanagan

The final exam will be on Blackboard and will be 75 questions. I will post the exam on Saturday December 16th @ 6:00 AM and give you until Sunday night, at 11:59 PM to complete it. You have 90 minutes to complete the exam. If you have any problems with the software you must contact me immediately at 910 880 1254. I recommend you find a quiet place with good connectivity at which to take the exam.

Good luck on the final and call me if you have any questions.

Rich

Week 14: Readings and Case Questions

November 30, 2017 by Richard Flanagan 38 Comments

Reading Questions:

  1. What is the difference between a regulation, a standard, and a maturity model?
  2. Under what conditions might each of these be important to a company?
  3. Why might a company not try to meet all of these in its operation?

The activity for this week is to finish your audit plan project with your team.

Week 13: Readings and Case Questions

November 16, 2017 by Richard Flanagan 87 Comments

Readings

  1. What is the difference between disaster recovery and business continuity?  How are they related?
  2. What makes this so complicated and difficult for organizations?

Activity:  

  1. Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.).  Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure.  Post your plan online.

Rich

Week 12 Wrap-up: IT Security

November 16, 2017 by Richard Flanagan

Great job everyone on the discussion.   If you enjoyed this case I have a few other things you might like:

  • Verizon’s 2015 Data Breach Investigations Report
  • Deloitte Cyber Security Video 1: Companies Like Yours
  • Deloitte Cyber Security Video 2: Evolved

I liked how you referred back to other topics that we have considered in the past 12 weeks.

Let me take you through our view of them:

IT Administrative Controls – really lax both inside iPremier and at the ISP. I get the sense that very little is actually in control here. WoW on company equipment and company time? Poorly organized and poorly run.

IT Governance – There appears to be little knowledge or interest in IT from the executive level of the company. How can this be for a company that runs on an e-platform? Inexcusable. Certainly, there is no conscious effort to guide IT as it supports the business. Ad hoc decision making and a culture of do what’s needed now and we’ll worry about the rest later seems to be at work here.

Enterprise Architecture, IT Strategy, Portfolio Management – There doesn’t seem to be any.

Policy – Again, if they exist, they seem to be on the shelf like the disaster recovery plans.  Even the CEO acknowledged that they needed a closer look at how they did things.

IT Services and Quality – Again, there does not appear to be a disciplined look at what IT services they are using/providing. Furthermore, there is no sense of continuous improvement or some of the Disaster Recovery plans’ problems would have been identified and fixed.

Outsourcing – They picked the ISP because they knew someone?  Really?

Monitoring – Doesn’t appear that they did much beyond the basics of operating a system.  But then, if you haven’t defined any IT services, how could you monitor them?

Risk – No risk culture in the organization, no risk culture in IT.  I’m tempted to say that they looked at Disaster Recovery planning as a compliance issue, not as a control.  They were required to have one, so someone wrote it and put it on the shelf for the auditors to see, but they never did anything with it.

All of this leads to a situation where a breach was eminently possible with a poor response guaranteed.

The whole idea of running an IT organization under control is that you have organizational discipline.  This doesn’t eliminate the potential problems of a security attack or any other risk.  It makes such risks much less likely to occur and it gives you a much better position from which to deal with them if they do occur.  This is the point of everything you will be learning in this program.

Thu & Rich

Week 12: Reading Questions & Case

November 9, 2017 by Richard Flanagan 126 Comments

Reading Questions

  1. What are the risks associated with the 10 processes that Gartner says you must get right?  How do these controls help?
  2. Who or what do you think is the most significant risk to any organization?
  3. Security education is spoken of often.  Why is it important?
  4. Refer back to Week 2’s article on Cybersecurity and Boards.  How do the topics there relate to Gartner’s top 10 security processes?
  5. How much attention do you pay to the security of your device, data, and behaviors?

The iPremier Case

Read the iPremier Case.  Consider these questions when you prepare for our Webex.

  1. How well did the iPremier Company perform during the seventy-five minute attack? If you were Bob Turley, what might you have done differently during the attack?
  2. The iPremier Company CEO, Jack Samuelson, had already expressed to Bob Turley his concern that the company might eventually suffer from a “deficit in operating procedures.” Were the company’s operating procedures deficient in responding to this attack? What additional procedures might have been in place to better handle the attack?

Rich

Week 11: Wrap-up: IT Risk

November 9, 2017 by Richard Flanagan

You all seem to have the notion of risk and response down well. The three risk processes are:

  • Risk Governance – setting the appetite and tolerance of risk for the organization.  The important point here is that IT risk should be treated like any other enterprise risk and the administration of IT risk governance should be part of the way the enterprise manages all its risk.
  • Risk Evaluation – What risks are you facing?  How likely are they?  How much impact will they have if they occur?  The expected outcome of a risk is equal to its likelihood X its impact.  The IT organization will need to deal with any IT Risk whose expected outcome is greater than the enterprise’s risk tolerance for risks of this sort.
  • Risk Response – you can address risks in four ways:
    • Accept it – just go with it (which means raising your risk tolerance if the expected outcome is greater than your current risk tolerance).
    • Transfer it – get insurance so that you alone don’t feel all of the impact of the risk if it comes to be.
    • Mitigate it – put in controls to lessen the likelihood or impact of the risk.  Residual risk is the risk that remains after your mitigation and should be less than your risk tolerance.
    • Avoid it – change what the organization is doing so as not to face the risk anymore.  If you are worried about losing credit card information, don’t take credit cards.

FUD is a major player in all risk discussions and is evidenced in the AWA case. FUD stands for Fear, Uncertainty and Doubt. There are always things that we don’t know or haven’t experienced when thinking about making a change. It’s natural. Both AWA and the EHR case we looked at earlier contained compliance risks. Sure, outsourcing changes the nature of compliance risk although the ownership remains the same. We feel comfortable with what we have always done (do everything ourselves) even if we know we don’t do it well. It takes some courage and a lot of due diligence to look at a new arrangement and see that it’s no worse, maybe even better than what we had before.

This is where controls come in. If you research what could go wrong, talk to others who have already made the move, design and review a set of controls that you think will work and put them in place, then, with audit, you should be able to make it work. In the AWA case, the firms they were looking at are very experienced and professional. Sabre works with over 400 airlines. To me, the risk of doing a good outsourcing deal is minimal as long as AWA pays attention to what it’s doing. The risk of continuing as is and underfunding IT to the point of ruin is far higher.

Rich

Week 11: Readings and Case Questions

November 2, 2017 by Richard Flanagan 115 Comments

Readings

  1. What is the difference between risk appetite and tolerance?
  2. What three types of IT risk are there? Can you give an example of each?
  3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
  4. How can an organization respond to any IT risk?

The All World Airlines Case

Focus your analysis on identifying all of the risks in the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.

Rich
