
MIS 5202 IT Governance

Temple University

Richard Flanagan

Audit Proposal Project

November 2, 2017 by Richard Flanagan

The Audit Proposal Projects are due on Monday, December 11. The Fall Break is a great time for teams to complete the project, or at least to get a good start. You will have to submit your team’s Audit Program Proposals (both document and video) as posts and assign a category of week 14.

To help you get started, here is a link to a previously submitted audit plan for an acceptable use policy. Again, the format is relatively unimportant, but the coverage of key concepts is important: a policy’s goals, the controls that exist, how you can collect evidence of sufficiency and effectiveness, etc. http://community.mis.temple.edu/mis5202online2016/files/2016/07/JTT-and-WAT-Partnership-Proposal-2-2.pdf

 

Week 10 Wrap-Up: STARS IT Balanced Scorecard

November 2, 2017 by Richard Flanagan

There were a lot of good ideas about what metrics to include for Stars. A few of you focused too much on metrics that were internal to IT’s operation. This is a common mistake for IT people. The business is more interested in what IT is contributing, not how they do it. The project portfolio is important because it is the overt link to business strategy. If you are funding projects that don’t align with your strategy or the business’ goals, it should come out here. ROI is very hard to measure but you should try to, even if it’s by business process metrics, not dollars.

Here are our thoughts:

Business Investments

  1. Listed by key business goal – Business process metrics highlighted for each goal over time, IT projects and total funding related to each goal. Goal is to show improvement on the business process metrics over time.
  2. IT investments linked to goal, projected ROI, funded or not, goal is to show alignment of dollars
  3. IT projects currently underway, goal is 100% on time, on budget, on scope
    1. Percentage on time
    2. Percentage on budget
    3. Percentage on scope
  4. Problem projects listed with issues, goal is transparency – no surprises

Financial

  1. Current spend compared to budget, prior year and current re-forecast.
  2. Budget spending by run-the-engine and discretionary investments – Goal, reduce the former, increase the latter
  3. Consulting Fees – RISK – Show consulting fees over time with goal to reduce them
  4. Asset inventory – RISK – Show the collection of IT assets and percentage out of support with goal to reduce.

Operations

  1. Current availability data, goal is no unplanned downtime
  2. Disruptions this year and root causes of each – goal to eliminate all
  3. Most frequent help desk calls by type with analysis of key issues and response
  4. Current customer satisfaction metric over time, goal to increase
  5. RISK – highlight calls/disruptions connected to out-of-support assets

Rich

 

Class December 6th Cancelled

October 27, 2017 by Richard Flanagan

As I mentioned in class, I have to attend a family commitment on the evening of December 6th so I will need to cancel that class.  As agreed Wednesday night, I will run a semester review session on Friday, December 8th at 6:30 pm to help you prepare for the final exam.

Week 10: Readings and Case Questions

October 26, 2017 by Richard Flanagan 133 Comments

Readings

  1. Why so much interest in measuring? Isn’t it overkill to try to measure everything? How would you want your organization to decide?
  2. If you were a CIO, what metrics would you want? How many is reasonable to have?
  3. Assuming you have more metrics than can fit on one balanced scorecard what would you do? How would you handle it organizationally?
  4. How can measurements become obstacles to change?
  5. What measures are being used in your organization?  Do they make sense?

The Star Ambulance Case: Take Two

Reread the Star Ambulance Case and think about what metrics you would want on your BSC if you were the CIO. Mock up what your BSC would look like and post it on the class blog.

Rich

Week 9 Wrap-up: Outsourcing

October 26, 2017 by Richard Flanagan

Once you start viewing what IT does as services, you then start thinking about a couple of questions:

  1. How well do we perform this service compared to others?
  2. How much is it costing us?
  3. Could someone else do it cheaper? Better? Both?

Once that happens, you start thinking about outsourcing, a very emotionally charged topic no matter what level of outsourcing you are contemplating. If you are just bringing in a specialist you might alienate one of your best technical people by not giving her the opportunity to learn a new skill. If you are outsourcing an entire business process like Human Resources, you are talking about eliminating most of your own HR people and all of the IT people who supported the HR applications. It’s never easy.

As an auditor you need to remember that all the original process risks remain and some new ones are added. You need to think about the purpose for the relationship: is the organization realizing the value it anticipated? Consider how the process is working: are the SLAs being met? How is the relationship being managed? What are the procedures for reconciling a dispute? Have they been used? These issues lead many organizations to dismiss outsourcing out of hand.

That’s unfortunate, as often there are considerable advantages beyond cost. Consider a small company like a $10MM mental health agency. If the agency outsources all of its systems to a cloud provider, they are still responsible for:

  • All the compliance risks
  • Desktop security risks
  • Data communication security (VPN?)
  • Account provisioning risks
  • General IS Security policy and employee compliance risks
  • Data quality risk, etc.

On the other hand, think of the risks that a professional IT shop is now managing.

  • Application availability risks
  • Application update risks
  • Infrastructure update risks
  • Network security risks
  • Infrastructure security risks
  • Backup and recovery risks, etc.

While different decision makers might legitimately make different decisions in this case, I think most knowledgeable IT professionals would conclude that outsourcing to the cloud provider represents the lowest total risk for the organization.

Rich

Week 9: Readings and Case Questions

October 19, 2017 by Richard Flanagan 138 Comments

Readings

  1. What different kinds of IT outsourcing are there?
  2. What is business process outsourcing and how is it related to IT?
  3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
  4. What is the difference between an outsourcing contract and a statement of work?  Which should you be interested in as an auditor? Why?
  5. What are the different reasons a firm may wish to outsource a particular function or process?

Crafting and Executing an Offshore IT Sourcing Strategy: GlobShop’s Experience

Think about these questions as you prepare for next week’s Webex.

  1. If you were auditing GlobShop’s move to offshoring, how would you evaluate their decision? Did they do the right thing? Why or why not? What evidence do you see?
  2. Briefly list the critical challenges that GlobShop faced in executing its offshore strategy. What would you look for if you were auditing the implementation of this outsourcing deal?
  3. Suppose GlobShop moved its more mission-critical activities offshore. How would your audit of the relationship change?

Rich

Week 8 Wrap-up: IT Services and Quality

October 19, 2017 by Richard Flanagan

This is such an important topic that I dedicate one whole course (MIS 5205) to it in the IT audit track.  Any IT organization is, first and foremost, a service organization.  IT is there to provide valuable services to the organization.  Once these services are identified, a definition of what quality should look like for that service is possible.  With it, you can distinguish a quality outcome from a defect.  Doing this allows you to identify a defect rate per 100 services, say 10% defects whenever the service is executed.  Is this good or bad?  It depends, but for IT operations even a 99+% rate is often not good enough.  Would you get on an airplane if they crashed 1 time in 100?

Total Quality Management (TQM) has impacted the world as much as information technology over the last 30-40 years. The fact that they reinforce each other is one of the reasons why. TQM started when an American engineer, Deming, was ignored in his own country and found a home for his ideas in Japan. They have since taken over the world. Many of the improvements that we think of as everyday assurances (Will your FedEx package get there tomorrow?) are thanks to the quality movement.

Burn these ideas into your memory and they will help you whatever you are doing (Reid, Chapter 5).

  • Customer focus – Goal is to identify and meet customer needs.
  • Continuous improvement – A philosophy of never-ending improvement.
  • Employee empowerment – Employees are expected to seek out, identify, and correct quality problems.
  • Use of quality tools – Ongoing employee training in the use of quality tools.
  • Product design – Products need to be designed to meet customer expectations.
  • Process management – Quality should be built into the process; sources of quality problems should be identified and corrected.
  • Managing supplier quality – Quality concepts must extend to a company’s suppliers

Rich

Week 8: Readings and Case Questions

October 12, 2017 by Richard Flanagan 127 Comments

Readings

  1. What do you think are the key principles of the total quality movement?
  2. Why is empowerment so important to TQM?
  3. Name 5 IT services and do a flow diagram of one.
  4. Who decides what quality looks like for an organization’s IT function?
  5. What does all of this have to do with IT?

The Claim Proof Insurance Case

Change management is an essential control in any IT organization. What does quality mean in the context of change management and how well is Claim Proof doing in attaining a high quality change process?  Please post your responses.

Rich

Week 7 Wrap-up: Policy

October 12, 2017 by Richard Flanagan

Up until now we have been talking mainly about doing the “Right Things”. Policy is our first topic focused on “Done Right”. The basic idea of policies is that they simplify decision making and encourage consistent organizational behavior. The idea works something like this:

  1. Senior management desires the organization to follow a certain objective behavior. This may be because it’s required by the law or because it’s something they choose to do voluntarily.
  2. It is impossible, or impractical, for senior management to make all the decisions that are necessary to achieve this objective.
  3. Instead, management approves a policy that describes its objective and how they expect the organization to make related decisions and behave in a  compliant manner.  The policy may also set up a structure or role to which it delegates additional policy making responsibility in relation to this objective.
  4. The larger the organization, and the more complex the behavior associated with the objective, the more likely it is that there will be several related policies organized under an overview policy.
  5. At the end of the day, an employee facing a decision on how to behave in a certain situation should be able to look at the policy and decide for him or herself what to do.

Once available, a policy is apt to generate any number of standards, guidelines and procedures that are intended to help realize the objective. These can all be thought of as controls. Thus, a security policy may say that employees will have unique userids (with least privileged access) and are accountable for how their userids are used. This generates any number of controls, from how userids are provisioned, who needs to approve a new role, what tasks are not permitted in the same role, what passwords are acceptable, how often they need to be changed, etc. These controls are then audited to see if the organization’s controls, if followed, will enable the objective to be met (sufficiency) and how well each control works (effectiveness).

 

Rich

Week 7: The Policy Project

October 5, 2017 by Richard Flanagan 2 Comments

Readings

There will be no reading questions this week.

Policy Project

Work with your team and pick one of the security topics listed below that interests you. Use the readings as a guide to write a comprehensive policy statement for the topic. They are usually on the order of 3-5 pages. Then, prepare a 5 minute or less presentation (Thu’s section)/video (Rich’s section) that introduces your new policy to the employees of your hypothetical company.

The possible topics are:

  • Data Destruction Policy
  • Social Security Number Policy
  • Remote Access Policy
  • Electronic Document Retention Policy
  • Memory Drive Usage Policy

As a help to understanding what we want, here is a link to an acceptable use policy submitted in a previous semester. You should not copy the format exactly, but think about what’s covered, the level of detail, references, etc.

http://community.mis.temple.edu/mis5202online2016/files/2015/10/Initech_Acceptable_Use_Policy.pdf
