MIS 5202 – IT Governance Fall 2017 Section 011
Office hours by appointment call: 215-866-8400
Community site- https://community.mis.temple.edu/mis5202sec001fall17/
Class Location and Time: Room A602 at 5:30PM – 8:00PM, Wednesdays
In this course you will learn the best practices for managing IT organizations in a controlled environment to deliver value to the organization. Students learn how to assess whether an organization has created a control environment, aligned its efforts with corporate strategy, delivers projects and services efficiently, and manages the risks IT systems introduce to the organization.
In this course you will learn how to audit an organization’s use of its information technology assets. Key topics are:
- Is the organization using IT to further its business objectives?
- How does the organization align its IT investments to its business strategy?
- Does the organization have a strong control environment?
- Does the organization have information architecture and a technical direction?
- Is the organization assessing and managing its IT risks in a controlled way?
- Is the IT team optimized to deliver the services the organization is expecting?
- Is the organization getting the value it expects?
By examining how an organization makes IT investment decisions, implements new assets, delivers services, assesses risk and measures its own performance, the IT auditor can assure the organization is meeting its fiduciary, compliance and security responsibilities.
|Item||Percent of Total Points|
This class is held weekly on Wednesdays for 14 weeks. All reading assignments for a given class must be completed before that Wednesday's class. Submit answers to case studies by the Tuesday before class.
The assignments, cases, and readings have been carefully chosen to bring the real world into class discussion while also illustrating fundamental concepts. Your participation in the online and class discussions is critical. Evaluation is based on you consistently demonstrating your engagement with the material. Assessment is based on what you contribute. The participation and quality of your contributions are equally important.
Weekly Case Analysis
Most of your weekly assignments will be case analyses. Instructions for each week’s assignment will be included in the Weekly post. Typically, I will post several questions about the case or instructions for an assignment. You must come to class prepared to discuss all of these questions in detail on weeks when we have a class. I expect you to discuss the case in class.
There is no one particular style for a good case study analysis, but there are some common elements to excellent contributions.
- Be clear about the questions and your position on them. Take a position.
- Instead of general observations about IT governance or organizations that apply to any problem, draw details from the case study itself. Analyses, observations, and suggestions should be tied directly to those key facts and issues. You can also draw on the other readings in the course to inform and support your arguments.
- After analyzing the details of the case study, think about how its specific issues have broader application. In other words, use your analysis to provide some advice to managerial decision-makers that can be applied to other situations beyond this case.
- Provide a balanced perspective. For example, when making a recommendation explain the pros and cons, providing both the rationale (the why) as well as its feasibility (the how).
For our discussion of IT policies, your team will write a specific IT security policy on one of the topics listed below. Using what you have learned from the readings and your own research, you will:
- Write an appropriate policy for a hypothetical firm that does $50MM of sales with 100 employees and 10 IT people.
- Identify the controls that will need to be put in place to ensure the policy is followed.
- Create a short (maximum 5 minute) video that explains the policy and why it is vital to the employees of your hypothetical company.
Your team will post both the video and your policy document on the class blog. We will have in-class discussion on all audit programs created by each team.
You must choose to work on one of the following policies:
- Data Destruction Policy
- Social Security Number Policy
- Remote Access Policy
- Electronic Document Retention Policy
- Memory Drive Usage Policy
Audit Plan Project
One of the learning goals of this class is to prepare you to audit a company's IT governance capabilities. Your team will prepare an audit program for one of the policies your peers wrote in Week 7. You will be auditing the same hypothetical firm that does $50MM of sales with 100 employees and 10 IT people. Since you are already an expert on one of the following policies, you will need to prepare your audit program to audit the controls (for both sufficiency and effectiveness) you suggested in Week 7.
- Data Destruction Policy
- Social Security Number Policy
- Remote Access Policy
- Electronic Document Retention Policy
- Memory Drive Usage Policy
You will create:
- An outline (Excel or Word, max 3 pages) that covers all the goals of your audit, the areas you need to consider in your audit program and how you will gather evidence for each to justify your conclusion on each area.
- A similar short video that you would use to sell the company’s audit committee on the soundness of your audit plan.
Your team will post its audit program and video on the class blog for others to consider. We will have in-class discussion on all audit programs created by each team.
For eleven weeks of the semester you will have a quiz to complete each week on the previous week's material. These quizzes are on Blackboard and consist of a combination of five CISA or CISSP practice exam questions and/or short-answer questions. You can take the quiz anytime between Thursdays at 6:00 AM and Tuesdays at 11:59 PM. Once you start the quiz you will have 15 minutes to complete it. You will not be able to stop, go back or otherwise extend the time. Be sure you are ready to go and have the time available before you start the quiz. Late work will not be accepted.
The final exam will also be on Blackboard and will consist entirely of multiple-choice CISA practice examination questions. The exam will be comprehensive: everything we cover during the semester could appear on the final. The final exam consists of 80 questions and you will have 90 minutes to complete it. The exam will be given during exam week.
The following are the criteria used for evaluating assignments. You can roughly translate a letter grade as the midpoint in the scale (for example, an A- equates to a 91.5).
| Criteria | Grade |
|---|---|
| The assignment consistently exceeds expectations. It demonstrates originality of thought and creativity throughout. Beyond completing all of the required elements, new concepts and ideas are detailed that transcend general discussions along similar topic areas. There are few mechanical, grammatical, or organization issues that detract from the ideas. | A- or A |
| The assignment consistently meets expectations. It contains all the information prescribed for the assignment and demonstrates a command of the subject matter. There is sufficient detail to cover the subject completely but not so much as to be distracting. There may be some procedural issues, such as grammar or organizational challenges, but these do not significantly detract from the intended assignment goals. | B-, B, B+ |
| The assignment fails to consistently meet expectations. That is, the assignment is complete but contains problems that detract from the intended goals. These issues may relate to content detail, be grammatical, or be a general lack of clarity. Other problems might include not fully following assignment directions. | C-, C, C+ |
| The assignment constantly fails to meet expectations. It is incomplete or in some other way consistently fails to demonstrate a firm grasp of the assigned material. | Below C- |
Plagiarism, Academic Dishonesty and Citation Guidelines
If you use text, figures, or data in reports that were created by others, you must identify the source and clearly differentiate your work from the material that you are referencing. If you fail to do so you are plagiarizing. There are many different acceptable formats that you can use to cite the work of others (see some of the resources below). The formats are not as important as the intent. You must clearly show the reader what is your work and what is a reference to somebody else's work.
Plagiarism is a serious offence and could lead to reduced or failing grades and/or expulsion from the university. The Temple University Student Code of Conduct specifically prohibits plagiarism (see http://www.temple.edu/assistance/udc/coc.htm).
The following excerpt defines plagiarism:
Plagiarism is the unacknowledged use of another person’s labor, ideas, words, or assistance. Normally, all work done for courses — papers, examinations, homework exercises, laboratory reports, oral presentations — is expected to be the individual effort of the student presenting the work. There are many forms of plagiarism: repeating another person’s sentence as your own, adopting a particularly apt phrase as your own, paraphrasing someone else’s argument as your own, or even presenting someone else’s line of thinking in the development of a thesis as though it were your own. All these forms of plagiarism are prohibited both by the traditional principles of academic honesty and by the regulations of Temple University. Our education and our research encourage us to explore and use the ideas of others, and as writers we will frequently want to use the ideas and even the words of others. It is perfectly acceptable to do so; but we must never submit someone else’s work as if it were our own, rather we must give appropriate credit to the originator.
Source: Temple University Graduate Bulletin, 2000-2001. University Regulations, Other Policies, Academic Honesty. Available online at: http://www.temple.edu/gradbulletin/
- For a more detailed description of plagiarism:
- Princeton University Writing Center on Plagiarism:
- How to successfully quote and reference material:
- University of Wisconsin Writers Handbook
- How to cite electronic sources:
- Electronic Reference Formats by the American Psychological Association
| Source | Reading |
|---|---|
| | CISA Review Manual 2017, ISACA.org |
| | COBIT 5: Enabling Processes, ISACA.org |
| | The Risk IT Framework, ISACA.org |
| | "What Every IT Auditor Should Know About Proper Segregation of Incompatible IT Activities", Tommie W. Singleton, ISACA Journal, https://www.isaca.org/Journal/archives/2012/Volume-6/Pages/What-Every-IT-Auditor-Should-Know-About-Proper-Segregation-of-Incompatible-IT-Activities.aspx |
| | "Segregating Your Technology Personnel", Daniel Shaffer, SANS Institute, https://www.giac.org/paper/gsec/261/segregating-technology-personnel/100853 |
| | "From IT Governance to Value Delivery", by Craig Symons, ISACA Journal, http://www.isaca.org/Groups/Professional-English/it-value-delivery/GroupDocuments/From%20IT%20Governance%20to%20value%20delivery.pdf |
| | "Audit of Outsourcing", S. Anantha Sayana, ISACA Journal |
| | "The IT Balanced Scorecard Revisited", Alec Cram, ISACA Journal |
| | "What is Your Risk Appetite?", Shirley Booker, ISACA Journal |
| | "DoS Attacks—A Cyberthreat and Possible Solutions", Ajay Kumar, ISACA Journal |
| | "Auditing Business Continuity", S. Anantha Sayana, ISACA Journal |
| Other | Uber's Data Privacy & Security FTC suit case study |
| | "Simple Ethics for Better Risk Management", https://hbr.org/2016/11/simple-ethics-rules-for-better-risk-management |
| | "Implementing Board Oversight of Cybersecurity", Richard Flanagan & Janet Yeomans |
| | "Roles and Responsibilities", portal.hud.gov/hudportal/documents/huddoc?id=itm_roles.pdf |
| | "Enterprise Architecture: Don't be a Fool with a Tool", Jason Bloomberg, http://www.forbes.com/sites/jasonbloomberg/2014/08/07/enterprise-architecture-dont-be-a-fool-with-a-tool/ |
| | "How enterprise architects can help ensure success with digital transformations", http://how-enterprise-architects-can-help-ensure-success-with-digital-transformations |
| | "Five Questions Boards should ask about...IT", http://www.mckinsey.com/business-functions/business-technology/our-insights/five-questions-boards-should-ask-about-it-in-a-digital-world |
| | "Policy and Policy Making", http://www.referenceforbusiness.com/encyclopedia/Per-Pro/Policies-and-Policy-Making.html |
| | "How to Write an Information Security Policy", Jennifer Bayuk, http://www.csoonline.com/article/2124114/strategic-planning-erm/how-to-write-an-information-security-policy.html |
| | "Project Portfolio Management", http://community.mis.temple.edu/mis5202online2016/files/2016/07/ProjectPortfolioMgtTrenchesPennypacker.pdf |
| | "Managing Quality for Information Technology" |
| | "Total Quality Management, Chapter 5", Reid, http://www.wiley.com/college/sc/reid/chap5.pdf |
| | "5 Ways Your Vendor Management Program Leaves You In The Dark", https://drive.google.com/a/temple.edu/file/d/0B8S2SZTC04ViYkhJc2FtZG0zWHM/view?usp=sharing |
| | "Cybersecurity after WannaCry: How to Resist Future Attacks", https://www.strategy-business.com/blog/Cybersecurity-After-WannaCry-How-to-Resist-Future-Attacks?gko=22163 |
| | "Cyber Terrain: A Model for Increased Understanding of Cyber Activity", https://www.linkedin.com/pulse/20141007190806-36149934-cyber-terrain-a-model-for-increased-understanding-of-cyber-activit |
| Gartner | To get Gartner articles, log onto TUPortal, select Gartner Gateway (left-hand menu) and search for the article you want by name |
| | "Understanding IT Controls and COBIT" |
| | "Outsourcing Contract Terms and Conditions: An Understanding of the 19 Articles in a Master Service Agreement" |
| | "Effective Communications: Performance Dashboards" |
| | "Survey Analysis: Risk Management, 2013" |
| | "The Security Processes You Must Get Right" |
| | "Foundations of Business Continuity" |
| Harvard Press | Harvard publications are available only as a course pack at: http://cb.hbsp.harvard.edu/cbmp/access/57243855 |
| | Strategic IT Transformation at Accenture, Mark Jeffery; Daniel Fisher; Mirron Granot; Anuj Kadyan; Albert Pho; Carlos Vasquez, KEL471-PDF-ENG |
| | IT Governance Archetypes for Allocating Decision Rights, Peter Weill, Jeanne W. Ross, May 13, 2004, Product number: 8087BC-PDF-ENG |
| | MDCM, Inc. (A & B): Strategic IT Portfolio Management, Mark Jeffery, Joseph F. Norton, Derek Yung, Jan 01, 2006, Product number: KEL172-PDF-ENG |
| | Crafting And Executing An Offshore IT Sourcing Strategy: GlobShop's Experience, C. Ranganathan; Poornima Krishnan; Ron Glickman, Product #: JIT015-PDF-ENG |
| | iPremier: Denial of Service Attack (Graphic Novel Version A, B, C), Robert D. Austin, Jeremy C. Short, Jun 25, 2009, Product number: 609092-PDF-ENG |
| CISSP Manual Governance Materials | Chapter 1 (page numbers follow each topic): Security Frameworks 13-16; Intellectual Property Laws 62-68; Privacy 70-81; Data Breach Laws 84-85; Policy, Standards, Baselines, Guidelines, Procedures 86-93; Info System Risk Mgmt Policy 95; Risk Management Frameworks 126-130; Security Governance 159; Ethics 165-168 |
| | Retention Policy 206; Key Mgmt 406-407; Security Principles 723-724; Reporting 905-907; Management Review 908-911; Roles of Operations Dept 924; Administrative Mgmt 925-930; Compliance 1060 |
Weekly Schedule (Week, Date, Topic, Reading & Assignments)

Week 1 (8/30): Introduction to IT Governance; knowledge gap quiz (Blackboard); Uber's Data Privacy & Security FTC suit case study
Reading & Assignments:
1. ISACA Manual (26th Edition) pgs 85-86, Sections 2.0 and 2.3.1
2. CISSP Manual Governance Materials: Policy, Standards, Baselines, Guidelines, Procedures, pages 86-93; Security Governance, page 159
3. Star Information System Case Study

Week 2 (9/6): IT's Role & the Control Environment
Reading & Assignments:
1. ISACA Manual (26th Edition) pgs 91-92; pgs 111-116, Sections 2.10.0 - 2.10.03
2. CISSP Manual Governance Materials: Security Frameworks pgs 13-16; Ethics pages 165-168; Roles of Operations Dept. pg 924; Key Mgmt pgs 406-407
3. "Segregating Your Technology Personnel", Daniel Shaffer, SANS Institute, https://www.giac.org/paper/gsec/261/segregating-technology-personnel/100853
4. IPPF - Practice Guide: Auditing the Control Environment, pgs 1-5
5. "Enhancing IT Governance With a Simplified Approach to Segregation of Duties", ISACA, Kevin Kobelsky

Week 3 (9/13): IT Administration Controls
Reading & Assignments:
1. ISACA Manual (26th Edition) pgs 86-87, Sections 2.3.1-2.3.3; pgs 94-95, Sections 2.5-2.6; pgs 109-111, Section 2.9; pgs 256-258, Section 4.2.3
2. CISSP Manual Governance Materials: Reporting pgs 905-907; Management Review pgs 908-911
3. "From IT Governance to Value Delivery", by Craig Symons, ISACA Journal
4. ISACA Journal Volume 6 Podcast: "Performance Measurement Metrics for IT Governance", ISACA Journal, Sunil Bakshi, https://www.isaca.org/Journal/archives/2016/volume-6/Pages/performance-measurement-metrics-for-it-governance.aspx

Week 4 (9/20): Enterprise Architecture
Reading & Assignments:
1. "Enterprise Architecture Plays a Key Role in IT Governance", Gartner Webinar, https://www.gartner.com/webinar/1770316
2. "How enterprise architects can help ensure success with digital transformations", Oliver Bossert and Jürgen Laartz
3. "Rethink EA as an Internal Management Consultancy to Rapidly Deliver Business Outcomes", Gartner, Marcus Blosch, Betsy Burton, Mike J. Walker

Week 5 (9/27): IT Strategy
Reading & Assignments:
1. ISACA Manual (26th Edition), Information System Strategy, pgs 93-95, Section 2.4
2. Read Effective Communication: IT Strategy
3. Read case study Caselet: DentDel Inc.
4. Read Getting Started with an Effective IT Strategic Planning Process

Week 6 (10/4): Project Portfolio Management
Reading & Assignments:
1. Read Service Portfolio Management Optimization
2. Read case study NDMC

Week 7 (10/11): Policy
Reading & Assignments:
1. ISACA Manual (26th Edition) pgs 96-98, Section 2.7.1
2. CISSP Manual Governance Materials: Policy, Standards, Baselines, Guidelines, Procedures, pages 86-93
3. Read How to Write Info Security Policy
4. Read Policy and Policy Making

Week 8 (10/18): IT Services & Quality
Reading & Assignments:
1.
2. "From IT Governance to Value Delivery", by Craig Symons, ISACA Journal
3. ISACA Journal Volume 6 Podcast: "Performance Measurement Metrics for IT Governance", ISACA Journal, Sunil Bakshi, https://www.isaca.org/Journal/archives/2016/volume-6/Pages/performance-measurement-metrics-for-it-governance.aspx
4. Read Four Key IT Service Management
6. Read Service Management ITIL and Process Optimizing IT Delivery Model

Week 9 (10/25): Outsourcing
Reading & Assignments:
1. ISACA Manual (26th Edition) pgs 102-107, Section 2.9.2
2. CISSP Manual Governance Materials: Info System Risk Mgmt Policy, pg 95
3. Read IT Offshoring Case study answer

Week 10 (11/1): Monitoring and Evaluating IT
Reading & Assignments:
1. ISACA Manual (26th Edition) pgs 100-101, Section 2.9
2. Read Case ISACA Claim proof Insurance
3. Read https://www.ftc.gov/news-events/audio-video/video/segment-monitor-your-network

Week 11 (11/8): IT Risk
Reading & Assignments:
1. ISACA Manual (26th Edition) pgs 98-100, Section 2.8
2. CISSP Manual Governance Materials: Risk Management Frameworks, pgs 126-130
3. Read http://www.isaca.org/Knowledge-Center/Research/Documents/Information-Risks-Whose-Business-are-They_res_Eng_0510.pdf

Week 12:
Reading & Assignments:
1. ISACA Manual (26th Edition) pgs 89-91, Section 2.3.4
2. CISSP Manual Governance Materials: Security Governance, page 159; Security Principles 723-724
3. Uber's Data Privacy and Security FTC suit
4. iPremier case studies B & C

Week 13 (11/29): Disaster Recovery and Business Continuity
Reading & Assignments:
1. ISACA Manual (26th Edition) pgs 119-130, Sections 2.12 and 2.13

Week 14 (12/6): Laws, Regulations, and Standards of IT Systems & Critical Infrastructures