Instructor Information
Rich Flanagan, Richard.Flanagan@Temple.edu
Office: 209C Speakman Hall, (215) 204-3077 (O), (267) 312-1813 (M)
Office Hours: Tuesday/Thursday 1:00-2:00 and Monday 11:00-12:00
CRN 19834, Section 1
Location: Alter 745
Time: Tuesday 5:30-8:00

Course Objectives
In this course you will learn how to audit an organization's use of its information technology assets. Key topics are:
1. Is the organization using IT to further its business objectives?
2. How does the organization align its IT investments to its business strategy?
3. Does the organization have a strong control environment?
4. Does the organization have an enterprise architecture and a technical direction?
5. Is the organization assessing and managing its IT risks in a controlled way?
6. Is the IT team optimized to deliver the services the organization is expecting?
7. Is the organization getting the value it expects?
By examining how an organization makes IT investment decisions, implements new assets, delivers services, assesses risk and measures its own performance, the IT auditor can assure the organization is meeting its fiduciary, compliance and security responsibilities.

Grading
Item: Percent of Total Points
Participation: 20%
Team Case/Reading/Policy: 30%
Exams (2): 25%
Final Exam: 25%
Total: 100%

Participation
Much of your learning will occur as you prepare for and participate in discussions about the course material. The assignments, cases, and readings have been carefully chosen to bring the real world into class discussion while also illustrating fundamental concepts. To encourage participation, 20% of the course grade is earned by preparing before class and discussing the topics between and in class. Evaluation is based on you consistently demonstrating your engagement with the material. Assessment is based on what you contribute, not simply what you know.
1) Preparation before class
By Sunday midnight, you will send me a brief (1 page) summary of the readings, including the cases, assigned for the upcoming class period (see the course schedule). Bring a copy for your reference during the discussion. Your weekly summary will briefly address and summarize:
a. One key point you took from each assigned reading. (Two or three sentences per reading)
b. One key point you learned from the readings as a whole. (Two or three sentences maximum)
c. One question that you would ask your fellow classmates that facilitates discussion.
Page 1 of 10
2) Participation during class
We will typically start each discussion with opening questions about the assigned readings and case study. I may ask for volunteers, or I may call on you. Students called on to answer should be able to summarize the key issues, opportunities, and challenges in the case study. All students should be prepared to answer these questions. Another important aspect of in-class participation is completion of in-class assignments and contribution to break-out activities.

3) Participation between classes
To facilitate ongoing learning of the course material, we will also discuss course material on the class blog between classes. Please ask any questions about the readings or cases on the blog so all can see the answers. Reading and commenting by all on these posts will further the quality of our in-class discussions. Also, I will post a discussion question on the class blog every Thursday. The question will relate to the assigned reading, a topic discussed in class, or a relevant current event. Every student is expected to read and contribute to the online class discussion each week.

The criteria for participation include attendance, punctuality, level of preparation, professionalism, answering questions, discussing readings, discussing case studies, contributing to group activities, and contributing to a positive learning environment. Recognizing that students sometimes have unavoidable conflicts, the baseline for expected participation is assessed on one less week than the number of assigned weekly write-ups.

Team Assignments
All team assignments will be graded on a fail (70), pass (80), pass high (90) basis. You should read the description of my Grading Criteria (A, B, C) below in this document to understand what you need to achieve for each grade.

Case Study and Reading Analyses
Each team will prepare an in-depth analysis of one case study and one reading assignment during the semester.
Your team will lead the class review of that case or reading. I will provide a list assigning your team to its case and reading. Your team should focus on generating a rich discussion of the materials rather than lecturing on the materials. I expect that you will generate a PowerPoint presentation that covers the materials (with discussion) in 45-60 minutes. You will post your presentation, including notes, on the class blog immediately after class. In the notes section of your PowerPoint presentation I expect that you will document the key points that you want the discussion to cover.

There is no one particular style for a good analysis. There are some common elements to excellent submissions (additional, grade-specific criteria are provided at the end of this syllabus):
- The opening of the analysis makes it immediately clear which material or case study you are covering.
- You have cited specific details regarding key concepts in the readings and key facts and issues about the case. Instead of general observations about information technology or organizations that apply to any problem, draw details from the reading or case study itself.
- Analyses, observations, and suggestions should be tied directly to the key concepts, key facts and issues you identified. You can also draw on the other readings in the course to inform and support your conclusions.
- After analyzing the details of the reading or case study, discuss how its specific issues have broader application. In other words, use your analysis to provide some advice to managerial decision-makers that can be applied to other situations beyond this case.
- Provide a balanced perspective. For example, when making a recommendation explain the pros and cons, providing both the rationale (the why) as well as its feasibility (the how). Well-considered recommendations include discussion of potential issues with your solution and conditions that should be in place for your recommendation to be successful.

Policy Project
For our discussion of IT policies, your team will be assigned a specific IT policy topic to write. Using what you have learned from the Sisco reading, you will write an appropriate policy on the subject for a hypothetical firm that does $50MM of sales with 100 employees and 10 IT people. You will also create a short (maximum 3-5 slides) presentation explaining your policy to the class as if they were employees of the firm. Your team will post a paper copy of both the presentation and policy document that evening.

Exams
We will have two short exams during the semester. These will be multiple-choice tests using practice CISA examination questions. Together these exams are weighted 25% of your final grade.

Final Exam
The final exam will use all multiple-choice CISA practice examination questions. The exam will be comprehensive. Everything we cover during the semester could appear on the final. The final exam is weighted 25% of your final grade.
Class Readings

ISACA Readings
- CISA Review Manual 2012, ISACA.org
- COBIT 5: Enabling Processes, ISACA.org
- The IT Risk Framework, ISACA.org
- IT Governance Using COBIT and Val IT Student Book, 2nd Edition, ISACA.org
- COBIT Quick Start, 2nd Edition, ISACA.org
- What Every IT Auditor Should Know About Proper Segregation of Incompatible IT Activities, Tommie W. Singleton, ISACA Journal
- System Development Life Cycle & IT Audit, Tommie W. Singleton, ISACA Journal
- Audit of Outsourcing, S. Anantha Sayana, ISACA Journal
- IT Audits of Cloud and SAAS, Tommie W. Singleton, ISACA Journal
- What is Your Risk Appetite?, Shirley Booker, ISACA Journal
- What Every IT Auditor Should Know About Cyberforensics, Tommie W. Singleton, ISACA Journal
- DoS Attacks: A Cyberthreat and Possible Solutions, Ajay Kumar, ISACA Journal
- What Every IT Auditor Should Know About Backup and Recovery, Tommie W. Singleton, ISACA Journal
- Auditing Business Continuity, S. Anantha Sayana, ISACA Journal
- Disaster Recovery and Business Continuity Planning: Testing an Organization's Plans, Yusufali F. Musaji, ISACA Journal

Other
- IT Strategic Management Audit/Assurance Program, ISACA Audit Template
- Information Technology Management Framework Roles and Responsibilities, US Department of Housing and Urban Development, portal.hud.gov/hudportal/documents/huddoc?id=34201cioh.pdf
- What is Portfolio Management?, Rad & Levin, AACE International Transactions, 2008
- Managing Quality for Information Technology, http://www.qualitydigest.com/mar99/html/body_itech.html
- Total Quality Management, Chapter 5, Reid, http://www.wiley.com/college/sc/reid/chap5.pdf
- Practical IT Policies & Procedures, M. Sisco (available only online through the library)
- IT Service Management & ITIL, IT Governance

Gartner
To get Gartner articles, log onto TUPortal, select Gartner Gateway (left-hand menu) and search for the article you want by name.
- Understanding IT Controls and COBIT
- Effective Communications: Policies
- Effective Communications: IT Strategy
- Running IT Like a Business
- Analyze the Five Factors That Will Shape Your IT Organization
- Outsourcing Contract Terms and Conditions: An Understanding of the 19 Articles in a Master Service Agreement
- Four Keys to Effective Compliance
- The Security Processes You Must Get Right
- Effective Communications: Performance Dashboards
- Effective Communication: Difficult Communications

Harvard Press
- Six IT Decisions Your IT People Shouldn't Make, Weill and Ross, Harvard Business Review
- IT Governance Archetypes for Allocating Decision Rights, Peter Weill, Jeanne W. Ross, May 13, 2004, Product number: 8087BC-PDF-ENG
- Implement the Operating Model through Enterprise Architecture
- Taking on the Challenge of IT Management in a Global Business Context: The Alcan Case - Part A, Line Dube, Carmen Bernier, Vital Roy, May 01, 2009, Product number: HEC020-PDF-ENG
- MDCM, Inc. (A): Strategic IT Portfolio Management, Mark Jeffery, Joseph F. Norton, Derek Yung, Jan 01, 2006, Product number: KEL172-PDF-ENG
- iPremier (A): Denial of Service Attack (Graphic Novel Version), Robert D. Austin, Jeremy C. Short, Jun 25, 2009, Product number: 609092-PDF-ENG
The Harvard Business School Publishing articles and cases are available from HBSP at the following: https://cb.hbsp.harvard.edu/cbmp/access/20308701
Class Schedule
(Columns of the original table: When, Topics, Readings and Cases, Due, CISA & COBIT 5.)

Week 1: 8/27
Topic: Course Introduction
Readings and Cases: The Stars Air Ambulance Case

Weeks 2-3: 9/3, 9/10
Topics: The Control Environment; IT Governance
Readings and Cases: The Tampa Bay Office Case; IT Governance Using COBIT & Val IT (Chapters 1-3); Understanding IT Controls and COBIT; The Dentdel Case; Six IT Decisions Your IT People Shouldn't Make; Archetypes for Allocating Decision Rights
Due: Team 1
CISA & COBIT 5: pp 45-48, COBIT 5: AP01; pp 82-88, COBIT 5: AP02, AP03

Weeks 4-6: 9/17, 9/24, 10/1
Topics: IT Strategy; The IT Organization; IT Policies 1
Readings and Cases: The Alcan Case; Implement the Operating Model through Enterprise Architecture; Effective Communications: IT Strategy; Exam 1; Analyze the Five Factors That Will Shape Your IT Organization; Information Technology Management Framework Roles and Responsibilities; What Every IT Auditor Should Know About Proper Segregation of Incompatible IT Activities; Practical IT Policies & Procedures; Effective Communications: IT Policies
Due: Teams 5 & 6; Exam 1; Team 2

Week 7: 10/8
Topic: IT Policies 2
Readings and Cases: Individual Policy Project Presentations
Due: Policy Assignments

Weeks 8-11: 10/15, 10/22, 10/29, 11/5
Topics: The IT Project Portfolio; IT Services; Contracting IT Services; Monitoring & the Balanced Score Card
Readings and Cases: The MDCM Case; What is Portfolio Management?; Total Quality Management: Chapter 5; Running IT Like a Business; Managing Quality for Information Technology; System Development Life Cycle & IT Audit; The EHR Case; Outsourcing Contract Terms; Audit of Outsourcing; IT Audits of Cloud and SAAS; Exam 2; Four Keys to Effective Compliance; Effective Communications: Performance Dashboards; Effective Communication: Difficult Communications
Due: Team 3; Team 4; Team 5; Exam 2

CISA & COBIT 5 for weeks 4-11 (in the order given): pp 90-91, COBIT 5: AP08; pp. 97-106, COBIT 5: AP07; pp. 92-94; pp. 91-92, COBIT 5: AP05, AP06; COBIT 5: AP11; COBIT 5: AP09, AP10

Weeks 12-13: 11/12, 11/19
Topics: Risk 1; Risk 2
Readings and Cases: The All World Airlines Case; The IT Risk Framework, pp 1-42; What is Your Risk Appetite?; The Security Processes You Must Get Right; What Every IT Auditor Should Know About Cyberforensics; The iPremier Case; DDoS Attacks: A Cyberthreat and Possible Solutions; What Every IT Auditor Should Know About Backup and Recovery; Auditing Business Continuity; Disaster Recovery and Business Continuity Planning: Testing an Organization's Plans
Due: Teams 3 & 4; Teams 2 & 6
CISA & COBIT 5: pp 94-97, COBIT 5: AP12, AP13; pp 99-102; pp 113-126

Thanksgiving week: No class

Week 14: 12/3
Topic: Maturity Models
Readings and Cases: The City Medical Case; Self-assessment Guide: Using COBIT 5; IT Strategic Management Audit/Assurance Program
Due: Team 1
CISA & COBIT 5: pp 61-64, 91

12/5-6: No class (study period)
12/10: Final exam, 5:45-7:45, in our classroom
Grading Criteria
The following are the criteria used for evaluating assignments. You can roughly translate a letter grade as the midpoint in the scale (for example, an A- equates to a 91.5).

A- or A: The assignment consistently exceeds expectations. It demonstrates originality of thought and creativity throughout. Beyond completing all of the required elements, new concepts and ideas are detailed that transcend general discussions along similar topic areas. There are few mechanical, grammatical, or organizational issues that detract from the ideas.

B-, B, B+: The assignment consistently meets expectations. It contains all the information prescribed for the assignment and demonstrates a command of the subject matter. There is sufficient detail to cover the subject completely but not so much as to be distracting. There may be some procedural issues, such as grammar or organizational challenges, but these do not significantly detract from the intended assignment goals.

C-, C, C+: The assignment fails to consistently meet expectations. That is, the assignment is complete but contains problems that detract from the intended goals. These issues may relate to content detail, be grammatical, or be a general lack of clarity. Other problems might include not fully following assignment directions.

Below C-: The assignment constantly fails to meet expectations. It is incomplete or in some other way consistently fails to demonstrate a firm grasp of the assigned material.

Additional Information

Availability of Instructor
Please feel free to use office hours (without an appointment) to discuss any issues related to this class. While every student is encouraged to visit with me during office hours to help them gain a better understanding of material which they didn't fully understand when they were in class, office hours are NOT for helping students catch up on material they missed because they were absent.

Attendance Policy
Class discussion is intended to be an integral part of the course. Accordingly, full attendance is expected by every member of the class. If you are absent from class, speak with your classmates to catch up on what you have missed.
Exams
There will be two examinations during the semester. The exams cannot be made up, regardless of the reason for absence.

Class Etiquette
Please be respectful of the class environment. Class starts promptly at the start time. Please make EVERY effort to be on time, as I will communicate important information in the first few minutes of class. Cell phones must be turned off and put away during class. Refrain from personal discussions during class. Please leave the room if you need to speak to another student for more than a few words. If a student cannot refrain from engaging in private conversation and this becomes a pattern, the student will be asked to leave the classroom to allow the remainder of the students to work.

Appropriate use of Technology in the classroom
Please turn off cell phones at the start of class. If you have an urgent, personal situation and may be receiving an important phone call during class, please let me know this at the beginning of class, sit near the door, and step out of the classroom if you need to take a call. Please bring your laptop or tablet to class. We want to explore these topics and there is a wealth of materials available online. I do expect that you will use your laptop for our course only while in class.

Plagiarism, Academic Dishonesty and Citation Guidelines
If you use text, figures, and data in reports that were created by others, you must identify the source and clearly differentiate your work from the material that you are referencing. If you fail to do so you are plagiarizing. There are many different acceptable formats that you can use to cite the work of others (see some of the resources below). The formats are not as important as the intent. You must clearly show the reader what is your work and what is a reference to somebody else's work. Plagiarism is a serious offense and could lead to reduced or failing grades and/or expulsion from the university.
The Temple University Student Code of Conduct specifically prohibits plagiarism (see http://www.temple.edu/assistance/udc/coc.htm). The following excerpt defines plagiarism:

"Plagiarism is the unacknowledged use of another person's labor, ideas, words, or assistance. Normally, all work done for courses (papers, examinations, homework exercises, laboratory reports, oral presentations) is expected to be the individual effort of the student presenting the work. There are many forms of plagiarism: repeating another person's sentence as your own, adopting a particularly apt phrase as your own, paraphrasing someone else's argument as your own, or even presenting someone else's line of thinking in the development of a thesis as though it were your own. All these forms of plagiarism are prohibited both by the traditional principles of academic honesty and by the regulations of Temple University. Our education and our research encourage us to explore and use the ideas of others, and as writers we will frequently want to use the ideas and even the words of others. It is perfectly acceptable to do so; but we must never submit someone else's work as if it were our own; rather we must give appropriate credit to the originator."

Source: Temple University Graduate Bulletin, 2000-2001. University Regulations, Other Policies, Academic Honesty. Available online at: http://www.temple.edu/gradbulletin/

For a more detailed description of plagiarism:
o Princeton University Writing Center on Plagiarism: http://web.princeton.edu/sites/writing/writing_center/wcwritingres.htm

How to successfully quote and reference material:
o University of Wisconsin Writers Handbook: http://www.wisc.edu/writing/handbook/quotingsources.html

How to cite electronic sources:
o Electronic Reference Formats Recommended by the American Psychological Association: http://www.apastyle.org/elecmedia.html