IS 657: INFORMATION SYSTEMS GOVERNANCE AND RISK MANAGEMENT

A. APPROACH TO COURSE DEVELOPMENT

This graduate course provides a survey of information systems (IS) governance and risk management, with the purpose of introducing to the students, and establishing with them, the concepts and framework of an integrated, holistic approach to organization-wide governance and risk management. The approach ensures that an organization acts ethically, in accordance with its risk appetite and tolerance and with its internal policies and external regulations, and that, through the alignment of strategy, processes, technology, and people, it achieves its strategic goals efficiently and effectively.

In the course development process, reviews from internal and external colleagues on the content of the course materials, delivery, and pedagogy will be solicited. A pilot study will be conducted on a focus group of potential students. Opinions and suggestions from regional businesses will be actively sought. Feedback from students and professionals on early class sessions will be incorporated to refine the future course content and pedagogy. Guest speakers will be invited to share with the class their insights on practices in the industry; this is significantly more prominent in, and critical for, this course than for many other courses in the accounting and IS fields, because the course covers a very wide spectrum of important information systems topical areas, such as strategic alignment, structure and policy, ethics, security, risk management, project management, and architecture and infrastructure.

B. STUDENT LEARNING OBJECTIVES

On completion of this course, students should have a good understanding of the following:

• framework and standards for IS governance and IS risk management;

• alignment of IS with the strategic goals of business, and IS performance assessment;

• ethical issues in IS decision making and IS control;

• principles and procedures of IS project management;

• IS risk analysis and risk mitigation;

• IS security management: principles, control structure, procedure, and infrastructure.

These Course SLOs are mapped to objectives 1, 2, 3, 4, and 6 of the MSA Program SLOs.

Student performance in the course will be assessed through a variety of methods, including homework assignments, case analyses, research papers, tests, and class participation.

C. PRELIMINARY SYLLABUS

COURSE DESCRIPTION

Prerequisite: IS 628 or IS 630. Provides an overview of information systems (IS) governance and information risk management. The course stresses the importance of the alignment of IS governance to business objectives and the role of IS in achievement of organizational strategy. Topics discussed include contemporary compliance initiatives; strategic IS decision making; IS performance assessment, control structure and accountability; IS project management; IS policy definition and enforcement; risk analysis and mitigation; and IS security management (i.e., security planning, policy, and controls). Established frameworks and standards for IS governance and control are discussed.

LEARNING OBJECTIVES

On completion of this course, students should have a good understanding of the following:

• framework and standards for IS governance;

• framework for IS risk management;

• alignment of IS with the strategic goals of business, and IS performance assessment;

• ethical issues in IS decision making and IS control;

• principles and procedures of IS project management;

• IS risk analysis and risk mitigation;

• IS security management: principles, control structure, procedure, and infrastructure.

Student performance in the course will be assessed through a variety of methods, including homework assignments, case analyses, research papers, tests, and class participation.

TENTATIVE SCHEDULE & TOPICS COVERED

Week 1 (July 10)

• Overview of the program

• Introduction to ISACA

• Introduction to IT Governance and COBIT5

• Homework #1 (Individual; 5%) due July 17 by 4 PM through email (detailed instructions will be given in class): complete reading “Information Security Governance, Guidance for Information Security Managers”; write a one-page summary of the guidance and, on a second page, prepare at least 5 questions to interview security executive(s) for class 2.

• Homework #2 (Teams of 3-4; 15%) due July 24: Risk IT Framework Process Presentation (15-minute overview with examples)

• Team Project Presentation (30%) due August 14: IT Governance case study (teams of 3-4; 30-minute presentation during the last class)

Online (July 15)

• Debrief the previous class: what were your key learnings, and what questions remain outstanding that your colleagues may be able to help you with?

• Describe and discuss the 5 IT governance focus areas. What would be the key concerns of an organization in these areas?

• What are your initial thoughts and questions on the COBIT5 framework?

• Discuss your thoughts on reading the Security Governance briefing and possible questions you would like to ask the guest speaker(s).

Week 2 (July 17)

• Homework #1 (Individual; 5%) due today by noon: complete reading “Information Security Governance, Guidance for Information Security Managers”; write a one-page summary of the guidance and, on a second page, prepare at least 5 questions to interview security executive(s) for class 2.

• IT Risk Management Life Cycle and the Risk IT framework

• IT risk identification, assessment, evaluation, response, monitoring and reporting

• Security Governance: interviewing guest speaker(s) with questions from Homework #2 plus additional questions

• Homework #2 (Teams of 3-4; 15%) due July 24: Risk IT Framework Process Presentation (15-minute overview with examples)

Online (July 22)

• Debrief the previous class: what were your key learnings, and what questions remain outstanding that your colleagues may be able to help you with?

• What was new and interesting about the security governance that the guest speaker(s) discussed?

• Discuss various aspects of risk management. Which aspect of risk management is interesting to you?

• What is your opinion of the Risk IT framework?

Week 3 (July 24)

• Homework #2 (Team; 15%), assigned on July 10, to be presented today

• A closer review of the IT Governance Institute’s framework

• Strategic Alignment: strategy development, IS decision making and utilizing balanced scorecards

• Value Delivery: the governance of IT investments, including portfolio management and project management

• Resource management to achieve IT strategies

• IS performance measurement and reporting, key performance indicators (KPIs) and the balanced scorecard

• Class Exercise #1 (Team; 5%): Developing an IT Strategy

• Homework #3 (Individual; 10%) due July 31: review the COBIT framework and summarize the principles and enablers on two pages

Online (July 29)

• Debrief the previous class: what were your key learnings, and what questions remain outstanding that your colleagues may be able to help you with?

• Discuss how you would use a balanced scorecard to develop the IT strategy of an organization and make sure IT is aligned with the business strategy.

• Discuss how you would govern and prioritize IT investments for an organization.

• Discuss the importance of resource management and performance measurement in governance.

Week 4 (July 31)

• Homework #3 (Individual; 10%) due today: review the COBIT framework and summarize the principles and enablers on two pages

• Overview of COBIT5: the business framework for the governance and management of enterprise IT

• Homework #4 (Team; 10%) due August 7: select a COBIT domain and an IT process, and develop the IT process using the COBIT enablers

Online (August 5)

• Debrief the previous class: what were your key learnings, and what questions remain outstanding that your colleagues may be able to help you with?

• Now that you are taking a closer look at COBIT5, what questions do you have?

• How would you apply the 7 enablers in developing a process?

Week 5 (August 7)

• Homework #4 (Team; 10%), assigned in the previous class, due today

• IS Controls Design, Implementation, Monitoring and Maintenance

• IS Process, Risk and Control (PRC) structures and mapping to other frameworks such as ISO, ITIL, PMBOK, TOGAF, etc.

• Sample compliance requirements: SOX, HIPAA, GLBA, FFIEC, NAIC, PCI

• Guest Speaker: TBD

• Class Exercise #2 (10%): develop an IS PRC matrix (teams of 3-4) to be presented at the end of the class

Online (August 12)

• Debrief the previous class: what were your key learnings, and what questions remain outstanding that your colleagues may be able to help you with?

• Discuss current compliance requirements for security.

• What controls would you design and implement to address a security breach at an organization?

• How would you test them to make sure that they are working?

• Now that all 5 governance focus areas have been reviewed in class, discuss how they are interrelated.

• What do you think are the challenges of implementing governance for each of the focus areas?

Week 6 (August 14)

• Team Project Presentation (30%) due today: send the group project (PPT) prior to the start of class

• Summary and overview of implementing IT governance and risk management

• Team Presentations

PROPOSED TEXTBOOKS

1.  Board Briefing of IT Governance, Second Edition, IT Governance Institute

2.  COBIT 5.0 Framework, ISACA/IT Governance Institute

3.  The RISK IT Framework, ISACA/IT Governance Institute

4.  The Val IT Framework, ISACA/IT Governance Institute

5.  Information Security Governance, Guidance for Information Security Managers, ISACA/IT Governance Institute

Additional materials may be selected from academic journals and trade magazines in the topical fields of IS/IT governance, IS/IT ethics, IS/IT risk management, IS/IT compliance, and IS/IT security.

METHOD OF EVALUATION

The course delivery will be a combination of lectures, cases, and readings from the textbooks and related literature. Students are expected to actively participate in the discussions and all associated class activities.

The course grade is composed of:

- Homework assignment (4) 40%

- Class assignments (2) 15%

- Group project/term paper 30%

- Online participation 10%

- Class participation 5%

- July 17: Homework #1 (Individual), due by noon. Security Governance questions (5%)

- July 24: Homework #2 (Group). Risk IT process presentation (15%)

- July 24: Classroom Exercise #1 (Group). IT Strategy development (5%)

- July 31: Homework #3 (Individual). COBIT5 overview on two pages (10%)

- Aug 7: Homework #4 (Group). Applying COBIT5 enablers in designing governance and management IT processes (10%)

- Aug 7: Classroom Exercise #2 (Group). Developing a Process, Risk and Control Matrix (10%)

- Aug 14: Team Project (30%)