IT Governance, Information Trust, and Risk Management
(The course was offered in Spring 2006 as Trustworthy Computing, sponsored by Microsoft Research under its Trustworthy Computing Initiative. The course is offered to graduate students as BA590 and to undergraduate students as BA395.)
Professor Michael J. Shaw
Department of Business Administration
College of Business, University of Illinois at Urbana-Champaign

Overview
This course is partly sponsored by a grant from Microsoft. As Information Technology (IT) has become the foundation that supports the infrastructure, transactions, processes, and customer service of any business, large or small, managing the trustworthiness of enterprise IT effectively has emerged as a high priority for business administration. This focus on trustworthy computing is analogous to the total quality management widely used in manufacturing and distribution a decade ago, except that the impact is potentially more pronounced because of the greater reliance on IT not only by businesses but also by the broader society. The course will provide students with a core body of knowledge (for IT applications, management, and research) concerning:
- The state of research and business practice of trustworthy computing
- Managerial issues for the prevention of business fraud and threats
- The multiple perspectives of trustworthy computing and how to integrate them
- The key technology for trustworthy computing for users and for businesses
- Issues concerning integrity, privacy, ethics, risk management, and reliability
- Best practices concerning regulatory compliance requirements
- Enterprise information management issues, policies, and practices

Course Objectives

This course is designed for students who are interested in pursuing a professional career in research, applications, or management, in the business administration or information technology fields, and who want additional skills and knowledge to manage information security, risk assessment, privacy, and recent regulatory compliance requirements. Since no prior technical background is needed, this course is also suitable for students who are not on the IT career path but want to know more about business issues concerning information security, privacy management, and compliance practices. The course format allows students to explore their professional interests by selecting their projects and interacting with executive speakers. Students from various programs will bring their differing disciplinary perspectives to the class. This diverse approach to course delivery can create valuable synergy by integrating the various perspectives to broaden the outlook of all of the students. The topics to be covered will follow the structure below:

Course Topics

Introduction: Trustworthy Computing and Business Administration
1. Introduction: The Importance of Trustworthy Computing to Enterprise Management
2. Building Trust in Enterprise IT: Integration of IT and Business Perspectives

Business Integrity, Privacy Management, and Fraud Prevention
3. The Integrity Requirement for Enterprise Accounting and Financial Data
4. Prevention of Financial Fraud
5. Case Study: IT, Sarbanes-Oxley Compliance, and Trustworthy Computing; HIPAA and the Healthcare Industry
6. IT and Privacy Issues (Discussion: Managing Privacy for Competitive Advantage)

Management of Threats and Vulnerabilities
7. Sources of Enterprise IT Vulnerabilities
8. Trustworthy Computing and Electronic Commerce
9. Risk Assessment

Survey of Related Technology and Business Issues: A Multidisciplinary Approach
10. Survey of Enterprise IT Security: Issues, Technology, Infrastructure and Management
11. Developments in Electronic Evidence and Computer Forensics

Enhancing Reliability and Integrity in Enterprise IT
12. The Life-Cycle Methodology for Trustworthy Computing & Risk Management
13. Trustworthy Computing in the Development, Adoption, Deployment, and Diffusion of IT

Trust Management in the Globalization of IT
14. Managing Trust in the Diffusion of Enterprise IT
15. Case Study: Trustworthy Computing in the IT Infrastructure for Global Supply Chains
16. Trust-Enhancing Information Policies and Practices

Guest Speakers

One of the features of the new course will be the group of guest speakers from industry and major companies who are thought leaders on the practice of trustworthy computing. Information presented and collected will be used as the basis for a series of industrial best-practices reports written by the students as part of the course requirements. A number of IT managers from major organizations will visit and talk to the class as guest speakers.

Class Lectures

1. Introduction & Overview
Chapter 1. Security in a Globally Connected Economy
Trustworthy Computing, Microsoft White Paper, Craig Mundie et al., 2003.
Dependable Pervasive Systems, C. Jones and B. Randell, Technical Report CS-TR-839, University of Newcastle upon Tyne, April 2004.
The Myth of Secure Computing, R. Austin and C. Darby, Harvard Business Review, June 2003.

2. Business Risk Management
Jason Weile, Manager, Systems and Process Assurance, PWC -- Risk Management
Chapter 2. Sources of Digital Liability
Trust in Cyberspace, F. B. Schneider (Ed.), Computer Science and Telecommunications Board, National Research Council, National Academy Press, 1999.
Assessing Accounting Risk (D. Hawkins), Harvard Business School Case 9-105-054, Nov. 2005.

3. Vulnerability Management and Assessment
Andrew Petrum, Protiviti -- Vulnerability Management
Chapter 3. Threats, Vulnerabilities, and Risk Exposure
The iPremier Company (A): Denial of Service Attack (A. Austin), Harvard Business School Case 9-601-114.
Threat Modeling, F. Swiderski and W. Snyder, Microsoft Press, Redmond WA, 2004.

4. Critical Infrastructure
Roy H. Campbell, Sohaib and Sara Abbasi Professor, Siebel Center for Computer Science, UIUC -- Critical Infrastructure for the Power Grid
Chapter 4. An Affirmative Model of Defense
Predictable Surprises, M. Bazerman and M. Watkins, Harvard Business School Press, Boston, MA, 2004.

5. Information Trust and Compliance Issues
Deron Grzetich, Protiviti -- IT and Sarbanes-Oxley Compliance Issues
The Sarbanes-Oxley Act (L. Paine), Harvard Business School Case 9-304-079, July 2004.
Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Frequently Asked Questions, Protiviti White Paper (32 pages).
Information Nation: Seven Keys to Information Management Compliance, R. A. Kahn and B. T. Blair, AIIM, 2004.
Chapter 5. Models for Estimating Risks

6. Dependable & Trustworthy Enterprise Systems
Chapter 6. Acceptable-Use Policies: Human Defenses
Framing the Domain of Information Technology Management, R. W. Zmud (Ed.)
Dependable Pervasive Systems, C. Jones and B. Randell, Technical Report CS-TR-839, University of Newcastle upon Tyne, April 2004.

7. Enterprise Information Security Policy
Peter Siegel, CIO, UIUC -- Enterprise Information Security Issues: The Case of Higher Education Institutions
Chapter 7. Acceptable-Use Practices: Defense Best Practices
Colleges Protest Call to Upgrade Online Systems, New York Times, October 23, 2005.

8. Trustworthy Systems Development
The Trustworthy Computing Security Development Lifecycle, S. Lipner and M. Howard, Microsoft Research, 2005.
Chapter 8. Technology & Auditing Systems: Hardware and Software Defenses

9. Technology & Auditing Systems: Hardware and Software Defenses
Mike Corn, Director, Security and Privacy Services, UIUC -- IT Security Issues
Case: University Security Infrastructure

10. Computer Forensics
Jim Murray, Grant Thornton -- Computer Forensics
Chapter 9. Electronic Evidence and Electronic Record Management

11. Privacy Issues
Thomas Kleyle, Senior Manager, Systems and Process Assurance, PWC -- Privacy Issues and Regulation
Chapter 11. Privacy and Data Protection
A New Covenant with Stakeholders: Managing Privacy as a Competitive Advantage, KPMG White Paper.
Google Inc.: Launching Gmail (D. Darren), Ivey School of Business, Case 904E19, 2004.

12. Managing Security in a Multinational Enterprise
Bill Boni, Chief Security Officer, Motorola
Dan Swartwood, Privacy Protection Officer, Motorola
Talking Security with Motorola's William Boni, Network World, 2004.
From IT Security to Information Management (M. Rasmussen), Forrester Report on Best Practices, June 2005.

13. Crisis Management and Emergency Response
Richard Jaehne, Director, the Illinois Fire Service Institute -- Emergency Response and Unified Command Systems
Assessing Your Organization's Crisis Response Plans (M. Watkins), Harvard Business School Note 9-902-064, 2001.
Chapter 10. Computer Crime, Computer Fraud, and Cyber Terrorism

14. Risk Metrics and Models
Greg Hedges, Managing Director, Protiviti -- Risk Management and Identity Theft
Anthony Cutilletta, MD, Managing Director, Protiviti -- Healthcare-Industry Issues and Privacy Management Concerning HIPAA
Combating Fraud in Financial Services (P. Gillespie and M. Rasmussen), Forrester Report on Best Practices, April 2004.
Phishing Concerns Impact Consumer Online Financial Behavior (C. Graeber), Forrester Report on Best Practices, December 2004.
Chapter 11. Privacy and Data Protection
Appendix. HIPAA

Guest Speakers Schedule

Name | Institution | Topic
Jason Weile | Manager, Systems and Process Assurance, PWC | Risk Management
Andrew Petrum | Protiviti | Vulnerability Management
Roy H. Campbell | Sohaib and Sara Abbasi Professor, Siebel Center for Computer Science, UIUC | Critical Infrastructure for the Power Grid
Deron Grzetich | Protiviti | IT and Sarbanes-Oxley Compliance Issues
Peter Siegel | CIO, UIUC | Enterprise Information Security Issues: The Case of Higher Education Institutions
Mike Corn | Director, Security and Privacy Services, UIUC | Security and Privacy
James Murray | Grant Thornton | Computer Forensics
Thomas Kleyle | Senior Manager, Systems and Process Assurance, PWC | Privacy Issues and Regulation
Bill Boni | Chief Security Officer, Motorola | Enterprise and Supply-Chain Security Management
Dan Swartwood | Motorola | Privacy Issues and Regulation
Richard Jaehne | Director, the Illinois Fire Service Institute | Emergency Response and Unified Command Systems
Greg Hedges | Managing Director, Protiviti | Risk Management and Identity Theft
Anthony Cutilletta | MD, Managing Director, Protiviti | HIPAA and the Healthcare Industry

Readings List

Articles

1. The Myth of Secure Computing, R. Austin and C. Darby, Harvard Business Review, 2003.
2. The iPremier Company (A): Denial of Service Attack (A. Austin), Harvard Business School Case 9-601-114, Oct. 2005.
3. Google Inc.: Launching Gmail (D. Darren), Ivey School of Business, Case 904E19, 2004.
4. Assessing Accounting Risk (D. Hawkins), Harvard Business School Case 9-105-054, Nov. 2005.
5. Assessing Your Organization's Crisis Response Plans (M. Watkins), Harvard Business School Note 9-902-064, 2001.
6. The Sarbanes-Oxley Act (L. Paine), Harvard Business School Case 9-304-079, July 2004.
7. From IT Security to Information Management (M. Rasmussen), Forrester Report on Best Practices, June 2005.
8. Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Frequently Asked Questions, Protiviti White Paper (32 pages).
9. Combating Fraud in Financial Services (P. Gillespie and M. Rasmussen), Forrester Report on Best Practices, April 2004.
10. Phishing Concerns Impact Consumer Online Financial Behavior (C. Graeber), Forrester Report on Best Practices, December 2004.
11. The Trustworthy Computing Security Development Lifecycle, S. Lipner and M. Howard, Microsoft Research, 2005.
12. Dependable Pervasive Systems, C. Jones and B. Randell, Technical Report CS-TR-839, University of Newcastle upon Tyne, April 2004.
13. A New Covenant with Stakeholders: Managing Privacy as a Competitive Advantage, KPMG White Paper (36 pages), 2001.
14. Trustworthy Computing, Microsoft White Paper, Craig Mundie et al., 2003 (10 pages).
15. Principles and Practices of Information Security, L. Volonino and S. Robinson, Pearson Prentice Hall: New Jersey, 2004.

Reference Books
(These books will be reserved in the Library. They provide more substantial discussions of the topics as referenced in the course schedule.)

1. Framing the Domain of Information Technology Management, R. W. Zmud (Ed.), Pinnaflex Educational Resources: Cincinnati OH, 2000.
2. Information Nation: Seven Keys to Information Management Compliance, R. A. Kahn and B. T. Blair, AIIM, 2004.
3. Trust in Cyberspace, F. B. Schneider (Ed.), Computer Science and Telecommunications Board, National Research Council, National Academy Press, 1999.
4. Threat Modeling, F. Swiderski and W. Snyder, Microsoft Press, Redmond WA, 2004.
5. Digital Defense, T. Parenty, Harvard Business School Press, Boston, MA, 2003.
6. Predictable Surprises, M. Bazerman and M. Watkins, Harvard Business School Press, Boston, MA, 2004.
7. Principles and Practices of Information Security, L. Volonino and S. Robinson, Pearson Prentice Hall: New Jersey, 2004.

Project

Students are required to complete a report focused on a selected topic. There will be flexibility in the focus in terms of the disciplinary coverage (e.g., technical vs. managerial) and also the orientation (e.g., application vs. research). Since the underlying vision of the course content is the integration of technical and managerial perspectives, there will be room for diverse approaches for you to take in this project. You can choose your project from the list of topics to be discussed in this course:
1. Business Risk Management
2. Vulnerability Management and Assessment
3. Critical Infrastructure
4. Information Trust and Compliance Issues (SOX)
5. Dependable & Trustworthy Enterprise Systems
6. Enterprise Information Security Policy
7. Trustworthy Systems Development
8. Technology & Auditing Systems: Hardware and Software Defenses
9. Privacy Issues
10. Trustworthy Supply Chains in Multinationals
11. Crisis Management and Emergency Response
12. HIPAA

Completed student project reports from this course in Spring 2006