Course Outline
TITLE: CMGT/585 – CIS Risk Management and Strategic Planning
INSTRUCTOR: Kurt Madsen
SCHEDULE: May 5th through June 16th, 2003
CAMPUS: University of Phoenix, Tampa, Florida Campus
This course outline has been adapted from the CMGT/585r1 course module from the University of Phoenix.
This course first focuses on the a) need for control and protection of organizational data, b) the need for reliability in information systems (fault tolerance considerations), c) the identification of potential impacts present in the risks to information assets, and d) the development of contingency plans and the role fulfilled by the implementation of security measures. Second, this course provides the knowledge and skills to develop effective short, intermediate, and long-range strategic information systems plans, which include risk management considerations. This includes a) the need and responsibilities of an Information Management Steering Committee; b) the relationship of information systems planning to overall organizational goals; c) assessment of the organization's current state; determination of information technology, project, and management requirements; and d) the means of prioritizing and selecting systems projects.
1. The Role of Disaster Recovery and Business Resumption Planning
2. Security and Risk and Impact Analysis. Service Level Agreements and Escalation Mgt.
3. Fault Tolerance and Disaster Recovery Plan
4. The Role of Information Systems Business Planning and Current State Assessment
5. Information Technology Project Planning and Prioritization
6. Information Technology Vision and Planning. Developing the Business Resumption Plan
The Role of Disaster Recovery and Business Resumption Planning in the Organization
· Define the roles of security and business resumption planning in the organizational environment.
· Identify common goals, benefits, and advantages of integrating the security and disaster recovery functions in a business environment.
· Describe the activities associated with managing, administering and controlling the security program within an enterprise or business environment.
1. The role of security in an organization
a. Various levels of security that need to be addressed in an organization
1) Access security (physical plant and system)
2) Applications
3) Data (Discuss the related management considerations.)
b. Virus protection and removal is just a small part of security
1) Student knowledge about the types of viruses
2) What each virus type does (Boot sector, macro, polymorphic, etc.)
2. The role of disaster recovery business resumption planning in an organization
a. Importance of sustaining a business in the event of a disaster or business interruption
b. Characteristics of today’s business and its dependence on information systems.
c. Related management considerations: the business and information systems areas which must be addressed by a disaster recovery/business resumption planning effort, such as:
1) Recovering hardware, software, and data resources.
2) Relocation to an alternative business location.
3) Personnel management during the recovery and restoration efforts.
4) Managing and acquiring recovery resources. Identifying vendors and suppliers to assist with the recovery effort.
5) Personnel matters such as employees who may be killed or injured.
6) Determining how management will interact with local authorities in the event of major property damage, including interaction with local media.
3. Integrating Questions
Are information technology and disaster planning alternatives being fully considered? Provide examples.
Security (Facilities and Computer Information Systems) and Risk and Impact Analysis
· Examine the techniques for risk assessment in an organization, and the costs and benefits associated with this assessment.
· Identify and examine the different types of security exposures that must be addressed and overcome.
· Identify and describe the methods for determining levels of criticality in systems and the approach for developing a recovery strategy.
· Examine service level management and escalation planning.
1. The costs, benefits and selection of information safeguards.
a. Alternatives available to safeguard information assets.
b. Safeguards can begin with controlling physical access to the organization’s facilities (buildings, PCs, workstations, and terminals).
c. Access to computer applications, data, and information processing tools is equally important.
d. Describe the costs and benefits that can be incurred or achieved with each of the safeguards considered.
1) Security guard services.
2) Access controls (combination locks, security cards, and keys).
3) Leading-edge technologies (palm readers, retina scans, voice scans, fingerprint scans, and smart cards).
2. Security considerations associated with a variety of distributed computing environments.
a. Similarities and differences of different networks and network operating systems.
b. The development of a table or matrix on the board showing the similarities and differences would be helpful.
c. The introduction of the Internet/Intranet into mainstream computing and its inherent ramifications on security.
1) Firewalls, proxy servers, and viruses.
2) Have the students discuss the consequences of risks that are associated with projects.
3) Categories and degrees of risk should be discussed as a way to raise the awareness of the implementation risks associated with a project.
3. Mitigating risks due to third parties
a. Service Level Agreements
b. Escalation Plans
4. Integrating Questions
Must all risks be eliminated? Why or why not?
Fault Tolerance (System Dependability and Continuous Processing) and Disaster Recovery Plan
· Define the considerations and general design features that are necessary to enable a network, a computer application, and a distributed processing system to continue functioning.
· Define/examine the different types of fault tolerance and identify fault tolerance design alternatives.
· Identify and use the tools, staffing, strategy methods, and planning procedures necessary to design and implement a practical disaster recovery or business resumption plan.
1. UNIX and Windows NT security considerations
a. UNIX topics such as physical security, authentication, controls, and weaknesses.
b. Discuss the experiences and observations the class has seen regarding typical abuses in security controls in the UNIX environment.
c. Conclude the coverage of UNIX with a discussion of solutions which may address the existence of security issues.
d. Examine the security aspects related to the Windows NT operating system.
e. Examine the strengths and weaknesses of Windows NT from a security aspect.
2. Distributed processing security considerations.
a. Security Concerns
b. Authentication
c. Authorizations
d. Distributed Database considerations
e. Data Warehousing considerations
f. Online transaction processing systems
3. Fault Tolerance material
a. Discuss the considerations for evaluating and implementing fault tolerance capabilities within the technical infrastructure of an organization.
b. Survey the students for an identification of situations where fault tolerance capabilities are necessary and justified.
c. Review the requirements for the individual Fault Tolerance paper.
d. Assist each student with the selection of a subject area to avoid having two students covering the same subject.
4. Integrating Question
How much fault tolerance is enough? Explain your answer.
The Role of Information Systems Business Planning in the Organization and Current Status Assessment
· Identify the key issues impacting the use of information technology within the organization.
· Analyze the effects of environmental challenges on the organization's business and how information technology plays a role in meeting these challenges.
· Examine the role of information technology in helping the organization gain strategic advantage or attain a state of strategic maintenance.
· Define the components of the Current Status Assessment and the role that it plays in the development of the information technology plans.
· Review the means of establishing an information technology plan through fostering an attitude of change or active maintenance and strategic and measurable change.
1. Current Status Assessment
a. Examine the need and value of a Current Status Assessment to define the current effectiveness of information systems within an organization.
b. Point out that the management in many organizations is not fully aware of the extent of the hardware, software, and application expenditures associated with the use of information technology throughout the organization.
c. A vocal minority of personnel, who are unhappy with certain attributes of the information systems applications, may give management the impression that the information systems environment is in worse shape than is actually the case.
d. The Current Status Assessment provides an opportunity to establish a baseline for the information systems function by inventorying the quantity and quality of components of the information systems environment.
e. The Current Status Assessment should identify, at a minimum, the following components of the information technology environment within the organization:
1) Installed hardware and software, with an estimate of actual usage.
2) Applications currently installed, with an estimate of actual usage.
3) Personnel assigned to the development, support, and maintenance of information systems applications.
4) Other costs and resources associated with information systems applications.
5) A measure of user satisfaction with the effectiveness of the information systems environment.
f. The Current Status Assessment should be reviewed with management to ensure that management is fully aware of the current baseline situation.
g. Management can then identify key areas for improvement.
h. It is also essential to have this baseline in order to identify the activities and resources required to move from this current state to the organization's vision of what the information technology environment should be in the future.
2. IT Architecture, environmental and competitive challenges.
a. Discuss the evolution of the IT organizational architecture within the organization and the issues associated with the organization's ability to assimilate and effectively organize the IT function.
b. Stress the importance of aligning the IT function with business goals and how management control and planning efforts can ensure that the pieces are working together.
c. Discuss suppliers, customers, competitors, new products, and new entrants into the marketplace affecting an organization, the effects of these challenges, and how information technology can play a role in meeting these challenges.
d. Key concepts to be addressed include:
1) Michael Porter's Five Forces Analysis.
2) Generic business strategies related to competitive advantage.
3) Value Chain Analysis.
e. Discuss the use of various analysis tools to identify and define opportunities for the use of information technology to either provide strategic advantage for the organization or to support the organization in keeping up with its competition (Strategic Maintenance).
3. Integrating Questions
Is the primary function of the business to produce products and services or run an information technology function?
Information Technology Project Planning and Prioritization
· Analyze the organization's business goals and objectives and their implications with respect to the application of information technology within the organization.
· Identify the reasons for providing management with a current, accurate inventory and an assessment of the hardware, software, systems, human resources, and support environment within an organization.
· Identify the issues and apply the techniques associated with developing an unbiased and constructive organizational assessment of the information technology management function within an organization.
· Define a project portfolio and examine various methods for prioritizing projects within that portfolio.
1. IT Leadership and IT Operations
a. Discuss the challenges facing IT management in effectively organizing, leading, and operating the Information Technology function within the organization.
b. Discuss the issue of balancing user satisfaction with control and administration of information assets.
c. Address issues related to planning the IT technical infrastructure in a rapidly changing marketplace.
d. The issues related to capacity planning, security, and privacy should also be discussed.
2. Transnational IT policy issues.
a. Discuss various aspects, advantages, disadvantages, and issues related to transnational IT operations.
b. Address transfer of work, quality issues, global networking, and service levels.
c. The considerations of cultural diversity, language, technological infrastructure, local customs, and control issues should be addressed.
d. Relate your own experience and draw on the experiences of the class in this area.
e. Discussing the different ventures and the levels of success they experienced should enable the class to more fully appreciate this component of IT management.
3. Portfolio Approach
a. Discuss establishing a portfolio of projects to be considered for development or execution within the IT environment.
b. The projects in the portfolio can be evaluated and compared as to their level of risk and value to the organization.
c. Discuss with the students the advantages of evaluating and informing business management of the potential risks associated with each project in the portfolio.
d. The students should provide examples of the risks associated with projects they have seen succeed and fail.
e. Using the examples provided by the students, the class should discuss which of the projects might not have proceeded had the level of risk been understood before the project commenced.
4. Prioritizing and justifying IT projects: in-class exercise.
a. Evaluate, organize and justify the following project list:
1) New corporate accounts receivables software.
2) Upgraded billing system.
3) Employee locator software.
4) New monitors for the Executive desktop computers.
b. Add any other projects that are deemed appropriate.
c. Have the groups “score” and justify their rankings.
5. Integrating Questions
What kind of politics exist when IT projects are rated as to their worth?
Information Technology Vision for the Organization, Information Technology Plan, and Business Resumption Plan
· Define the parameters inherent in developing an organizational information technology vision.
· Examine the components of the future information technology environment within the organization.
· Review the means of establishing an information technology plan through implementation of cost effective change, and through organizational and educational change support.
· Identify the operational, organizational, and political requirements for implementing the model of a future technology environment.
· Construct and defend a Strategic IT/Business Resumption Plan and provide an oral presentation of the same.
1. Parameters inherent in developing an organizational information technology vision
2. Components of the future information technology environment within the organization
3. Establishing an information technology plan through implementation of cost effective change, and through organizational and educational change support
4. Requirements for implementing the model of a future technology environment
a. Operational
b. Organizational
c. Political