Fall 2007 Call 14092, Thursday 6:00-8:30 PM, Stevenson Hall 220
Yair M. Babad, UH 2403, Phone 312-996-8094, Cell 310-431-6729, Fax 312-413-0385
e-mail: ybabad@uic.edu, URL: http://www.uic.edu/~ybabad
Office Hours Thursday 5:00-6:00 PM
Co-teacher: Mr. Joe Wolke, Principal Consultant, Forsythe Solutions Group, Inc.
Updated: 9/26/2007 12:21:37
COURSE OBJECTIVE & PHILOSOPHY
The need to comply with an array of complex data laws dominates the business environment and the privacy and security agenda. The challenge will be dealing with regulatory requirements and laws such as the Sarbanes-Oxley Act, the HIPAA, Gramm-Leach-Bliley Act,
This class will be devoted to these compliance issues, their impact on the organization, and how to manage and audit them. Consequently, this is essentially a class in corporate management and audit, even though it is presented within the information technology curriculum. Much of the class time will be devoted to discussions and case studies, as active participation and individual critical thinking are essential for the development of a "compliance mentality".
To assure effective compliance, management – directly or through its internal and external auditors – must control and audit systems whose "internals" are understood only by highly trained expert professionals. This course discusses the philosophy and describes some of the tools and methods used for control and auditing of such systems and of the organizations that use them. Eventually, this will lead to increased awareness, better understanding, and more secure and effective accomplishment of the organization's objectives and use of its technology; thus, the course will be beneficial to all future managers and users, and not only to information technology professionals or auditors.
TEXTBOOK & COURSE MATERIALS
This course is based on Ron Weber's Information Systems Control and Audit, Prentice Hall 1999, ISBN 0-13-947870-1, which emphasizes the controls approach to systems audit and security. The methodology is applicable to all systems, including internet, web-based and e-commerce systems.
Recommended texts are Sarbanes-Oxley and the New Internal Auditing Rules by Robert R. Moeller, Wiley, 2005, ISBN 0-471-48306-0, and Ethics and Information Technology by Anderson and Goodman, Springer, 2002, ISBN 0-387-95308-6; in particular, the Ethics book will be used for homework and quizzes.
Many security-oriented books are available today, and the following are recommended as supplements: Information Assurance for the Enterprise by Corey Schou and Dan Shoemaker, McGraw-Hill / Irwin, 2007, ISBN 0-07-225524-2, goes beyond the technical coverage of security measures to provide an overarching model of information assurance for organizations needing a comprehensive plan; Control and Security of E-Commerce by Gordon E. Smith, Wiley, 2004, ISBN 0-471-18090-4, with a risk-based approach to e-commerce security and control (out of print at the publisher, but still can be ordered from Amazon.com); and Computer Security Handbook, 4th edition, edited by Seymour Bosworth and M. E. Kabay, Wiley, 2002, ISBN 0-471-41258-9, with a comprehensive discussion of mainframe systems and PC network security, vulnerabilities, and threat detection and prevention. Additional reading material will be announced during the class.
My web page has PowerPoint presentations for all the material that I will introduce in class. These summarize the contents of the textbook, in addition to other material that will be discussed in class. You are advised to print these presentations (probably with 3 or 6 slides per page, framed, in black and white printing format) prior to class, so that you can use them in class in lieu of notes. You are responsible for knowing the contents of these transparencies as well as the textbook’s material (and of course whatever is discussed in class).
COMMUNICATIONS, HOMEWORK & PREREQUISITES
I believe that open communications channels between all of us add significantly to the value of the class. You are welcome to contact me – preferably via e-mail. In particular, ALL questions and comments are welcome. All communications between us will use electronic mail. The assignments and other course materials can be printed out from the World Wide Web, at my URL given above.
All assignments and other submissions sent to me will have a filename in the format
523_AssignmentDescription_LastName_MMDDYY.extension
where "MMDDYY" is the submission date. Similarly, all e-mail messages to me should have as the subject line
523_LastName_SubjectDescription.
The approach taken in this course is pragmatic, rather than theoretical or technical, with the objective of increasing your familiarity with the course topics on the one hand, and your critical understanding of the material on the other. I do not intend to "read the text in class". Rather, I will emphasize certain issues, and will respond to your questions. You must read on your own and be familiar IN ADVANCE OF EACH CLASS with the assigned material as given in the schedule, and with the class notes available in my web page. The course will be discussion oriented, with emphasis on discussions geared to the case studies at the end of each chapter.
A common theme in my courses is the development of your communications skills and use of available computer technology and common software tools. Assignments should all be typed (using computerized office tools) and be professionally presentable; hand-written assignments will not be graded. Your work must follow the standards specified in the PRESHINT.DOC file in my web site. You are expected to submit your work using word-processing and spreadsheet tools.
All homework will be submitted electronically via e-mail. It must be in the TurnItIn reader (an anti-plagiarism system – instructions will be provided in the first class; the class ID is 1955683, and the password is 14092, the call number of the course) by midnight on the Tuesday preceding the class in which it must be submitted, at the latest. Assignment due dates as given above or in class will be strictly adhered to, and late assignments will not be accepted unless prearranged with me. Virus-infected submissions will be deleted and not graded, with no opportunity for resubmission.
I maintain a web page for this class. To this end, get to my URL listed above, select this class, and you will find yourself in an "announcement file" for this course. This file includes references to related documents, such as this syllabus, homework, and PowerPoint presentation of class material, in addition to the latest announcements related to the class.
The course assumes that different students have different levels of understanding of and background in the course's topics, yet we will present the topics at an advanced level. Students with little familiarity with the material are expected to prepare themselves to fully understand the material and contribute to course work and discussions. You are always welcome to discuss this (and all other issues) with me.
ASSIGNMENTS, QUIZZES AND EXAMS
Assignments will be based on the case studies at the end of the text's chapters, and will be announced in class. Homework solutions will be discussed in class at the date they are due; therefore, late submissions of homework assignments will not be accepted. Note that homework will be based, to a large extent, on material you are supposed to read for the next class, and will be discussed in class only after you submit the homework, in order to let you exercise your own judgment and understanding.
Note that I tend to assign "open ended" problems, which can be answered in many different ways according to the underlying assumptions. Consequently, be very careful to always specify your assumptions; if this is not done, I have the right to evaluate your work based on whatever assumptions I have. Further, when presenting your arguments and conclusions, "link" them to these assumptions. I will evaluate your work as developed, to the extent possible, in light of these assumptions; of course, I may challenge your assumptions, if it is appropriate.
There will be no exams in this course. Rather, each class session (except the first one) may include a brief open-book quiz, which stresses understanding of the required reading material and the material covered in the last class. This system allows timely grade-progress feedback and motivates you to prepare for each session (and thus increases the probability of quality participation and of getting the most from the class sessions).
CLASS ATTENDANCE and HONOR CODE
You are expected to attend all classes, and are responsible for all announcements made in class or in the announcement file. Makeup of quizzes or reports will be given only by approval PRIOR to the quiz or report, except for extreme circumstances. Punctuality is highly regarded; no student, if arriving late, will be given any extra time to complete a quiz, nor will makeup quizzes be offered.
The university's honor code will be adhered to. Submitted reports and homework may from time to time be checked for plagiarism. Cheating, plagiarism or copying will result in an automatic failing grade for the problem, quiz, exam or project for all those participating in the cheating or copying, and may lead to a failing grade in the course for all those students who are deemed to have consciously contributed to the cheating. To help maintain the anti-plagiarism policy, you will be required to submit all your homework and reports to TurnItIn, a plagiarism assessment program, from which I will download your homework and reports. Note also that since I will be downloading this material only once a week, you must adhere to the submission timing requirements.
GRADING
Grades will be based on homework assignments (60% - equally weighted, and possibly dropping the worst one) and the quizzes (40% - equally weighted, and possibly dropping the worst one, but not more than 5% per quiz). Final grades will be assigned on a curve, and I will exercise my judgment as to the cut points, as well as to the grading of students who miss or come late to many of the classes. Separate final grade curves will be used for undergraduate and graduate students.
Don't nitpick about the grading. Persons who complain will not be rewarded for it; those who have the decency not to complain would deserve the same break. A request to look at one problem leads to re-grading of the whole paper, which often leads to a lower grade.
No "extra credit" opportunities will be offered or assigned to specific individuals under any circumstances; all students' grades will be based on the same components - this is an equal opportunity course.
TENTATIVE & APPROXIMATE COURSE SCHEDULE
(actual schedule will be determined by class advancement and availability of additional guest speakers, and changes will be announced)
| Class | Date | Topic | Chapter |
|---|---|---|---|
| 1 | Aug 30 | Introduction, Compliance Environment | Ch. 1-2 |
| 2 | Sep 6 | Sarbanes-Oxley and HIPAA | |
| | Sep 13 | *** No class – High Holidays *** | |
| 3 | Sep 20 | Compliance and Internal Controls | |
| 4 | Sep 27 | Risk Based Capital (RBC) and | |
| 5 | Oct 4 | Guest speaker: Joe Wolke, Principal Consultant, of Forsythe: Information Assets Protection | |
| 6 | Oct 11 | Data Resources Management Controls | |
| 7 | Oct 18 | Guest speaker: Mike Tulig, GM, Infotechnics: System Development & Program Management Controls | Ch. 4-5 |
| 8 | Oct 25 | Quality Assurance Management Controls and Application Boundary Controls and Input Controls | |
| 9 | Nov 1 | Guest speaker: Ellen Barry, CIO, of Metropolitan Pier and Expo Authority: Disaster Recovery and Business Continuity | |
| 10 | Nov 8 | Guest speaker: Prof. Elie Geisler, IIT: Evaluating System Performance, Effectiveness and Efficiency | |
| 11 | Nov 15 | Application Database and Output Controls | |
| | Nov 22 | *** No class – Thanksgiving *** | |
| 12 | Nov 29 | Guest speakers: Susan Gajda, VP Audit & Performance, and John Gatto, Senior Director of IT Audit & Advisory Services, of HCHS: Advisory business case – IT resources for a major project | |
| 13 | Dec 6 | Guest speakers: Julie Zemaitis, Executive Director; Neal Crowley, Director, UIC; and Gene Fruit, Assistant Director of IT Audit; of UI Office of University Audit: Audit work | |
| *** | | *** Exams Week – No Final Exam *** | |