Research and Project Topics in IT Governance, Information Trust, and Risk Management (2008)

Center for IT and e-Business Management


Professor Michael J. Shaw
Department of Business Administration
College of Business, University of Illinois at Urbana-Champaign



This course is partly sponsored by a grant from Microsoft. As Information Technology (IT) has become the foundation that supports the infrastructure, transactions, processes, and customer service of any business, large or small, managing the trustworthiness of enterprise IT effectively has emerged as a high priority for business administration. This focus on trustworthy computing is analogous to the total quality management widely used in manufacturing and distribution a decade ago, except that the impact is potentially more pronounced because of the greater reliance on IT not only by businesses but also by the broader society. The course will provide students with a core body of knowledge, for IT applications, management, and research, concerning:

  • The state of research and business practice of trustworthy computing
  • Managerial issues for the prevention of business frauds and threats
  • The multiple perspectives of trustworthy computing and how to integrate them
  • The key technology for trustworthy computing for users and for businesses
  • Issues concerning integrity, privacy, ethics, risk management, and reliability
  • Best practices concerning regulatory compliance requirements
  • Enterprise information management issues, policies and practices
List of Topics in Trustworthy Computing, Information Trust, and Management


  1. Business Risk Management

  2. Vulnerability Management and Assessment

  3. Information Security Policy

  4. Trustworthy Computing

  5. IT Portfolio Management

  6. CIO Roles

  7. Health Insurance Portability and Accountability Act (HIPAA)


Research and Project Description

1. Business Risk Management

- Enterprise Risk Management, by Portia Woodhouse (report)

Every business is challenged with uncertainties that present threats to its success. This, known to many as risk, "is defined as the probability of an event and its consequences" (Cranfield School of Management). The main categories of risk to consider in a business environment are strategic, compliance, financial, and operational. All of the aforementioned categories are different branches of a business that drive a company's success. If one area faces risk, it could put the whole company in danger. Companies are challenged with questions on how to mitigate risk with every decision that they make. Most businesses strive to keep their stakeholders happy by growing and changing in order to compete with other firms. Every time the business makes a decision to increase its offerings, take on new employees, revise marketing tactics, or expand into new areas of business beyond its core business, a degree of risk does arise. Various tools, methods, and assessments are performed to control such threats. This is known as risk management.

Organizations have for many years practiced various methods of risk management. It has evolved from traditional risk management to what most companies are now practicing: enterprise risk management. There is a fine distinction between the two approaches. This research report will focus on the most recent approach used throughout many companies today, enterprise risk management. As this approach is explained, the following topics will be addressed: evolution of risk management, enterprise risk management framework, driving forces behind enterprise risk management, and enterprise risk management best practices.

- Risk Management Metrics and Risk Assessments, by Tom Lee (report)

In the ever-changing information world where risk is greater, security is becoming more vital to business organizations. However, the business value of security is often questioned. While Information Technology holds great potential for companies, security risks and privacy issues are a significant limitation. Enterprise Risk Management includes risk management metrics and risk assessments to determine the business value of security. ERM in itself is a framework of risk management which helps identify instances of risks and opportunities as well as the magnitude of impact and response strategy.

This paper will detail and outline Enterprise Risk Management pertaining to a generic major personal computer manufacturer, comparable to Dell or Hewlett-Packard, called Tom Lee Computers (TLC). Analysis of risk assessment for this fictitious company will serve as a model to demonstrate that risk is extremely significant in the ever-changing industry of computing services and products. The research plan will follow an exploration of the overview of the risks of a similar company such as Dell and, from those risks, develop basic guidelines of a metrics management system. Some major risks that are faced include general economic and business environment risks, product/service demand, competition, risks from new technology, and the ability to manage operating costs effectively. It is important to analyze the risks of a major industry player in the ever-changing and consumer-driven computer manufacturing industry. Risks have left firms in this industry unable to compete, and these risks have true business value and a real impact on whether an organization can be successful or not. The target is an investigation into the measures of Enterprise Risk Management and how a metrics management system can be implemented at a personal computing manufacturer.

2. Vulnerability Management and Assessment

- Guide to Vulnerability Management for Small Companies, by Andrew Tan (report)

Vulnerability management is a risk management discipline that addresses the dangers to IT systems. It can be defined as the regular auditing of hardware and software components in IT systems to discover and remediate weaknesses. Keeping the systems safe from rapidly evolving malicious intent is critical. A security breach of a company's IT systems can be devastating, causing unrecoverable financial and information loss as well as damage to the company's reputation, all of which are extremely difficult to recover from. While large companies have specialized IT teams and sophisticated tools dedicated to IT vulnerability management, small companies, with their limited resources, can ill afford such luxuries. As a result, many small companies do not have any vulnerability management program in place. This guide seeks to enable small companies to establish and maintain a simple vulnerability management program.

- Latest News and Developments in Vulnerability Management, by Min Soo Choi (report)

Vulnerability management is the overall responsibility of managing risks that are associated with the vulnerabilities of an organization. It involves identifying possible threats and making decisions based upon the costs of each threat. When companies uncover these threats, they attempt to eliminate, mitigate, or tolerate each problem depending on the risks and costs of implementing a solution.
There are three primary ways of assessing vulnerability management: vulnerability assessment, patch management, and ethical hacking. Out of these three methods, companies use vulnerability assessment the most to handle their IT security. Nonetheless, the two remaining approaches are important sectors of vulnerability management and should not be neglected. Ignoring these two areas can compromise an organization's security.

- A Guide to Managing Internal and External Threats, by Johnny Leung (report)

As information technology becomes easier to use and implement for business, it becomes easier for intruders, both within and outside the firm, to steal and use that information for personal gain. Firms should have a vulnerability management program so that they can avoid various losses due to a breach in security. This paper will give an overview of the NIST Special Publication 800-40 v2 framework and give several recommendations as to how to manage internal and external threats.

3. Information Security Policy

Effective security policy is an imperative for every IT-conscious, modern enterprise. From the commercial vantage point, good security policy can be a business enabler. A company stands to gain significantly from first-mover and early-mover advantages if it can harness online supply chains or add customer value through IT. These incentives drive organizations' ambitions to connect their partners, staff, customers, and suppliers directly online to their enterprise network. On the other hand, poor security policy implemented in the rush to be first-to-market can often result in code maintenance nightmares, recurring security issues, potential contingencies for the firm, realized losses, and so on. The list goes on. This has repercussions for management both financially and intangibly through damaged reputations. If organizations want to effectively harvest the financial rewards associated with IT, they need to develop adequate security policies and low-level IT controls to mitigate and cope with the risks of IT vulnerability. The objective of this report is to supply the reader with a general high-level overview of network security concepts and a more in-depth look into the field of network security assessment and penetration testing.

- FERPA, Student Privacy, and Information Technology in Higher Education, by Susan Thomas (report)

The Family Educational Rights and Privacy Act (FERPA) of 1974 requires higher education institutions to "limit the disclosure" of certain types of student information contained in education records (Hillison et al. 301). Colleges and universities trying to comply with FERPA universally have policies and procedures aimed at protecting student privacy. However, constantly changing technologies continually pose new obstacles to this protection. In this paper, I explain what FERPA is, and provide examples of FERPA violations. I also discuss the risks that information technology (IT) poses as well as the best practices and controls that higher education institutions can enact to mitigate FERPA IT risks. Finally, I explore whether FERPA goes too far (or not far enough) and the balance for colleges between protecting students' privacy while also effectively meeting students' educational needs.

4. Trustworthy Computing

- Distributed Denial of Service Attacks: The Biggest Threat on the Internet, by Craig Kitching (report)

Viruses, spyware, and all sorts of other internet malware exist in cyberspace to try to turn a computer into a breeding ground for illegal activity. With all of the malicious content out there it is easy to get overwhelmed, and it is easy for some individuals and companies to lose sight of exactly how powerful some of these threats can be. In this report, I will discuss the largest threat on the internet today, the Distributed Denial of Service attack. Specifically, I will be discussing this form of attack with a focus on 'BotNets,' which are the main tool producing much of the malicious and viral content seen on the internet today. The prevention of such attacks, and the mediation once attacks occur, can be the difference between the life and death of a real-life organization. The proliferation and magnitude of cyber attacks can have effects reaching much further out than simply the internet, and understanding how truly devastating a network lurking out there can be can help a corporation or even an individual be prepared.

- Cyber Crime, by Kuo Liang Chen (report)

Unlike most traditional crime, cyber-crime doesn't need physical contact between victim and criminal. The criminal can even attack the victim from the other side of the world. Cyber-crime can't be restricted by time and distance, and its damage may be as huge as anyone can imagine. In a current issue of BusinessWeek, a special report on cyber-espionage describes a series of cyber-attacks on the U.S. government. Also, some authorities suspect that the attacks might potentially be supported by governments such as Russia and China.

Cyber crime is not only intimidating individuals but also threatening companies and governments. For governments, losing control of cyber crime may result in damage to state security and suspicion in international relationships. Companies may also endanger their reputation and property if they cannot efficiently avoid cyber attacks.

5. IT Portfolio Management

- IT Portfolio Management, by Arhant Rawal (report)

With the IT budgets of organizations increasing in recent years, IT Portfolio Management has received significant attention. It has also become one of the main items of concern for CIOs. This paper will encompass the details about the need for IT Portfolio Management in organizations, how it aligns with the business strategy, and research on best practices in the field of IT Portfolio Management. Also, it will address the issue of IT portfolio management maturity. With the help of a detailed example, the report will describe how IT Portfolio Management is implemented within an organization and the results that have been achieved.

- A survey of the state-of-the-art methodology, practices, and trends of financial measures applied to IT projects, by Pablo Barreda (report)

In the current corporate IT environment the challenge is to bring down the wall that exists in some or most organizations between the IT department and the rest of the organization. The idea of getting rid of the wall is that the successful organization in the 21st century has to align IT closer to the business needs of the organization.

In a recent article The Wall Street Journal explained that the wall has five primary reasons for its existence: mind-set differences, language differences, social influences, flaws in IT governance, and the difficulty of managing a rapidly changing environment.

In this paper, I am attempting to assist with the first two parts (different mind-set and different language) by exploring the different financial measurements for projects and possibly providing a tool that can serve as a guide for project managers, IT managers, and executives who may not be familiar with the language or mind-set of IT and the rest of the organization.

The main findings are that even as some organizations in general business and government have been implementing the financial measures we talk about in this paper, the main issue is that we still need to get into the habit of using these metrics, from start to finish, so that IT aligns better with the strategies of the organization.

- IT Portfolio Management, by Sanju Varghese (report)

Diversification has been a staple of the financial world for half a century. But the idea of IT portfolio management has been tossed around academic circles only since the 1980s. As its name implies, project portfolio management groups projects so they can be managed as a portfolio, much as an investor would manage his stocks, bonds and mutual funds.

In the IT world, the obvious benefit of project portfolio management is that it gives executives a bird's-eye view of projects so they can spot redundancies, spread resources appropriately and keep close tabs on progress. But what's most appealing to many CIOs is the focus on projects as a portfolio of investments. Discussions aren't just about how much a project will cost, but also about its anticipated risks and returns in relation to other projects. This way, entire portfolios can be jiggered to produce the highest returns based on current conditions.

6. CIO Roles

- Chief Information Officer, Redefined: a closer look at the impact of the changing business landscape, by Willi Sun (report)

Internal and external stakeholders of companies have greatly increased their expectations of CIOs and their information technology (IT) departments. Information technology is not considered a risk anymore, as it was when it was managed through IT governance and management, data governance and regulatory compliance. Moreover, information technology is no longer looked upon as a cost that has to be managed to increase cost efficiency and create a higher return on investment. Information Technology has been taken on as a business function within an enterprise. Information Technology is considered an added value to a firm; it increases shareholders' value and return on investments. Moreover, information technology improves information security and data quality, as well as enhancing communication within a company's different business functions. Therefore, leaders from information technology face large obstacles, where they have to constantly find the balance between IT and business alignment, compliance, risks, costs and effectiveness of delivery.

7. Health Insurance Portability and Accountability Act (HIPAA)

The mission of healthcare has long been the aspiration to combat disease and illness. In today's world of electronic prosperity and growth, this healthcare mission has formed an alliance with information technology, extending the battle against "electronic" diseases that threaten and scrutinize the privacy of patient information. The Health Insurance Portability and Accountability Act, better known as HIPAA, is a broad federal legislation requiring, among other things, that healthcare providers and beneficiaries implement and utilize electronic safeguards ensuring patients' data protection. This protection scheme encompasses many electronic components requiring consistent confidentiality, integrity, and availability (the accountability connotation of HIPAA). In addition, HIPAA enactment and alignment with IT systems significantly reduces paperwork and paper database utilization. Of course, with this push toward "losing a paper trail" comes heightened awareness of the secure layering of IT applications interfacing with and protecting healthcare information.

- Healthcare Applications and HIPAA, by Ross Pierson (report)

The healthcare industry faces many policies and regulations and is also one of the fastest growing areas for technology. These two characteristics may not seem to be related, but they are, because these regulations have had a great impact on IT in the healthcare industry. The health care industry has had to adopt new IT systems very quickly to meet the many challenges that it is facing. It must try to reduce cost, improve patient care, and meet these strict regulations.

The Health Insurance Portability and Accountability Act of 1996 is one of the regulations that must be complied with. It was originally put in place to help keep patients' data private, make it easier for Americans to keep health insurance when they changed jobs, and standardize healthcare-related information systems.

Although HIPAA has increased the use of IT and expanded the possibilities for these healthcare companies, it has also created many challenges. Healthcare providers are now using electronic records instead of paper records. These health care companies must make sure that these records are easily accessible to authorized medical personnel but not to unauthorized people. They also must make sure that the information is secure when being transferred between different organizations. It is important to recognize how HIPAA has affected the different business processes and IT systems and analyze how health care companies can continue to drive change while still complying with HIPAA.

Pablo Barreda, Undergrad in Business Administration
Kuo Liang Chen, MS in Technology Management
Min Soo Choi, Undergrad in Business Administration
Michael Elkind, Undergrad in Business Administration
Craig Kitching
Johnny Leung
Ross Pierson, Undergrad in Business Administration
Arhant Rawal
Nour Sharabash
Willi Sun, Undergrad in Finance
Andrew Tan, MS in Technology Management
Susan Thomas
Sanju Varghese, MS in Technology Management


Guest Lecturers

Name | Institution | Topic
Jason Weile | Manager, Systems and Process Assurance, PWC | Risk Management
Andrew Petrum | Protiviti | IT Governance and Control
Nick Kula | Protiviti | IT Governance and Control
Jon Herzburg | Principal, Grant Thornton | IT Management and Control
Ronald Markham | | IT Management and Control
Dean Haacker | Motorola | Security and Privacy
Mark Showers | CIO, Monsanto | IT Governance: CIO Perspective
Sam Howard | State Farm | IT Governance at State Farm
Carol Waldron | State Farm | IT Portfolio Leadership at State Farm
Deron Grzetich | IT Security Manager, Sidley Austin Law Firm | Vulnerability Management
Richard Jaehne | Director, the Illinois Fire Service Institute | Emergency Response and Unified Command Systems
Dan Swartwood | Motorola | Privacy Issues and Regulation
Grant Hellwarth | Partner, PWC | The Enterprise and Auditor Perspectives
John Heller | CIO, Caterpillar | The Enterprise and Auditor Perspectives
Andrew Smith | Managing Partner, Protiviti | IT Service and Governance
John Bingham | Protiviti | IT Service and Governance

© Copyright 2006 University of Illinois at Urbana-Champaign