Information Systems Audit and Security
Instructor: 徐立群 (LihChyun Shu, shulc@mail.ncku.edu.tw)
Office: Room 63323
Course objective:
In recent years, information technology (IT) has inspired the reengineering of traditional business operations. As global networks expand the interconnection of the world, the smooth operation of communication and computing systems becomes vital. The immediate need for organizations to protect critical information continues to increase. IT advances have introduced new risks* that require unique internal controls and have also had a great influence on auditing. In this course, we will first present an overview of information systems audit (or information technology audit). We then discuss alternative audit approaches and review the internal control concerns.
We will give a basic introduction to the broader field of information security, defining key terms and explaining essential concepts. We will then examine the business drivers behind the security analysis and design process. We will look into key laws that shape the field of information security, as well as the computer ethics necessary to better educate those implementing security. We then study key areas of potential computer risk. An overview of relevant technology and systems issues will also be provided. Finally, students will learn to use computer assisted audit tools in order to gain hands-on experience.
*Risk: danger; possibility that something harmful or undesirable may happen. (Longman dictionary of contemporary English)
1. Auditing, Assurance, and Internal Control
2. Computer Assisted Audit Tools and Technologies (CAATT)
3. CAATTs for Data Extraction and Analysis
4. Introduction to Information Security
5. The Need for Security
6. Legal, Ethical and Professional Issues in Information Security
7. Risk Management: Identifying and Assessing Risk
8. Risk Management: Assessing and Controlling Risk
9. Blueprint for Security
Texts:
James A. Hall. "Information Systems Auditing and Assurance," South Western College Publishing, 1999.
Michael E. Whitman and Herbert J. Mattord. "Principles of Information Security," Thomson Course Technology, 3rd Ed., 2008.
Course slides:
Auditing, assurance, internal control (Chap 1 of Hall 99)
Computer assisted audit tools and techniques (Chap 6 of Hall 99)
CAATTs for Data Extraction and Analysis (Chap 7 of Hall 99)
Introduction to information security (Chap 1 of Whitman & Mattord '03); information security related news
The need for security (Chap 2 of Whitman & Mattord '03)
Risk management: identifying and assessing risk (Chap 4 of Whitman & Mattord '03)
Risk management: assessing and controlling risk (Chap 5 of Whitman & Mattord '03)
Supplemental slides:
Accounting and Audit Personnel and Information Security (slides from a talk by 徐敏玲, 致遠)
In-class presentation by students
Evaluation (subject to change):
Class participation (5%)
Exercises (37%)
Exam (20%)
Case discussion (8%)
Book chapter/paper oral and written presentation (30%)
Links:
Illustrative Risks to the Public in the Use of Computer Systems and Related Technology (Risks-illustrative.pdf)
Sarbanes-Oxley Act on Computerworld: "Financial law may force IT systems overhaul"
Sarbanes-Oxley Act (Wikipedia)
The University of Waterloo Centre for Information Systems Assurance
Journal of Information Systems (accessible via NCKU-Journal)
International Journal of Accounting Information Systems (accessible via NCKU-Journal)
Why Information Security is Hard -- An Economic Perspective (Ross Anderson)
Orange Book Summary