Wednesday, May 11, 2011

Ch 12: Information Security Management

Q1: What are the threats to information security?

A security threat is a challenge to the integrity of information systems that arises from one of three sources: human error and mistakes, malicious human activity, and natural events and disasters. These can cause five types of security problems: unauthorized data disclosure, incorrect data modification, faulty service, denial of service, and loss of infrastructure.


| Security problem | Human Error | Malicious Activity | Natural Disasters |
| --- | --- | --- | --- |
| Unauthorized data disclosure | Procedural mistakes | Pretexting, phishing, spoofing, sniffing | Disclosure during recovery |
| Incorrect data modification | Procedural mistakes, incorrect procedures, ineffective acct control, system errors | Hacking, computer crime | Incorrect data recovery |
| Faulty service | Procedural mistakes, development and installation errors | Computer crime, usurpation | Service improperly restored |
| Denial of service | Accidents | DOS attacks | Service interruption |
| Loss of infrastructure | Accidents | Theft, terrorist activity | Property loss |

Q2: What is senior management’s security role?

Senior management's security role is to set the security policy and to balance the costs of a security system against the risk of security threats. A security policy has three elements. The first is a general statement of the organization’s security program, which becomes the foundation for more specific security measures throughout the organization. The second element is the issue-specific policy. The third is the system-specific policy, which concerns specific information systems. Risk is the likelihood of an adverse occurrence. Management can limit the security consequences of an attack by creating a backup processing facility at a remote location.

Q3: What technical safeguards are available?

Technical safeguards involve the hardware and software components of an information system. The primary technical safeguards are identification and authentication, encryption, firewalls, malware protection, and design for secure applications. Identification and authentication involve passwords, smart cards, biometric authentication, and single sign-on for multiple systems. Encryption types include symmetric, asymmetric, SSL/TLS, digital signatures, and digital certificates. A firewall is a computing device that prevents unauthorized network access. A firewall can be a special-purpose computer or it can be a program on a general-purpose computer or on a router. Malware includes viruses, worms, Trojan horses, spyware, and adware.

Q4: What data safeguards are available?

Data safeguards are measures used to protect databases and other organizational data. The organization should specify user data rights and responsibilities, and those rights should be enforced by user accounts that are authenticated at least by passwords. Key escrow is the practice of keeping a copy of the encryption key.

Q5: What human safeguards are available?

Safeguards for employees include well-defined positions, hiring procedures, dissemination and enforcement, and friendly termination. Safeguards for nonemployee personnel include hardening a site, which means taking extraordinary measures to reduce a system’s vulnerability.

Q6: How should organizations respond to security incidents?

Computer facilities should be in locations that are not prone to natural disasters. Also, the organization should create backups for the critical resources at the remote processing center. A hot site is an expensive utility company that can take over another company’s processing with no forewarning. Cold sites provide computers and office space. Incident response includes having a plan in place, centralized reporting, specific responses, and practice.

Q7: What is the extent of computer crime?

The full extent of computer crime is not known. Of reported events, the highest average incident cost is $463,100, and losses due to bots average $345,600.

Q8: 2020?

Computer criminals find a vulnerability and exploit it. Computer security forces discover that vulnerability and create safeguards to thwart it. And it goes on and on. The next challenge is how to protect smart phones and other mobile devices from computer criminals. The number of computer security jobs is projected to increase by 27% by 2016.

Kroenke, David. "Chapter 12: Information Security Management." Using MIS. Upper Saddle River, NJ: Prentice Hall, 2011. 442-471. Print


Wednesday, May 4, 2011

Ch. 11: Information Systems Management

Q1: What are the functions and organization of the IS department?
The major functions of the IS department are:

· Plan the use of IS to accomplish organizational goals and strategy
· Develop, operate, and maintain the organization’s computing infrastructure
· Develop, operate, and maintain enterprise applications
· Protect information assets
· Manage outsourcing relationships

The title of the principal manager of the IS department varies from organization to organization. A common title is chief information officer, or CIO. Other common titles are vice president of information services, director of information services, and director of computer services. The CIO reports to the CEO. A typical IS department has four groups and a data administration staff function. There is usually a technology office, operations, development, and outsourcing relations.  

Q2:  How do organizations plan the use of IS?
The major IS planning functions are: Align information systems with organizational strategy, communicate issues to the executive group, develop priorities and enforce them within the IS department, and sponsor the steering committee.

Q3: What tasks are necessary for managing computing infrastructure?
The tasks necessary for managing computing infrastructure are the most visible of all of the IS department’s functions. The structure of the IS infrastructure must mirror the structure of the organization. Three more tasks are to create and maintain infrastructure for end-user computing; create, operate, and maintain networks; and to create, operate, and maintain data centers, data warehouses, and data marts.  The IS department also needs to establish technology and product standards, track problems and monitor resolutions, and manage computing infrastructure.  

Q4: What tasks are necessary for managing enterprise applications?
Developing new applications is a major application management function. The process of creating new applications begins when the IS department aligns its priorities with the organization’s strategy. Then, using priorities that arise from alignment, the IS dept. develops system plans and proposals and submits them to the steering committee for approval. Besides this, the IS dept. must also maintain legacy systems. A legacy information system is one that has outdated technologies and techniques but is still used, despite its age. They arise because organizations cannot afford to replace an IS just because better technology has been developed. Other tasks are to integrate enterprise applications and manage development staff. Administering data is also a task. Data administration and database administration sound similar but are quite different. Data administration describes a function that pertains to all of an organization’s data assets. Database administration describes a function that pertains to a particular database. Data standards are definitions, or metadata, for data items shared across the organization. A data dictionary is a file or database that contains data definitions.

Q5:  What are the advantages and disadvantages of outsourcing?
Advantages of outsourcing are management advantages, cost reduction, and risk reduction. The risks are loss of control, benefits outweighed by long-term costs, and no easy exit.

Q6: What are your user rights and responsibilities?
Your user rights are the right to computer hardware and programs that you need.  You have a right to a reliable network and a secure computing environment. You have a right to participate in requirements meetings for new applications that you will use and for major changes to applications that you currently use.  You also have the right to receive prompt attention to your problems and concerns about information services. Your responsibilities are to learn basic computer skills and to learn the basic techniques and procedures for the applications you use. You have a responsibility to follow security and backup procedures, and for using your computer resources in a manner that is consistent with your employer’s policy. You also have a responsibility to make no unauthorized hardware modifications to your computer and to install only authorized programs. You also have to install computer patches and fixes when asked to do so and to treat information systems professionals professionally.

Q7:  2020?
Cloud computing is a form of hardware/software outsourcing in which organizations offer flexible plans for customers to lease hardware and software facilities. Virtualization is the process whereby multiple operating systems share the same computer hardware, usually a server. Green computing is environmentally friendly computing consisting of three major components: power management, virtualization, and e-waste management. Finally, green computing is concerned with e-trash, or computers and related devices that are no longer in use.

Kroenke, David. "Chapter 11: Information Systems Management." Using MIS. Upper Saddle River, NJ: Prentice Hall, 2011. 408-433. Print

Tuesday, May 3, 2011

Ch. 10: Managing Development

Q1: What is systems development?

Systems development, also known as systems analysis and design, is the process of creating and maintaining information systems. Systems development has a broader scope than computer program development. The most important criterion for information systems success is for users to take ownership of their systems.

Q2: Why is systems development difficult and risky?
Systems development is difficult and risky because requirements are difficult to determine and, besides that, requirements change. Scheduling and budgeting difficulties and changing technology also make systems development difficult. Another problem is diseconomies of scale, or as Brooks' Law points out: Adding more people to a late project makes the project later.

Q3: How do businesses use the systems development life cycle (SDLC) process?
The systems development life cycle (SDLC) is the process used to develop information systems. The five-phase process is:

1. System definition: define the goals and scope of the new information system. Once the project's goals have been defined, the next step is feasibility. Feasibility has four dimensions: cost, schedule, technical, and organizational feasibility. Then a project team is formed.

2. Requirements analysis: determine requirements. This is the most important phase because if the requirements are wrong, the whole project is wrong. Once the requirements are established, the users must review and approve them before the project continues.

3. Component design: each of the five components is designed in this stage: hardware, program, database, procedure, and design of job descriptions.

4. Implementation: once developers have constructed and tested all of the components, they integrate the individual components and test the system. A test plan consists of sequences of actions that users will take when using the new system. Beta testing is the process of allowing future system users to try out the new system on their own. Once the system has passed integrated testing, the organization installs the new system. The term system conversion is often used for this activity. Pilot installation is when the organization implements the entire system on a limited portion of its customers. Phased installation is when the new system is installed in phases across the organization. The final stage is plunge/direct installation, when the organization shuts off the old system and starts the new system.

5. System maintenance (fix or enhance): record requests for change (failures or enhancements). Prioritize requests. Fix failures: patches, service packs, and new releases.

Q4: How does systems development vary according to project scales?
Small-scale projects have relatively simple requirements. Large-scale projects have many more requirements. They vary in duration, budget, and personnel.

Q5: What are the trade-offs among requirements, schedule, and cost?
Systems development projects, especially large ones, require trade-offs, or balancing, among three critical drivers: requirements, cost, and time. We can trade off requirements against time and against cost. The relationship between time and cost is more complicated. Normally we can reduce time by increasing cost only to a point. For example, to cut down on time more laborers can be hired, but at some point it will create diseconomies of scale. In some projects, costs can be reduced by increasing time. In most projects, trade-off decisions cannot be made without a plan called the baseline.

Q6: What are the major challenges when planning IS projects?
The key strategy for any project is to break up large tasks into smaller tasks and continue breaking up the tasks until they are small enough to manage, thus enabling you to estimate time and costs. Each task should culminate in one or more results or deliverables such as documents, designs, prototypes, data models, etc. Without a deliverable it is impossible to know if the task was accomplished. Teams create a work-breakdown structure (WBS), which is a hierarchy of the tasks required to complete a project. A Gantt chart shows tasks, dates, and dependencies. The critical path is the sequence of activities that determines the earliest date by which the project can be completed. Critical path analysis is the process by which project managers compress the schedule by moving resources, typically people, from noncritical path tasks onto critical path tasks.

Q7:  What are the major challenges when managing IS projects?
1. Coordination: coordinating the work of independent groups can be difficult, especially if they’re not geographically in the same place.
2. Diseconomies of scale: the number of possible interactions among team members rises exponentially with the number of team members. Ultimately, no matter how well managed a project is, diseconomies of scale will set in.
3. Configuration control: as the project proceeds, controlling the configuration becomes more difficult. For example, the development team produces an initial statement of requirements. Meetings with users produce an adjusted set of requirements. Soon there are multiple sets of requirements, and if the changes to the requirements are not managed, the versions will get mixed up, and confusion will result.
4. Unexpected events: the larger and longer the project takes to complete, the greater the chance of disruption due to an unanticipated event.

Q8: 2020?
Requirements creep is the process by which users agree to one set of requirements, then add a bit more, add a bit more, and so forth. Over time, the requirements creep so much that they describe a completely new project. But the development team is left with the budget and plan of the original project.

Kroenke, David. "Chapter 10: Managing Development." Using MIS. Upper Saddle River, NJ: Prentice Hall, 2011. 370-397. Print