Wednesday, May 11, 2011

Ch 12: Information Security Management

Q1: What are the threats to information security?

A security threat is a challenge to the integrity of information systems that arises from one of three sources: human error and mistakes, malicious human activity, and natural events and disasters. These can cause five types of security problems: unauthorized data disclosure, incorrect data modification, faulty service, denial of service, and loss of infrastructure.


| Problem                      | Human error                                                                           | Malicious activity                       | Natural disasters           |
|------------------------------|---------------------------------------------------------------------------------------|------------------------------------------|-----------------------------|
| Unauthorized data disclosure | Procedural mistakes                                                                   | Pretexting, phishing, spoofing, sniffing | Disclosure during recovery  |
| Incorrect data modification  | Procedural mistakes, incorrect procedures, ineffective account control, system errors | Hacking, computer crime                  | Incorrect data recovery     |
| Faulty service               | Procedural mistakes, development and installation errors                              | Computer crime, usurpation               | Service improperly restored |
| Denial of service            | Accidents                                                                             | DoS attacks                              | Service interruption        |
| Loss of infrastructure       | Accidents                                                                             | Theft, terrorist activity                | Property loss               |

Q2: What is senior management’s security role?

Senior management's security role is to set the security policy and to balance the costs of a security system against the risk of security threats. A security policy has three elements. The first is a general statement of the organization's security program; it becomes the foundation for more specific security measures throughout the organization. The second element is the issue-specific policy. The third is the system-specific policy, which concerns specific information systems. Risk is the likelihood of an adverse occurrence. Management can limit the security consequences of an attack by creating a backup processing facility at a remote location.

Q3: What technical safeguards are available?

Technical safeguards involve the hardware and software components of an information system. The primary technical safeguards are identification and authentication, encryption, firewalls, malware protection, and design for secure applications. Identification and authentication involve passwords, smart cards, biometric authentication, and single sign-on for multiple systems. Encryption types include symmetric and asymmetric encryption, SSL/TLS, digital signatures, and digital certificates. A firewall is a computing device that prevents unauthorized network access; it can be a special-purpose computer, or a program on a general-purpose computer or on a router. Malware includes viruses, worms, Trojan horses, spyware, and adware.
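As an added illustration of the password part of identification and authentication (example code written for these notes, not from the textbook), the Python below shows how a system should store and check passwords: each password is hashed with a random per-user salt and a deliberately slow function (PBKDF2-HMAC-SHA256) so that a stolen password table is hard to reverse, and the check uses a constant-time comparison. The user table, the iteration count and the sample passwords are constructed values for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Example parameters (chosen for this illustration, not prescribed by the textbook).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'iterations$salt_hex$hash_hex' for the password.

    A fresh random salt is generated unless one is supplied, so two users with
    the same password end up with different stored records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        iterations_text, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: never authenticate against it
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


# Constructed in-memory "user table": username -> stored password record.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
}


def authenticate(username: str, password: str) -> bool:
    """Identification (look the user up) plus authentication (check the password).

    An unknown username still costs one hash computation, so the response time
    does not reveal whether the username exists.
    """
    stored = USERS.get(username)
    if stored is None:
        hash_password(password)  # spend the same time as a real check
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print("alice/correct:", authenticate("alice", "correct horse battery staple"))
    print("alice/wrong:  ", authenticate("alice", "wrong"))
    print("unknown user: ", authenticate("mallory", "anything"))
```

The two users share a password but get different stored records because of the salt; that is the property that stops an attacker who obtains the table from cracking both accounts with one computation.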

Q4: What data safeguards are available?

Data safeguards are measures used to protect databases and other organizational data. The organization should specify user data rights and responsibilities, and those rights should be enforced by user accounts that are authenticated at least by passwords. Key escrow is the practice of keeping a backup copy of the encryption key.

Q5: What human safeguards are available?

Human safeguards for employees include well-defined positions, hiring procedures, dissemination and enforcement of policy, and friendly termination. Safeguards for nonemployee personnel include hardening the site, that is, taking extraordinary measures to reduce a system's vulnerability.

Q6: How should organizations respond to security incidents?

Computer facilities should be in locations that are not prone to natural disasters. Also, the organization should create backups of its critical resources at a remote processing center. A hot site is a utility company, usually expensive, that can take over another company's processing with no forewarning. Cold sites provide computers and office space. Incident response should include having a plan in place, centralized reporting, specific responses, and practice.

Q7: What is the extent of computer crime?

The full extent of computer crime is not known. Of reported events, the highest average incident cost is $463,100, and losses due to bots average $345,600.

Q8: 2020?

Computer criminals find a vulnerability and exploit it. Computer security forces discover that vulnerability and create safeguards to thwart it, and so it goes on and on. The next challenge is how to protect smart phones and other mobile devices from computer criminals. The number of computer security jobs is projected to increase by 27% by 2016.

Kroenke, David. "Chapter 12: Information Security Management." Using MIS. Upper Saddle River, NJ: Prentice Hall, 2011. 442-471. Print.


Wednesday, May 4, 2011

Ch. 11: Information Systems Management

Q1: What are the functions and organization of the IS department?
The major functions of the IS department are:

· Plan the use of IS to accomplish organizational goals and strategy
· Develop, operate, and maintain the organization’s computing infrastructure
· Develop, operate, and maintain enterprise applications
· Protect information assets
· Manage outsourcing relationships

The title of the principal manager of the IS department varies from organization to organization. A common title is chief information officer, or CIO. Other common titles are vice president of information services, director of information services, and director of computer services. The CIO reports to the CEO. A typical IS department has four groups and a data administration staff function. There is usually a technology office, operations, development, and outsourcing relations.  

Q2:  How do organizations plan the use of IS?
The major IS planning functions are: Align information systems with organizational strategy, communicate issues to the executive group, develop priorities and enforce them within the IS department, and sponsor the steering committee.

Q3: What tasks are necessary for managing computing infrastructure?
The tasks necessary for managing computing infrastructure are the most visible of all of the IS department’s functions. The structure of the IS infrastructure must mirror the structure of the organization. Three more tasks are to create and maintain infrastructure for end-user computing; create, operate, and maintain networks; and to create, operate, and maintain data centers, data warehouses, and data marts.  The IS department also needs to establish technology and product standards, track problems and monitor resolutions, and manage computing infrastructure.  

Q4: What tasks are necessary for managing enterprise applications?
Developing new applications is a major application management function. The process of creating new applications begins when the IS department aligns its priorities with the organization's strategy. Then, using the priorities that arise from alignment, the IS department develops system plans and proposals and submits them to the steering committee for approval. Besides this, the IS department must also maintain legacy systems. A legacy information system is one that uses outdated technologies and techniques but is still in use despite its age; such systems arise because organizations cannot afford to replace an IS just because better technology has been developed. Other tasks are to integrate enterprise applications and to manage the development staff. Administering data is also a task; data administration and database administration sound similar but are quite different. Data administration describes a function that pertains to all of an organization's data assets, whereas database administration describes a function that pertains to a particular database. Data standards are definitions, or metadata, for data items shared across the organization. A data dictionary is a file or database that contains data definitions.

Q5:  What are the advantages and disadvantages of outsourcing?
Advantages of outsourcing are management advantages, cost reduction, and risk reduction. The risks are loss of control, benefits outweighed by long-term costs, and no easy exit.

Q6: What are your user rights and responsibilities?
Your user rights are the right to computer hardware and programs that you need.  You have a right to a reliable network and a secure computing environment. You have a right to participate in requirements meetings for new applications that you will use and for major changes to applications that you currently use.  You also have the right to receive prompt attention to your problems and concerns about information services. Your responsibilities are to learn basic computer skills and to learn the basic techniques and procedures for the applications you use. You have a responsibility to follow security and backup procedures, and for using your computer resources in a manner that is consistent with your employer’s policy. You also have a responsibility to make no unauthorized hardware modifications to your computer and to install only authorized programs. You also have to install computer patches and fixes when asked to do so and to treat information systems professionals professionally.

Q7:  2020?
Cloud computing is a form of hardware/software outsourcing in which organizations offer flexible plans for customers to lease hardware and software facilities. Virtualization is the process whereby multiple operating systems share the same computer hardware, usually a server. Green computing is environmentally friendly computing consisting of three major components: power management, virtualization, and e-waste management. Finally, green computing is concerned with e-trash, or computers and related devices that are no longer in use.

Kroenke, David. "Chapter 11: Information Systems Management." Using MIS. Upper Saddle River, NJ: Prentice Hall, 2011. 408-433. Print.

Tuesday, May 3, 2011

Ch. 10: Managing Development

Q1: What is systems development?

Systems development, also known as systems analysis and design is the process of creating and maintaining information systems. Systems development has a broader scope than computer program development. The most important criterion for information systems success is for users to take ownership of their systems.

Q2: Why is systems development difficult and risky?
Systems development is difficult and risky because requirements are difficult to determine and, besides that, requirements change. Scheduling and budgeting difficulties and changing technology also make systems development difficult. Another problem is diseconomies of scale, or, as Brooks' Law puts it: adding more people to a late project makes the project later.

Q3: How do businesses use the systems development life cycle (SDLC) process?
The systems development life cycle (SDLC) is the process used to develop information systems. The five-phase process is:

1. System definition: define the goals and scope of the new information system. Once the project's goals have been defined, the next step is to assess feasibility. Feasibility has four dimensions: cost, schedule, technical, and organizational feasibility. Then a project team is formed.

2. Requirements analysis: determine requirements. This is the most important phase, because if the requirements are wrong, the whole project is wrong. Once the requirements are established, the users must review and approve them before the project continues.

3. Component design: each of the five components is designed in this stage: hardware, programs, database, procedures, and job descriptions.

4. Implementation: once developers have constructed and tested all of the components, they integrate the individual components and test the system. A test plan consists of sequences of actions that users will take when using the new system. Beta testing is the process of allowing future system users to try out the new system on their own. Once the system has passed integrated testing, the organization installs the new system; the term system conversion is often used for this activity. Pilot installation is when the organization implements the entire system on a limited portion of its customers. Phased installation is when the new system is installed in phases across the organization. The last style is plunge, or direct, installation, when the organization shuts off the old system and starts the new system.

5. System maintenance (fix or enhance): record requests for change (failures or enhancements), prioritize the requests, and fix failures with patches, service packs, and new releases.

Q4: How does systems development vary according to project scales?
Small-scale projects have relatively simple requirements. Large-scale projects have many more requirements. They vary in duration, budget, and personnel.

Q5: What are the trade-offs among requirements, schedule, and cost?
Systems development projects, especially large ones, require trade-offs, or balancing, among three critical drivers: requirements, cost, and time. We can trade off requirements against time and against cost. The relationship between time and cost is more complicated: normally we can reduce time by increasing cost, but only to a point. For example, to cut down on time more laborers can be hired, but at some point this creates diseconomies of scale. In some projects, costs can be reduced by increasing time. In most projects, trade-off decisions cannot be made without a plan called the baseline.

Q6: What are the major challenges when planning IS projects?
The key strategy for any project is to break up large tasks into smaller tasks and continue breaking up the tasks until they are small enough to manage, thus enabling you to estimate time and costs. Each task should culminate in one or more results or deliverables such as documents, designs, prototypes, data models, etc. Without a deliverable it is impossible to know whether the task was accomplished. Teams create a work-breakdown structure (WBS), which is a hierarchy of the tasks required to complete a project. A Gantt chart shows tasks, dates, and dependencies. The critical path is the sequence of activities that determines the earliest date by which the project can be completed. Critical path analysis is the process by which project managers compress the schedule by moving resources, typically people, from noncritical path tasks onto critical path tasks.
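To make the critical-path idea concrete, here is an added Python example (written for these notes, not from the textbook) that takes a small constructed work-breakdown structure with task durations and predecessor links, computes earliest and latest start and finish dates with a forward and a backward pass, and reports the critical path as the tasks with zero slack. The task names and durations are invented for the illustration; the tasks with positive slack are the ones whose people could be moved onto the critical path.

```python
from collections import deque

# Constructed WBS: task -> (duration in days, list of predecessor tasks).
TASKS = {
    "define":    (3, []),
    "require":   (5, ["define"]),
    "design_db": (4, ["require"]),
    "design_ui": (6, ["require"]),
    "build":     (8, ["design_db", "design_ui"]),
    "docs":      (2, ["require"]),
    "test":      (4, ["build", "docs"]),
}


def topological_order(tasks):
    """Kahn's algorithm: returns (task order, successor map); raises on a dependency cycle."""
    indegree = {t: len(deps) for t, (_, deps) in tasks.items()}
    successors = {t: [] for t in tasks}
    for t, (_, deps) in tasks.items():
        for d in deps:
            successors[d].append(t)
    ready = deque(t for t, n in indegree.items() if n == 0)
    order = []
    while ready:
        t = ready.popleft()
        order.append(t)
        for s in successors[t]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle in WBS")
    return order, successors


def schedule(tasks):
    """Forward pass (earliest start/finish), backward pass (latest start/finish), slack."""
    order, successors = topological_order(tasks)
    es, ef = {}, {}
    for t in order:
        dur, deps = tasks[t]
        es[t] = max((ef[d] for d in deps), default=0)  # cannot start before all predecessors finish
        ef[t] = es[t] + dur
    project_end = max(ef.values())
    ls, lf = {}, {}
    for t in reversed(order):
        dur = tasks[t][0]
        lf[t] = min((ls[s] for s in successors[t]), default=project_end)  # must finish before successors start
        ls[t] = lf[t] - dur
    slack = {t: ls[t] - es[t] for t in tasks}
    return project_end, es, ef, slack


def critical_path(tasks):
    """Project length and the zero-slack tasks in schedule order; delaying any of them delays the project."""
    project_end, _, _, slack = schedule(tasks)
    order, _ = topological_order(tasks)
    return project_end, [t for t in order if slack[t] == 0]


if __name__ == "__main__":
    end, path = critical_path(TASKS)
    _, _, _, slack = schedule(TASKS)
    print(f"project takes {end} days; critical path: {' -> '.join(path)}")
    for t in TASKS:
        print(f"{t:10s} slack {slack[t]} days")
```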

Q7:  What are the major challenges when managing IS projects?
1. Coordination: coordinating the work of independent groups can be difficult, especially if they're not in the same geographic location.
2. Diseconomies of scale: the number of possible interactions among team members rises exponentially with the number of team members. Ultimately, no matter how well managed a project is, diseconomies of scale will set in.
3. Configuration control: as the project proceeds, controlling the configuration becomes more difficult. For example, the development team produces an initial statement of requirements, then meetings with users produce an adjusted set of requirements, and soon there are multiple sets of requirements. If the changes to the requirements are not managed, the versions will get mixed up and confusion will result.
4. Unexpected events: the larger the project and the longer it takes to complete, the greater the chance of disruption due to an unanticipated event.

Q8: 2020?
Requirements creep is the process by which users agree to one set of requirements, then add a bit more, add a bit more, and so forth. Over time, the requirements creep so much that they describe a completely new project. But the development team is left with the budget and plan of the original project.

Kroenke, David. "Chapter 10: Managing Development." Using MIS. Upper Saddle River, NJ: Prentice Hall, 2011. 370-397. Print.

Thursday, April 21, 2011

Ch. 9: Business Intelligence Systems


Q1: Why do organizations need business intelligence?
Business intelligence is information containing patterns, relationships, and trends; it has to be found and produced. Businesses use business intelligence systems to process data to produce patterns, relationships, and other forms of information, and to deliver that information on a timely basis to the users who need it.
Q2: What business intelligence systems are available?
A business intelligence system is an information system that employs business intelligence tools to produce and deliver information. The characteristics of a particular BI system depend on the tool in use.
A business intelligence tool is one or more computer programs that implement a particular BI technique. These tools fall into three categories: reporting tools, data-mining tools, and knowledge-management tools.
Reporting tools are programs that read data from a variety of sources, process that data, format it into structured reports, and deliver those reports to the users who need them. Data are sorted and grouped, and simple totals and averages are calculated. These tools are primarily used for assessment.
Data-mining tools process data using statistical techniques, many of which are sophisticated and mathematically complex. Data mining involves searching for patterns and relationships among data. In most cases, data-mining tools are used to make predictions.
Knowledge-management tools are used to store employee knowledge and to make that knowledge available to employees, customers, vendors, auditors, and others who need it. It’s different from data-mining tools because the source of their data is human knowledge, rather than recorded facts and figures.
Q3: What are typical reporting applications?
A reporting application is a BI application that inputs data from one or more sources and applies a reporting tool to that data to produce information. The resulting information is then delivered to users by a reporting system, which is a BI system that delivers reports to authorized users at appropriate times. Reporting tools produce information from data using five basic operations: sorting, grouping, calculating, filtering, and formatting.
RFM analysis, a technique readily implemented using reporting tools, is used to analyze and rank customers according to their purchasing patterns. RFM considers how recently (R) a customer has ordered, how frequently (F) a customer has ordered, and how much money (M) the customer has spent. To produce an RFM score, the RFM reporting tool first sorts customer purchase records by the date of their most recent (R) purchase. The tool then re-sorts the customers based on how frequently (F) they ordered. Finally, the tool sorts the customers again according to the amount spent on their orders.
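The three sorts described above carried out on data, as an added Python example written for these notes (not code from the textbook): from a constructed list of purchase records it derives each customer's recency in days, order count and total spend, then ranks customers on each measure into scores 1 to 5, where 1 is the best 20%. The 1-to-5 quintile convention and the "as of" date are assumptions of this example; with so few customers each quintile holds one customer, and ties are broken by input order.

```python
from datetime import date

# Constructed purchase history: (customer, purchase date, order amount).
PURCHASES = [
    ("c1", date(2011, 4, 30), 120.0),
    ("c1", date(2011, 3, 15), 80.0),
    ("c1", date(2011, 1, 10), 200.0),
    ("c2", date(2011, 2, 1), 50.0),
    ("c3", date(2011, 5, 9), 30.0),
    ("c3", date(2011, 5, 2), 25.0),
    ("c4", date(2010, 11, 20), 400.0),
    ("c5", date(2011, 4, 1), 60.0),
    ("c5", date(2011, 4, 5), 70.0),
    ("c5", date(2011, 4, 9), 90.0),
]


def rfm_measures(purchases, as_of):
    """Per customer: (days since last order, number of orders, total spend)."""
    last, count, total = {}, {}, {}
    for cust, day, amount in purchases:
        last[cust] = max(last.get(cust, day), day)
        count[cust] = count.get(cust, 0) + 1
        total[cust] = total.get(cust, 0.0) + amount
    return {c: ((as_of - last[c]).days, count[c], total[c]) for c in last}


def quintile_scores(values, higher_is_better):
    """Rank a {customer: value} map into scores 1..5, where 1 is the best 20% (assumed convention).

    sorted() is stable, so customers with equal values keep their input order.
    """
    ordered = sorted(values, key=lambda k: values[k], reverse=higher_is_better)
    n = len(ordered)
    return {k: 1 + (i * 5) // n for i, k in enumerate(ordered)}


def rfm_scores(purchases, as_of):
    """Return {customer: (R score, F score, M score)}."""
    m = rfm_measures(purchases, as_of)
    r = quintile_scores({c: v[0] for c, v in m.items()}, higher_is_better=False)  # fewer days = better
    f = quintile_scores({c: v[1] for c, v in m.items()}, higher_is_better=True)
    mo = quintile_scores({c: v[2] for c, v in m.items()}, higher_is_better=True)
    return {c: (r[c], f[c], mo[c]) for c in m}


if __name__ == "__main__":
    for cust, score in rfm_scores(PURCHASES, date(2011, 5, 11)).items():
        print(cust, score)
```

Customer c1 comes out as (2, 1, 1): recent, frequent and high-spending. Customer c4 comes out as (5, 5, 2): one large order long ago, the classic "used to be valuable, now lapsed" profile that RFM is meant to surface.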
Online analytical processing (OLAP) is more generic than RFM. It provides the ability to sum, count, average, and perform other simple arithmetic operations on groups of data. The viewer of the report can change the format, hence the term online. OLAP has measures and dimensions. A measure is the data item of interest; it is the item to be summed or averaged or otherwise processed in the OLAP report. Total sales, average sales, and average cost are examples of measures. A dimension is a characteristic of a measure. Purchase date, customer type, customer location, and sales region are all examples of dimensions. With an OLAP report, it's possible to drill down. An OLAP report is also known as an OLAP cube because some software products show these displays using three axes, like a cube in geometry. OLAP servers have been developed to perform OLAP analysis.
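The measure/dimension idea in working form, as an added Python example written for these notes (not from the textbook or any OLAP product): a small constructed table of sales facts is grouped by any list of dimensions and a measure is summed, counted or averaged, and drilling down is just grouping by one more dimension. Dimension and measure names are invented for the illustration.

```python
from collections import defaultdict

# Constructed sales fact rows: three dimensions (region, customer_type, store) and one measure (sales).
SALES = [
    {"region": "West", "customer_type": "Retail",    "store": "S1", "sales": 100.0},
    {"region": "West", "customer_type": "Retail",    "store": "S2", "sales": 150.0},
    {"region": "West", "customer_type": "Wholesale", "store": "S1", "sales": 500.0},
    {"region": "East", "customer_type": "Retail",    "store": "S3", "sales": 80.0},
    {"region": "East", "customer_type": "Wholesale", "store": "S3", "sales": 300.0},
    {"region": "East", "customer_type": "Wholesale", "store": "S4", "sales": 200.0},
]


def cube(records, dimensions, measure, agg="sum"):
    """Group records by the given dimensions and aggregate the measure.

    Returns {(dimension value, ...): aggregate}. agg is "sum", "count" or "average".
    An empty dimension list gives the grand total under the empty tuple key.
    """
    groups = defaultdict(list)
    for row in records:
        key = tuple(row[d] for d in dimensions)
        groups[key].append(row[measure])
    if agg == "sum":
        return {k: sum(v) for k, v in groups.items()}
    if agg == "count":
        return {k: len(v) for k, v in groups.items()}
    if agg == "average":
        return {k: sum(v) / len(v) for k, v in groups.items()}
    raise ValueError(f"unknown aggregate {agg!r}")


def drill_down(records, dimensions, next_dimension, measure, agg="sum"):
    """Drill down = the same report with one more dimension added."""
    return cube(records, list(dimensions) + [next_dimension], measure, agg)


def show(report, title):
    print(title)
    for key, value in report.items():
        print("  ", " / ".join(key) if key else "(all)", "->", value)


if __name__ == "__main__":
    show(cube(SALES, ["region"], "sales"), "Total sales by region")
    show(drill_down(SALES, ["region"], "customer_type", "sales"), "... drilled down to customer type")
    show(cube(SALES, ["customer_type"], "sales", "average"), "Average sale by customer type")
```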
Q4: What are typical data-mining applications?
Data mining is the application of statistical techniques to find patterns and relationships among data for classification and prediction. It’s also known as knowledge discovery in databases (KDD).
With unsupervised data mining, analysts do not create a model or hypothesis before running the analysis. Instead, they apply the data-mining technique to the data and observe the results. With this method, analysts create hypotheses after the analysis, in order to explain the patterns found. One common technique of unsupervised data mining is cluster analysis where statistical techniques identify groups of entities that have similar characteristics. A common use is to find groups of similar customers from customer order and demographic data.
With supervised data mining, data miners develop a model prior to the analysis and apply statistical techniques to data to estimate parameters of the model.  One type of analysis is called regression analysis, which measures the impact of a set of variables on another variable. Neural networks are another popular technique used to predict values and make classifications such as “good prospect” or “poor prospect” customers.
A market-basket analysis is a data-mining technique for determining sales patterns. It shows the products that customers tend to buy together. In market-basket terminology, support is the probability that two items will be purchased together.  The ratio of confidence to the base probability of buying an item is called lift.
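The market-basket measures computed on data, as an added Python example written for these notes (not from the textbook): over a constructed set of baskets it computes support (the fraction of baskets containing both items), confidence (the conditional probability of the second item given the first, which the notes above rely on but do not define) and lift (confidence divided by the base probability of the second item), then lists every item-to-item rule whose pair support clears a threshold. The item names and baskets are invented.

```python
from itertools import combinations

# Constructed transactions: each set is the items in one customer's basket.
BASKETS = [
    {"mask", "snorkel", "fins"},
    {"mask", "snorkel"},
    {"fins", "boots"},
    {"mask", "fins"},
    {"snorkel", "boots"},
    {"mask", "snorkel", "boots"},
    {"fins"},
    {"mask", "snorkel", "fins", "boots"},
]


def support(baskets, items):
    """Fraction of baskets containing every item in `items`: P(items bought together)."""
    items = set(items)
    return sum(1 for b in baskets if items <= b) / len(baskets)


def confidence(baskets, antecedent, consequent):
    """P(consequent | antecedent) = support(both) / support(antecedent)."""
    return support(baskets, antecedent | consequent) / support(baskets, antecedent)


def lift(baskets, antecedent, consequent):
    """confidence / base probability of the consequent; above 1 means the pairing beats chance."""
    return confidence(baskets, antecedent, consequent) / support(baskets, consequent)


def pair_rules(baskets, min_support=0.25):
    """All single-item -> single-item rules whose pair support meets the threshold, best lift first.

    Each rule is (antecedent, consequent, support, confidence, lift).
    """
    items = sorted(set().union(*baskets))
    rules = []
    for a, b in combinations(items, 2):
        s = support(baskets, {a, b})
        if s < min_support:
            continue
        for x, y in ((a, b), (b, a)):
            rules.append((x, y, s, confidence(baskets, {x}, {y}), lift(baskets, {x}, {y})))
    return sorted(rules, key=lambda r: r[4], reverse=True)


if __name__ == "__main__":
    for x, y, s, c, l in pair_rules(BASKETS):
        print(f"{x:8s} -> {y:8s} support {s:.3f} confidence {c:.3f} lift {l:.2f}")
```

With these baskets, mask -> snorkel has support 0.5, confidence 0.8 and lift 1.28, so a snorkel is 28% more likely in a basket that already holds a mask than in a basket picked at random.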
A decision tree is a hierarchical arrangement of criteria that predict a classification or a value. Decision-tree analyses are an unsupervised data-mining technique: the analyst sets up the computer program and provides the data to analyze, and the decision-tree program produces the tree. The basic idea of a tree is to select attributes that are most useful for classifying entities on some criterion. Then the data is input into the program. The program analyzes all of the attributes and selects an attribute that creates the most disparate groups. The program then examines other criteria to further subdivide.   
Q5: What is the purpose of data warehouses and data marts?
Many organizations choose to extract operational data into facilities called data warehouses and data marts, both of which prepare, store, and manage data specifically for data mining and other analyses.  This is because of problems with operational data.  The data could be dirty data, missing values, inconsistent, or the data is not integrated. Also, it could have the wrong granularity: too fine or not fine enough.  There could also be too much data: too many attributes, or too many data points.  A data warehouse is like a distributor in a supply chain. A data mart is a data collection, smaller than the warehouse that addresses a particular component or functional area of the business.
Q6: What are typical knowledge-management applications?
Knowledge management is the process of creating value from intellectual capital and sharing that knowledge with employees, managers, suppliers, customers, and others who need it. Whereas reporting and data mining are used to create new information from data, knowledge-management systems concern the sharing of knowledge that is known to exist.
Knowledge management is concerned with maximizing content use. Indexing is the most important function in knowledge-management applications. Users need an easily accessible and robust means of determining whether the content they need exists and, if so, a link to obtain that content.
Really Simple Syndication (RSS) is a standard for subscribing to content sources. With an RSS reader, you can subscribe to magazines, blogs, sites, and other content sources. In order to subscribe, the data source must provide what is termed an RSS feed, which means that the site posts changes according to one of the RSS standards.
Expert systems attempt to capture human expertise and put it into a format that can be used by non-experts. Many of these systems were created in the late 1980s and early 1990s, and a few of them have been very successful. There are three disadvantages: they are difficult and expensive to develop, they are difficult to maintain, and they have been unable to live up to the high expectations set by their name.
Q7: How are business intelligence applications delivered?
A business intelligence (BI) application server delivers those results in a variety of formats to devices for consumption by BI users. Some BI servers are simply web sites from which users can download, or pull, BI application results.  Another option is for the BI server to operate as a portal server, or as part of one.  Portal servers are like web servers except that they have a customizable user interface.
Q8: 2020?
Simple business intelligence systems like RFM and OLAP can successfully add value and even complicated and expensive data-mining applications can generate tremendous return if they are applied to appropriate problems and are well-designed and implemented.

Kroenke, David. "Chapter 9: Business Intelligence Systems." Using MIS. Upper Saddle River, NJ: Prentice Hall, 2011. 318-347. Print.

Thursday, March 17, 2011

Chapter 8: E-Commerce and Web 2.0


Q1: How do companies use e-commerce?
E-commerce is the buying and selling of goods and services through public and private computer networks. In e-commerce, merchant companies are defined as those that take title to the goods they sell; they buy goods and resell them. Nonmerchant companies are those that arrange for the purchase and sale of goods without ever owning or taking title to those goods.
There are three main types of merchant companies, which are: those that sell directly to consumers (B2C), those that sell to companies (B2B), and those that sell to government (B2G). 
There are also three types of nonmerchant e-commerce companies. E-commerce auctions match buyers and sellers by using an e-commerce version of a standard auction (eBay). Clearinghouses provide goods and services at a stated price and arrange for the delivery of the goods, but they never take title. An electronic exchange is another type of clearinghouse, but it matches buyers and sellers; the process is similar to that of a stock exchange.
E-commerce improves market efficiency by leading to disintermediation, which is the elimination of middle layers of distributors and suppliers. Flow of price information is also improved. From the seller’s side, e-commerce provides information about price elasticity (measure of amount that demand rises or falls with changes in price) that has not been available before.
Economic factors that disfavor e-commerce are channel conflict, price conflict, logistics expense, and customer-service expense.
Q2: What technology is needed for e-commerce?
Almost all e-commerce applications use the three-tier architecture. The three tiers refer to three different classes of computers. The user tier consists of computers that have browsers that request and process web pages. The server tier consists of computers that run Web servers and process application programs. The database tier consists of computers that run a DBMS that processes SQL requests to retrieve and store data.
Hypertext Transfer Protocol (HTTP) is a set of rules for transferring documents and data over the Internet. A web page is a document, coded in one of the standard page markup languages, that is transmitted using HTTP. Web servers are programs that run on a server tier computer and that manage HTTP traffic by sending and receiving Web pages to and from clients. A browser is a computer program on the client computer that processes Web pages. A commerce server is an application program that runs on a server tier computer; it receives requests from users via the Web server.
A Hypertext Markup Language (HTML) tag is a notation used to define a data element for display or other purposes. Hyperlinks are pointers to other Web pages; they contain the URL of the Web page to find when the user clicks the hyperlink.
Q3: How can information systems enhance supply chain performance?
A supply chain is a network of organizations and facilities that transforms raw materials into products delivered to customers. Because at each level an organization can work with many organizations both up and down the chain, a supply chain is a network. Four factors that drive supply chain performance are facilities, inventory, transportation, and information. Supply chain profitability is the difference between the sum of the revenue generated by the supply chain and the sum of the costs that all organizations in the supply chain incur to obtain that revenue. The bullwhip effect is when the variability in the size and timing of orders increases at each stage up the supply chain, from customer to supplier.
Q4: Why is Web 2.0 important to business?
Web 2.0 refers to a loose grouping of capabilities, technologies, business models, and philosophies. Many Web 2.0 programs are classified as “beta”, a pre-release version of software that is used for testing; it becomes obsolete when the final version is released. Businesses can benefit from this because it promotes advertising, social networking, and mashups.
Q5: How can organizations benefit from social networking?
Social networking is the interaction of people connected by friendship, interests, business associations, or some other common trait that is supported by Web 2.0 technology. Social network applications are computer programs that interact and process information in a social network. They run on servers provided by the application’s creator.
Q6: How can organizations benefit from Twitter?
Twitter allows users to publish 140 character descriptions of anything. They can follow other Twitter users, and they can be followed. It is an example of a category of applications called microblogs, a web site on which users can publish their opinions, just like a web blog, but the opinions are restricted to small amounts of text, like Twitter’s 140 characters. Benefits from this are market research, relationship sales, and public relations.
Q7: What are the benefits and risks of user-generated content (UGC)?
Most common types of UGC are: ratings and surveys, opinions, customer stories, discussion groups, wikis, blogs, and video. Crowdsourcing is the process by which organizations involve their users in the design and marketing of their products. It combines social networking, viral marketing, and open-source design, saving considerable cost while cultivating customers.  Risks of using social networking and UGC are: junk and crackpots, inappropriate content, unfavorable reviews, mutinous movements, and dependency on the SN vendor.
Q8: 2020?
Perhaps the future technology will enable voice and video to be integrated into social networking. Perhaps with social networking, management styles will change and instead of only being able to manage 10 to 12 employees, managers will be in charge of 50 or 100.

Kroenke, David. "Chapter 8: E-Commerce and Web 2.0." Using MIS. Upper Saddle River, NJ: Prentice Hall, 2011. 272-317. Print.

Thursday, March 10, 2011

Chapter 7: Business Process Management


Q1: Why is business process management important to organizations?
Through business process management (BPM), an organization can create, assess, and alter business processes. There are four stages to the process: implement processes, assess results, model processes, and create components, which for the most part include all five elements of every information system. There are three types of processes that organizations can plan or develop through BPM. Functional processes involve activities within a single department or function, but the problem with these is that they lead to islands of automation, sometimes called information silos because they work in isolation from one another. Cross-functional processes involve activities among several business departments; this type eliminates the problems of isolated systems and data. The last type is an interorganizational process, where a business process crosses multiple companies.

Q2: How do organizations solve business problems?
Diagrams are drawn to illustrate how processes will be carried out, by whom, and how the entire system connects. There is the “assemble and ship equipment” process and the “top-level” business process. There are three ways of changing business processes: changing a process by adding or removing resources without changing its structure, changing a process by altering its structure, or doing both.

Q3: What role do information systems play in business processes?
They provide an alternative for implementing the register clients activity and they facilitate linkages among activities.

Q4: What are the most common functional applications used today?
A functional application is a computer program that supports or possibly automates the major activities in a functional process. Few businesses develop their own applications; to reduce costs they license functional application software from a vendor and then adapt it. The most common functional applications used today are sales and marketing, operations, manufacturing, customer service, human resources, and accounting.

Q5: What are the problems with functional information systems?
One of the main problems is that data is duplicated because each application has its own database. When applications are isolated, processes are disjointed and as a consequence there is lack of integrated enterprise information.

Q6: What are the functions and characteristics of customer relationship management (CRM) information systems?
A customer relationship management (CRM) system is a cross-functional application that tracks all interactions with the customer, from prospect through follow-up service and support. CRM systems integrate all of the primary business activities. There are four phases of the customer life cycle: marketing, customer acquisition, relationship management, and loss/churn. CRM applications store data in a single database.

Q7: What are the functions and characteristics of enterprise resource planning (ERP) information systems?
Enterprise resource planning (ERP) applications provide even more integration than CRM: they integrate the primary value chain activities with human resources and accounting. The primary users are manufacturing companies, through software from SAP. Major characteristics are that ERP is cross-functional, takes a formal approach based on formal business models, maintains data in a centralized database, offers large benefits but is challenging and can be slow to implement, and is often very expensive. The benefits of ERP are efficient business processes, inventory reduction, lead-time reduction, improved customer service, greater real-time insight into the organization, and higher profitability.

Q8: 2020?
Service-oriented architecture (SOA) is a design philosophy in which every activity is modeled as an encapsulated service and the exchanges among those services are governed by standards.

Kroenke, David. "Chapter 7: Business Process Management." Using MIS. Upper Saddle River, NJ: Prentice Hall, 2011. 232-265. Print.