Course - DT249/1
Subject - Information Systems in Organisations
MANAGING INFORMATION SYSTEMS OPERATION
INFORMATION SYSTEMS SECURITY
Semester 1, Week 9
Textbooks?
The Laudon and Laudon book, ‘Management Information Systems’ (Seventh Edition):
Management: Chapters 5 (5.4), 6 (6.5), 9 (9.5)
Security: all of Chapter 14.
Background to Managing Information Systems
Managing information systems is a complex subject. The information systems themselves have changed over the years and have evolved to include:
◦ Hardware of varying specifications
◦ Software of different types
◦ Networking (with related hardware and software)
◦ The Internet and intranets
Background to Managing Information Systems (2)
Traditionally, Information Systems have been managed by an IS or IT (Information Systems or Information Technology) Department in an ‘average’ business organisation.
That model still exists, but issues of ‘end-user computing’ and ‘ownership’ have altered that traditional image.
Who Manages Information Technology?
The person or people who take responsibility for management of information systems vary, depending on the size and nature of the organisation.
This lecture opts to exemplify an Information Technology Department with one main manager.
The Role of the IT Department
The IT Department is responsible for organisation-level and shared resources and for using IT to solve end users’ application problems. (Mentioned before, yes.)
End users are responsible for their own computing resources and departmental resources.
The IT Department and end users often work together as partners to manage the IT resources.
The Role of the IT Department (2)
The IT Department has changed from a purely technical support role to a more managerial and strategic one.
In many modern cases, the IT Manager’s role has changed from a technical manager to a senior executive called the Chief Information Officer (CIO).
Project Manager or IT Manager?
Is the Project Manager, as mentioned in the last lecture, the same as an IT Manager?
Properly and strictly speaking, no.
What is the difference, then?
A Project Manager manages a technical project – at a project level.
An Information Technology Manager manages all aspects of IT – at a departmental level.
Project Manager or IT Manager? (2)
What is common to both Project Manager and IT Manager is that they control hardware, software, network (probably) and personnel assets for their ‘area’.
A project manager may manage low-level, technical hardware, software and people for project development, while an IT Manager manages ‘broad-ranging’ hardware, software and people to keep the affected departments running smoothly with their systems in place.
What IT Management Involves
Information Technology management can be generalised as the support of a core function: producing and distributing ‘Information Technology solutions’ to users throughout the organisation, while ensuring solutions are cost effective and avoiding Information Technology problems.
What IT Management Involves (2)
A general view of Information Technology management is the management of information systems in terms of ‘assets’ – or ‘resources’ – but there are many issues and concerns surrounding this overview.
There are decisions to be made and risks to take.
Many ‘general’ features of Middle Management belong to IT management.
Managerial Roles
Henry Mintzberg cites three managerial roles:
◦ Interpersonal roles, where managers act as figureheads and leaders for the organisation.
◦ Informational roles, where managers act as the nerve centres of their organisations, receiving and disseminating critical information.
◦ Decisional roles, where managers initiate activities, handle disturbances, allocate resources, and negotiate conflicts.
Managerial Roles (2)
IT Managers:
◦ Interpersonal role – figurehead and leader for the members of the IT Department, liaison for other organisational members.
◦ Informational role – receiving and disseminating critical information about IT and the rest of the organisation to Department members, being experts in their field (IT).
◦ Decisional role – initiating activities, handling disturbances, allocating resources, and negotiating conflicts in the IT Department.
Examples of Failure in IT Management
IT is not being used effectively by organisations that use IT primarily to computerise traditional business processes, instead of using it for innovative e-business processes.
Examples of Failure in IT Management (2)
IT is not being used efficiently when information systems provide poor response times and frequent down times, or when application development projects are not managed properly.
Potential Failure in IT Management
Management involvement and governance…
An organisation’s Senior Management needs to be involved in critical business/IT decisions to optimise the business value and performance of the IT function. This requires the development of governance structures that encourage active participation in planning and controlling the business uses of IT.
Traditional IT Functions
Managing systems development and systems project management.
Managing computer operations, including the computer centre (if there is one).
Staffing, training and developing information systems skills.
Providing technical services to users.
Infrastructure planning, development and control.
New (Consultative) IT (IS) Functions
Initiating and designing specific strategic information systems.
Incorporating the Internet and e-commerce into the business.
Managing system integration including the Internet, intranets and extranets.
Educating the non-Information Systems managers about IT.
Educating the IT staff about the business.
New (Consultative) IT Functions (2)
Supporting end-user computing.
Partnering with the executives.
Managing outsourcing.
Proactively using business and technical knowledge to ‘seed’ innovative ideas about IT.
Creating business alliances with vendors and IT departments in other organisations.
Tasks in Managing the Information Systems Function
Managing information systems operations:
Operational activities requiring management include:
◦ Computer systems operations
◦ Network management
◦ Systems and services production control
◦ Systems and services production support
Tasks in Managing the IS Function (2)
Managing information systems operations (continued):
Managers must take part in system performance monitoring:
◦ Monitor the processing of computer jobs
◦ Help develop a planned schedule
◦ Produce detailed statistics for planning and control of computing capacity
◦ Help control chargeback systems
◦ Help with process control
Tasks in Managing the IS Function (3)
Human Resource Management of IT – Managers should:
◦ Recruit qualified personnel for the IT Department
◦ Develop, organise and direct the capabilities of existing personnel
◦ Train employees
◦ Design career paths and set salary and wage levels for IT Department members
Tasks in Managing the IS Function (4)
The CIO and other IT executives
The Chief Information Officer (CIO):
◦ Oversees all use of IT in many organisations.
◦ Brings the IT function into alignment with organisational goals and strategies.
◦ Concentrates on business/IT planning and strategy.
◦ Helps develop strategic uses of IT in e-business and e-commerce.
Tasks in Managing the IS Function (5)
Technology Management:
All IT must be managed as a technology platform for integrated e-business and e-commerce systems.
An organisation may assign a Chief Technology Officer (CTO) to be in charge of all IT planning and deployment.
Reviewing Managerial Roles
More Management Tasks
Managing user services:
Functions may be put in place to support and manage end-user and workgroup computing.
These services provide both opportunities and problems for departmental managers.
Help desks might be established to take opportunities for improvement in service.
A manager might establish and enforce policies to avoid problems.
Examples of Tasks for the IT Manager
Build on customised software or off-the-shelf products wherever possible.
Leave hardware infrastructure in the hands of a specialist group, such as engineers.
Promote training activities as an integral part of an IT development strategy.
Emphasise the importance of documentation.
Learn from past performance of systems and the experiences of other, similar organisations.
When an IT Manager Opts for Outsourcing
Outsourcing – as mentioned before:
◦ Outsourcing is often the best solution when commercial products and services can be adapted to IT requirements.
◦ Market competition brings innovation and reduces the costs of popular hardware and software.
◦ Specialised skills found among vendors are difficult to maintain ‘in-house’.
◦ Risks are usually shared with vendors.
When an IT Manager Opts for Outsourcing (2)
When opting for outsourcing a manager should:
◦ not jeopardise core functions or confidentiality of information
◦ maintain a healthy business relationship with the commercial vendors
◦ balance risk sharing versus reward sharing (penalties/incentives)
◦ develop the necessary management skills for outsourcing
(continued)
When an IT Manager Opts for Outsourcing (3)
◦ Look for continually new and different IT capabilities and products (facts or claims)
◦ Accept or reject lobbying by internal staff for a product
◦ Accept or reject pressure (from higher management) to reduce costs and improve delivery of products
More Tasks for the IT Manager
An IT Manager should:
◦ Involve top-level management in decision-making
◦ Employ effective risk analysis in guiding the direction of products and services
◦ Avoid untried leading-edge technologies (if possible, especially in high-risk scenarios)
◦ Opt for delineated (properly planned) tasks where possible
◦ Involve end-users in systems development
More Tasks for the IT Manager (2)
To formulate explicit and detailed IT plans a manager should:
◦ analyse return on investment
◦ identify risks and mitigation strategies
◦ ensure modular development – if possible – to avoid large-scale failures
◦ provide for oversight and review of developments at crucial steps along the way
More Tasks for the IT Manager (3)
When purchasing IT products a manager should:
◦ avoid new or immature technologies
◦ assess the results of others who have applied the product
◦ determine product compatibility with the existing IT architecture of the organisation
◦ assess any risks and the price/performance measurement of the product
End of Part 1 – ‘Management’
That covers Information Technology and Information Systems Management.
The second half of this lecture reviews Information Systems Security.
Security
Integrated security and privacy requirements are critical to IT management and to protecting an organisation’s information.
An organisation may be required by organisational policy or by compliance with the law to have an information security programme in place.
A security programme may be put in place to insure against identified problems or risks.
Security (2)
A security programme may be managed by named individuals in Management positions in any part of the organisation.
The context of this presentation is information security situated with the IT Department, through the proper implementation of information systems.
Security (3)
The goal of a security programme is to provide assurance that security exists to:
◦ Provide for timely and reliable availability of information and systems
◦ Preserve confidentiality of data
◦ Safeguard integrity of data
Those Involved with Security
Executives authorise plans, ensure security and privacy protections are integrated, and accept risks to information systems in the organisation.
Managers (information owners) develop requirements, assess information sensitivity and privacy needs, develop security plans and work with IT and security on monitoring and ‘remedial activities’. (More on remedials later.)
IT staff provide, document and monitor technical security controls and are considered the owners of the infrastructure of information systems.
Those Involved with Security (2)
Security staff manage the security programme, assess risks, consult on and review the security plan and privacy impact assessments (as documents), and manage the monitoring and compliance of reporting activities.
Auditors review security programmes and systems for compliance according to organisational policy or legal requirement.
Supervisors assure staff compliance with security and privacy training and awareness requirements.
A Security Programme Combines People, Processes and Technology
Security Controls
A security control is a specific action or procedure that is provided to protect the confidentiality, integrity and availability of information/systems.
Security controls are described by the International Organisation for Standardisation (refer to ISO 17799, a document describing IT security).
Security Controls (2)
Management Controls
Focus on the management of the computer security system and the management of risk for a system.
Operational Controls
Focus on mechanisms that are primarily implemented and executed by people (as opposed to systems).
Technical Controls
Focus on security controls that the computer system executes.
Management Controls
The management of the computer security system and the management of risk appear as policy in (documented) directives – so they are written down somewhere.
Operational Controls
Mechanisms implemented and executed by people are procedures that may follow from the Management Control policy documents.
The mechanisms need to be described – so they are written down somewhere.
Technical Controls
Security controls that the computer system executes might well be documented but, more importantly, can be coded into software.
Many software programs contain integrity (security) features or are specifically for security, providing diagnostics or providing solutions to security problems.
Security Types
To continue in an examination of the differences in the ‘controls’, let us take a look at three security types:
◦ Physical controls
◦ Administrative controls
◦ Computational controls
Physical Controls
Physical security
These controls ensure that hardware is secure. They check for equipment malfunction. They may include controls on access to hardware; an example might be the restriction of access to a computer room to operational personnel, or the taking of back-up copies of files in case of accidents. Hardware controls should take account of fire and environmental hazards.
Administrative Controls
Administrative disciplines, standards and procedures
These controls are formalised standards, rules, procedures and control disciplines to ensure that the organisation's other controls are properly executed and enforced. Examples of these controls are:
◦ segregation of functions
◦ written policies and procedures
◦ supervision
Administrative Controls (2)
Controls over the system implementation process
Implementation controls audit the system development process at various points in time to ensure that the project in hand is being properly controlled and managed. An example of such a control is a 'sign-off' at the end of each stage of the development process, where a developer offers a section of the project to a user or manager to sign off, thereby documenting their approval of the development stage offered.
Administrative Controls (3)
Computer operations controls
These controls apply to the work of the computer department and help to ensure that programmed procedures are consistently and correctly applied to the storage and retrieval of data. They include, for example, controls over set-up, operations software, computer operations, and backup and recovery procedures.
Computational Controls
Software controls
These controls monitor the use of system software and prevent unauthorised access to software programs. System software controls govern the software for the operating system. Program security controls are used to prevent unauthorised changes to programs on the system.
Computational Controls (2)
Internal system security
This might include validation and verification checks on input data, authorisation procedures for some types of input data, the provision of an audit trail of file changes and the use of control totals. In systems that need a very high level of security it may be necessary to include such things as encryption (the coding of data held on files), multi-level password systems including the use of magnetic keys, voice recognition access, and the monitoring of the identity and access time of each user on the system.
Computational Controls (3)
Data security controls
Data security controls ensure that data files on disk or tape are not subject to unauthorised access, change or destruction. These controls are needed both when the data is in use (active) and when it is being held in storage.
Computational Controls (4)
Application controls
Application controls are specific controls within each computer application. They include automated and manual procedures that ensure that only authorised data are processed by a particular application. Application controls have these objectives:
◦ Completeness of input
◦ Accuracy of input
◦ Validity of data
◦ Maintenance (where data on files continue to be correct and current)
Computational Controls (5)
Application controls are usually in one of three categories:
1. Input controls
2. Processing controls
3. Output controls
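The internal system security slide names validation checks, authorisation procedures, control totals and an audit trail of file changes, and the application controls slides give the objectives (completeness, accuracy, validity of input) and the three categories (input, processing, output). The following is an added worked example in Python, not code from the lecture or the Laudon textbook, showing how those controls look once coded into software as the Technical Controls slide describes. The payment record layout, field names, approver list, batch header and sample records are constructed for illustration.

```python
"""Application controls as code (added example; the record layout, approver
list and sample batch below are constructed, not taken from any real system)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation
import hashlib
import json

REQUIRED_FIELDS = ("id", "account", "amount", "approved_by")
AUTHORISED_APPROVERS = {"mgr.jones", "mgr.smith"}   # constructed authorisation list

# Constructed batch of payment records, as a clerk might key them in.
SAMPLE_BATCH = [
    {"id": "P001", "account": "ACC-1001", "amount": "150.00", "approved_by": "mgr.jones"},
    {"id": "P002", "account": "ACC-1002", "amount": "75.50", "approved_by": "mgr.jones"},
    {"id": "P003", "account": "", "amount": "20.00", "approved_by": "mgr.jones"},         # incomplete
    {"id": "P004", "account": "ACC-1004", "amount": "-5.00", "approved_by": "mgr.jones"},  # invalid value
    {"id": "P005", "account": "ACC-1005", "amount": "999.00", "approved_by": "temp.user"}, # unauthorised
]
# Batch header keyed separately: record count and hash total of amounts act as
# control totals proving the whole batch arrived exactly as keyed.
SAMPLE_HEADER = {"record_count": 5, "amount_total": "1239.50"}


@dataclass
class ControlResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)      # (record id, reason)
    audit_trail: list = field(default_factory=list)


def validate_record(rec):
    """Input controls: completeness, accuracy and validity checks.
    Returns None when the record passes, otherwise the reason for rejection."""
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:                                         # completeness of input
        return "incomplete: missing " + ",".join(missing)
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:                            # accuracy of input
        return "inaccurate: amount is not a number"
    if amount != amount.quantize(Decimal("0.01")):
        return "inaccurate: amount must have two decimal places"
    if amount <= 0:                                     # validity of data
        return "invalid: amount must be positive"
    if rec["approved_by"] not in AUTHORISED_APPROVERS:  # authorisation procedure
        return "invalid: approver not authorised"
    return None


def batch_control_totals(batch):
    """Control totals over the batch as keyed: record count and hash total."""
    total = Decimal("0")
    for rec in batch:
        try:
            total += Decimal(rec.get("amount") or "0")
        except InvalidOperation:
            pass                                        # counted, not summed
    return {"record_count": len(batch), "amount_total": str(total)}


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def audit_entry(trail, event, **details):
    """Audit trail of file changes: append-only entries, each chained to the
    previous one by hash so later alteration is detectable on replay."""
    prev = trail[-1]["entry_hash"] if trail else "0" * 64
    body = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
            "details": details, "prev_hash": prev}
    trail.append({**body, "entry_hash": _digest(body)})


def verify_audit_trail(trail):
    """Output control: replay the chain and confirm no entry was altered."""
    prev = "0" * 64
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def process_batch(batch, header):
    """Run input, processing and output controls over one batch."""
    result = ControlResult()
    totals = batch_control_totals(batch)
    if totals != header:                                # batch-level completeness
        audit_entry(result.audit_trail, "batch_rejected", expected=header, actual=totals)
        return result
    audit_entry(result.audit_trail, "batch_accepted", **totals)
    for rec in batch:
        reason = validate_record(rec)
        if reason:
            result.rejected.append((rec.get("id"), reason))
            audit_entry(result.audit_trail, "record_rejected", id=rec.get("id"), reason=reason)
        else:
            result.accepted.append(rec)
            audit_entry(result.audit_trail, "record_posted", id=rec["id"],
                        account=rec["account"], amount=rec["amount"])
    # Processing control: totals of what was actually posted, carried forward
    # so the next stage can reconcile against them (run-to-run totals).
    posted_total = sum((Decimal(r["amount"]) for r in result.accepted), Decimal("0"))
    audit_entry(result.audit_trail, "batch_complete", posted_count=len(result.accepted),
                posted_total=str(posted_total), rejected_count=len(result.rejected))
    return result


if __name__ == "__main__":
    res = process_batch(SAMPLE_BATCH, SAMPLE_HEADER)
    print(f"posted {len(res.accepted)}, rejected {res.rejected}")
    print("audit trail intact:", verify_audit_trail(res.audit_trail))
```

Run as a script, the batch header reconciles (all five records arrived as keyed, so the batch is complete), two records are posted and three are rejected with a reason each, and the trail verifies; editing any earlier entry makes verify_audit_trail return False. The separation of the batch control total from per-record validation is deliberate: a record failing validity is a data problem for the owner to correct, whereas a control-total mismatch means records were lost or altered in transit and the whole batch is held.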
Audits
Auditing information systems
An information system audit identifies all of the controls that govern individual information systems and assesses their effectiveness.
Audits (2)
For this the auditor must make value judgements about
◦ operations,
◦ physical facilities,
◦ telecommunications,
◦ control systems,
◦ data security objectives,
◦ organisational structure,
◦ personnel,
◦ manual procedures and individual applications.
Audits (3)
The audit is a matter of collecting and analysing the details on an information system, including
◦ user and system documentation,
◦ sample inputs,
◦ sample outputs,
◦ documentation on integrity controls (to compare the details) and
◦ anything else that might be lying around that might give an indication of how the system is being used.
Audits (4)
Application controls, integrity controls and control disciplines are examined.
It may be necessary to run test data through the system to test the systems and applications software and any disciplines surrounding them.
Managing Security
Security needs to be managed.
In the case of information security, where the information system is the centre point for security, it falls (very often) to the IT Manager to manage security of this sort.
The next two slides list the issues and considerations of security management.
Issues and Considerations of Security Management
Access control
Awareness and training
Audit and accountability
Certification, accreditation, and security assessments
Configuration management
Contingency planning
Identification and authentication
Incident response
Issues and Considerations of Security Management (2)
Maintenance
Media protection
Physical and environmental protection
Planning
Personnel security
Risk assessment
System and services acquisition
System and communications protection
System and information integrity
Security During the Life Cycle
Successful information security programmes address risk throughout the Systems Development Life Cycle, often at these stages of the Life Cycle:
◦ Initiation
◦ Acquisition/Development
◦ Implementation
◦ Operations/Maintenance
◦ Disposal
Security During the Life Cycle (2)
Security is less expensive if it is planned and implemented from the start; it is more costly to add security features to a system after it has been designed.
If not addressed in the initial phases, security controls added at the last minute can diminish performance and delay implementation.
Risks
Risk management is the total process of identifying, controlling, and minimising the impact of uncertain events against an information resource.
The risk management process can be broken down into three main areas:
◦ Risk assessment
◦ Risk mitigation
◦ On-going evaluation
It is impossible to eliminate risk; the goal of risk management is to minimise residual risk.
Flaws in a system (vulnerabilities) can be exploited and result in a breach or violation of the system’s security policy.
Risks (2)
Examples of types of vulnerabilities include:
◦ Poorly communicated or implemented policy
◦ Poorly trained personnel
◦ Misconfigured systems or controls
◦ Poorly designed and implemented commercial off-the-shelf (COTS) or custom components
◦ Lack of access controls
◦ Lack of physical controls
◦ Lack of visitor policy
Consequences
The consequences of ignoring risk – or having inadequate security – may include:
◦ Loss of data
◦ Disclosure of sensitive information
◦ Disruption or denial of service
◦ Loss of competitive edge
◦ Monetary loss
◦ Damage to reputation or public trust
◦ Lawsuits
◦ Death (in extreme cases)
Management Responsibilities for Risk
Document the criticality and sensitivity of the information in the risk assessment
Define and document the appropriate controls needed to mitigate the risk
Use the appropriate security requirements
Develop Plans of Action and Milestones (POA&M) to mitigate risks
Monitor and reassess risks, security and related policy regularly
Steps for Managers to Take
Step 1: Develop policy statement
Step 2: Conduct Business Impact Assessment (BIA)
Step 3: Identify preventive controls
Step 4: Develop recovery strategies
Step 5: Develop IT contingency plans
Step 6: Conduct plan testing, training and exercises for staff
Step 7: Maintain the plan
What Next?
That’s it for Managing Information Systems operation and Information Systems security.
Next time: IT Regulation and Compliance, along with Interacting with Computers.
(Reminder – TODAY – Tuesday 12th is the deadline for the coursework essay hand-in and sign-in)