Page 1: Course - DT249/1 Subject - Information Systems in Organisations MANAGING INFORMATION SYSTEMS OPERATION INFORMATION SYSTEMS SECURITY Semester 1, Week 9

Course - DT249/1
Subject - Information Systems in Organisations
MANAGING INFORMATION SYSTEMS OPERATION
INFORMATION SYSTEMS SECURITY
Semester 1, Week 9

Page 2: Textbooks?

The Laudon and Laudon book, ‘Management Information Systems’ (Seventh Edition):
Management: Chapters 5 (5.4), 6 (6.5), 9 (9.5)
Security: all of Chapter 14.

Page 3: Background to Managing Information Systems

Managing information systems is a complex subject. The information systems themselves have changed over the years and have evolved to include:
◦ Hardware of varying specifications
◦ Software of different types
◦ Networking (with related hardware and software)
◦ The Internet and intranets

Page 4: Background to Managing Information Systems (2)

Traditionally, Information Systems have been managed by an IS or IT (Information Systems or Information Technology) Department in an ‘average’ business organisation.

That model still exists, but issues of ‘end-user computing’ and ‘ownership’ have altered that traditional image.

Page 5: Who Manages Information Technology?

The person or people who take responsibility for the management of information systems vary – depending on the size and nature of the organisation.

This lecture opts to exemplify an Information Technology Department with one main manager.

Page 6: The Role of the IT Department

The IT Department is responsible for organisation-level and shared resources and for using IT to solve end users’ application problems. (Mentioned before, yes.)

End users are responsible for their own computing resources and departmental resources.

The IT Department and end users often work together as partners to manage the IT resources.

Page 7: The Role of the IT Department (2)

The IT Department has changed from a purely technical support role to a more managerial and strategic one.

In many modern cases, the IT Manager’s role has changed from a technical manager to a senior executive called the Chief Information Officer (CIO).

Page 8: Project Manager or IT Manager?

Is the Project Manager, as mentioned in the last lecture, the same as an IT Manager?

Properly and strictly speaking, no.

What is the difference, then?

A Project Manager manages a technical project – at a project level.

An Information Technology Manager manages all aspects of IT – at a departmental level.

Page 9: Project Manager or IT Manager? (2)

What is common to both Project Manager and IT Manager is that they control hardware, software, network (probably) and personnel assets for their ‘area’.

A project manager may manage low-level, technical hardware, software and people for project development, while an IT Manager manages ‘broad-ranging’ hardware, software and people for keeping the affected departments running smoothly with their systems in place.

Page 10: What IT Management Involves

Information Technology management can be generalised as the support of a core function: producing and distributing ‘Information Technology solutions’ to users throughout the organisation, while ensuring solutions are cost effective and avoiding Information Technology problems.

Page 11: What IT Management Involves (2)

A general view of Information Technology management is the management of information systems in terms of ‘assets’ – or ‘resources’ – but there are many issues and concerns surrounding this overview.

There are decisions to be made and risks to take.

Many ‘general’ features of Middle Management belong to IT management.

Page 12: Managerial Roles

Henry Mintzberg cites three managerial roles:
◦ Interpersonal roles; where managers act as figureheads and leaders for the organisation.
◦ Informational roles; where managers act as the nerve centres of their organisations, receiving and disseminating critical information.
◦ Decisional roles; where managers initiate activities, handle disturbances, allocate resources, and negotiate conflicts.

Page 13: Managerial Roles (2)

IT Managers:
◦ Interpersonal role – figurehead and leader for the members of the IT Department, liaison for other organisational members.
◦ Informational role – receiving and disseminating critical information about IT and the rest of the organisation to Department members, being experts in their field (IT).
◦ Decisional role – initiating activities, handling disturbances, allocating resources, and negotiating conflicts in the IT Department.

Page 14: Examples of Failure in IT Management

IT is not being used effectively by organisations that use IT primarily to computerise traditional business processes, instead of using it for innovative e-business processes.

Page 15: Examples of Failure in IT Management (2)

IT is not being used efficiently when information systems provide poor response times and frequent down times, or when application development projects are not managed properly.

Page 16: Potential Failure in IT Management

Management involvement and governance…

An organisation’s Senior Management needs to be involved in critical business/IT decisions to optimise the business value and performance of the IT function. This requires development of governance structures that encourage active participation in planning and controlling the business uses of IT.

Page 17: Traditional IT Functions

Managing systems development and systems project management.

Managing computer operations, including the computer centre (if there is one).

Staffing, training and developing information systems skills.

Providing technical services to users.

Infrastructure planning, development and control.

Page 18: New (Consultative) IT (IS) Functions

Initiating and designing specific strategic information systems.

Incorporating the Internet and e-commerce into the business.

Managing system integration including the Internet, intranets and extranets.

Educating the non-Information Systems managers about IT.

Educating the IT staff about the business.

Page 19: New (Consultative) IT Functions (2)

Supporting end-user computing.

Partnering with the executives.

Managing outsourcing.

Proactively using business and technical knowledge to ‘seed’ innovative ideas about IT.

Creating business alliances with vendors and IT departments in other organisations.

Page 20: Tasks in Managing the Information Systems Function

Managing information systems operations: operational activities requiring management include:
◦ Computer systems operations
◦ Network management
◦ Systems and services production control
◦ Systems and services production support

Page 21: Tasks in Managing the IS Function (2)

Managing information systems operations (continued): managers must take part in system performance monitoring:
◦ Monitor the processing of computer jobs
◦ Help develop a planned schedule
◦ Produce detailed statistics for planning and control of computing capacity
◦ Help control chargeback systems
◦ Help with process control

Page 22: Tasks in Managing the IS Function (3)

Human Resource Management of IT – Managers should:
◦ Recruit qualified personnel for the IT Department
◦ Develop, organise and direct the capabilities of existing personnel
◦ Train employees
◦ Design career paths and set salary and wage levels for IT Department members

Page 23: Tasks in Managing the IS Function (4)

The CIO and other IT executives

The Chief Information Officer (CIO):
◦ Oversees all use of IT in many organisations.
◦ Brings the IT function into alignment with organisational goals and strategies.
◦ Concentrates on business/IT planning and strategy.
◦ Helps develop strategic uses of IT in e-business and e-commerce.

Page 24: Tasks in Managing the IS Function (5)

Technology Management:

All IT must be managed as a technology platform for integrated e-business and e-commerce systems.

An organisation may assign a Chief Technology Officer (CTO) to be in charge of all IT planning and deployment.

Page 25: Reviewing Managerial Roles

Page 26: More Management Tasks

Managing user services:

Functions may be put in place to support and manage end-user and workgroup computing.

These services provide both opportunities and problems for departmental managers.

Help desks might be established to take opportunities for improvement in service.

A manager might establish and enforce policies to avoid problems.

Page 27: Examples of Tasks For IT Manager

Build on customised software or off-the-shelf products wherever possible.

Leave hardware infrastructure in the hands of a specialist group – such as engineers.

Promote training activities as an integral part of an IT development strategy.

Emphasise the importance of documentation.

Learn from past performance of systems and the experiences of other, similar organisations.

Page 28: When an IT Manager Opts for Outsourcing

Outsourcing – as mentioned before:
◦ Outsourcing is often the best solution when commercial products and services can be adapted to IT requirements.
◦ Market competition brings innovation and reduces the costs of popular hardware and software.
◦ Specialised skills found among vendors are difficult to maintain ‘in-house’.
◦ Risks are usually shared with vendors.

Page 29: When an IT Manager Opts for Outsourcing (2)

When opting for Outsourcing a manager should:
◦ not jeopardise core functions or confidentiality of information
◦ maintain a healthy business relationship with the commercial vendors
◦ balance risk sharing versus rewards sharing (penalties/incentives)
◦ develop the necessary management skills for outsourcing

…/ continued

Page 30: When an IT Manager Opts for Outsourcing (3)

◦ Look for continually new and different IT capabilities and products (facts or claims)
◦ Accept or reject lobbying by internal staff for a product
◦ Accept or reject pressure (from higher management) to reduce costs and improve delivery of products

Page 31: More Tasks For the IT Manager

An IT Manager should:
◦ Involve top-level management in decision-making
◦ Employ effective risk analysis in guiding the direction of products and services
◦ Avoid untried leading-edge technologies (if possible, especially in high-risk scenarios)
◦ Opt for delineated (properly planned) tasks where possible
◦ Involve end-users in systems development

Page 32: More Tasks For the IT Manager (2)

To formulate explicit and detailed IT plans a manager should:
◦ analyse return on investment
◦ identify risks and mitigation strategies
◦ ensure modular development – if possible – to avoid large-scale failures
◦ provide for oversight and review of developments at crucial steps along the way

Page 33: More Tasks For the IT Manager (3)

When purchasing IT products a manager should:
◦ avoid new or immature technologies
◦ assess the results of others who have applied the product
◦ determine product compatibility with the existing IT architecture of the organisation
◦ assess any risks and the price/performance measurement of the product

Page 34: End of Part 1 – ‘Management’

That covers Information Technology and Information Systems Management.

The second half of this lecture reviews Information Systems Security.

Page 35: Security

Integrated security and privacy requirements are critical to IT management and protecting an organisation’s information.

An organisation may be required by organisational policy or compliance to the law to have an information security programme in place.

A security programme may be put in place to insure against identified problems or risks.

Page 36: Security (2)

A security programme may be managed by named individuals in Management positions in any part of the organisation.

The context of this presentation is information security sited with the IT Department, through the proper implementation of information systems.

Page 37: Security (3)

The goal of a security programme is to provide assurance that there exists security to:
◦ Provide for timely and reliable availability of information and systems
◦ Preserve confidentiality of data
◦ Safeguard integrity of data

Page 38: Those Involved with Security

Executives authorise plans, ensure security and privacy protections are integrated, and accept risks to information systems in the organisation.

Managers (information owners) develop requirements, assess information sensitivity and privacy needs, develop security plans and work with IT and security on monitoring and ‘remedial activities’. (More on remedials later.)

IT staff provide, document and monitor technical security controls and are considered the owners of the infrastructure of information systems.

Page 39: Those Involved with Security (2)

Security staff manage the security programme, assess risks, consult and review the security plan and privacy impact assessments (as documents) and manage the monitoring and compliance of reporting activities.

Auditors review security programmes and systems for compliance according to organisational policy or legal requirement.

Supervisors assure staff compliance with security and privacy training and awareness requirements.

Page 40: A Security Programme Combines People, Processes and Technology

Page 41: Security Controls

A security control is a specific action or procedure that is provided to protect confidentiality, integrity and availability of information/systems.

Security controls are described by the International Organisation for Standardisation (refer to ISO 17799, a document describing IT security).

Page 42: Security Controls (2)

Management Controls
Focus on the management of the computer security system and the management of risk for a system.

Operational Controls
Focus on mechanisms that primarily are implemented and executed by people (as opposed to systems).

Technical Controls
Focus on security controls that the computer system executes.

Page 43: Management Controls

The management of the computer security system and management of risk appears as policy in directives (documented) – so they are written down somewhere.

Page 44: Operational Controls

Mechanisms implemented and executed by people are procedures that may follow from the Management Control policy documents.

The mechanisms need to be described – so are written down somewhere.

Page 45: Technical Controls

Security controls that the computer system executes might well be documented but, more importantly, can be coded into software.

Many software programs contain integrity (security) features or are specifically for security – providing diagnostics or providing solutions to security problems.

Page 46: Security Types

To continue in an examination of the differences in the ‘controls’ let us take a look at three security types:
◦ Physical controls
◦ Administrative controls
◦ Computational controls

Page 47: Physical Controls

Physical security

These controls ensure that hardware is secure. They check for equipment malfunction. They may include controls over access to hardware; an example might be the restriction of access to a computer room to operational personnel, or the taking of back-up copies of files in case of accidents. Hardware controls should take account of fire and environmental hazards.

Page 48: Administrative Controls

Administrative disciplines, standards and procedures

These controls are formalised standards, rules, procedures and control disciplines to ensure that the organisation's other controls are properly executed and enforced. Examples of these controls are:
◦ segregation of functions
◦ written policies and procedures
◦ supervision

Page 49: Administrative Controls (2)

Controls over the system implementation process

Implementation controls audit the system development process at various points in time to ensure that the project in hand is being properly controlled and managed. An example of such a control is a 'sign-off' at the end of each stage of the development process, where a developer offers a section of the project to a user or manager to sign off, thereby documenting their approval of the development stage offered.

Page 50: Administrative Controls (3)

Computer operations controls

These controls apply to the work of the computer department and help to ensure that programmed procedures are consistently and correctly applied to the storage and retrieval of data. They include, for example, controls over set-up, operations software, computer operations and backup and recovery procedures.

Page 51: Computational Controls

Software controls

These controls monitor the use of system software and prevent unauthorised access to software programs. System software controls govern the software for the operating system. Program security controls are used to prevent unauthorised changes to programs on the system.

Page 52: Computational Controls (2)

Internal system security

This might include validation and verification checks on input data, authorisation procedures for some types of input data, the provision of an audit trail of file changes and the use of control totals. In systems that need a very high level of security it may be necessary to include such things as encryption (the coding of data held on files), multi-level password systems including the use of magnetic keys, voice recognition access, and the monitoring of the identity and access time of each user on the system.

Page 53: Computational Controls (3)

Data security controls

Data security controls ensure that data files on disk or tape are not subject to unauthorised access, change or destruction. These controls are needed both when the data is in use (active) and when it is being held in storage.

Page 54: Computational Controls (4)

Application controls

Application controls are specific controls within each computer application. They include automated and manual procedures that ensure that only authorised data are processed by a particular application. Application controls have these objectives:
◦ Completeness of input
◦ Accuracy of input
◦ Validity of data
◦ Maintenance (where data on files continue to be correct and current).

Page 55: Computational Controls (5)

Application controls are usually in one of three categories:
1. Input controls
2. Processing controls
3. Output controls
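The internal system security measures of Page 52 (validation checks, control totals, an audit trail) and the application-control objectives and categories of Pages 54 and 55, as an added worked example that is not part of the lecture or of the Laudon and Laudon textbook: a small Python batch processor over constructed payment records. The batch format, the account master file (VALID_ACCOUNTS) and the function names are assumptions made for this illustration. Input controls check each record for completeness, accuracy and validity; processing controls re-derive the record count, amount total and hash total that the sender declared in the batch header and reject the whole batch if they disagree; the output control reconciles what was actually posted against the declared total; and every decision is written to an audit trail.

```python
"""Application controls over a constructed batch of payment records."""
from datetime import datetime
from decimal import Decimal, InvalidOperation
import re

# Constructed account master file: the reference the validity check compares
# the account field against (an assumption for this example).
VALID_ACCOUNTS = {"1001", "1002", "1003", "1004"}

# Constructed batch format (an assumption): a header line carrying the sender's
# control totals, then pipe-separated records laid out as id|account|amount|date.
GOOD_BATCH = """\
H|count=3|amount_total=1250.00|hash_total=3006
P|0001|1001|500.00|2024-03-01
P|0002|1002|250.00|2024-03-01
P|0003|1003|500.00|2024-03-02
"""

# Constructed faulty batch: record 0002's amount was changed after the sender
# computed the totals, 0003 carries an impossible date, and 0004 has no amount
# and names an account that is not on the master file.
BAD_BATCH = """\
H|count=4|amount_total=1250.00|hash_total=5005
P|0001|1001|500.00|2024-03-01
P|0002|1002|2500.00|2024-03-01
P|0003|1003|500.00|2024-13-01
P|0004|1999||2024-03-02
"""


def parse_batch(text):
    """Split the batch text into a header dict and a list of record dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("H|"):
        raise ValueError("batch has no header line")
    header = dict(part.split("=", 1) for part in lines[0].split("|")[1:])
    records = []
    for ln in lines[1:]:
        parts = ln.split("|")
        if parts[0] != "P" or len(parts) != 5:
            raise ValueError(f"malformed record line: {ln!r}")
        records.append(dict(zip(("id", "account", "amount", "date"), parts[1:])))
    return header, records


def check_record(rec):
    """Input controls on one record: completeness, accuracy and validity."""
    errors = []
    for name, value in rec.items():  # completeness: no empty fields
        if value == "":
            errors.append(f"completeness: {name} missing")
    if rec["account"] and not re.fullmatch(r"\d{4}", rec["account"]):
        errors.append("accuracy: account must be 4 digits")
    if rec["amount"]:  # accuracy: a well-formed, positive money value
        try:
            amount = Decimal(rec["amount"])
            if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
                errors.append("accuracy: amount must be positive with 2 decimals")
        except InvalidOperation:
            errors.append("accuracy: amount is not a number")
    if rec["date"]:  # validity: a real calendar date
        try:
            datetime.strptime(rec["date"], "%Y-%m-%d")
        except ValueError:
            errors.append("validity: date is not a real calendar date")
    if rec["account"] and rec["account"] not in VALID_ACCOUNTS:  # validity: master file
        errors.append("validity: account not on master file")
    return errors


def check_control_totals(header, records):
    """Processing controls: re-derive the batch totals and compare them with the
    totals the sender declared; a mismatch means records were lost, duplicated
    or altered between the sender and this application."""
    amounts = []
    for r in records:
        try:
            amounts.append(Decimal(r["amount"]))
        except InvalidOperation:
            pass  # a missing or garbled amount is reported by check_record
    derived = {
        "count": str(len(records)),
        "amount_total": str(sum(amounts, Decimal("0"))),
        "hash_total": str(sum(int(r["account"]) for r in records if r["account"].isdigit())),
    }
    return [f"{key} {value} != declared {header[key]}"
            for key, value in derived.items() if Decimal(value) != Decimal(header[key])]


def process_batch(text):
    """Run input, processing and output controls over one batch; return what was
    posted together with an audit trail (record id, action, reason) of every decision."""
    header, records = parse_batch(text)
    audit = []
    batch_errors = check_control_totals(header, records)
    audit.extend(("BATCH", "reject", e) for e in batch_errors)
    record_errors = {r["id"]: check_record(r) for r in records}
    for rid, errs in record_errors.items():
        audit.extend((rid, "reject", e) for e in errs)
    posted = []
    if not batch_errors and not any(record_errors.values()):  # all-or-nothing posting
        posted = list(records)
        audit.extend((r["id"], "post", f"{r['amount']} to account {r['account']}") for r in posted)
    # Output control: what actually posted must reconcile with the declared total.
    posted_total = sum((Decimal(r["amount"]) for r in posted), Decimal("0"))
    accepted = bool(posted) and posted_total == Decimal(header["amount_total"])
    audit.append(("BATCH", "accept" if accepted else "reject",
                  f"posted {posted_total} of declared {header['amount_total']}"))
    return {"accepted": accepted, "posted": posted, "audit": audit}


if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        result = process_batch(batch)
        print(f"{name}: accepted={result['accepted']}")
        for entry in result["audit"]:
            print("  ", *entry)
```

Running the block posts the good batch and rejects the bad one; the audit trail for the bad batch shows the altered amount surfacing as an amount-total mismatch at batch level, while the bad date, the missing amount and the unknown account are reported against their individual records. The hash total (a sum of account numbers that has no business meaning) is the classic control total for detecting a lost or substituted record that the count alone would miss.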

Page 56: Audits

Auditing information systems

An information system audit identifies all of the controls that govern individual information systems and assesses their effectiveness.

Page 57: Audits (2)

For this the auditor must make value judgements about
◦ operations,
◦ physical facilities,
◦ telecommunications,
◦ control systems,
◦ data security objectives,
◦ organisational structure,
◦ personnel,
◦ manual procedures and individual applications.

Page 58: Audits (3)

The audit is a matter of collecting and analysing the details on an information system including
◦ user and system documentation,
◦ sample inputs,
◦ sample outputs,
◦ documentation on integrity controls (to compare the details) and
◦ anything else that might be lying around that might give an indication of how the system is being used.

Page 59: Audits (4)

Application controls, integrity controls and control disciplines are examined.

It may be necessary to run test data through the system to test systems and applications software and any disciplines surrounding them.

Page 60: Managing Security

Security needs to be managed.

In the case of information security where the information system is the centre point for security, it falls (very often) to the IT Manager to manage security of this sort.

The next two slides list the issues and considerations of security management.

Page 61: Issues and Considerations of Security Management

◦ Access control
◦ Awareness and training
◦ Audit and accountability
◦ Certification, accreditation, and security assessments
◦ Configuration management
◦ Contingency planning
◦ Identification and authentication
◦ Incident response

Page 62: Issues and Considerations of Security Management (2)

◦ Maintenance
◦ Media protection
◦ Physical and environmental protection
◦ Planning
◦ Personnel security
◦ Risk assessment
◦ System and services acquisition
◦ System and communications protection
◦ System and information integrity

Page 63: Security During the Life Cycle

Successful information security programs address risk throughout the Systems Development Life Cycle, often at these stages of the Life Cycle:
◦ Initiation
◦ Acquisition/Development
◦ Implementation
◦ Operations/Maintenance
◦ Disposal

Page 64: Security During the Life Cycle (2)

Security is less expensive if it is planned and implemented from the start; it is more costly to add security features to a system after it has been designed.

If not addressed in the initial phases, security controls added at the last minute can diminish performance and delay implementation.

Page 65: Risks

Risk management is the total process of identifying, controlling, and minimising the impact of uncertain events against an information resource.

The risk management process can be broken down into three main areas:
◦ Risk assessment
◦ Risk mitigation
◦ On-going evaluation

It is impossible to eliminate risk; the goal of risk management is to minimise residual risk.

Flaws in a system (vulnerabilities) can be exploited and result in a breach or violation of the system’s security policy.

Page 66: Risks (2)

Examples of types of vulnerabilities include:
◦ Poorly communicated or implemented policy
◦ Poorly trained personnel
◦ Misconfigured systems or controls
◦ Poorly designed and implemented commercial off-the-shelf (COTS) or custom components
◦ Lack of access controls
◦ Lack of physical controls
◦ Lack of visitor policy

Page 67: Consequences

Ignoring risk – or having inadequate security – may result in:
◦ Loss of data
◦ Disclosure of sensitive information
◦ Disruption or denial of service
◦ Loss of competitive edge
◦ Monetary loss
◦ Damage to reputation or public trust
◦ Lawsuits
◦ Death (in extreme cases)

Page 68: Management Responsibilities for Risk

Document the criticality and sensitivity of the information in the risk assessment.

Define and document the appropriate controls needed to mitigate the risk.

Use the appropriate security requirements.

Develop Plans of Action and Milestones (POA & M) to mitigate risks.

Monitor and reassess risks, security and related policy regularly.

Page 69: Steps for Managers to Take

Step 1: Develop policy statement
Step 2: Conduct Business Impact Assessment (BIA)
Step 3: Identify preventive controls
Step 4: Develop recovery strategies
Step 5: Develop IT contingency plans
Step 6: Conduct plan testing, training and exercises for staff
Step 7: Maintain the plan

Page 70: What Next?

That’s it for Managing Information Systems operation and Information Systems security.

Next time: IT Regulation and Compliance, along with Interacting with Computers.

(Reminder – TODAY – Tuesday 12th is the deadline for the coursework essay hand-in and sign-in)