Q1: What Is the Goal of Information Systems Security?
A threat is a person or organization that seeks to obtain or alter data or other IS assets illegally, without the owner's permission and often without the owner's knowledge. A vulnerability is an opportunity for threats to gain access to individual or organizational assets. A safeguard is some measure that individuals or organizations take to block the threat from obtaining the asset. Finally, the target is the asset that's desired by the threat. Sources of threats are human error, computer crime, and natural events and disasters. Types of security loss are unauthorized data disclosure, incorrect data modification, faulty service, denial of service, and loss of infrastructure.
Q2: How Big Is the Computer Security Problem?
The full extent of the financial and data losses due to computer security threats is unknown. The losses due to human error are enormous but few organizations compute these losses and even fewer publish them. Losses due to natural disasters are also enormous and impossible to compute. Furthermore, no one knows the cost of computer crime. Second, all studies on the cost of computer crime are based on surveys. Different respondents interpret terms differently, some organizations don't report all their losses, and some won't report computer crime losses at all.
Q3: How Should You Respond to Security Threats?
An intrusion detection system (IDS) is a computer program that senses when another computer is attempting to scan the disk or otherwise access a computer. Don't use any word as part of your password. Use passwords with a mixture of upper and lower case letters and numbers and special characters. Such nonword passwords are still vulnerable to brute force attack in which the password cracker tries every possible combination of characters. Use different passwords for different sites, never send passwords, credit card data, or any other valuable data in email or IM, buy only from reputable vendors, and remove high-value assets from your computers. Cookies are small files that your browser stores on your computer when you visit Web sites.
Q4: How Should Organizations Respond to Security Threats?
Senior management needs to address two critical security functions: security policy and risk management. Senior management must establish a company wide security policy that states the organization's posture regarding data that it gathers about its customers, suppliers, partners, and employees. Senior management must also proactively balance the trade-off between risk and cost.
Q5: How Can Technical Safeguards Protect Against Security Threats?
Technical safeguards involve the hardware and software components of an information system. Every information system today should require users to sign on with a user name and password. The user name identifies the user (the process of identification), and the password authenticates that user (the process of authentication). Passwords have important weaknesses. Because of these problems, some organizations choose to use smart cards and biometric authentication in addition to passwords.
Q6: How Can Data Safeguards Protect Against Security Threats?
Data safeguards protect databases and other organizational data. Data administration refers to an organization-wide function that is in charge of developing data policies and enforcing data standards. Database administration refers to a function that pertains to a particular database. ERP, CRM, and MRP databases each have a database administration function. Data administration should define data policies. Then data administration and database administrations work together to specify user data rights and responsibilities. Third, those rights should be enforced by user accounts that are authenticated at least by passwords.
Q7: How Can Human Safeguards Protect Against Security Threats?
Human safeguards involve the people and procedure components of information systems. In general, human safeguards result when authorized users follow appropriate procedures for system use and recovery. Security considerations for employees are positive definitions, hiring and screening, dissemination and enforcement, and termination. The administration of user accounts, passwords, and help-desk policies and procedures are account management, password management, and help-desk policies.
Q8: How Should Organizations Respond to Security Incidents?
Every organization should have an incident-response plan as part of the security programs. No organization should wait until some asset has been lost or compromised before deciding what to do. The plan should include how employees are to respond to security problems, whom they should further contact, the reports they should make, and steps they can take to reduce further loss. The plan should provide centralized reporting of all security incidents. Such reporting will enable an organization to determine if it is under systematic attack or whether an incident is isolated.
Monday, August 3, 2015
Chapter 11 Summary
Q1: What Are the Functions and Organization of the IS Department?
The major functions of the information systems department are plan the use of IS to accomplish organizational goals and strategy, manage outsourcing relationships, protect information assets, develop, operate, and maintain the organization's computing infrastructure, and develop, operate, and maintain applications. The title of the principal manager of the IS department is chief operating officer, or CIO. Most IS departments include a technology office that investigates new information systems technologies and determines how the organization can benefit from them. An individual called the chief technology officer, or CTO often heads the technology group.
Q2: How Do Organizations Plan the Use of IS?
The purpose of an information system is to help the organization accomplish its goals and objectives. In order to do so, all information systems must be aligned with the organization's competitive strategy. Adapting IS to new versions of business processes is neither easy nor quick. The CIO is the representative for IS and IT issues within the executive staff. The CIO must also ensure that priorities consistent with the overall organizational strategy are developed and then communicated to the IS department and at the same time, must also ensure that the department evaluates proposals and projects for using new technology in light of those communicated priorities. A steering committee, a group of senior managers from the major business functions that works with the CIO to set the IS priorities and decide among major IS projects and alternatives, serves as important communication function between IS and the users.
Q3: What Are the Advantages and Disadvantages of Outsourcing?
Outsourcing is the process of hiring another organization to perform a service. Outsourcing is done to save cost, to gain expertise, and to free management time. Outsourcing can be an easy way to gain expertise, it can reduce costs, and reduce risks. Outsourcing, however, can cause loss of control, the benefits are outweighed by long-term costs, and there's no easy exit.
Q4: What Are Your User Rights and Responsibilities?
People have the right to have the computing resources they need to perform their work as proficiently as they want, they have the right to the computer hardware and programs that they need, and they have the right to reliable network and Internet services. People also have the right to a secure computing environment, the right to participate in requirements meetings for new applications that they will use and for major changes to applications they currently use. People have the right to reliable systems development and maintenance and the right to receive prompt attention to their problems and concerns. Finally, people have the right to effective training. People have responsibilities to learn basic computer skills and to learn the techniques and procedures for the applications they use. They have the responsibility to follow security and backup procedures, to use computer resources in a manner that's consistent with their employer's policy, and to make no unauthorized hardware modifications to their computer and to install only authorized programs.
The major functions of the information systems department are plan the use of IS to accomplish organizational goals and strategy, manage outsourcing relationships, protect information assets, develop, operate, and maintain the organization's computing infrastructure, and develop, operate, and maintain applications. The title of the principal manager of the IS department is chief operating officer, or CIO. Most IS departments include a technology office that investigates new information systems technologies and determines how the organization can benefit from them. An individual called the chief technology officer, or CTO often heads the technology group.
Q2: How Do Organizations Plan the Use of IS?
The purpose of an information system is to help the organization accomplish its goals and objectives. In order to do so, all information systems must be aligned with the organization's competitive strategy. Adapting IS to new versions of business processes is neither easy nor quick. The CIO is the representative for IS and IT issues within the executive staff. The CIO must also ensure that priorities consistent with the overall organizational strategy are developed and then communicated to the IS department and at the same time, must also ensure that the department evaluates proposals and projects for using new technology in light of those communicated priorities. A steering committee, a group of senior managers from the major business functions that works with the CIO to set the IS priorities and decide among major IS projects and alternatives, serves as important communication function between IS and the users.
Q3: What Are the Advantages and Disadvantages of Outsourcing?
Outsourcing is the process of hiring another organization to perform a service. Outsourcing is done to save cost, to gain expertise, and to free management time. Outsourcing can be an easy way to gain expertise, it can reduce costs, and reduce risks. Outsourcing, however, can cause loss of control, the benefits are outweighed by long-term costs, and there's no easy exit.
Q4: What Are Your User Rights and Responsibilities?
People have the right to have the computing resources they need to perform their work as proficiently as they want, they have the right to the computer hardware and programs that they need, and they have the right to reliable network and Internet services. People also have the right to a secure computing environment, the right to participate in requirements meetings for new applications that they will use and for major changes to applications they currently use. People have the right to reliable systems development and maintenance and the right to receive prompt attention to their problems and concerns. Finally, people have the right to effective training. People have responsibilities to learn basic computer skills and to learn the techniques and procedures for the applications they use. They have the responsibility to follow security and backup procedures, to use computer resources in a manner that's consistent with their employer's policy, and to make no unauthorized hardware modifications to their computer and to install only authorized programs.
Chapter 10 Summary
Q1: How Are Business Processes, IS, and Applications Developed?
An application is a combination of hardware, software, and data components that accomplishes a set of requirements. Business processes, information systems, and applications have different characteristics and components. The relationship of business processes to information systems is many-to-many. A business process need not relate to any information system, but an information system relates to at least one business process. Every IS has at least one application because every IS has a software component. A business analyst is someone who is well versed in Porter's models and in the organization's strategies and who focus, primarily, on ensuring that business processes and information systems meet the organization's competitive strategies. Systems analysts are IS professionals who understand both business and information technology.
Q2: How Do Organizations Use Business Process Management (BPM)?
A business process is a network of activities, repositories, roles, resources, and flows that interact to accomplish a business function. Roles are collections of activities, and resources, which are people or computer applications that are assigned to roles. A flow is either a control flow that directs the order of activities or a data flow that shows the movement of data among activities and repositories. Businesses need management to improve process quality, changes in technology, and changes in business fundamentals. A business process management (BPM) is a cyclical process for systematically creating, assessing, and altering business processes. This cycle begins by creating a model of the existing business process, called an as-is model.
Q3: How Is Business Process Modeling Notation (BPMN) Used to Model Processes?
Object Management Group (OMG), a software-industry standards organization, created a standard set of terms and graphical notations for documenting business processes. The swim-land layout gives each role in the business process is given its own lane. It simplifies the process diagram and draws attention to interactions among components of the diagram.
Q4: What Are the Phases in the Systems Development Life Cycle (SDLC)?
The systems development life cycle (SDLC) is the traditional process used to develop information systems and applications. The systems development life cycle consists of a five-phrase process: define systems, determine requirements, design system components, implement system, and maintain system. In defining systems, the first step is to define system goals and scope. The second step is to access feasibility. The third step is to form a project team. In determining requirements, the steps needed to be taken are determine sources of requirement, determine the role of a prototype, and approve requirements. In designing system components, each of the five components is designed in this stage. In system implementation, testing and system conversion are done. In maintaining systems, the work done is either to fix the system or adapt it to changes in requirements.
Q5: What Are the Keys for Successful SDLC Projects?
There are five keys to success: create a work breakdown structure, estimate time and costs, create a project plan, adjust the plan via trade-offs, and manage development challenges. The key strategy for SDLC projects is to divide and conquer. Successful project managers break projects into smaller and smaller tasks until each task is small enough to estimate and to manage. Every task should culminate in one or more results called deliverables.
Q6: How Can Scrum Overcome the Problems of the SDLC?
According to the SDLC, progress goes in a linear sequence from requirements to design to implementation. Sometimes this is called the waterfall method because the assumption is that once you've finished a phase, you never go back. The SDLC is very risky. The people for whom the system is being constructed cannot see what they have until the very end. Numerous alternatives to the SDLC include rapid application development, the unified process, extreme processing, scrum, and others.
An application is a combination of hardware, software, and data components that accomplishes a set of requirements. Business processes, information systems, and applications have different characteristics and components. The relationship of business processes to information systems is many-to-many. A business process need not relate to any information system, but an information system relates to at least one business process. Every IS has at least one application because every IS has a software component. A business analyst is someone who is well versed in Porter's models and in the organization's strategies and who focus, primarily, on ensuring that business processes and information systems meet the organization's competitive strategies. Systems analysts are IS professionals who understand both business and information technology.
Q2: How Do Organizations Use Business Process Management (BPM)?
A business process is a network of activities, repositories, roles, resources, and flows that interact to accomplish a business function. Roles are collections of activities, and resources, which are people or computer applications that are assigned to roles. A flow is either a control flow that directs the order of activities or a data flow that shows the movement of data among activities and repositories. Businesses need management to improve process quality, changes in technology, and changes in business fundamentals. A business process management (BPM) is a cyclical process for systematically creating, assessing, and altering business processes. This cycle begins by creating a model of the existing business process, called an as-is model.
Q3: How Is Business Process Modeling Notation (BPMN) Used to Model Processes?
Object Management Group (OMG), a software-industry standards organization, created a standard set of terms and graphical notations for documenting business processes. The swim-land layout gives each role in the business process is given its own lane. It simplifies the process diagram and draws attention to interactions among components of the diagram.
Q4: What Are the Phases in the Systems Development Life Cycle (SDLC)?
The systems development life cycle (SDLC) is the traditional process used to develop information systems and applications. The systems development life cycle consists of a five-phrase process: define systems, determine requirements, design system components, implement system, and maintain system. In defining systems, the first step is to define system goals and scope. The second step is to access feasibility. The third step is to form a project team. In determining requirements, the steps needed to be taken are determine sources of requirement, determine the role of a prototype, and approve requirements. In designing system components, each of the five components is designed in this stage. In system implementation, testing and system conversion are done. In maintaining systems, the work done is either to fix the system or adapt it to changes in requirements.
Q5: What Are the Keys for Successful SDLC Projects?
There are five keys to success: create a work breakdown structure, estimate time and costs, create a project plan, adjust the plan via trade-offs, and manage development challenges. The key strategy for SDLC projects is to divide and conquer. Successful project managers break projects into smaller and smaller tasks until each task is small enough to estimate and to manage. Every task should culminate in one or more results called deliverables.
Q6: How Can Scrum Overcome the Problems of the SDLC?
According to the SDLC, progress goes in a linear sequence from requirements to design to implementation. Sometimes this is called the waterfall method because the assumption is that once you've finished a phase, you never go back. The SDLC is very risky. The people for whom the system is being constructed cannot see what they have until the very end. Numerous alternatives to the SDLC include rapid application development, the unified process, extreme processing, scrum, and others.
Subscribe to:
Posts (Atom)