Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 151 Information Technology For Management 5 th Edition Turban, Leidner, McLean, Wetherbe Lecture Slides by A. Lekacos, Stony Brook University John.

Published byCatherine Morris Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 151 Information Technology For Management 5 th Edition Turban, Leidner, McLean, Wetherbe Lecture Slides by A. Lekacos, Stony Brook University John."— Presentation transcript:

1 Chapter 151 Information Technology For Management 5 th Edition Turban, Leidner, McLean, Wetherbe Lecture Slides by A. Lekacos, Stony Brook University John Wiley & Sons, Inc. Managing Information Resources and Security

2 Chapter 152 Learning Objectives Recognize the difficulties in managing information resources. Understand the role of the IS department and its relationships with end users. Discuss the role of the chief information officer. Recognize information systems ’ vulnerability, attack methods, and the possible damage from malfunctions. Describe the major methods of defending information systems. Describe the security issues of the Web and electronic commerce. Describe business continuity and disaster recovery planning. Understand the economics of security and risk management. Describe the role of IT in supporting counterterrorism.

3 Chapter 153 The IS Department The reporting relationship of the ISD is important in that it reflects the focus of the department. If the ISD reports to the accounting or finance areas, there is often a tendency to emphasize accounting or finance applications at the expense of those in the marketing, production, and logistics areas. The name of the ISD is also important. Data Processing (DP) Department. Management Information Systems (MIS) Department Information Systems Department (ISD) Another important characteristic is the status of the ISD IT resources are very diversified; they include personnel assets, technology assets, and IT relationship assets. The management of information resources is divided between the information services department (ISD) and the end users. The division of responsibility depends on many factors.

4 Chapter 154 The End-User Relationship To improve collaboration, the ISD and end users may employ three common arrangements: the steering committee service-level agreements the information center. Since the ISD is a service organization that manages the IT infrastructure needed to carry on end-user IT applications. It is extremely important to have a good relationship with the end users. The development of end-user computing and outsourcing was motivated in part by the poor service that end users felt they received. However, this is not an easy task since the ISD is basically a technical organization that may not understand the business and the users. While the users, may not understand information technologies.

5 Chapter 155 The End-User Relationship - continued ISD and Four approaches 1.Let them sink or swim. Don ’ t do anything; let the end user beware. 2.Use the stick. Establish policies and procedures to control end- user computing so that corporate risks are minimized, and try to enforce them. 3.Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks. 4.Offer support. Develop services to aid end users in their computing activity

6 Chapter 156 The CIO (Chief Information Officer) The changing role of the ISD highlights the fact that the CIO is becoming an important member of the firm's top management team. Realization of the need for IT-related disaster planning and the importance of IT to the firm ’ s activities. Aligning IT with the business strategy Implementing state-of-the-art solutions Providing information access Being a business visionary who drives business strategy Coordinating resources Managing the ISD is similar to managing any other organizational unit. The unique aspect of the ISD is that it operates as a service department in a rapidly changing environment, thus making the department’s projections and planning difficult.

7 Chapter 157 The Transition Environment

8 Chapter 158 IS Vulnerability Information resources (physical resources, data, software, procedures, and other information resources) are scattered throughout the firm. Information is transmitted to and from the firm’s components. Therefore vulnerabilities exist at many points and at any time.

9 Chapter 159 IT Security Terms

10 Chapter 1510 System Vulnerability  A universal vulnerability is a state in a computing system which either: allows an attacker to execute commands as another user; allows an attacker to access data that is contrary to the access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.  An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected, but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable security policy.

11 Chapter 1511 System Vulnerability Continued These threats can be classified as: Unintentional Human errors Environmental hazards Computer system failures Intentional Theft of data Inappropriate use of data Theft of mainframe com ­ puter time Theft of equipment and/or programs The vulnerability of information systems is increasing as we move to a world of networked and especially wireless computing. Theoretically, there are hundreds of points in a corporate information system that can be subject to some threats.

12 Chapter 1512 System Vulnerability Continued Intentional continued Deliberate manipulation in handling Entering data Processing data Transferring data Programming data Labor strikes Riots Sabotage Malicious damage to computer resources Destruction from viruses and similar attacks Miscellaneous computer abuses Internet fraud. Terrorists ’ attack

13 Chapter 1513 Programming Attack – One method Programming attack is implemented through the modification of a computer program.

14 Chapter 1514 Viruses – One method The most common attack method is the virus a program that attaches itself to (“infect”) other computer programs, without the owner of the program being aware of the infection. It spreads, causing damage to that program and possibly to others. When a virus is attached to a legitimate software program, the legitimate software is acting as a Trojan horse, a program that contains a hidden function.

15 Chapter 1515 Protecting Information Resources Aligned. The program must be aligned with organizational goals. Enterprisewide. Everyone in the organization must be included. Continuous. The program must be operational all the time. Proactive. Use innovative, preventive, and protective measures. Validated. The program must be tested to ensure it works. Formal. It must include authority, responsibility & accountability. Information security problems are increasing rapidly, causing damage to many organizations. Protection is expensive and complex. Therefore, companies must not only use controls to prevent and detect security problems, they must do so in an organized manner. An approach similar to TQM (total quality management) would have the following characteristics:

16 Chapter 1516 Corporate Security Plan - Protecting

17 Chapter 1517 Difficulties - Protecting

18 Chapter 1518 Defense Strategy - Protecting The major objectives of a defense strategy are: 1.Prevention and deterrence. 2.Detection. 3.Limitation of damage. 4.Recovery. 5.Correction 6.Awareness and compliance Knowing about potential threats to IS is necessary, but understanding ways to defend against these threats is equally critical. Because of its importance to the entire enterprise, organizing an appropriate defense system is one of the major activities of the CIO. It is accomplished by inserting controls (defense mechanisms) and developing awareness.

19 Chapter 1519 Defense Strategy - Controls Any defense strategy involves the use of several controls. These controls are divided into two categories general controls that protect the system regardless of the specific application and application controls that safeguard specific applications. General Application

20 Chapter 1520 Defense Strategy – Biometric

21 Chapter 1521 Defense Strategy – Internet Security Security Layers The major objective of border security is access control. Then authentication or proof of identity and finally authorization which determine the action or activities a user is allowed to perform.

22 Chapter 1522 Business Continuity An important element in any security system is the business continuity plan, also known as the disaster recovery plan. Such a plan outlines the process by which businesses should recover from a major disaster. The purpose of a business continuity plan is to keep the business running after a disaster occurs. Recovery planning is part of asset protection. Planning should focus on recovery from a total loss of all capabilities. Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current. All critical applications must be identified and their recovery procedures addressed. The plan should be written so that it will be effective in case of disaster.

23 Chapter 1523 Business Continuity continued The plan should be kept in a safe place; copies should be given to all key managers; or it should be available on the Intranet and the plan should be audited periodically. One of the most logical ways to deal with loss of data is to back it up. A business continuity plan should include backup arrangements were all copies of important files are kept offsite.

24 Chapter 1524 Auditing Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task. There are two types of auditors: An internal auditor is usually a corporate employee who is not a member of the ISD. An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit. There are two types of audits. The operational audit determines whether the ISD is working properly. The compliance audit determines whether controls have been implemented properly and are adequate.

25 Chapter 1525 Risk Management It is usually not economical to prepare protection against every possible threat. Therefore, an IT security program must provide a process for assessing threats and deciding which ones to prepare for and which ones to ignore.

26 Chapter 1526 IT Security Trends Increasing the reliability of systems Self-healing computers Intelligent systems for early intrusion detection Intelligent systems in auditing and fraud detection Artificial intelligence in biometrics Expert systems for diagnosis, prognosis, and disaster planning Smart cards

27 Chapter 1527 MANAGERIAL ISSUES To whom should the IS department report? This issue is related to the degree of IS decentralization and to the role of the CIO. Having the IS department reporting to a functional area may introduce biases in providing IT priorities to that functional area, which may not be justifiable. Having the IS report to the CEO is very desirable. Who needs a CIO? This is a critical question that is related to the role of the CIO as a senior executive in the organization. Giving a title without authority can damage the ISD and its operation. Asking the IS director to assume a CIO ’ s responsibility, but not giving the authority and title, can be just as damaging. Any organization that is heavily dependent on IT should have a CIO. End users are friends, not enemies, of the IS department. The relationship between end users and the ISD can be very delicate. In the past, many ISDs were known to be insensitive to end-user needs. This created a strong desire for end-user independence, which can be both expensive and ineffective. Successful companies develop a climate of cooperation and friendship between the two parties. Ethical issues. The reporting relationship of the ISD can result in some un ­ ethical behavior. For example, if the ISD reports to the finance department, the finance department will have access to information about individuals or other departments that could be misused.

28 Chapter 1528 MANAGERIAL ISSUES Continued Responsibilities for security should be assigned in all areas. The more organizations use the Internet, extranets, and intranets, the greater are the security issues. It is important to make sure that employees know who is responsible and accountable for what information and that they understand the need for security control. The vast majority of information resources is in the hands of end users. Therefore, functional managers must understand and practice IT security management and other proper asset management tasks. Security awareness programs are important for any organization, especially if it is heavily dependent on IT. Such programs should be corporate wide and supported by senior executives. In addition, monitoring security measures and ensuring compliance with administrative controls are essential to the success of any security plan. For many people, following administrative controls means additional work, which they prefer not to do. Auditing information systems should be institutionalized into the organizational culture. Organizations should audit IS because it can save considerable amounts of money. Conversely, over-auditing is not cost-effective.

29 Chapter 1529 MANAGERIAL ISSUES Continued Multinational corporations. Organizing the ISD in a multinational corporation is a complex issue. Some organizations prefer a complete decentralization, having an ISD in each country or even several ISDs in one country. Others keep a minimum of centralized staff. Some companies prefer a highly centralized structure. Legal issues, government constraints, and the size of the IS staff are some factors that determine the degree of decentralization. Sarbanes-Oxley. The Sarbanes-Oxley Act, according to the CSI/FBI survey (Gordon et al., 2004) is having a major impact on IT, especially in the financial, utility, and telecommunications sectors (see Minicase 2).

30 Chapter 1530 Chapter 15 Copyright © 2005 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back- up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

Download ppt "Chapter 151 Information Technology For Management 5 th Edition Turban, Leidner, McLean, Wetherbe Lecture Slides by A. Lekacos, Stony Brook University John."

Similar presentations

Information Security EDU 5815 1. IT Security Terms EDU 5815 2.

Information Security EDU IT Security Terms EDU
ACCOUNTING INFORMATION SYSTEMS

ACCOUNTING INFORMATION SYSTEMS
Auditing Computer Systems

Auditing Computer Systems
Chapter 61 Information Technology For Management 6 th Edition Turban, Leidner, McLean, Wetherbe Lecture Slides by L. Beaubien, Providence College John.

Chapter 61 Information Technology For Management 6 th Edition Turban, Leidner, McLean, Wetherbe Lecture Slides by L. Beaubien, Providence College John.
Www.sims.monash.edu.au 1 IMS9043 - INFORMATION TECHNOLOGY IN ORGANISATIONS Week 9 Control, audit and security.

1 IMS INFORMATION TECHNOLOGY IN ORGANISATIONS Week 9 Control, audit and security.
1 Average: 85%, Median: 90%…Good Work!. 2 Chapter 15 Managing Information Resources & Security.

1 Average: 85%, Median: 90%…Good Work!. 2 Chapter 15 Managing Information Resources & Security.
Introduction to Information Technology, 2nd Edition Turban, Rainer & Potter © 2003 John Wiley & Sons, Inc. 15-1 Introduction to Information Technology.

Introduction to Information Technology, 2nd Edition Turban, Rainer & Potter © 2003 John Wiley & Sons, Inc Introduction to Information Technology.
POKOK BAHASAN Pertemuan 4 Matakuliah: Sistem Informasi Manajemen Tahun: 2008.

POKOK BAHASAN Pertemuan 4 Matakuliah: Sistem Informasi Manajemen Tahun: 2008.
POKOK BAHASAN Pertemuan 25 Matakuliah: Sistem Informasi Manajemen Tahun: 2008.

POKOK BAHASAN Pertemuan 25 Matakuliah: Sistem Informasi Manajemen Tahun: 2008.
Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.

Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.
Chapter 101 Information Technology For Management 6 th Edition Turban, Leidner, McLean, Wetherbe Lecture Slides by L. Beaubien, Providence College John.

Chapter 101 Information Technology For Management 6 th Edition Turban, Leidner, McLean, Wetherbe Lecture Slides by L. Beaubien, Providence College John.
Schermerhorn- Chapter 61 Management, 6e Schermerhorn Prepared by Cheryl Wyrick California State Polytechnic University Pomona John Wiley & Sons, Inc.

Schermerhorn- Chapter 61 Management, 6e Schermerhorn Prepared by Cheryl Wyrick California State Polytechnic University Pomona John Wiley & Sons, Inc.
Chapter 12 Managing Team Performance. 12- 2 Management 1e 12- 2 Management 1e 12- 2 Management 1e - 2 Management 1e Learning Objectives  Describe why.

Chapter 12 Managing Team Performance Management 1e Management 1e Management 1e - 2 Management 1e Learning Objectives  Describe why.
Chapter 151 Information Technology For Management 4 th Edition Turban, McLean, Wetherbe John Wiley & Sons, Inc. Managing Information Resources and Security.

Chapter 151 Information Technology For Management 4 th Edition Turban, McLean, Wetherbe John Wiley & Sons, Inc. Managing Information Resources and Security.
Copyright 2004 John Wiley & Sons, Inc.21 - 1 Information Technology: Strategic Decision Making For Managers Henry C. Lucas Jr. John Wiley & Sons, Inc Dinesh.

Copyright 2004 John Wiley & Sons, Inc Information Technology: Strategic Decision Making For Managers Henry C. Lucas Jr. John Wiley & Sons, Inc Dinesh.
Chapter 171 Stabilizing the Quality System Chapter 17 Achieving Quality Through Continual Improvement Claude W. Burrill / Johannes Ledolter Published by.

Chapter 171 Stabilizing the Quality System Chapter 17 Achieving Quality Through Continual Improvement Claude W. Burrill / Johannes Ledolter Published by.
12-1 Planning for Information Technology and Systems.

12-1 Planning for Information Technology and Systems.
Evaluating and Terminating the Project

Evaluating and Terminating the Project
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Management, 6e Schermerhorn Prepared by Cheryl Wyrick California State Polytechnic University Pomona John Wiley & Sons, Inc.

Management, 6e Schermerhorn Prepared by Cheryl Wyrick California State Polytechnic University Pomona John Wiley & Sons, Inc.

Similar presentations

Ads by Google