PPT Slides: Presentation Transcript

    • Management, Planning and Organization of IS: 11% of the exam (~22 questions)
    • Objectives
      • Evaluate IS strategy to ensure it aligns with business strategies
      • Evaluate IS policies to ensure it supports IS strategy
      • Evaluate IS management practices to ensure compliance with IS policies
      • Evaluate IS organization to ensure adequate support of the organization’s business requirements
      • Evaluate management of outsourced services to ensure they support IS strategy
    • Evaluate the following (each layer builds on the one below it)
      • IS Management Practices
      • IS Policies, Standards and Procedures
      • IS Strategy
      • Business Objectives
    • IS Strategy
      • Strategic Planning
        • IS strategy aligns with organization’s business plan
      • Steering Committee
        • Oversee IS department
        • Consists of senior management, IS staff and user department management
        • Chairman – a member of board of directors
    • Steering Committee
      • Duties and responsibilities
        • Formalized in charter
        • Members well-understand IS policies, practices and procedures
        • Each member has his/her own area of responsibilities
        • Should NOT become involved in routine operations
    • Steering Committee
      • Review long and short term plans
      • Review and approve major purchase of h/w and s/w within limits
      • Approve and monitor major projects, set priorities, and monitor overall IS performance
      • Provide liaison between IS and user department
      • Approve budget and review allocation
      • Decide on centralization Vs decentralization
    • Policies and Procedures
      • Policies
        • High level documents
        • Corporate philosophy
        • Clear and concise
        • Fully explain to staff affected
        • Lower level policies are defined accordingly
        • Top-down Vs bottom-up approach
    • Procedures
      • Detailed documents
        • Derived from parent policy
        • Realize corresponding policy
        • Easily and properly understood
        • More dynamic
        • Frequent reviews and updates required
    • Human Resources Policies/Practices
      • Background checks
      • Confidentiality agreements
      • Conflict of interest agreements
      • Non-compete agreements
      • Control risks
        • NOT suitable for position
        • Reference checks NOT carried out
    • Employee Handbook
      • Security policies and procedures
      • Company expectations
      • Employee benefits
      • Vacation policies
      • OT rules
      • Outside employment
      • Performance evaluations
    • Employee Handbook
      • Disciplinary actions
        • Excessive absence
        • Breach of confidentiality or security
        • Non-compliance with policies
    • Termination Policies
      • Voluntary termination
      • Immediate termination
      • Return of keys, ID cards and badges
      • Deletion of log-in ID
      • Notification to other staff and security personnel
      • Arrangement of final payment
      • Termination interview
    • Outsourcing Practices
      • Increasingly important in many organizations
        • Desire to focus on core activities
        • Pressure on profit margin
        • Increasing competition that requires cost cut
        • Flexibility in terms of organization and structure
    • Outsourcing Practices
      • Contractor services
        • Data entry (banks, airlines)
        • Design and development of new systems (ASP)
        • Maintenance of existing applications
        • Conversion of legacy applications to new platforms (web-based migration)
    • Outsourcing Practices
      • Possible disadvantages
        • Costs higher than expected
        • Loss of internal IS experience
        • Loss of control
        • Vendor failure
        • Difficulty in reversing or changing outsourcing agreement
    • Outsourcing Practices
      • Business risks
        • Hidden costs
        • Contract terms not being met
        • Service costs not competitive over time
        • Obsolescence of vendor systems
        • Decrease in bargaining power
    • Outsourcing Practices
      • To minimize business risks
        • Establish measurable partnership-enacted-shared goals and rewards
        • Utilize multiple suppliers or withhold a piece of business as incentive
        • Formation of cross-functional contract management team
        • Contract performance metrics
        • Periodic benchmarking
    • Service Level Agreement (SLA)
      • Well-balanced
      • Instrument of control
      • Include means, methods, processes and structure to measure performance
      • Quantifiable
      • Enforceable
    • Audit Concerns of Outsourcing
      • Contract protection
        • Adequately protect company
      • Audit rights
        • Right to audit vendor operations
      • Continuity of operations
        • Continued service in case of disaster (disaster recovery plan)
      • Integrity, confidentiality and availability of company’s data
    • Audit Concerns of Outsourcing
      • Access control/security administration
      • Violation reporting and follow up
      • Change control and testing
      • Network controls
      • Performance management – load-balancing
    • IS Management Practices
      • Traditional role of IS department – service department, is changing
      • Management principles
        • People management
          • Personnel are highly qualified and well paid, and are less concerned about job security
          • Flat organization
          • Junior level personnel often have major responsibilities and authorities
    • IS Management Practices
      • Management of Change
        • Always new applications and technologies
        • Stay abreast of technology and proactively embrace change
      • Focus on good processes
        • Documented procedures
        • Programming standards, testing, data backup
        • Quality control and assurance
    • IS Management Practices
      • Security
        • The Internet
        • Business continuity (plan)
        • Disaster recovery (plan)
      • Handling 3rd parties
        • Many vendors work together on 1 system
        • Management matters
    • IS Assessment Methods
      • IS budgets
      • Capacity and growth planning
      • User satisfaction
        • SLA with internal user departments
        • System availability
        • Product distribution time
      • Industry standards/benchmarking
    • IS Assessment Methods
      • Financial management practices
        • User pays scheme
        • Chargeback – man-hours, computer time and other resources
          • Measure effectiveness and efficiency
      • Goal accomplishment
        • Measure effectiveness
        • Logging system
    • IS Assessment Methods
        • Example of log
          • Data entry staff keep full details of each batch (duration and errors)
          • Computer operators maintain logs of all batch jobs and time taken
          • Off-site backups and data storage logged
          • Problem in h/w and s/w identified in daily logs
          • Applications generate own error logs
    • IS Assessment Methods
      • Functionality
        • Existence of functions that satisfy stated needs
      • Reliability
        • Capability of software to maintain its level of performance under stated conditions
      • Usability
        • Effort needed to use the software, and the individual assessment of such use by users
    • IS Assessment Methods
      • Efficiency
        • Relationship between level of performance of software and amount of resources used
      • Maintainability
        • Effort needed to make specified modifications
      • Portability
        • Ability of software to be transferred from one platform to another
    • IS Organization Structure and Responsibilities
      • Management structures (line Vs project)
      • Line management
        • Head – CIO
        • Systems development manager
          • Responsible for programmers and analysts
        • End-user support manager
        • Data manager
          • Data architect and manage data as resource
    • IS Organization Structure and Responsibilities
        • Technical support manager
          • Responsible for system programmers
        • Security administrator
          • Provide enough logical and physical security
        • Network manager/administrator
        • Operations manager
          • Responsible for computer operators, librarians, schedules and data control personnel
        • Quality assurance manager
        • Segregation of Duties
    • IS Responsibilities and Duties
      • Information Processing (IP) Vs System Development and Enhancement
      • IP – operational aspects, e.g. computer operations, systems programming, telecomm and librarian functions
      • Systems development – analysis and programming, e.g. development, acquisition and maintenance of application systems
    • IP
      • Operations = information processing facility (IPF)
      • Operation management control
        • Physical security
          • Protect from theft, fire, flood, malicious destruction, mechanical and power failures
        • Data security
          • Physical security of hardware that process data
          • Employee education – data security and privacy
    • IP
        • Processing controls
          • Ensure timely, complete, accurate and secure processing
          • Data control (more details in Business Process Evaluation and Risk Management)
          • Production control – job scheduling, job submission and media management
    • IP
      • Data entry
        • Batch Vs Online
        • Data control unit
          • Receive source documents from user departments and ensure proper safekeeping until processing is done and source documents and outputs are returned
          • Prepare batches of source documents with accurate control totals
          • Schedule and set up jobs
    • IP
      • Librarian
        • Record, issue, receive and safeguard programs and data files on tapes and disks
        • Crucial position
      • Security administration
        • Ensure users comply with security policy and controls are adequate
        • Maintain access rules
        • Maintain security and confidentiality over passwords
    • IP
        • Monitor security violations and take corrective action
        • Review and evaluate security policy
        • Prepare and monitor security awareness program for employees
        • Test security architecture to detect threats
      • Quality assurance
        • Quality Assurance Vs Quality Control
    • IP
      • Quality Assurance
        • Ensure personnel follow prescribed quality processes
        • E.g. ensure programs and documentation adhere to standards and naming conventions
      • Quality Control
        • Conduct tests or reviews to ensure software is free from defects and meet user expectations
        • Must be done before moved into production
        • Check accuracy and authenticity of input, processing and output
    • IP
      • Database administration
        • Define and maintain data structure in db
        • Understand organization and user data and data relationship
        • Responsible for security and information classification
        • Responsible for actual design, definition and maintenance
    • IP
      • Control over DBA
        • Segregation of duties
        • Management approval
        • Supervisor review of access logs
        • Detective controls
    • IP
      • Systems analysis
        • Design systems based on user needs
        • Involved in initial phase of SDLC
        • Like an interpreter
      • Application programming
        • Develop new and maintain systems
        • NO access to production programs
        • Work in test only environment
    • IP
      • Systems programming
        • Maintain system software
        • Unrestricted access to whole system
        • Monitored by keeping logs and allowed to access relevant system libraries
      • Network management
        • LAN or WAN
        • Responsible for technical and administrative control
    • IP
        • Ensure correct functioning of transmission links
        • Backups of system
        • S/w and h/w purchases are authorized and installed properly
        • Could be security administrator in small installations
        • NO application programming rights but end-user responsibilities
      • Help desk administration
    • Segregation of Duties w/i IS
      • Transaction authorization
        • Responsibility of user department
        • Must perform periodic checks
      • Reconciliation
        • Responsibility of user department
      • Custody of assets
        • Data owner is user dept.
        • Owner has responsibility for determining authorization levels
    • Segregation of Duties w/i IS
      • Access to data
        • Physical + system + application security in BOTH user area and IPF
        • System and application securities are additional layers to prevent unauthorized access
        • The Internet has posed greater threat
          • Extranets
    • Segregation of Duties w/i IS
      • Authorization forms
        • User managers define WHO should have access to WHAT
        • Forms must be approved
        • Some organizations maintain signature authorization logs
        • Access privileges periodically reviewed
      • User authorization tables
        • Use authorization form data to build authorization tables
        • Update, modify, delete and/or view
    • Segregation of Duties w/i IS
      • Exception reporting
        • Ensure exceptions are properly and promptly handled
      • Audit trails
        • Map to retrace flow of transaction
        • Recreate actual transaction flow from origin to updated file
        • Audit trail could be compensating control
      • Transaction logs
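    The three slides above describe one control chain: approved authorization forms say WHO may do WHAT (view, update, modify, delete), the forms are turned into a user authorization table, privileges are reviewed periodically, and anything that does not fit is raised through exception reporting. The following is an added example (not from the slides) that builds such a table, applies the segregation-of-duties rule that application programmers have no production access, and emits an exception report; the form fields, role names, sample users and 90-day review period are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Rights an authorization form may grant (update, modify, delete and/or view).
PERMISSIONS = {"view", "update", "modify", "delete"}

# Segregation-of-duties rule: application programmers work in a test-only
# environment and get NO access to production (role names are assumed).
SOD_RULES = {"application_programmer": {"production"}}

@dataclass
class AuthForm:
    user: str
    role: str
    environment: str   # "production" or "test"
    dataset: str
    rights: set
    approved_by: str   # empty string = not yet approved by the user manager
    last_review: date  # date the privilege was last reviewed

def build_auth_table(forms, today, review_days=90):
    """Build the user authorization table from approved forms.

    Returns (table, exceptions): table maps (user, dataset) -> rights;
    exceptions lists rejected forms and privileges needing follow-up.
    """
    table, exceptions = {}, []
    for f in forms:
        if not f.approved_by:                      # forms must be approved
            exceptions.append(f"{f.user}: form not approved")
            continue
        if not f.rights <= PERMISSIONS:            # only known rights
            exceptions.append(f"{f.user}: unknown rights {sorted(f.rights - PERMISSIONS)}")
            continue
        if f.environment in SOD_RULES.get(f.role, set()):   # SoD check
            exceptions.append(f"{f.user}: {f.role} may not access {f.environment}")
            continue
        if (today - f.last_review).days > review_days:      # periodic review
            exceptions.append(f"{f.user}: privileges overdue for periodic review")
        table[(f.user, f.dataset)] = set(f.rights)
    return table, exceptions

def access_allowed(table, user, dataset, right):
    """Check one request against the table (default deny)."""
    return right in table.get((user, dataset), set())

# Constructed sample forms (not from the slides).
SAMPLE_FORMS = [
    AuthForm("alice", "data_entry", "production", "payroll", {"view", "update"}, "mgr_bob", date(2024, 5, 1)),
    AuthForm("carol", "application_programmer", "production", "payroll", {"modify"}, "mgr_bob", date(2024, 5, 1)),
    AuthForm("dave", "data_entry", "production", "payroll", {"view"}, "", date(2024, 5, 1)),
    AuthForm("erin", "accountant", "production", "ledger", {"view"}, "mgr_bob", date(2023, 1, 1)),
]

def sample_report(today=date(2024, 6, 1)):
    """Run the sample forms through the table builder."""
    return build_auth_table(SAMPLE_FORMS, today)
```

Running `sample_report()` keeps alice and erin in the table, rejects carol (segregation of duties) and dave (unapproved form), and flags erin's privilege as overdue for review.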
    • How to Identify Potential Problems with IPF
      • Indicators
        • Unfavorable end-user attitudes
        • Excessive costs
        • Budget overruns
        • Late projects
        • High turnover
        • Inexperienced staff
    • How to Identify Potential Problems with IPF
        • Excessive backlog of user requests
        • Slow computer response time
        • Numerous aborted or suspended development projects
        • Unsupported or unauthorized h/w or s/w purchases
        • Frequent h/w or s/w upgrades
        • Extensive exception reports
        • Exception reports which were not followed up on
    • How to Identify Potential Problems with IPF
      • Documentation review
        • IS strategies, plans, budgets
        • Security policy documentation
          • Confidential
          • Preventive controls, WHO is responsible for WHAT
        • Organizational chart
        • Job descriptions
        • Steering committee reports
        • System development and program change procedures
        • Operations procedures
    • How to Identify Potential Problems with IPF
      • Interview and observe
        • Actual performance
        • Security awareness
        • Reporting relationships
      • Review contractual agreements
        • Development of contract agreements
        • Contract bidding process
        • Contract selection process
        • Contract acceptance
        • Contract maintenance
    • Management, Planning and Organization of IS (End)