Management, Planning and Organization of IS (11% of the exam, about 22 questions)

Objectives
- Evaluate IS strategy to ensure it aligns with business strategies
- Evaluate IS policies to ensure they support the IS strategy
- Evaluate IS management practices to ensure compliance with IS policies
- Evaluate the IS organization to ensure it adequately supports the organization's business requirements
- Evaluate management of outsourced services to ensure they support the IS strategy

Evaluate the following, each layer derived from the one above it: business objectives, IS strategy, IS policies, standards and procedures, IS management practices

IS Strategy
- Strategic planning
  - IS strategy aligns with the organization's business plan
- Steering committee
  - Oversees the IS department
  - Consists of senior management, IS staff and user department management
  - Chairman: a member of the board of directors

Steering Committee
- Duties and responsibilities
  - Formalized in a charter
  - Members understand IS policies, practices and procedures well
  - Each member has his/her own area of responsibility
  - Should NOT become involved in routine operations
  - Acts as a review board for major IS projects

Steering Committee
- Review long- and short-term plans
- Review and approve major purchases of hardware and software within set limits
- Approve and monitor major projects, set priorities, and monitor overall IS performance
- Provide liaison between IS and user departments
- Approve the budget and review its allocation
- Decide on centralization vs decentralization
- Review and approve outsourcing plans

Policies and Procedures
- Policies
  - High-level documents
  - Express corporate philosophy
  - Clear and concise
  - Fully explained to the staff affected
  - Lower-level policies are defined accordingly
  - Top-down vs bottom-up approach

Procedures
- Detailed documents
  - Derived from a parent policy
  - Realize the corresponding policy
  - Easily and properly understood
  - More dynamic than policies
  - Frequent reviews and updates required
Human Resources Policies/Practices
- Background checks
- Confidentiality agreements
- Conflict-of-interest agreements
- Non-compete agreements
- Control risks
  - Person NOT suitable for the position
  - Reference checks NOT carried out
  - Temporary staff and contractors introduce uncontrolled risks

Employee Handbook
- Security policies and procedures
- Company expectations
- Employee benefits
- Vacation policies
- Overtime rules
- Outside employment
- Performance evaluations
- Emergency procedures

Employee Handbook
- Disciplinary actions
  - Excessive absence
  - Breach of confidentiality or security
  - Non-compliance with policies

Termination Policies
- Voluntary termination
- Immediate termination
- Return of keys, ID cards and badges
- Deletion of log-in ID
- Notification to other staff and security personnel
- Arrangement of final payment
- Termination interview
- Escort from premises
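The "deletion of log-in ID" step is the one an auditor can actually test: reconcile the HR leaver list against the account directory and look for IDs that outlived their owner. The script below is an added example, not part of the original slides; the HR feed, the directory export, the login names and the severity labels are all constructed for illustration. It flags three conditions a practitioner wants to see separately: an account used after the termination date (strongest signal), an account still enabled after the termination date (worse for an immediate termination, which should be disabled the same day), and an enabled account with no HR owner at all.

```python
"""Leaver reconciliation: login IDs that outlived their owner's termination.

Added example; not part of the original slide deck. The HR export, the
directory export and their field names are constructed assumptions.
"""
from datetime import date
from typing import Dict, List, Set

# Constructed HR termination feed, keyed by login ID.
HR_TERMINATIONS = {
    "jsmith": {"terminated": "2024-03-01", "type": "voluntary"},
    "rlee":   {"terminated": "2024-03-05", "type": "immediate"},
    "mchan":  {"terminated": "2024-02-20", "type": "voluntary"},
}

# Constructed set of logins HR still considers current employees.
ACTIVE_STAFF = {"awong"}

# Constructed directory export: account status and last successful logon.
DIRECTORY = {
    "jsmith":    {"enabled": False, "last_logon": "2024-02-29"},  # correctly disabled
    "rlee":      {"enabled": True,  "last_logon": "2024-03-07"},  # used after dismissal
    "mchan":     {"enabled": True,  "last_logon": "2024-02-18"},  # never disabled
    "svc_batch": {"enabled": True,  "last_logon": "2024-03-10"},  # no HR owner
    "awong":     {"enabled": True,  "last_logon": "2024-03-09"},  # current employee
}


def reconcile(hr_terminations: Dict[str, dict], active_staff: Set[str],
              directory: Dict[str, dict], as_of: str) -> List[dict]:
    """Compare HR leavers against the account directory; return findings.

    Finding types, in decreasing severity:
      logon_after_termination   the account was used after the leaving date
      enabled_after_termination the login ID was never deleted/disabled
      orphan_account            enabled account with no HR owner at all
    Terminations dated after `as_of` (e.g. a notice period still running)
    are not findings yet.
    """
    cutoff = date.fromisoformat(as_of)
    findings = []
    for login, acct in sorted(directory.items()):
        term = hr_terminations.get(login)
        if term is not None:
            left = date.fromisoformat(term["terminated"])
            last = date.fromisoformat(acct["last_logon"])
            if left > cutoff:
                continue  # not yet due for removal
            if last > left:
                findings.append({"login": login, "finding": "logon_after_termination",
                                 "severity": "critical", "type": term["type"]})
            if acct["enabled"]:
                # An immediate termination should have been disabled the same day.
                sev = "high" if term["type"] == "immediate" else "medium"
                findings.append({"login": login, "finding": "enabled_after_termination",
                                 "severity": sev, "type": term["type"]})
        elif login not in active_staff and acct["enabled"]:
            findings.append({"login": login, "finding": "orphan_account",
                             "severity": "medium", "type": None})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per type; a non-empty result fails the offboarding check."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(HR_TERMINATIONS, ACTIVE_STAFF, DIRECTORY, "2024-03-11")
    for f in results:
        print(f"{f['severity']:8} {f['login']:10} {f['finding']}")
    print(summarize(results))
```

In practice the two inputs come from the HR system of record and a directory export (for example an LDAP or Active Directory dump); the check is only as good as the join key, so a stable employee identifier is preferable to the login name used here for brevity.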
Outsourcing Practices
- Increasingly important in many organizations
  - Desire to focus on core activities
  - Pressure on profit margin
  - Increasing competition that requires cost cutting
  - Flexibility in terms of organization and structure

Outsourcing Practices
- Contractor services
  - Data entry (banks, airlines)
  - Design and development of new systems (ASP)
  - Maintenance of existing applications
  - Conversion of legacy applications to new platforms (web-based migration)
  - Help desk or call center

Outsourcing Practices
- Possible disadvantages
  - Costs higher than expected
  - Loss of internal IS experience
  - Loss of control
  - Vendor failure
  - Difficulty in reversing or changing the outsourcing agreement

Outsourcing Practices
- Business risks
  - Hidden costs
  - Contract terms not being met
  - Service costs not competitive over time
  - Obsolescence of vendor systems
  - Decrease in bargaining power
  - Lock-in

Outsourcing Practices
- To minimize business risks
  - Establish measurable, partnership-enacted shared goals and rewards
  - Utilize multiple suppliers, or withhold a piece of business as an incentive
  - Form a cross-functional contract management team
  - Contract performance metrics
  - Periodic benchmarking
  - Implement short-term contracts

Service Level Agreement (SLA)
- Well-balanced
- An instrument of control
- Includes the means, methods, processes and structure to measure performance
- Quantifiable
- Enforceable

Audit Concerns of Outsourcing
- Contract protection
  - Adequately protects the company
- Audit rights
  - Right to audit vendor operations
- Continuity of operations
  - Continued service in case of disaster (disaster recovery plan)
- Integrity, confidentiality and availability of the company's data

Audit Concerns of Outsourcing
- Access control / security administration
- Violation reporting and follow-up
- Change control and testing
- Network controls
- Performance management (load balancing)
IS Management Practices
- The traditional role of the IS department as a service department is changing
- Management principles
  - People management
    - Personnel are highly qualified and well paid, and are less concerned about job security
    - Flat organization
    - Junior-level personnel often have major responsibilities and authority
    - Training, development and challenging work

IS Management Practices
- Management of change
  - There are always new applications and technologies
  - Stay abreast of technology and proactively embrace change
- Focus on good processes
  - Documented procedures
  - Programming standards, testing, data backup
  - Quality control and assurance

IS Management Practices
- Security
  - The Internet
  - Business continuity (plan)
  - Disaster recovery (plan)
- Handling third parties
  - Many vendors work together on one system
  - Management matters

IS Assessment Methods
- IS budgets
- Capacity and growth planning
- User satisfaction
  - SLA with internal user departments
  - System availability
  - Product distribution time
- Industry standards / benchmarking

IS Assessment Methods
- Financial management practices
  - User-pays scheme
  - Chargeback of man-hours, computer time and other resources
    - Measures effectiveness and efficiency
- Goal accomplishment
  - Measures effectiveness
  - Logging system

IS Assessment Methods
- Examples of logs
  - Data entry staff keep full details of each batch (duration and errors)
  - Computer operators maintain logs of all batch jobs and the time taken
  - Off-site backups and data storage are logged
  - Hardware and software problems are identified in daily logs
  - Applications generate their own error logs
  - The security log details who did what, and when

IS Assessment Methods (the six ISO/IEC 9126 software quality characteristics)
- Functionality
  - Existence of functions that satisfy stated needs
- Reliability
  - Capability of the software to maintain its level of performance under stated conditions
- Usability
  - Effort needed for use, and the individual assessment of such use by users

IS Assessment Methods
- Efficiency
  - Relationship between the level of performance of the software and the amount of resources used
- Maintainability
  - Effort needed to make specified modifications
- Portability
  - Ability of the software to be transferred from one platform to another
IS Organization Structure and Responsibilities
- Management structures (line vs project)
- Line management
  - Head: CIO
  - Systems development manager
    - Responsible for programmers and analysts
  - End-user support manager
  - Data manager
    - Data architect; manages data as a resource
  - Database administrator

IS Organization Structure and Responsibilities
  - Technical support manager
    - Responsible for systems programmers
  - Security administrator
    - Provides adequate logical and physical security
  - Network manager/administrator
  - Operations manager
    - Responsible for computer operators, librarians, schedulers and data control personnel
  - Quality assurance manager
  - Segregation of duties

IS Responsibilities and Duties
- Information processing (IP) vs systems development and enhancement
- IP: operational aspects, e.g. computer operations, systems programming, telecommunications and librarian functions
- Systems development: analysis and programming, e.g. development, acquisition and maintenance of application systems

IP
- Operations = information processing facility (IPF)
- Operations management controls
  - Physical security
    - Protect from theft, fire, flood, malicious destruction, mechanical and power failures
  - Data security
    - Physical security of the hardware that processes data
    - Employee education on data security and privacy
    - Logical security, e.g. against unauthorized access

IP
  - Processing controls
    - Ensure timely, complete, accurate and secure processing
    - Data control (more details in Business Process Evaluation and Risk Management)
    - Production control: job scheduling, job submission and media management

IP
- Data entry
  - Batch vs online
  - Data control unit
    - Receives source documents from user departments and ensures proper safekeeping until processing is done and the source documents and outputs are returned
    - Prepares batches of source documents with accurate control totals
    - Schedules and sets up jobs
    - Verifies, logs and distributes output to the appropriate department

IP
- Librarian
  - Records, issues, receives and safeguards programs and data files on tapes and disks
  - A crucial position
- Security administration
  - Ensures users comply with the security policy and that controls are adequate
  - Maintains access rules
  - Maintains security and confidentiality over passwords

IP
  - Monitors security violations and takes corrective action
  - Reviews and evaluates the security policy
  - Prepares and monitors the security awareness program for employees
  - Tests the security architecture to detect threats
- Quality assurance
  - Quality assurance vs quality control

IP
- Quality assurance
  - Ensures personnel follow prescribed quality processes
  - E.g. ensures programs and documentation adhere to standards and naming conventions
- Quality control
  - Conducts tests or reviews to ensure software is free from defects and meets user expectations
  - Must be done before software is moved into production
  - Checks accuracy and authenticity of input, processing and output

IP
- Database administration
  - Defines and maintains the data structure in the database
  - Understands the organization's and users' data and the data relationships
  - Responsible for security and information classification
  - Responsible for the actual design, definition and maintenance
  - A very powerful administrator, e.g. can access production data

IP
- Controls over the DBA
  - Segregation of duties
  - Management approval
  - Supervisory review of access logs
  - Detective controls

IP
- Systems analysis
  - Designs systems based on user needs
  - Involved in the initial phases of the SDLC
  - Acts like an interpreter between users and the technical staff
- Application programming
  - Develops new systems and maintains existing ones
  - NO access to production programs
  - Works in a test-only environment

IP
- Systems programming
  - Maintains system software
  - Has unrestricted access to the whole system
  - Controlled by keeping logs of its activity and by allowing access only to the relevant system libraries
- Network management
  - LAN or WAN
  - Responsible for technical and administrative control

IP
  - Ensures correct functioning of transmission links
  - Backups of the system
  - Software and hardware are authorized for purchase and installed properly
  - Could also be the security administrator in small installations
  - NO application programming rights, but end-user responsibilities
- Help desk administration
Segregation of Duties within IS
- Transaction authorization
  - Responsibility of the user department
  - Must perform periodic checks
- Reconciliation
  - Responsibility of the user department
- Custody of assets
  - The data owner is the user department
  - The owner has responsibility for determining authorization levels
  - The data security administrator implements and enforces the security system

Segregation of Duties within IS
- Access to data
  - Physical + system + application security, in BOTH the user area and the IPF
  - System and application security are additional layers to prevent unauthorized access
  - The Internet has posed a greater threat
    - extranets

Segregation of Duties within IS
- Authorization forms
  - User managers define WHO should have access to WHAT
  - Forms must be approved
  - Some organizations maintain signature authorization logs
  - Access privileges are reviewed periodically
- User authorization tables
  - Built from the authorization form data
  - Privileges: update, modify, delete and/or view

Segregation of Duties within IS
- Exception reporting
  - Ensure exceptions are properly and promptly handled
- Audit trails
  - A map to retrace the flow of a transaction
  - Recreate the actual transaction flow from origin to the updated file
  - An audit trail can be a compensating control where full segregation of duties is not achievable
- Transaction logs
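The four segregation-of-duties slides above describe one mechanism end to end: approved authorization forms become rows in a user authorization table (view/update/modify/delete), every access decision is written to a security log that says who did what and when, incompatible duties held by one person are reported, and the audit trail lets a reviewer retrace a transaction from origin to the updated file. The code below is an added example, not part of the original slides; the resource name, the user and manager names, the duty labels and the list of conflicting duty pairs are constructed. It goes slightly beyond the slides by rejecting, and logging, a form that was never approved, so the table can only contain what a user manager signed for.

```python
"""Authorization table, SoD conflict detection and audit-trail retrace.

Added example; not part of the original slide deck. The resource, user,
manager and duty names and the conflicting-duty pairs are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Privilege vocabulary from the "user authorization tables" slide.
PRIVILEGES = {"view", "update", "modify", "delete"}

# Duty pairs one person must not hold at once (constructed from the
# segregation-of-duties slides: authorize vs reconcile, develop vs
# change production).
SOD_CONFLICTS = [
    frozenset({"transaction_authorization", "reconciliation"}),
    frozenset({"application_programming", "production_update"}),
]


@dataclass
class AuthForm:
    """One access request form as completed by a user manager."""
    user: str
    resource: str
    privileges: Set[str]
    duties: Set[str]
    approved_by: Optional[str]  # signing manager; None means never approved


@dataclass
class AuthorizationSystem:
    table: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    duties: Dict[str, Set[str]] = field(default_factory=dict)
    audit_trail: List[dict] = field(default_factory=list)

    def _log(self, who: str, what: str, target: str, detail, txn: Optional[str]) -> None:
        """Security log entry: who did what, to which target, and when."""
        self.audit_trail.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": who, "what": what, "target": target,
            "detail": detail, "txn": txn,
        })

    def load_form(self, form: AuthForm) -> bool:
        """Add table rows from an approved form; an unsigned form is logged and ignored."""
        if form.approved_by is None:
            self._log("system", "REJECT_UNAPPROVED_FORM", form.user, form.resource, None)
            return False
        unknown = form.privileges - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privilege(s) on form: {sorted(unknown)}")
        self.table.setdefault((form.user, form.resource), set()).update(form.privileges)
        self.duties.setdefault(form.user, set()).update(form.duties)
        self._log(form.approved_by, "GRANT", form.user,
                  f"{form.resource}:{','.join(sorted(form.privileges))}", None)
        return True

    def check(self, user: str, resource: str, priv: str, txn: str) -> bool:
        """Access decision against the table; every decision is logged with its transaction id."""
        allowed = priv in self.table.get((user, resource), set())
        self._log(user, "ALLOW" if allowed else "DENY", resource, priv, txn)
        return allowed

    def sod_conflicts(self) -> Dict[str, List[str]]:
        """Users whose approved duties include an incompatible pair."""
        return {u: sorted(d) for u, d in self.duties.items()
                if any(pair <= d for pair in SOD_CONFLICTS)}

    def retrace(self, txn: str) -> List[dict]:
        """Audit trail for one transaction, in the order the events occurred."""
        return [e for e in self.audit_trail if e["txn"] == txn]


def build_demo() -> AuthorizationSystem:
    """Constructed forms and one transaction against a general-ledger resource 'GL'."""
    system = AuthorizationSystem()
    forms = [
        AuthForm("alice", "GL", {"view", "update"}, {"transaction_authorization"}, "fin_mgr"),
        AuthForm("bob", "GL", {"view"}, {"reconciliation"}, "fin_mgr"),
        AuthForm("carol", "GL", {"view", "update"},
                 {"transaction_authorization", "reconciliation"}, "fin_mgr"),  # SoD conflict
        AuthForm("dave", "GL", {"delete"}, set(), None),  # form never signed
    ]
    for f in forms:
        system.load_form(f)
    # One transaction: alice posts it, bob reconciles it, dave tries to delete it.
    system.check("alice", "GL", "update", "TXN-1001")
    system.check("bob", "GL", "view", "TXN-1001")
    system.check("dave", "GL", "delete", "TXN-1001")
    return system


if __name__ == "__main__":
    s = build_demo()
    print("SoD conflicts:", s.sod_conflicts())
    for e in s.retrace("TXN-1001"):
        print(e["when"], e["who"], e["what"], e["target"], e["detail"])
```

The conflict report is what the periodic access review consumes: carol's form was properly approved, yet she can both authorize and reconcile, which is exactly the condition the slides say must be split between people or covered by a compensating audit-trail review.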
How to Identify Potential Problems with the IPF
- Indicators
  - Unfavorable end-user attitudes
  - Excessive costs
  - Budget overruns
  - Late projects
  - High turnover
  - Inexperienced staff
  - Frequent hardware and/or software errors

How to Identify Potential Problems with the IPF
  - Excessive backlog of user requests
  - Slow computer response time
  - Numerous aborted or suspended development projects
  - Unsupported or unauthorized hardware or software purchases
  - Frequent hardware or software upgrades
  - Extensive exception reports
  - Exception reports which were not followed up on

How to Identify Potential Problems with the IPF
- Documentation review
  - IS strategies, plans, budgets
  - Security policy documentation
    - Confidential
    - Preventive controls; WHO is responsible for WHAT
  - Organizational chart
  - Job descriptions
  - Steering committee reports
  - System development and program change procedures
  - Operations procedures
  - HR manuals

How to Identify Potential Problems with the IPF
- Interview and observe
  - Actual performance
  - Security awareness
  - Reporting relationships
- Review contractual agreements
  - Development of contract agreements
  - Contract bidding process
  - Contract selection process
  - Contract acceptance
  - Contract maintenance
  - Contract compliance

Management, Planning and Organization of IS: End
