PPT Slides

  1. Management, Planning and Organization of IS (11%, ~22 questions)
  2. Objectives
     - Evaluate IS strategy to ensure it aligns with business strategies
     - Evaluate IS policies to ensure they support IS strategy
     - Evaluate IS management practices to ensure compliance with IS policies
     - Evaluate IS organization to ensure adequate support of the organization's business requirements
     - Evaluate management of outsourced services to ensure they support IS strategy
  3. Evaluate the following (from top to bottom):
     - Business objectives
     - IS strategy
     - IS policies, standards and procedures
     - IS management practices
  4. IS Strategy
     - Strategic planning
       - IS strategy aligns with the organization's business plan
     - Steering committee
       - Oversees the IS department
       - Consists of senior management, IS staff and user department management
       - Chairman: a member of the board of directors
  5. Steering Committee
     - Duties and responsibilities
       - Formalized in a charter
       - Members understand IS policies, practices and procedures well
       - Each member has his/her own area of responsibility
       - Should NOT become involved in routine operations
  6. Steering Committee
     - Review long- and short-term plans
     - Review and approve major purchases of h/w and s/w within limits
     - Approve and monitor major projects, set priorities, and monitor overall IS performance
     - Provide liaison between IS and user departments
     - Approve budget and review allocation
     - Decide on centralization vs. decentralization
  7. Policies and Procedures
     - Policies
       - High-level documents
       - Corporate philosophy
       - Clear and concise
       - Fully explained to the staff affected
       - Lower-level policies are defined accordingly
       - Top-down vs. bottom-up approach
  8. Procedures
     - Detailed documents
       - Derived from the parent policy
       - Realize the corresponding policy
       - Easily and properly understood
       - More dynamic
       - Frequent reviews and updates required
  9. Human Resources Policies/Practices
     - Background checks
     - Confidentiality agreements
     - Conflict of interest agreements
     - Non-compete agreements
     - Control risks
       - NOT suitable for the position
       - Reference checks NOT carried out
  10. Employee Handbook
     - Security policies and procedures
     - Company expectations
     - Employee benefits
     - Vacation policies
     - OT rules
     - Outside employment
     - Performance evaluations
  11. Employee Handbook
     - Disciplinary actions
       - Excessive absence
       - Breach of confidentiality or security
       - Non-compliance with policies
  12. Termination Policies
     - Voluntary termination
     - Immediate termination
     - Return of keys, ID cards and badges
     - Deletion of log-in ID
     - Notification to other staff and security personnel
     - Arrangement of final payment
     - Termination interview
  13. Outsourcing Practices
     - Increasingly important in many organizations
       - Desire to focus on core activities
       - Pressure on profit margin
       - Increasing competition that requires cost cuts
       - Flexibility in terms of organization and structure
  14. Outsourcing Practices
     - Contractor services
       - Data entry (banks, airlines)
       - Design and development of new systems (ASP)
       - Maintenance of existing applications
       - Conversion of legacy applications to new platforms (web-based migration)
  15. Outsourcing Practices
     - Possible disadvantages
       - Costs higher than expected
       - Loss of internal IS experience
       - Loss of control
       - Vendor failure
       - Difficulty in reversing or changing the outsourcing agreement
  16. Outsourcing Practices
     - Business risks
       - Hidden costs
       - Contract terms not being met
       - Service costs not competitive over time
       - Obsolescence of vendor systems
       - Decrease in bargaining power
  17. Outsourcing Practices
     - To minimize business risks
       - Establish measurable, partnership-enacted shared goals and rewards
       - Utilize multiple suppliers or withhold a piece of business as an incentive
       - Form a cross-functional contract management team
       - Contract performance metrics
       - Periodic benchmarking
  18. Service Level Agreement (SLA)
     - Well-balanced
     - Instrument of control
     - Includes means, methods, processes and structure to measure performance
     - Quantifiable
     - Enforceable
  19. Audit Concerns of Outsourcing
     - Contract protection
       - Adequately protects the company
     - Audit rights
       - Right to audit vendor operations
     - Continuity of operations
       - Continued service in case of disaster (disaster recovery plan)
     - Integrity, confidentiality and availability of the company's data
  20. Audit Concerns of Outsourcing
     - Access control/security administration
     - Violation reporting and follow-up
     - Change control and testing
     - Network controls
     - Performance management (load balancing)
  21. IS Management Practices
     - Traditional role of the IS department (a service department) is changing
     - Management principles
       - People management
         - Personnel are highly qualified and paid and have less concern for job security
         - Flat organization
         - Junior-level personnel often have major responsibilities and authority
  22. IS Management Practices
     - Management of change
       - Always new applications and technologies
       - Stay abreast of technology and proactively embrace change
     - Focus on good processes
       - Documented procedures
       - Programming standards, testing, data backup
       - Quality control and assurance
  23. IS Management Practices
     - Security
       - The Internet
       - Business continuity (plan)
       - Disaster recovery (plan)
     - Handling third parties
       - Many vendors work together on one system
       - Management matters
  24. IS Assessment Methods
     - IS budgets
     - Capacity and growth planning
     - User satisfaction
       - SLA with internal user departments
       - System availability
       - Product distribution time
     - Industry standards/benchmarking
  25. IS Assessment Methods
     - Financial management practices
       - User-pays scheme
       - Chargeback: man-hours, computer time and other resources
         - Measures effectiveness and efficiency
     - Goal accomplishment
       - Measures effectiveness
       - Logging system
  26. IS Assessment Methods
     - Examples of logs
       - Data entry staff keep full details of each batch (duration and errors)
       - Computer operators maintain logs of all batch jobs and time taken
       - Off-site backups and data storage are logged
       - Problems in h/w and s/w are identified in daily logs
       - Applications generate their own error logs
  27. IS Assessment Methods
     - Functionality
       - Existence of functions that satisfy stated needs
     - Reliability
       - Capability of software to maintain its level of performance under stated conditions
     - Usability
       - Effort needed for use, and individual assessment of such use by users
  28. IS Assessment Methods
     - Efficiency
       - Relationship between the level of performance of software and the amount of resources used
     - Maintainability
       - Effort needed to make specified modifications
     - Portability
       - Ability of software to be transferred from one platform to another
  29. IS Organization Structure and Responsibilities
     - Management structures (line vs. project)
     - Line management
       - Head: CIO
       - Systems development manager
         - Responsible for programmers and analysts
       - End-user support manager
       - Data manager
         - Data architect; manages data as a resource
  30. IS Organization Structure and Responsibilities
       - Technical support manager
         - Responsible for systems programmers
       - Security administrator
         - Provides adequate logical and physical security
       - Network manager/administrator
       - Operations manager
         - Responsible for computer operators, librarians, schedulers and data control personnel
       - Quality assurance manager
       - Segregation of duties
  31. IS Responsibilities and Duties
     - Information Processing (IP) vs. System Development and Enhancement
     - IP: operational aspects, e.g. computer operations, systems programming, telecomm and librarian functions
     - Systems development: analysis and programming, e.g. development, acquisition and maintenance of application systems
  32. IP
     - Operations = information processing facility (IPF)
     - Operations management control
       - Physical security
         - Protect from theft, fire, flood, malicious destruction, mechanical and power failures
       - Data security
         - Physical security of the hardware that processes data
         - Employee education: data security and privacy
  33. IP
       - Processing controls
         - Ensure timely, complete, accurate and secure processing
         - Data control (more details in Business Process Evaluation and Risk Management)
         - Production control: job scheduling, job submission and media management
  34. IP
     - Data entry
       - Batch vs. online
       - Data control unit
         - Receives source documents from user departments and ensures proper safekeeping until processing is done and source documents and outputs are returned
         - Prepares batches of source documents with accurate control totals
         - Schedules and sets up jobs
  35. IP
     - Librarian
       - Records, issues, receives and safeguards programs and data files on tapes and disks
       - Crucial position
     - Security administration
       - Ensures users comply with the security policy and that controls are adequate
       - Maintains access rules
       - Maintains security and confidentiality over passwords
  36. IP
       - Monitors security violations and takes corrective action
       - Reviews and evaluates the security policy
       - Prepares and monitors a security awareness program for employees
       - Tests the security architecture to detect threats
     - Quality assurance
       - Quality Assurance vs. Quality Control
  37. IP
     - Quality Assurance
       - Ensures personnel follow prescribed quality processes
       - E.g. ensures programs and documentation adhere to standards and naming conventions
     - Quality Control
       - Conducts tests or reviews to ensure software is free from defects and meets user expectations
       - Must be done before moving into production
       - Checks accuracy and authenticity of input, processing and output
  38. IP
     - Database administration
       - Defines and maintains the data structure in the db
       - Understands the organization's and users' data and data relationships
       - Responsible for security and information classification
       - Responsible for actual design, definition and maintenance
  39. IP
     - Control over the DBA
       - Segregation of duties
       - Management approval
       - Supervisor review of access logs
       - Detective controls
  40. IP
     - Systems analysis
       - Designs systems based on user needs
       - Involved in the initial phase of the SDLC
       - Like an interpreter
     - Application programming
       - Develops new systems and maintains existing ones
       - NO access to production programs
       - Works in a test-only environment
  41. IP
     - Systems programming
       - Maintains system software
       - Unrestricted access to the whole system
       - Monitored by keeping logs, and allowed to access only relevant system libraries
     - Network management
       - LAN or WAN
       - Responsible for technical and administrative control
  42. IP
       - Ensures correct functioning of transmission links
       - Backups of the system
       - S/w and h/w authorized for purchase and installed properly
       - Could be the security administrator in small installations
       - NO application programming rights, but end-user responsibilities
     - Help desk administration
  43. Segregation of Duties within IS
     - Transaction authorization
       - Responsibility of the user department
       - Must perform periodic checks
     - Reconciliation
       - Responsibility of the user department
     - Custody of assets
       - Data owner is the user department
       - Owner has responsibility for determining authorization levels
  44. Segregation of Duties within IS
     - Access to data
       - Physical + system + application security in BOTH the user area and the IPF
       - System and application security are additional layers to prevent unauthorized access
       - The Internet has posed a greater threat
         - Extranet
  45. Segregation of Duties within IS
     - Authorization forms
       - User managers define WHO should have access to WHAT
       - Forms must be approved
       - Some organizations maintain signature authorization logs
       - Access privileges are periodically reviewed
     - User authorization tables
       - Use authorization form data to build authorization tables
       - Update, modify, delete and/or view
  46. Segregation of Duties within IS
     - Exception reporting
       - Ensure exceptions are properly and promptly handled
     - Audit trails
       - Map to retrace the flow of a transaction
       - Recreate the actual transaction flow from origin to updated file
       - An audit trail can be a compensating control
     - Transaction logs
  47. How to Identify Potential Problems with the IPF
     - Indicators
       - Unfavorable end-user attitudes
       - Excessive costs
       - Budget overruns
       - Late projects
       - High turnover
       - Inexperienced staff
  48. How to Identify Potential Problems with the IPF
       - Excessive backlog of user requests
       - Slow computer response time
       - Numerous aborted or suspended development projects
       - Unsupported or unauthorized h/w or s/w purchases
       - Frequent h/w or s/w upgrades
       - Extensive exception reports
       - Exception reports which were not followed up on
  49. How to Identify Potential Problems with the IPF
     - Documentation review
       - IS strategies, plans, budgets
       - Security policy documentation
         - Confidential
         - Preventive controls; WHO is responsible for WHAT
       - Organizational chart
       - Job descriptions
       - Steering committee reports
       - System development and program change procedures
       - Operations procedures
  50. How to Identify Potential Problems with the IPF
     - Interview and observe
       - Actual performance
       - Security awareness
       - Reporting relationships
     - Review contractual agreements
       - Development of contract agreements
       - Contract bidding process
       - Contract selection process
       - Contract acceptance
       - Contract maintenance
  51. Management, Planning and Organization of IS: End
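As an added worked example (not part of the original deck), the following Python ties together slides 40, 45 and 46: it builds a user authorization table from approved authorization forms (update/modify/delete/view) and produces the exception report an IS auditor would review, flagging unapproved or self-approved forms, application programmers with production access, and privileges not periodically reviewed. All users, roles, resource names and the 90-day review period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Privileges a form may grant (slide 45: update, modify, delete and/or view).
PRIVILEGES = frozenset({"view", "update", "modify", "delete"})

@dataclass(frozen=True)
class AuthForm:
    user: str
    role: str            # job function of the requester
    resource: str        # data set or environment named on the form
    privileges: frozenset
    approved_by: str     # user manager who signed; "" means never approved
    last_review: date    # when the granted privileges were last reviewed

def build_authorization_table(forms):
    """Build {(user, resource): privileges} from approved, well-formed forms only.
    The table records what was granted; policy violations go to the exception report."""
    table = {}
    for f in forms:
        if not f.approved_by or not f.privileges <= PRIVILEGES:
            continue  # an unapproved or malformed form grants nothing
        key = (f.user, f.resource)
        table[key] = table.get(key, frozenset()) | f.privileges
    return table

def find_exceptions(forms, today, review_days=90):
    """Return (user, finding) pairs for the exception report (slide 46)."""
    findings = []
    for f in forms:
        if not f.approved_by:
            findings.append((f.user, "form not approved"))
        elif f.approved_by == f.user:
            findings.append((f.user, "form self-approved"))
        # Slide 40: application programmers work in a test-only environment.
        if f.role == "application programmer" and f.resource.startswith("production"):
            findings.append((f.user, "programmer access to production"))
        # Slide 45: access privileges must be periodically reviewed.
        if (today - f.last_review).days > review_days:
            findings.append((f.user, "privileges not reviewed within period"))
    return findings

# Constructed sample forms (hypothetical users, roles and resources).
SAMPLE_FORMS = [
    AuthForm("alice", "data entry clerk", "production-payroll",
             frozenset({"view", "update"}), "mgr-payroll", date(2024, 3, 1)),
    AuthForm("bob", "application programmer", "test-payroll",
             frozenset({"view", "modify"}), "mgr-dev", date(2024, 3, 1)),
    AuthForm("bob", "application programmer", "production-payroll",
             frozenset({"modify"}), "mgr-dev", date(2024, 3, 1)),
    AuthForm("carol", "systems analyst", "test-payroll",
             frozenset({"view"}), "", date(2024, 3, 1)),
    AuthForm("dave", "operations manager", "production-scheduler",
             frozenset({"view", "update"}), "dave", date(2023, 9, 1)),
]

def run_sample_audit(today=date(2024, 4, 1)):
    """Run both checks over the constructed sample; returns (table, findings)."""
    return build_authorization_table(SAMPLE_FORMS), find_exceptions(SAMPLE_FORMS, today)

if __name__ == "__main__":
    table, findings = run_sample_audit()
    for (user, resource), privs in sorted(table.items()):
        print(f"{user:6} {resource:22} {sorted(privs)}")
    for user, finding in findings:
        print(f"EXCEPTION {user}: {finding}")
```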
