Week 7 - Choices in Systems Acquisition and Risks, Security, and Disaster Recovery
Sousa, K., & Oz, E. (2015). Management Information Systems, 7th Edition. Cengage Learning.
ISBN-13: 978-1285186139
Read:
· Chapter 13
· Chapter 14
Week 7 Lecture 1 - Choices in Systems Acquisition and Risks, Security
Management of Information Systems
Choices in Systems Acquisition and Risks, Security
Systems Acquisition
Options to consider when acquiring a new system are development in-house, outsourcing, licensing, software as a service (SaaS), and having users develop the system. There are trade-offs to consider for each option. In-house development has several advantages: a good fit to organizational need and culture; dedicated maintenance, since the developers are accessible within the company; a seamless interface, since a system that is custom-made for an organization can implement special requirements to ensure that it interfaces properly with other systems; and specialized security, since special security measures can be integrated into the application. Additionally, there is a potential for strategic advantage. Some of the disadvantages of in-house development are high cost, a long wait for development personnel, who might be busy with other projects, and an application that may be excessively organization-specific to integrate with other systems.
Outsourcing
Advantages of outsourcing are improved financial planning, since outsourcing enables a client to know the exact costs of IT functions over the period of a contract. Another advantage is reduced license and maintenance fees (through discounts). Outsourcing gives businesses an opportunity to increase their attention to the core business by letting experts manage IT. Outsourcing also provides shorter implementation time, as IT vendors can in most cases complete a new application in less time than in-house development. A reduction in personnel is another advantage, as IS salaries and benefits are expensive. Outsourcing increases access to highly qualified knowledge: clients can tap into the IT vendor's knowledge and experience gained by working with many clients in different environments.
Some of the risks of outsourcing IT services are a loss of control; a loss of experienced employees, since outsourcing involves transferring the organization's employees to the vendor; and the risk of losing competitive advantage, since outsourcing the development of strategic systems is the same as disclosing trade secrets. Another disadvantage is high price: despite careful pre-contractual calculations, companies find that outsourcing costs them significantly more than if they had spent their resources on in-house development.
Licensing
Benefits of licensing software are immediate system availability, low price (the license fee), available support, and high quality. Immediate availability shortens the time between the decision to acquire the new system and the point at which the new system begins to be productive. The product is high qual ...
Some of the risks of licensing software are that the software is a loose fit to the needs and culture of the organization, because the software is ready-made and developed for the widest common denominator. Another risk is that modifications to the software can be difficult and complicated to maintain. There is a chance that the vendor could dissolve or stop supporting the software. Changes in the vendor's organization can influence the support and the quality of software upgrades.
Software as a service (SaaS)
An application service provider (ASP) is an organization that offers use of software over a network such as the Internet or a private network. Applications provided by ASPs are referred to as software as a service (SaaS). The application is not installed on the client's computer. However, the client can choose to save data to their local computer. Benefits of software as a service are the elimination of the need to maintain application software, elimination of reliance on experts for installation and maintenance, no need to purchase hardware for installation, a significant reduction in implementation time, no financial risk, and support provided by the SaaS vendor.
Caveat emptor: buyer, beware. ASPs can disappoint organizations by not providing the scope of services and level of reliability expected. Before deciding on an ASP, thoroughly research its history, validate the ASP's financial strength, ensure that you understand the price structure, get a list of the ASP's infrastructure, and carefully craft a service contract. An important aspect to check is the uptime of the ASP's systems. An appropriate uptime percentage would be 99.999%. An inappropriate percentage would be 99.9%, which allows 500 minutes per year of downtime; that would be unacceptable in most cases.
User application development
Another alternative to software development is user application development, which is sometimes appropriate when organizations do not wish to purchase or rent an application that is not very complex. User application development is performed by nonprogrammers for their own use. These applications tend to be fairly simple and limited in scope, and can be maintained by the end users. These applications are usually used for a brief period of time and then discarded. End users should not develop complex applications that interface with other systems. An advantage of end-user development is short lead times. Another advantage of user application development is a good fit to the organizational needs. User application development complies with the organizational culture, it can be an efficient use of resources, and it also frees up information systems staff time.
A disadvantage of user application development is that the applications can be poorly developed. Another disadvantage is that an organization that relies on user development runs a risk of creating islands of information or private databases. Sometimes users will develop applications that are identical to existing systems elsewhere in the organization. Security issues could arise, particularly if the user developer is given access to organizational databases to develop the application. Additionally, user-developed applications tend to be poorly documented.
Week 7 Lecture 2 - Disaster Recovery
Management of Information Systems
Disaster Recovery
Risks and Security
As companies have increased their dependency on the Internet, the risk to information has increased. Information technology has connected individuals and organizations, and threats have increased proportionately. Security and data breaches associated with information technology have eroded trust in business organizations and government entities. Although hardware and software are expensive investments and should be protected, the security of data is far more critical for an organization.
Controls
Controls are actions taken to minimize damage to or loss of
data, software, or hardware. Controls are applied in the form of
hardware, procedures, and software. A control is a constraint.
The challenge is to apply a constraint that poses minimal delay
and inconvenience to legitimate users of data, hardware, and
software.
Recovery plans
Increasingly, businesses are creating business recovery plans, also called business continuity plans or business resumption plans. These plans detail what should be done if critical systems go down. Business recovery plans should not focus on the damage to an organization's assets, but on its business. The plan should contain contingencies in the case of a disaster that would enable resumption of business operations.
Experts have proposed nine steps to a business recovery plan.
Obtain management’s commitment to the plan
Establish a planning committee
Perform risk assessment and impact analysis
Prioritize recovery needs
Select a recovery plan
Select vendors
Develop and implement the plan
Test the plan
Continually test and evaluate
Some companies choose not to fully develop their own recovery plan and instead outsource it to companies that specialize in either disaster recovery planning or provision of alternative sites. Some companies provide both planning and software for disaster recovery. Duplicate databases and applications are maintained for clients.
Major goals of information security are to
Reduce the risk of systems ceasing operation,
Maintain information confidentiality,
Ensure the integrity and reliability of data resources,
Ensure the uninterrupted availability of resources,
Ensure compliance with policies and laws
Laws passed by U.S. Congress setting standards for protecting
privacy
Health Insurance Portability and Accountability Act of 1996
(HIPAA)
Sarbanes-Oxley Act of 2002 (SOX)
CIA triad: foundational concepts of information systems
security
Confidentiality
Integrity
Availability
Risks associated with cloud computing and data storage
Downtime: the period of time during which an IS is not
available
$26 billion lost annually in the U.S. due to downtime
Costs of downtime vary depending on industry, the size of the
company, and other factors
There are also risks to hardware.
The #1 cause of system downtime is hardware failure
Major causes of hardware damage
Natural disasters
Fires, floods, earthquakes, hurricanes, tornadoes, and lightning
Blackouts and brownouts
Blackout: total loss of electricity
Brownout: partial loss of electricity
Uninterruptible power supply (UPS): backup power for a short
time
Major causes of hardware damage
Vandalism
Deliberate destruction
Deliberate alteration or destruction is often done as a prank, but
has a high cost
Online vandal’s target may be a company’s website
Hacking: unauthorized access
Honeytoken: a bogus record in a networked database used to
combat hackers
Honeypot: a server containing a mirrored copy of a database or
a bogus database
Educates security officers about vulnerable points
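As an added example (not from the textbook or the lecture), the honeytoken idea above turned into detection logic: a bogus customer record is planted, and any query that references its value in a database audit log is raised as an alert. The log format, column names, user names and token values are constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed honeytoken values: bogus customer rows that no legitimate
# business process ever reads, so any query naming them is suspect.
HONEYTOKENS = {
    "customer_id": {"90000001", "90000002"},
    "email": {"honeytoken.alpha@example.invalid"},
}

# Constructed database audit-log sample in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z user=app_web query=SELECT * FROM customers WHERE customer_id='10442'
2024-03-01T10:00:07Z user=app_web query=SELECT * FROM customers WHERE customer_id='90000001'
2024-03-01T10:01:30Z user=analyst query=SELECT email FROM customers WHERE email='honeytoken.alpha@example.invalid'
2024-03-01T10:02:00Z user=app_web query=UPDATE customers SET status='x' WHERE customer_id='10443'
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) query=(?P<query>.*)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    column: str
    value: str


def find_honeytoken_access(log_text, honeytokens=HONEYTOKENS):
    """Return one Alert per (log line, honeytoken value) hit, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the audit format
        query = m.group("query")
        for column, values in honeytokens.items():
            for value in values:
                # Match the bogus value only where it is bound to its own column,
                # so an unrelated literal that happens to contain it is ignored.
                pattern = rf"\b{re.escape(column)}\s*=\s*'{re.escape(value)}'"
                if re.search(pattern, query, flags=re.IGNORECASE):
                    alerts.append(Alert(m.group("ts"), m.group("user"), column, value))
    return alerts


if __name__ == "__main__":
    for alert in find_honeytoken_access(SAMPLE_LOG):
        print(f"ALERT {alert.timestamp} user={alert.user} touched {alert.column}={alert.value}")
```

A hit from an application account (app_web here) is as interesting as one from a human analyst, since it suggests the application's access path is being abused.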
Virus: spreads from computer to computer
Worm: spreads in a network without human intervention
Antivirus software: protects against viruses
Trojan horse: a virus disguised as legitimate software
Logic bomb: software that is programmed to cause damage at a
specific time
Unintentional, non-malicious damage can be caused by:
Poor training
Lack of adherence to backup procedures
Unauthorized downloading and installation of software may
cause damage
Human error
There are risks to online operations. Many hackers try daily to
interrupt online businesses
Some types of attacks
Unauthorized access
Data theft
Defacing of webpages
Denial of service
Hijacking computers
Denial of service (DoS): an attacker launches a large number of
information requests
Slows down legitimate traffic to site
Distributed denial of service (DDoS): an attacker launches a
And digital certificates
Firewall: hardware and software that blocks access to
computing resources
The best defense against unauthorized access over the Internet
Firewalls are now routinely integrated into routers
DMZ: demilitarized zone approach
One end of the network is connected to the trusted network, and
the other end to the Internet
Connection is established using a proxy server
Proxy server: “represents” another server for all information
requests from resources inside the trusted network
Can also be placed between the Internet and the trusted network
when there is no DMZ
Authentication: the process of ensuring that you are who you
say you are
Encryption: coding a message into an unreadable form
Messages are encrypted and authenticated to ensure security
Important when communicating confidential information, e.g.,
financial and medical records
A message may be text, image, sound, or other digital
information
Encryption programs scramble the transmitted information
Plaintext is the original message
Ciphertext is the encoded message
Encryption uses a mathematical algorithm and a key
A key is a unique combination of bits that will decipher the
ciphertext
Public-key encryption uses two keys, one public and one private
Symmetric encryption is when the sender and the recipient use
the same key
Asymmetric encryption is when both a public and a private key
are used
Security measures may reduce mishaps, but no one can control
all disasters
Recovery measures are preparation for uncontrolled disasters
that require recovery of data and information.
Redundancy may be used
It is very expensive, especially in distributed systems
Other measures must be taken
A business recovery plan is a detailed plan about what should
be done and by whom if critical systems go down
Also called a disaster recovery plan, business resumption plan,
or business continuity plan
To develop a business recovery plan
Obtain management’s commitment to the plan
Establish a planning committee
Perform risk assessment and impact analysis
Prioritize recovery needs
Mission-critical applications: those without which the business
cannot conduct operations
Select a recovery plan
Select vendors
Develop and implement the plan
Test the plan
Continually test and evaluate
Can outsource recovery plans to firms that specialize in disaster
recovery planning
Hot sites are alternative sites that a business can use when a
disaster occurs
Backup sites provide desks, computer systems, and Internet
links
Companies that implement hot sites
IBM
Hewlett-Packard
SunGard Availability Services