Slide 1: Management, Planning and Organization of IS
- Exam weight: 11%, ~22 questions
Slide 2: Objectives
- Evaluate IS strategy to ensure it aligns with business strategies
- Evaluate IS policies to ensure they support IS strategy
- Evaluate IS management practices to ensure compliance with IS policies
- Evaluate IS organization to ensure adequate support of the organization's business requirements
- Evaluate management of outsourced services to ensure they support IS strategy

Slide 3: Evaluate the following
- IS management practices
- IS policies, standards and procedures
- IS strategy
- Business objectives

Slide 4: IS Strategy
- Strategic planning: IS strategy aligns with the organization's business plan
- Steering committee
  - Oversees the IS department
  - Consists of senior management, IS staff and user department management
  - Chairman: a member of the board of directors
Slide 5: Steering Committee, duties and responsibilities
- Formalized in a charter
- Members understand IS policies, practices and procedures well
- Each member has his/her own area of responsibility
- Should NOT become involved in routine operations
- Acts as review board for major IS projects

Slide 6: Steering Committee
- Reviews long- and short-term plans
- Reviews and approves major purchases of h/w and s/w within limits
- Approves and monitors major projects, sets priorities, and monitors overall IS performance
- Provides liaison between IS and user departments
- Approves budget and reviews allocation
- Decides on centralization vs decentralization
- Reviews and approves outsourcing plans

Slide 7: Policies and Procedures, policies
- High-level documents
- Corporate philosophy
- Clear and concise
- Fully explained to the staff affected
- Lower-level policies are defined accordingly
- Top-down vs bottom-up approach

Slide 8: Procedures
- Detailed documents
- Derived from the parent policy
- Realize the corresponding policy
- Easily and properly understood
- More dynamic: frequent reviews and updates required
Slide 9: Human Resources Policies/Practices
- Background checks
- Confidentiality agreements
- Conflict of interest agreements
- Non-compete agreements
- Control risks
  - Staff NOT suitable for the position
  - Reference checks NOT carried out
  - Temp staff and contractors introduce uncontrolled risks

Slide 10: Employee Handbook
- Security policies and procedures
- Company expectations
- Employee benefits
- Vacation policies
- OT (overtime) rules
- Outside employment
- Performance evaluations
- Emergency procedures

Slide 11: Employee Handbook, disciplinary actions
- Excessive absence
- Breach of confidentiality or security
- Non-compliance with policies

Slide 12: Termination Policies
- Voluntary termination
- Immediate termination
- Return of keys, ID cards and badges
- Deletion of log-in ID
- Notification to other staff and security personnel
- Arrangement of final payment
- Termination interview
- Escort from premises
Slide 13: Outsourcing Practices
- Increasingly important in many organizations
- Desire to focus on core activities
- Pressure on profit margins
- Increasing competition that requires cost cuts
- Flexibility in terms of organization and structure

Slide 14: Outsourcing Practices, contractor services
- Data entry (banks, airlines)
- Design and development of new systems (ASP)
- Maintenance of existing applications
- Conversion of legacy applications to new platforms (web-based migration)
- Help desk or call center

Slide 15: Outsourcing Practices, possible disadvantages
- Costs higher than expected
- Loss of internal IS experience
- Loss of control
- Vendor failure
- Difficulty in reversing or changing the outsourcing agreement

Slide 16: Outsourcing Practices, business risks
- Hidden costs
- Contract terms not being met
- Service costs not competitive over time
- Obsolescence of vendor systems
- Decrease in bargaining power
- Lock-in

Slide 17: Outsourcing Practices, to minimize business risks
- Establish measurable, partnership-enacted, shared goals and rewards
- Utilize multiple suppliers or withhold a piece of business as an incentive
- Form a cross-functional contract management team
- Contract performance metrics
- Periodic benchmarking
- Implement short-term contracts

Slide 18: Service Level Agreement (SLA)
- Well-balanced
- Instrument of control
- Includes means, methods, processes and structure to measure performance
- Quantifiable
- Enforceable
Slide 19: Audit Concerns of Outsourcing
- Contract protection: adequately protects the company
- Audit rights: right to audit vendor operations
- Continuity of operations: continued service in case of disaster (disaster recovery plan)
- Integrity, confidentiality and availability of the company's data

Slide 20: Audit Concerns of Outsourcing
- Access control/security administration
- Violation reporting and follow-up
- Change control and testing
- Network controls
- Performance management: load balancing

Slide 21: IS Management Practices
- The traditional role of the IS department as a service department is changing
- Management principles
- People management
  - Personnel are highly qualified and well paid, and have less concern about job security
  - Flat organization
  - Junior-level personnel often have major responsibilities and authority
  - Training, development and challenging work
Slide 22: IS Management Practices, management of change
- Always new applications and technologies
- Stay abreast of technology and proactively embrace change
- Focus on good processes
  - Documented procedures
  - Programming standards, testing, data backup
  - Quality control and assurance

Slide 23: IS Management Practices, security
- The Internet
- Business continuity (plan)
- Disaster recovery (plan)
- Handling 3rd parties: many vendors work together on one system
- Management matters

Slide 24: IS Assessment Methods
- IS budgets
- Capacity and growth planning
- User satisfaction
- SLA with internal user departments
- System availability
- Product distribution time
- Industry standards/benchmarking

Slide 25: IS Assessment Methods, financial management practices
- User-pays scheme
- Chargeback: man-hours, computer time and other resources
- Measure effectiveness and efficiency
- Goal accomplishment: measures effectiveness
- Logging system

Slide 26: IS Assessment Methods, examples of logs
- Data entry staff keep full details of each batch (duration and errors)
- Computer operators maintain logs of all batch jobs and time taken
- Off-site backups and data storage are logged
- Problems in h/w and s/w are identified in daily logs
- Applications generate their own error logs
- Security log details who did what and when

Slide 27: IS Assessment Methods, software quality characteristics
- Functionality: existence of functions that satisfy stated needs
- Reliability: capability of software to maintain its level of performance under stated conditions
- Usability: effort needed for use, and individual assessment of such use by users
Slide 28: IS Assessment Methods, software quality characteristics (continued)
- Efficiency: relationship between the level of performance of software and the amount of resources used
- Maintainability: effort needed to make specified modifications
- Portability: ability of software to be transferred from one platform to another

Slide 29: IS Organization Structure and Responsibilities
- Management structures (line vs project)
- Line management
  - Head: CIO
  - Systems development manager: responsible for programmers and analysts
  - End-user support manager
  - Data manager: data architect, manages data as a resource
  - Database administrator

Slide 30: IS Organization Structure and Responsibilities
- Technical support manager: responsible for system programmers
- Security administrator: provides adequate logical and physical security
- Network manager/administrator
- Operations manager: responsible for computer operators, librarians, schedulers and data control personnel
- Quality assurance manager
- Segregation of duties
Slide 31: IS Responsibilities and Duties
- Information Processing (IP) vs Systems Development and Enhancement
- IP: operational aspects, e.g. computer operations, systems programming, telecom and librarian functions
- Systems development: analysis and programming, e.g. development, acquisition and maintenance of application systems

Slide 32: IP
- Operations = information processing facility (IPF)
- Operations management control
- Physical security: protect from theft, fire, flood, malicious destruction, mechanical and power failures
- Data security
  - Physical security of the hardware that processes data
  - Employee education: data security and privacy
  - Logical security, e.g. against unauthorized access

Slide 33: IP, processing controls
- Ensure timely, complete, accurate and secure processing
- Data control (more details in Business Process Evaluation and Risk Management)
- Production control: job scheduling, job submission and media management

Slide 34: IP, data entry
- Batch vs online
- Data control unit
  - Receives source documents from user departments and ensures proper safekeeping until processing is done and source documents and outputs are returned
  - Prepares batches of source documents with accurate control totals
  - Schedules and sets up jobs
  - Verifies, logs and distributes output to the appropriate department
Slide 35: IP
- Librarian
  - Records, issues, receives and safeguards programs and data files on tapes and disks
  - Crucial position
- Security administration
  - Ensures users comply with the security policy and that controls are adequate
  - Maintains access rules
  - Maintains security and confidentiality over passwords

Slide 36: IP, security administration (continued)
- Monitors security violations and takes corrective action
- Reviews and evaluates the security policy
- Prepares and monitors the security awareness program for employees
- Tests the security architecture to detect threats
- Quality assurance: quality assurance vs quality control

Slide 37: IP
- Quality assurance
  - Ensures personnel follow prescribed quality processes
  - E.g. ensures programs and documentation adhere to standards and naming conventions
- Quality control
  - Conducts tests or reviews to ensure software is free from defects and meets user expectations
  - Must be done before software is moved into production
  - Checks accuracy and authenticity of input, processing and output

Slide 38: IP, database administration
- Defines and maintains the data structure in the database
- Understands the organization's and users' data and data relationships
- Responsible for security and information classification
- Responsible for actual design, definition and maintenance
- A very powerful administrator, e.g. can access production data

Slide 39: IP, controls over the DBA
- Segregation of duties
- Management approval
- Supervisor review of access logs
- Detective controls
Slide 40: IP
- Systems analysis
  - Designs systems based on user needs
  - Involved in the initial phase of the SDLC
  - Like an interpreter
- Application programming
  - Develops new systems and maintains existing ones
  - NO access to production programs
  - Works in the test environment only

Slide 41: IP
- Systems programming
  - Maintains system software
  - Unrestricted access to the whole system
  - Monitored by keeping logs; allowed to access relevant system libraries
- Network management
  - LAN or WAN
  - Responsible for technical and administrative control

Slide 42: IP, network management (continued)
- Ensures correct functioning of transmission links
- Backups of the system
- S/w and h/w authorized for purchase and installed properly
- Could be the security administrator in small installations
- NO application programming rights, but end-user responsibilities
- Help desk administration
Slide 43: Segregation of Duties within IS
- Transaction authorization
  - Responsibility of the user department
  - Must perform periodic checks
- Reconciliation: responsibility of the user department
- Custody of assets
  - Data owner is the user department
  - Owner has responsibility for determining authorization levels
  - Data security administrator implements and enforces the security system

Slide 44: Segregation of Duties within IS, access to data
- Physical + system + application security in BOTH the user area and the IPF
- System and application security are additional layers to prevent unauthorized access
- The Internet and extranets have posed a greater threat

Slide 45: Segregation of Duties within IS, authorization forms
- User managers define WHO should have access to WHAT
- Forms must be approved
- Some organizations maintain signature authorization logs
- Access privileges are periodically reviewed
- User authorization tables
  - Use authorization form data to build authorization tables
  - Privileges: update, modify, delete and/or view
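Slides 43 to 45 describe approved authorization forms feeding a user authorization table that is then periodically reviewed. The following added example is not from the original slides: it loads only approved forms into such a table and runs the access review, using the application-programmer (test only) and DBA (supervisor review) rules from slides 38 to 40 as constructed segregation-of-duties rules; all users, managers and role names are assumptions.

```python
# Added example (not from the original slides): build a user authorization table
# from approved authorization forms and run the periodic access review the slides
# describe, with segregation-of-duties (SoD) checks. All data here is constructed.
from dataclasses import dataclass

PRIVILEGES = {"view", "update", "modify", "delete"}  # privilege set from the slides

@dataclass(frozen=True)
class AuthForm:
    user: str
    role: str              # IS role named on the form
    system: str            # "test" or "production"
    privileges: frozenset
    approved_by: str       # user manager's signature; "" means not approved

# SoD rules from the slides: application programmers work in test only, and a
# DBA's production access is a powerful privilege reviewed via access logs.
PROHIBITED = {("application programmer", "production")}
REVIEW_REQUIRED = {("database administrator", "production")}

def build_table(forms):
    """Return ({(user, system): privileges}, [rejected users]) from approved forms."""
    table, rejected = {}, []
    for f in forms:
        if not f.approved_by or not f.privileges <= PRIVILEGES:
            rejected.append(f.user)   # unsigned or unknown privilege: not loaded
            continue
        key = (f.user, f.system)
        table[key] = table.get(key, frozenset()) | f.privileges
    return table, rejected

def access_review(forms):
    """Periodic review: sorted (user, system, finding) for SoD and privileged access."""
    findings = []
    for f in forms:
        if not f.approved_by:
            continue
        if (f.role, f.system) in PROHIBITED:
            findings.append((f.user, f.system, "SoD conflict"))
        elif (f.role, f.system) in REVIEW_REQUIRED and f.privileges - {"view"}:
            findings.append((f.user, f.system, "supervisor review"))
    return sorted(findings)

FORMS = [  # constructed sample forms with hypothetical users and managers
    AuthForm("alice", "data control", "production", frozenset({"view"}), "mgr1"),
    AuthForm("bob", "application programmer", "test", frozenset({"update", "modify"}), "mgr2"),
    AuthForm("bob", "application programmer", "production", frozenset({"update"}), "mgr2"),
    AuthForm("carol", "database administrator", "production", frozenset({"update", "delete"}), "mgr3"),
    AuthForm("dave", "operator", "production", frozenset({"view"}), ""),  # unsigned form
]
```

Running `build_table(FORMS)` rejects the unsigned form and `access_review(FORMS)` flags the programmer's approved-but-prohibited production access and the DBA's production privileges.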
Slide 46: Segregation of Duties within IS
- Exception reporting: ensure exceptions are properly and promptly handled
- Audit trails
  - A map to retrace the flow of a transaction
  - Recreate the actual transaction flow from origin to updated file
  - An audit trail can be a compensating control
- Transaction logs

Slide 47: How to Identify Potential Problems with the IPF, indicators
- Unfavorable end-user attitudes
- Excessive costs
- Budget overruns
- Late projects
- High turnover
- Inexperienced staff
- Frequent h/w and/or s/w errors

Slide 48: How to Identify Potential Problems with the IPF, indicators (continued)
- Excessive backlog of user requests
- Slow computer response time
- Numerous aborted or suspended development projects
- Unsupported or unauthorized h/w or s/w purchases
- Frequent h/w or s/w upgrades
- Extensive exception reports
- Exception reports which were not followed up on

Slide 49: How to Identify Potential Problems with the IPF, documentation review
- IS strategies, plans, budgets
- Security policy documentation
  - Confidential
  - Preventive controls: WHO is responsible for WHAT
- Organizational chart
- Job descriptions
- Steering committee reports
- System development and program change procedures
- Operations procedures
- HR manuals

Slide 50: How to Identify Potential Problems with the IPF, interview and observe
- Actual performance
- Security awareness
- Reporting relationships
- Review contractual agreements
  - Development of contract agreements
  - Contract bidding process
  - Contract selection process
  - Contract acceptance
  - Contract maintenance
  - Contract compliance

Slide 51: Management, Planning and Organization of IS
- End