Module 9: IS operational and security issues



Overview

Firms that make extensive use of information systems must contend with a number of ongoing challenges. Planning for systems, then building and implementing them, accounts for only about 20% of an IS department's budget. Maintaining systems and dealing with ongoing operations reflect the largest expenses of the IS department.

There are many IS operations issues. Strategic planning, data quality, and the management of IS personnel, which relate to ongoing operations, were covered in Module 2. This module focuses on some other important operational and security issues, which can be categorized into three classes:

- structuring of the IS function, particularly the ownership of IS resources
- protecting IS resources from accidental or intentional threats
- addressing ethical challenges associated with IS operations

Topic 9.1 deals with the ownership of resources. Decisions about what functions to outsource, what functions to own, and what kinds of providers to work with when outsourcing are critical to the structuring of the IS function. Not all resources have to be owned by the firm, and making these choices is an important general management role. Topics 9.2 to 9.4 address IS security issues, and Topic 9.5 provides an overview of the issues surrounding the ethics of IS.

This module will help you develop the following professional competencies:

- Advise on the development of IT strategy.
- Prepare and advise on contract structure and enforcement.
- Advise on the financial implications of IT acquisitions and vendor selection, in this case, outsourcing.
- Identify and analyze risk factors.
- Implement and advise on measures to mitigate risk.
- Make recommendations to safeguard IT assets so as to ensure organizational ability to meet business objectives.
- Advise on the development of business continuity planning.
- Make recommendations and develop an IT disaster recovery plan.
- Evaluate and consult on the organization's assurance needs.
- Apply professional ethical standards.
- Assess and advise on the organization's policy of privacy of personal and corporate information.

9.1 Outsourcing and outsourcing models
9.2 IS security: Threats and vulnerability
9.3 Dealing with security issues
9.4 Role of auditing in IS security
9.5 Ethical issues


9.1 Outsourcing and outsourcing models

Learning objectives

- Evaluate the advantages and disadvantages of outsourcing information systems, and assess different outsourcing models. (Level 1)
- Evaluate the key factors to address when considering an outsourcing arrangement. (Level 1)

Required reading

- Chapter 11, Section 11.4, Technology Issues and Opportunities for Global Value Chains
- Review Chapter 9, Section 9.3, Alternative Systems Development Approaches

LEVEL 1

The text provides a brief overview of the advantages and disadvantages of outsourcing in the context of alternative systems development approaches. Outsourcing is an effective way to provide a portion of a firm's information systems services. Outsourcing can result in lower costs and better performance, if managed well. But managing outsourcing arrangements is complex. It depends more on partnership management than on control, and there are many risks to be considered. Smart planning for outsourcing deals is an important way to improve the chances of productive and profitable relationships.

Activity 9.1-1: Financial systems outsourcing

CGAs with IS expertise have many opportunities in financial systems outsourcing projects. In this episode of Living It, you'll be introduced to a successful CGA practitioner who has made this his focus. (This presentation is approximately eight minutes long.)

What is outsourcing?

Outsourcing is defined as "the practice of contracting computer centre operations, telecommunications networks, or applications development to external vendors." [1] Two aspects of this definition of outsourcing need further explanation.

First, many texts describe outsourcing as an alternative to traditional systems development methods. Yet, to think about outsourcing as a systems development approach puts a great deal of emphasis on applications development while ignoring computer centre operations and telecommunications. Outsourcing is at least as much about the management of the function and dealing with operational issues as it is about systems development.

Second, the definition does not explicitly acknowledge that outsourcing involves contracting for all or part of the functions described. Too many managers think about outsourcing as being about turning over the entire IS function, or at least the vast majority of it, to an external provider. Yet recent research suggests that there are only a handful of total outsourcing deals around the world. The most common paradigm for outsourcing is selective outsourcing.

Outsourcing history

Outsourcing has its historical roots in the timesharing systems of the late 1960s and early 1970s. In the earliest days of corporate computing, hardware was extremely expensive and there were relatively few specialists capable of designing and building systems. Most of the applications were highly structured (for example, payroll and general ledger), and it was common to purchase access to systems through a timesharing firm. For many firms, this was the only way they could ensure reliable processing of business data.

As computer prices dropped dramatically (especially with the development of the minicomputer and then the PC), the financial incentive to pursue timesharing became less potent. Moreover, specialists became more common as educational institutions designed programs to teach them. At the same time, companies began to recognize that there were other things they could do with the information in their systems, things that might be best handled in proprietary ways to provide strategic advantage. The majority of companies began to build their own internal systems, own their own hardware, and control all (or nearly all) aspects of their IS operations.

By the mid-1980s, IS costs were spiralling out of control (according to many senior managers), and it was not clear what benefits were being achieved. A few notable firms (for example, Eastman Kodak and First Fidelity Bancorporation) started to pursue outsourcing of their systems, a new take on timesharing with new partners. One key difference was that the systems being outsourced were not generic applications but those that had previously been considered "strategic" by the firms. The accepted wisdom that you had to own resources that were considered strategic began to be questioned.

Outsourcing models

The following are different models and variations of outsourcing.

The outsourcing market is worth more than $150B annually, with 7% annual growth expected through the period covered by the forecast. The top three players are still IBM Global Services, HP Enterprise Services, and Accenture, but India-based firms like Infosys Technologies, Tata Consulting and Wipro Technologies are growing at a faster pace and may soon challenge for the top spots.

Traditional outsourcing model

The traditional outsourcing model involves an outsourcing provider who runs custom designed applications for a firm. The outsourcing provider may maintain specific hardware for that firm or may have multiple firms using the same hardware (for example, a large mainframe running applications for three different firms). Telecommunications connections often include dedicated leased lines to ensure high performance through the network. The outsourcing provider adds value through its expertise, its ability to attract skilled professionals, and the economies of scale that accrue from combining applications on single hardware platforms.

ASP model

Today, outsourcing includes both traditional outsourcing and new models. The application service provider (ASP) model has had a rocky start, but appears to be emerging as a viable option for many firms. In the ASP approach, the provider runs relatively generic applications accessed through the Internet. Firms contracting with ASPs get very little choice in their application design, but can get very low rates for monthly access.

ASP services were initially provided by third-party companies. These organizations would purchase applications from software companies and then offer to own and run them for clients. Many of these early firms struggled financially, and now the ASP market is dominated by software companies who seek alternative ways of marketing their products (such as leasing rather than licensing).

Shared service facilities

Other variations on the outsourcing model are common in web operations. Shared service facilities, where a provider and its customers work as a team in maintaining and operating systems, are used in both traditional data processing and e-commerce. Because of security concerns, many companies (correctly) want to run their website off computers separate from their in-house production systems. Limiting the points of connectivity between these systems limits the risk of outsiders gaining access to those internal systems. Also, when web operations were first becoming popular, many firms lacked the expertise in developing and managing websites. For both of these reasons, web hosting, which is contracting a company to design and/or operate a website, became a common practice.

Various kinds of hosting facilities exist, ranging from those that only provide a place to store and operate hardware and a connection to the Internet (co-location facilities) to those that provide sophisticated development, implementation, and operational assistance, including performance monitoring, security, and disaster recovery services (shared and dedicated hosting facilities). The difference between shared and dedicated hosting facilities is whether your organization's applications are on a separate server from the other customers of the provider.

Outsourcing in a global marketplace

In the last ten years or so, new competitors in the outsourcing arena have emerged in the developing economies. India represents a key location of outsourcing suppliers, with clients based around the world. Historically, the motivation for offshore outsourcing has been largely financial. Estimates of the wage differential between North America and India suggest it might be five times cheaper to locate IS tasks in India. Even factoring in the so-called "hidden costs" of offshore outsourcing (higher costs of negotiating and monitoring contracts, challenges in dealing with language, and so on), the savings can still be significant.

In a global marketplace, however, chasing the lowest wage rate to gain high savings is ultimately a losing game. As Indian firms have become more globally competitive, their volume of work has increased and their staff needs have increased to the point where there is competition for key talent. As a result, salaries in the sector have increased, and new offshore destinations such as China and Korea have started to develop. Theoretically, over a long period of time, wage rates around the world will even out until there is little wage-rate benefit to any particular location. Indian software firms understand this challenge and have expended significant resources to become more than just a low cost player. The investment by Indian firms in developing capability maturity model (CMM) certification is one of the means by which they attempt to distinguish themselves as suppliers of choice.

Not all IS jobs are amenable to offshore outsourcing; programming work is easily sent overseas since it can be done reasonably independently from the work of the organization (assuming good specifications are written). But some IS work is tightly coupled with the business processes it supports. The work of business analysts, for example, depends on regular interaction with users. While it is theoretically possible to do this work at a distance using technology mediated communications, it is practically quite difficult. Interestingly, in some of these areas that are closer to the user, Canada has become an offshore destination for U.S. companies. The practice is referred to as near-shoring. The financial savings are not as great as they would be with offshoring to an emerging economy, but there are benefits in terms of cultural similarity and ease of communication (for example, less significant time zone differences, and more potential for occasional face-to-face interaction).

Outsourcing advantages and disadvantages

Outsourcing offers many advantages to firms that pursue it as an IS management approach. Many risks and limitations are also associated with the approach. These pros and cons must be evaluated for each firm and each task that is considered a candidate for outsourcing.

Advantages

The key advantages of outsourcing can be summarized as follows:

- cost savings through economies of scale and scope
- infusion of cash through liquidation of computer assets
- facilitation of the transition of the data centre from cost centre to profit/loss centre
- ability to rapidly introduce new technology and access IS talent
- focus on core competencies

Cost savings

Cost savings accrue from economies of scale (sharing a large mainframe computer across multiple different clients) and economies of scope (working across a larger range of projects and processes and allowing fixed cost resources to be spread over more kinds of work). The ability to save costs is a key management motivator for outsourcing and can be a very real benefit. Forrester estimates that firms can save between 12% and 17% of their current IT spending by effectively outsourcing some elements. [2]

Infusion of cash

The infusion of cash that often occurs at the start of an outsourcing deal, when assets are liquidated (often they are sold to the outsourcing provider), is a short-term benefit. On its own, it is a poor reason to pursue a long-term business arrangement such as outsourcing, but it can have a nice effect on the cash balance in the year in which the outsourcing deal is completed.

Cost centre operation

IS departments in organizations tend to operate as cost centres rather than as profit centres (in other words, because they are support services for the organization and do not generate revenue, they are evaluated based on their ability to control costs rather than based on profits). This is fine in principle, but there is a danger that costs will not be managed well enough because there is no revenue or "benefit" figure against which to compare them. Outsourcing arrangements, on the other hand, require an explicit comparison between revenues and costs and can thus result in more efficient operations within the IS function. This seems to be especially true with respect to data centre operations.

Access to new technology and IS talent

The next two benefits of outsourcing come from the expertise developed by the outsourcer. Because these firms are in the business of providing effective and efficient IS services to clients, it is in their business interest to develop deep expertise in technology and its application. An outsourcer may be able to more rapidly develop and implement a new technology. Moreover, outsourcers have better access to new technology and new IS talent because of their focus on IS.

Focus on core competencies

Finally, outsourcing arrangements, by turning over the IS operations to a firm that specializes in those tasks, allow the organization to focus its internal resources on its own core competencies. For most firms, IS is not a core competency. Working in partnership with a firm for whom it is a core competency frees up management attention to focus on other priorities.

Risks and limitations

The critical risks and limitations of outsourcing include

- loss of direct managerial control
- potential for lock-in (difficulty in reversing the decision)
- dependence on the outsourcer's viability (financial strength, responsiveness, service, and so on)
- diluted strength of in-house staff
- lack of knowledge of the business by the vendor (outsourcer)
- lack of flexibility
- untenable long-term contracts; fixed price versus service trade-off
- requirement for skills in partnership management
- strategic factors

Loss of direct management control

The loss of direct management control concerns many managers. While control does not necessarily result in higher performance (especially when the outsourcer has better expertise and can take advantage of scale or scope economies), the loss of control does necessitate a new way of thinking about how to manage the function.

Potential for lock-in and vendor dependence

Outsourcing arrangements can be difficult to undo once they are started. IT assets have been liquidated, staff have gone to work at the outsourcer or have left altogether, and there is no easy way to get out of the arrangement if things aren't going well. As a result, there is a tendency towards creeping lock-in and dependence on the vendor. The organization's vulnerability increases over time as the arrangement continues, and its bargaining position worsens as its dependence increases.

Viability of the outsourcer

Dependency on the outsourcer plays a role in the ability to negotiate contracts, but it also exposes the organization to the business risks of the outsourcer. What happens if the outsourcer goes bankrupt, as happened to several ASPs in 2001? How will you deal with issues of data and resource ownership and ensure that your systems keep operating? What happens if the outsourcer decides to change its market focus? The outsourcer may continue to provide service, but the expertise you have come to rely on may not be maintained as other options are pursued. Understanding the viability and strategy of your outsourcing partner is a critical element of developing this kind of partnership.

Dilution of in-house IT staff

One of the reasons dependency increases is that the strength of your in-house IS staff is diluted over time. If data centre operations are outsourced, for example, most of your staff in this function will leave. They will either be "acquired" by the outsourcer along with your hardware and software, or they will leave the firm to work elsewhere, voluntarily or not. This is a necessary part of the outsourcing arrangement if cost savings are to be achieved. A small staff may be kept to act as relationship managers with the outsourcer, but the skills required of these employees will be different from those required in the past. As a result, much of your internal technical expertise will vanish. Not only does this decrease your ability to walk away from the arrangement, but it also makes it more difficult to manage the outsourcer, as it now has more expertise than you.

Lack of knowledge of your business

While a key advantage of outsourcing arrangements is the expertise that the outsourcer has in the management of IS, these firms lack detailed knowledge of your business. Because success in IS comes from matching IT opportunities with firm needs, understanding both the technology and the business is necessary. This relates back to the strategic focus of the outsourcer. Companies that specialize in providing services in your industry or related industries likely have a better sense of the issues you will face. Without this expertise, there will be a greater education and communication requirement between the two firms to ensure that needs are understood and met.

Reduced flexibility

If economies of scale and scope are key reasons why outsourcers are able to charge lower prices for the same services, it stands to reason that they will try to limit the options for any one firm to increase similarity across organizations. The result is reduced flexibility in how applications are operated. Flexibility may also be lost in the provision of support services (for example, your help desk operations are merged with the outsourcer's central help desk), the handling of maintenance processes, and in other aspects of IS operations. The importance of this flexibility to the firm must be critically examined to determine whether it is worth the added cost that it usually involves.

Risks of a fixed-price contract

A related issue is the trade-off between fixed-price contracts and fee-for-service contracts, especially when the contracts are long-term. Deciding how to price an outsourcing contract is complex. The organization buying the contract would, ideally, like to have a known price that cannot be easily changed, to protect it from the dependencies described earlier. Many outsourcing contracts are like this. However, if the costs of providing the service turn out to be substantially higher than expected, the outsourcer faced with a fixed-price contract will have little choice but to reduce service levels as much as possible. If such situations are not handled well, there is a risk that the IS operations will not provide adequate support to the business.

Skills in partnership management

Many of these factors point to the need for skills in partnership management in order to make outsourcing work successfully. Dealing with contract issues requires the development of a trusting relationship and a set of mechanisms for determining when the conditions of the contract have changed sufficiently to warrant renegotiation. Dealing with management of the outsourcer, when the resources are outside of your direct control, also requires partnership management skills. This is not really a limitation of outsourcing, but you should realize its importance in dealing with many of the limitations presented.

Strategic factors

A final concern with outsourcing relates to "strategic factors." This broad category refers to the idea that applications and processes that are core to the company may not be best handled by an outsourcer. This is not a simple decision. It may still be that outsourcing is the best approach, even for strategic applications such as supply chain and customer relationship management. The question is whether the way the processes are handled is sufficiently novel to warrant keeping direct control.

ASP advantages and disadvantages

The ASP approach to outsourcing is slightly different from the traditional approach. Along with the general advantages and disadvantages of outsourcing that have already been covered, there are some specific benefits and limitations relevant to the ASP approach.

Advantages of ASP

With the ASP approach, you access applications and data through any web browser worldwide, using a low-cost connection through the Internet. This results in simpler access, which may be particularly valuable to small firms that cannot afford the infrastructure to maintain their own communications platform and to firms with a high number of mobile workers.

The ASP approach is a pay-as-you-use pricing model. Applications are leased rather than licensed. Like traditional outsourcing, this turns capital costs into operating costs. But ASP contracts tend to be much more usage-based than traditional outsourcing contracts. This is valuable to organizations that are growing rapidly, because they often need to buy services now that can be scaled up as additional capacity is needed.

Finally, the ASP approach, relying on relatively more generic implementations of software applications, can result in a much faster implementation time.

Limitations of ASP

The primary limitation of the ASP approach is that the applications tend to be generic because they service so many clients. In fact, the value proposition of the ASP is access to generic applications at a very low cost. However, this limits the flexibility of the firm even more than a traditional outsourcing arrangement and may be unacceptable for organizations with more complex processes. Performance of an ASP application depends on Internet loading and outages, as well as on the transaction loads of other ASP clients. Finally, ASP applications are susceptible to Internet hackers worldwide. Security challenges must be carefully dealt with.

Negotiating outsourcing contracts

Most of the downsides of outsourcing relate to risk. There is the risk that you will become dependent on an outsourcer who will then take advantage of you, or that you will partner with a company that will subsequently go out of business. You must create an arrangement (that is, select a partner and negotiate a contract) to try to minimize these risks, and thereby maximize the likelihood that the advantages will be obtained. A number of factors have been shown to lead to more successful outsourcing contracts, measured by the degree to which cost savings are realized.

Selective outsourcing arrangements

More successful experiences tend to happen with selective, rather than total, outsourcing arrangements. Selective outsourcing arrangements allow a firm to make function-by-function decisions about which functions to keep in the firm and which to outsource. They also minimize the risks of dependence and staff dilution by keeping a significant amount of functionality in-house.

Involving IS and senior management

Joint decision making by IS management and senior executives about how to implement outsourcing is also important to success, as is the consideration of formal internal and external bids. For many senior managers, outsourcing seems like an easy way to deal with the "problem" that they perceive IS to be. They see spending they don't understand, they hear from a vendor that it can be reduced by 20% or more, and they are tempted to leap at the opportunity to get rid of a headache. Because they think IS will resist, they may not involve senior IS management in the decision making, and they will not allow the internal group to make a competitive bid for services along with outside providers. This lack of trust results in decision making that may ignore critical variables that drive costs and may miss the opportunities to provide performance improvements in other ways. Astute IS managers will not resist selective outsourcing. They will understand it as a viable option for providing some services that can enhance their overall performance and value to the firm.

Contract length

The earliest outsourcing deals were 12 to 15 years in length. It was thought that such long deals were important to ensure that this valuable infrastructure was protected, and not subject to frequent changes. Moreover, longer deals would keep vendors from raising prices as soon as the deal was settled. Today, however, shorter term contracts (such as seven years) are becoming more common. There is a recognition that too many business variables change over time to make it sensible for either the vendor or the adopter to commit to such a long-term arrangement.

Fee-for-service contracts

Contracts should be detailed fee-for-service contracts as opposed to standard or "loose" contracts. Even though outsourcing involves the creation of a partnership, there must be sufficient detail in the contracts for both parties to feel comfortable with their protections and the inability of their partners to abuse them. Fee-for-service contracts are preferred to fixed-price contracts because they allow changes in service levels (either up or down) to be reflected in the costs. Standard contracts rarely contain sufficient information to handle dispute resolution, and loose contracts leave too much room for interpretation.

Some outsourcers offer value-pricing models. That is, they ask to be compensated based on specifics of performance improvements, in order to create aligned incentives with their clients. This can be a good form of arrangement, but it depends on having good baseline measurements against which to compare future performance.

Details to include in an outsourcing contract

Among the details that should be included in any outsourcing contract are

- service levels
- data protection and ownership
- change control mechanisms
- dispute resolution
- termination
- transition, including data migration, changing software licenses, testing, training, and providing specifications

Clear statements about service levels make it apparent what exactly is being promised and paid for. Rules about data protection and ownership are essential to minimize the vulnerability associated with providing a third party with direct access to valuable corporate information. Change control and dispute resolution mechanisms are important to specify in advance, in recognition of the fact that over the course of a multi-year contract, things are going to change for both parties. Knowing in advance what things will cause the contract to be renegotiated and what procedures are in place to protect both parties can prevent a lot of problems later.

Finally, it is critical to specify in advance the processes by which the contract can be terminated and the arrangements that are in place to ensure continuity of service during any transition to a new provider. If you make an outsourcing deal without such provisions and later decide not to renew the contract with a vendor, you want to know that you have already worked through how your systems will be operated during that changeover period. Expecting a partner you have just terminated to be responsive to a request for additional services beyond what was planned for is unrealistic.

Example 9.1-1: The ASP model in a company

An example of a large software company attempting to align some of its software offerings to an ASP model is Oracle. The company is perhaps best known for its enterprise-class database management systems (DBMS). Implementing an Oracle DBMS is normally associated with large organizations and relatively large IS budgets. Later, the company became involved with a venture called Oracle Small Business Suite, which is directed to growing and medium-sized businesses. The target market is those companies who are interested in Oracle software to help manage their businesses but cannot afford or don't need a large-scale, in-house implementation. Note that Oracle only licenses its name as part of the venture, and the actual service provider is NetLedger, Inc. For more details, go to the Oracle website. The extent to which services such as these will be accepted is, as yet, uncertain.

Notes

[1] Kenneth C. Laudon, Jane P. Laudon, and Mary Elizabeth Brabston, Management Information Systems: Managing the Digital Firm, Second Canadian Edition, 2002.
[2] Roehrig, P., Ferrusi Ross, C., and Thresher, A. (2007). Outsourcing Clients Can Expect 12% To 17% Savings, Forrester Research Report, August 30, 2007.

11 file:///f /Courses/ /CGA/MS2/06course/m09t02.htm 9.2 IS security: Threats and vulnerability Learning objective Assess the different threats to information systems security, including physical and electronic threats and intentional and unintentional threats. (Level 1) Required reading Chapter 8, Sections 8.1, System Vulnerability and Abuse, and 8.2, Business Value of Security and Control LEVEL 1 Your textbook provides a brief overview of the vulnerabilities of firms to security failures and the sources of those problems. Exhibit describes and categorizes the various risks to computer systems. Exhibit 9.2-1: The columns separate physical from electronic threats. Not all security failings involve accessing files electronically. Breaking in to computing facilities to steal equipment or destroy sensitive information is as much a threat as is hacking into the data centre. A security plan must consider both kinds of risks. The rows in the matrix reflect the fact that risks to the security of information systems can be both intentional and unintentional. It is tempting to equate IT security with computer crime, but in reality, it involves all threats, including those that result from accidents. Threats to security from deliberate and inadvertent actions file:///f /Courses/ /CGA/MS2/06course/m09t02.htm (1 of 2) [20/08/ :32:03 AM]

IS security is defined in the IBM Dictionary of Computing (McDaniel, 1994) [1] as "Concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use." This is very close to the definition in the text, except that it explicitly recognizes the risk from both deliberate and inadvertent actions.

In Exhibit 9.2-1, you can see that human error plays a big role in threats to security. The biggest single security vulnerability in most firms is, in fact, the users. Even beyond the explicit categories labeled human error, user mistakes account for many other security vulnerabilities. System errors caused by bugs are ultimately a form of human error on the part of the programmer.

Social engineering is also a threat to IS security. This would include situations where a computer criminal tries to convince a system user to provide him or her with access to either facilities or systems. For example, if you wanted to gain access to sensitive systems in an organization, you might call employees and tell them you work for their IS department, are doing some routine maintenance, and require their password to check the status of their account. Or you might phone the help desk and impersonate the employee, asking for help with a password that cannot be remembered. In either case, if sensitive information is revealed, there is error on the part of the employee. Passwords should not be divulged to anyone for any reason. A critical element of any organizational security plan must be employee education (see Topic 9.3).

Computer crime

Computer crime is the most sensational aspect, though not necessarily the biggest risk, of computer security. Stories of denial of service (DoS) attacks and viruses are regular fodder for news outlets.
Less common are reports of fraud perpetrated on companies through their information systems, though these themes are common in Hollywood movies (for example, Firewall, Entrapment, and Minority Report). The statistics on computer crime give some clue as to the magnitude of the problem and the challenges in understanding it.

Example 9.2-1: Computer crime and security survey

Read about the latest CSI computer crime and security survey at the Computer Security Institute. Review the types and costs of security threats, and the methods used to combat them.

The lack of reporting of computer crime makes it more difficult to deal with the problem, but it is understandable. After all, if you just found out that your corporate systems were vulnerable to attack (because you had been attacked), would you want to announce this fact to the world and potentially expose the organization to further attacks? What would happen to consumer confidence? Investor confidence? It is easy to see why many attacks go unreported.

Manager's role in IS security

As a manager, you must recognize the wide variety of threats to information systems security. It is easy to overlook things like human error in designing a security policy, even though human errors are by far the most common threat to security. It is also easy to think of security as dealing with "high tech" electronic threats and overlook vulnerabilities in physical facilities. Security measures should be determined by business need and should be designed to protect key business processes. As a manager, you must realize that your data is at risk. You should be involved in ensuring that it is protected from the various risks that have been identified. A well-designed security policy will address all of these risks.

[1] George McDaniel, IBM Dictionary of Computing, The McGraw-Hill Companies Inc.

9.3 Dealing with security threats

Learning objectives

- Assess an organization's IS risks using the risk assessment framework. (Level 1)
- Formulate the critical elements of an organization's security plan. (Level 1)
- Explain the purpose and scope of a disaster recovery plan. (Level 1)

Required reading

Chapter 8, Sections 8.3, Establishing a Framework for Security and Control, and 8.4, Technologies and Tools for Security

LEVEL 1

Dealing with security threats requires establishing detailed plans and procedures to both minimize the risks and deal with problems when they occur. Security policies have technological and human aspects. Training and education about the role of security and the ways of protecting vital resources are necessary because even the most secure systems can be defeated by users who do not adhere to the policies designed to protect them. Plans must also be updated constantly to deal with changing threats and emerging technologies, and rehearsed in order to identify weaknesses and prepare people for crisis situations.

As more organizations conduct business over telecommunications networks and the Internet, their vulnerability to both intentional and accidental security breaches increases. The consequences of a possible attack also increase because the company is increasingly dependent on IS for carrying out business procedures. (If you have doubts, try going to a bank or grocery store when their computer systems are down!) What can you do about it? Abandoning computer-based information systems or refusing to allow access to the Internet are extreme solutions and probably not workable for most companies. What is needed is a sensible approach to IS security.

Exhibit 9.3-1: "8 Keys to a Sane Security Strategy"

Steve Andriole (2001) developed the following 8 Keys to a Sane Security Strategy:

1. Linking the [security] strategy to the organization's business strategy
2. Creating a clear written policy that covers access to data, applications and networks, software, privacy, recovery, and systems development
3. Establishing procedures for user authentication, such as password schemes
4. Establishing clear user authorizations to define which users can access which resources
5. Monitoring usage (errors, violations, activity reporting) on an ongoing basis to enforce the security policies
6. Maintaining a disaster recovery plan and running simulations to test it out on a regular basis
7. Ensuring that security personnel have broad and deep skills, outsourcing where necessary to provide those skills
8. Monitoring developments in security technology, such as firewalls, anti-virus, certificate authority, biometrics, encryption, and privacy

Andriole's approach shows a nice balance of technological and human elements, which is important because technology cannot solve all of the security challenges. It is also clearly tied to the business importance of security, which ensures that security decisions are made based on organizational realities. One area where it is lacking is in the process of setting security policy. It offers little guidance on who should be involved, what policies and procedures could be implemented, and how they should be determined.

Do you agree with Andriole's eight elements of a successful security strategy? The following sections deal with each element in Andriole's approach in more detail, complementing the material in the text.

Linking to the organization's business strategy

As with all IS decisions, the determination of an appropriate security strategy demands consideration of business strategy and business issues. Faced with the security risks and consequences described above, it is tempting for managers to want to apply lots of security (the highest level available) to organizational processes, but this can be unnecessarily costly and can get in the way of doing work. Each security measure you put in place requires system users to add a step in their daily work. Each step may be small, but when you put them all together, security can seem like so much "red tape." It also encourages users to circumvent security policies, thus defeating their purpose. Security policies should be matched to the critical nature of the business processes being supported. Is it worth it to spend thousands of dollars on biometric identification for a small professional services firm? Not likely. But it probably is worthwhile in a high-security weapons facility.

Risk assessment

The text describes risk assessment as a critical part of determining the costs and benefits of IT security. Risk assessment involves identifying possible threats, then evaluating both the likelihood (probability) of each occurring and its consequence or impact should it occur. Exhibit 9.3-2 shows a simplified version of how this might work.

Exhibit 9.3-2: A simplified risk assessment (figure not reproduced in this extraction)

In practice, you may want to evaluate risks more finely: low, medium, and high, or on a scale of 1 to 5. It is also valuable to assess your certainty about your judgments. If you think something is unlikely to happen (low probability) but have little to base that on, you may want to adjust your scoring.
Common ways of obtaining guidance about relevant risks and their probabilities include referencing technical publications and government statistics, reviewing historical information from your own organization and industry, and consulting security specialists.
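A scoring routine for an assessment of this kind, as an added example that is not part of the course material: likelihood times impact on the 1-to-5 scale the text mentions, a one-step nudge for "unlikely" ratings that rest on little evidence, and a check that every cell of the Exhibit 9.2-1 matrix has been considered. The threats, their ratings and the adjustment rule are constructed assumptions.

```python
"""Simplified risk assessment in the spirit of Exhibit 9.3-2.
Constructed example for Topic 9.3: the threats, ratings and the
confidence adjustment rule are assumptions, not the course's own."""
from collections import defaultdict
from dataclasses import dataclass

SOURCES = ("physical", "electronic")            # columns of Exhibit 9.2-1
INTENTS = ("intentional", "unintentional")      # rows of Exhibit 9.2-1
CONFIDENCE = ("low", "medium", "high")


@dataclass(frozen=True)
class Threat:
    name: str
    source: str        # one of SOURCES
    intent: str        # one of INTENTS
    likelihood: int    # 1 = rare .. 5 = almost certain
    impact: int        # 1 = negligible .. 5 = catastrophic
    confidence: str    # how well founded the two ratings are


def validate(t: Threat) -> None:
    """Reject ratings outside the 1-to-5 scale or outside the matrix."""
    if t.source not in SOURCES or t.intent not in INTENTS:
        raise ValueError(f"{t.name}: not a cell of the threat matrix")
    if not (1 <= t.likelihood <= 5 and 1 <= t.impact <= 5):
        raise ValueError(f"{t.name}: likelihood and impact must be 1 to 5")
    if t.confidence not in CONFIDENCE:
        raise ValueError(f"{t.name}: confidence must be low, medium or high")


def effective_likelihood(t: Threat) -> int:
    """An 'unlikely' rating that rests on little evidence is moved up one
    step, following the text's advice to adjust poorly founded scores."""
    validate(t)
    if t.confidence == "low" and t.likelihood <= 2:
        return t.likelihood + 1
    return t.likelihood


def risk_score(t: Threat) -> int:
    """Probability x impact, the two aspects of risk the topic describes."""
    return effective_likelihood(t) * t.impact


def rank(threats):
    """Highest risk first; ties broken by impact so that rare but
    catastrophic events are not buried below frequent nuisances."""
    return sorted(threats, key=lambda t: (risk_score(t), t.impact), reverse=True)


def by_cell(threats):
    """Group threat names into the four cells of Exhibit 9.2-1."""
    cells = defaultdict(list)
    for t in threats:
        validate(t)
        cells[(t.source, t.intent)].append(t.name)
    return dict(cells)


def empty_cells(threats):
    """Cells for which no threat has been considered at all: a sign that
    the assessment only looked at 'high tech' or only at criminal threats."""
    every_cell = {(s, i) for s in SOURCES for i in INTENTS}
    return sorted(every_cell - set(by_cell(threats)))


# Constructed sample assessment (ratings are invented for illustration).
SAMPLE = [
    Threat("Employee e-mails a spreadsheet to the wrong recipient",
           "electronic", "unintentional", likelihood=4, impact=3, confidence="high"),
    Threat("Denial of service attack on the public website",
           "electronic", "intentional", likelihood=2, impact=5, confidence="low"),
    Threat("Fire in the data centre",
           "physical", "unintentional", likelihood=1, impact=5, confidence="medium"),
    Threat("Programming bug corrupts order data",
           "electronic", "unintentional", likelihood=2, impact=4, confidence="medium"),
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{risk_score(t):2d}  {t.name}")
    print("cells with no threat considered:", empty_cells(SAMPLE))
```

Running the sample ranks the low-confidence denial of service threat first (score 15) and leaves the physical/intentional cell flagged as never assessed.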

Clear written policy

Thinking in general terms about security as you make decisions is good, but it is not a substitute for having a clear written policy. The policy should cover each of the areas from this topic, as well as rules about software (controls), privacy (covered in Module 10), and systems development. The text describes software controls (Section 8.4) and the link between systems development practices and security (Section 8.3). You should review these sections to understand their role in ensuring the security of organizational information systems.

A written policy forces you to think through the issues fully and makes it more difficult to gloss over important factors. It forces you to assign responsibilities for various factors to people or roles so that it will be clear to all how security is being maintained. Finally, it gives a greater weight to the decisions that have been made. People respond more seriously to a written document than to a lot of talk because the documentation demonstrates the value management places on the topic.

Given the range of security threats discussed in Topic 9.2, it is important to remember that the written policy needs to cover not just high technology controls, but also controls on paper-based materials (what types of documents can go in a recycling bin and what types need to be shredded) and other low technology controls (security guards, training, and so on). In larger organizations, the written security policies are likely to be contained in a separate, specific document, whereas smaller organizations may incorporate security components within their standard policies and procedures manuals. Whatever the form, security policies are meant to be taken seriously and should be presented as such.

Procedures for user authentication

Procedures for user authentication are one of the most important aspects of security.
When someone tries to log on to a network, it is important to be able to determine

- if the person is allowed to log on (authorization through a recognized username)
- if they are who they purport to be (authentication by providing the password associated with the given username; the username is a form of identification)

Bruce Schneier (Secrets & Lies: Digital Security in a Networked World, 2000, page 136) states: "Authentication is determined through a challenge to one, or a combination, of three factors, something you know (for example, a password or passphrase), something you have (for example, an access card or key), or something you are (for example, a physical characteristic)."

Something you know

Passwords

Passwords are the most common security mechanism for user authentication. You probably know the basic rules of secure passwords:

- They should include both upper and lower case letters, numbers, and symbols in seemingly random patterns. Longer passwords are also more secure.
- They should be changed frequently (every 30 days or so), and repetition of recently used passwords should not be allowed.
- They should not be words found in the dictionary because one password cracking technique is simply to try every word in the dictionary.
- They should not be names or other things that are easily guessed (important dates, phone numbers, and so on).

Of course, all of these rules amount to passwords that are difficult for users to remember. Many people write down their passwords so that they're accessible, which defeats the purpose of passwords. There is a trade-off between the theoretical level of security enforced on passwords and their usability and security in practice.
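The rules above written out as a checker, as an added example that is not the course's own code. It covers the character mix, the dictionary and easily guessed checks, the ban on reusing recent passwords (history kept as salted hashes) and the 30-day change rule; the 10-character minimum, the 5-password history depth, and the tiny word list are assumptions standing in for a real policy and a real dictionary file.

```python
"""Checker for the password rules listed under 'Something you know'.
Constructed example for Topic 9.3, not the course's own code.  Assumed
values: a 10-character minimum (the text only says longer is better), a
5-password reuse history, and a tiny word list standing in for a real
dictionary file."""
import hashlib
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 10                 # assumption: the text only says longer is better
MAX_AGE = timedelta(days=30)    # "changed frequently (every 30 days or so)"
HISTORY_SIZE = 5                # assumption: previous passwords that may not be reused
PBKDF2_ROUNDS = 200_000
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
# Constructed stand-in for a dictionary word list.
DICTIONARY = {"password", "welcome", "summer", "climbed", "helmet", "letmein"}


def hash_password(password, salt=b""):
    """Salted PBKDF2 so that the reuse history never stores plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(candidate, history):
    """True if the candidate matches one of the last HISTORY_SIZE entries."""
    return any(hash_password(candidate, salt)[1] == digest
               for salt, digest in list(history)[-HISTORY_SIZE:])


def check_password(candidate, username, history=()):
    """Return the rules the candidate breaks; an empty list means it complies."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in candidate):
        problems.append("no symbol")
    # Dictionary rule: the letters of the password must not form a single word.
    letters = "".join(c for c in candidate if c.isalpha()).lower()
    if letters in DICTIONARY:
        problems.append("is a dictionary word")
    # Easily guessed things: the user's own name, or a date or phone number.
    if username.lower() in candidate.lower():
        problems.append("contains the username")
    if re.search(r"\d{4,}", candidate):
        problems.append("contains a date- or phone-number-like digit run")
    if in_history(candidate, history):
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems


def password_expired(last_changed, today=None):
    """The 30-day change rule."""
    today = today or date.today()
    return today - last_changed > MAX_AGE


if __name__ == "__main__":
    # The mixed-case rendering of the course's climbing passphrase passes every rule.
    print(check_password("sHEcLiMbEd5.Ten", "jsmith"))      # []
    print(check_password("jsmith2024!", "jsmith"))          # several problems
```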

Passphrases

Another alternative is the use of passphrases. These are short phrases of normal words that are assembled in a seemingly nonsensical way, such as "sHEcLiMbEd5.Ten." The advantage of these passphrases is that they can be easier to remember than a completely random string of characters and symbols, but they are still difficult to crack (the example passphrase would be meaningful to rock climbers: 5.10 is a difficulty rating, and the capitalized letters spell HELMET). Notice that the passphrase example here still complies with the basic rules.

Single sign-on

A goal in many organizations, and a worthwhile one, is single sign-on. When an organization has several different systems, each with its own security, users may be required to sign on to each system as they enter it. This, however, creates red tape for the user and frustrates them with the security requirements of the organization. Single sign-on involves creating programs that can pass sign-on information from one system to the next so that once a user is authenticated on the network, their access privileges and password information can be automatically given to the other systems they access. There are a number of challenges with this type of approach. First, a single point of attack may give an outsider access to multiple systems. Second, building single sign-on capability into unintegrated legacy systems can be an enormous programming challenge. Finally, implementing single sign-on often requires authorization information to be stored on the client PC, which is a security risk itself.

Something you have

Access cards can also be an important tool for security. Access cards can be required to access places, providing for physical security, but they can also be used with systems. Users have to insert a card into a reader and then give a password to access the system.
This means that even if a password is guessed, it is unusable without the access card, or if an access card is lost, it is unusable without the password. Such overlapping schemes enhance the security of authentication tools.

Something you are

While authentication establishes "you are who you say you are," most security measures focus on "something you know and something you have." These are really indirect measures of who you are and can be circumvented. Biometric identification techniques are becoming more popular and less expensive, focusing more directly on authentication based on something you are. Because they measure physical characteristics (for example, fingerprints, hand scans, retinal scans, and handwriting), biometric identification techniques tend to be more secure. The disadvantages of biometrics include

- sometimes using intrusive measurement techniques (for example, retinal scans)
- concerns about data privacy (for example, storage of highly personal user data that is itself subject to access)
- the relative permanence of biometric data (for example, you only have two retinas; if their characteristics are digitally copied, they can no longer reliably be used for authentication).

Biometric measures are still more costly than other authentication techniques, such as password schemes, and must be more closely evaluated from a risk management perspective. A useful website to learn more about biometrics is the United States government's Biometric Consortium.

User authorizations

Authentication procedures are used to allow access to resources (such as data, applications, and networks) that users need to perform their jobs, even though not all users need the same level of access. The concept of having different levels of access to resources depending on user requirements is called authorization.
For example, although most users should probably have access to the office telephone numbers of their colleagues, they should not have access to their home telephone numbers or their salaries. Thus, different users require different levels of data access. Similarly, not all users would need access to an order entry system because not all users would be expected to process customer orders. They require different levels of application access. Finally, on a LAN, users should have access to their own files, but not to those of other users unless the files are intended to be shared. This requires different network access. All these levels of access must be formally defined by the organization.

Designing access rules is part of the systems development process (systems design). You should start by considering organizational roles and the functionality needs driven by those roles. There are two basic ways to approach this sort of access identification: inclusion and exclusion. Inclusion is the more secure approach. You begin with zero access for every user and then add access as needed to specific data, applications, or networks. The danger with this approach is that if it is not done well, users will be frustrated in their attempts to work on systems to which they have not been granted required access, and calls to the IS group to change access rules will increase. Exclusion involves starting with access to everything and then excluding things that are not needed. It is easier to implement (less danger of forgetting to give users access to something they need) but far less secure. It is too easy to forget something that the user has no need for but that compromises security. As a result, security specialists recommend the inclusion approach, even though it may take more adjusting to ensure it is complete.

Monitoring usage

Having a security plan is not sufficient. Knowing that certain users are only allowed to access certain functions and that the system has been designed to accomplish this is great, but monitoring the network to ensure that it is working as intended is essential. The text describes intrusion detection systems that can be used to monitor unexpected network traffic. Network logging software can also be used to monitor who is logged on at any given time, what processes (applications) they are using, and what changes they are making.
This log should be monitored to ensure security policies are being followed and violations are followed up.

One technique for monitoring hackers is the creation of a honey pot. A honey pot is a dummy network set up to attract and monitor hackers. To improve defences on their production systems, organizations implement, maintain, and monitor these systems to track common intrusion techniques, popular service and port targets, trojans delivered, intruder source IP addresses, and so on. Honey pots are subjected to somewhat less security than production networks, but enough to make them credible to would-be intruders. However, their monitoring facilities are very sophisticated in order to track intrusions as they occur. Because monitoring takes system resources, it might not be practical to implement the same degree of monitoring on a production system as it might compromise overall performance. But on the honey pot, there is not the same volume of transaction processing, so the high level of monitoring is feasible. Of course, if implemented poorly, a honey pot could actually compromise security by providing an easy target and point of entry into corporate systems. In addition, the cost of creating and maintaining such a system makes it an impractical approach for small businesses.

Business continuity planning

Planning to minimize the likelihood of security failures is essential. Authentication and authorization procedures, as well as the controls described in the text, are all designed to minimize the probability that something will go wrong. But probability is only one aspect of risk; impact is the other crucial factor. Business continuity planning (or disaster recovery planning) deals with what happens when things do go wrong. Even a low probability event can sometimes occur. So what do you do when it does happen? For example, what do you do if your website is subject to a denial of service attack? Who is notified of the problem?
What steps do they take, in what order, to end the attack, resume services when it is ended, and identify the source of the attack to undertake legal action? As another example, what do you do when a tornado or earthquake takes out your data centre? Your response may be that an organization should not put its data centre in a high tornado or earthquake activity location, but these things don't just happen where they are likely. Once it has happened, what are your policies for getting things back up and running?

Backup data centres

Most companies that rely heavily on information systems for business operations maintain backup data centres. This may be done internally within the firm in situations where processing is regionally separated. In such a case, the Manitoba data centre, for example, may be able to take on processing for the Nova Scotia data centre in the event of a catastrophic loss. Alternatively, firms may contract with outside providers for access to either a hot site (a site with office equipment and hardware already installed, set up and running a recent backup of applications that can be ready in a matter of hours) or a cold site (a facility that is available but will require more setup, likely days). The choice of a hot or cold site depends on the degree to which immediate recovery is necessary. Hot sites are significantly more expensive to maintain and should only be considered in cases where the business losses associated with an outage would be very high.

Regular data backups

Data backup and recovery procedures are also an important element of a disaster recovery plan. Regular backups are necessary, daily for user files and in real time for transaction data. Backups should be periodically tested to ensure that they are correct. More than one organization has found out only after a data loss that their backup processes did not work correctly.

Test the plan

Testing business continuity plans through simulations is also essential. Having the plan written down is only half the battle. Acting it out periodically ensures that people understand their responsibilities and can react effectively in times of crisis.

Security personnel

Security is a complex, highly specialized area of IS. It requires an in-depth understanding of hardware, software, and networks, and a strong analytical ability. Not all IS personnel are suited to working in this area. An organization should ensure that it has access to the right kind of person. This is harder for small organizations that require people to fulfill multiple roles. Outsourcing some parts of security planning and management is a realistic option if the right capabilities are not present in the organization or the cost of employing someone full-time is not justified based on the security risks. For smaller organizations, outsourcing of security planning and management is likely to be the preferred option.
Monitoring developments in security technology

Security technology and security risks change relatively quickly. Computer criminals seem to have an insatiable need to find new ways to circumvent systems, and keeping up with their attacks requires changes in the means of protecting resources. Once established, security procedures need to be regularly revisited to account for new developments. This is part of the responsibility of security personnel, either internal or external.

9.4 Role of auditing in IS security

Learning objective

Evaluate the role of auditing in a security plan. (Level 2)

Required reading

Review Chapter 8, Section 8.3 (subsection on "The Role of Auditing")

LEVEL 2

The techniques for dealing with security threats all require an understanding of the current levels of security risk in organizational systems and ongoing monitoring of those risks against the security plan. IT changes too quickly to expect risks and plans to be stable. Monitoring organizational risk levels is the role of the IT/IS audit function. IS audit is a highly specialized function, often provided by public accounting firms and specialty consulting firms, but it is also not uncommon for internal audit departments to perform this function. As in all audits, it is important that the auditor be independent of the systems being audited.

Security audits

Security audits involve identifying every organizational process and the systems that support them, then tracking the security of those systems. Not all processes can be audited every year, so schedules based on the criticality of processes are made to ensure a reasonable timeframe for dealing with all of an organization's processes. Regular audits of security processes are essential to ensure the correct procedures exist and that they are being implemented as intended. Auditing looks at computer facilities, such as data centres, and applications. It assesses employee understanding of security, as well as the technology in place. It involves using computer-based tools to test for security weaknesses (for example, ethical hacking or penetration testing), as well as simple non-technological tests (such as social engineering). For example, an external auditor may test physical security procedures by trying to walk into a secure area and sit down to use a computer without authorization.
In a hospital years ago, the auditor was able to access the system without anyone in the facility recognizing her as an "intruder." She looked official, carrying a clipboard and acting as if she belonged, and no one wanted to challenge her.

Once problems are identified, and they likely will be, a plan for addressing them needs to be constructed. The auditor makes recommendations about what is to be done and the urgency with which the problems need to be addressed, and sets some kind of process to ensure that it is undertaken; perhaps certain functions will be added back into next year's audit to ensure that they are addressed. There is no sense in using resources to identify vulnerabilities if a plan and subsequent action are not undertaken to address deficiencies.

9.5 Ethical issues

Learning objectives

- Describe the five key ethical challenges related to information technology and interpret different ethical principles, including the CGA-Canada Code of Ethical Principles and Rules of Conduct, in guiding decision making about these challenges. (Level 1)
- Assess the importance of stakeholder analysis and involvement in ethical decision making. (Level 1)

Required reading

Chapter 4, Social, Legal and Ethical Issues in the Digital Firm

Review Ethics Readings Handbook, Section A and Units C1, C2, C3, and C11 (For all ethics-related readings in this course, it is assumed that you are already familiar with Section A and Units C1, C2, C3, C4, and C6 of Section C of the Ethics Readings Handbook. ERH readings are provided electronically.)

Notes on the textbook: Chapter 4, page 116

The last paragraph on page 116 of the textbook states: "The only province with a privacy law governing the private sector is Quebec. It is also the only province that meets European Union private-sector privacy law standards." Both of these statements are out of date. BC, Alberta, and Quebec all have private sector legislation, and all of Canada meets the European Union privacy law standards. For more current information, see the following websites: Office of the Privacy Commissioner of Canada; European Commission.

LEVEL 1

Information technology, through its unique characteristics and applications, has demonstrated the power to radically reshape the social world. Coupled with other forces, IT has resulted in significant changes in the structuring of organizations, the patterns of employment throughout society, and the commercial and social relationships of millions of people. No change of this size can occur without creating difficult ethical or moral issues. The text provides an excellent overview of the challenges in IS ethics. This topic highlights and extends the text coverage.
Ethics in context

Ethical and moral choices are always defined within the context of a political and social environment. For example, in Victorian England, it was considered appropriate to lock up the mentally ill in asylums where they were treated like animals. In early Mayan civilizations, human sacrifice was considered not only moral, but a religious duty. From a contemporary perspective, both of these look like terribly one-sided codes of ethics that ignored the perspectives of those confined to asylums or offered as human sacrifices. As we look back on these historical periods, we cannot help but apply the frameworks of our own social and political environments to these situations and question the correctness of those choices. It is much harder, however, to look beyond our current environment. When large-scale change occurs, our social and political imperatives do not provide sufficient guidance on how to behave. For example, in the past, organizations did not have the capability to profile customers to determine shopping and product preferences. The technology simply did not exist to create the kinds of large databases that are becoming increasingly common.


More information

Common Sense Guide to Cyber Security for Small Businesses. Recommended Actions for Information Security 1 st Edition March 2004

Common Sense Guide to Cyber Security for Small Businesses. Recommended Actions for Information Security 1 st Edition March 2004 Common Sense Guide to Cyber Security for Small Businesses Recommended Actions for Information Security 1 st Edition March 2004 Internet Security Alliance Officers Dr. Bill Hancock, Chairman, ISAlliance

More information

Making Smart IT Choices

Making Smart IT Choices Making Smart IT Choices Understanding Value and Risk in Government IT Investments Sharon S. Dawes Theresa A. Pardo Stephanie Simon Anthony M. Cresswell Mark F. LaVigne David F. Andersen Peter A. Bloniarz

More information


HOW SAAS CHANGES AN ISV S BUSINESS HOW SAAS CHANGES AN ISV S BUSINESS A GUIDE FOR ISV LEADERS Sponsored by Microsoft Corporation Copyright 2012 Chappell & Associates Contents Understanding the Move to SaaS... 3 Assessing SaaS...3 Benefits

More information


A PRAGMATIC, EFFECTIVE AND HYPE-FREE APPROACH FOR STRATEGIC ENTERPRISE DECISION MAKING An Essential Guide to Possibilities and Risks of Cloud Computing An Essential Guide to Possibilities and Risks of Cloud Computing By 2011, early technology adopters will forgo capital expenditures and

More information

Cyber Security Planning Guide

Cyber Security Planning Guide Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise

More information


BUILDING A BUSINESS CASE Page 29 Friday, January 30, 2004 10:34 AM CHAPTER 2 BUILDING A BUSINESS CASE FOR VOIP To leap or to hide Trust evidence to decide; Faith makes risky guide. James Coggins Taking Charge of Your

More information

Roadmap for an IPO. A guide to going public

Roadmap for an IPO. A guide to going public Roadmap for an IPO A guide to going public Contents Introduction 2 01 The going-public decision 4 02 Preparing for a successful offering 13 03 Current regulatory and disclosures issues 26 04 The going

More information


Audit Manual PART TWO SYSTEM BASED AUDIT Audit Manual PART TWO SYSTEM BASED AUDIT Table of content 1. Introduction...3 2. Systems based audit...4 2.1. Preparing for & planning the audit assignment...5 2.2. Ascertaining and recording the system...7

More information

A Simpler Plan for Start-ups

A Simpler Plan for Start-ups A Simpler Plan for Start-ups Business advisors, experienced entrepreneurs, bankers, and investors generally agree that you should develop a business plan before you start a business. A plan can help you

More information

Cyber Security Planning Guide

Cyber Security Planning Guide Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise

More information

Is There a Security Problem in Computing?

Is There a Security Problem in Computing? 1 Is There a Security Problem in Computing? In this chapter: The risks involved in computing The goals of secure computing: confidentiality, integrity, availability The threats to security in computing:

More information



More information



More information

Internet Security Essentials for Business 2.0

Internet Security Essentials for Business 2.0 Internet Security Essentials for Business 2.0 U.S. CHAMBER OF COMMERCE 1615 H Street, NW, Washington, DC 20062 The STOP. THINK. CONNECT. messaging convention

More information



More information

Securing Microsoft s Cloud Infrastructure

Securing Microsoft s Cloud Infrastructure Securing Microsoft s Cloud Infrastructure This paper introduces the reader to the Online Services Security and Compliance team, a part of the Global Foundation Services division who manages security for

More information

SPECIAL REPORT. 5 Mistakes Everyone Makes with Job Descriptions And How to Avoid Them

SPECIAL REPORT. 5 Mistakes Everyone Makes with Job Descriptions And How to Avoid Them SPECIAL REPORT 5 Mistakes Everyone Makes with Job Descriptions And How to Avoid Them 30611060 SPECIAL REPORT 5 Mistakes Everyone Makes with Job Descriptions And How to Avoid Them 30611000 Publisher and

More information


ICT SYSTEMS MARKETING PLAN ICT SYSTEMS MARKETING PLAN by Ladan Mehrabi Graduate Diploma in Business Administration, Simon Fraser University, 2006 Bachelors Degree in Electronics Engineering, Tehran Azad University, 2001 PROJECT

More information

Impact of Mobile Technologies on Enterprises: Strategies, Success Factors, Recommendations

Impact of Mobile Technologies on Enterprises: Strategies, Success Factors, Recommendations Reports & Publications Impact of Mobile Technologies on Enterprises: Strategies, Success Factors, Recommendations A study by Stefan Stieglitz and Tobias Brockmann published by the Vodafone Institute for

More information