Title | ISTM 410 Final Exam Notes |
---|---|
Course | ISTM |
Institution | Texas A&M University |
Pages | 14 |
Notes from the recommended study guide...
Chapter 7: Security

Opening Case (the OPM breach)
● What are some important lessons from the opening case?
  ○ The hackers did not carry out a dramatic, quick theft; they had about a year to steal the records at their leisure.
● How long did the theft take? How did the theft likely occur?
  ○ The theft took place over about a year, and it started with a stolen password.
● How long did it take the Office of Personnel Management (OPM) to detect the theft?
  ○ Many months.
● How damaging are the early reports of the data theft for the OPM?
  ○ Early reports put the loss at at least 4 million, and as many as 14 million, records. Each record contained a 127-page security clearance form with sensitive medical, personal, and relationship information.
● How long do you think it usually takes to discover a security compromise in a system after the evidence shows up?
  ○ Several seconds? Several minutes? Several hours? Several days? Several months?
  ○ A Mandiant study found that the median for 2014 was 205 days, almost 7 months.
  ○ The longest case on record in that study was 2,982 days, roughly eight years.

IT Security Decision Framework

| Decision | Who is Responsible | Why? | Otherwise? |
|---|---|---|---|
| Information Security Strategy | Business leaders | They know the business strategies | Security is an afterthought, patched on later |
| Information Security Infrastructure | IT leaders | Technical knowledge is needed | Incorrect infrastructure decisions |
| Information Security Policy | Shared: IT and business leaders | Trade-offs need to be handled correctly | Unenforceable policies that fit neither IT nor the users |
| SETA (security education, training and awareness) | Shared: IT and business leaders | Needs business buy-in and technical correctness | Insufficient training; errors |
| Information Security Investments | Shared: IT and business leaders | Evaluation of business goals and technical requirements | Over- or under-investment in security |
Password Breaches
● About 80% of breaches involve a stolen password.
● Ways to steal a password:
  ○ Phishing attack
  ○ Key logger (hardware or software)
  ○ Guessing weak passwords ("123456" is the most common)
  ○ Evil twin Wi-Fi (a rogue access point that impersonates a legitimate network)
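The first vector in that list, phishing, is the one a reader can check for mechanically. As an added example (not code from the ISTM 410 notes), the Python script below scores a message against the classic phishing signs these notes list later in Chapter 7: a familiar display name paired with a strange address, a link whose visible text names a different host than its href ("odd URL when hovering"), the usual lure themes, and risky attachment types. The sample message, the KNOWN_SENDERS allow-list, the lure regexes and the crude last-two-labels domain comparison are all constructed assumptions.

```python
"""Score an email against the classic phishing signs listed in these notes.

Added example, not from the ISTM 410 notes. The sample message, the
KNOWN_SENDERS allow-list, the lure patterns and the crude domain comparison
are constructed assumptions for illustration.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: display names the recipient knows, and the domain their mail
# legitimately comes from.
KNOWN_SENDERS = {"Acme Payroll": "acme.example"}

# Lure themes from the checklist, as (label, regex) pairs.
LURE_PATTERNS = [
    ("account is being closed", r"account (will be|is being) (closed|suspended)"),
    ("inbox is full", r"(mailbox|inbox) is (almost )?full"),
    ("contest or lottery win", r"\b(won|winner|lottery|prize)\b"),
    ("inheritance or commission", r"\b(inheritance|commission|beneficiary)\b"),
    ("product delivery failed", r"(delivery|package|parcel)\b.{0,20}\b(failed|unsuccessful)"),
    ("impossibly low price", r"\b\d{2,3}% off\b"),
]
RISKY_EXTENSIONS = {".exe", ".zip", ".bat"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)

def registrable(host):
    """Last two DNS labels (assumption: no public-suffix list, so co.uk-style
    suffixes are not handled)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def strip_tags(html):
    return re.sub(r"<[^>]+>", " ", html)

def phishing_signs(msg):
    """Return the list of checklist items the message triggers."""
    signs = []
    name, addr = parseaddr(msg["from"])
    sender_domain = addr.rsplit("@", 1)[-1]

    # Familiar name but strange email address.
    expected = KNOWN_SENDERS.get(name)
    if expected and registrable(sender_domain) != expected:
        signs.append(f"familiar name '{name}' but address domain {sender_domain}")

    # Odd URL when hovering: the visible link text names one host, the href another.
    for href, text in ANCHOR_RE.findall(msg["html"]):
        href_host = urlparse(href).hostname or ""
        shown = HOST_RE.search(strip_tags(text))
        if shown and registrable(shown.group(0)) != registrable(href_host):
            signs.append(f"link text says {shown.group(0)} but href goes to {href_host}")

    # Lure themes in subject or body.
    text = msg["subject"] + " " + strip_tags(msg["html"])
    for label, pattern in LURE_PATTERNS:
        if re.search(pattern, text, re.I):
            signs.append(label)

    # Attachment with a risky extension.
    for fname in msg.get("attachments", []):
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            signs.append(f"attachment {fname}")
    return signs

# Constructed sample, not a real email.
SAMPLE = {
    "from": '"Acme Payroll" <payroll@acme-secure-login.example>',
    "subject": "Action required: your account will be closed",
    "html": 'Click <a href="http://acme-secure-login.example/verify">https://acme.example/verify</a> today.',
    "attachments": ["Payroll_Update.zip"],
}

if __name__ == "__main__":
    for sign in phishing_signs(SAMPLE):
        print("-", sign)
```

Run against the constructed sample it reports four signs (name/domain mismatch, link text versus href mismatch, the account-closure lure, and the .zip attachment); "poor grammar" and "impossibly low prices" need human judgement or a price feed, so the script only gestures at the latter with a percent-off pattern. Treat the output as triage, not a verdict: a real mail gateway would also check SPF/DKIM alignment, which these notes do not cover.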
Insecurity of Wi-Fi: a Dutch study
● "We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled."
● The hacker ran a Wi-Fi transmitter broadcasting "Starbucks" as its network name (an evil twin). Because the café's customers connected to him, he could scan their phones and laptops for unpatched or vulnerable software, see passwords, and could have locked them out of their own accounts.
● The correspondent: "I will never again be connecting to an insecure public WiFi network without taking security measures."

Cost of Breaches
● Estimated at $145 to $154 per stolen record
● Revenue lost when sales decline
● Some costs can be recouped through insurance

Can you be safe?
● No, unless the information is permanently inaccessible
● 97% of all firms have been breached
● Security sometimes makes systems less usable

What Motivates the Hackers?
● Stolen credit card numbers sell for up to $50 each
● 2 million Target card numbers were sold for $20 each on average
● Street gang members usually get about $400 out of a card
● Some kits sell for up to $1,000
● Stolen cards can be sold for bitcoin on the Deep Web

What should Management Do?
● Security strategy
● Infrastructure
  ○ Access tools
  ○ Storage and transmission tools
● Security policies
● Training
● Investments

Storage and Transmission Tools

| Tool | Ubiquity | Advantages | Disadvantages |
|---|---|---|---|
| Antivirus/antispyware | Very high | Blocks many known threats; blocks some "zero-day" threats | Slows down the operating system; "zero-day" threats can be missed |
| Firewall | High | Can block some targeted traffic | Can only filter known threats; can have well-known "holes" |
| System logs | Very high | Can reveal the attacker's IP address; can estimate the extent of the breach | Attackers can conceal their IP address; attackers can delete logs; logs can be huge; inspections are irregular |
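The "System logs" row says logs can reveal the attacker's IP address and help estimate the extent of a breach, and the password section says the most common way in is a stolen or guessed password. As an added example (not code from the ISTM 410 notes), here is detection logic run over constructed OpenSSH-style auth log lines: a source with five or more failed password logins inside a ten-minute window is flagged, and every later successful password login from that source is recorded as a likely guessed credential, with the list of accounts reached serving as a first estimate of extent. The log lines, the year (syslog omits it), and the thresholds are assumptions.

```python
"""Password-guessing detection over authentication log lines.

Added example, not from the ISTM 410 notes. The log lines below are constructed
(OpenSSH-style syslog format) and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (not a real capture). 203.0.113.7 is a documentation
# address standing in for the attacker.
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:03 web1 sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar  3 02:14:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 02:14:09 web1 sshd[1204]: Failed password for alice from 203.0.113.7 port 51244 ssh2
Mar  3 02:14:12 web1 sshd[1205]: Failed password for alice from 203.0.113.7 port 51246 ssh2
Mar  3 02:14:15 web1 sshd[1206]: Accepted password for alice from 203.0.113.7 port 51250 ssh2
Mar  3 02:31:40 web1 sshd[1290]: Accepted publickey for bob from 198.51.100.20 port 40222 ssh2
Mar  3 02:45:02 web1 sshd[1310]: Accepted password for svc-backup from 203.0.113.7 port 51300 ssh2
Mar  3 03:10:00 web1 sshd[1400]: Failed password for carol from 198.51.100.21 port 40300 ssh2
Mar  3 03:10:30 web1 sshd[1401]: Accepted password for carol from 198.51.100.21 port 40301 ssh2
""".splitlines()

def parse(line, year=2024):
    """Return (timestamp, result, user, ip), or None for lines that are not
    password logins (syslog omits the year, so one is assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_guessing(lines, max_failures=5, window_s=600):
    """Flag any source IP with >= max_failures failed password logins inside a
    sliding window of window_s seconds. Once flagged, every later successful
    password login from that IP is recorded as a likely guessed credential;
    that account list is the first estimate of the breach's extent."""
    recent = defaultdict(list)    # ip -> failure timestamps still inside the window
    total = defaultdict(int)      # ip -> all failures seen
    findings = {}
    for ts, result, user, ip in filter(None, map(parse, lines)):
        if result == "Failed":
            total[ip] += 1
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            recent[ip].append(ts)
            if len(recent[ip]) >= max_failures and ip not in findings:
                findings[ip] = {"first_seen": recent[ip][0], "compromised": []}
        elif ip in findings and user not in findings[ip]["compromised"]:
            findings[ip]["compromised"].append(user)
    for ip, f in findings.items():
        f["failures"] = total[ip]
    return findings

if __name__ == "__main__":
    for ip, f in detect_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {f['failures']} failures since {f['first_seen']:%H:%M:%S}, "
              f"then logged in as {', '.join(f['compromised']) or 'nobody'}")
```

On the sample it flags 203.0.113.7 after its fifth failure and then records the successful logins as alice and, half an hour later, svc-backup; carol's single typo at 03:10 stays below the threshold. Two caveats follow directly from the table's disadvantages column: the check is only as good as the log it reads, so logs must be shipped off the host before an attacker with root can delete them, and a source that spreads guesses across many IP addresses (or hides behind a proxy) will not cross a per-IP threshold, which is why real deployments also count failures per target account.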
Classic Signs of Phishing
● Your account is being closed
● Your email inbox is full
● You have won a contest or lottery
● An inheritance, or a commission for handling funds
● Product delivery failed
● Odd URL when hovering over a link
● Familiar name but strange email address
● Poor grammar or spelling
● Impossibly low prices
● Attachment with an .exe, .zip, or .bat extension

Chapter 8: The Business of Information Technology

The Alcoa Lesson: Business Demands
● IT offerings need to be aligned with business demands
● IT complexities should be translated into business needs

What a manager can expect from the IT organization
● Developing and maintaining IS
● Managing supplier relationships
● Managing data, information, and knowledge
● Managing Internet and network services
● Managing human resources
● Operating the data center
● Providing general support
● Planning for business discontinuities
● Innovating current processes
● Establishing architecture platforms and standards
● Promoting enterprise security
● Anticipating new technologies
● Participating in setting and implementing strategic goals
● Integrating social IT

CIO (the most senior IT role)
● Responsible for the technology vision
● Leads design, development, implementation, and management of IT initiatives
● Is a business technology strategist or strategic business leader
● Uses technology as the core tool in
  ○ Creating competitive advantage
  ○ Aligning business and IT strategies

CIO Focus
● From efficiency to effectiveness in a constantly changing, competitive marketplace
● Formerly reported to the CFO; now reports to the CEO
● Shift over time toward helping the executive team formulate business strategy

Building a business case: components
● Executive Summary
● Overview and Introduction
● Assumptions and Rationale
● Project Summary
● Financial Discussion and Analysis
● Benefits and Business Impacts
● Schedule and Milestones
● Risk and Contingency Analysis
● Conclusion and Recommendation
● Appendices

Asset Classes
● Weill and Aral identify four asset classes of IT investments:
  ○ Transactional systems: streamline or cut the cost of business operations
  ○ Informational systems: any system that provides information used to control, manage, communicate, analyze, or collaborate
  ○ Strategic systems: any system used to gain competitive advantage in the marketplace
  ○ Infrastructure systems: the base foundation or shared IT services used by multiple applications

Valuing IT Investments
● Soft benefits make it difficult to measure the payback of an IT investment
  ○ Expensive, complex
● Valuation methods available:

| Valuation Method | Description |
|---|---|
| Return on Investment (ROI) | ROI = (Revenue - Investment) / Investment |
| Net Present Value (NPV) | Discount the costs and benefits of each year of the system's lifetime using the present value factor 1 / (1 + discount rate)^year, then sum them |
| Economic Value Added (EVA) | EVA = net operating profit after taxes - (capital x cost of capital) |
| Payback Analysis | Time that will elapse before accrued benefits overtake accrued and continuing costs |
| Internal Rate of Return (IRR) | The discount rate at which the investment's NPV is zero, compared with the corporate policy on required rate of return |
| Weighted Scoring Methods | Costs and revenues/savings are weighted by strategic importance, accuracy/confidence, and other opportunities |
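The table gives the formulas but no numbers; the Chapter 7 framework warned that the result of getting this wrong is over- or under-investment in security. As an added worked example (not from the ISTM 410 notes), the Python below applies ROI, NPV, IRR, payback and EVA to one constructed security investment: a hypothetical MFA rollout costing 120,000 up front and 20,000 a year to run, expected to avoid the exposure of 400 records a year at 150 per record (inside the notes' 145 to 154 range), i.e. a net benefit of 40,000 a year over a five-year life. The 8% discount rate, the 15% hurdle rate and the EVA inputs are assumptions too; the functions themselves work for any cash-flow vector.

```python
"""Worked valuation of a security investment with the methods in the table above.

Added example, not from the ISTM 410 notes. All figures below are constructed
assumptions: a hypothetical MFA rollout with a 120,000 outlay, 20,000/yr running
cost, and 60,000/yr of avoided breach cost (400 records x 150 per record).
"""

UPFRONT, NET_BENEFIT, YEARS, RATE, HURDLE = 120_000, 40_000, 5, 0.08, 0.15
FLOWS = [-UPFRONT] + [NET_BENEFIT] * YEARS   # FLOWS[t] is the net cash flow in year t

def npv(rate, flows):
    """Sum of flows[t] / (1 + rate) ** t; the year-0 outlay is not discounted."""
    return sum(f / (1 + rate) ** t for t, f in enumerate(flows))

def irr(flows, lo=-0.99, hi=10.0, steps=200):
    """Discount rate at which NPV is zero, found by bisection. Assumes the
    usual single sign change (an outlay followed by inflows), so NPV falls
    monotonically as the rate rises."""
    for _ in range(steps):
        mid = (lo + hi) / 2
        if npv(mid, flows) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def payback_years(flows):
    """Years until cumulative undiscounted flow reaches zero, interpolated
    within the year it happens; None if it never does."""
    if flows[0] >= 0:
        return 0.0
    cumulative = flows[0]
    for t in range(1, len(flows)):
        before = cumulative
        cumulative += flows[t]
        if cumulative >= 0:
            return t - 1 + (-before / flows[t])
    return None

def roi(total_benefit, investment):
    """ROI = (Revenue - Investment) / Investment, the table's formula."""
    return (total_benefit - investment) / investment

def eva(nopat, capital, cost_of_capital):
    """EVA = net operating profit after taxes - capital x cost of capital."""
    return nopat - capital * cost_of_capital

def evaluate(flows=FLOWS, rate=RATE, hurdle=HURDLE):
    """Apply the table's cash-flow methods to one investment."""
    r = irr(flows)
    return {
        "roi": roi(sum(flows[1:]), -flows[0]),
        "npv": round(npv(rate, flows), 2),
        "irr": round(r, 4),
        "clears_hurdle": r >= hurdle,      # the IRR row: compare with corporate policy
        "payback_years": payback_years(flows),
    }

if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key:>14}: {value}")
    # EVA needs firm-level inputs rather than project cash flows; assumed here.
    print(f"{'eva':>14}: {eva(nopat=500_000, capital=2_000_000, cost_of_capital=RATE)}")
```

With these inputs the project returns about 67% ROI, an NPV near 39,700 at 8%, an IRR just under 20% (so it clears a 15% hurdle), and pays back in exactly three years. Notice that the whole result hangs on the 60,000/yr "avoided breach cost", which is an expected loss (probability times records times cost per record) rather than revenue; that is precisely the soft-benefit problem the notes flag, and the number most worth sensitivity-testing before presenting the business case.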
The Balanced Scorecard
● Focuses attention on the organization's value drivers
● Assesses the full impact of corporate strategies on customers, the workforce, and financial performance
● Allows managers to look at the business from four related perspectives:
  ○ Financial
  ○ Internal
  ○ Learning
  ○ Customer

IT Dashboards
● A snapshot of metrics at a given point in time
● Offer an "at a glance" idea of how things are going
● Colors often depict conditions:
  ○ Red: problems
  ○ Green: good shape
  ○ Yellow: average
Comparison of IT funding methods

| Funding Method | Description | Why do it? | Why not do it? |
|---|---|---|---|
| Chargeback | Charges are calculated based on actual usage | Fairest method for recovering costs, since it is based on actual usage | Must collect details on usage; often expensive and difficult |
| Allocation | Expenditures are divided on a non-usage basis (revenues, headcount, etc.) | Less bookkeeping for IT | Users can question the rates and the basis of allocation; free riders |
| Corporate Budget | Corporate allocates funds to IT in the annual budget, charged to the general P&L | No billing to the businesses; no rates to compute; encourages use of new technologies | Has to compete with all other budgeted items for funds; potential for overspending |
Total Cost of Ownership (TCO)
● Has become the industry standard
● Looks beyond the initial capital investment to include costs that are often forgotten:
  ○ Technical support
  ○ Administration
  ○ Training
● Estimates the total annual cost per user for each potential infrastructure choice
● Provides the best foundation for comparing against other IT or non-IT investments
● Shared components (servers and printers)
  ○ TCO is divided among all users who access each component
● When only a certain group of users possesses certain components, segment the hardware analysis by platform
● Soft costs are important to include

Chapter 9: Governance of the Information Systems Organization

IT Governance
● Governance (in business) is all about making decisions that
  ○ Define expectations
  ○ Grant authority
  ○ Ensure performance
● Empowerment and monitoring help align behavior with business goals
  ○ Empowerment: granting the right to make the right decisions
  ○ Monitoring: evaluating performance
● Focuses on how decision rights can be distributed differently to facilitate three possible modes of decision making
● Organization structure plays a major role

Centralized vs. Decentralized Organizational Structures
● Centralized: brings together all staff, hardware, software, data, and processing in a single location
● Decentralized: the components of the centralized structure are scattered across different locations to address local business needs
● Federalism: a hybrid of the centralized and decentralized structures
Five Major Categories of IT Decisions

| Category | Description | Examples of Affected IS Activities |
|---|---|---|
| IT Principles | How to determine which IT assets are needed | Participating in setting strategic direction |
| IT Architecture | How to structure IT assets | Establishing architecture and standards |
| IT Infrastructure Strategies | How to build IT assets | Managing Internet and network services; data; human resources; mobile computing |
| Business Application Needs | How to acquire, implement, and maintain IT (insource or outsource) | Developing and maintaining information systems |
| IT Investment and Prioritization | How much to invest in IT assets, and where | Anticipating new technologies |
IT Governance Archetypes

Mechanisms for Making Decisions
● Policies and standards (60%)
● Review board or committee
● Steering committee (governance council)
  ○ Key stakeholders
  ○ Can operate at different levels:
    ■ Higher level (focus on CIO effectiveness)
    ■ Lower level (focus on the details of various projects)

Sarbanes-Oxley Act (SOX)
● Intended to increase regulatory visibility into, and accountability for, public companies and their financial health
  ○ All companies subject to the SEC are subject to SOX.
  ○ CEOs and CFOs must personally certify, and be accountable for, their firm's financial records and accounting.
  ○ Firms must provide real-time disclosures of any events that may affect the firm's stock price or financial performance.
  ○ The alternative is a jail term of up to 20 years.
  ○ IT departments play a major role in ensuring the accuracy of financial data.

Control Components
● Control environment
● Assessment of the most critical risks to internal controls
● Control processes that outline important procedures and guidelines
● Communication of those procedures
● Monitoring of internal controls by management

Chapter 10: Information System Sourcing

Kellwood Opening Case
1. Why did Kellwood outsource? They wanted to integrate 12 acquisitions that ran different systems.
2. Why did Kellwood decide to backsource after 13 years? It was purchased by Sun Capital Partners, whose COO wanted to consolidate to reduce costs and standardize.
3. What was the result? Savings of $3.6 million per year (17% of total IS expenses).

Insourcing
● A firm provides IS services or develops IS in its own in-house IS organization
| Insourcing Drivers | Insourcing Challenges |
|---|---|
| Core competencies related to systems | Inadequate support from top management to acquire needed resources |
| Confidentiality of sensitive system components or services | Temptation of finding a reliable, competent outsourcing provider |
| Time available in-house to develop software | |
| Expertise for software development in-house | |
IT Outsourcing
● With IT, both equipment and personnel are involved
● Equipment and facilities are sold to outside vendors
● Personnel might be hired by the outside vendors
● Services are hired from the vendors
● Common length of agreement: 10 years

| Drivers | Disadvantages |
|---|---|
| Offers cost savings | Abdication of control |
| Offers service quality | High switching costs |
| Eases the transition to new technologies | Lack of technological innovation |
| Offers better strategic focus | Loss of strategic advantage |
| Provides better management of IS staff | Reliance on the outsourcer |
| Handles peaks | Problems with security/confidentiality |
| Consolidates data centers | Evaporation of cost savings |
| Infusion of cash | |
Decisions about how to outsource successfully
● Decisions about whether or not to outsource need care and deliberation.
● They require numerous other decisions about mitigating outsourcing risks.
● Three major decision areas: selection, contracting, and scope.
● Selection: find compatible providers.
● Contracting:
  ○ Try for flexible management terms
  ○ Try for shorter (3-5 year) contracts
  ○ Try for SLAs (service level agreements on performance)
● Scope: determine whether to outsource fully or partially.

Offshoring
● Short for outsourcing offshore
● Definition: when the MIS organization uses contractor services in a distant land. (Insourcing offshore would be your own department located offshore.)
● Substantial potential cost savings through reduced labor costs.
● Some countries offer a very well educated labor force.
● Implementation of quality standards:
  ○ Six Sigma
  ○ ISO 9001
● Selection
  ○ About 100 countries now export software services and products.
  ○ What makes a country attractive for offshoring?
    ■ High English language proficiency
    ■ Peaceful and politically stable
    ■ Lower crime rates
    ■ Friendly relationships with the client's country
    ■ Security and/or trade restrictions
    ■ Protection of intellectual property
    ■ Level of technical infrastructure available
    ■ Good, efficient labor force
  ○ Once a country is selected, the particular city in that country needs to be assessed as well.
  ○ Countries like India have made an entire industry of offshoring.

Nearshoring
● Definition: sourcing service work to a foreign, lower-wage country that is relatively close in distance or time zone.
● The client company hopes to benefit from one or more ways of being close:
  ○ geographically, temporally, culturally, linguistically, economically, politically, or through historical linkages.
● Distance and language matter.
● There are three major global nearshore clusters:
  ○ 20 nations around the U.S. and Canada
  ○ 27 countries around Western Europe
  ○ a smaller cluster of three countries in East Asia
Captive Center
● An overseas subsidiary set up to serve the parent company.
● An alternative to offshoring or nearshoring.
● Four major strategies are being employed:
  ○ Hybrid captive: performs core business processes for the parent company but outsources noncore work to an offshore provider
  ○ Shared captive: performs work for both the parent company and external customers
  ○ Divested captive: has a large enough scale and scope that it could be sold for a profit by the parent company
  ○ Terminated captive: has been shut down, usually because its inferior service was hurting the parent company's reputation

Backsourcing
● When a company takes previously outsourced IS assets, activities, and skills back in-house.
● Partial or complete reversal.
● Many companies have backsourced, such as Continental Airlines, Cable and Wireless, and Halifax Bank of Scotland.
● 70% of outsourcing clients have had negative experiences and 25% have backsourced.
● Of 70 North American companies surveyed, only 4% would not consider backsourcing.

Deciding Where?
● New option: cloud computing
● Works with either outsourcing or insourcing
● Infrastructure as a Service (IaaS)
  ○ Infrastructure delivered through grids or clusters of virtualized servers, networks, storage, and systems software.
  ○ Designed to augment or replace the functions of an entire data center.
  ○ The customer may have full control of the actual server configuration.
  ○ More risk management control over the data and environment.
● Platform as a Service (PaaS)
  ○ Virtualized servers
  ○ Clients can run existing applications or develop new ones
  ○ The provider manages the hardware, operating system, and capacity
  ○ Limits the enterprise's risk management capabilities
● Software as a Service (SaaS), or Application Service Provider (ASP)
  ○ Software application functionality delivered through a web browser.
  ○ The platform and infrastructure are fully managed by the cloud provider.
  ○ If the operating system or an underlying service is not configured correctly, the data at the higher application layer may be at risk.
  ○ The most widely known and used form of cloud computing.
● Some managers shy away from cloud computing because they are concerned about:
  ○ security, specifically external threats from remote hackers and breaches of the data as it travels to and from the cloud
  ○ data privacy

Chapter 11: Managing IT Projects

Failed IS Projects
● The Standish Group found that 67% of all software projects are "challenged":
  ○ Late, or
  ○ Over budget, or
  ○ Don't perform as required
● Even one failure could endanger a firm!
Definition of "Project"
● "[A] project is a temporary endeavor undertaken to create a unique product or service."
● Temporary: every project has a definite beginning and a definite end.
● Unique: the product or service is different in some distinguishing way from all similar products or services.

Project Triangle (fast, cheap, good)
● You can only pick two:
  ○ Fast and cheap: it won't be good! (Slapped together, or done by interns.)
  ○ Fast and good: it won't be cheap! (Purchase a solution, or hire a "rock star" skilled team.)
  ○ Cheap and good: it won't be fast! This option is possible if you would wait for an open source solution or use
Project Management Office
● Project support
● Project management process and methods
● Training
● Project management home base
● Internal consulting and mentoring
● Project management software tools and support
● Portfolio management (managing multiple projects)

Essential Elements
● Project management
● Project team
● Project cycle plan
● Common project vocabulary

Systems Development Life Cycle
● The SDLC typically consists of phases such as:
  ○ Initiation of the project
  ○ The requirements definition phase
  ○ The functional design phase
  ○ The build phase, in which the system is actually built
  ○ The verification phase
  ○ The "cut over": the new system is put into operation
  ○ The maintenance and review phase
● Different models have different numbers of phases

What Makes a Project Risky?
● Risk framework
  ○ Complexity: Many parts? Impacts on the rest of the system? Global? Unfamiliar hardware/software/databases? Changing requirements?
  ○ Clarity...