ISTM 410 Final Exam Notes PDF

Title ISTM 410 Final Exam Notes
Course ISTM
Institution Texas A&M University

Summary

Notes from the recommended study guide...


Description

Chapter 7: Security

Opening Case
● What are some important lessons from the opening case?
○ The hackers did not carry out a dramatic and quick theft; they had a year to steal the records at their leisure.
● How long did the theft take? How did the theft likely occur?
○ The theft took place over a year, and the hackers stole a password.
● How long did it take the Office of Personnel Management (OPM) to detect the theft?
○ It took many months for OPM to detect the theft.
● How damaging are the early reports of the data theft for the OPM?
○ Early reports say that at least 4 million, and as many as 14 million, records were stolen. Each record contained a 127-page security clearance that includes sensitive medical, personal, and relationship information.
● How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up?
○ Several seconds
○ Several minutes
○ Several hours
○ Several days
○ Several months
■ A Mandiant study revealed that the median for 2014 was 205 days! That's almost 7 months!
■ The record is 2,982 days, which is 11 years!

IT Security Decision Framework
● Information Security Strategy
○ Who is responsible: Business Leaders
○ Why? They know business strategies
○ Otherwise? Security is an afterthought and patched on
● Information Security Infrastructure
○ Who is responsible: IT Leaders
○ Why? Technical knowledge is needed
○ Otherwise? Incorrect infrastructure decisions
● Information Security Policy
○ Who is responsible: Shared: IT and Business Leaders
○ Why? Trade-offs need to be handled correctly
○ Otherwise? Unenforceable policies that don't fit the IT and the users
● SETA (training)
○ Who is responsible: Shared: IT and Business Leaders
○ Why? Business buy-in and technical correctness
○ Otherwise? Insufficient training; errors
● Information Security Investments
○ Who is responsible: Shared: IT and Business Leaders
○ Why? Evaluation of business goals and technical requirements
○ Otherwise? Over- or under-investment in security

Password Breaches
● 80% of breaches are caused by stealing a password.
● A password can be stolen by:
○ Phishing attack
○ Key logger (hardware or software)
○ Guessing weak passwords (123456 is the most common)
○ Evil twin WiFi

Insecurity of WiFi - A Dutch Study
● "We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled."
● He had a WiFi transmitter broadcasting "Starbucks" as its ID → because the others were connected to him, he scanned for unpatched or vulnerable mobile devices or laptops, saw passwords, and could lock them out of their own accounts.
● The correspondent: "I will never again be connecting to an insecure public WiFi network without taking security measures."

Cost of Breaches
● Estimated at $145 - $154 per stolen record
● Revenue lost when sales decline
● Some costs can be recouped by insurance

Can you be safe?
● No, unless the information is permanently inaccessible
● 97% of all firms have been breached
● Sometimes security makes systems less usable

What Motivates the Hackers?
● Sell stolen credit card numbers for up to $50 each
● 2 million Target card numbers were sold for $20 each on average
● Street gang members usually get $400 out of a card
● Some kits sell for up to $1000
● Stolen cards can be sold for bitcoin on the Deep Web

What should Management Do?
● Security strategy
● Infrastructure
○ Access tools
○ Storage and transmission tools
● Security policies
● Training
● Investments

Storage and Transmission Tools
● Antivirus/antispyware
○ Ubiquity: Very high
○ Advantages: Blocks many known threats; blocks some "zero-day" threats
○ Disadvantages: Slows down the operating system; "zero-day" threats can be missed
● Firewall
○ Ubiquity: High
○ Advantages: Can prevent some targeted traffic
○ Disadvantages: Can only filter known threats; can have well-known "holes"
● System logs
○ Ubiquity: Very high
○ Advantages: Can reveal the IP address of the attacker; can estimate the extent of the breach
○ Disadvantages: Hackers can conceal their IP address; hackers can delete logs; logs can be huge; irregular inspections
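Several of the classic signs of phishing that the notes list in the next section (odd URL when hovering, familiar name but strange email address, exe/zip/bat attachments, the usual lure themes) can be checked mechanically from a message's headers and body. This is an added example, not part of the notes; the two sample messages, the KNOWN_SENDERS table and every function name are constructed for illustration.

```python
# Added example: mechanical checks for the signs the notes list. The messages,
# the KNOWN_SENDERS table and all helper names are constructed for illustration.
import os
import re
from urllib.parse import urlparse

RISKY_EXTENSIONS = {".exe", ".zip", ".bat"}  # "attachment with exe, zip, or bat"
KNOWN_SENDERS = {"paypal": "paypal.com", "fedex": "fedex.com"}  # constructed brand table
LURES = [  # lure themes from the list of classic signs
    ("account is being closed", r"\baccount\b.{0,30}\b(closed|suspended)\b"),
    ("email inbox is full", r"\b(inbox|mailbox)\b.{0,20}\bfull\b"),
    ("winning a contest or lottery", r"\b(won|winner|lottery|prize)\b"),
    ("product delivery failed", r"\bdelivery\b.{0,20}\b(failed|unsuccessful)\b"),
]
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def parse_from(header):
    """Split a From: header into (display name, address domain), both lower-cased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', header)
    name, addr = (m.group(1), m.group(2)) if m else ("", header)
    return name.strip().lower(), addr.strip().rsplit("@", 1)[-1].lower()

def phishing_signs(msg):
    """Return the classic signs found in a message dict with from/subject/body/attachments."""
    signs = []
    name, domain = parse_from(msg["from"])
    # Familiar name but strange email address: brand in the display name, domain elsewhere
    for brand, real in KNOWN_SENDERS.items():
        if brand in name and domain != real and not domain.endswith("." + real):
            signs.append("familiar name but strange email address")
            break
    # Odd URL when hovering: the visible link text names one host, the href another
    for href, text in ANCHOR_RE.findall(msg.get("body", "")):
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(1).lower() != (urlparse(href).hostname or "").lower():
            signs.append("odd url when hovering")
            break
    # Risky attachment; a double extension such as statement.pdf.exe still ends in .exe
    if any(os.path.splitext(f)[1].lower() in RISKY_EXTENSIONS for f in msg.get("attachments", [])):
        signs.append("attachment with exe, zip, or bat")
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    signs += [label for label, pattern in LURES if re.search(pattern, text)]
    return signs

# Constructed samples: one lure and one routine internal notice
SUSPICIOUS = {
    "from": '"PayPal Support" <alerts@paypa1-secure.example>',
    "subject": "Your account will be closed in 24 hours",
    "body": 'Verify now at <a href="http://198.51.100.7/login">www.paypal.com</a>',
    "attachments": ["statement.pdf.exe"],
}
ROUTINE = {
    "from": '"Helpdesk" <helpdesk@corp.example>',
    "subject": "Maintenance window Saturday",
    "body": 'Details: <a href="https://intranet.corp.example/maint">intranet.corp.example</a>',
    "attachments": ["schedule.pdf"],
}
```

Signs such as poor grammar or impossibly low prices need a human reader, so the function reports only what can be tested from the message itself.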

Classic Signs of Phishing
● Account is being closed
● Email inbox is full
● Winning a contest or lottery
● Inheritance or commission to handle funds
● Product delivery failed
● Odd URL when hovering
● Familiar name but strange email address
● Poor grammar/spelling
● Impossibly low prices
● Attachment with exe, zip, or bat

Chapter 8: The Business of Information Technology

The Alcoa Lesson: Business Demands
● IT offerings need to be aligned with business demands
● IT complexities should be translated to business needs

What a manager can expect from the IT organization
● Developing and maintaining IS
● Managing supplier relationships
● Managing data, information, knowledge
● Managing Internet and network services
● Managing human resources
● Operating the data center
● Providing general support
● Planning for business discontinuities
● Innovating current processes
● Establishing architecture platforms and standards
● Promoting enterprise security
● Anticipating new technologies
● Participating in setting and implementing strategic goals
● Integrating social IT

CIO (most senior)
● Responsible for technology vision
● Leads design, development, implementation, and management of IT initiatives
● Is business technology strategist or strategic business leader
● Uses technology as the core tool in
○ Creating competitive advantage
○ Aligning business and IT strategies

CIO Focus
● From efficiency to effectiveness in a constantly changing/competitive marketplace
● Formerly reported to the CFO → now reports to the CEO
● Shift over time towards helping the executive team formulate business strategy

Building a business case - components
● Executive Summary
● Overview and Introduction
● Assumptions and Rationale
● Project Summary
● Financial Discussion and Analysis
● Benefits and Business Impacts
● Schedule and Milestones
● Risk and Contingency Analysis
● Conclusion and Recommendation
● Appendices

Asset Classes
● Weill and Aral say that there are 4 asset classes of IT investments
○ Transactional Systems - systems that streamline or cut costs on business operations
○ Informational Systems - any system that provides information used to control, manage, communicate, analyze or collaborate
○ Strategic Systems - any system used to gain competitive advantage in the marketplace
○ Infrastructure Systems - the base foundation or shared IT services used for multiple applications

Valuing IT Investments
● Soft benefits make it difficult to measure the payback of an IT investment
○ Expensive, complex
● Valuation methods available:

● Return on Investment (ROI): ROI = (Revenue - Investment) / Investment
● Net Present Value (NPV): Discount the costs and benefits for each year of the system's lifetime using the present value factor 1/(1 + Discount rate)^years
● Economic Value Added (EVA): EVA = net operating profit after taxes - (capital x cost of capital)
● Payback Analysis: Time that will elapse before accrued benefits overtake accrued and continuing costs
● Internal Rate of Return (IRR): Return of the IT investment compared to the corporate policy on rate of return
● Weighted Scoring Methods: Costs and revenues/savings are weighted based on their strategic importance, accuracy/confidence, and other opportunities
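The valuation formulas above, carried through on a constructed five-year security investment (for example, anti-phishing training plus tooling). This is an added example, not from the notes: the cash flows, the 10% hurdle rate and the function names are assumptions, and the total of yearly benefits stands in for "Revenue" in the ROI formula.

```python
# Added example: the notes' valuation formulas applied to a constructed five-year
# security investment. Cash flows, rates and function names are assumed.

def roi(revenue, investment):
    """ROI = (Revenue - Investment) / Investment, as given in the notes."""
    return (revenue - investment) / investment

def present_value_factor(rate, year):
    """1 / (1 + discount rate)^years, applied to each year's costs and benefits."""
    return 1.0 / (1.0 + rate) ** year

def npv(rate, costs, benefits):
    """Discount each year's net flow (benefit - cost); year 0 is the initial investment."""
    return sum((b - c) * present_value_factor(rate, t) for t, (c, b) in enumerate(zip(costs, benefits)))

def payback_year(costs, benefits):
    """First year in which accrued benefits overtake accrued and continuing costs, or None."""
    accrued_cost = accrued_benefit = 0.0
    for t, (c, b) in enumerate(zip(costs, benefits)):
        accrued_cost += c
        accrued_benefit += b
        if accrued_benefit > accrued_cost:
            return t
    return None

def irr(costs, benefits, low=-0.99, high=10.0, steps=200):
    """Rate at which NPV is zero (bisection); compared against the corporate hurdle rate."""
    for _ in range(steps):
        mid = (low + high) / 2
        if npv(mid, costs, benefits) > 0:
            low = mid
        else:
            high = mid
    return (low + high) / 2

def eva(nopat, capital, cost_of_capital):
    """EVA = net operating profit after taxes - (capital x cost of capital)."""
    return nopat - capital * cost_of_capital

# Constructed: $300k up front, $40k/yr support and training, $120k/yr in avoided breach losses
COSTS = [300_000, 40_000, 40_000, 40_000, 40_000, 40_000]
BENEFITS = [0, 120_000, 120_000, 120_000, 120_000, 120_000]
HURDLE_RATE = 0.10  # assumed corporate policy on rate of return

def evaluate(costs=COSTS, benefits=BENEFITS, rate=HURDLE_RATE):
    """Apply each method; an investment that clears the hurdle has NPV > 0 and IRR > rate."""
    return {
        "roi": roi(sum(benefits), sum(costs)),
        "npv": round(npv(rate, costs, benefits), 2),
        "payback_year": payback_year(costs, benefits),
        "irr": round(irr(costs, benefits), 4),
        "clears_hurdle": irr(costs, benefits) > rate,
    }
```

On these numbers the project shows a 20% undiscounted ROI but only a few thousand dollars of NPV at 10%, which is the kind of gap the discounting methods exist to expose.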

The Balanced Scorecard
● Focuses attention on the organization's value drivers
● Assesses the full impact of corporate strategies on customers, the workforce, and financial performance
● Allows managers to look at a business from 4 related perspectives
○ Financial
○ Internal
○ Learning
○ Customer

IT Dashboards
● Snapshot of metrics at a given point in time
● Offer an "at a glance" idea of how things are going
● Often colors depict conditions
○ Red - problems
○ Green - good shape
○ Yellow - average

Comparison of IT funding methods
● Chargeback
○ Description: Charges are calculated based on actual usage
○ Why do it? Fairest method for recovering costs since it is based on actual usage
○ Why not do it? Must collect details on usage; often expensive and difficult
● Allocation
○ Description: Expenditures are divided on a non-usage basis (revenues, headcount, etc.)
○ Why do it? Less bookkeeping for IT
○ Why not do it? Users can question rates and basis of allocation; free riders
● Corporate Budget
○ Description: Corporate allocates funds to IT in the annual budget - to general P&L
○ Why do it? No billing to the businesses. No rates to compute. Encourages use of new technologies.
○ Why not do it? Have to compete with all other budgeted items for funds. Potential for overspending.

Total Cost of Ownership (TCO)
● Has become the industry standard
● Looks beyond initial capital investments to include costs often forgotten
○ Technical support
○ Administration
○ Training
● Estimates total annual costs per user for each potential infrastructure choice
● Provides the best foundation for comparing to other IT or non-IT investments
● Shared components (servers and printers)
○ TCO divided among all users who access each
● When only a certain group of users possesses certain components, segment the hardware analysis by platform
● Soft costs are important to include

Chapter 9: Governance of the Information Systems Organization

IT Governance
● Governance (in business) is all about making decisions that
○ Define expectations
○ Grant authority
○ Ensure performance
● Empowerment and monitoring will help align behavior with business goals
○ Empowerment - granting the right to make the right decisions
○ Monitoring - evaluating performance
● Focuses on how decision rights can be distributed differently to facilitate three possible modes of decision making
● Organization structure plays a major role

Centralized vs. Decentralized Organizational Structures
● Centralized - bring together all staff, hardware, software, data, and processing into a single location
● Decentralized - the components in the centralized structure are scattered in different locations to address local business needs
● Federalism - a hybrid of centralized and decentralized structure

Five Major Categories of IT Decisions
● IT Principles
○ Description: How to determine the IT assets that are needed
○ Examples of affected IS activities: Participating in setting strategic direction
● IT Architecture
○ Description: How to structure IT assets
○ Examples of affected IS activities: Establishing architecture and standards
● IT Infrastructure Strategies
○ Description: How to build IT assets
○ Examples of affected IS activities: Managing Internet and network services; data; human resources; mobile computing
● Business Application Needs
○ Description: How to acquire, implement and maintain IT (insource or outsource)
○ Examples of affected IS activities: Developing and maintaining information systems
● IT Investment and Prioritization
○ Description: How much to invest and where to invest in IT assets
○ Examples of affected IS activities: Anticipating new technologies

IT governance Archetype

Mechanism for Making Decisions
● Policies and Standards (60%)
● Review board or committee
● Steering Committee (governance council)
○ Key stakeholders
○ Can be at different levels:
■ Higher level (focus on CIO effectiveness)
■ Lower level (focus on details of various projects)

Sarbanes-Oxley Act (SOX)
● To increase regulatory visibility and accountability of public companies and their financial health
○ All companies subject to the SEC are subject to SOX.
○ CEOs and CFOs must personally certify and be accountable for their firm's financial records and accounting.
○ Firms must provide real-time disclosures of any events that may affect a firm's stock price or financial performance.
○ A 20-year jail term is the alternative.
○ IT departments play a major role in ensuring the accuracy of financial data.

Control Components
● Control environment
● Assessment of the most critical risks to internal controls
● Control processes that outline important processes and guidelines
● Communication of those procedures
● Monitoring of internal controls by management

Chapter 10: Information System Sourcing

Kellwood Opening Case
1. Why did Kellwood outsource? They wanted to integrate 12 acquisitions with different systems.
2. Why did Kellwood decide to backsource after 13 years? It was purchased by Sun Capital Partners; the COO wanted to consolidate to reduce costs and standardize.
3. What was the result? Savings of 3.6 million per year (17% of total IS expenses).

Insourcing
● A firm provides IS services or develops IS in its own in-house IS organization

● Insourcing Drivers
○ Core competencies related to systems
○ Confidentiality or sensitive system components or services
○ Time available in-house to develop software
○ Expertise for software development in-house
● Insourcing Challenges
○ Inadequate support from top management to acquire needed resources
○ Temptation from finding a reliable, competent outsourcing provider

IT Outsourcing
● With IT, there is equipment and personnel involved
● Equipment and facilities are sold to outside vendors
● Personnel might be hired by outside vendors
● Services are hired from the vendors
● Common length of agreement: 10 years
● Drivers
○ Offer cost savings
○ Offer service quality
○ Ease transition to new technologies
○ Offer better strategic focus
○ Provide better management of IS staff
○ Handle peaks
○ Consolidate data centers
○ Infusion of cash
● Disadvantages
○ Abdication of control
○ High switching costs
○ Lack of technological innovation
○ Loss of strategic advantage
○ Reliance on outsourcer
○ Problems with security/confidentiality
○ Evaporation of cost savings

Decisions about how to outsource successfully
● Decisions about whether or not to outsource need care and deliberation.
● Requires numerous other decisions about mitigating outsourcing risks.
● Three major decision areas: selection, contracting, and scope.
● Selection: find compatible providers
● Contracting:
○ Try for flexible management terms
○ Try for shorter (3-5 year) contracts
○ Try for SLAs (service level agreements on performance)
● Scope: determine if full or partial outsourcing

Offshoring
● Short for outsourcing offshore
● Definition: when the MIS organization uses contractor services in a distant land. (Insourcing offshore would be your own department offshore.)
● Substantial potential cost savings through reduced labor costs.
● Some countries offer a very well educated labor force.
● Implementation of quality standards:
○ Six Sigma
○ ISO 9001
● Selection
○ About 100 countries are now exporting software services and products.
○ What makes countries attractive for offshoring?
■ High English language proficiency
■ Countries that are peaceful/politically stable
■ Countries with lower crime rates
■ Countries with friendly relationships
■ Security and/or trade restrictions
■ Protection of intellectual property
■ Level of technical infrastructure available
■ Good, efficient labor force
○ Once a country is selected, the particular city in that country needs to be assessed as well.
○ Countries like India make an entire industry of offshoring.

Nearshoring
● Definition: sourcing service work to a foreign, lower-wage country that is relatively close in distance or time zone.
● The client company hopes to benefit from one or more ways of being close:
○ geographically, temporally, culturally, linguistically, economically, politically or from historical linkages.
● Distance and language matter.
● There are three major global nearshore clusters:
○ 20 nations around the U.S. and Canada
○ 27 countries around Western Europe
○ a smaller cluster of three countries in East Asia

Captive Center
● An overseas subsidiary that is set up to serve the parent company.
● Alternative to offshoring or nearshoring.
● Four major strategies are being employed:
○ Hybrid Captive - performs core business processes for the parent company but outsources noncore work to an offshore provider
○ Shared Captive - performs work for both the parent company and external customers.
○ Divested Captive - has a large enough scale and scope that it could be sold for a profit by the parent company.
○ Terminated Captive - has been shut down, usually because its inferior service was hurting the parent company's reputation.

Backsourcing
● When a company takes back in-house previously outsourced IS assets, activities, and skills.
● Partial or complete reversal
● Many companies have backsourced, such as Continental Airlines, Cable and Wireless, and Halifax Bank of Scotland.
● 70% of outsourcing clients have had negative experiences and 25% have backsourced.
● 4% of 70 North American companies would not consider backsourcing.

Deciding Where?
● New option: cloud computing
● Works when outsourcing or insourcing
● Infrastructure as a Service (IaaS)
○ Infrastructure through grids or clusters of virtualized servers, networks, storage, and systems software.
○ Designed to augment or replace the functions of an entire data center.
○ The customer may have full control of the actual server configuration.
○ More risk management control over the data and environment.
● Platform as a Service (PaaS)
○ Virtualized servers
○ Clients can run existing applications or develop new ones
○ Provider manages the hardware, operating system, and capacity
○ Limits the enterprise risk management capabilities.
● Software as a Service (SaaS) or Application Service Provider (ASP)
○ Software application functionality through a web browser.
○ The platform and infrastructure are fully managed by the cloud provider.
○ If the operating system or underlying service isn't configured correctly, the data at the higher application layer may be at risk.
○ The most widely known and used form of cloud computing.
● Some managers shy away from cloud computing because they are concerned about:
○ Security - specifically external threats from remote hackers and security breaches as the data travels to and from the cloud
○ Data privacy

Chapter 11: Managing IT Projects

Failed IS Projects
● The Standish Group found that:
○ 67% of all software projects are "challenged!"
■ Late, or
■ Over budget, or
■ Don't perform
● Even one failure could endanger a firm!

Definition of "Project"
● "[A] project is a temporary endeavor undertaken to create a unique product or service."
● Temporary — every project has a definite beginning and a definite end.
● Unique — the product or service is different in some distinguishing way from all similar products or services.

Project Triangle
● Can only pick two
● Fast and cheap: It won't be good!
○ Slapped together or using interns
● Fast and good: It won't be cheap!
○ Purchase a solution/hire a "rock star" skilled team
● Cheap and good: It won't be fast!
○ This option is possible if you would wait for an open source solution or use

Project Management Office
● Project support
● Project management process and methods
● Training
● Project management home base
● Internal consulting and mentoring
● Project management software tools and support
● Portfolio management (managing multiple projects)

Essential Elements
● Project management
● Project team
● Project cycle plan
● Common project vocabulary

Systems Development Life Cycle
● The SDLC typically consists of phases such as:
○ Initiation of the project
○ The requirements definition phase
○ The functional design phase
○ The system is actually built
○ Verification phase
○ The "cut over": the new system is put in operation
○ The maintenance and review phase
● Different models have different numbers of phases

What Makes a Project Risky?
● Risk Framework
○ Complexity: Many parts? Impacts on the rest of the system? Global? Unfamiliar hardware/software/databases? Changing requirements?
○ Clarity...

