BEC - Unit 6
Automated Control
-a control performed by an automated system without interference of a person -value: accuracy, timeliness, efficiency, and security
Enterprise Resource Planning System
-a cross-functional enterprise system that integrates and automates the many business processes and systems that must work together in the manufacturing, logistics, distribution, accounting, project management, finance and human resources functions of a business -comprises a number of modules that can function independently or as an integrated system to allow data and information to be shared among all of the different departments and divisions of large businesses -manages the various functions within a business related to manufacturing, -does not offer anything in the way of planning -considered a back-office system from the customer order to fulfillment of that order
Platform as a Service (PaaS)
-allows customers to rent virtual servers and related services that can be used to develop and test new software applications
Gross Revenue
-an appropriate measure for sales or other measures of revenue volume in sales-driven organizations
Stakeholders or Participants in Business Process Design
includes management, accountants, information systems steering committee
Performance Measures
-putting structure around measuring business performance -popular method is instituting an IT balanced scorecard
Types of Tests
-an effective testing strategy includes automated, manual, and exploratory test to efficiently reduce risk and tighten release cycles includes... -unit tests -integration tests -validation tests -acceptance tests -system testing
Policies
-statements of management's intent
Software Testing
intended to accomplish the following: 1. Find defects created during the development of the software 2. Determine the level of quality of the software 3. Ensure that the end product meets the business and user requirements
Business Process Management Activities
1. Design 2. Modeling 3. Execution 4. Monitoring 5. Optimization
Manual Control
-a control performed by a person without making direct use of automated systems
Uses of Data Analytics
-Customer analytics: supports digital marketing and allows the company to deliver timely, relevant, and anticipated offers to customers -Operational analytics: uses data mining and data collection tools to plan for more effective business operations; normally used to observe and analyze business operations in real time -Risk and Compliance analytics: used in Enterprise Risk Management activities such as continuous monitoring, continuous auditing, and fraud detection -New Products and Services Innovation Analytics: new products and service innovations analytics are used to determine where innovation is needed and to isolate product qualities that are most important to customers
New Product or Business Process Development (DMADV)
-Define design goals: design goals that are consistent with customer demands -Measure CTQ (Critical to Quality Issues): analyze the value chain to determine the features that provide value to the customer and the production capabilities that are available -Analyze design alternatives: develop different methodologies to produce the new product -Design optimization: use modeling techniques to determine optimization of the proposed process -Verify the design: implement and test the plan
Existing Product and Business Process Improvements (DMAIC)
-Define the problem: based on customer comments, failed project goals, or other issues, determine the existence of a problem -Measure key aspects of the current process: collect relevant data -Analyze data: examine the relationships between data elements -Improve or Optimize Current Processes: use models and data to determine how the process can be optimized -Control: develop a statistical control process to monitor results
Continuous Improvement (Kaizen)
-Kaizen refers to continuous improvement efforts that improve the efficiency and effectiveness of organizations through greater operational control -Kaizen occurs at the manufacturing stage where the ongoing search for cost reductions takes the form of analysis of production processes to ensure that resource usage stays within target costs
Plan, do, check, act (PDCA) - ie process management
-Plan - design the planned process improvement -Do - implement the process improvement -Check - monitor the process improvement -Act - continuously commit to the process and reassess the degree of improvement
Outsourcing - Risks
-Quality Risk: an outsourced product or service might be defective as suppliers might provide substantiated products and services -Quality of Service: poorly designed service agreements may impede the quality of service -Productivity: real productivity may be reduced even though service provider employees are paid less -Staff Turnover: experienced and valued staff whose functions have been outsourced may leave the organization -Language Skills: outsourced services may go offshore; language barriers may reduce the quality of service -Security: security of information with a third party might be compromised -Qualification of Outsourcers: credentials of service providers may be flawed; offshore degrees may not include the same level of training as domestic degrees -Labor Insecurity: increases when jobs move to an external service provide or, as a result of globalization, out of the country
Security Administrator vs. Computer Operators and Computer Programmers
-Security Administrators are responsible for restricting access to systems, applications or databases to the appropriate personnel -if the secuiryt administrator were also a programmer or an operator for that system, that person could give themselves or others access to areas they are not authorized to enter to steal information or assets
Governance Objectives
-Strategic alignment: linkage between business and IT plans is referred to as a strategic alignment and includes defining, maintaining, and validating the IT value proposition -Value creation: includes the provision by IT of promised benefits to the org while satisfying customers and optimizing costs and risk (most important) -Resource Management: focuses on the optimization of knowledge and infrastructure -Risk Management: risk awareness by senior management, they can choose to avoid, mitigate, share or ignore the risk -Performance Measurement: include tracking and monitoring strategy implementation, project completion, resource usage, process performance, and service delivery
Workforce Involvement
-TQM organizations are characterized by team approaches and worker input to process development and improvement -small groups of workers that use team approaches to process improvement are called quality circles
Information Security Policy
-a document that states how an organization plans to protect its tangible and intangible information assets includes... 1. Management instructions indicating a course of action, a guiding principle or an appropriate procedure 2. High-level statements that provide guidance to workers who must make present and future decisions 3. Generalized requirements that must be written and communicated to certain groups of people inside and, in some cases, outside the organization
Warm Site
-a facility that is already stocked with all the hardware that it takes to create a reasonable facsimile of the primary data center -to restore the organization's service, the latest backups must be retrieved and delivered to the backup site -next, a bare-metal restoration of the underlying operating system and network must be completed before recovery work can be done
M3 - Big Data
-a fast-evolving concept in data management and in information technology in general -focused on finding marketing and sales patterns, discovering previously unknown relationships, detecting new market trends, and being able to ferret out actual customer preferences -to benefit from this, companies need to have the systems and people to mine it and refine it so that is useful in making decisions -increasing the individuals that work with this are data scientists, statisticians, programmers, data analysts, and database engineers
Electronic Fund Transfers
-a form of electronic payment for banking and retailing industries -uses a variety of technologies to transact, process, and verify money transfers and credits between banks, businesses, and consumers -used frequently to reduce the time and expense required to process checks and credit transactions -often provided by a third party vendor who acts as the intermediary between the company and the banking system -reduces the need for manual data entry, thus reducing the occurrence of data entry errors -05813
M2 - Information Technology Governance
-a formal structure for how organizations align IT and business strategies, ensuring that companies stay on track to accomplish their strategies and goals, and implementing their performance measures for IT -an IT governance framework should answer key questions, like how is the IT department functioning, what key metrics does management need, and what does IT return to the business -needs to be viewed as a critical component of strategy development and not simply a back-office support function
Business Process Management
-a management approach that seeks to coordinate the functions of an organization toward an ultimate goal of continuous improvement in customer satisfaction -customers may be internal or external to an organization -seeks effectiveness and efficiency through promotion of innovation, flexibility, and integration with technology -attempts to improve processes continuously -by focusing on processes, an organization becomes more nimble and responsive than hierarchal organizations that are managed by function
Backdoor
-a means of access to a program or system that bypasses normal security mechanisms -these should be eliminated
Software as a Service (SaaS)
-a method of software distribution in which applications are hosted by a vendor or service provider and made available to customers over the internet -this is another name for the ASP -exmaple is Salesforce
Information Technology Controls
-a plan of organization that includes appropriate seg of duties to reduce opportunities for anyone to be in a position to both perpetrate and conceal error or irregularities in the normal course or his or her duties -procedures that include the design and use of adequate documents and records to help ensure the proper recording of transactions and events -limits to asset access in accordance with management's authorization -effective performance management, with clear definitions of performance goals and effective metrics to monitor achievement of goals -information processing controls are applied to check for proper authorization, accuracy, and completeness of individual transactions -the proper design and use of electronic and paper documents and records help ensure the accurate and complete recording of all relevant transaction data -implementation of security measures and contingency plans
Warm Site - Pros and Cons
-a restoration can be accomplished in a reasonable amount of time -there is a continued cost associated with the warm backup site because a contract must be maintained with the facility to keep it up-to-date -compromise between the hot backup site and cold backup site
Information Security
-a strategy including the processes, tools, and policies necessary to prevent, document, and counter threats to both digital and physical information
Quality Audits
-a technique used as part of the strategic positioning function in which management assesses the quality practices of the organization -quality audits produce the following: analysis that identifies strengths and weaknesses, a strategic quality improvement plan that identifies the improvement steps that will produce the greatest return to the organization in the short term and long term
Defining and managing planning data
-a wealth of data flows throughout the strategic planning process -to lend focus to the process and avoid wasted efforts, deliverables for each step of the process must be clearly defined from the start -this helps ensure that the correct data is developed for effective decision making and also builds support for the process by informing stakeholders of the expected output of each step
Audit Trail
-a well-designed AIS creates an audit trail for accounting transactions -allows a user to trace a transaction from source documentation to the ledger and to trace from the ledger back to source documents (ability to trace in both directions is important in auditing)
Timely Recognition
-acknowledgement of TQM achievements (in terms of compensation and general recognition) must occur to encourage the ongoing involvement of the workforce
Cost Identification
-activity-based costing and management systems highlight the costs of activities; the availability of cost data by activity makes the identification of costs of quality and value-added activities more obvious
Issue-Specific Policy
-address specific issues of concern to the organization (e.g. cloud computing)
Data Processing Schedule
-all data processing tasks should be organized according to this schedule
Data Encryption
-an essential foundation for electronic commerce -encryption involves using a password or digital key to scramble a readable (plaintext) message into an unreadable (ciphertext) message -the intended recipient of the message then uses another digital key to decrypt or decipher the ciphertext message back into plaintext
Full Backup
-an exact copy of the entire database -these are time-consuming so typically are only done weekly and supplement them with daily partial back ups
Decision Support System
-an extension of an MIS that provides interactive tools to support decision making -may provide information, facilitate the preparation of forecasts, or allow modeling of various aspects of a decision -it is sometimes called an expert system -examples: financial modeling application, sensitivity analysis applications, and database query applications -03487, 03486
Cold Site
-an off-site location that has all the electrical connections and other physical requirements for data processing, but it does not have the actual equipment -cold sites usually require one to three days to be made operational because equipment has to be acquired -organizations that utilize this, typically utilize generic hardware that can be readily (and quickly) obtained for hardware vendors -cheapest form of offsite location
Hot Site
-an off-site location that is equipped to take over the company's data processing -backup copies of essential data files and programs may also be maintained at the location or a nearby data storage facility -in the event of a disaster, the organization's personnel need to be shipped to the disaster recovery facility to load the backup data onto the stand by equipment
Digital Certificates
-another form of data security -electronic documents created and digitally signed by a trusted party that certify the identity of the owners of a particular public key -the digital certificate contains the party's public key
Just-in-time Management
-anticipates achievement of efficiency by scheduling the deployment of resources just-in-time to meet customer or production requirements -underlying concept is that inventory does NOT ad value; the maintenance of inventory on-hand produces wasteful costs -usually results in a reduction of the number of suppliers since there is a greater dependency on supplier performance
Dynamic Content
-any content that changes frequently and can include video, audio, and animation -in the context of HTML and internet, refer to website content that constantly or regularly changes based on user interactions, timing and other parameters that determine what content is delivered to the user -ex: facebook
Constraint
-anything that impedes the accomplishment of an objective -constraints for purposes of TOC are limited in total and sometimes organization may face only one constraint
Corrective Controls
-applying operating system upgrades, backup data restore and vulnerability mitigation and other controls to make sure that systems are configured correctly and can prevent the irretrievable loss of data
Split-Mirror Backup
-as the amount of data needed to support many large companies grows, so do the time and resources that it takes those companies to back up and recover their data -this method is useful when the main system must always be online -uses a remote server to back up large amounts of data offline that can be restored in the event of a disaster
Header Record
-at the beginning of each file and contains the file name, expiration date, and other identification data
Trailer Record
-at the end of a file and contains the batch totals calculated during input
Symmetric Encryption
-both parties use the same key to encrypt and decrypt the message so that key must be shared
Write-Protections Mechanisms
-common file protections guard against the accidental writing over or erasing of data files stored on magnetic media -however, it is important to remember that although these provide protection from accidental erasure, most write-protection mechanisms are easily removed
Recalculation of Batch Totals
-comparison of amounts input to amounts output ensures that the volume of transactions processed is correct -hash totals like a sum of invoice numbers also can be used to confirm that the correct source documents are included -if someone substituted a different invoice with the same amount, the batch total would agree but the hash total would not
Correctly Functioning Controls
-completeness, accuracy, and continuous processing integrity are the goals of correctly functioning controls 1. Completeness means to be whole and have nothing missing 2. Accuracy means to be correct and precise 3. Continuous processing integrity means to have data integrity that is consistent and accurate throughout the processing cycle
Security Objectives
-consist of a series of statements to describe meaningful actions about specific resources -typically based on system functionality or mission requirements -could relate to confidentiality, data integrity, authorization, access, resource protection and other issues
Program Modification Controls
-controls over changes to program being used in production applications -these controls include both controls designed to prevent changes by unauthorized personnel and controls that track program changes so that there is a record of what versions of what programs are running in production at any specific point in time
Differential Backup
-copies all changes made since the last full backup thus each new differential backup file contains the cumulative effects of all activity since the last full backup -consequently, except for the first day following a full backup, daily differential backups take longer than incremental backups -restoration is simpler and often times this is done daily
Communicating data and messages well
-effectively communicating the strategic planning messages and associated data to middle and first-line managers helps them educate their personnel -well-informed employees are most likely to commit to and support the plan
Data Librarian
-in large companies, the data librarian has custody of and maintains the entity's data and ensures that production data is released only to authorize individuals when needed
Clearly defining roles and responsibilities
-core team members include a business process manager who defines, communicates, facilitates, and improves the process through each cycle -subject matter experts develop the data, analysis, and ideas that are used throughout the process -best to have a broad virtual team from across the organization participating in the process to make sure the output is challenged and supported from a number of different perspectives -decision makers should review, discuss, and debate the strategic planning data and set the direction for the organization -clearly defining the decision makers early on helps avoid organizational conflict later
Analytical CRM
-creates and exploits knowledge of a company's current and future customers to drive business decisions
Control
-dashboards and other measurement reports are used to monitor the improvement in real time and apply the data to the model for improvement
Backup Files
-data backups are necessary both for recovery in a disaster scenario and for recovery from processing problems -copies of key masters files and records should be stored in safe places located outside of the company -copies of files kept on site should be stored in fireproof containers or rooms
Database Processing Integrity Procedures
-database systems use database administrators, data dictionaries, and concurrent update controls to ensure processing integrity 1. The administrator establishes and enforces procedures for accessing and updating the database 2. The data dictionary ensures that data items are defined and used consistently 3. Concurrent update controls protect records from errors that occur when two or more users attempt to update the same record simultaneously (which is accomplished by locking out one user until the system has finished processing the update entered by another)
Implementation Lessons learned by major corps
-define the integration points to the governance processes -defining and managing planning data -defining and publicizing the planning calendar -realizing that timing is essential -clearly defining roles and responsibilities -communicating data and messages well
Outsourcing
-defined as the contracting of services to an external provider where a contractual relationship exist between the business and its service provider -ex: payroll service, call center, etc
Cloud Computing
-defined as virtual servers available over the internet -includes nay subscription-based or pay-per-use service that extends an entity's existing information technology on a real time basis over the internet -public cloud sells services to anyone on the internet, while private cloud is a private network or data center that provides services to a limited number of customers -offers the advantage of professional management of hardware and software -generally have sophisticated backup procedures as well as high level security for customer data -usually has lower up-front costs for equipment and maintenance (08533)
Operational Security
-defines the manner in which a specific data operation would remain secure (e.g. operational security for data integrity might consider a definition of authorized and unauthorized modification: the individuals authorized to make modifications, by job category, by organization placement, by name, etc.)
Demand Flow - Relationship to Just-in-Time
-demand flow is akin to just-in-time processes that focus on the efficient coordination of demand for goods in production with the supply of goods in production -kanban systems, which visually coordinate demand requirements on the manufacturing floor with suppliers are used to coordinate demand flow
Demand Flow - Relationship to Lean
-demand flow is designed to maximize efficiencies and reduce waste; one piece flow manufacturing environments, in which components move progressively from production function to production function, benefit from demand flow ideas
1) Descriptive Analytics
-describes events that have already occurred such as financial reports and historical operations reports, which enable learning from past behaviors
Execution
-design changes are implemented and key indicators of success are developed
Diagnostic Controls
-designed to achieve efficiency in operations of the firm to get the most from resources used
General Controls
-designed to ensure that an organization's control environment is stable and well-managed and includes: 1. System development standards 2. Security management controls 3. Change management procedures 4. Software acquisition, development, operations and maintenance controls
Malware Detection Software
-detects the threat of viruses, worms, and file infectors to protect information
Corporate-Level Strategy
-developed by senior management and encompasses new business opportunities, the closing of old business units, and the allocation of resources among departments
Risks Related to New Technology
-developing high quality, error-free software is difficult, expensive and time consuming -an established fact in business is that most software projects deliver less, cost more and take longer than expected -this does NOT address the projects that get canceled before completion
Certificate Authority
-digital certificates intended for e-business use are typically issued by commercial certificate authorities like Comodo and Verisign -they hash the information stored on a digital certificate and then encrypts that hash with its private key -that digital signature is then appended to the digital certificate, which provides the means for validating the authenticity of the certicificate
Internal Customers
-each link in the value chain (and within the value chain) represents an internal customer
Realizing that timing is essential
-each step in the planning process must support the next stage -direct influence is lost if there are timing missteps along the way
Backup of Systems that Do Not Shut Down
-effective backups are more difficult when an information system cannot be shut down -recovery often includes applying a transaction log and reapplying those transactions to get back to the point immediately before the failure
Detective Controls
-employing a blend of technical controls like anti-virus, intrusion detections systems, system monitoring, file integrity monitoring, change control, log management, and incident alerting can help to track how and when system intrusions are being attempted
Management Information Systems
-enable companies to use data as part of their strategic planning process as well as the tactical execution of that strategy -often have subsystems called decision support systems and executive information systems (EIS) -provides users predefined reports that support effective business decisions; could provide feedback on daily operations, financial and non-financial info to support decision making across functions and both internal and external info
End User
-end users are any workers in an organization who enter data into a system or who use the information processed by the system -end users now routinely enter much of their own data or transactions
Point of Sale System
-ensures that each time an item is sold, one of that item is removed from the inventory count
File Labels
-ensures that the correct and most current files are updated -external labels are readable by humans while internal labels are written in machine-readable form on the data recording media -both internal and external labels are more secure -two types of labels are header and trailer records
Objectives of BIA
-estimate the financial impacts for each business unit, assuming a worst-case scenario -estimate the intangible, operational impacts for each business unit, assuming a worst=case scenario -identify the organization business unit processes and the estimated recovery time frame for each business unit
Effectiveness of Control Policies
-evaluate the ongoing effectiveness of control policies and procedures provided added assurance that controls are operating as prescribed and achieving their intended purpose -a diagnostic control system compares actual performance with planned performance
User Review of Output
-examination by users of system output for reasonableness, completeness, and verification that the output is provided to the intended recipient
Integration Tests
-exercise an entire subsystem and ensure that a set of components operates smoothly together -done in two ways: 1. Bottom-up Integration Testing 2. Top-down Integration Testing
External Constraints
-exist when the system produces more than the market requires
System-Specific Policy
-focus on policy issues that exist for a specific system (e.g. the payroll system)
Security Measures
-focus on preventing and detecting threats -data security controls should be designed to ensure that authorization is required to access, change, or destroy storage media
Validation Tests
-focus on visible users actions and user-recognizable outputs from the system -these tests answer the question "did we build the right thing?" -based on the use-case scenarios, the behavior model, and the event flow diagram created in the analysis phase of the development -tests must ensure that each function or performance characteristics conforms to its specification -deviations (deficiencies) must be negotiated with the customer to establish a means for resolving the errors -configuration review or audit is used to ensure that all elements of the software configuration have been properly developed, cataloged, and documented to allow its support during its maintenance phase
System Performance Measurements
-for a system to be evaluated properly, it must be assessed using these -common measurements include throughput (output per unit of time), utilization (% of time the system is being productively used), and response time (how long it takes the system to respond)
Steering Committee
-formed to guide and oversee systems development and acquisition
Queries
-frequently on-demand responses to data inquires on line -frequently, no hard copy document is produced with a query
Business Information System
-general term for information technology that includes hardware, software, network, people and data
Offshore Operations - Risk
-generally, the same as outsourcing, but with greater emphasis on the lack of controls associated with proximity, as well as potential language issues
Documents
-hard copy data outputs like checks and purchase requisitions that are used for business operations
Categorize information resources by impact
-helps determine the criteria for categorizing the list of information resources as high, medium, or low related to the effect on day-to-day operations -criteria could include characteristics such as criticality, costs of a failure, publicity, legal and ethical issues
Infrastructure-as-a-Service (IaaS)
-ie Hardware-as-a-Service (HaaS), outsources storage, hardware, services, and networking components to customers, generally on a per-use basis -ex: Amazon, Microsoft, Google and Rackspace
Computer Operator vs. Computer Programmers
-if a person is performing both functions, they could make unauthorized and undetected program changes
Pros and Cons of Disaster Recovery and Business Continuity
-if an organization does not have a disaster recovery and business continuity plan, the organization may go out of business -the disadvantage is the cost and effort required to establish and maintain a disaster recovery plan
Cryptography
-if encrypted content is communicated by an entity (a person or a machine) using this method, the sender is the entity that encrypts and the receiver is the entity that decrypts the content -when encrypted content is stored rather than transferred between a sender and a receiver, authorized users have the ability to encrypt and decrypt the content so they can use it for authorized purposes
Asymmetric Encryption
-in asymmetric encryption, the private key is not shared and the public key provides the other half necessary to encrypt/decrypt -anyone can encrypt message, but only the intended recipient can decrypt the message
Dependency on Insecure Platform
-in some cases, a legacy product may only run in a legacy environment -even if the legacy product in question does not itself pose a security risk, the fact that it forces you to continue using a highly exploited platform can put an organization in a vulnerable position
Information Technology Professionals
-include administrators, librarians, computer operators, and developers -IT professionals roles and responsibilities are defined individually by each organization
Computer Programmer
-include application programmers and system programmers
Strategic risk
-includes the risk of choosing inappropriate technology -for example, an organization may choose a web-based program to share data between remote offices in different parts of the world -if one of the offices is in a location that does not have access to high-speed internet connections, it will not be able to enter data at the same speed as the other offices -this problem may lead to the generation of reports thought to be up-to-date but actually missing data from the office that does not have high speed access
Operating Risk
-includes the risk of doing the right things in the wrong way -for example, assume that a payroll manager is supposed to run the bi-weekly payroll after the HR manager enters newly hired employees into the system -if the payroll manager runs the payroll too early (i.e. before the newly hired employees are entered), the newly hired employees do not get paid and the payroll report is inaccurate
Financial Risk
-includes the risk of having financial resources lost, wasted, or stolen -for example, an inventory report lists several laptop computers, but some of the laptops were not returned when employees left the organization -this problem could lead to inaccurate financial reports that report assets that no longer exist
Information Risk
-includes the risk of loss of data integrity, incomplete transactions, or hackers -if a network system that is connected to the internet does not have a secure firewall or another type of security measure, hackers may enter the system and corrupt or destroy data
Monitoring
-information is gathered and tracked and compared with expected performance
Risk Management
-instituting a formal risk framework that puts some rigor around how IT measures, accepts, and manages risk as well as reporting on what IT is managing in terms of risk
Purchased System
-integrates the application with existing internal and purchased applications -provides training to end users
Modeling
-introduces variables to the conceptual design for what-if analysis
Reasons for persistence of legacy systems
-investment in deployment: the company already paid for the product so there is an incentive to use it for as long as possible -investment in training: the employees have already invested time in learning the product so again there is a built-in incentive to leverage that -dependencies on supportive technology: the legacy software might only run on a legacy system, which would be burdensome to upgrade -dependencies built on the legacy product: the organization may have built custom products using the legacy software, creating a huge disincentive to abandon it and risk having to re-build in-house software -risk over reward: saving time and money by continuing to use legacy software might seem like a reward, but it is often illusory; a security breach easily can result in a disaster, which is far more time-consuming and potentially costly than maintaining up to date software
Incremental Backup
-involves copying only the data items that have changed since the last backup -this produces a set of incremental backup files, each containing the results of one day's transactions -restoration involves first loading the last full backup and then installing each subsequent incremental backup in the proper sequence
Functional-Level Strategy
-involves establishing strategies for marketing, manufacturing, IT, and finance -an effective strategy at the functional level improves the entity's ability to execute its business-level and corporate-level strategies
Mitigating Risk in Legacy Systems
-isolating the system: one of the many great uses of virtualization is to sandbox a risky platform to keep it isolated from your important systems -it is possible to run legacy apps within a self-contained window on a modern, secure system -in addition, the virtual system can be cut off from network access to the outside world Virtual Patches: sometimes, no security patch is available to directly modify and harden a legacy product; a virtual patch can address a known vulnerability upstream of the insecure application -a virtual patch could consist of rules in a firewall packet inspector or web server that look for and detect SQL injection syntax and block the request before it ever reaches the vulnerable legacy product
Lack of Vendor Support
-it costs money for a vendor to continue updating a product; eventually, support may end and new vulnerabilities may not be caugh -vendors concentrate more of their resources on developing, updating, and promoting new products rather than maintaining old ones
Definition of IT Governance
-it is about how leadership accomplishes the delivery of mission-critical business capability using IT strategies, goals and objectives -concerned with the strategic alignment between the goals and objectives of the business and the utilization of its IT resources to effectively achieve the desired results -considered the duty of executive management and the board of directors -crucial to the governance of the entire organization -comprises leadership, organizational structures, policies and processes, IT strategy and IT objectives -establishes chains of responsibility, authority and communication -also establishes measurement, policy, standards and control mechanisms to enable people to carry out their roles and responsibilities
Risks of Legacy Systems
-lack of vendor support -old threatscape -code reutilization -educated hackers -patch lag -evolving hacker tools -dependency on insecure platform
Regulations
-laws, rules, and regulations generally represent governmentally imposed restrictions passed by regulators and lawmakers
Strategic Alignment
-linking business and IT so they work well together -starting point is the planning process
Information resources, associated risks, and corrective actions
-list the high impact info resources and document the risks associated with each info resource -supply comments where needed to clarify a specific situation (denote risk likelihood) -finally, indicate the action decision by the team to mitigate each specified risk 1) High Action - take corrective action asap 2) Medium Action - implement corrective actions within a reasonable time frame 3) Low Action - take no corrective action, accept the level of risk
Acceptance Tests
-make sure that software works correctly for the intended users in his or her normal work environment -conducted by a quality assurance team that gauges whether the application meets the intended specifications and satisfies the client's requirement -QA team will have a set of pre-written scenarios and test cases that will be used to test the application -includes alpha and beta test
Value Deliver
-making sure the IT department does what is necessary to deliver the benefits promised at the beginning of a project or investment
IT Supervisors
-manage the functions and responsibilities of the IT department
Operational Statistics
-manufacturing operations might use operational statistics such as throughput times, delivery times, or other logistical measures to determine the efficiency of a process
Patch Lag
-many organizations are slow to install patches, allowing legacy products to remain exposed for a long period during which the knowledge about those flaws is increasingly available
Data Matching
-matching two or more items of data before taking an action improves transaction processing (e.g. controls should include matching information on vendor invoice to both the purchase order and the receiving report before paying a vendor)
Objective Measures
-measures of quality must be unambiguous, clearly communicated, and consistently reported
Accounting Information Systems
-most important -a type of management information system that may also be partly a transaction processing system and partly a knowledge system -there may be separate systems (often called modules) for each accounting function such as accounts receivable, accounts payable, etc or there may be one integrated system that performs all of the accounting functions, culminating in the general ledger and the various accounting reports
Code Reutilization
-often, software products incorporate some amount of code from a predecessor or other products -this can incorporate security vulnerabilities that predate even the legacy product
Old Threatscape
-older products possess less sophisticated security mechanisms -legacy software was by definition developed at a time when the understanding of the security threatscape was less advanced than the present -many of the techniques developed by hackers to compromise systems as well as strategies created by security professionals to protect them were less mature in the past
Resource Management
-one way to manage resources more effectively is to organize staff more efficiently
Customer Satisfactoin
-organizations use relationship marketing techniques may consider customer satisfaction measures
Implementation
-organizations with ABC and ABM programs are more likely to have the information they need to implement a TQM program -process improvement results from a detailed process management program (sometimes referred to as an activity-based management system, or ABM)
Strong Password Management Policy
-password length: longer passwords are generally more effective; many organizations require a minimum of seven or eight characters -password complexity: complex passwords are more effective and generally feature three of the following characteristics: 1. uppercase characters 2. lowercase characters 3. numeric characters 4. ASCII characters -password age: passwords should be changed frequently (every 90 days is good policy) -two-factor authentication: this method allows for a second authentication key from a secondary device such as a smartphone or other key generator that is based on time of log-in
Managing Passwords
-passwords are designed to protect access to secure sites and information -1st rule is that every account must have a password
Disadvantages of ASP
-possible risks to the security and privacy of the organization's data, the financial viability or lack thereof of the ASP, and possible poor support by the ASP (a concern anytime anything is outsourced)
Applications Controls
-prevent, detect, and correct transaction error and fraud and application-specific, providing reasonable assurance as to system: 1) Accuracy 2) Completeness 3) Validity
Application Service Providers (ASP)
-provide access to application programs on a rental basis -allows smaller companies to avoid the extremely high cost of owning and maintaining today's application systems by allowing them to pay only for what is used -the ASPs own and host the software and users access it via the internet -responsible for software updaters and will usually provide backup services for the user's data -provided software may be referred to as service, apps on tap, or on-demand software
Executive Information Systems
-provide senior executives with immediate and easy access to internal and external information to assist in strategic decision making -consolidates information internal and external to the enterprise and reports it in a format and level of detail appropriate to senior executives -07112
Guidelines
-provides hints, tips and best practices in implementation
Customer Relationship Management Systems
-provides sales force automation and customer services in an attempt to manage customer relationships -these capture every interaction a company has with a customer -they record and manage customer contacts, manage salespeople, forecast sales, manage sales leads, provide and manage online quotes, product specifications, and pricing and analyze sales data
Business Impact Analysis
-purpose is to identify which business units, departments, and processes are essential to the survival of an entity -identifies how quickly essential business units and/or processes need to return to full operation following a disaster situation `
Continuous Improvement
-quality is not viewed as an achievement in a TQM organization; the organization constantly strives to improve its product and processes -quality is not just goal, it is embedded in the process
External Data Reconciliation
-reconciliation of database totals with data maintained outside the system (e.g. the number of employee records in the payroll file should be compared with the total from HR to detect attempts to add fictitious employees to the payroll database
Reconciliation Procedures
-reconciliation of individual transactions and other system updates to control reports, file status, or update reports (e.g. reconcile input control totals to output control totals)
Steps in System Testing
-recovery testing: checks the system's ability to recover from failures -security testing: verifies that system protection mechanisms prevent improper penetration or data alteration -stress testing: program is checked to see how well it deals with abnormal resource demands (i.e. quantity, frequency, or volume) -performance testing: designed to test the run-time performance of software, especially real-time software -deployment (or configuration) testing: exercises the software in each of the environments in which it is to operate
Current Status
-reengineering is not as popular as it was when introduced in the mid-1990s; the technique has been criticized for what some believe was an overaggressive downsizing -in addition, the programs have not produced the benefits that were originally anticipated
Preventive Controls
-refer to using administrative controls such as security awareness training, technical controls such as firewalls and anti-virus software to stop attacks from penetrating the network -most industry and government experts agree that security configuration management is probably the best way to ensure the best security configuration allowable, along with automated patch management and updating anti-virus software
Shared Services
-refers to seeking out redundant services, combining them and then sharing those services within a group of organizations -the distinguishing feature of shared services is that they are shared within an organization or group of affiliates
Business Process Reengineering
-refers to techniques to help organizations rethink how work is done to dramatically improve customer satisfaction and service, cut costs of operations, and enhance competitiveness -development of sophisticated information technology systems and networks have driven many reengineering efforts -this is NOT synonymous with business process management as it seeks radical changes whereas BPM seeks incremental changes
Public Key Infrastructure
-refers to the system and processes used to issue and manage asymmetric keys and digital certificates -the organization that issues public and private keys and records the public key in a digital certificate is called a certificate authority
Offshore Operations
-relate to outsourcing of services or business functions to an external party in a different country -ex: call centers in India for a U.S. company -most common types of offshore outsourcing are: information technology, business process (call centers, acct. operations, tax compliance), software research and development, knowledge process (like reading x-rays)
Lean Manufacturing (ie Lean Production)
-requires the use of only those resources required to meet the requirements of customers; it seeks to invest resources only in value-added activities -focused mainly on waste reduction
Web Administrators
-responsible for information on a website
System Programmer
-responsible for installing, supporting (troubleshooting), monitoring, and maintaining the operating system -also may perform capacity planning functions -in complex computing environments, a considerable amount of time can be spent testing and applying operating system upgrades
Database Administrators
-responsible for maintaining and supporting the database software and performing certain security functions -perform functions for database software that are similar to those systems programmers perform for the operating system as a whole -differ from data administrators as a database administrator is responsible for the actual database software and a data administrator is responsible for the definition, planning, and control of the data within a database
Computer Operators
-responsible for scheduling and running processing jobs -much of the job of scheduling and running jobs can be automated and, in large computing environments, must be automated due to the sheer volume of information processed
Security Administrator
-responsible for the assignment of initial passwords and often the maintenance of those passwords (if the end users, do not maintain their own passwords) -responsible for the overall operation of the various security systems and the security software in general
Identify and categorize risks by likelihood
-risks must be tangible and specific with respect to one or more resources; when finalizing the list, eliminate duplicates, combine risks as appropriate, and include only the risks that team members agree are valid -high likelihood: the risk (threat) source is highly motivated and sufficiently capable and controls to prevent the vulnerability are ineffective -medium likelihood: the risk source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability -low likelihood: the risk source lacks motivation or capability or controls are in place to prevent or significantly impede successful exercise of the vulnerability
Policy Implementation
-security is normally enforced through a combination of technical and traditional management methods Examples - -intrusion detection software can alert system administrators to suspicious activity or take action to stop the activity -personal computers can be configured to prevent booting from an external drive
Shared Services - Risks
-service flow disruption: the consolidation of work to a single location can create waste in the transition, rework, and duplication as well as increases in the time it takes to deliver a service -failure demand: the demand for a shared service caused by a failure to do something or to do something right for a customer is called failure demand and it results when a task must be performed for a second time b/c it was incorrectly performed the first time
Internal Disaster Recovery
-some organizations with the requirement for instantaneous resumption of processing after a disaster (e.g. banks and houses) provide their own duplicate facilities in separate locations -data might be mirrored (i.e. updated and stored in both locations) and processing can be switched almost instantaneously from one location to another -a duplicate data center and data mirroring are expensive and most organizations adopt cheaper solutions
Guidelines for Successful Testing
-specify testing objectives explicitly; for example, load testing is a process of testing the behavior of software by applying maximum load in terms of accessing and manipulating large input data; this type of testing identifies the maximum capacity of software and its behavior at peak time -identify categories of users for the software and develop a profile for each; develop a test plan that emphasizes rapid cycle testing -build robust software that is designed to test itself -use effective formal reviews as a filter prior to testing -conduct formal technical reviews as a filter prior to testing -conduct formal technical reviews to assess the test strategy and test cases -develop a continuous improvement approach for the testing process
Procedures
-step by step instructions on how to perform a specific security activity (configure a firewall, install an operating system, and others)
File Librarian
-store and protect programs from damage and unauthorized use and file librarians control the file libraries; in large computing environments, much of this work is automated
Defining the integration points to the governance processes
-successfully moving a strategic plan from concept to reality depends on clear, well-defined integration points with the budgeting, governance, and decision-making processes within IT -decision makers must understand the strategic directions and make decisions consistent with their intent -if localized, sub-optimal decisions will be made and the plan will not succeed
Network Administrator
-support computer networks through performance monitoring and trouble shooting -sometimes network administrators are called telecommunication analysts or network operators
Benefits of JIT Management
-synchronization of production scheduling with demand -arrival of supplies at regular intervals throughout the production day -improved coordination and team approach with suppliers -more efficient flow of goods between warehouses and production -reduced set-up time -greater efficiency in the use of employees with multiple skills
System Analysts vs. Computer Programmers
-system analysts design an information system to meet user needs, whereas computer programmers use that design to create an inforamtion system by writing computer programs -analysts are often in charge of hardware and programmers are in charge of application software -lack of this makes embezzling of funds likely as security is easily bypassed
Importance of System Testing
-system testing is the first step in the software development life cycle where the application is tested as a whole -the application is tested thoroughly to verify that it meets the functional and technical specifications -the application is tested in an environment that is very close to the production environment in which the application will be deployed -system testing enables QA to test, verify, and validate both the business requirements as well as the application architecture
Tone at the Top
-technology plays a crucial role in enabling the flow of information in an organization -the selection of specific technologies to support an organization typically is a reflection of the: 1. entity's approach to risk management and its degree of sophistication 2. types of events affecting the entity 3. entity's overall information technology architecture 4. degree of centralization of supporting technology
Cross-footing and Zero-balance Tests
-testing the sum of a column of row totals to the sum of a row of column totals to verify identical results which provides some assurances as to accuracy -a zero-balance test requires the use of control accounts
System Testing
-tests the system as a whole -once all the components are integrated, the application as a whole is tested rigorously to determine whether it meets the specified quality standards -this type of testing is performed by a specialized testing team
Customer Focus
-the TQM organization is characterized by the recognition that each function of the corporation exists to satisfy the customer -customers are identified as both external customers and internal customers
Brute-Force Attack
-the attacker simply tries every possible key until the right one is found -when encryption keys are longer in length it is less likely that the message or transaction be decrypted by the wrong party and the less likely the key is to be broken by this type of attack
Output Encryption
-the authenticity and integrity of data outputs must be protected during transmission -encryptions reduce the chance for data interception -controls should be designed to minimize the risk of data transmission errors -when a receiving unit detects a data transmission error, it requests the sending unit to retransmit that data; generally, the system will do this automatically and the user is unaware that it has occurred -parity checking and message acknowledgement are two basic types of data transmission controls
Backup of Systems that can be shutdown
-the backup process is relatively simple when a system can be shut down for backup and maintenance -when this is the case, files or databases that have changed since the last backup can be backed up using the son-father-grandfather or similar concept
Fresh Start
-the basic premise of business process reengineering is the idea that management will wipe the slate clean and reassess how business is done from the ground up -reengineering uses benchmarking and best practices to evaluate success
Benefits of Process Management
-the benefits of a studied and systematic approach to process management allow the company to monitor the degree to which process improvements are: -efficiency: fewer resources are used to accomplish organizational objectives -effectiveness: objectives are accomplished with greater predictability -agility: responses to change are faster and more reliable
Advantage of ASP
-the benefits of utilizing an ASP are lower costs (from a hardware, software, and people standpoint), and greater flexibility -small businesses especially benefit because they do not need to hire system experts to provide the services performed by ASP
IT Risk
-the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise -it consists of IT related events that could potentially affect the business -examples are: late project delivery, not achieving enough value from IT, compliance, obsolete or inflexible IT architecture, IT service delivery problems, and security issues
Electronic Data Interchange
-the exchange of business transaction documents from one computer to another -reduces likelihood of stockout costs since inventory can be re-ordered and ultimately received much faster -it is NOT a tool used for collaboration between humans
External Customers
-the external customer is the ultimate recipient or consumer of an organization's product or service
Default-Allow Policy
-the firewall administrator lists network services that are not allowed and everything else is accepted -the default-deny approach to firewall security is by far the more secure method, but due to difficulty in configuring and managing a network in that fashion, many networks instead use this approach
Default-Deny Policy
-the firewall administrator lists the allowed network services and everything else is denied
Initial Passwords and Authorization for System Access
-the first point of contact for for a new employee is generally the human resources department -HR should generate the request for a user account and system access rights -depending on the level of access being granted, the information security officer also may need to approve the account
Waste Reduction
-the focus of lean is on waste reduction and efficiency -the concept of preserving value while expending only the effort necessary is not uncommon and has a long history in business and economics -Kaizen and activity-based management initiatives are waste-reduction methodologies that use empirical data to measure and promote efficiencies
M5 - Input Controls
-the following source data controls regulate the integrity of input, which is crucial to accurate and complete output 1. Data validation at the field level (edit checks, meaningful error messages, input masks, etc) 2. Pre-numbering forms, making it possible to verify that all input is accounted for and that no duplicate entries exist 3. Well-defined source data preparation procedures, which are used to collect and prepare source documents
Top-down Integration Testing
-the highest-level modules are tested first and progressively lower-level modules are tested thereafter
Improve
-the improvement is selected and implemented
Risks related to legacy systems
-the incentives to stick with legacy software do not negate the risks -one of the most powerful disincentives is the unguarded security vulnerabilities of legacy products
Measure
-the indicators that will show a change to the process (e.g. reduced time, increased customer contacts, etc) are determined
Supply Chain Management
-the integration of business processes from the original supplier to the customer and includes purchasing, materials handling, production planning and control, logistics and warehousing, inventory control, and product distribution and delivery
Data Backup and Recovery Procedures - Challenges
-the most difficult aspect of recovery is often the telecommunications network -floor space and equipment determination: disaster recovery service providers normally have an extensive amount of floor space and an extensive amount of equipment, but they would have nowhere near enough if all customers declare a disaster at the same time -how much is needed is determined on a probabilistic basis; to a disaster recovery services provider, geographic and industry diversification of customer is extremely important -personnel issues: effective recovery and especially rapid effective recovery is often a function of having knowledgeable personnel involved
Technology Risk
-the need for technology risk management has intensified in recent years due to the speed of technological change, the degree to which technology is driving business, and the adoption of emerging and disruptive technologies that change the way business is done like cloud, connected devices, and mobile -includes strategic risk, operating risk, financial risk, and information risk
CRM Benefits
-the objective of CRM is to increase customer satisfaction and thus increase revenue and profitability -it attempts to do this by appearing to market to each customer individually -the assumptions are that 20% of customers generate 80% of sales and that it is 5 to 10 times more expensive to acquire a new customer than to obtain repeat business from an existing customer -also attempts to reduce sales costs and customer support costs -it attempts to identify the best customers and possibly provide those best customers with increased levels of service or simply drop the worst customers
Major Players in Disaster Recovery Plans
-the organization itself and the disaster recovery service provide (ex: IBM) -if application software packages are utilized, the package vendors may be involved -for distributed processing, hardware vendors may be involved -senior management support is absolutely necessary for an effective disaster recovery plan
Define
-the original process is defined as a baseline for current process functioning or process improvement
Supply Chain Management - Objectives
-the overall objectives of SCM are achieving flexibility and responsiveness in meeting the demands of customers and business partners -it might incorporate the following functions: 1. Planning - demand forecasting, product pricing, and inventory management 2. Sourcing - procurement and credit and collections 3. Making - product design, production scheduling, and facility management 4. Delivery - order management and delivery scheduling
Identify information resources
-this includes any hardware, software, systems, services, people, databases, and related resources important to the department
Operational CRM
-this is the automation of customer contacts or contact points
Application Programmer
-the person responsible for writing and/or maintaining application programs -a considerable number of the new ideas for the IT industry have been devoted to techniques to minimize or facilitate program maintenance -for internal control purposes, application programmers should not be given write/update access to data in production systems or unrestricted/uncontrolled access to application program change management systems
Hashing
-the process of changing a series of characters into a shorter, fixed length that represents the original string of characters
Parity Checking
-the process of taking the sum of the bits in a byte and adding either a zero or one to make the byte even for even parity or odd for odd parity -if the message arrives and a bit has changed during transmission then it is recognized and the message can be resent
E-Commerce
-the trading or facilitation of trading in products or services using computer networks like the internet -highly dependent upon robust communication systems to ensure continuous service
Mirroring
-the use of a backup computer to duplicate all of the processes and transactions on the primary computer -mirroring, which can be expensive, is sometimes used by banks and other organizations for which downtime is unacceptable
Categories of IT Risk
-there are three categories of IT risk which are defined as separate from but interrelated to general business risks 1. IT Benefit/Value Enablement Risk: related to missed opportunities to use technology to improve business processes 2. IT Program and Project Delivery Risk: related to the contribution of IT to new or improved business solutions 3. IT Operations and Service Delivery Risk: related to all aspects of the performance of IT systems and services
Irrational Methods - Improvement Initiatives
-these are intuitive and emotional; they lack structure and systematic evaluation -typically based on fashion, fad, or trend -they may result from an immediate need for cost reduction and stem from a very short-term viewpoint
Measures or Process Metrics
-these can be financial or non-financial and should correlate directly to the managed process -the measures are compared with expectations to monitor progress -examples of measures: gross revenue, customer contacts, customer satisfaction, operational statistics
Physical Controls
-these controls monitor and control the environment of the workplace and computing facilities -they also monitor and control access to and from such facilities
Contingency Plans
-these detail the procedures to be implemented when threats are encountered -one goal would be to minimize disruption of processing while ensuring the integrity of data input and processing
Performance Improvement
-these philosophies and techniques seek to provide the highest-quality goods and services in the most efficient and effective manner possible
Changes in Position
-these require coordination of effort between HR and IT -it is important to have procedures to address changes in jobs/roles and to remove access that is no longer needed -there must be a mechanism to disable accounts when an employee leaves an organization -the ideal scenario is for HR to alert IT prior to termination or otherwise as soon as possible
Access Control Lists
-these specify which users or system processes are granted access to objects as well as what operations are allowed on given objects
Network Intrusion Detection Systems
-these systems comprise devices or software programs that monitor network or system activities for malicious activities or policy violations and produce electronic reports for management
Inventory Management Systems
-these track the quantity of each item a company maintains, triggering an order when quantities fall below a pre-determined level -these are best used when the inventory management system is connected to the point of sale system
Logical Controls
-these use software and data to monitor and control access to information and computing systems
Why are information security management programs considered key?
-they are considered key for protecting the confidentiality, integrity, and availability of IT systems and business data
Monitoring and Control of Access to and from Facilities
-this can include the following examples: doors, locks with retina or fingerprint scanners, secure pass-throughs called mantraps, heating and air-conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc. -separating the network and workplace into functional areas are also physical controls
Buffer
-this concept is used throughout TOC -managers add buffers before and after each constraint to ensure that enough resource to accommodate the constraint exist -these can eliminate the effect of the constraint on work flow
Disaster Recovery
-this consists of an entity's plans for restoring and continuing operations in the event of the destruction of program and data files as well as processing capability -short-term problems or outages do not normally constitute disasters -if processing can be quickly re-established at the original processing location, then disaster recovery is not necessary -if processing cannot be quickly re-established at the original processing site, then disaster recovery is necessary
Gap Analysis
-this determines the gap or difference between industry best practices and the current practices of the organization -this analysis produces the following: target areas for improvement and a common objective database from which to develop strategic quality improvement
Segregation of Duties
-this ensures that an individual cannot complete a critical task by himself
Program-Framework Policy
-this establishes the overall approach to computer security (i.e. a computer security framework) -it adds detail to the program by describing the elements and organizations of the program and department that will carry out the security mission -06455
Optimization
-using the monitoring data and the original design, the process manager continues to refine the process
Demand Flow
-this manages resources using customer demand as the basis for resource allocation -it contrasts with resource allocations based on sales forecasts or master scheduling
Top Management Support
-this must actively describe and demonstrate support for the quality mission of the organization -management can communicate support by meaningful delegation of authority to quality circles and involvement of suppliers
Design
-this phase involves the identification of existing processes and the conceptual design of how processes should function oney have been improved
Virtual Private Network
-this provides an encrypted communication tunnel across the internet that allows remote users secure access to a network
Total Quality Management
-this represents an organizational commitment to customer-focused performance that emphasizes both quality and continuous improvement -total quality management identifies seven critical factors: 1) customer focus 2) continuous improvement 3) workforce improvement 4) top management support 5) objective measures 6) timely recognition 7) ongoing training
Ongoing Training
-this should occur on a recurring basis to ensure workforce understanding and involvement
Theory of Constraints
-this states that organizations are impeded from achieving objectives by the existence of one ore more constraints -the organization or project must be consistently operated in a manner that either works around or leverages the constraint -concerned with maximizing throughput by identifying and alleviating constraints
Bottom-up Integration Testing
-this testing begins with unit testing followed by tests of progressively higher-level combinations of units called modules or builds
Strategic Master Plan
-to align an organization's information system with its business strategies, a multi-year strategic master plan should be developed and updated annually -the plan should show the projects that must be completed to achieve long-range company goals and address the company's hardware, software, personnel, and infrastructure requirements
Rapid Cycle Testing
-to identify major bugs early in the development process, requiring integration of test planning, execution and reporting throughout the life cycle
Security Policy Goal
-to require people to protect information which in turn protects the organization, its employees and its customers
Standards and Baselines
-topic-specific and system-specific documents that describe overall requirements for security
Communication
-typically email is the principal means of communication between employees -may also include chat systems, online meeting tools and videoconferencing systems
Business-Level Strategy
-typically found in organizations that have autonomous departments with the need to develop their own strategies (not found in small businesses)
Segregation of Duties (IT)
-typically revolves around granting or restricting access to production programs and to production data
Digital Signatures
-use asymmetric encryption to create legally binding electronic documents -web-based e-signatures are an alternative and are provided by vendors as a software product -e-signature is a cursive-style imprint of a person's name that is applied to an electronic document -e-signatures are legally binding
3) Prescriptive Analytics
-use optimization and simulation algorithms to affect future decisions (most complex)
2) Predictive Analytics
-use statistical techniques and forecasting models to predict what could happen
Stand-alone Web Stores
-used by small companies mainly -Not integrated with larger accounting systems. Such stores are typically hosted by shopping cart software. Financial reports are generated as needed by the software . The reports are then imported into general accounting software
Program-Level Policies
-used for creating a management-sponsored community security program -this might prescribe the need for information security and may delegate the creation and management of the program to a role within the IT department
Customer Contacts
-used in sales driven organizations
Integrated Web Stores
-used mainly by larger companies -ERP systems that integrate all the major accounting functions, as well as the web store, into a single software system
Reasonableness Check
-used to verify the data input before acceptance by a syst
User Access
-user accounts are the first target of a hacker, care must be used when designing procedures for creating accounts and granting access to information
Biometric Device
-uses characteristics such as voice recognition or fingerprints to identify and authenticate an individuals -this would be the best control to mitigate the risk of unauthorized users accessing an IT system b/c voices and fingerprints are unique -08764
Six Sigma
-uses rigorous metrics in the evaluation of goal achievement -this is a continuous quality-improvement program that requires specialized training -the program expands on the Plan-Do-Check-Act model of process management described earlier and outlines methodologies to improve current processes and develop new processes
Unit Tests
-uses to validate the smallest components of the system, ensuring that they handle known input and output correctly -performed by developers before the setup is handed over to the testing team to formally execute the test cases -goal is to isolate each part of the program and show that individual parts are correct in terms of requirements and functionality
Multiple Data Center Backups
-using a data center to back up another or back up to a cloud provider, assuming that there is enough capacity to process the essential applications -orgs must decide what types of backups to perform in order to recover lost data
Use of a Disaster Recovery Service
-various levels and types of services can be provided, which could be one empty room or even complete facilities across the country where end users could be located -the major emphasis is on hardware and telecommunication services
Output Controls
-verification of system output provides additional control over processing integrity -includes... user review of output, reconciliation procedures, external data reconciliation, and output encryption
Beta Test
-version of the complete software is tested by the customer at his or her own site without the developer being present
Alpha Test
-version of the complete software is tested by the customer under the supervision of the developer at the developer's site
Mash-ups
-web pages that are collages of other webpages and other information -google maps is an example of this as it allows the user to view various sources of info superimposed on a single map
Evolving Hacker Tools
-when a new security flaw is discovered in a contemporary products, many times it can be exploited only by the most sophisticated hackers with a high degree of technical savvy -over time the hacker toolkit evolves and compromises which once required the most advanced knowledge can be executed by more rudimentary hackers using simple tools, often guided by online tutorials
Defining and publicizing the planning calendar
-when multiple levels of planning occur simultaneously, publicizing a planning calendar lets everyone know what's happening -- and when -- so that everyone involved is on the same page
Educated Hackers
-when security flaws are discovered in software, they are published so they can be known and acted on -this also educates the hackers and for a legacy product the known vulnerabilities have been exposed for years, providing ample time for hackers to learn, understand, and develop tools to exploit them
Internally Developed System
-works with end users to determine system requirements -designs the overall application system -determines the type of network needed
Steps in Disaster Recovery
1) Assess the risks 2) Identify mission-critical applications 3) Develop a plan for handling the mission-critical applications 4) Determine the responsibilities of the personnel involved in disaster recovery 5) Test the disaster recovery plan -main goal: to restore a company's operations
Data Analytics Processes
1) Descriptive Analytics 2) Predictive Analytics 3) Prescriptive Analytics
Risk Assessment Process
1) Prepare a Business Impact Analysis 2) Identify information resources 3) Categorize information resources by impact 4) Identify and categorize risks by likelihood 5) Information resources, associated risks, and corrective actions 6) Recommendations for mitigating risks
Five Areas of Focus - IT Governance
1) Strategic Alignment 2) Value Delivery 3) Resource Management 4) Risk Management 5) Performance Measures
Four Dimensions of Big Data
1) Volume: the volume of data is too large for traditional database software to store; storage is a huge challenge 2) Velocity: the flow of data is continuous, so the real value is in being able to analyze data in real time 3) Variety: the best big data comes from a variety of sources, including customer relationship management systems, social media feedback, point-of-sale records, and other sources 4) Veracity: biases or irrelevant data must be mined from big data in order to minimize the chance of making decisions based on the wrong data
Techniques of Process Management
1) define 2) measure 3) analyze 4) improve 5) control
Organizations constantly improve or replace information systems for any of the following reasons:
1. Changes in needs of a business unit (b/c of growth, downsizing, mergers, new regulations, etc.) 2. Technological advances resulting in more effective, but less costly systems 3. Improvements in business processes leading to shorter processing times 4. Competitive advantages as the result of improvements in quality, quantity, and speed of information gathering 5. Productivity gains due to automation of clerical tasks 6. System age and need for replacement
ERP Operations
1. ERP systems store information in a central repository so that data may be entered once and then accessed and used by the various departments 2. ERP systems act as the framework for integrating and improving an organization's ability to monitor and track sales, expenses, customer services, distribution, and many other business functions 3. ERP systems can provide vital cross-functional information quickly to managers across the organization in order to assist them in the decision-making process
Theory of Constraints - Five Steps
1. Identification of the Constraint: use of process charts or interview results in identification of the constraint that produces sub-optimal performance 2. Exploitation of the Constraint: planning around the constraint uses capacity that is potentially wasted by making or selling the wrong products, improper procedures in scheduling, etc. 3. Subordinate everything else to the above decisions - management directs its efforts to improving the performance of the constraint 4. Elevate the constraint: add capacity to overcome the constraint 5. Return to the first step: reexamine the process to optimize the results; remain cognizant that inertia can be a constraint
Recommendations for mitigating risks
1. Identify each recommendation that might be implemented and documented 2. Provide a justification for each proposed recommendation 3. Develop a cost-benefit analysis for each proposed recommendation (includes capital and direct costs, staff costs, training and support and any ongoing operating costs) 4. Specify any known implementation plans or specific dates for the recommendations
Development and Management of Security Policies
1. Security Objectives 2. Operational Security 3. Policy Implementation
Principles of Technology-Driven Strategy Development
1. Technology is a core input to the development of strategy 2. Strategy development must be a continual process since technology changes quickly 3. Innovative emerging business opportunities must be managed separately and differently from core businesses 4. Technology has the power to change long-held business assumptions; managers and executives must be open to this 5. Technology must be managed from two perspectives: -the ability of tech to create innovation in existing businesses -the ability of emerging technologies to create new markets/products 6. The focus should be on customer priorities, internal efficiencies, and ways that IT can be maximized for the advantage of the entity
Supply Chain Management - Characteristics
1. The goods received should match the goods ordered 2. The goods should be delivered on or before the date promised 3. The goods should be delivered to the location requested 4. The COGS should be as low as possible
Sequence of Events in an AIS
1. The transaction data from source documents is entered into the AIS by an end user (or by a customer) 2. The original source documents if they exist are filed 3. The transactions are recorded in the appropriate journal 4. The transactions are posted to the general and subsidiary ledgers 5. Trial balances are prepared 6. Adjustments, accruals, and corrections are entered; financial reports are generated -03476
Risk Assessment
1. identify threats 2. evaluate the probability that the threat will occur 3. evaluate the exposure in terms of potential loss from each threat 4. identify the controls that could guard against the threats 5. evaluate the costs and benefits of implementing controls 6. implement controls that are determined to be cost effective
Objectives of AIS
1. record valid transactions 2. properly classify those transactions 3. record the transactions at their proper value 4. record the transactions in the proper accounting period 5. properly present the transactions and related info in the f/s of the organization
Uninterrupted Power Supply (UPS)
A device that maintains a continuous supply of electrical power to connected equipment. AKA battery backup -used to prevent a system from shutting down inappropriately during an outage -prevents data loss and can protect the integrity of a backup while it is being performed -when a power failure occurs, the UPS switches to its own power source instantaneously so that there is no interruption in power to the system -this is NOT a backup standby generator as the battery will run out sooner or later -since a backup generator will not provide protection from a momentary power interruption, it is critical that the UPS be able to provide power without any interruption so that data will not be corrupted
Rational Methods - Improvement Initiatives
These are structured and systematic and involve the following: -strategic gap analysis: external (environmental) assessments and internal (organizational) assessments performed to create a strategic gap analysis -review competitive priorities (specifically price, quality, or other considerations) -review production objectives: review of performance requirements -choose improvement program: decide how to proceed for improvement
Processing Controls
includes data matching, file labels, recalculation of batch tools, cross-footing and zero-balance tests,
Organization of IT Governance Structure
includes... -tone at the top -key stakeholders (including steering committees) -governance objectives and policies -IT strategies and oversight
Implementing Improvement Initiatives
successful implementation activities include... -internal leadership: senior management must provide direction and commit resources to the implementation -inspections: ongoing implementation must be monitored and measured -executive support: executive management must be visible supportive of the initiative -internal process ownership: the individuals most deeply involved with process management must be committed to the need for process improvement and have the resources to carry it out
Internal Constraints
these are evident when the market demands more than the systems can produce examples: -equipment may be inefficient or used inefficiently -people may lack the necessary skills or mind-set necessary to produce required efficiencies -policies may prevent the efficient use of resources
High Impact
under a high impact category, the department: -cannot operate without this information resource for even a short period of time -may experience a high recovery cost -may realize har or obstruction to achieving one's mission or to maintaining one's reputation
Low Impact
under a low impact category, the department: -could operate without this info resource for an extended (although perhaps finite) period of time, during which particular units or individuals may be inconvenienced and/or need to identify alternatives -may notice an effect on achieving one's mission or maintaining one's reputation
Medium Impact
under a medium impact category, the department: -could work around the loss of this info resource for days or a week but eventually restoration of the resource must occur -may experience some cost of recovery -may realize harm or obstruction to achieving one's mission or to maintaining one's reputation
Risk IT Framework
used with other frameworks to achieve the following three objectives: 1. Integrate the management of IT risk into the overall risk management of the enterprise 2. Make well-informed decisions about the nature and extent of the risk, the risk appetite, and the risk tolerance of the enterprise 3. Develop a response to the risk
Analyze
various simulations or models are used to determine the targeted or optimal improvement