info systems chapter objectives

Identify two key management responsibilities in implementing successful information systems.

Managers of the business functions most affected by the new information system have a key responsibility to ensure that the people, processes, and human structure components are fully addressed.

Identify six non-technical skills needed to be an effective information system worker.

communication knowledge management leadership personal accountability time management understanding of business functions

Describe four fundamental information system types based on their sphere of influence

personal information system- information systems that improve the productivity of individual users in performing stand-alone tasks. word-processing, presentation, time management, and spreadsheet software. workgroup information system- supports teamwork and enables people to work together effectively, whether team members are in the same location or dispersed around the world. instant messaging software, electronic conferencing software, and collaboration software used to move groups through the steps of a process toward their goals. enterprise information system- used to meet organization-wide business needs and typically shares data with other enterprise applications used within the organization. logistics, manufacturing, human resources, marketing and sales, order processing, accounting, inventory control, customer relationship management, and other essential business functions. interorganizational information system- enables the sharing of information across organizational boundaries. provides benefits such as lower costs, reduced manual effort, and decreased time to conduct business

Identify eight steps that must be taken to perform a thorough security risk assessment.

-Step 1—Identify the set of IT assets about which the organization is most concerned. Priority is typically given to those assets that support the organization's mission and the meeting of its primary business goals -Step 2—Identify the loss events or the risks or threats that could occur, such as a DDoS attack or insider fraud. -Step 3—Assess the frequency of events or the likelihood of each potential threat; some threats, such as insider fraud, are more likely to occur than others. -Step 4—Determine the impact of each threat occurring. Would the threat have a minor impact on the organization, or could it keep the organization from carrying out its mission for a lengthy period of time? -Step 5—Determine how each threat can be mitigated so that it becomes much less likely to occur or, if it does occur, has less of an impact on the organization. For example, installing virus protection on all computers makes it much less likely that a computer will contract a virus. Due to time and resource limitations, most organizations choose to focus on just those threats that have a high (relative to all other threats) probability of occurrence and a high (relative to all other threats) impact. In other words, first address those threats that are likely to occur and that would have a high negative impact on the organization. -Step 6—Assess the feasibility of implementing the mitigation options. -Step 7—Perform a cost-benefit analysis to ensure that your efforts will be cost effective. No amount of resources can guarantee a perfect security system, so organizations must balance the risk of a security breach with the cost of preventing one. The concept of reasonable assurance in connection with IT security recognizes that managers must use their judgment to ensure that the cost of control does not exceed the system's benefits or the risks involved. -Step 8—Make the decision on whether or not to implement a particular countermeasure. If you decide against implementing a particular countermeasure, you need to reassess if the threat is truly serious and, if so, identify a less costly countermeasure.

Define the term computer forensics.

A discipline that combines elements of law and computer science to identify, collect, examine, and preserve data from computer systems, networks, and storage devices in a manner that preserves the integrity of the data gathered so that it is admissible as evidence in a court of law.

Identify four benefits of creating a strategic plan.

A framework and a clearly defined direction to guide decision making at all levels and across all organizational units The most effective use of the organization's resources by focusing those resources on agreed-on key priorities The ability of the organization to be proactive and to take advantage of opportunities and trends, rather than passively reacting to them Improved communication among management, employees, the board of directors, shareholders, and other interested parties

State three reasons why organizations employ the Leavitt's Diamond model to introduce new systems into the workplace.

An organization's information system operates within a context of people, technology infrastructure, structure, and processes Organizations use this model to introduce new systems into the workplace in a manner that lowers stress, encourages teamwork, and increases the probability of a successful implementation.

Identify four classes of perpetrators mostly likely to initiate a cyberattack.

Careless insider- An inside (employee, business partner, contractor, consultant) who does not follow the organization's security polices and enables a cyberattack to occur Malicious employees- An insider who deliberately attempts to gain access to and/or disrupt a company's information systems and business operationsAn insider who deliberately attempts to gain access to and/or disrupt a company's information systems and business operations Cybercriminal-Someone who attacks a computer system or network for financial gain Hacktivist-An individual who hacks computers or Web sites in order to promote a political ideology Lone wolf attacker- Someone who violates computer or Internet security maliciously or for illegal personal gain Cyberterrorist- State-sponsored individual or group who attempts to destroy the infrastructure components of governments, financial institutions, corporations, utilities, and emergency response units

Identify five federal laws that address computer crime.

Computer Fraud and Abuse Act (U.S. Code Title 18, Section 1030)- Addresses fraud and related activities in association with computers, including the following: Accessing a computer without authorization or exceeding authorized access Transmitting a program, code, or command that causes harm to a computer Trafficking of computer passwords Threatening to cause damage to a protected computer Fraud and Related Activity in Connection with Access Devices Statute (U.S. Code Title 18, Section 1029)- Covers false claims regarding unauthorized use of credit cards Identity Theft and Assumption Deterrence Act (U.S. Code Title 18, Section 1028)- Makes identity theft a federal crime, with penalties of up to 15 years of imprisonment and a maximum fine of $250,000 Stored Wire and Electronic Communications and Transactional Records Access Statutes (U.S. Code Title 18, Chapter 121)- Focuses on unlawful access to stored communications to obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage USA Patriot Act- Defines cyberterrorism and associated penalties

Identify five consequences of a successful cyberattack.

DIRECT IMPACT This is the value of the assets (cash, inventory, equipment, patents, copyrights, trade secrets, data) stolen or damaged due to the cyberattack. BUSINESS DISRUPTION A successful cyberattack may make it impossible for the organization to operate in an effective manner for several hours or days. RECOVERY COST It may take people from the IS organization and business areas days or weeks to repair affected systems and recover lost or compromised data. LEGAL CONSEQUENCES There is the prospect of monetary penalties for businesses that fail to comply with data protection legislation. REPUTATION DAMAGE A successful cyberattack can erode the trust your organization has established with your customers, suppliers, business partners, and shareholders.

Describe the role of a managed security service provider.

For example, members of the finance department should have different authorizations from members of the human resources department.

Identify two benefits of obtaining a certification in an IS subject area.

Getting certified from a software, database, or network company may open the door to new career possibilities or result in an increase in pay. 65 percent of employers use IT certifications to differentiate between equally qualified candidates, while 72 percent of employers require some form of IT certification for certain job roles

Identify at least three commonly used attack vectors.

Spam- The use of email systems to send unsolicited email to large numbers of people. Virus- A piece of programming code, usually disguised as something else, that causes a computer to behave in an unexpected and usually undesirable manner. Advanced persistent threat- A network attack in which an intruder gains access to a network and stays there—undetected—with the intention of stealing data over a long period of time.

Define the term attack vector.

The technique used to gain unauthorized access to a device or a network.

Discuss how the CIA security triad can be implemented at the organizational, network, application, and end user levels to safeguard against cyberattacks.

a layered security solution makes cyberattacks so difficult that an attacker eventually gives up or is detected before much harm is inflicted

Describe five actions an organization must take in response to a successful cyberattack.

authentication methods firewall routers encryption and proxy server virtual private networks

Identify four drivers that help set the information system organizational strategy.

corporate strategy technology innovations innovative thinking business unit strategy

Identify three ways the IS organization can be perceived by the rest of the organization, and how each can influence the IS strategy

cost center- inward looking, Control/reduce IS costs; improve IS operations and services. React to strategic plans of business units. Eliminate redundant or ineffective IS services. business partner- business focused. Improve IS/business partnership. Control IS costs; expand IS services. Execute IS projects to support plans of business. Implement new systems and technology infrastructure; redesign business processes game changer- outward looking, Drive business innovation; deliver new products and services. Use IS to achieve competitive advantage. Provide new ways for customers to interact with organization

State four reasons why computer incidents have become so prevalent.

increasing computing complexity- the number of possible entry points to a network expands continually as more devices are added, further increasing the possibility of security breaches. In addition, organizations are constantly adding new applications, modifying existing applications, and replacing older, legacy information systems. increase in the prevalence of bring your own device- this practice raises many potential security issues as it is highly likely that such devices are also used for nonwork activity, such as browsing Web sites, blogging, shopping, and visiting social networks. This nonwork activity exposes the devices to malware much more frequently than a device that is used strictly for business purposes. (The malware may then be spread throughout the company.) In addition, BYOD makes it extremely difficult for IT organizations to adequately safeguard the wide range of portable devices with various operating systems and a myriad of applications. growing reliance on software with known vulnerabilities- Any delay in installing a patch (that would resolve an exploit) exposes the system to a potential security breach. The need to install a fix to prevent a hacker from taking advantage of a known system vulnerability can create a time-management dilemma for system support personnel trying to balance a busy work schedule. increasing sophistication of those who would do harm- today's computer attacker has the depth of knowledge, financial wherewithal, and expertise to get around computer and network security safeguards. glorified because they may be part of an organized group (such as Anonymous, Chaos Computer Club, Lizard Squad, TeslaTeam)

Identify five cyberthreats that pose a serious threat for organizations.

ransomware- malware that stops you from using your computer or accessing the data on your computer until you meet certain demands, such as paying a ransom or, in some cases, sending compromising photos to the attacker. distributed denial-of-service attacks- A cyberattack in which a malicious hacker takes over computers via the Internet and causes them to flood a target site with demands for data and other small tasks. data breaches- The unintended release of sensitive data or the access of sensitive data by unauthorized individuals. cyberespionage- The deployment of malware that secretly steals data in the computer systems of organizations. cyberterrorism- The intimidation of government or civilian population by using information technology to disable critical national infrastructure (e.g., energy, transportation, financial, law enforcement, emergency response) to achieve political, religious, or ideological goals.

Discuss the traditional and contemporary view of the role that information systems play in an organization's value chains.

traditional- holds that organizations use information systems to control and monitor processes and to ensure effectiveness and efficiency. contemporary- holds that information systems are often so intimately involved that they are part of the process itself.