BEC Section 6
Techniques - Business Process Management
-Define - original process is defined as a baseline for current process functioning or process improvement -Measure - the indicators that will show a change to the process (reduced time, increased customer contacts, etc) are determined -Analyze - various simulations or models are used to determine the targeted or optimal improvement -Improve - improvement is selected and implemented -Control - dashboards and other measurement reports are used to monitor the improvement in real time and apply the data to the model for improvement.
New Product or Business Process Development (DMADV)
-Define Design Goals: design goals that are consistent with customer demands -Measure CTQ (Critical to Quality Issues): Analyze the value chain to determine the features that provide value to the customer and the production capabilities that are available. -Analyze Design Alternatives: develop different methodologies to produce the new product. -Design Optimization: use modeling techniques to determine optimization of the proposed process -Verify the Design: implement and test the plan.
Existing Product and Business Process Improvements (DMAIC)
-Define the problem: based on customer comments, failed project goals, or other issues, establish that a problem exists. -Measure key aspects of the current process: collect relevant data. -Analyze data: examine the relationships between data elements. -Improve or optimize current processes: use models and data to determine how the process can be optimized. -Control: develop a statistical process control plan to monitor results.
Risks of Legacy Systems
-Lack of Vendor Support: support may end and new vulnerabilities may no longer be patched (e.g., Apple ending updates for older devices). -Old "Threatscape": the system was developed when understanding of the security threat landscape was less advanced than it is now. -Code Reuse: legacy code can carry security vulnerabilities that predate even the legacy product. -Educated Hackers: attackers have had ample time to learn, understand, and develop tools to exploit the system. -Patch Lag: organizations are slow to install the patches that do exist. -Evolving Hacker Tools: compromises that once required advanced knowledge can now be executed by less skilled attackers using simple tools, often guided by online tutorials. -Dependency on an Insecure Platform:
Information Resources Associated Risks and Corrective Actions
-List the high impact information resources and document the risks associated with each information resource. -Supply comments where needed to clarify a specific situation. Denote the risk likelihood. -Finally indicate the action decision by the team to mitigate each specified risk. Definitions for risk actions are as follows: 1. High Action (H) - take corrective actions as soon as possible 2. Medium Action (M) - implement corrective actions within a reasonable time frame. 3. Low Action (L) - take no corrective actions. Accept the level of risk.
Policy Support Documents
-Regulations: laws, rules, and regulations generally represent governmentally imposed restrictions passed by regulators and lawmakers. -Standards and Baselines: topic-specific and system-specific documents that describe the overall requirements for security. -Guidelines: hints, tips, and best practices. -Procedures: step-by-step instructions.
Governance Objectives - IT
-Strategic Alignment - defining, maintaining and validating IT value. -Value Creation - promised benefits to organization while satisfying customers and optimizing costs. -Resource Management -Risk Management - risk awareness by senior management, understanding risk appetite and responsibilities. -Performance Measurement - tracking and monitoring strategy implementation, project completion, resource usage, performance and service delivery
Input Controls
1. Data validation at the field level (edit checks with meaningful error messages). 2. Prenumbered forms, making it possible to verify that all input is accounted for and that no duplicate entries exist. 3. Well-defined source data preparation procedures.
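Worked example (added here, not from the original card): a Go program that applies field-level edit checks and a prenumbered-form sequence check to a constructed batch of sales orders. The record layout, the CUST-9999 customer code format, and the quantity limit are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// SalesOrder is one keyed record from a prenumbered source document.
// The field names and formats are assumptions made for this example.
type SalesOrder struct {
	FormNo   int    // preprinted form number
	Customer string // customer code, expected to look like CUST-0042
	Qty      int
	Price    int64 // unit price in cents
}

var customerPattern = regexp.MustCompile(`^CUST-[0-9]{4}$`)

// EditChecks runs field-level edit checks on one record and returns one
// meaningful error message per failed check (an empty slice means the record passes).
func EditChecks(o SalesOrder) []string {
	var errs []string
	if o.FormNo <= 0 {
		errs = append(errs, fmt.Sprintf("form %d: form number must be positive", o.FormNo))
	}
	if !customerPattern.MatchString(o.Customer) {
		errs = append(errs, fmt.Sprintf("form %d: customer code %q must have the form CUST-9999", o.FormNo, o.Customer))
	}
	if o.Qty < 1 || o.Qty > 10000 {
		errs = append(errs, fmt.Sprintf("form %d: quantity %d is outside the limit 1..10000", o.FormNo, o.Qty))
	}
	if o.Price <= 0 {
		errs = append(errs, fmt.Sprintf("form %d: unit price must be greater than zero", o.FormNo))
	}
	return errs
}

// SequenceCheck verifies a batch of prenumbered forms: every number in
// first..last must appear exactly once. It returns the missing numbers
// (forms not accounted for) and the duplicated numbers (entered twice).
func SequenceCheck(batch []SalesOrder, first, last int) (missing, dup []int) {
	seen := make(map[int]int)
	for _, o := range batch {
		seen[o.FormNo]++
	}
	for n := first; n <= last; n++ {
		if seen[n] == 0 {
			missing = append(missing, n)
		} else if seen[n] > 1 {
			dup = append(dup, n)
		}
	}
	return missing, dup
}

// SampleBatch is constructed input: forms 1001-1006 were issued, 1003 was never
// entered, 1005 was keyed twice, and two records carry bad field values.
var SampleBatch = []SalesOrder{
	{FormNo: 1001, Customer: "CUST-0042", Qty: 10, Price: 1999},
	{FormNo: 1002, Customer: "CUST-42", Qty: 3, Price: 500},    // bad customer code format
	{FormNo: 1004, Customer: "CUST-0007", Qty: 0, Price: 1200}, // zero quantity
	{FormNo: 1005, Customer: "CUST-0011", Qty: 2, Price: 850},
	{FormNo: 1005, Customer: "CUST-0011", Qty: 2, Price: 850}, // duplicate entry
	{FormNo: 1006, Customer: "CUST-0099", Qty: 1, Price: 10000},
}

func main() {
	for _, o := range SampleBatch {
		for _, e := range EditChecks(o) {
			fmt.Println("edit check failed:", e)
		}
	}
	missing, dup := SequenceCheck(SampleBatch, 1001, 1006)
	fmt.Println("missing forms:", missing, "duplicate forms:", dup)
}
```

The sequence check is what the prenumbering buys you: the edit checks catch bad values inside a record, but only the gap-and-duplicate pass tells you that form 1003 never arrived and that 1005 was entered twice.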
Activities - Business Process Management
1. Design - identification of existing processes and the conceptual design of how processes should function once they have been improved. 2. Modeling - introduces variables to the conceptual design for what-if analysis. 3. Execution - design changes are implemented and key indicators of success are developed. 4. Monitoring - information is gathered, tracked, and compared with expected performance. 5. Optimization - using the monitoring data and the original design, the process manager continues to refine the process.
Five Steps of TOC
1. Identification of the constraint - process charts or interviews are used to identify the constraint that produces suboptimal performance. 2. Exploitation of the constraint - planning around the constraint recovers capacity that is otherwise wasted by making or selling the wrong products or by improper scheduling procedures. 3. Subordinate everything else to the above decisions - management directs its efforts to improving the performance of the constraint. 4. Elevate the constraint - add capacity to overcome the constraint. 5. Return to the first step - reexamine the process to optimize the results, remaining aware that inertia itself can become a constraint.
Objective of an AIS (Accounting information system)
1. Record valid transactions. 2. Properly classify those transactions. 3. Record the transactions at their proper value. 4. Record the transactions in the proper accounting period. 5. Properly present the transactions and related information in the financial statements of the organization.
Five Areas of Focus - IT Governance
1. Strategic Alignment - linking business and IT so they work well together. 2. Value Delivery - making sure that the IT department does what is necessary to deliver the benefits promised at the beginning of a project or investment. 3. Resource Management - one way to manage resources more effectively is to organize staff more efficiently. 4. Risk Management - instituting a formal risk framework that puts rigor around how IT measures, accepts, and manages risk. 5. Performance Measures - putting structure around measuring business performance.
Principles of Technology Driven strategy Development
1. Technology is a core input to the development of strategy, just as much as customers, markets, and competitors. 2. Because of the speed with which technology changes, strategy development must be a continual process rather than something revisited every three to five years. 3. Innovative emerging business opportunities must be managed separately and differently from core businesses. 4. Technology has the power to change long-held business assumptions; managers and executives must be open to this. 5. Technology must be managed from two perspectives: the ability of technology to create innovation and the ability of emerging technologies to create new markets. 6. The focus should be on customer priorities, internal efficiencies, and the ways IT can be leveraged to the entity's advantage.
Sequence of Events in an AIS
1. Transaction data from source documents is entered into the AIS by an end user; alternatively, an order may be entered over the internet by a customer. 2. The original source documents, if they exist, are filed. 3. The transactions are recorded in the appropriate journal. 4. The transactions are posted to the general and subsidiary ledgers. 5. Trial balances are prepared. 6. Adjustments, accruals, and corrections are entered, and financial reports are generated.
Steps in Disaster Recovery
1. Assess the risks. 2. Identify mission-critical applications and data. 3. Develop a plan for handling the mission-critical applications. 4. Determine the responsibilities of the personnel involved in disaster recovery. 5. Test the disaster recovery plan. Depending on the organization, the disaster recovery plan may be limited to the restoration of IT processing or may extend to the restoration of functions in end-user areas. One factor that must be considered in business continuity is the paper records that might normally be maintained in end-user areas and that could be lost in a disaster. The disadvantage is the cost and effort required to establish and maintain a disaster recovery plan; a plan that is never tested gives little assurance that it will work.
Risk Assessment
1. Identify threats. 2. Evaluate the probability that each threat will occur. 3. Evaluate the exposure in terms of potential loss from each threat. 4. Identify the controls that could guard against the threats. 5. Evaluate the costs and benefits of implementing the controls. 6. Implement the controls that are determined to be cost effective.
Constraints - (TOC)
A constraint is anything that impedes the accomplishment of an objective. Constraints for purposes of TOC are limited in total and sometimes organizations may face only one constraint. Internal Constraints - are evident when the market demands more than the system can produce. Equipment may be inefficient or used inefficiently. People may lack the necessary skills or mind set necessary to produce required efficiencies. Policies may prevent the efficient use of resources. External Constraints - exist when the system produces more than the market requires.
Effectiveness of Control Policies
A diagnostic control system compares actual performance with planned performance. Diagnostic controls are designed to achieve efficiency in operations of the firm to get the most from resources used. Control Effectiveness: -Strategic Master Plan: to align organizations information system with its business strategies, a multiyear strategic master plan should be developed and updated annually. -Data Processing Schedule: all data processing tasks should be organized according to a data processing schedule -Steering Committee: should be formed to guide and oversee systems development and acquisition. -System Performance Measurements: common measurements include throughput, utilization, and response time.
Introduction to Business Process Management
A management approach that seeks to coordinate the functions of an organization toward an ultimate goal of continuous improvement in customer satisfaction. Customers may be internal or external to the organization. Process management seeks effectiveness and efficiency through the promotion of innovation, flexibility, and integration with technology, and attempts to improve processes continuously. By focusing on processes, an organization becomes more nimble and responsive than hierarchical organizations that are managed by function.
Process Improvements/Activity Based Management
Activity-based costing (ABC) and activity-based management (ABM) are highly compatible with process improvements and total quality management (TQM). Cost Identification - ABC and ABM systems highlight the costs of activities; the availability of cost data by activity makes the costs of quality and of value-added activities more obvious. Implementation - organizations with ABC and ABM programs are more likely to have the information they need to implement a TQM program. Process improvement results from a detailed process management program (sometimes referred to as an activity-based management system, or ABM).
Recommendations for Mitigating Risks
All high and medium risk actions associated with high-impact information resources need a documented recommendation or plan for mitigating each risk. 1. Identify each recommendation. 2. Provide a justification for each proposed recommendation. 3. Develop a cost-benefit analysis for each proposed recommendation. 4. Specify any known implementation plans or specific dates for the recommendations.
Dynamic Content
Any content that changes frequently; it can include video, audio, and animation. In the context of HTML and the World Wide Web, dynamic content is website content that constantly or regularly changes based on user interactions, timing, and other parameters that determine what is delivered to the user, so the content of a site may differ for every user. Facebook is an example of a site that delivers dynamic content, since every user sees different content based on friends and social interactions.
Computer Programmer
Application Programmer/Software Developer - the application programmer is the person responsible for writing and/or maintaining application programs. A considerable number of new ideas in the IT industry have been devoted to techniques that minimize or facilitate program maintenance. For internal control purposes, application programmers should not be given write/update access to data in production systems, or unrestricted and uncontrolled access to application program change management systems. System Programmer - the system programmer is responsible for installing, supporting (troubleshooting), monitoring, and maintaining the operating system. For internal control purposes, system programmers should not be given write/update access to data in production systems or access to change management systems.
Application Service Providers (ASP)
Application programs offered on a rental basis. ASPs allow smaller companies to avoid the extremely high cost of owning and maintaining today's application systems by letting them pay only for what is used. The ASP owns and hosts the software, and users access it through a web browser. Advantages of an ASP - lower costs from a hardware, software, and people standpoint, and greater flexibility. Disadvantages of an ASP - possible risk to the security and privacy of the organization's data, the financial viability (or lack thereof) of the ASP, and possibly poor support.
Split-Mirror Backup
As the amount of data needed to support many large companies grows, so do the time and resources it takes those companies to back up and recover that data. One often-used, effective method is the split-mirror backup, which is useful when the main systems must always be online: a mirror copy of the production data is detached (split) and backed up offline, typically to a remote server, while the primary copy keeps serving the application. The offline copy can be restored in the event of a disaster.
What is Big Data
Big data analytics is focused on finding marketing and sales patterns, discovering previously unknown relationships, detecting new market trends and being able to ferret out actual customer preferences. In order to benefit from big data companies must have the systems and people to mine it and refine it so that it is useful for making decisions.
Alternative Processing Facilities
Cold Site - an off-site location that has all the electrical connections and other physical requirements for data processing, but not the actual equipment. Cold sites usually require one to three days to become operational because equipment has to be acquired. Hot Site - an off-site location that is equipped to take over the company's data processing; backup copies of essential data files and programs may also be maintained at the location or at a nearby data storage facility. Warm Site - a facility already stocked with the hardware needed to create a reasonable facsimile of the primary data center, but without current data; the latest backups must be restored before it can take over, so recovery takes longer than at a hot site.
Supply Chain Management Systems (SCM)
Concerned with the four important characteristics of every sale: what, when, where, and how much. 1. Goods received should match the goods ordered. 2. Goods should be delivered on or before the date promised. 3. Goods should be delivered to the location requested. 4. The cost of the goods should be as low as possible. SCM is the integration of business processes from the original supplier to the customer and includes purchasing, materials handling, production, logistics, and warehousing. Objectives and Functions - achieving flexibility and responsiveness in meeting the demands of customers. Incorporates: planning, sourcing, making, and delivery.
Disaster Recovery
Consists of an entity's plans for restoring and continuing operations in the event of the destruction of program and data files, as well as of processing capability. Short-term problems or outages do not normally constitute disasters: if processing can be quickly reestablished at the original processing location, disaster recovery is not necessary; if it cannot, disaster recovery is necessary.
Outsourcing
Contracting of services to an external provider. Can provide efficiencies but there are also risks. -Quality Risk (product) -Quality of Service -Productivity -Staff turnover -Language Skills -Security -Qualification of Outsourcers -Labor Insecurity
Program Modification Controls
Controls over changes to programs being used in production applications. Program modification controls include both controls designed to prevent changes by unauthorized personnel and controls that track program changes so that there is a record of what version of what programs are running in production at any specific point in time.
Enterprise Resource Planning Systems (ERP)
A cross-functional enterprise system that integrates and automates business processes. It comprises a number of modules that can function independently or as an integrated system. Despite the name, an ERP normally does not offer anything in the way of planning. It is considered a back-office system. ERP Operations: 1. Store information in a central repository. 2. Act as the framework for integrating and improving an organization's ability to monitor and track sales. 3. Provide vital cross-functional information quickly to managers.
Total Quality Management Factors
Customer Focus - each function of the corporation exists to satisfy the customer. The external customer is the ultimate recipient or consumer of the product or service; internal customers are the links in the value chain. Continuous Improvement - quality is not just the goal; it is embedded in the process. Workforce Involvement - team approaches and worker input to process development and improvement. Top Management Support - actively describe and demonstrate support. Objective Measures - unambiguous, clearly communicated, and consistently reported. Timely Recognition - compensation and general recognition. Ongoing Training - occurs on a recurring basis to ensure workforce understanding and involvement.
Use of Data Analytics
Customer Analytics - supports digital marketing and allows the company to deliver timely, relevant, and anticipated offers to customers. Operational Analytics - uses data mining and data collection tools to plan for more effective business operations; normally used to observe and analyze business operations in real time. Risk and Compliance Analytics - used in enterprise risk management activities such as continuous monitoring, continuous auditing, and fraud detection. New Product and Services Innovation Analytics - used to determine where innovation is needed and to isolate the product qualities that are most important to customers.
Demand Flow
Customer demand is the basis for resource allocation; demand flow contrasts with resource allocation based on sales forecasts or master scheduling. Relationship to Just in Time - demand flow is akin to just-in-time processes that focus on efficiently coordinating the demand for goods in production with the supply of goods in production. Kanban systems, which visually coordinate demand requirements on the manufacturing floor with suppliers, are used to coordinate demand flow. Relationship to Lean - demand flow is designed to maximize efficiency and reduce waste. One-piece-flow manufacturing environments, in which components move progressively from one production function to the next, benefit from demand flow ideas.
Processing Controls
Data Matching - matching two or more items of data before taking an action improves transaction processing (e.g., matching a vendor invoice to the purchase order and, in a three-way match, the receiving report before paying it). File Labels - ensure that the correct and most current files are updated. Recalculation of Batch Totals - comparison of amounts input to amounts output; hash totals (sums of a non-financial field such as account numbers) can also be used to confirm that the correct source documents were included. Cross-Footing and Zero-Balance Tests - cross-footing checks that column totals agree with the sum of the row totals; a zero-balance test checks that a control account, or the difference between two totals that should agree, nets to zero.
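Worked example (added here, not from the original card): a Go program that records batch control totals (record count, financial total, hash total) at input, recalculates them from the output, and cross-foots the rows and columns. The payment layout and the constructed batches are assumptions made for the example; the substituted record in the output batch is there to show that only the hash total catches a swap that leaves the financial total unchanged.

```go
package main

import "fmt"

// Payment is one posting in a batch; amounts are in cents. Field names are
// assumptions made for this example.
type Payment struct {
	AccountNo int // non-financial field: the basis of the hash total
	Principal int64
	Interest  int64
	Total     int64 // should equal Principal + Interest
}

// ControlTotals are the figures recorded when the batch is entered and
// recalculated after processing.
type ControlTotals struct {
	RecordCount int
	Financial   int64 // sum of a meaningful amount (Total)
	Hash        int   // sum of account numbers: meaningless as a number, useful as a control
}

func Totals(batch []Payment) ControlTotals {
	var ct ControlTotals
	for _, p := range batch {
		ct.RecordCount++
		ct.Financial += p.Total
		ct.Hash += p.AccountNo
	}
	return ct
}

// RecalcBatchTotals compares input totals with totals recalculated from the
// output and reports every control that disagrees.
func RecalcBatchTotals(input, output []Payment) []string {
	in, out := Totals(input), Totals(output)
	var ex []string
	if in.RecordCount != out.RecordCount {
		ex = append(ex, fmt.Sprintf("record count %d in, %d out", in.RecordCount, out.RecordCount))
	}
	if in.Financial != out.Financial {
		ex = append(ex, fmt.Sprintf("financial total %d in, %d out", in.Financial, out.Financial))
	}
	if in.Hash != out.Hash {
		ex = append(ex, fmt.Sprintf("hash total %d in, %d out (records substituted?)", in.Hash, out.Hash))
	}
	return ex
}

// CrossFoot checks each row (Principal + Interest == Total) and then the
// columns: the sum of the Total column must equal the sum of the other two
// columns, i.e. their difference must be zero (a zero-balance test).
func CrossFoot(batch []Payment) []string {
	var ex []string
	var sumP, sumI, sumT int64
	for _, p := range batch {
		if p.Principal+p.Interest != p.Total {
			ex = append(ex, fmt.Sprintf("account %d: %d + %d != %d", p.AccountNo, p.Principal, p.Interest, p.Total))
		}
		sumP += p.Principal
		sumI += p.Interest
		sumT += p.Total
	}
	if diff := sumT - (sumP + sumI); diff != 0 {
		ex = append(ex, fmt.Sprintf("columns do not cross-foot: difference %d", diff))
	}
	return ex
}

// Constructed batches. OutputBatch has the same record count and the same
// financial total as InputBatch, but the posting to account 10003 was
// replaced by one to 10099; only the hash total reveals the substitution.
var InputBatch = []Payment{
	{AccountNo: 10001, Principal: 5000000, Interest: 125000, Total: 5125000},
	{AccountNo: 10002, Principal: 2000000, Interest: 50000, Total: 2050000},
	{AccountNo: 10003, Principal: 3000000, Interest: 75000, Total: 3075000},
}

var OutputBatch = []Payment{
	{AccountNo: 10001, Principal: 5000000, Interest: 125000, Total: 5125000},
	{AccountNo: 10002, Principal: 2000000, Interest: 50000, Total: 2050000},
	{AccountNo: 10099, Principal: 3000000, Interest: 75000, Total: 3075000},
}

// BadBatch contains a row whose total was keyed wrongly.
var BadBatch = []Payment{
	{AccountNo: 10001, Principal: 5000000, Interest: 125000, Total: 5126000},
	{AccountNo: 10002, Principal: 2000000, Interest: 50000, Total: 2050000},
}

func main() {
	fmt.Println("batch total exceptions:", RecalcBatchTotals(InputBatch, OutputBatch))
	fmt.Println("cross-foot exceptions:", CrossFoot(BadBatch))
}
```

Amounts are kept in integer cents on purpose: control totals compared as floating-point values can disagree by rounding alone, which produces false exceptions and trains operators to ignore the report.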
Backup Files
Data backups are necessary both for recovery in a disaster scenario and for recovery from processing problems. Backup of Systems That Can Be Shut Down - the backup process is relatively simple when a system can be shut down for backup and maintenance; files or databases that have changed since the last backup are backed up, and backup generations are retained using the grandfather-father-son rotation. Backup of Systems That Do Not Shut Down - recovery uses the last backup plus the transaction log: the logged transactions are reapplied to bring the data back to the point immediately before the failure. Mirroring - a backup computer duplicates all of the processes and transactions on the primary computer.
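Worked example (added here, not from the original card): a Go program that restores a system that never shuts down from its last full backup plus the transaction log, and rotates backups through three grandfather-father-son generations. The ledger, the log, and the failure point are constructed for the example.

```go
package main

import "fmt"

// Ledger holds account balances in cents: the constructed system being backed up.
type Ledger map[string]int64

// LogEntry is one committed transaction in the transaction log, numbered in commit order.
type LogEntry struct {
	Seq     int
	Account string
	Delta   int64
}

// Snapshot is a full backup: a point-in-time copy of the data and the
// sequence number of the last transaction it reflects.
type Snapshot struct {
	Seq  int
	Data Ledger
}

func (l Ledger) Copy() Ledger {
	c := make(Ledger, len(l))
	for k, v := range l {
		c[k] = v
	}
	return c
}

// TakeSnapshot records the ledger as of sequence number seq.
func TakeSnapshot(l Ledger, seq int) Snapshot {
	return Snapshot{Seq: seq, Data: l.Copy()}
}

// Restore rebuilds the ledger for a system that never shuts down: start from
// the last snapshot, then reapply every logged transaction committed after it
// and before failSeq (the transaction in flight at the failure is not reapplied).
func Restore(s Snapshot, log []LogEntry, failSeq int) Ledger {
	l := s.Data.Copy()
	for _, e := range log {
		if e.Seq > s.Seq && e.Seq < failSeq {
			l[e.Account] += e.Delta
		}
	}
	return l
}

// Rotate keeps three generations (son, father, grandfather). The newest backup
// becomes the son and the oldest generation drops off the end.
func Rotate(gens []Snapshot, newest Snapshot) []Snapshot {
	gens = append([]Snapshot{newest}, gens...)
	if len(gens) > 3 {
		gens = gens[:3]
	}
	return gens
}

// Constructed sample: opening balances, then five transactions; the failure
// happens while transaction 5 is being applied.
var (
	Opening = Ledger{"A": 1000000, "B": 500000}
	Log     = []LogEntry{
		{1, "A", -100000}, {2, "B", 100000},
		{3, "A", -50000}, {4, "B", 50000},
		{5, "A", -200000}, // in flight when the failure occurred
	}
)

// Demo applies transactions 1 and 2, takes a backup, then restores after the failure.
func Demo() Ledger {
	live := Opening.Copy()
	for _, e := range Log[:2] {
		live[e.Account] += e.Delta
	}
	backup := TakeSnapshot(live, 2)
	return Restore(backup, Log, 5)
}

func main() {
	fmt.Println("restored ledger:", Demo())
	gens := []Snapshot{}
	for seq := 1; seq <= 4; seq++ {
		gens = Rotate(gens, TakeSnapshot(Opening, seq))
	}
	fmt.Println("generations kept:", gens[0].Seq, gens[1].Seq, gens[2].Seq)
}
```

The practical consequence is that the transaction log must be protected as carefully as the backup itself: a snapshot without the log only gets you back to the snapshot, not to the moment before the failure.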
System Administrator & End User
Database Administrator (DBA) - responsible for maintaining and supporting the database software and performing certain security functions. Network Administrator - supports computer networks through performance monitoring and troubleshooting. Web Administrator - responsible for the information on a website. End User - any worker in the organization who enters data into a system or who uses the information processed by the system.
Database Processing Integrity Procedures
Database systems use database administrators, data dictionaries, and concurrent update controls to ensure processing integrity. 1. The DBA establishes and enforces procedures. 2. The data dictionary ensures that data items are consistently defined. 3. Concurrent update controls protect records from the errors that occur when two or more users attempt to update the same record simultaneously (e.g., a second user's write silently overwriting the first user's change, the "lost update").
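Worked example (added here, not from the original card): a Go program that plays through the lost-update problem and one common concurrent update control, a version number checked at write time (optimistic locking). The table, the version column, and the two-user interleaving are assumptions made for the example; the interleaving is scripted sequentially so the outcome is deterministic.

```go
package main

import (
	"errors"
	"fmt"
)

// Row is a database record that carries a version number; the version is the
// concurrent update control in this example (an assumption about the schema).
type Row struct {
	Balance int64
	Version int
}

var ErrConflict = errors.New("record changed since it was read: reread and retry")

type Table struct{ rows map[string]Row }

func NewTable() *Table { return &Table{rows: make(map[string]Row)} }

func (t *Table) Read(key string) Row { return t.rows[key] }

// WriteUnchecked blindly overwrites the record: what happens with no update control.
func (t *Table) WriteUnchecked(key string, balance int64) {
	t.rows[key] = Row{Balance: balance, Version: t.rows[key].Version + 1}
}

// WriteChecked commits only if the record still has the version the writer
// read; otherwise the write is rejected so the caller can reread and retry.
func (t *Table) WriteChecked(key string, read Row, balance int64) error {
	cur := t.rows[key]
	if cur.Version != read.Version {
		return ErrConflict
	}
	t.rows[key] = Row{Balance: balance, Version: cur.Version + 1}
	return nil
}

// LostUpdate plays the classic interleaving deterministically: two users read
// the same record, each adds to the balance they saw, and both write back.
// Returns the final balance and whether the second write was rejected.
func LostUpdate(controlled bool) (balance int64, rejected bool) {
	t := NewTable()
	t.rows["acct"] = Row{Balance: 10000, Version: 1}
	userA := t.Read("acct")
	userB := t.Read("acct")
	if !controlled {
		t.WriteUnchecked("acct", userA.Balance+5000)
		t.WriteUnchecked("acct", userB.Balance+3000) // silently discards A's update
		return t.Read("acct").Balance, false
	}
	_ = t.WriteChecked("acct", userA, userA.Balance+5000)
	err := t.WriteChecked("acct", userB, userB.Balance+3000)
	if errors.Is(err, ErrConflict) {
		// B must reread and apply the change to the current value.
		fresh := t.Read("acct")
		_ = t.WriteChecked("acct", fresh, fresh.Balance+3000)
		return t.Read("acct").Balance, true
	}
	return t.Read("acct").Balance, false
}

func main() {
	b, _ := LostUpdate(false)
	fmt.Println("without control:", b) // A's +5000 is lost
	b, rejected := LostUpdate(true)
	fmt.Println("with control:", b, "second write rejected and retried:", rejected)
}
```

Real databases implement the same idea with row locks or a compare-and-set on a version or timestamp column; the property to remember is that the second writer must see a conflict rather than win silently.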
Network and Host-Based Firewalls
Default-Deny - lists the allowed network services, and everything else is denied. More secure, because a service nobody thought to list is blocked until someone explicitly permits it. Default-Allow - lists the network services that are not allowed, and everything else is accepted. More common and easier, but any service that is not on the block list is exposed. Network Intrusion Detection Systems - monitor network or system activity for malicious activity or policy violations. Access Control Lists - specify which users or system processes are granted access to objects, as well as what operations are allowed on those objects.
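Worked example (added here, not from the original card): a Go program that evaluates the same three services under a default-deny and a default-allow policy, plus a small access control list check. The rules, ports, and ACL entries are constructed for the example; the point is what happens to a service (here RDP on tcp/3389) that neither rule list mentions.

```go
package main

import "fmt"

// Rule matches one service; Allow says whether a match permits or blocks it.
type Rule struct {
	Proto string
	Port  int
	Allow bool
}

// Policy is an ordered rule list plus the default action taken when nothing matches.
type Policy struct {
	Name         string
	Rules        []Rule
	DefaultAllow bool
}

// Permits returns the decision for a service and whether an explicit rule decided it.
func (p Policy) Permits(proto string, port int) (allowed, explicit bool) {
	for _, r := range p.Rules {
		if r.Proto == proto && r.Port == port {
			return r.Allow, true
		}
	}
	return p.DefaultAllow, false
}

// ACL maps an object to the operations each principal may perform on it.
// Anything not listed is denied.
type ACL map[string]map[string][]string

func (a ACL) Allows(principal, object, op string) bool {
	for _, allowed := range a[object][principal] {
		if allowed == op {
			return true
		}
	}
	return false
}

// Constructed policies. Both were written before anyone thought about RDP (tcp/3389).
var (
	DefaultDeny = Policy{Name: "default-deny", DefaultAllow: false, Rules: []Rule{
		{"tcp", 443, true}, {"tcp", 22, true},
	}}
	DefaultAllow = Policy{Name: "default-allow", DefaultAllow: true, Rules: []Rule{
		{"tcp", 23, false}, {"tcp", 445, false},
	}}
	PayrollACL = ACL{
		"payroll.db": {"dba": {"read", "write"}, "auditor": {"read"}},
	}
)

func main() {
	services := []struct {
		proto string
		port  int
	}{{"tcp", 443}, {"tcp", 23}, {"tcp", 3389}}
	for _, svc := range services {
		for _, p := range []Policy{DefaultDeny, DefaultAllow} {
			ok, explicit := p.Permits(svc.proto, svc.port)
			fmt.Printf("%-13s %s/%d allowed=%v explicit=%v\n", p.Name, svc.proto, svc.port, ok, explicit)
		}
	}
	fmt.Println("auditor write payroll.db:", PayrollACL.Allows("auditor", "payroll.db", "write"))
}
```

The explicit flag is worth logging in a real firewall: under default-allow, every packet that passes with explicit=false is traffic nobody ever decided to permit.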
Data Analytics Processes
Descriptive Analytics - describes events that have already occurred, such as financial reports and historical operations reports, which enable learning from past behavior. Predictive Analytics - uses statistical techniques and forecasting models to predict what could happen. Prescriptive Analytics - uses optimization and simulation algorithms to affect future decisions; this is the most complex of the three to implement.
Gap Analysis
Determine the gap, or difference between industry best practices and the current practices of the organization. Gap analysis produces the following: -Target areas for improvement -A common objective database from which to develop strategic quality improvement.
Corporate Level Strategy - IT
Developed by senior management. It encompasses new business opportunities, the closing of old business units, and the allocation of resources among departments.
Risks Related to New Technology
Developing high quality error free software is difficult, expensive, and time consuming. Most software projects deliver less, cost more, and take longer than expected. -Defining the integration points to the governance processes -Defining and managing planning data: deliverables for each step of the process must be clearly defined from the start. -Defining and publicizing the planning calendar -Realizing that timing is essential -Clearly defining roles and responsibilities -Communicating data and messages well
Uninterrupted Power Supply
A device that maintains a continuous supply of electrical power to connected equipment. A UPS can prevent data loss and can protect the integrity of a backup while it is being performed. When a power failure occurs, the UPS switches to its own power source instantaneously so that there is no interruption. A UPS is not a standby generator: its battery will run out sooner or later, so it buys time for an orderly shutdown or for a generator to start.
Digital Certificates/Signatures
Electronic documents created and digitally signed by a trusted party (a certificate authority) that certify the identity of the owner of a public key: the electronic version of a "police badge". Digital signatures use asymmetric cryptography: the signer signs with a private key, and anyone holding the certified public key can verify the signature, which is what allows signed electronic documents to be legally binding and reveals any later alteration. An e-signature, by contrast, is a cursive-style imprint of a person's name applied to an electronic document; it carries no cryptographic binding to the signer or the content.
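Worked example (added here, not from the original card): a Go program using the standard library's crypto/x509 and crypto/ed25519 packages. A constructed trusted party issues a certificate binding a name to a public key; the certificate verifies against that party's root and fails against an unrelated one, and a signature made with the certified key verifies over the original document but not over an altered one. The CA name, the subject name, and the sample document are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA creates the trusted party: a self-signed CA certificate and its private key.
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// Issue has the CA sign a certificate that binds subject to pub.
func Issue(ca *x509.Certificate, caKey ed25519.PrivateKey, subject string, pub ed25519.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustedBy reports whether cert chains to the given CA.
func TrustedBy(cert, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// DemoResult collects the outcomes so they can be inspected directly.
type DemoResult struct {
	TrustedCAAccepts bool // cert verifies against the CA that issued it
	UnknownCAAccepts bool // cert verifies against a different CA (must be false)
	SignatureValid   bool // signature over the document checks with the certified key
	TamperedValid    bool // same signature over an altered document (must be false)
}

func RunDemo() (DemoResult, error) {
	var r DemoResult
	ca, caKey, err := NewCA("Example Trusted Party CA")
	if err != nil {
		return r, err
	}
	otherCA, _, err := NewCA("Some Other CA")
	if err != nil {
		return r, err
	}
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	aliceCert, err := Issue(ca, caKey, "alice@example.test", alicePub)
	if err != nil {
		return r, err
	}
	r.TrustedCAAccepts = TrustedBy(aliceCert, ca)
	r.UnknownCAAccepts = TrustedBy(aliceCert, otherCA)

	doc := []byte("Approve payment of $10,000 to vendor 4471") // constructed sample document
	sig := ed25519.Sign(alicePriv, doc)
	certifiedKey := aliceCert.PublicKey.(ed25519.PublicKey)
	r.SignatureValid = ed25519.Verify(certifiedKey, doc, sig)
	r.TamperedValid = ed25519.Verify(certifiedKey, []byte("Approve payment of $100,000 to vendor 4471"), sig)
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Two things the "police badge" analogy hides are visible here: the verifier decides which CAs it trusts (the same certificate is accepted or rejected depending on the trust pool), and the certificate only vouches for the key; whether a document is authentic is a separate signature check with that key.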
Data Encryption
An essential foundation for electronic commerce. Encryption uses a password or digital key to scramble a readable (plain text) message into an unreadable (cipher text) message; the intended recipient then uses a digital key (the same secret key in symmetric encryption, or the matching private key in asymmetric encryption) to decipher the cipher text back into plain text. The longer the key, the less likely the message is to be decrypted by the wrong party and the less likely the key is to be broken by a brute-force attack (software that tries every possible key until it finds the right one); each additional bit of key length doubles the number of keys an attacker must try.
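Worked example (added here, not from the original card): a Go program that encrypts a constructed message with AES-256-GCM, shows that a wrong key is rejected, and then brute-forces a deliberately tiny 16-bit secret to make the relationship between key length and brute-force effort visible. Deriving the AES key from a 16-bit secret is an artificial weakness introduced for the demonstration; a real key is a random 256-bit value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"io"
)

// KeyFromSecret turns a small integer secret into a 32-byte AES key by hashing it.
// Real systems use a random 256-bit key (or a proper KDF on a passphrase); the
// tiny secret here exists only so that brute force finishes in the demo.
func KeyFromSecret(secret uint32) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], secret)
	sum := sha256.Sum256(b[:])
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt scrambles plaintext under key with AES-256-GCM; the nonce is returned alongside.
func Encrypt(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, nil), nil
}

// Decrypt recovers the plaintext; a wrong key fails the authentication tag check.
func Decrypt(key, nonce, ciphertext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ciphertext, nil)
}

// BruteForce tries every secret in [0, 2^bits) until one decrypts the message.
// Doubling bits doubles the work, which is why key length matters.
func BruteForce(bits uint, nonce, ciphertext []byte) (secret uint32, found bool) {
	for s := uint64(0); s < 1<<bits; s++ {
		if _, err := Decrypt(KeyFromSecret(uint32(s)), nonce, ciphertext); err == nil {
			return uint32(s), true
		}
	}
	return 0, false
}

func main() {
	msg := []byte("wire $10,000 to ACME") // constructed sample message
	const secret = 0xBEEF                // a 16-bit secret: a deliberately weak key
	nonce, ct, err := Encrypt(KeyFromSecret(secret), msg)
	if err != nil {
		panic(err)
	}
	if _, err := Decrypt(KeyFromSecret(secret+1), nonce, ct); err != nil {
		fmt.Println("wrong key:", err)
	}
	s, ok := BruteForce(16, nonce, ct)
	fmt.Printf("brute force over 2^16 keys found secret 0x%X: %v\n", s, ok)
}
```

The 65,536-key search finishes in well under a second; the same loop over a real 256-bit key space would not finish in the lifetime of the universe, and that gap, not the cipher's cleverness, is what key length buys.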
Integration Tests - Information System Testing Strategies
Exercise an entire subsystem and ensure that a set of components operates smoothly together. Integration testing can be done in two ways: 1. Bottom-Up integration Testing - this testing begins with unit testing, followed by tests of progressively higher-level combinations of units called modules or builds 2. Top-down integration Testing - the highest level modules are tested first and progressively lower level modules are tested thereafter.
Decision Support Systems (DSS)
An extension of MIS that provides interactive tools to support decision making. A DSS may provide information, facilitate the preparation of forecasts, or allow modeling of various aspects of a decision. It is sometimes called an expert system.
Managing Passwords
The first rule of password policy is that every account must have a password. -Password length: seven to eight characters minimum. -Password complexity: uppercase, lowercase, numbers, and special ASCII characters. -Password age: changing passwords every 90 days, or more frequently, is good policy. -Password reuse: passwords should not be reused until a significant amount of time has passed. -Two-Factor Authentication: a second authentication factor (e.g., a hardware token such as RSA SecurID). Caveat: current NIST guidance (SP 800-63B) favors longer passwords over composition rules, drops mandatory periodic rotation unless compromise is suspected, and screens new passwords against lists of known-breached passwords.
Validation Tests - Information System Testing Strategies
Focus on visible user actions and user recognizable outputs from the system. "Did we build the right thing" -Validation tests are based on the use case scenarios, the behavior model, and the event flow diagram. Tests must ensure that each function or performance characteristic conforms to its specification. Deviations must be negotiated with the customer. -Configuration review or audit is used to ensure that all elements of the software configuration have been properly developed, cataloged, and documented
Communication - Role of Information Systems
For many companies, email is the principal means of communication between employees, suppliers, and customers. Other communication tools have evolved, such as live chat systems, online meeting tools, and videoconferencing systems. Voice over internet protocol (VoIP) telephones and smartphones offer additional ways to facilitate communication within the organization.
Electronic Funds Transfers
A form of electronic payment for the banking and retailing industries. EFT uses a variety of technologies to transact, process, and verify money transfers and credits between banks, businesses, and customers. The Federal Reserve's financial services systems are used frequently in EFT. EFT is often provided by a third-party vendor who acts as the intermediary between the company and the banking systems.
Business Level Strategy
Found in organizations that have autonomous departments with the need to develop their own strategies. Business strategy should function within the broader aims of the corporate strategy. This level of strategy is typically not found in small businesses.
General Controls and Application Controls
General controls are designed to ensure that an organization's control environment is stable and well managed and include: 1. Systems development standards 2. Security management controls 3. Change management procedures 4. Software acquisition, development, operations, and maintenance controls. Application controls prevent, detect, and correct transaction errors and fraud; they are application specific and provide reasonable assurance as to system: 1. Accuracy 2. Completeness 3. Validity
Write-protection mechanisms
Guard against accidentally writing over or erasing data files stored on magnetic media, e.g., the write-protect tab on a floppy disk.
Definition: IT governance.
IT governance is about how leadership accomplishes the delivery of mission-critical business capability using IT strategies, goals, and objectives. It is concerned with the strategic alignment between the goals and objectives of the business and the use of its IT resources to effectively achieve the desired results. IT governance is the duty of executive management and the board of directors and is crucial to the governance of the entire organization. It comprises leadership, organization structures, policies and processes, IT strategy, and IT objectives. IT governance establishes chains of responsibility, authority, and communication; it also establishes measurement, policy, standards, and control mechanisms to enable people to carry out their roles and responsibilities.
Information Technology Controls
It is important to establish controls related to the use of information technology resources. Budgets should be established for the acquisition of equipment and software, for operating costs, and for usage. -Appropriate segregation of duties. -Procedures that include the design and use of adequate documents and records to help ensure the proper recording of transactions and events. -Limits on asset access in accordance with management's authorization. -Effective performance management with clear definition of performance goals and effective metrics to monitor achievement of those goals. -Information processing controls applied to check for proper authorization, accuracy, and completeness of individual transactions. -Proper design and use of electronic and paper documents. -Security measures focused on preventing and detecting threats. -Contingency plans that detail the procedures to be implemented when threats are encountered.
Data Librarian
In large companies the data librarian has custody of and maintains the entity's data and ensures that production data is released only to authorized individuals when needed.
Roles and Responsibilities of Information Technology Professionals
Include administrators, librarians, computer operators, and developers. The roles and responsibilities of IT professionals are defined individually by each organization and, as indicated previously, job titles and responsibilities can vary widely depending on the needs of the organization and, in some cases, the personal preferences of IT management.
IT Supervisor
Manages the functions and responsibilities of the IT department.
System Analyst
Internally Developed System -Works with end users to determine system requirements. -Designs the overall application system. -Determines the type of network needed. Purchased System -Integrates the application with existing internal and purchased applications. -Provides training to end users.
Inventory Management
Inventory management systems track the quantity of each item a company maintains, triggering an order when quantities fall below a predetermined level. These systems are best used when the inventory management system is connected to the point of sale (POS) system. The POS system ensures that each time an item is sold, one of that item is removed from the inventory count.
Functional Level Strategy
Involves establishing strategies for marketing, manufacturing, IT and finance. An effective Strategy at the functional level improves the entity's ability to execute its business level and corporate level strategies.
Selecting Improvement Initiatives
Irrational - are intuitive and emotional. They lack structure and systematic evaluation. The irrational methods are based on fashion, fad, or trend. They may result from an immediate need for cost reduction, and stem from a very short term viewpoint. Rational - structured and systematic: -Strategic Gap Analysis: external (environment) assessments and internal (organizational) assessments performed to create a strategic gap analysis -Review Competitive priorities: review of price, quality, or other considerations -Review production objectives: review of performance requirements. -Choose improvement Program: decide how to proceed for improvement.
Computer Operators vs. Computer Programmers
It is important that computer operators and computer programmers be segregated because a person performing both functions could make unauthorized and undetected program changes.
Just in Time (JIT)
Just in time management anticipates achievement of efficiency by scheduling the deployment of resources just in time to meet customer or production requirements. Inventory does not add value. The maintenance of inventory on hand produces wasteful costs. Benefits -Synchronization of production schedule with demand -Arrival of supplies at regular intervals throughout the production day -Improved coordination and team approach with suppliers -More efficient flow of goods between warehouses and production -Reduced setup time -Greater efficiency in the use of employees with multiple skills
Acceptance Tests - Information System Testing Strategies
Make sure the software works correctly for the intended user in his or her normal work environment. This is arguably the most important type of testing, as it is conducted by the quality assurance (QA) team. The QA team will have a set of prewritten scenarios and test cases that will be used to test the application. -Alpha Test - a version of the complete software is tested by the customer under the supervision of the developer at the developer's site -Beta Test - a version of the complete software is tested by the customer at his or her own site without the developer being present.
Stakeholders or Participants in Business Process Design
Management - providing support and encouragement. Aligning information systems with corporate strategies. Accountants - determine the information needs and system requirements and communicate these to system developers (AIS). Help manage system development. Active role in designing system controls. Information Systems Steering Committee - plans and oversees the information system function. Consists of high level management. Setting governing policies, ensuring top management participation, guidance and control, coordination and integration of information system activities. Project Development Team - responsible for successful design and implementation, both technical and user acceptance. Monitor project, manage human element, frequent communication, risk management and escalating issues that cannot be resolved within the team. External Parties - customers, vendors, auditors, government entities.
Manual vs. Automated Controls
A manual control is a control performed by a person without making direct use of automated systems. An automated control is a control performed by an automated system without the intervention of a person. Value of Automated Controls -Accuracy -Timeliness -Efficiency -Security
Measures - Business Process Management
Measures or process metrics can be financial or nonfinancial. They should correlate directly to the process being managed. -Gross Revenue - for sales -Customer Contracts - for sales driven organizations -Customer Satisfaction - organizations using marketing techniques -Operational Statistics - manufacturing operations
Benefits - Business Process Management
Monitor the degree to which process improvements have been achieved -Efficiency - fewer resources are used to accomplish organizational objectives -Effectiveness - objectives are accomplished with greater predictability -Agility - responses to change are faster and more reliable
Risks Related to Legacy Systems
One of the most powerful disincentives to keeping legacy products is their unguarded security vulnerabilities. Reasons for Persistence of Legacy Systems -Investment in deployment -Investment in training -Dependencies on supportive technology -Dependencies built on the legacy product -Risk over reward Mitigating Risk in Legacy Systems -Isolating the system -Virtual patches
Multiple Data Center Backups
Organizations also must decide what types of backups to perform in order to recover lost data. A full backup is an exact copy of the entire database. It is time consuming, so most organizations only do full backups weekly and supplement them with daily partial backups. Two types of partial backups: -Incremental backup involves copying only the data items that have changed since the last backup. -Differential backup copies all changes made since the last full backup.
Fundamental Risks Related to Systems Development and Maintenance
Organizations constantly improve or replace information systems for any of the following: 1. Changes in needs of a business unit (because of growth, downsizing, mergers, new regulations). 2. Technological advances resulting in more effective but less costly systems. 3. Improvements in business processes leading to shorter processing times. 4. Competitive advantages as the result of improvements in quality, quantity, and speed of information gathering. 5. Productivity gains due to automation of clerical tasks. 6. System age and need for replacement.
Offshore Operations
Outsourcing services or business functions to an external party in a different country. Common types of offshore outsourcing are: -Information technology -Business process (call centers, accounting operations, tax compliance) -Software research and development (software development) -Knowledge process (processes requiring advanced knowledge and specialized skill sets such as reading x-rays)
Physical Controls
Physical controls monitor and control the environment of the workplace and computing facilities. Segregation of Duties - ensures that no single individual can complete a critical task on their own. Control of Access to and From the Facilities - can include doors, locks with retina or fingerprint scanners, secure pass-throughs called mantraps, heating and air conditioning, smoke and fire alarms, etc.
Plan, Do, Check, Act (PDCA)
Plan - Design the planned process improvement Do - Implement the process improvement Check - Monitor the process improvement Act - continuously commit to the process and reassess the degree of improvement Repeat
Controls Can Be Preventive, Detective, and Corrective
Preventive - refers to using administrative controls such as security awareness training, and technical controls such as firewalls and antivirus software, to stop attackers from penetrating the network. Detective - employing a blend of technical controls such as antivirus, intrusion detection systems, system monitoring, file integrity monitoring, change control, log management and incident alerting can help to track how and when system intrusions are being attempted. Corrective - applying operating system upgrades, backup data restores, vulnerability mitigation and other controls to make sure that systems are configured correctly and to prevent the irretrievable loss of data.
Types of Policies
Program Level Policy - creates a management sponsored computer security program. At the highest level it might prescribe the need for information security and may delegate the creation and management of the program to a role within the IT department. It is the mission statement for the IT security program. Program Framework Policy - gives the overall approach to computer security, describing the elements and organization of the program and the department that will carry out the security mission. -Issue Specific Policy (cloud computing) -System Specific Policy (payroll system)
Customer Relationship Management System (CRM)
Provides sales force automation and customer services in an attempt to manage customer relationships. Captures every interaction a company has with a customer. Benefits - the ability to market to each customer individually. 20% of customers generate 80% of sales. It is 5 to 10 times more expensive to acquire a new customer than to obtain repeat business from an existing customer. Reduces sales costs and customer support costs. Attempts to identify the best customers. Categories: Analytical CRM - drives business decisions. Operational CRM - automation of customer contacts or contact points.
Executive Information Systems (EIS)
Provides senior executives with immediate and easy access to internal and external information to assist in strategic decision making. An EIS consolidates information internal and external to the enterprise and reports it in a format and level of detail appropriate to senior executives.
Business Impact Analysis - Risk Assessment
The purpose of a BIA is to identify which business units, departments, and processes are essential to the survival of an entity. It will identify how quickly essential business units and/or processes need to return to full operation following a disaster situation. It will also identify the resources required to resume business operations. Three objectives: 1. Estimate the financial impacts of each business unit assuming a worst case scenario. 2. Estimate the intangible (operational) impacts for each business unit, assuming a worst case scenario. 3. Identify the organization's business unit processes and the estimated recovery time frame for each business unit.
Information System Testing Strategies
Purpose of Testing 1. Find defects created during the development of the software 2. Determine the level of quality of the software 3. Ensure that the end product meets the business and user requirements Guideline for Successful Testing -Specify testing objectives explicitly. -Identify categories of users for the software and develop a profile for each. -Build robust software that is designed to test itself. -Use effective formal reviews as a filter prior to testing. -Conduct formal technical reviews to assess the test strategy and test cases. -Develop a continuous improvement approach for the testing process.
Major Players in Disaster Recovery
The major players in a disaster recovery plan are the organization itself and the disaster recovery services provider. If application software packages are utilized, the package vendors may be involved. For distributed processing, hardware vendors may be involved. Senior management support is absolutely necessary for an effective disaster recovery plan.
Shared Services
Refers to seeking out redundant services, combining them and then sharing those services within a group or organization. Consolidation of redundant services creates efficiency but might also result in: -Service Flow Disruption: consolidation of work to a single location can create waste in transition, rework, and duplication, as well as increase the time it takes to deliver a service. -Failure Demand: demand for a shared service caused by a failure to do something, or to do something right, for a customer is called failure demand. It results when a task must be performed a second time because it was performed incorrectly the first time.
Business Process Reengineering (BPR)
Refers to techniques to help organizations rethink how work is done to dramatically improve customer satisfaction and service, cut costs of operations and enhance competitiveness. The development of sophisticated information technology systems and networks has driven many reengineering efforts. Fresh Start - the basic premise of business process reengineering is the idea that management will wipe the slate clean and reassess how business is done from the ground up. Reengineering uses benchmarking and best practices to evaluate success. Current Status - reengineering is not as popular as it was when introduced in the mid 1990s. The technique has been criticized for what some believe was overaggressive downsizing. In addition, the programs have not produced the benefits that were originally anticipated.
Total Quality Management Overview
Represents an organizational commitment to customer focused performance that emphasizes both quality and continuous improvement. Total quality management identifies seven critical factors: customer focus, continuous improvement, workforce involvement, top management support, objective measures, timely recognition, ongoing training.
Security Administrators vs Computer Operators and Computer Programmers
Responsible for restricting access to systems, applications, or databases to the appropriate personnel. If the security administrator were also a programmer or an operator for that system, that person could give himself or another person access to areas they are not authorized to enter. This security bypass also would allow that person to steal organization information or assets.
Computer Operator
Responsible for scheduling and running processing jobs. Much of the job of scheduling and running jobs can be automated and in large computing environments must be automated due to the sheer volume of information processed.
Security Administrator
Responsible for the assignment of initial passwords and often the maintenance of those passwords (if the end users do not maintain their own passwords). Security administrators are responsible for the overall operation of the various security systems and the security software in general.
Managing IT Risk
Risk IT Framework - integrate the management of IT risk into the overall risk management of the enterprise. Make well informed decisions about the nature and extent of the risk, the risk appetite and the risk tolerance of the enterprise. Develop a response to the risk. IT Risk Defined - the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT. Categories of IT Risk: -IT Benefit/Value Enablement Risk - related to missed opportunities to use technology to improve business processes. -IT Program and Project Delivery Risk - related to the contribution of IT to new or improved business solutions. -IT Operations and Service Delivery Risk - related to all aspects of the performance of IT systems and services.
Development and Management of Security Policies
Security Objectives - the first step is to define the objectives. These are based on system functionality or mission requirements and also state the security actions that support the requirements. Operational Security - should define the manner in which a specific data operation would remain secure. Policy Implementation - enforced through a combination of technical and traditional management methods.
Implementing Improvement Initiatives
Several crucial features of successful implementation activities: -Internal Leadership - senior management must provide direction and commit resources to the implementation -Inspections - ongoing implementation must be monitored and measured -Executive Support - executive management must be visibly supportive of the initiative -Internal Process Ownership - the individuals most deeply involved with process management must be committed to the need for process improvement and have the resources to carry it out.
Malware Detection
Software on servers and clients detects the threat of viruses, worms, and file infectors to protect information.
Web Stores
Stand-alone web stores - small companies have stand-alone web stores that are not integrated with larger accounting systems. Typically hosted by shopping cart software that manages the product catalog. Integrated web stores - larger companies have an ERP system that integrates all major accounting functions, as well as the web store, into a single software system.
Four General Types of Risks
Strategic Risk - risk of choosing inappropriate technology. Operating Risk - risk of doing the right things in the wrong way. Financial Risk - risk of having financial resources lost, wasted, or stolen. Information Risk - risk of loss of data integrity, incomplete transactions, or hackers.
Protection of Information
Strategy including the processes, tools and policies necessary to detect, prevent, document and counter threats to both digital and physical information. Security Policy Defined - management instructions indicating a course of action, guiding principle, or appropriate procedure. High level statements that provide guidance to workers who make present and future decisions. Generalized requirements. Security Policy Goal - require people to protect information, which in turn protects the organization, its employees and its customers.
System Analysts vs. Computer Programmers
System analysts design an information system to meet user needs, whereas computer programmers use that design to create an information system by writing computer programs. Analysts often are in charge of hardware and programmers are in charge of application software. Theoretically, if the same person is in charge of hardware and software that person could easily bypass security systems without anyone knowing and steal organization information or assets (embezzling of funds).
Quality Audits
Technique used as part of the strategic positioning function in which management assesses the quality practices of the organization. Quality audits produce the following: -Analysis that identifies strengths and weaknesses -Strategic quality improvement plan that identifies the improvement steps that will produce the greatest return to the organization in the short term and long term.
Vision and Strategy
Technology and an entity's objectives are interconnected. The design of an information technology department's strategy has traditionally supported that of the overall organization. Technology decisions should be an input to the strategic process, defining innovations and helping to increase revenue.
The Tone at the Top - IT Governance
Technology plays a crucial role in enabling the flow of information in an organization. The selection of specific technologies to support an organization typically is a reflection of the: -entity's approach to risk management and its degree of sophistication -types of events affecting the entity -entity's overall information technology architecture -degree of centralization of supporting technology
System Tests - Information System Testing Strategies
Tests the system as a whole. Steps in System Testing: -Recovery testing: ability to recover from failures -Security testing: prevents improper penetration or data alteration -Stress Testing: how well it deals with abnormal resource demands -Performance Testing: run-time performance -Deployment (or Configuration) Testing: each of the environments in which it is to operate. Importance of System Testing - system testing is the first step in the software development life cycle. The application is tested thoroughly to verify that it meets functional and technical specifications. It is tested in an environment very close to the production environment.
Accounting Information Systems
The business information system that is most important to an accountant is the accounting information system (AIS). An accounting information system is a type of management information system; it also may be partly a transaction processing system and partly a knowledge system. There may be separate systems (often called modules) for each accounting function such as accounts receivable, accounts payable, etc., or there may be one integrated system that performs all of the accounting functions, culminating in the general ledger and the various accounting reports. A well-designed AIS creates an audit trail for accounting transactions. The audit trail allows users to trace a transaction from source documents to the ledger and to trace from the ledger back to source documents. The ability to trace in both directions is important in auditing.
Buffer
The concept of buffers is used throughout TOC. Managers add buffers before and after each constraint to ensure that enough resources to accommodate the constraint exist. Buffers, therefore, eliminate the effect of the constraint on work flow.
Technology Risk
The need for technology risk management has intensified in recent years due to speed of technological change, the degree to which technology is driving business and the adoption of emerging and disruptive technologies that change the way business is done such as cloud connected devices and mobile. There are four general types of risk associated with information technology systems, whether the system is in development or in use.
IT Governance - Overview
The role of information technology (IT) in an organization has evolved. The early focus was on automating transactions and reducing costs. Decision support systems (DSS) improved managers' decision making. Historically, IT was viewed as a support function for an organization. Today IT is a strategic driver, making the IT governance function even more crucial and elevating it to the executive and board levels. IT governance is a formal structure for how organizations align IT and business strategies, ensuring that companies stay on track to accomplish their strategies and goals and implementing performance measures for IT. An IT governance framework should answer key questions such as how the IT department is functioning, what key metrics management needs, and what IT returns to the business.
Theory of Constraints (TOC)
The theory of constraints states that organizations are impeded from achieving objectives by the existence of one or more constraints. The organization or project must be consistently operated in a manner that either works around or leverages the constraint.
Identify Information Resources
This includes any hardware, software, systems, services, people, databases and related resources important to the department. These resources should be identified in a manner such that overlap is minimized. It might also be appropriate to have some clear point of accountability (that is, an individual who is responsible for specific hardware, a software package or an office process).
Identify and Categorize Risks by Likelihood
Threats are things that could go wrong. High Likelihood (H) - the risk (threat) source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. Medium Likelihood (M) - the risk (threat) source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. Low Likelihood (L) - the risk (threat) source lacks motivation or capability, or controls are in place to prevent or significantly impede successful exercise of the vulnerability.
Data Backup and Recovery Procedures
Use of a Disaster Recovery Service - some organizations contract outside providers for disaster recovery services. Various levels and types of services can be provided. Internal Disaster Recovery - some organizations with a requirement for instantaneous resumption of processing after a disaster provide their own duplicate facilities in separate locations. Data may be mirrored between the sites, but this is expensive, and most organizations adopt cheaper solutions.
Logical Controls
Use software and data to monitor and control access to information. HR should generate the request for a user account and system access rights. Changes in position require coordination of effort between HR and IT. Remove access that is no longer needed. A mechanism should exist to disable accounts when an employee leaves the organization.
Unit Tests - Information System Testing Strategies
Used to validate the smallest components of the system, ensuring that they handle known input and output correctly. This type of testing is performed by developers before the setup is handed over to the testing team to formally execute the test cases. The goal of unit testing is to isolate each part of the program and show that individual parts are correct in terms of requirements and functionality.
Output Controls
User Review of Output - examination by users of system output for reasonableness, completeness, and verification that the output is provided to the intended recipient. Reconciliation Procedures - reconciliation of individual transactions and other system updates to control reports, file status, or update reports. External Data Reconciliation - reconciliation of database totals with data maintained outside the system (the number of employee records in the payroll file should be compared with the total from HR to detect attempts to add fictitious employees to the payroll database). Output Encryption - the authenticity and integrity of data outputs must be protected during transmission. Encryption techniques reduce the chance of data interception.
Six Sigma
Uses rigorous metrics in the evaluation of goal achievement. Six sigma is a continuous quality improvement program that requires special training. The program expands on the Plan-Do-Check-Act model of process management described earlier, and outlines methodologies to improve current processes and develop new processes.
Cloud Computing
Virtual servers available over the Internet. Includes subscription based or pay per use services that extend an entity's existing information technology capabilities on a real time basis over the Internet. Services can be divided into three categories: 1. Infrastructure-as-a-Service (IaaS): outsources storage, hardware, services and networking components to customers, generally on a per use basis. Amazon, Microsoft, Google. 2. Platform-as-a-Service (PaaS): allows customers to rent virtual services and related services that can be used to develop and test new software applications. 3. Software-as-a-Service (SaaS): a method of software distribution in which applications are hosted by a vendor or service provider and made available to customers over the Internet.
Dimensions of Big Data
Volume: too large for traditional database software to store. Velocity: able to analyze data in real time. Variety: coming from a variety of sources. Veracity: biases or irrelevant data must be mined out.
Mash-ups
Web pages that are collages of other Web pages and other information. Google Maps is an example of a mash-up. Google Maps allows the user to view various sources of information (places of interest and street names) superimposed on a single map.
Categorize Information Resources by Impact
Criteria include characteristics such as criticality, cost of failure, publicity, and legal and ethical issues. High Impact (H) - cannot operate without it, high recovery cost, harm or obstruction to achieving one's mission or to maintaining one's reputation. Medium Impact (M) - could work around it for days or perhaps a week, some cost of recovery, may realize harm or obstruction to achieving one's mission or to maintaining one's reputation. Low Impact (L) - could operate without it for an extended period of time, may notice an effect on achieving one's mission or maintaining one's reputation.
Management Information Systems
Enable companies to use data as part of their strategic planning process as well as the tactical execution of that strategy. Management information systems often have subsystems called decision support systems (DSS) and executive information systems (EIS). A management information system provides users with predefined reports and supports effective business decisions. MIS reports may provide feedback on daily operations, financial and non-financial information to support decision making across functions, and both internal and external information.
Lean Manufacturing
Lean manufacturing, or lean production, requires the use of only those resources required to meet the requirements of customers. Waste Reduction - the focus of lean is on waste reduction and efficiency. The concept of preserving value while expending only the effort necessary is not uncommon and has a long history in business and economics. Kaizen and activity based management initiatives are waste reduction methodologies that use empirical data to measure and promote efficiencies. Continuous Improvement (Kaizen) - Kaizen refers to continuous improvement efforts that improve the efficiency and effectiveness of organizations through greater operational control. Kaizen occurs at the manufacturing stage, where the ongoing search for cost reductions takes the form of analysis of production processes to ensure that resource usage stays within target costs.
File Librarian
File libraries store and protect programs from damage and unauthorized use, and file librarians control the file libraries. In large computer environments, most of this work is automated.