Management, Planning and Organization of IS - PowerPoint PPT Presentation

Slides: 52
Provided by: itt63

Transcript and Presenter's Notes

Title: Management, Planning and Organization of IS


1
Management, Planning and Organization of IS
  • 11 22 questions

2
Objectives
  • Evaluate IS strategy to ensure it aligns with
    business strategies
  • Evaluate IS policies to ensure they support IS
    strategy
  • Evaluate IS management practices to ensure
    compliance with IS policies
  • Evaluate IS organization to ensure adequate
    support of the organization's business requirements
  • Evaluate management of outsourced services to
    ensure they support IS strategy

3
Evaluate the following:
Business Objectives
IS Strategy
IS Policies, standards and Procedures
IS Management Practices
4
IS Strategy
  • Strategic Planning
  • IS strategy aligns with the organization's business
    plan
  • Steering Committee
  • Oversee IS department
  • Consists of senior management, IS staff and user
    department management
  • Chairman: a member of the board of directors

5
Steering Committee
  • Duties and responsibilities
  • Formalized in charter
  • Members understand IS policies, practices
    and procedures well
  • Each member has his/her own area of
    responsibilities
  • Should NOT become involved in routine operations

6
Steering Committee
  • Review long and short term plans
  • Review and approve major purchase of h/w and s/w
    within limits
  • Approve and monitor major projects, set
    priorities, and monitor overall IS performance
  • Provide liaison between IS and user department
  • Approve budget and review allocation
  • Decide on centralization Vs decentralization

7
Policies and Procedures
  • Policies
  • High level documents
  • Corporate philosophy
  • Clear and concise
  • Fully explain to staff affected
  • Lower level policies are defined accordingly
  • Top-down Vs bottom-up approach

8
Procedures
  • Detailed documents
  • Derived from parent policy
  • Realize corresponding policy
  • Easily and properly understood
  • More dynamic
  • Frequent reviews and updates required

9
Human Resources Policies/Practices
  • Background checks
  • Confidentiality agreements
  • Conflict of interest agreements
  • Non-compete agreements
  • Control risks
  • NOT suitable for position
  • Reference checks NOT carried out

10
Employee Handbook
  • Security policies and procedures
  • Company expectations
  • Employee benefits
  • Vacation policies
  • OT rules
  • Outside employment
  • Performance evaluations

11
Employee Handbook
  • Disciplinary actions
  • Excessive absence
  • Breach of confidentiality or security
  • Non-compliance with policies

12
Termination Policies
  • Voluntary termination
  • Immediate termination
  • Return of keys, ID cards and badges
  • Deletion of log-in ID
  • Notification to other staff and security
    personnel
  • Arrangement of final payment
  • Termination interview

13
Outsourcing Practices
  • Increasingly important in many organizations
  • Desire to focus on core activities
  • Pressure on profit margin
  • Increasing competition that requires cost cutting
  • Flexibility in terms of organization and structure

14
Outsourcing Practices
  • Contractor services
  • Data entry (banks, airlines)
  • Design and development of new systems (ASP)
  • Maintenance of existing applications
  • Conversion of legacy applications to new
    platforms (web-based migration)

15
Outsourcing Practices
  • Possible disadvantages
  • Costs higher than expected
  • Loss of internal IS experience
  • Loss of control
  • Vendor failure
  • Difficulty in reversing or changing outsourcing
    agreement

16
Outsourcing Practices
  • Business risks
  • Hidden costs
  • Contract terms not being met
  • Service costs not competitive over time
  • Obsolescence of vendor systems
  • Decrease in bargaining power

17
Outsourcing Practices
  • To minimize business risks
  • Establish measurable partnership-enacted-shared
    goals and rewards
  • Utilize multiple suppliers or withhold a piece of
    business as incentive
  • Formation of cross-functional contract management
    team
  • Contract performance metrics
  • Periodic benchmarking

18
Service Level Agreement (SLA)
  • Well-balanced
  • Instrument of control
  • Include means, methods, processes and structure
    to measure performance
  • Quantifiable
  • Enforceable

19
Audit Concerns of Outsourcing
  • Contract protection
  • Adequately protect company
  • Audit rights
  • Right to audit vendor operations
  • Continuity of operations
  • Continued service in case of disaster (disaster
    recovery plan)
  • Integrity, confidentiality and availability of
    company's data

20
Audit Concerns of Outsourcing
  • Access control/security administration
  • Violation reporting and follow up
  • Change control and testing
  • Network controls
  • Performance management load-balancing

21
IS Management Practices
  • Traditional role of IS department, a service
    department, is changing
  • Management principles
  • People management
  • Personnel are highly qualified and paid and have
    less concern in job security
  • Flat organization
  • Junior level personnel often have major
    responsibilities and authorities

22
IS Management Practices
  • Management of Change
  • Always new applications and technologies
  • Stay abreast of technology and proactively
    embrace change
  • Focus on good processes
  • Documented procedures
  • Programming standards, testing, data backup
  • Quality control and assurance

23
IS Management Practices
  • Security
  • The Internet
  • Business continuity (plan)
  • Disaster recovery (plan)
  • Handling 3rd parties
  • Many vendors work together on 1 system
  • Management matters

24
IS Assessment Methods
  • IS budgets
  • Capacity and growth planning
  • User satisfaction
  • SLA with internal user departments
  • System availability
  • Product distribution time
  • Industry standards/benchmarking

25
IS Assessment Methods
  • Financial management practices
  • User pays scheme
  • Chargeback: man-hours, computer time and other
    resources
  • Measure effectiveness and efficiency
  • Goal accomplishment
  • Measure effectiveness
  • Logging system

26
IS Assessment Methods
  • Example of log
  • Data entry staff keep full details of each batch
    (duration and errors)
  • Computer operators maintain logs of all batch
    jobs and time taken
  • Off-site backups and data storage logged
  • Problem in h/w and s/w identified in daily logs
  • Applications generate own error logs

27
IS Assessment Methods
  • Functionality
  • Existence of functions that satisfy stated needs
  • Reliability
  • Capability of software to maintain level of
    performance under stated conditions
  • Usability
  • Effort needed for use, and the individual
    assessment of such use by users

28
IS Assessment Methods
  • Efficiency
  • Relationship between level of performance of
    software and amount of resources used
  • Maintainability
  • Effort needed to make specified modifications
  • Portability
  • Ability of software to be transferred from one
    platform to another

29
IS Organization Structure and Responsibilities
  • Management structures (line Vs project)
  • Line management
  • Head: CIO
  • Systems development manager
  • Responsible for programmers and analysts
  • End-user support manager
  • Data manager
  • Data architect and manage data as resource

30
IS Organization Structure and Responsibilities
  • Technical support manager
  • Responsible for system programmers
  • Security administrator
  • Provide enough logical and physical security
  • Network manager/administrator
  • Operations manager
  • Responsible for computer operators, librarians,
    schedules and data control personnel
  • Quality assurance manager
  • Segregation of Duties

31
IS Responsibilities and Duties
  • Information Processing (IP) Vs System Development
    and Enhancement
  • IP: operational aspects, e.g. computer
    operations, systems programming, telecomm and
    librarian functions
  • Systems development: analysis and programming,
    e.g. development, acquisition and maintenance of
    application systems

32
IP
  • Operations: information processing facility
    (IPF)
  • Operation management control
  • Physical security
  • Protect from theft, fire, flood, malicious
    destruction, mechanical and power failures
  • Data security
  • Physical security of hardware that process data
  • Employee education: data security and privacy

33
IP
  • Processing controls
  • Ensure timely, complete, accurate and secure
    processing
  • Data control (more details in Business Process
    Evaluation and Risk Management)
  • Production control: job scheduling, job
    submission and media management

34
IP
  • Data entry
  • Batch Vs Online
  • Data control unit
  • Receive source documents from user departments
    and ensure proper safekeeping until processing is
    done and source documents and outputs are
    returned
  • Prepare batches of source documents with accurate
    control totals
  • Schedule and set up jobs

35
IP
  • Librarian
  • Record, issue, receive and safeguard programs and
    data files on tapes and disks
  • Crucial position
  • Security administration
  • Ensure users comply with security policy and
    controls are adequate
  • Maintain access rules
  • Maintain security and confidentiality over
    passwords

36
IP
  • Monitor security violations and take corrective
    action
  • Review and evaluate security policy
  • Prepare and monitor security awareness program
    for employees
  • Test security architecture to detect threats
  • Quality assurance
  • Quality Assurance Vs Quality Control

37
IP
  • Quality Assurance
  • Ensure personnel follow prescribed quality
    processes
  • E.g. ensure programs and documentation adhere to
    standards and naming conventions
  • Quality Control
  • Conduct tests or reviews to ensure software is
    free from defects and meets user expectations
  • Must be done before software is moved into production
  • Check accuracy and authenticity of input,
    processing and output

38
IP
  • Database administration
  • Define and maintain data structure in db
  • Understand organization and user data and data
    relationship
  • Responsible for security and information
    classification
  • Responsible for actual design, definition and
    maintenance

39
IP
  • Control over DBA
  • Segregation of duties
  • Management approval
  • Supervisor review of access logs
  • Detective controls

40
IP
  • Systems analysis
  • Design systems based on user needs
  • Involved in initial phase of SDLC
  • Like an interpreter
  • Application programming
  • Develop new and maintain systems
  • NO access to production programs
  • Work in test only environment

41
IP
  • Systems programming
  • Maintain system software
  • Unrestricted access to whole system
  • Monitored by keeping logs and allowed to access
    relevant system libraries
  • Network management
  • LAN or WAN
  • Responsible for technical and administrative
    control

42
IP
  • Ensure correct functioning of transmission links
  • Backups of system
  • S/w and h/w are authorized for purchase and installed
    properly
  • Could be security administrator in small
    installations
  • NO application programming rights but end-user
    responsibilities
  • Help desk administration

43
Segregation of Duties w/i IS
  • Transaction authorization
  • Responsibility of user department
  • Must perform periodic checks
  • Reconciliation
  • Responsibility of user department
  • Custody of assets
  • Data owner is user dept.
  • Owner has responsibility for determining
    authorization levels

44
Segregation of Duties w/i IS
  • Access to data
  • Physical, system and application security in BOTH
    user area and IPF
  • System and application securities are additional
    layers to prevent unauthorized access
  • The Internet has posed greater threat
  • extranet

45
Segregation of Duties w/i IS
  • Authorization forms
  • User managers define WHO should have access to
    WHAT
  • Forms must be approved
  • Some organizations maintain signature
    authorization logs
  • Access privileges periodically reviewed
  • User authorization tables
  • Use authorization form data to build
    authorization tables
  • Update, modify, delete and/or view

46
Segregation of Duties w/i IS
  • Exception reporting
  • Ensure exceptions are handled properly and in a timely manner
  • Audit trails
  • Map to retrace flow of transaction
  • Recreate actual transaction flow from origin to
    updated file
  • Audit trail could be compensating control
  • Transaction logs

47
How to Identify Potential Problems with IPF
  • Indicators
  • Unfavorable end-user attitudes
  • Excessive costs
  • Budget overruns
  • Late projects
  • High turnover
  • Inexperienced staff

48
How to Identify Potential Problems with IPF
  • Excessive backlog of user requests
  • Slow computer response time
  • Numerous aborted or suspended development
    projects
  • Unsupported or unauthorized h/w or s/w purchases
  • Frequent h/w or s/w upgrades
  • Extensive exception reports
  • Exception reports which were not followed up on

49
How to Identify Potential Problems with IPF
  • Documentation review
  • IS strategies, plans, budgets
  • Security policy documentation
  • Confidential
  • Preventive controls, WHO is responsible for WHAT
  • Organizational chart
  • Job descriptions
  • Steering committee reports
  • System development and program change procedures
  • Operations procedures

50
How to Identify Potential Problems with IPF
  • Interview and observe
  • Actual performance
  • Security awareness
  • Reporting relationships
  • Review contractual agreements
  • Development of contract agreements
  • Contract bidding process
  • Contract selection process
  • Contract acceptance
  • Contract maintenance

51
Management, Planning and Organization of IS
  • End