Managing Information Technology

1
Managing Information Technology

• MBA820
• Information Technology
• for Decision Making

2
Case Cyber Crime

• On Feb. 6, 2000 - the biggest EC sites were hit
  by cyber crime. (Yahoo!, eBay, Amazon.com,
  ETrade)
• The attacker(s) used a method called denial of
  service (DOS).
• By hammering a Web sites equipment with too many
  requests for information, an attacker can
  effectively clog a system.
• The total damage worldwide was estimated at 5-10
  billion (U.S.).
• The alleged attacker, from the Philippines, was
  not prosecuted because he did not break any law
  in the Philippines.

3
Lessons Learned from the Case

• Protection of networked systems can be a complex
  issue.
• Attackers can zero on a single company, or can
  attack many companies, without discrimination.
• Attackers use different attack methods.
• Although variations of the attack methods are
  known, the defence against them is difficult
  and/or expensive.

4
Vulnerability Abuse

• Telecommunication Advances
• Hackers
• Viruses
• Software Advances
• Fourth Generation Languages
• Multi-user databases
• The Threat from Within

5
Concerns for System Builders

• Disaster
• Fault tolerant systems
• Security
• Facilities, consoles, logs, virus scans
• Errors
• Data entry, operations, hardware

6
System Controls

• Implementation Controls
• Software Controls
• Security Reliability
• Hardware Controls
• Physical Security
• Data Controls
• Batch vs. on-line systems

7
Developing Control Structures

• Importance of Standing Data
• Efficiency, complexity, and expense of control
  structures
• Statistical sampling for errors
• Risk Assessment

8
Cost/Benefit Analysis
Cost
Cost of Security
Cost of Potential Damage
Optimal
Security
9
Auditing Information Systems

• Auditing the Control Process
• Review controls assess effectiveness
• Data Quality Audits
• Cross checks of files, data formats
• Checking Standing Data

10
Organizing IT Resources

• Fitting IT Within the Organization
• Organization-wide perspective
• Steering Committees
• End-user Computing
• Centralization vs. Decentralization

11
Steering Committees

• The corporate steering committee is a group of
  managers and staff representing various
  organizational units. The committees major tasks
  are
• ? Direction setting ? Staffing
• ? Rationing ? Communication
• ? Structuring ? Evaluating

12
End-User Computing

• Let them sink or swim.
• Dont do anythinglet the end-user beware.
• Use the stick. Establish policies and procedures
  to control end-user computing so that corporate
  risks are minimized.

• Use the carrot. Create incentives to encourage
  certain end-user practices that reduce
  organizational risks.
• Offer support. Develop services to aid end-users
  in their computing activities.

13
Centralization

• Centralize
• Alleviates potential problems with system
  software differences
• Control uniformity
• Economies of Scale

• Decentralize
• IT staff aligned closer to end users
• Responsiveness
• Cost controls are enhanced when depts must budget
  for computing resources

14
Management Challenges

• Controlling large, distributed databases
  (security)
• Balancing control with efficiency and cost (risk
  analysis)
• Centralization vs. Decentralization
• End-user computing policies procedures