Chapter 14

Managing and Controlling Information Systems

14.1 Managing Information Services in a Firm [Figure 14.1a / 14.1b]

The corporate Information Services (IS) department is the unit responsible for providing or coordinating the delivery of computer-based information services in an organization. These services include:

1. Developing and maintaining organizational information systems

2. Facilitating the acquisition and adaptation of software and hardware.

3. Coordinating the delivery of many of these services, rather than providing all of them itself.

Firms organize their Information Services function in very different ways, reflecting the nature of their business, their general structure and business strategy, their history, and the way they wish to provide information services to the business units. Most IS departments remain centralized. A traditional organization chart with a functional structure is shown in Figure 14.1a. Figure 14.1b shows a more contemporary structure of a centralized IS unit. This structure is far better suited to servicing a firm's business units with specialized consulting and end-user oriented services.

Centralized IS departments are giving way in many firms to the IS function decentralized to the business units of the firm [Figure 14.2]. In a decentralized structure:

1. The corporate IS department is principally responsible for the corporate information system infrastructure - telecommunications network and management of corporate databases.

2. Developing and maintaining corporate information systems standards

3. Supervising systems integrators who perform information services for the firm under outsourcing arrangements

4. Interacting with vendors to ensure quantity discounts and other benefits of corporate scale.

Many companies have created a senior management position, the Chief Information Officer (CIO), to oversee the use of information technology. Responsibilities include ensuring the coordination of the overall corporate information technology effort.

The primary advantage of decentralization is that the departmental IS groups report directly to the heads of their business units. Their members are familiar with the unit's specific needs and are responsive to its concerns. Members of the Information Services units possess a wide variety of skills. Most of these people combine their technology expertise with an understanding of the corporate business lines they serve.

Trend: With the increasing role of outsourcing and acquisition of software packages, the IS units of most firms are expected to become smaller over time, yet their specialists will have to offer enhanced expertise in both technology and business processes.

Information Systems Specialists

Two principal occupations of IS specialists include: analysts and programmers.

1. Responsibilities of analysts include:

a. Analyze the users' information requirements, develop system prototypes, and often design information systems based on the requirements specification.

b. Play the key role in translating business problems and opportunities into information systems

c. Provide a liaison between the users and other IS specialists

d. Act as problem solvers who can perform a variety of tasks relating to defining, developing, and exploiting information systems. They must combine business knowledge with a keen understanding of the potential of technology in order to communicate effectively with end users on the one hand and technical specialists or programmers on the other.

e. Senior analysts act as project managers during system development

2. Responsibilities of the programmers include:

a. Implement the analyst's specifications. A systems designer translates these specifications of what the system is expected to do into high-level specifications for the needed system components.

b. Develop and test the programs that satisfy the requirements established by the analysts, using the design specifications worked up by the designer.

c. Maintain the programs. These applications programmers are supported by systems programmers who maintain systems software and have considerable technical expertise.

Many organizations have created a senior management position, the Chief Information Officer (CIO), who is responsible for information services. The CIO has the following responsibilities:

1. Coordinates the entire corporate IS effort and has the primary responsibility for linking the IS plans and implementation to the company's business plans.

2. Focuses the attention of top corporate management on the contribution that information technology can make to the firm's business.

14.2 Managing Information Systems Operations

The objective of the IS operations staff is to keep information systems running smoothly: to process transactions with an acceptable response time, deliver reports on time, and ensure reliable and efficient operation of data centers and telecommunications networks. In the face of the general trend toward distribution of the information processing function and the growth of end-user computing, corporate data centers retain their vital role as repositories of corporate databases. Like any other major corporate asset, information systems must be controllable.

Functions of IS Operations

The principal concern of IS operations is to ensure that information services are delivered in an uninterrupted, reliable, and secure fashion. Challenges include:

1. Managing the distributed hardware environment

2. Variety of possible organizational designs for the IS function itself (centralization and decentralization, partial or total outsourcing).

3. Design of the system must be selected to match corporate objectives and then this design must be modified as the objectives change.

Major functions of IS operations include:

1. Data entry

2. Operations of computer systems in data centers

3. Operational support for the equipment in the hands of end users and support of end users with information centers and help desks

4. Maintenance of wide area telecommunications links and local area networks

5. Maintenance of databases, including periodic reorganizations for efficiency's sake

6. Production control in data centers

7. Production support

8. Ensuring the physical security of operations, including the operation of firewalls against unauthorized access over the Internet

9. Controlled distribution of information output, such as reports, perhaps in an electronic form

10. Dealing with vendors and consultants, in particular, supervising the vendors to whom services have been outsourced.

11. Planning the necessary processing and telecommunications capacities

12. Protecting the systems from a variety of threats to their security

14.3 Threats to Security, Privacy, and Confidentiality in IS Operations [Figure 14.4]

It is necessary for an organization to identify the nature of possible threats to its information systems and establish a set of measures, called controls, to ensure their security (and, beyond that, to also ensure the privacy and confidentiality of information stored in the systems). It is then necessary to continually control the controls with the auditing process.

Information system security is the integrity and safety of its resources and activities.

Privacy is an individual's right to retain certain information about himself or herself without disclosure. Comprehensive security safeguards are a prerequisite for the privacy of individuals with respect to the information stored about them in information systems.

Confidentiality is the status accorded to data, limiting its use and dissemination. Thus, we can keep certain data confidential to enforce our privacy policies.

Information Systems Security and Threats to It

The security of information systems is maintained by measures taken to prevent threats to these systems or to detect and correct the effects of any damage. Information system security aims to protect corporate assets or, at least, to limit their loss. Security measures limit access to information to authorized individuals; there can be no privacy or confidentiality of data records without adequate security.

Security threats have four principal sources which include:

1. Human error

2. Computer abuse or crime

3. Natural and political disasters

4. Failures of hardware or software

Computer Crime and Abuse

Computer crime is defined as any illegal act in which a computer is used as the primary tool. Computer abuse is unethical use of a computer.

Security threats related to computer crime or abuse include:

1. Impersonation: Gaining access to a system by identifying oneself as another person. Having defeated the identification and authentication controls employed by the system, the impersonator enjoys the privileges of a legitimate user.

2. Trojan horse method: Concealing within an authorized program a set of instructions that will cause unauthorized actions.

3. Logic bomb: Unauthorized instructions, often introduced with the Trojan horse technique, which stay dormant until a specific event occurs (or until a specific time comes, as the instructions may keep checking the computer's internal clock), at which time they effect an unauthorized act.

4. Computer Viruses: Segments of code that are able to perform malicious acts and insert copies of themselves into other programs in the system and onto the diskettes placed in the "infected" PC. Because of this replication, a virus will progressively infect "healthy" programs and systems. Close relatives of viruses are worms: independent programs that make and transmit copies of themselves through telecommunications networks. Computer viruses have become a pervasive threat in personal computing.

5. Denial of Service: Rendering the system unusable by legitimate users.

6. Data Diddling: Changing data before or during input, often to change the contents of a database.

7. Salami Technique: Diverting small amounts of money from a large number of accounts maintained by the system. These small amounts will not be noticed.

8. Spoofing: Configuring a computer system to masquerade as another system over the network in order to gain unauthorized access to the resources the system being mimicked is entitled to.

9. Superzapping: Using a systems program that can bypass regular system controls to perform unauthorized acts.

10. Scavenging: Unauthorized access to information by searching through the residue after a job has been run on a computer. Techniques range from searching wastebaskets or dumpsters for printouts to scanning the contents of a computer's memory.

11. Data Leakage: A variety of methods for obtaining the data stored in a system. The data may be encoded into an innocuous report in sophisticated ways, for example, as the number of characters per line.

12. Wiretapping: Tapping computer telecommunications lines to obtain information.

Some of the techniques listed may be used for a direct gain of financial resources, others for industrial espionage, while yet others simply for destructive purposes.

Probably the most important unrecognized threat today is the theft of portable computers, with access codes and information in their memories. Also to be considered are the losses due to the theft of intellectual property, such as software, product development information, customer information, or internal corporate documents.

Computer Viruses [Figure 14.5]

Computer viruses are the most frequently encountered threats to end-user computing and the best-known form of computer threat. A computer virus is a piece of program code that attaches copies of itself to other programs and thus replicates itself.

Characteristics of computer viruses:

1. The attacked program may work properly, but, at some point, will perform a malicious or destructive act intended by the attacker who wrote the virus.

2. Although a computer virus may attack a multi-user system with shared disk facilities, viruses are best known for their rapid spread in a personal computer environment. In this environment, they proliferate through infected diskettes or programs downloaded from the Internet or other networks.

3. Most viruses are insidious, and their presence is not obvious after the infection. In the meantime, they infect other programs.

4. Two principal types of viruses are boot infectors and program infectors.

a. Boot infectors replace the contents of the first sector of the diskette or hard disk. These are the viruses that most commonly occur in personal computing.

b. Program infectors copy themselves into the executable files stored on the hard disk.

Protection against viruses requires the following measures:

1. Only original manufacturers' diskettes or reliable Internet sites should be used for any program introduced into the system. Pirated software can also lead to the spread of viruses.

2. Commercial "antiviral" software should be used regularly to scan the system. Moreover, recent versions of such software should be used, since ever-new virus strains are being spread by attackers.

3. To guard against viruses in files downloaded from the Internet, one should use utilities which can work with browsers.

4. Regular backup of files will help restore them if a virus is detected

5. A contingency plan for a virus attack is necessary

Risk Assessment in Safeguarding Information Systems [Figure 14.7]

In a distributed systems environment, with virtually every employee of an organization having some form of access to systems, security threats are an extremely serious concern. Multiple connections to the Internet open the field to interlopers all over the world.

Methods of assessing vulnerabilities include:

1. Risk assessment procedure: a methodical evaluation of the probability of losses due to security exposures and the extent of these losses. Risk is defined as the product of the amount that may be lost due to a security exposure and the probability that such a loss will occur. This probability can be estimated by the frequency of such occurrences in the past.

2. Scenario analysis: a method of system control which involves simulated attacks on the system in order to determine its vulnerability

14.4 Information Systems Controls: General Controls

The Role of Information Systems Controls

To ensure secure operations of information systems and thus safeguard assets and the data stored in these systems, and to ensure that applications achieve their objectives in an efficient manner, an organization needs to institute a set of policies, procedures, and technological measures, collectively called controls.

IS controls may be designed to:

1. Prevent an error or an attack from taking effect

2. Detect a violation

3. Detect and correct an exceptional situation.

Information systems controls are classified as:

1. General controls - controls applying to the whole of an organization's IS activity

2. Application controls - controls which are specific to a given application (e.g., payroll)

Types of General Controls [Table 14.3]

General controls cover all the systems of an organization or one of its subunits.

Administrative Controls

Administrative controls aim to ensure that the entire control framework is instituted, continually supported by management, and enforced with proper procedures, including audits.

Administrative controls include:

1. Published controls policy

2. Formal procedures

3. Screening of personnel

4. Continuing supervision of personnel

5. Separation of duties

Systems Development and Maintenance Controls

Internal IS auditors should be involved through the entire systems development process. They should:

1. Participate in major milestones and sign off on the appropriate deliverables. They need to ensure that the system is secure, and also auditable.

2. Participate in the postimplementation review that follows the system being placed in operation.

3. Check that the appropriate system documentation is developed and maintained

4. During systems maintenance, ensure that only authorized changes are made to the system and that the appropriate version of the system goes into operation

Operations Controls

Operations controls are the policies, procedures, and technology established to ensure that data centers are operated in a reliable fashion. Included among these controls are:

1. Controls over access to the data center

2. Control over operations personnel

3. Control over maintenance of computer equipment

4. Control over archival storage

Physical Protection of Data Centers

Operations controls in data centers must be supplemented by a set of controls that will protect these centers from the elements and from environmental attacks. Some of these controls include:

1. Environmental controls (air conditioning, humidification etc.) as required by the equipment.

2. Emergency power sources must be available. A battery-based uninterruptible power supply (UPS) should be installed to provide continuous operation in case of total or partial power failure.

3. The more secure the data must be, the greater the requirement for shielding, so that radiation emitted by the equipment cannot be detected outside the data center.

Hardware Controls

A computer's central processor contains circuitry for detection and, in some cases, correction of certain processing errors. Some of these include:

1. Parity check in which each byte of data in storage contains an additional bit, called a parity bit, which helps detect an erroneous change in the value of a single bit during processing.

2. Processor hardware usually has at least two states:

a. Privileged state - in which any operation can be performed. A user cannot enter privileged state, as it is reserved for system software.

b. User state - in which only some operations can be done.

3. Fault-tolerant computer systems - these systems continue to operate after some of their processing components fail. Fault-tolerant computer systems are built with redundant components; they generally include several processors in a multiprocessing configuration. If one of the processors fails, the other (others) can provide degraded, yet effective, service.
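The parity check in item 1 can be followed bit by bit in the added example below, which is not part of the original chapter. Even parity, the 9-bit word layout, and the function names are assumptions of this sketch; it also shows the limit of the scheme, since two flipped bits cancel each other and the fault goes undetected.

```python
"""Even-parity protection for stored bytes (illustrative sketch)."""


def parity_bit(byte: int) -> int:
    """Return the extra bit that makes the total number of 1s even."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("expected a single byte (0..255)")
    return bin(byte).count("1") % 2


def store(byte: int) -> int:
    """Return the 9-bit stored word: parity in bit 8, data in bits 0-7."""
    return (parity_bit(byte) << 8) | byte


def check(word: int) -> bool:
    """True when the 9-bit word still holds an even number of 1s."""
    return bin(word & 0x1FF).count("1") % 2 == 0


def flip(word: int, *positions: int) -> int:
    """Simulate a hardware fault by inverting the given bit positions (0..8)."""
    for pos in positions:
        word ^= 1 << pos
    return word


def detected_single_faults(byte: int) -> int:
    """Count the one-bit faults (out of 9) that the parity check catches."""
    word = store(byte)
    return sum(not check(flip(word, p)) for p in range(9))


def undetected_double_faults(byte: int) -> int:
    """Count the two-bit faults (out of 36) that the parity check misses."""
    word = store(byte)
    return sum(
        check(flip(word, a, b))
        for a in range(9)
        for b in range(a + 1, 9)
    )


if __name__ == "__main__":
    word = store(0x5A)  # constructed sample value
    print(f"stored word      : {word:09b}  ok={check(word)}")
    print(f"one bit flipped  : {flip(word, 3):09b}  ok={check(flip(word, 3))}")
    print(f"two bits flipped : {flip(word, 3, 6):09b}  ok={check(flip(word, 3, 6))}")
    print("single faults detected:", detected_single_faults(0x5A), "of 9")
    print("double faults missed  :", undetected_double_faults(0x5A), "of 36")
```

Every single-bit fault changes the count of 1s from even to odd and is caught; every pair of faults restores an even count, which is why parity detects errors but cannot locate or correct them.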

Identification, Authentication, and Firewalls: Controlling Access to Corporate Computer Systems

In today's computing environment, users as well as interlopers may attempt to access a computer system from virtually anywhere. We need to ensure that only authorized accesses take place.

Characteristics of identification and authentication:

1. A user first identifies themselves to the system, typically with a name or an account number

2. The system then looks up the authentication information stored for the identified user and does a double-check

3. The system requests the user to provide a password or another means by which they can be authenticated.

A variety of security features are implemented to increase the effectiveness of passwords. The features include:

1. Regular and frequent password changes

2. Use of a combination of letters and digits

3. Prevention of the use of a common word, easily associated with the user
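The three password features above can be enforced mechanically. The following is an added example, not part of the original chapter: the 90-day change interval, the common-word list, and the user profile fields are assumptions constructed for illustration.

```python
"""Checks for the three password features listed above (illustrative sketch)."""
import re
from datetime import date, timedelta

MAX_AGE = timedelta(days=90)  # assumed interval for "regular" changes
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}  # constructed list

# Constructed sample profile of the account holder.
PROFILE = {
    "login": "mgarcia",
    "name": "Maria Garcia",
    "spouse": "Daniel",
    "born": "1975-04-12",
}


def associated_words(profile: dict) -> set:
    """Words easily associated with the user: names, login, birth year."""
    words = set()
    for value in profile.values():
        for token in re.split(r"[^a-z0-9]+", str(value).lower()):
            if len(token) >= 3:
                words.add(token)
    return words


def normalise(password: str) -> str:
    """Undo common letter/digit swaps so 'P4ssw0rd' is still recognised."""
    return password.lower().translate(str.maketrans("013457@$", "oieastas"))


def violations(password: str, profile: dict, last_changed: date, today: date) -> list:
    """Return the list of policy problems; an empty list means acceptable."""
    problems = []
    if today - last_changed > MAX_AGE:
        problems.append("expired")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs letters and digits")
    # Check both the raw and the de-substituted form against the banned words.
    forms = {password.lower(), normalise(password)}
    banned = COMMON_WORDS | associated_words(profile)
    hits = sorted(w for w in banned if any(w in f for f in forms))
    if hits:
        problems.append("contains guessable word: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    today = date(2024, 2, 1)
    samples = [  # (password, date of last change), all constructed
        ("Dan1el2024", date(2024, 1, 10)),
        ("tr4ctor88river", date(2023, 9, 1)),
        ("sunflowerbridge", date(2024, 1, 10)),
        ("kestrel47plume", date(2024, 1, 10)),
    ]
    for pw, changed in samples:
        print(f"{pw:16} -> {violations(pw, PROFILE, changed, today) or 'ok'}")
```

The substitution step matters because a password such as "Dan1el2024" satisfies the letters-and-digits rule while still being built on a word associated with the user.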

Biometric security features are also implemented. These systems rely on personal characteristics of the user. Features include:

1. Voice verification

2. Fingerprints

3. Hand geometry

4. Signature dynamics

5. Keystroke analysis

6. Retina scanning

7. Face recognition

8. Genetic pattern analysis

A firewall is a hardware and software facility that prevents access to a firm's Intranet from the public Internet, but allows access to the Internet. The purpose of a firewall is to ensure that only authorized traffic passes through.

Encryption: Controlling Access to Information [Figure 14.9]

A different way to prohibit access to information is to keep it in a form that is not intelligible to an unauthorized user. Encryption is the transformation of data into a form that is unreadable to anyone without an appropriate decryption key. Encryption is gaining particular importance as electronic commerce over telecommunications networks is gaining momentum.

Encryption renders access to encoded data useless to an interloper who has managed to gain access to the system by masquerading as a legitimate user, or to an industrial spy who can employ a rather simple receiver to pick up data sent over a satellite telecommunications link. Thus, the technique is important not only in the protection of the system boundary but also in the communications and database controls.

The two most important encryption techniques are the:

1. Private-key Data Encryption Standard (DES)

2. Public-key encryption

Encryption is scrambling data, or any text in general, into a cipher that can be decoded only if one has the appropriate key (i.e., bit pattern). It renders the encoded data useless to an interloper. The major disadvantage of the DES is that keys must be distributed in a secure manner. Since the keys must be changed frequently, this represents significant exposure. Also, a prior relationship between the sender and the receiver is necessary in order for them to share the same private key.

In public-key systems, two keys are needed to ensure secure transmission: one is the encoding key and the other is the decoding key. Because the secret decoding key cannot be derived from the encoding key, the encoding key can be made public; therefore, these systems do not require secure distribution of keys between parties prior to their communication. A drawback of public-key encryption and decryption is that they are more time-consuming than private-key systems and can significantly degrade the performance of transaction processing systems.

Controls of Last Resort: Disaster Recovery Planning

Two controls of last resort should be available:

1. Adequate insurance for the residual risk

2. A disaster recovery plan

A disaster recovery plan specifies how a company will maintain the information services necessary for its business operations in the face of disaster.

In disaster recovery planning, the first task is to identify the necessary business functions to be supported by the plan, since covering less vital functions is, in general, too costly.

A disaster recovery plan for these functions should contain four components:

1. An emergency plan

- specifies the situation when a disaster is to be declared and the actions to be taken by various employees

2. A backup plan

- specifies how information processing will be carried out during the emergency. It details how backup computer tapes or disks are to be maintained and specifies the facility, called the recovery site, where they can be run on very short notice. Also, backup telecommunications facilities need to be specified. Some companies maintain a telecommunications link between their data centers and the recovery site in order to have access to the latest data if disaster strikes.

Alternatives for a recovery site include:

a. A company-owned backup facility, geographically distant from the data center.

b. A reciprocal agreement with a company that runs a compatible computer system

c. A hot site or a shell (cold site) offered by a disaster recovery firm under contract. A hot site is a facility that operates computers compatible with the client's, who may use the site within 24 hours of disaster. Shells (or cold sites) are computer-ready buildings, available to accept equipment on very short notice.

3. A recovery plan

- specifies how processing will be restored on the original site, including detailed personnel responsibilities

4. A test plan

- specifies how the other components of the disaster-recovery plan will be tested.

14.5 Applications Controls [Figure 14.10]

Application controls are controls implemented specifically for a particular information system, for example, accounts payable or an order processing system. Both the automated and the manual aspects of processing need to be controlled.

The principal areas of concern of application control are:

1. Telecommunications

2. Input

3. Output

4. Database

Principal measures undertaken in application control include:

Input Controls

The purpose of input controls is to prevent the entry of incomplete, erroneous, or otherwise inappropriate data into the information system. These controls must ensure the following results:

1. Accuracy of data

2. Completeness of input

3. Validation of input

Processing Controls

The primary concern is to ensure that systems processing does not contain errors.

Processing controls include:

1. Crossfooting

2. Reasonableness check

3. Rounding off

4. Functional checks

Database Controls

Information systems files and databases hold the very data we seek to protect from destruction and from improper access or modification. The following are the principal measures for safeguarding data stored in systems.

1. Backup and recovery

2. File handling controls

3. Access authorization

Telecommunications Controls

Telecommunications are the most vulnerable component of information systems. The technique for securing telecommunications is to render any intercepted information useless to the attacker by encrypting it.

Output Controls

Output controls are largely manual procedures aimed at ensuring that the information presented in reports and screens is of high quality, complete, and available only to authorized individuals.

14.6 Auditing Information Systems

An audit process consists of two fundamental steps:

1. Compliance testing

2. Substantive testing

What is an Information Systems Audit?

The effectiveness of information systems controls is evaluated through a process known as IS auditing.

Information systems are audited by external auditors, who render their opinion on the veracity of corporate financial statements, and by internal auditors, who work for the organization itself. In addition to performing financial audits to determine the financial health of various corporate units, internal auditors perform operational audits to evaluate the effectiveness and efficiency of IS operations.

A trend has developed toward strengthening internal auditing as a means of management control. An independent audit department exists in most of the country's large businesses. Such a department now often includes a group that performs information systems audits as well.

Information systems have to be auditable by design. This means that every transaction can be traced to the total figures it affects, and each total figure can be traced back to the transactions which gave rise to it. In other words, an audit trail must exist, making it possible to establish where each transaction originated and how it was processed. Transaction logs provide a basic audit trail.

How is an Information Systems Audit Conducted?

IS auditors primarily concentrate on evaluating information system controls, on the assumption that if a system has adequate controls that are consistently applied, then the information produced by it is also reliable. They perform both scheduled and unscheduled audits.

Characteristics of the compliance auditing include:

1. Auditors study the information system and its documentation, inputs and outputs, and interview the key users and IS personnel. They study both the general and application controls in detail.

2. Auditors select a sample of the transactions processed by the system and trace their processing from the original documents on to the totals they affect.

3. Auditors replicate the processing done by the system, and if the results they obtain are in compliance with those produced by the system, they gain some confidence in the controls the system is supposed to have.
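Steps 2 and 3, together with the audit trail requirement described earlier (transaction to total, and total back to transactions), are worked through in the added example below, which is not part of the original chapter. The accounts-payable log, source documents, reported totals, and all function names are constructed for illustration.

```python
"""Tracing a sample and replicating totals from a transaction log (sketch)."""
from collections import defaultdict
from decimal import Decimal

# Constructed sample data: source documents, the system's transaction log,
# and the totals the system reported for the period.
DOCUMENTS = {
    "INV-1001": Decimal("250.00"),
    "INV-1002": Decimal("1200.00"),
    "INV-1003": Decimal("75.50"),
    "INV-1004": Decimal("430.00"),
}
LOG = [
    {"txn": 1, "doc": "INV-1001", "account": "AP-ACME", "amount": Decimal("250.00")},
    {"txn": 2, "doc": "INV-1002", "account": "AP-ACME", "amount": Decimal("1200.00")},
    {"txn": 3, "doc": "INV-1003", "account": "AP-BOLT", "amount": Decimal("75.50")},
    {"txn": 4, "doc": "INV-1004", "account": "AP-BOLT", "amount": Decimal("340.00")},
    {"txn": 5, "doc": None, "account": "AP-BOLT", "amount": Decimal("90.00")},
]
REPORTED = {"AP-ACME": Decimal("1450.00"), "AP-BOLT": Decimal("515.50")}


def reperform(log):
    """Replicate the system's processing: rebuild each total from the log."""
    totals = defaultdict(Decimal)
    for entry in log:
        totals[entry["account"]] += entry["amount"]
    return dict(totals)


def trace_back(log, account):
    """Total -> transactions: the log entries that gave rise to a total."""
    return [e["txn"] for e in log if e["account"] == account]


def trace_forward(log, documents, txn_id):
    """Transaction -> total: verify its origin, name the total it affects."""
    entry = next((e for e in log if e["txn"] == txn_id), None)
    if entry is None:
        return None, "not in transaction log"
    if entry["doc"] not in documents:
        return entry["account"], "no source document"
    if documents[entry["doc"]] != entry["amount"]:
        return entry["account"], (
            f"amount {entry['amount']} differs from {entry['doc']} "
            f"({documents[entry['doc']]})"
        )
    return entry["account"], None


def compliance_test(log, documents, reported, sample):
    """Return findings from tracing a sample and replicating the totals."""
    findings = []
    for txn_id in sample:
        account, problem = trace_forward(log, documents, txn_id)
        if problem:
            findings.append(f"txn {txn_id} ({account}): {problem}")
    replicated = reperform(log)
    for account in sorted(set(replicated) | set(reported)):
        ours, theirs = replicated.get(account), reported.get(account)
        if ours != theirs:
            findings.append(
                f"{account}: reported {theirs}, replicated {ours} "
                f"from txns {trace_back(log, account)}"
            )
    return findings


if __name__ == "__main__":
    for finding in compliance_test(LOG, DOCUMENTS, REPORTED, sample=[1, 4, 5]):
        print(finding)
```

The sample surfaces a transposed amount and an entry with no originating document, and the replicated total for AP-BOLT disagrees with the reported one, so this is an area where the extent of substantive testing would be widened.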

Characteristics of substantive test auditing include:

1. Substantive testing is used to independently validate the totals contained in the financial records.

2. The extent of testing depends on the results of compliance testing. If controls are found operative, then a limited substantive testing will be sufficient. In areas where controls were inadequate, extensive validation of financial totals is necessary.