Chapter 13

Information Resource Management

The McGraw-Hill Companies, Inc. 2002. All rights reserved. Irwin/McGraw-Hill

Chapter Objectives

• To fully appreciate the vulnerability organizations have to full or partial failure of their information systems.

• To understand the relevance of information systems and digital content as important corporate resources.

• To appreciate the role of information systems planning.

• To understand the importance of security and disaster recovery planning for protecting information resources.

Hershey’s Big Dud

• In 1999 Hershey implemented a $112 million computer system.

• System was to automate and modernize everything.

– Within 2 months serious problems developed.

– Orders were delayed and competitors benefited.

– Hershey used “big bang” approach.

– Vendors cited complexity of the situation as the reason for system failure.

Corporate Resources

• I/T should be viewed as a corporate resource.

– Organizations need to invest in I/S.

– Organizations need to manage their I/S.

• Content should be viewed as a corporate resource.

– Data needs to be:

• Captured

• Processed

• Stored

• Communicated

Organizational Assets

• Employees

• Loyal Customers

• Capital (money)

• Physical Assets

• Information systems

• Content (data and knowledge)

Information Systems Planning

1. Business Strategy

2. I/T Strategy

3. I/T Portfolio

– I/S Planning is an on-going activity.

• Environmental issues.

• Technological changes.

Questions for I/S Planning

• Where are we? What are we doing?

• Where do we want to go? What are our competitors doing? What are customers asking for?

• How do we get there; that is, what is the role of I/T in enabling the necessary capabilities to deliver what customers want better than the competition?

• When will it be done?

• Who will do it; do we have the necessary skills and resources internally to deliver what we need?

• How much will it cost? Does it make economic sense?

Management and I/S

• Information Systems as perceived by management.

– Infrastructure

– Transactional

– Informational

– Strategic (Competitive)

Organization of the Information Services Department

• What are the information management functions that need to be performed?

– Centralized or decentralized

• What is the best way to organize the information systems specialists to perform these functions?

Cost and Resource Management

• Information Systems have

– Tangible costs

– Intangible costs

• Methods to control costs of I/S vary.

– Chargeback allows the I/S department to charge business units for services rendered.

Typical Responsibilities for an Information Services Department

• Developing a comprehensive I/T strategy.

• Documenting, operating, and maintaining the existing inventory of corporate hardware, software, and information systems.

• Setting standards for telecommunications and installing and maintaining local and wide area networks.

• Developing, maintaining, and protecting organizational databases and critical applications.

• Evaluating, acquiring, and integrating new hardware and software products.

• Training and supporting internal customers.

• Developing procedures to negotiate with and oversee outside information systems consultants and vendors in the acquisition and development of new information technology and systems.

• Facilitating the transfer of technology across organizational units.

• Initiating and managing outsourcing vendor and service provider relationships.

Disaster Recovery Planning

• Disaster recovery plans have become more of a management priority now that more industries are more dependent on data.

– Includes all business systems.

– Need to identify all critical systems.

– Off-site storage is critical.

• Some businesses are pursuing business continuity planning, which covers all aspects needed to ensure that the business would be able to operate regardless of the disaster.

Process for Planning Off-Site Storage

1. Analyzing and classifying data.

2. Reviewing existing backup procedures.

3. Selecting a storage vendor.

4. Formalizing the schedules for routine removal of data to storage.

Sample Strategies for Backup & Recovery

Strategy: Description

Replacement: Suspend operations or revert to manual systems until new I/S is up and running.

Cold site: An off-site facility without a computer, able to serve as an alternate processing site.

Reciprocal agreement: Two companies with similar systems agree to let the other share their facilities if necessary.

Hot site: A free-standing, fully equipped site used by multiple companies.

Redundant system: An identical, fully operational data center, typically in a separate geographical location.

When Disaster Strikes

1. Assess damage.

2. Get communications and application systems operational as soon as possible.

3. Ensure appropriate employees are located and notified.

Systems Security

• Companies must protect themselves against natural disasters, vandalism, cyberterrorism, and internal sabotage.

– Viruses are a major source of computer systems failures.

• Viruses are transmitted electronically.

• Antiviral products are available.

• Human intelligence is a key component in system security.

Common Systems Vulnerabilities

Default software installations: Operating systems and applications are often installed with extra features that users are unaware of and hence don’t monitor for security flaws.

Accounts with no passwords: Computer passwords are easy to steal or guess using automated password testing procedures.

Inadequate backups: Many companies back up data but don’t test to see if the backups are adequate.

Too many open doors: Computer systems exchange data using connection points known as ports. Some companies leave ports open, creating opportunities for hackers.

False addresses: Attackers try to hide their tracks by spoofing the addresses contained in packets of data that they send.

Bad record keeping: I/S can log most activities, but sometimes the record keeping function is not turned on. Logs are critical to discovering what happened in an attack.

Vulnerable web programs: Common gateway interface programs (CGI scripts) are common in web pages. Vulnerable CGI scripts make it possible for a hacker to manipulate the OS of the server.

E-mail attachments: A common vulnerability is e-mail attachments that are executable program files containing viruses.
