Management Control and Security
MIS 503 Management Information Systems
MBA Program
1
2
When It Comes to IT, What Has to be Managed?
• Relationships
• Strategy
• Infrastructure
• Human Capital
• Innovation
• Solutions Delivery
• Provisioning of Service
• Financial Performance
How do we manage all these interrelated functions and tasks?
• Organizations need to think about technology as an enabling force and incorporate IT in strategic, tactical, and operational decision making
• Several questions need to be addressed
– Decide how the IT function should be organized
– Deal with organizational design issues that will affect IT implementation and use
– Decide how to manage the future of the IT function
– Decide how to plan for IT
– Decide how to control and secure IT
3
How should the IT function be organized?
• Two extreme structures for the IT group
– Centralized:
• Results in the lowest operational costs for the organization
• Allows the greatest control over the IT resources
– Decentralized:
• Allows greater flexibility
• IT is managed closer to home, which should result in better service and greater innovation
• Has the greatest potential for security problems
4
Factors Affecting IT Design: Organizational Politics
Information Politics
– Technocratic Utopianism: Technology positivism; “If we build it, they will use it.” Model the firm’s IT structure and rely on new technologies
– Anarchy: No overall information management policy
– Feudalism: Management of IT by individual business units; limited reporting to the organization
– Monarchy: Strong control by senior management; information may not be shared with lower levels of the firm
– Federalism: Management through consensus and negotiation about key IT decisions and structures
5
Factors Affecting IT Design: Organizational Culture
• “Competing Values” Perspective on Organizational Culture: 4 categories of organizational effectiveness defined by organizational structure and focus
– Structure:
• Flexible
• Control Oriented
– Focus:
• Internal
• External
6
Factors Affecting IT Design: Organizational Culture
7
The Competing Values Framework (after Quinn & Rohrbaugh, 1981)
Axes of the framework: Flexible Processes vs. Control-Oriented Processes; Internal Maintenance vs. External Positioning
• Type: Group (flexible processes, internal maintenance)
– Dominant Attribute: Cohesiveness, participation, teamwork, sense of family
– Leadership Style: Mentor, facilitator, parent-figure
– Bonding: Loyalty, tradition, interpersonal cohesion
– Strategic Emphasis: Toward developing human resources, commitment, and morale
• Type: Adhocracy (flexible processes, external positioning)
– Dominant Attribute: Entrepreneurship, creativity, adaptability, dynamism
– Leadership Style: Innovator, entrepreneur, risk taker
– Bonding: Flexibility, risk, entrepreneurship
– Strategic Emphasis: Toward innovation, growth, new resources
• Type: Hierarchy (control-oriented processes, internal maintenance)
– Dominant Attribute: Order, rules and regulations, uniformity, efficiency
– Leadership Style: Coordinator, organizer, administrator
– Bonding: Rules, policies and procedures, clear expectations
– Strategic Emphasis: Toward stability, predictability, smooth operations
• Type: Market (control-oriented processes, external positioning)
– Dominant Attribute: Goal achievement, environment exchange, competitiveness
– Leadership Style: Production- and achievement-oriented, decisive
– Bonding: Goal orientation, production, competition
– Strategic Emphasis: Toward competitive advantage and market superiority
Organizational Models for IT
• Models for Organizing IT for Innovation
– The Partner Model: IT personnel are partners in IT innovation
– The Platform Model: Build the infrastructure and let users focus on developing IT innovations
– The Scalable Model: Fast and quick; IT relies on external experts to develop innovations and bring them to the firm
8
Organizational Models for IT
Three Models for the IT Organization
• Partner
– Strategic position: IT is an active business partner for innovation
– Characteristics: IT managers in divisions, corporate IT for leadership, matrix reporting in IT
– Most applicable: Senior executives lack in-depth knowledge of IT, firm needs to promote IT innovation, solid IT leadership
• Platform
– Strategic position: IT provides infrastructure for the entire business
– Characteristics: Corporate IT supervises overall infrastructure, businesses “own” IT innovations, IT account manager in each business
– Most applicable: Global companies with diverse lines of business; company managers knowledgeable about IT
• Scalable
– Strategic position: IT remains flexible and able to undertake new initiatives quickly
– Characteristics: Centralize IT to encourage commonality and reduce duplication, IT in business units
– Most applicable: Cyclical businesses, global businesses with similar subsidiaries, e.g., oil retailer
9
Managing the IT Function
• Regardless of the organizational structure, culture, and innovative focus, the IT function needs to be managed in a coordinated way
• Two extreme views of managing the organization
– Focus on rules and procedures
– An enabling emphasis on being fluid and flexible
10
Managing the IT Function: The CIO
• In many firms, the best way to manage the IT function is to have a Chief Information Officer (CIO)
– The CIO is in charge of IT in the firm and a senior member of management
• CIOs participate in planning and campaigning for the effective use of technology and for the appropriate level of investment in IT
• CIOs provide leadership and control over the IT function
• CIOs help the firm develop a competitive edge with the strategic use of IT
11
12
How CIOs Add Value
• They have an obsessive and continuous focus on business imperatives
• They relay external IT success stories and show how they represent potential models for success in the firm
• They establish and maintain relationships with other executives and their own personnel
• They establish and communicate the IS performance record
• They focus on making IS development efforts successful
• They develop and share a challenging vision of the role of IT
13
Questions CEOs Need to Address
• Some CEOs see IT as a strategic resource while others see IT as a cost. Common concerns that CIOs need to respond to include:
– Are we getting value for money invested in IT?
– How important is IT?
– How do we plan for IT?
– Is the IS function doing a good job?
– What is the IT strategy?
– What is my vision for the role of IT?
– What do we expect of the CIO?
14
A Vision and Plan for IT
• A vision is a general statement of what the organization is trying to become.
– It needs to be sufficiently compelling to create enthusiasm for the plan to achieve it
• The IT plan combines the vision of IT with strategy to guide IT decision making
– The vision and strategy provide goals for the IT plan, which describes how to achieve them
15
Contents of an IS Plan
• Executive summary
• Goals – general and specific
• Assumptions
• Scenario – vision of the firm
• Applications areas – status, cost, schedule, priorities
• Operations
• Maintenance and enhancements
• Organizational structure – pattern of computing
• Effects of plan on the organization – financial impact
• Implementation – risks, obstacles
Planning for Security and Control
• In today’s net-enabled environment, an increasingly important part of planning involves planning to control and secure the IT resource
16
Control Systems
• The components of control systems are
– Standards for performance
– Sensory determination of actual conditions
– Comparison of standard with actual conditions
– Compensatory action if the deviation is too great
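The four components above map directly onto a security monitoring loop. The following is an added example, not part of the lecture, that runs the loop over a constructed authentication log: the standard is a maximum number of failed logins per source, the sensor parses the log, the comparison finds sources that exceed the standard, and the compensatory action is a list of responder actions. The log format, the threshold value, the addresses and the function names are all assumptions of this example. It also treats lines the sensor cannot read as a deviation in their own right, since a blind sensor is itself a control failure.

```python
import re
from collections import Counter

# Constructed sample authentication log (not from the lecture); the line format
# "<timestamp> <OK|FAIL> user=<name> src=<address>" is an assumption of this example.
SAMPLE_LOG = """\
2024-01-01T10:00:01 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:02 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:03 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:04 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:05 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:06 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:07 OK   user=bob   src=198.51.100.7
2024-01-01T10:00:08 FAIL user=bob   src=198.51.100.7
garbage line that does not parse
"""

LINE_RE = re.compile(r"^\S+\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")

# 1. Standard for performance: more than this many failed logins from one
#    source within the observed window is an unacceptable deviation (assumed value).
MAX_FAILURES_PER_SOURCE = 5


def sense(log_text):
    """2. Sensory determination of actual conditions.

    Returns (failed logins per source, number of lines the sensor could not read).
    Unreadable lines are reported rather than silently dropped.
    """
    failures = Counter()
    unreadable = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            unreadable += 1
            continue
        if m.group("result") == "FAIL":
            failures[m.group("src")] += 1
    return failures, unreadable


def compare(failures, standard=MAX_FAILURES_PER_SOURCE):
    """3. Comparison of standard with actual conditions: sources whose deviation is too great."""
    return {src: n for src, n in failures.items() if n > standard}


def compensate(deviations, unreadable):
    """4. Compensatory action: the actions a responder would take, as auditable strings."""
    actions = [f"block {src} (failures={n}, standard={MAX_FAILURES_PER_SOURCE})"
               for src, n in sorted(deviations.items())]
    if unreadable:
        actions.append(f"investigate sensor: {unreadable} unreadable log line(s)")
    return actions


def run_control_loop(log_text):
    """One pass of the loop: sense, compare, compensate."""
    failures, unreadable = sense(log_text)
    return compensate(compare(failures), unreadable)


if __name__ == "__main__":
    for action in run_control_loop(SAMPLE_LOG):
        print(action)
```

Running the block on the constructed log yields one block action for the source with six failures and one sensor-investigation action for the unparseable line; the source with a single failure stays below the standard and produces no action.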
17
18
When there are Failures of Control
• Examples of control breakdowns
– WorldCom
– Qwest
– Global Crossing
• What caused these? Probably, it was in part the reward systems for senior managers that consisted of stock options. Managers were rewarded for inflating the bottom line.
• IS has an important role to play in strengthening control systems
– Audits
– Monitoring
– Information dissemination
– Reporting
19
Control of the Systems Development Process
• It is difficult to predict development time and development cost for new systems
– Package implementation can reduce this uncertainty
• Projects slip for a number of reasons
– Lack of user input
– Too few resources
– Too few individuals working on the project
– Lack of top management support
– Poor project management
20
Control of Operations
• The Foreign Corrupt Practices Act requires publicly held companies to devise and maintain a system of internal accounting controls pertaining to several operational components
– Execution of transactions based on managerial authorization
– Recording of transactions so that financial statements can be properly created
– Records of assets are kept and audited for accuracy
– Managers sign off on financial statements and certify the correctness of the statements (Sarbanes-Oxley Act)
• The Sarbanes-Oxley Act: created to protect investors by improving the accuracy and reliability of corporate disclosures. The act covers issues such as auditor independence, corporate responsibility, and enhanced financial disclosure.
21
Vulnerability of Systems: Where Does Control Fail?
• Errors in and intrusion of the operating system
• Errors in application programs
• Problems with database security
• Lack of network reliability and security
• Problems with adequate control of manual procedures
• Failure of management to maintain proper organizational control
• Open networks and connectivity
• Misuse or mistakes made by users
22
23
Vulnerability of Systems: Where Does Control Fail?
Control in the Organization: Controls can be created through…
• The structure of the organization
– Decentralized or centralized
• Rewards
• Management committee
• Budget
• Direct supervision
• Routine audits
• Establish and enforce standards and procedures
• Develop a plan and policy for managing database resources
– Data Backup/Recovery
– Data Concurrency Management
– Data Security
24
25
Control in the Organization
A Key Requirement for Control is Establishing IT Security
• Without security, the integrity of organizational IT resources will be at risk – therefore, security is everyone’s business
• Security is an increasingly important issue because of an increasing number of threats
– According to the statistics reported to CERT/CC over the past several years (CERT/CC 2003), the number of cyber attacks grew from approximately 22,000 in 2000 to 137,529 in 2003
– According to the 2004 E-Crime Watch Survey, 43% of respondents reported an increase in e-crimes and intrusions versus the previous year and 70% reported at least one e-crime or intrusion was committed against their organization
26
Security Concepts
• Authentication: The process by which one entity verifies that another entity is who they claim to be
• Authorization: The process that ensures that a person has the right to access certain resources
• Confidentiality: Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
• Integrity: Being able to protect data from being altered or destroyed in an unauthorized or accidental manner
• Nonrepudiation: The ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature
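The definitions above are easy to blur in practice, so here is an added example, not part of the lecture, that walks one constructed transaction through authentication (a salted PBKDF2 password check), authorization (a default-deny access-control list), and integrity (a keyed HMAC over the message). It then shows why the same HMAC does not give nonrepudiation: the receiver holds the shared key too and can mint a valid tag itself, so no third party can tell who produced it, which is exactly why the definition says "usually by means of a signature". The user names, resource name, key, message and function names are assumptions of this example; confidentiality (encryption) is not shown.

```python
import hashlib
import hmac
import os

# --- Authentication: verify an entity is who it claims to be --------------------
# Constructed credential store for this example; passwords are kept only as
# salted PBKDF2 digests, never in plaintext.
def make_password_record(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def authenticate(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    # compare_digest avoids leaking which byte differed through timing
    return hmac.compare_digest(candidate, record["digest"])


# --- Authorization: does the (already authenticated) principal have the right? ---
# Constructed access-control list, an assumption of this example.
ACL = {
    "payroll": {"alice": {"read", "write"}, "bob": {"read"}},
}


def authorize(user, resource, action):
    # Default deny: unknown resource, unknown user, or unlisted action all fail.
    return action in ACL.get(resource, {}).get(user, set())


# --- Integrity: detect unauthorized or accidental alteration with a keyed MAC ---
def protect(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, tag):
    return hmac.compare_digest(protect(key, message), tag)


# --- Nonrepudiation: what a shared-key MAC cannot give you --------------------
def run_scenario():
    """Walk the concepts through one constructed transaction and report the outcomes."""
    record = make_password_record("correct horse battery staple")
    shared_key = os.urandom(32)          # known to BOTH sender and receiver
    order = b"transfer 100 to account 42"
    tag = protect(shared_key, order)
    tampered = order.replace(b"100", b"900")

    # The receiver holds the same key, so it can mint a tag for a message the
    # sender never sent, and a third party cannot tell the two apart. A MAC
    # therefore gives integrity and authentication but NOT nonrepudiation, which
    # needs a signature made with a private key only the signer holds.
    receiver_minted = protect(shared_key, b"transfer 900 to account 42")

    return {
        "auth_ok": authenticate(record, "correct horse battery staple"),
        "auth_bad": authenticate(record, "Correct horse battery staple"),
        "alice_write": authorize("alice", "payroll", "write"),
        "bob_write": authorize("bob", "payroll", "write"),
        "integrity_ok": verify(shared_key, order, tag),
        "integrity_tamper_detected": not verify(shared_key, tampered, tag),
        "receiver_forged_tag_verifies": verify(shared_key, b"transfer 900 to account 42", receiver_minted),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The last entry in the result is the instructive one: it is True, meaning the receiver-minted tag verifies just as well as a genuine one. Integrity held (the tampered order was rejected), but nothing in the exchange lets the receiver prove to an auditor that the sender, rather than the receiver itself, authored the order.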
27
28
Types of Threats and Attacks
• Nontechnical attack: An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network
29
Types of Threats and Attacks (cont.)
• Social engineering: A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access
30
Types of Threats and Attacks (cont.)
• Multiprong approach used to combat social engineering:
1. Education and training
2. Policies and procedures
3. Penetration testing
31
Types of Threats and Attacks (cont.)
• Technical attack: An attack perpetrated using software and systems knowledge or expertise
32
Types of Threats and Attacks (cont.)
• Denial-of-service (DoS) attack: An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources
33
Types of Threats and Attacks (cont.)
• Distributed denial-of-service (DDoS) attack: A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer
34
Types of Threats and Attacks (cont.)
• Malware: A generic term for malicious software
– The severity of virus attacks is increasing substantially, requiring much more time and money to recover
– 85% of survey respondents said that their organizations had been the victims of e-mail viruses in 2002
35
Types of Threats and Attacks
– Malware takes a variety of forms - both pure and hybrid
• Virus: A piece of software code that inserts itself into a host, including the operating system, to propagate; it requires that its host program be run to activate it
• Worm: A software program that runs independently, consuming the resources of its host in order to maintain itself and is capable of propagating a complete working version of itself onto another machine
• Macro virus or macro worm: A virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed
• Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk
CERT: Recommendations for Governing Organizational Security
• Questions to ask:
– What is at risk?
– How much security is enough?
– How should an organization …
• Develop policies on security
• Achieve and sustain proper security
36
The CERT recommendations are derived from a report written by Julia Allen entitled Governing for Enterprise Security, which may be found at http://www.cert.org/archive/pdf/05tn023.pdf
CERT: Recommendations for Governing Organizational Security
• What is at risk?
– Trust that the public has in your organization
– Reputation and brand
– Shareholder value
– Market confidence
– Regulatory compliance
• Fines
• Jail time
– Market share
– Customer privacy
– Ongoing, uninterrupted operations
– Morale of organizational members
37
CERT: Recommendations for Governing Organizational Security
• How Much Security is Enough?
– “Management’s perspective needs to shift”
– Scope: from Technical problem to Enterprise problem
– Ownership: from IT to Enterprise
– Funding: from Expense to Investment
– Focus: from Intermittent to Integrated
– Driver: from External to Enterprise
– Application: from Platform/practice to Process
– Goal: from IT security to Enterprise
38
CERT: Recommendations for Governing Organizational Security
• Good Security Strategy Questions
– What needs to be protected?
• Why does it need to be protected?
• What happens if it is not protected?
– What potential adverse consequences need to be prevented?
• What will be the cost?
• How much of a disruption can we stand before we take action?
– How do we effectively manage the residual risk when protection and prevention actions are not taken?
39
CERT: Recommendations for Governing Organizational Security
• What is Adequate Security?
– The condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances
• Adequacy depends on . . .
– Enterprise factors: size, complexity, asset criticality, dependence on IT, impact of downtime
– Market sector factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure
– Principle-based decisions: Accountability, Awareness, Compliance, Effectiveness, Ethics, Perspective/Scope, Risk Management, etc.
40
CERT: Recommendations for Evolving the Security Approach
41
CERT: Recommendations for Evolving the Security Approach
42
CERT: Recommendations for Evolving the Security Approach
• What Does Effective Security Look Like at the Enterprise Level?
– It’s no longer solely under IT’s control
– Achievable, measurable objectives are defined and included in strategic and operational plans
– Functions across the organization view security as part of their job (e.g., Audit) and are so measured
– Adequate and sustained funding is a given
– Senior executives visibly sponsor and measure this work against defined performance parameters
– Considered a requirement of being in business
43