Abstract image of a woman sitting on books and studying on a laptop

Submission Requirements Format Microsoft Word (or compatible).docx

Download as DOCX, PDF
D
david4611

The document outlines submission requirements for a security recommendations report for a company expanding its network, emphasizing the need for enhanced network controls that comply with the defense in depth approach. It also specifies formatting guidelines, citation styles, and emphasizes the importance of plagiarism checks prior to grading. Additionally, it mentions the global edition of an IT strategy textbook catering to students outside North America, highlighting significant updates and a focus on current IT management issues.

Education
1 of 52
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Submission Requirements ? Format: Microsoft Word (or compatible) ? Font: Arial, size 12, double-space ? Citation Style: Follow your school�s preferred style guide ? Length: 2 page ? APA Format ? No resources before 2015 ? Must complete all parts to answer the questions *** will be reviewed for plagiarism prior to all grading “Your Company” is expanding. The company wants additional network controls to protect their growing network. Tasks
Consider the Windows servers and workstations in the domains of a typical IT infrastructure. Based on your understanding of network security controls, recommend at least four possible controls that will enhance the network’s security. Focus on ensuring that controls satisfy the defense in depth approach to security. Summarize your network security controls in a summary report to management. You must provide rationale for your choices by explaining how each control makes the environment more secure and what potential flaws the controls have as well. Global editionGlo b a l ed it io n
this is a special edition of an established title widely used by colleges and universities throughout the world. Pearson published this exclusive edition for the benefit of students outside the United States and Canada. if you purchased this book within the United States or Canada you should be aware that it has been imported without the approval of the Publisher or author. Pearson Global Edition Global edition For these Global editions, the editorial team at Pearson has collaborated with educators across the world to address a wide range of subjects and requirements, equipping students with the best possible learning tools. this Global edition preserves the cutting-edge approach and pedagogy of the original, but also features alterations, customization, and adaptation from the north american version. it Strategy: Issues and Practices M cK een Sm ith
it Strategy Issues and Practices tHiRd edition James D. McKeen • Heather A. Smith t H iR d e d it io n McKeen_1292080264_mech.indd 1 28/11/14 12:56 PM IT STraTegy: ISSueS and PracTIceS A01_MCKE0260_03_GE_FM.indd 1 26/11/14 9:32 PM A01_MCKE0260_03_GE_FM.indd 2 26/11/14 9:32 PM
IT STraTegy: ISSueS and PracTIceS T h i r d E d i t i o n G l o b a l E d i t i o n James D. McKeen Queen’s University Heather A. Smith Queen’s University Boston Columbus Indianapolis New York San Francisco Hoboken Amsterdam Cape Town Dubai London Madrid Milan Munich Paris Montréal Toronto Delhi Mexico City São Paulo Sydney Hong Kong Seoul Singapore Taipei Tokyo A01_MCKE0260_03_GE_FM.indd 3 26/11/14 9:32 PM Editor in Chief: Stephanie Wall Head of Learning Asset Acquisition, Global Edition: Laura Dent Acquisitions Editor: Nicole Sam Program Manager Team Lead: Ashley Santora Program Manager: Denise Vaughn Editorial Assistant: Kaylee Rotella Assistant Acquisitions Editor, Global Edition: Debapriya Mukherjee Associate Project Editor, Global Edition: Binita Roy Executive Marketing Manager: Anne K. Fahlgren Project Manager Team Lead: Judy Leale
Project Manager: Thomas Benfatti Procurement Specialist: Diane Peirano Senior Manufacturing Controller, Production, Global Edition: Trudy Kimber Cover Image: © Toria/Shutterstock Cover Designer: Lumina Datamantics Full Service Project Management: Abinaya Rajendran at Integra Software Services, Pvt. Ltd. Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this textbook appear on appropriate page within text. Pearson Education Limited Edinburgh Gate Harlow Essex CM20 2JE England and Associated Companies throughout the world Visit us on the World Wide Web at: www.pearsonglobaleditions.com © Pearson Education Limited 2015 The rights of James D. McKeen and Heather A. Smith to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988. Authorized adaptation from the United States edition, entitled IT Strategy: Issues and Practices, 3rd edition, ISBN 978-0-13-354424-4, by James D. McKeen and Heather A. Smith, published by Pearson Education © 2015.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without either the prior written permission of the publisher or a license permitting restricted copying in the United Kingdom issued by the Copyright Licensing Agency Ltd, Saffron House, 6–10 Kirby Street, London EC1N 8TS. All trademarks used herein are the property of their respective owners. The use of any trademark in this text does not vest in the author or publisher any trademark ownership rights in such trademarks, nor does the use of such trademarks imply any affiliation with or endorsement of this book by such owners. ISBN 10: 1-292-08026-4 ISBN 13: 978-1-292-08026-0 British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library 10 9 8 7 6 5 4 3 2 1 Typeset in 10/12 Palatino LT Std by Integra Software Services, Pvt. Ltd. Printed and bound in Great Britain by Clays Ltd, Bungay, Suffolk. A01_MCKE0260_03_GE_FM.indd 4 26/11/14 9:32 PM ConTEnTS
Preface 13 About the Authors 21 Acknowledgments 22 Section I Delivering Value with IT 23 Chapter 1 The IT Value ProPoSITIon 24 Peeling the Onion: Understanding IT Value 25 What Is IT Value? 25 Where Is IT Value? 26 Who Delivers IT Value? 27 When Is IT Value Realized? 27 The Three Components of the IT Value Proposition 28 Identification of Potential Value 29 Effective Conversion 30 Realizing Value 31 Five Principles for Delivering Value 32 Principle 1. Have a Clearly Defined Portfolio Value Management Process 33 Principle 2. Aim for Chunks of Value 33 Principle 3. Adopt a Holistic Orientation to Technology Value 33
Principle 4. Aim for Joint Ownership of Technology Initiatives 34 Principle 5. Experiment More Often 34 Conclusion 34 • References 35 Chapter 2 DelIVerIng BuSIneSS Value Through IT STraTegy 37 Business and IT Strategies: Past, Present, and Future 38 Four Critical Success Factors 40 The Many Dimensions of IT Strategy 42 Toward an IT Strategy-Development Process 44 Challenges for CIOs 45 Conclusion 47 • References 47 Chapter 3 MakIng IT CounT 49 Business Measurement: An Overview 50 Key Business Metrics for IT 52 5 A01_MCKE0260_03_GE_FM.indd 5 26/11/14 9:32 PM 6 Contents Designing Business Metrics for IT 53 Advice to Managers 57 Conclusion 58 • References 58
Chapter 4 effeCTIVe BuSIneSS–IT relaTIonShIPS 60 The Nature of the Business–IT Relationship 61 The Foundation of a Strong Business–IT Relationship 63 Building Block #1: Competence 64 Building Block #2: Credibility 65 Building Block #3: Interpersonal Interaction 66 Building Block #4: Trust 68 Conclusion 70 • References 70 Appendix A The Five IT Value Profiles 72 Appendix B Guidelines for Building a Strong Business–IT Relationship 73 Chapter 5 BuSIneSS–IT CoMMunICaTIon 74 Communication in the Business–IT Relationship 75 What Is “Good” Communication? 76 Obstacles to Effective Communication 78 “T-Level” Communication Skills for IT Staff 80 Improving Business–IT Communication 82 Conclusion 83 • References 83 Appendix A IT Communication Competencies 85 Chapter 6 effeCTIVe IT leaDerShIP 86
The Changing Role of the IT Leader 87 What Makes a Good IT Leader? 89 How to Build Better IT Leaders 92 Investing in Leadership Development: Articulating the Value Proposition 95 Conclusion 96 • References 97 MInI CaSeS Delivering Business Value with IT at Hefty Hardware 98 Investing in TUFS 102 IT Planning at ModMeters 104 A01_MCKE0260_03_GE_FM.indd 6 26/11/14 9:32 PM Contents 7 Section II IT governance 109 Chapter 7 effeCTIVe IT ShareD SerVICeS 110 IT Shared Services: An Overview 111 IT Shared Services: Pros and Cons 114 IT Shared Services: Key Organizational Success Factors 115 Identifying Candidate Services 116 An Integrated Model of IT Shared Services 117
Recommmendations for Creating Effective IT Shared Services 118 Conclusion 121 • References 121 Chapter 8 SuCCeSSful IT SourCIng: MaTurITy MoDel, SourCIng oPTIonS, anD DeCISIon CrITerIa 122 A Maturity Model for IT Functions 123 IT Sourcing Options: Theory Versus Practice 127 The “Real” Decision Criteria 131 Decision Criterion #1: Flexibility 131 Decision Criterion #2: Control 131 Decision Criterion #3: Knowledge Enhancement 132 Decision Criterion #4: Business Exigency 132 A Decision Framework for Sourcing IT Functions 133 Identify Your Core IT Functions 133 Create a “Function Sourcing” Profile 133 Evolve Full-Time IT Personnel 135 Encourage Exploration of the Whole Range of Sourcing Options 136 Combine Sourcing Options Strategically 136 A Management Framework for Successful
Sourcing 137 Develop a Sourcing Strategy 137 Develop a Risk Mitigation Strategy 137 Develop a Governance Strategy 138 Understand the Cost Structures 138 Conclusion 139 • References 139 Chapter 9 BuDgeTIng: PlannIng’S eVIl TwIn 140 Key Concepts in IT Budgeting 141 The Importance of Budgets 143 The IT Planning and Budget Process 145 A01_MCKE0260_03_GE_FM.indd 7 26/11/14 9:32 PM 8 Contents Corporate Processes 145 IT Processes 147 Assess Actual IT Spending 148 IT Budgeting Practices That Deliver Value 149 Conclusion 150 • References 151 Chapter 10 rISk ManageMenT In IT 152 A Holistic View of IT-Based Risk 153
Holistic Risk Management: A Portrait 156 Developing a Risk Management Framework 157 Improving Risk Management Capabilities 160 Conclusion 161 • References 162 Appendix A A Selection of Risk Classification Schemes 163 Chapter 11 InforMaTIon ManageMenT: STageS anD ISSueS 164 Information Management: How Does IT Fit? 165 A Framework For IM 167 Stage One: Develop an IM Policy 167 Stage Two: Articulate the Operational Components 167 Stage Three: Establish Information Stewardship 168 Stage Four: Build Information Standards 169 Issues In IM 170 Culture and Behavior 170 Information Risk Management 171 Information Value 172 Privacy 172
Knowledge Management 173 The Knowing–Doing Gap 173 Getting Started in IM 173 Conclusion 175 • References 176 Appendix A Elements of IM Operations 177 MInI CaSeS Building Shared Services at RR Communications 178 Enterprise Architecture at Nationstate Insurance 182 IT Investment at North American Financial 187 A01_MCKE0260_03_GE_FM.indd 8 26/11/14 9:32 PM Contents 9 Section III IT-enabled Innovation 191 Chapter 12 TeChnology-DrIVen InnoVaTIon 192 The Need for Innovation: An Historical Perspective 193 The Need for Innovation Now 193 Understanding Innovation 194 The Value of Innovation 196 Innovation Essentials: Motivation, Support,
and Direction 197 Challenges for IT leaders 199 Facilitating Innovation 201 Conclusion 202 • References 203 Chapter 13 when BIg DaTa anD SoCIal CoMPuTIng MeeT 204 The Social Media/Big Data Opportunity 205 Delivering Business Value with Big Data 207 Innovating with Big Data 211 Pulling in Two Different Directions: The Challenge for IT Managers 212 First Steps for IT Leaders 214 Conclusion 215 • References 216 Chapter 14 effeCTIVe CuSToMer exPerIenCe 217 Customer Experience and Business value 218 Many Dimensions of Customer Experience 219 The Role of Technology in Customer Experience 221 Customer Experience Essentials for IT 222 First Steps to Improving Customer Experience 225 Conclusion 226 • References 226 Chapter 15 BuSIneSS InTellIgenCe: an oVerVIew 228 Understanding Business Intelligence 229 The Need for Business Intelligence 230
The Challenge of Business Intelligence 231 The Role of IT in Business Intelligence 233 Improving Business Intelligence 235 Conclusion 238 • References 238 A01_MCKE0260_03_GE_FM.indd 9 26/11/14 9:32 PM 10 Contents Chapter 16 TeChnology-enaBleD CollaBoraTIon 240 Why Collaborate? 241 Characteristics of Collaboration 244 Components of Successful Collaboration 247 The Role of IT in Collaboration 249 First Steps for Facilitating Effective Collaboration 251 Conclusion 253 • References 254 MInI CaSeS Innovation at International Foods 256 Consumerization of Technology at IFG 261 CRM at Minitrex 265 Customer Service at Datatronics 268 Section IV IT Portfolio Development and Management 273
Chapter 17 ManagIng The aPPlICaTIon PorTfolIo 274 The Applications Quagmire 275 The Benefits of a Portfolio Perspective 276 Making APM Happen 278 Capability 1: Strategy and Governance 280 Capability 2: Inventory Management 284 Capability 3: Reporting and Rationalization 285 Key Lessons Learned 286 Conclusion 287 • References 287 Appendix A Application Information 288 Chapter 18 IT DeManD ManageMenT: SuPPly ManageMenT IS noT enough 292 Understanding IT Demand 293 The Economics of Demand Management 295 Three Tools for Demand management 295 Key Organizational Enablers for Effective Demand Management 296 Strategic Initiative Management 297 Application Portfolio Management 298 Enterprise Architecture 298
Business–IT Partnership 299 Governance and Transparency 301 Conclusion 303 • References 303 A01_MCKE0260_03_GE_FM.indd 10 26/11/14 9:32 PM Contents 11 Chapter 19 TeChnology roaDMaP: BenefITS, eleMenTS, anD PraCTICal STePS 305 What is a Technology Roadmap? 306 The Benefits of a Technology Roadmap 307 External Benefits (Effectiveness) 307 Internal Benefits (Efficiency) 308 Elements of the Technology Roadmap 308 Activity #1: Guiding Principles 309 Activity #2: Assess Current Technology 310 Activity #3: Analyze Gaps 311 Activity #4: Evaluate Technology Landscape 312 Activity #5: Describe Future Technology 313 Activity #6: Outline Migration Strategy 314
Activity #7: Establish Governance 314 Practical Steps for Developing a Technology Roadmap 316 Conclusion 317 • References 317 Appendix A Principles to Guide a Migration Strategy 318 Chapter 20 eMergIng DeVeloPMenT PraCTICeS 319 The Problem with System Development 320 Trends in System Development 321 Obstacles to Improving System Development Productivity 324 Improving System Development Productivity: What we know that Works 326 Next Steps to Improving System Development Productivity 328 Conclusion 330 • References 330 Chapter 21 InforMaTIon DelIVery: PaST, PreSenT, anD fuTure 332 Information and IT: Why Now? 333 Delivering Value Through Information 334 Effective Information Delivery 338 New Information Skills 338 New Information Roles 339
New Information Practices 339 A01_MCKE0260_03_GE_FM.indd 11 26/11/14 9:32 PM 12 Contents New Information Strategies 340 The Future of Information Delivery 341 Conclusion 343 • References 344 MInI CaSeS Project Management at MM 346 Working Smarter at Continental Furniture International 350 Managing Technology at Genex Fuels 355 Index 358 A01_MCKE0260_03_GE_FM.indd 12 26/11/14 9:32 PM PrEFACE Today, with information technology (IT) driving constant business transformation, overwhelming organizations with information, enabling 24/7 global operations, and undermining traditional business models, the challenge for business leaders is not simply to manage IT, it is to use IT to deliver business value. Whereas until fairly recently,
decisions about IT could be safely delegated to technology specialists after a business strategy had been developed, IT is now so closely integrated with business that, as one CIO explained to us, “We can no longer deliver business solutions in our company without using technology so IT and business strategy must constantly interact with each other.” What’s New in This Third Edition? • Six new chapters focusing on current critical issues in IT management, including IT shared services; big data and social computing; business intelligence; manag- ing IT demand; improving the customer experience; and enhancing development productivity. • Two significantly revised chapters: on delivering IT functions through different resourcing options; and innovating with IT. • Twonew mini cases based on real companies and real IT management situations: Working Smarter at Continental Furniture and Enterprise Architecture at Nationstate Insurance. • A revised structure based on reader feedback with six chapters and two mini cases from the second edition being moved to the Web site. All too often, in our efforts to prepare future executives to deal effectively with
the issues of IT strategy and management, we lead them into a foreign country where they encounter a different language, different culture, and different customs. Acronyms (e.g., SOA, FTP/IP, SDLC, ITIL, ERP), buzzwords (e.g., asymmetric encryption, proxy servers, agile, enterprise service bus), and the widely adopted practice of abstraction (e.g., Is a software monitor a person, place, or thing?) present formidable “barriers to entry” to the technologically uninitiated, but more important, they obscure the impor- tance of teaching students how to make business decisions about a key organizational resource. By taking a critical issues perspective, IT Strategy: Issues and Practices treats IT as a tool to be leveraged to save and/or make money or transform an organization—not as a study by itself. As in the first two editions of this book, this third edition combines the experi- ences and insights of many senior IT managers from leading- edge organizations with thorough academic research to bring important issues in IT management to life and demonstrate how IT strategy is put into action in contemporary businesses. This new edition has been designed around an enhanced set of critical real-world issues in IT management today, such as innovating with IT, working with big data and social media, 13 A01_MCKE0260_03_GE_FM.indd 13 26/11/14 9:32 PM
14 Preface enhancing customer experience, and designing for business intelligence and introduces students to the challenges of making IT decisions that will have significant impacts on how businesses function and deliver value to stakeholders. IT Strategy: Issues and Practices focuses on how IT is changing and will continue to change organizations as we now know them. However, rather than learning concepts “free of context,” students are introduced to the complex decisions facing real organi- zations by means of a number of mini cases. These provide an opportunity to apply the models/theories/frameworks presented and help students integrate and assimilate this material. By the end of the book, students will have the confidence and ability to tackle the tough issues regarding IT management and strategy and a clear understand- ing of their importance in delivering business value. Key Features of This Book • A focus on IT management issues as opposed to technology issues • Critical IT issues explored within their organizational contexts • Readily applicablemodels and frameworks for implementing IT strategies • Mini cases to animate issues and focus
classroom discussions on real-world deci- sions, enabling problem-based learning • Proven strategies and best practices from leading-edge organizations • Useful and practical advice and guidelinesfor delivering value with IT • Extensive teaching notes for all mini cases A Different ApproAch to teAching it StrAtegy The real world of IT is one of issues—critical issues—such as the following: • How do we know if we are getting value from our IT investment? • How can we innovate with IT? • What specific IT functions should we seek from external providers? • How do we buildan IT leadershipteam that is a trusted partner with the business? • How do we enhance IT capabilities? • What is IT’s role in creating an intelligent business? • How can we best take advantage of new technologies, such as big data and social media, in our business? • How can we manage IT risk? However, the majority of management information systems (MIS) textbooks are orga- nized by system category (e.g., supply chain, customer relationship management, enterprise resource planning), by system component (e.g., hardware, software, networks), by system
function (e.g., marketing, financial, human resources), by system type (e.g., transactional, decisional, strategic), or by a combination of these. Unfortunately, such an organization does not promote an understanding of IT management in practice. IT Strategy: Issues and Practices tackles the real-world challenges of IT manage- ment. First, it explores a set of the most important issues facing IT managers today, and second, it provides a series of mini cases that present these critical IT issues within the context of real organizations. By focusing the text as well as the mini cases on today’s critical issues, the book naturally reinforces problem-based learning. A01_MCKE0260_03_GE_FM.indd 14 26/11/14 9:32 PM Preface 15 IT Strategy: Issues and Practices includes thirteen mini cases— each based on a real company presented anonymously.1 Mini cases are not simply abbreviated versions of standard, full-length business cases. They differ in two significant ways: 1. A horizontal perspective. Unlike standard cases that develop a single issue within an organizational setting (i.e., a “vertical” slice of organizational life), mini cases take a “horizontal” slice through a number of coexistent issues.
Rather than looking for a solution to a specific problem, as in a standard case, students analyzing a mini case must first identify and prioritize the issues embedded within the case. This mim- ics real life in organizations where the challenge lies in “knowing where to start” as opposed to “solving a predefined problem.” 2. Highly relevant information. Mini cases are densely written. Unlike standard cases, which intermix irrelevant information, in a mini case, each sentence exists for a reason and reflects relevant information. As a result, students must analyze each case very carefully so as not to miss critical aspects of the situation. Teaching with mini cases is, thus, very different than teaching with standard cases. With mini cases, students must determine what is really going on within the organiza- tion. What first appears as a straightforward “technology” problem may in fact be a political problem or one of five other “technology” problems. Detective work is, there- fore, required. The problem identification and prioritization skills needed are essential skills for future managers to learn for the simple reason that it is not possible for organi- zations to tackle all of their problems concurrently. Mini cases help teach these skills to students and can balance the problem-solving skills learned in other classes. Best of all, detective work is fun and promotes lively classroom discussion.
To assist instructors, extensive teaching notes are available for all mini cases. Developed by the authors and based on “tried and true” in-class experience, these notes include case summaries, identify the key issues within each case, present ancillary information about the company/industry represented in the case, and offer guidelines for organizing the class- room discussion. Because of the structure of these mini cases and their embedded issues, it is common for teaching notes to exceed the length of the actual mini case! This book is most appropriate for MIS courses where the goal is to understand how IT delivers organizational value. These courses are frequently labeled “IT Strategy” or “IT Management” and are offered within undergraduate as well as MBA programs. For undergraduate juniors and seniors in business and commerce programs, this is usually the “capstone” MIS course. For MBA students, this course may be the compulsory core course in MIS, or it may be an elective course. Each chapter and mini case in this book has been thoroughly tested in a variety of undergraduate, graduate, and executive programs at Queen’s School of Business.2 1 We are unable to identify these leading-edge companies by agreements established as part of our overall research program (described later). 2 Queen’s School of Business is one of the world’s premier business schools, with a faculty team renowned
for its business experience and academic credentials. The School has earned international recognition for its innovative approaches to team-based and experiential learning. In addition to its highly acclaimed MBA programs, Queen’s School of Business is also home to Canada’s most prestigious undergraduate business program and several outstanding graduate programs. As well, the School is one of the world’s largest and most respected providers of executive education. A01_MCKE0260_03_GE_FM.indd 15 26/11/14 9:32 PM 16 Preface These materials have proven highly successful within all programs because we adapt how the material is presented according to the level of the students. Whereas under- graduate students “learn” about critical business issues from the book and mini cases for the first time, graduate students are able to “relate” to these same critical issues based on their previous business experience. As a result, graduate students are able to introduce personal experiences into the discussion of these critical IT issues. orgAnizAtion of thiS Book One of the advantages of an issues-focused structure is that chapters can be approached in any order because they do not build on one another. Chapter
order is immaterial; that is, one does not need to read the first three chapters to understand the fourth. This pro- vides an instructor with maximum flexibility to organize a course as he or she sees fit. Thus, within different courses/programs, the order of topics can be changed to focus on different IT concepts. Furthermore, because each mini case includes multiple issues, they, too, can be used to serve different purposes. For example, the mini case “Building Shared Services at RR Communications” can be used to focus on issues of governance, organizational structure, and/or change management just as easily as shared services. The result is a rich set of instructional materials that lends itself well to a variety of pedagogical appli- cations, particularly problem-based learning, and that clearly illustrates the reality of IT strategy in action. The book is organized into four sections, each emphasizing a key component of developing and delivering effective IT strategy: • Section I: Delivering Value with IT is designed to examine the complex ways that IT and business value are related. Over the past twenty years, researchers and prac- titioners have come to understand that “business value” can mean many different things when applied to IT. Chapter 1 (The IT Value Proposition) explores these con- cepts in depth. Unlike the simplistic value propositions often
used when imple- menting IT in organizations, this chapter presents “value” as a multilayered busi- ness construct that must be effectively managed at several levels if technology is to achieve the benefits expected. Chapter 2 (Delivering Business Value through IT Strategy) examines the dynamic interrelationship between business and IT strat- egy and looks at the processes and critical success factors used by organizations to ensure that both are well aligned. Chapter 3 (Making IT Count) discusses new ways of measuringIT’s effectiveness that promote closer business–IT alignment and help drive greater business value. Chapter 4 (Effective Business–IT Relationships) exam- ines the nature of the business–IT relationship and the characteristics of an effec- tive relationship that delivers real value to the enterprise. Chapter 5 (Business–IT Communication) explores the business and interpersonal competencies that IT staff will need in order to do their jobs effectively over the next five to seven years and what companies should be doing to develop them. Finally, Chapter 6 (Effective IT Leadership) tackles the increasing need for improved leadership skills in all IT staff and examines the expectations of the business for strategic and innovative guid- ance from IT. A01_MCKE0260_03_GE_FM.indd 16 26/11/14 9:32 PM
Preface 17 In the mini cases associated with this section, the concepts of delivering value with IT are explored in a number of different ways. We see business and IT executives at Hefty Hardware grappling with conflicting priorities and per- spectives and how best to work together to achieve the company’s strategy. In “Investing in TUFS,” CIO Martin Drysdale watches as all of the work his IT depart- ment has put into a major new system fails to deliver value. And the “IT Planning at ModMeters” mini case follows CIO Brian Smith’s efforts to create a strategic IT plan that will align with business strategy, keep IT running, and not increase IT’s budget. • Section II: IT Governance explores key concepts in how the IT organization is structured and managed to effectively deliver IT products and services to the orga- nization. Chapter 7 (Effective IT Shared Services) discusses how IT shared services should be selected, organized, managed, and governed to achieve improved organi- zational performance. Chapter 8 (Successful IT Sourcing: Maturity Model, Sourcing Options, and Decision Criteria) examines how organizations are choosing to source and deliver different types of IT functions and presents a …
Security Strategies in Windows Platforms and Applications Lesson 11 Hardening the Microsoft Windows Operating System © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Cover image © Sharpshot/Dreamstime.com Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 1 Learning Objective(s) Apply system hardening techniques in Microsoft Windows. Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Key Concepts General hardening concepts and strategies Hardening servers, clients, networks, and more
Security awareness Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Understanding the Hardening Process and Mind-set Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 4 Employ strategies to secure Windows computers Install only what you need Use Security Compliance Toolkit (SCT) Manually disable and remove programs/services
Strategies to Secure Windows Computers Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The process of making configuration changes and deploying controls to reduce the attack surface is called hardening. 5 Disable/remove programs with vulnerabilities Establish controls on running programs Install Only What You Need When installing Windows Server, select which programs to install Customize a server by defining one or more roles Role is a predefined set of services, programs, and configuration settings that enables a computer to fulfill specific requirements Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Security Compliance Toolkit (SCT) A set of tools from Microsoft to help manage Windows security baselines Provides guidance to administrators that makes it easier to ensure policies adhere to policy best practices Includes two tools to help manage baseline input and GPOs Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Policy Analyzer Selection Window Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 8 Windows Security Configuration Wizard—Select Server Roles Policy Analyzer Page ‹#› Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 9 Manually Disabling and Removing Programs and Services Back up the Windows Registry before making any changes Make changes on a test computer whenever possible Evaluate each computer Identify remaining programs and services you don’t need Remove unneeded programs Use the Windows Services maintenance utility to start, stop, and change services settings Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Uninstalling a Program in Windows Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
11 Windows Services Maintenance Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 12 Windows Services Properties Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 13 Hardening Microsoft Windows Operating System Authentication Disallow older authentication methods Remove or disable any unused or inactive user accounts Protect Administrator account
Establish and enforce strong account policies Password policy Account policy Kerberos policy Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 14 Hardening the Network Infrastructure Identify network server and client services that require access to ports Modify firewall settings to open those ports; close all other ports To manage firewall settings, use: Windows Defender Firewall with Advanced Security Local Group Policy Editor Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 15
Windows Defender Firewall with Advanced Security Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 16 Group Policy Management Editor—Windows Defender Firewall with Advanced Security Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 17 Securing Directory Information and Operations Active Directory (AD) Limit the number of administrators with access to AD Ensure that administrators use separate Administrator user accounts
Administrators should have one account for AD administration and at least one other account for other administration tasks Create an AD security group Require that AD administrators do their AD work only from dedicated terminal servers instead of workstations Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 18 Securing Information and Operations (Cont.) Directory Service Restore Mode (DSRM) Change password from the default password after installation Periodically change the DSRM password Protect the DSRM password for each domain controller and change it every six months Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 19
Hardening Microsoft Windows OS Administration After creating other user accounts with Administrator privileges, disable default Administrator account Enable strong passwords Set Administrator passwords to expire on a regular basis Create and maintain baselines Create full backup of each system before and after hardening Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 20 Hardening Microsoft Windows OS Administration (Cont.) Create individual backups of policies each time they change Ensure Windows systems are updated to latest patch Ensure Windows Update is configured to automatically download and install latest updates from Microsoft Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 21
Group Policy Management Console—Backup GPO Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 22 Windows Update Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 23 Windows Update Advanced Options Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com
All rights reserved. 24 Hardening Server Computers Ensure server computers don’t do anything they’re not supposed to do, such as run unneeded services Harden services they are supposed to provide After installing a server, run Security Compliance Toolkit to disable unneeded roles and services Use nmap utility to identify open ports Enable IPSec for server-to-server communications Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 25 Hardening Workstation Computers Use malware protection Mitigate vulnerabilities Disable programs and services not used Review firewall settings Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com All rights reserved. 26 Hardening Data Access and Controls Minimize number of user accounts on computers Carefully control access to accounts with Administrator rights Use Windows Group Policy to establish access control lists (ACLs) Avoid allowing anonymous or guest user accounts to access sensitive data Protect data at rest with Windows Encrypting File System (EFS) or Windows BitLocker Ensure data backups are encrypted Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 27 Hardening Communications and Remote Access Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com All rights reserved. 28 Network access control (NAC) Authentication servers VPN and encryption Hardening PKI Public key infrastructure (PKI): The hardware, software, policies, and procedures to manage all aspects of digital certificates Makes environments more secure Ensure all computers that participate are hardened Harden certificate authority (CA) servers Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 29
Hardening PKI (Cont.) Ensure CAs are physically secure and only accessible by authorized administrators Backup CA keys and store them in a safe location Use GPOs to distribute root CA certificates Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 30 Security Awareness Reminders Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Physical posters and banners in conspicuous locations, such as in break rooms and cafeterias, and around printers, fax machines, or shredders Email newsletters, social media contact, and security policy updates Periodic website reminders Social media messages Daily or weekly tip programs Contests with security themes
Security events on specific dates, such as November 30, International Computer Security Awareness Day Lunch-and-learn meetings about topics of interest to employees personally—such as identity theft or cyberbullying—as well as topics of interest to your organization Visible modeling of good security behaviors by your organization’s leaders 31 Posters and banners Newsletters Website reminders Social media messages Daily or weekly tip programs Contests Security events Lunch-and-learn meetings Leadership
Best Practices Install only the Windows Server Core option when you don’t need extra functionality. Select the minimum number of roles in Windows Server. Run SCT immediately after installation of Windows Server. Update and patch systems; configure for automatic Windows updates. Install and run Microsoft Baseline Security Analyzer (MBSA) and at least one vulnerability scanner. Create one or more user accounts with Administrator rights. Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 32 Best Practices (Cont.) Disable the Administrator and Guest user accounts. Disable all unneeded services. Close all ports not required by services or applications. Create GPOs for all security settings, including firewall rules. Use AD to distribute all configuration changes using GPOs. Create a backup of each GPO. Scan all computers for open ports and vulnerabilities. Limit physical access to all critical servers. Create an initial baseline backup.
Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 33 Best Practices (Cont.) Change the AD DSRM password periodically, at least every six months. Install anti-malware software on each computer. Ensure all anti-malware software and data are current. Use NAC software or devices to control remote computer connections. Use remote authentication methods to authorize remote computers and users. Require secure VPNs to access internal network resources. Use IPSec with digital certificates to authenticate computer-to- computer connections in the datacenter. Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 34 Best Practices (Cont.)
Require security awareness training prior to issuing access credentials. Require periodic recurrent security awareness training to retain access credentials. Provide continuing security awareness. Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 35 Summary General hardening concepts and strategies Hardening servers, clients, networks, and more Security awareness Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 36
Submission Requirements Format Microsoft Word (or compatible).docx

More Related Content

DOCX
Discussion 1Review chapter 21 in the course text.In your own .docx
madlynplamondon
 
DOCX
Review chapter 4 in the course text.1. Discuss only one of the.docx
audeleypearl
 
DOCX
Global editionGlobal editionthis i.docx
fathwaitewalter
 
DOCX
Global editionGlobal editionthis i.docx
gilbertkpeters11344
 
DOCX
Scanned with CamScannerGlobal editionGloba.docx
jeffsrosalyn
 
DOCX
Scanned with CamScannerGlobal editionGloba.docx
todd331
 
DOCX
Unit 3 HCM640 DB Assignment due Friday 1.17.20When developing .docx
ouldparis
 
DOCX
Scan2Scan20001Scan20002Scan20003Scan2000.docx
todd331
 
Discussion 1Review chapter 21 in the course text.In your own .docx
madlynplamondon
 
Review chapter 4 in the course text.1. Discuss only one of the.docx
audeleypearl
 
Global editionGlobal editionthis i.docx
fathwaitewalter
 
Global editionGlobal editionthis i.docx
gilbertkpeters11344
 
Scanned with CamScannerGlobal editionGloba.docx
jeffsrosalyn
 
Scanned with CamScannerGlobal editionGloba.docx
todd331
 
Unit 3 HCM640 DB Assignment due Friday 1.17.20When developing .docx
ouldparis
 
Scan2Scan20001Scan20002Scan20003Scan2000.docx
todd331
 

Similar to Submission Requirements Format Microsoft Word (or compatible).docx (20)

DOCX
Example Leadership ModelsTransformational Servant Leadership V.docx
cravennichole326
 
PDF
IT strategy issues and practices 3rd ed Edition Mckeen
lipkenoniems
 
DOCX
Research Problem AssignmentInstructions For completing th.docx
gholly1
 
DOCX
DocuSign Envelope lB 93D1 C8E$7E6F-40Gi-993F-3C36E912M98d.docx
madlynplamondon
 
DOCX
Store InfoStore #OpenCloseOpenClosePart TimeFull TimeSalariedOffic.docx
susanschei
 
DOCX
Research Problem AssignmentInstructions For completing th.docx
audeleypearl
 
PDF
Download full ebook of IT strategy issues and practices Mckeen instant downlo...
aguonecton3h
 
DOCX
Sheet1Pasadena Facility Inventory Status of PlantsAs of September.docx
manningchassidy
 
DOCX
IT STraTegyISSueS and PracTIceSThis page intent.docx
christiandean12115
 
DOCX
IT STraTegyISSueS and PracTIceSThis page intent.docx
priestmanmable
 
DOCX
IT STraTegyISSueS and PracTIceSThis page intent.docx
donnajames55
 
DOCX
IT STraTegyISSueS and PracTIceSThis page intent.docx
jesssueann
 
DOCX
IT STraTegyISSueS and PracTIceSThis page intent.docx
DioneWang844
 
DOCX
IT STraTegyISSueS and PracTIceSThis page intent.docx
vrickens
 
DOCX
MGMT 501Satterlee Chapters 1 – 2 OverviewsChapter One provide
DioneWang844
 
DOCX
CLINICAL DECISION MAKING4What do you see as the fu.docx
ShiraPrater50
 
DOCX
Question #4, 300-wordsReference Staff, B. O. (2020, May 12)..docx
amrit47
 
DOCX
4Type name of case study hereType Your Full Name H.docx
alinainglis
 
DOCX
Robotic System Upgrade Analysis and PresentationFor this a.docx
healdkathaleen
 
DOCX
SOC-510 Global Current Events – Ethnicity Analysis Worksheet.docx
pbilly1
 
Example Leadership ModelsTransformational Servant Leadership V.docx
cravennichole326
 
IT strategy issues and practices 3rd ed Edition Mckeen
lipkenoniems
 
Research Problem AssignmentInstructions For completing th.docx
gholly1
 
DocuSign Envelope lB 93D1 C8E$7E6F-40Gi-993F-3C36E912M98d.docx
madlynplamondon
 
Store InfoStore #OpenCloseOpenClosePart TimeFull TimeSalariedOffic.docx
susanschei
 
Research Problem AssignmentInstructions For completing th.docx
audeleypearl
 
Download full ebook of IT strategy issues and practices Mckeen instant downlo...
aguonecton3h
 
Sheet1Pasadena Facility Inventory Status of PlantsAs of September.docx
manningchassidy
 
IT STraTegyISSueS and PracTIceSThis page intent.docx
christiandean12115
 
IT STraTegyISSueS and PracTIceSThis page intent.docx
priestmanmable
 
IT STraTegyISSueS and PracTIceSThis page intent.docx
donnajames55
 
IT STraTegyISSueS and PracTIceSThis page intent.docx
jesssueann
 
IT STraTegyISSueS and PracTIceSThis page intent.docx
DioneWang844
 
IT STraTegyISSueS and PracTIceSThis page intent.docx
vrickens
 
MGMT 501Satterlee Chapters 1 – 2 OverviewsChapter One provide
DioneWang844
 
CLINICAL DECISION MAKING4What do you see as the fu.docx
ShiraPrater50
 
Question #4, 300-wordsReference Staff, B. O. (2020, May 12)..docx
amrit47
 
4Type name of case study hereType Your Full Name H.docx
alinainglis
 
Robotic System Upgrade Analysis and PresentationFor this a.docx
healdkathaleen
 
SOC-510 Global Current Events – Ethnicity Analysis Worksheet.docx
pbilly1
 
Ad

More from david4611 (20)

DOCX
Submit a 2-page Reading Response that uses either The Latino Th.docx
david4611
 
DOCX
Submit a 2-page document in which you highlight the important co.docx
david4611
 
DOCX
Submit a 2-page Reading Response for the river In essenc.docx
david4611
 
DOCX
Submit a 2- to 3-page paper that addresses the followingO.docx
david4611
 
DOCX
Submit a 2- to 4-page paper that includes the following.docx
david4611
 
DOCX
Submit a 2 to 3-page paper in which youBriefly describe an .docx
david4611
 
DOCX
Submission Ide 05cfd469-b092-4817-8562-c1cd61b4b6be47 SI.docx
david4611
 
DOCX
Subject  Pollution Must follow all directions BI 301 Term Pape.docx
david4611
 
DOCX
Submission date 11282019The requirement is to come up with .docx
david4611
 
DOCX
Submission - MarkUpSubmission MarkUp This is a machine generated.docx
david4611
 
DOCX
Submission Use your selected business plan template to complete t.docx
david4611
 
DOCX
subject:Theologytopic:reflection paper (helping the church yard .docx
david4611
 
DOCX
Submission authorAssignment titleSubmission titleFi.docx
david4611
 
DOCX
SUBJECT Security Architecture & DesignTo enhance the security.docx
david4611
 
DOCX
Submission Requirements Answer all the questions included in th.docx
david4611
 
DOCX
Subject Law – Case LawRequested Due Date 061914 500PM EDT.docx
david4611
 
DOCX
SubjectiveCC My stomach hurts, I have diarrhea and nothing .docx
david4611
 
DOCX
Subject Sex Tourism Compare and contrast at least two countries.docx
david4611
 
DOCX
Submission Date May 21st 2021Residency AssignmentRes.docx
david4611
 
DOCX
Subject Raising children 7-10 pages  Paper should be double.docx
david4611
 
Submit a 2-page Reading Response that uses either The Latino Th.docx
david4611
 
Submit a 2-page document in which you highlight the important co.docx
david4611
 
Submit a 2-page Reading Response for the river In essenc.docx
david4611
 
Submit a 2- to 3-page paper that addresses the followingO.docx
david4611
 
Submit a 2- to 4-page paper that includes the following.docx
david4611
 
Submit a 2 to 3-page paper in which youBriefly describe an .docx
david4611
 
Submission Ide 05cfd469-b092-4817-8562-c1cd61b4b6be47 SI.docx
david4611
 
Subject  Pollution Must follow all directions BI 301 Term Pape.docx
david4611
 
Submission date 11282019The requirement is to come up with .docx
david4611
 
Submission - MarkUpSubmission MarkUp This is a machine generated.docx
david4611
 
Submission Use your selected business plan template to complete t.docx
david4611
 
subject:Theologytopic:reflection paper (helping the church yard .docx
david4611
 
Submission authorAssignment titleSubmission titleFi.docx
david4611
 
SUBJECT Security Architecture & DesignTo enhance the security.docx
david4611
 
Submission Requirements Answer all the questions included in th.docx
david4611
 
Subject Law – Case LawRequested Due Date 061914 500PM EDT.docx
david4611
 
SubjectiveCC My stomach hurts, I have diarrhea and nothing .docx
david4611
 
Subject Sex Tourism Compare and contrast at least two countries.docx
david4611
 
Submission Date May 21st 2021Residency AssignmentRes.docx
david4611
 
Subject Raising children 7-10 pages  Paper should be double.docx
david4611
 
Ad

Recently uploaded (20)

PPTX
Unit 4 Computer Architecture Multicore Processor.pptx
Gunasundari Selvaraj
 
PDF
advance database management system book.pdf
hinamannan364
 
PDF
MBA _Common_ 2nd year Syllabus _2021-22_.pdf
DrAnubha4
 
PDF
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
ArchitectAFMMohiuddi
 
PDF
International_Financial_Reporting_Standa.pdf
VrindaTayade1
 
DOC
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
ArchitectAFMMohiuddi
 
PPTX
20th Century Theater, Methods, History.pptx
cpadilla9
 
PDF
Paper A Mock Exam 9_ Attempt review.pdf.
SameeraNaveed2
 
PPTX
TNA_Presentation-1-Final(SAVE)) (1).pptx
RomnickTanilon
 
PPTX
Share_Module_2_Power_conflict_and_negotiation.pptx
Lavanyaj33
 
PDF
medical_surgical_nursing_10th_edition_ignatavicius_TEST_BANK_pdf.pdf
victor kamau
 
PDF
My India Quiz Book_20210205121199924.pdf
AtandraDey2
 
PPTX
B.Sc. DS Unit 2 Software Engineering.pptx
Dr. Pallawi Bulakh
 
PPTX
History, Philosophy and sociology of education (1).pptx
tmdth1
 
PDF
FORM 1 BIOLOGY MIND MAPS and their schemes
arcade5
 
PDF
CISA (Certified Information Systems Auditor) Domain-Wise Summary.pdf
infosecTrain
 
PDF
Environmental Education MCQ BD2EE - Share Source.pdf
Dr Raja Mohammed T
 
PDF
Complications of Minimal Access-Surgery.pdf
Laparoscopy Hospital
 
PPTX
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
PDF
Practical Manual AGRO-233 Principles and Practices of Natural Farming
MilindKhedekar2
 
Unit 4 Computer Architecture Multicore Processor.pptx
Gunasundari Selvaraj
 
advance database management system book.pdf
hinamannan364
 
MBA _Common_ 2nd year Syllabus _2021-22_.pdf
DrAnubha4
 
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
ArchitectAFMMohiuddi
 
International_Financial_Reporting_Standa.pdf
VrindaTayade1
 
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
ArchitectAFMMohiuddi
 
20th Century Theater, Methods, History.pptx
cpadilla9
 
Paper A Mock Exam 9_ Attempt review.pdf.
SameeraNaveed2
 
TNA_Presentation-1-Final(SAVE)) (1).pptx
RomnickTanilon
 
Share_Module_2_Power_conflict_and_negotiation.pptx
Lavanyaj33
 
medical_surgical_nursing_10th_edition_ignatavicius_TEST_BANK_pdf.pdf
victor kamau
 
My India Quiz Book_20210205121199924.pdf
AtandraDey2
 
B.Sc. DS Unit 2 Software Engineering.pptx
Dr. Pallawi Bulakh
 
History, Philosophy and sociology of education (1).pptx
tmdth1
 
FORM 1 BIOLOGY MIND MAPS and their schemes
arcade5
 
CISA (Certified Information Systems Auditor) Domain-Wise Summary.pdf
infosecTrain
 
Environmental Education MCQ BD2EE - Share Source.pdf
Dr Raja Mohammed T
 
Complications of Minimal Access-Surgery.pdf
Laparoscopy Hospital
 
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
Practical Manual AGRO-233 Principles and Practices of Natural Farming
MilindKhedekar2
 

Submission Requirements Format Microsoft Word (or compatible).docx

  • 1. Submission Requirements ? Format: Microsoft Word (or compatible) ? Font: Arial, size 12, double-space ? Citation Style: Follow your school�s preferred style guide ? Length: 2 page ? APA Format ? No resources before 2015 ? Must complete all parts to answer the questions *** will be reviewed for plagiarism prior to all grading “Your Company” is expanding. The company wants additional network controls to protect their growing network. Tasks
  • 2. Consider the Windows servers and workstations in the domains of a typical IT infrastructure. Based on your understanding of network security controls, recommend at least four possible controls that will enhance the network’s security. Focus on ensuring that controls satisfy the defense in depth approach to security. Summarize your network security controls in a summary report to management. You must provide rationale for your choices by explaining how each control makes the environment more secure and what potential flaws the controls have as well. Global editionGlo b a l ed it io n
  • 3. this is a special edition of an established title widely used by colleges and universities throughout the world. Pearson published this exclusive edition for the benefit of students outside the United States and Canada. if you purchased this book within the United States or Canada you should be aware that it has been imported without the approval of the Publisher or author. Pearson Global Edition Global edition For these Global editions, the editorial team at Pearson has collaborated with educators across the world to address a wide range of subjects and requirements, equipping students with the best possible learning tools. this Global edition preserves the cutting-edge approach and pedagogy of the original, but also features alterations, customization, and adaptation from the north american version. it Strategy: Issues and Practices M cK een Sm ith
  • 4. it Strategy Issues and Practices tHiRd edition James D. McKeen • Heather A. Smith t H iR d e d it io n McKeen_1292080264_mech.indd 1 28/11/14 12:56 PM IT STraTegy: ISSueS and PracTIceS A01_MCKE0260_03_GE_FM.indd 1 26/11/14 9:32 PM A01_MCKE0260_03_GE_FM.indd 2 26/11/14 9:32 PM
  • 5. IT STraTegy: ISSueS and PracTIceS T h i r d E d i t i o n G l o b a l E d i t i o n James D. McKeen Queen’s University Heather A. Smith Queen’s University Boston Columbus Indianapolis New York San Francisco Hoboken Amsterdam Cape Town Dubai London Madrid Milan Munich Paris Montréal Toronto Delhi Mexico City São Paulo Sydney Hong Kong Seoul Singapore Taipei Tokyo A01_MCKE0260_03_GE_FM.indd 3 26/11/14 9:32 PM Editor in Chief: Stephanie Wall Head of Learning Asset Acquisition, Global Edition: Laura Dent Acquisitions Editor: Nicole Sam Program Manager Team Lead: Ashley Santora Program Manager: Denise Vaughn Editorial Assistant: Kaylee Rotella Assistant Acquisitions Editor, Global Edition: Debapriya Mukherjee Associate Project Editor, Global Edition: Binita Roy Executive Marketing Manager: Anne K. Fahlgren Project Manager Team Lead: Judy Leale
  • 6. Project Manager: Thomas Benfatti Procurement Specialist: Diane Peirano Senior Manufacturing Controller, Production, Global Edition: Trudy Kimber Cover Image: © Toria/Shutterstock Cover Designer: Lumina Datamantics Full Service Project Management: Abinaya Rajendran at Integra Software Services, Pvt. Ltd. Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this textbook appear on appropriate page within text. Pearson Education Limited Edinburgh Gate Harlow Essex CM20 2JE England and Associated Companies throughout the world Visit us on the World Wide Web at: www.pearsonglobaleditions.com © Pearson Education Limited 2015 The rights of James D. McKeen and Heather A. Smith to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988. Authorized adaptation from the United States edition, entitled IT Strategy: Issues and Practices, 3rd edition, ISBN 978-0-13-354424-4, by James D. McKeen and Heather A. Smith, published by Pearson Education © 2015.
  • 7. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without either the prior written permission of the publisher or a license permitting restricted copying in the United Kingdom issued by the Copyright Licensing Agency Ltd, Saffron House, 6–10 Kirby Street, London EC1N 8TS. All trademarks used herein are the property of their respective owners. The use of any trademark in this text does not vest in the author or publisher any trademark ownership rights in such trademarks, nor does the use of such trademarks imply any affiliation with or endorsement of this book by such owners. ISBN 10: 1-292-08026-4 ISBN 13: 978-1-292-08026-0 British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library 10 9 8 7 6 5 4 3 2 1 Typeset in 10/12 Palatino LT Std by Integra Software Services, Pvt. Ltd. Printed and bound in Great Britain by Clays Ltd, Bungay, Suffolk. A01_MCKE0260_03_GE_FM.indd 4 26/11/14 9:32 PM ConTEnTS
  • 8. Preface 13 About the Authors 21 Acknowledgments 22 Section I Delivering Value with IT 23 Chapter 1 The IT Value ProPoSITIon 24 Peeling the Onion: Understanding IT Value 25 What Is IT Value? 25 Where Is IT Value? 26 Who Delivers IT Value? 27 When Is IT Value Realized? 27 The Three Components of the IT Value Proposition 28 Identification of Potential Value 29 Effective Conversion 30 Realizing Value 31 Five Principles for Delivering Value 32 Principle 1. Have a Clearly Defined Portfolio Value Management Process 33 Principle 2. Aim for Chunks of Value 33 Principle 3. Adopt a Holistic Orientation to Technology Value 33
  • 9. Principle 4. Aim for Joint Ownership of Technology Initiatives 34 Principle 5. Experiment More Often 34 Conclusion 34 • References 35 Chapter 2 DelIVerIng BuSIneSS Value Through IT STraTegy 37 Business and IT Strategies: Past, Present, and Future 38 Four Critical Success Factors 40 The Many Dimensions of IT Strategy 42 Toward an IT Strategy-Development Process 44 Challenges for CIOs 45 Conclusion 47 • References 47 Chapter 3 MakIng IT CounT 49 Business Measurement: An Overview 50 Key Business Metrics for IT 52 5 A01_MCKE0260_03_GE_FM.indd 5 26/11/14 9:32 PM 6 Contents Designing Business Metrics for IT 53 Advice to Managers 57 Conclusion 58 • References 58
  • 10. Chapter 4 effeCTIVe BuSIneSS–IT relaTIonShIPS 60 The Nature of the Business–IT Relationship 61 The Foundation of a Strong Business–IT Relationship 63 Building Block #1: Competence 64 Building Block #2: Credibility 65 Building Block #3: Interpersonal Interaction 66 Building Block #4: Trust 68 Conclusion 70 • References 70 Appendix A The Five IT Value Profiles 72 Appendix B Guidelines for Building a Strong Business–IT Relationship 73 Chapter 5 BuSIneSS–IT CoMMunICaTIon 74 Communication in the Business–IT Relationship 75 What Is “Good” Communication? 76 Obstacles to Effective Communication 78 “T-Level” Communication Skills for IT Staff 80 Improving Business–IT Communication 82 Conclusion 83 • References 83 Appendix A IT Communication Competencies 85 Chapter 6 effeCTIVe IT leaDerShIP 86
  • 11. The Changing Role of the IT Leader 87 What Makes a Good IT Leader? 89 How to Build Better IT Leaders 92 Investing in Leadership Development: Articulating the Value Proposition 95 Conclusion 96 • References 97 MInI CaSeS Delivering Business Value with IT at Hefty Hardware 98 Investing in TUFS 102 IT Planning at ModMeters 104 A01_MCKE0260_03_GE_FM.indd 6 26/11/14 9:32 PM Contents 7 Section II IT governance 109 Chapter 7 effeCTIVe IT ShareD SerVICeS 110 IT Shared Services: An Overview 111 IT Shared Services: Pros and Cons 114 IT Shared Services: Key Organizational Success Factors 115 Identifying Candidate Services 116 An Integrated Model of IT Shared Services 117
  • 12. Recommmendations for Creating Effective IT Shared Services 118 Conclusion 121 • References 121 Chapter 8 SuCCeSSful IT SourCIng: MaTurITy MoDel, SourCIng oPTIonS, anD DeCISIon CrITerIa 122 A Maturity Model for IT Functions 123 IT Sourcing Options: Theory Versus Practice 127 The “Real” Decision Criteria 131 Decision Criterion #1: Flexibility 131 Decision Criterion #2: Control 131 Decision Criterion #3: Knowledge Enhancement 132 Decision Criterion #4: Business Exigency 132 A Decision Framework for Sourcing IT Functions 133 Identify Your Core IT Functions 133 Create a “Function Sourcing” Profile 133 Evolve Full-Time IT Personnel 135 Encourage Exploration of the Whole Range of Sourcing Options 136 Combine Sourcing Options Strategically 136 A Management Framework for Successful
  • 13. Sourcing 137 Develop a Sourcing Strategy 137 Develop a Risk Mitigation Strategy 137 Develop a Governance Strategy 138 Understand the Cost Structures 138 Conclusion 139 • References 139 Chapter 9 BuDgeTIng: PlannIng’S eVIl TwIn 140 Key Concepts in IT Budgeting 141 The Importance of Budgets 143 The IT Planning and Budget Process 145 A01_MCKE0260_03_GE_FM.indd 7 26/11/14 9:32 PM 8 Contents Corporate Processes 145 IT Processes 147 Assess Actual IT Spending 148 IT Budgeting Practices That Deliver Value 149 Conclusion 150 • References 151 Chapter 10 rISk ManageMenT In IT 152 A Holistic View of IT-Based Risk 153
  • 14. Holistic Risk Management: A Portrait 156 Developing a Risk Management Framework 157 Improving Risk Management Capabilities 160 Conclusion 161 • References 162 Appendix A A Selection of Risk Classification Schemes 163 Chapter 11 InforMaTIon ManageMenT: STageS anD ISSueS 164 Information Management: How Does IT Fit? 165 A Framework For IM 167 Stage One: Develop an IM Policy 167 Stage Two: Articulate the Operational Components 167 Stage Three: Establish Information Stewardship 168 Stage Four: Build Information Standards 169 Issues In IM 170 Culture and Behavior 170 Information Risk Management 171 Information Value 172 Privacy 172
  • 15. Knowledge Management 173 The Knowing–Doing Gap 173 Getting Started in IM 173 Conclusion 175 • References 176 Appendix A Elements of IM Operations 177 MInI CaSeS Building Shared Services at RR Communications 178 Enterprise Architecture at Nationstate Insurance 182 IT Investment at North American Financial 187 A01_MCKE0260_03_GE_FM.indd 8 26/11/14 9:32 PM Contents 9 Section III IT-enabled Innovation 191 Chapter 12 TeChnology-DrIVen InnoVaTIon 192 The Need for Innovation: An Historical Perspective 193 The Need for Innovation Now 193 Understanding Innovation 194 The Value of Innovation 196 Innovation Essentials: Motivation, Support,
  • 16. and Direction 197 Challenges for IT leaders 199 Facilitating Innovation 201 Conclusion 202 • References 203 Chapter 13 when BIg DaTa anD SoCIal CoMPuTIng MeeT 204 The Social Media/Big Data Opportunity 205 Delivering Business Value with Big Data 207 Innovating with Big Data 211 Pulling in Two Different Directions: The Challenge for IT Managers 212 First Steps for IT Leaders 214 Conclusion 215 • References 216 Chapter 14 effeCTIVe CuSToMer exPerIenCe 217 Customer Experience and Business value 218 Many Dimensions of Customer Experience 219 The Role of Technology in Customer Experience 221 Customer Experience Essentials for IT 222 First Steps to Improving Customer Experience 225 Conclusion 226 • References 226 Chapter 15 BuSIneSS InTellIgenCe: an oVerVIew 228 Understanding Business Intelligence 229 The Need for Business Intelligence 230
  • 17. The Challenge of Business Intelligence 231 The Role of IT in Business Intelligence 233 Improving Business Intelligence 235 Conclusion 238 • References 238 A01_MCKE0260_03_GE_FM.indd 9 26/11/14 9:32 PM 10 Contents Chapter 16 TeChnology-enaBleD CollaBoraTIon 240 Why Collaborate? 241 Characteristics of Collaboration 244 Components of Successful Collaboration 247 The Role of IT in Collaboration 249 First Steps for Facilitating Effective Collaboration 251 Conclusion 253 • References 254 MInI CaSeS Innovation at International Foods 256 Consumerization of Technology at IFG 261 CRM at Minitrex 265 Customer Service at Datatronics 268 Section IV IT Portfolio Development and Management 273
  • 18. Chapter 17 ManagIng The aPPlICaTIon PorTfolIo 274 The Applications Quagmire 275 The Benefits of a Portfolio Perspective 276 Making APM Happen 278 Capability 1: Strategy and Governance 280 Capability 2: Inventory Management 284 Capability 3: Reporting and Rationalization 285 Key Lessons Learned 286 Conclusion 287 • References 287 Appendix A Application Information 288 Chapter 18 IT DeManD ManageMenT: SuPPly ManageMenT IS noT enough 292 Understanding IT Demand 293 The Economics of Demand Management 295 Three Tools for Demand management 295 Key Organizational Enablers for Effective Demand Management 296 Strategic Initiative Management 297 Application Portfolio Management 298 Enterprise Architecture 298
  • 19. Business–IT Partnership 299 Governance and Transparency 301 Conclusion 303 • References 303 A01_MCKE0260_03_GE_FM.indd 10 26/11/14 9:32 PM Contents 11 Chapter 19 TeChnology roaDMaP: BenefITS, eleMenTS, anD PraCTICal STePS 305 What is a Technology Roadmap? 306 The Benefits of a Technology Roadmap 307 External Benefits (Effectiveness) 307 Internal Benefits (Efficiency) 308 Elements of the Technology Roadmap 308 Activity #1: Guiding Principles 309 Activity #2: Assess Current Technology 310 Activity #3: Analyze Gaps 311 Activity #4: Evaluate Technology Landscape 312 Activity #5: Describe Future Technology 313 Activity #6: Outline Migration Strategy 314
  • 20. Activity #7: Establish Governance 314 Practical Steps for Developing a Technology Roadmap 316 Conclusion 317 • References 317 Appendix A Principles to Guide a Migration Strategy 318 Chapter 20 eMergIng DeVeloPMenT PraCTICeS 319 The Problem with System Development 320 Trends in System Development 321 Obstacles to Improving System Development Productivity 324 Improving System Development Productivity: What we know that Works 326 Next Steps to Improving System Development Productivity 328 Conclusion 330 • References 330 Chapter 21 InforMaTIon DelIVery: PaST, PreSenT, anD fuTure 332 Information and IT: Why Now? 333 Delivering Value Through Information 334 Effective Information Delivery 338 New Information Skills 338 New Information Roles 339
  • 21. New Information Practices 339 A01_MCKE0260_03_GE_FM.indd 11 26/11/14 9:32 PM 12 Contents New Information Strategies 340 The Future of Information Delivery 341 Conclusion 343 • References 344 MInI CaSeS Project Management at MM 346 Working Smarter at Continental Furniture International 350 Managing Technology at Genex Fuels 355 Index 358 A01_MCKE0260_03_GE_FM.indd 12 26/11/14 9:32 PM PrEFACE Today, with information technology (IT) driving constant business transformation, overwhelming organizations with information, enabling 24/7 global operations, and undermining traditional business models, the challenge for business leaders is not simply to manage IT, it is to use IT to deliver business value. Whereas until fairly recently,
  • 22. decisions about IT could be safely delegated to technology specialists after a business strategy had been developed, IT is now so closely integrated with business that, as one CIO explained to us, “We can no longer deliver business solutions in our company without using technology so IT and business strategy must constantly interact with each other.” What’s New in This Third Edition? • Six new chapters focusing on current critical issues in IT management, including IT shared services; big data and social computing; business intelligence; manag- ing IT demand; improving the customer experience; and enhancing development productivity. • Two significantly revised chapters: on delivering IT functions through different resourcing options; and innovating with IT. • Twonew mini cases based on real companies and real IT management situations: Working Smarter at Continental Furniture and Enterprise Architecture at Nationstate Insurance. • A revised structure based on reader feedback with six chapters and two mini cases from the second edition being moved to the Web site. All too often, in our efforts to prepare future executives to deal effectively with
  • 23. the issues of IT strategy and management, we lead them into a foreign country where they encounter a different language, different culture, and different customs. Acronyms (e.g., SOA, FTP/IP, SDLC, ITIL, ERP), buzzwords (e.g., asymmetric encryption, proxy servers, agile, enterprise service bus), and the widely adopted practice of abstraction (e.g., Is a software monitor a person, place, or thing?) present formidable “barriers to entry” to the technologically uninitiated, but more important, they obscure the impor- tance of teaching students how to make business decisions about a key organizational resource. By taking a critical issues perspective, IT Strategy: Issues and Practices treats IT as a tool to be leveraged to save and/or make money or transform an organization—not as a study by itself. As in the first two editions of this book, this third edition combines the experi- ences and insights of many senior IT managers from leading- edge organizations with thorough academic research to bring important issues in IT management to life and demonstrate how IT strategy is put into action in contemporary businesses. This new edition has been designed around an enhanced set of critical real-world issues in IT management today, such as innovating with IT, working with big data and social media, 13 A01_MCKE0260_03_GE_FM.indd 13 26/11/14 9:32 PM
  • 24. 14 Preface enhancing customer experience, and designing for business intelligence and introduces students to the challenges of making IT decisions that will have significant impacts on how businesses function and deliver value to stakeholders. IT Strategy: Issues and Practices focuses on how IT is changing and will continue to change organizations as we now know them. However, rather than learning concepts “free of context,” students are introduced to the complex decisions facing real organi- zations by means of a number of mini cases. These provide an opportunity to apply the models/theories/frameworks presented and help students integrate and assimilate this material. By the end of the book, students will have the confidence and ability to tackle the tough issues regarding IT management and strategy and a clear understand- ing of their importance in delivering business value. Key Features of This Book • A focus on IT management issues as opposed to technology issues • Critical IT issues explored within their organizational contexts • Readily applicablemodels and frameworks for implementing IT strategies • Mini cases to animate issues and focus
  • 25. classroom discussions on real-world deci- sions, enabling problem-based learning • Proven strategies and best practices from leading-edge organizations • Useful and practical advice and guidelinesfor delivering value with IT • Extensive teaching notes for all mini cases A Different ApproAch to teAching it StrAtegy The real world of IT is one of issues—critical issues—such as the following: • How do we know if we are getting value from our IT investment? • How can we innovate with IT? • What specific IT functions should we seek from external providers? • How do we buildan IT leadershipteam that is a trusted partner with the business? • How do we enhance IT capabilities? • What is IT’s role in creating an intelligent business? • How can we best take advantage of new technologies, such as big data and social media, in our business? • How can we manage IT risk? However, the majority of management information systems (MIS) textbooks are orga- nized by system category (e.g., supply chain, customer relationship management, enterprise resource planning), by system component (e.g., hardware, software, networks), by system
  • 26. function (e.g., marketing, financial, human resources), by system type (e.g., transactional, decisional, strategic), or by a combination of these. Unfortunately, such an organization does not promote an understanding of IT management in practice. IT Strategy: Issues and Practices tackles the real-world challenges of IT manage- ment. First, it explores a set of the most important issues facing IT managers today, and second, it provides a series of mini cases that present these critical IT issues within the context of real organizations. By focusing the text as well as the mini cases on today’s critical issues, the book naturally reinforces problem-based learning. A01_MCKE0260_03_GE_FM.indd 14 26/11/14 9:32 PM Preface 15 IT Strategy: Issues and Practices includes thirteen mini cases— each based on a real company presented anonymously.1 Mini cases are not simply abbreviated versions of standard, full-length business cases. They differ in two significant ways: 1. A horizontal perspective. Unlike standard cases that develop a single issue within an organizational setting (i.e., a “vertical” slice of organizational life), mini cases take a “horizontal” slice through a number of coexistent issues.
  • 27. Rather than looking for a solution to a specific problem, as in a standard case, students analyzing a mini case must first identify and prioritize the issues embedded within the case. This mim- ics real life in organizations where the challenge lies in “knowing where to start” as opposed to “solving a predefined problem.” 2. Highly relevant information. Mini cases are densely written. Unlike standard cases, which intermix irrelevant information, in a mini case, each sentence exists for a reason and reflects relevant information. As a result, students must analyze each case very carefully so as not to miss critical aspects of the situation. Teaching with mini cases is, thus, very different than teaching with standard cases. With mini cases, students must determine what is really going on within the organiza- tion. What first appears as a straightforward “technology” problem may in fact be a political problem or one of five other “technology” problems. Detective work is, there- fore, required. The problem identification and prioritization skills needed are essential skills for future managers to learn for the simple reason that it is not possible for organi- zations to tackle all of their problems concurrently. Mini cases help teach these skills to students and can balance the problem-solving skills learned in other classes. Best of all, detective work is fun and promotes lively classroom discussion.
  • 28. To assist instructors, extensive teaching notes are available for all mini cases. Developed by the authors and based on “tried and true” in-class experience, these notes include case summaries, identify the key issues within each case, present ancillary information about the company/industry represented in the case, and offer guidelines for organizing the class- room discussion. Because of the structure of these mini cases and their embedded issues, it is common for teaching notes to exceed the length of the actual mini case! This book is most appropriate for MIS courses where the goal is to understand how IT delivers organizational value. These courses are frequently labeled “IT Strategy” or “IT Management” and are offered within undergraduate as well as MBA programs. For undergraduate juniors and seniors in business and commerce programs, this is usually the “capstone” MIS course. For MBA students, this course may be the compulsory core course in MIS, or it may be an elective course. Each chapter and mini case in this book has been thoroughly tested in a variety of undergraduate, graduate, and executive programs at Queen’s School of Business.2 1 We are unable to identify these leading-edge companies by agreements established as part of our overall research program (described later). 2 Queen’s School of Business is one of the world’s premier business schools, with a faculty team renowned
  • 29. for its business experience and academic credentials. The School has earned international recognition for its innovative approaches to team-based and experiential learning. In addition to its highly acclaimed MBA programs, Queen’s School of Business is also home to Canada’s most prestigious undergraduate business program and several outstanding graduate programs. As well, the School is one of the world’s largest and most respected providers of executive education. A01_MCKE0260_03_GE_FM.indd 15 26/11/14 9:32 PM 16 Preface These materials have proven highly successful within all programs because we adapt how the material is presented according to the level of the students. Whereas under- graduate students “learn” about critical business issues from the book and mini cases for the first time, graduate students are able to “relate” to these same critical issues based on their previous business experience. As a result, graduate students are able to introduce personal experiences into the discussion of these critical IT issues. orgAnizAtion of thiS Book One of the advantages of an issues-focused structure is that chapters can be approached in any order because they do not build on one another. Chapter
  • 30. order is immaterial; that is, one does not need to read the first three chapters to understand the fourth. This pro- vides an instructor with maximum flexibility to organize a course as he or she sees fit. Thus, within different courses/programs, the order of topics can be changed to focus on different IT concepts. Furthermore, because each mini case includes multiple issues, they, too, can be used to serve different purposes. For example, the mini case “Building Shared Services at RR Communications” can be used to focus on issues of governance, organizational structure, and/or change management just as easily as shared services. The result is a rich set of instructional materials that lends itself well to a variety of pedagogical appli- cations, particularly problem-based learning, and that clearly illustrates the reality of IT strategy in action. The book is organized into four sections, each emphasizing a key component of developing and delivering effective IT strategy: • Section I: Delivering Value with IT is designed to examine the complex ways that IT and business value are related. Over the past twenty years, researchers and prac- titioners have come to understand that “business value” can mean many different things when applied to IT. Chapter 1 (The IT Value Proposition) explores these con- cepts in depth. Unlike the simplistic value propositions often
  • 31. used when imple- menting IT in organizations, this chapter presents “value” as a multilayered busi- ness construct that must be effectively managed at several levels if technology is to achieve the benefits expected. Chapter 2 (Delivering Business Value through IT Strategy) examines the dynamic interrelationship between business and IT strat- egy and looks at the processes and critical success factors used by organizations to ensure that both are well aligned. Chapter 3 (Making IT Count) discusses new ways of measuringIT’s effectiveness that promote closer business–IT alignment and help drive greater business value. Chapter 4 (Effective Business–IT Relationships) exam- ines the nature of the business–IT relationship and the characteristics of an effec- tive relationship that delivers real value to the enterprise. Chapter 5 (Business–IT Communication) explores the business and interpersonal competencies that IT staff will need in order to do their jobs effectively over the next five to seven years and what companies should be doing to develop them. Finally, Chapter 6 (Effective IT Leadership) tackles the increasing need for improved leadership skills in all IT staff and examines the expectations of the business for strategic and innovative guid- ance from IT. A01_MCKE0260_03_GE_FM.indd 16 26/11/14 9:32 PM
  • 32. Preface 17 In the mini cases associated with this section, the concepts of delivering value with IT are explored in a number of different ways. We see business and IT executives at Hefty Hardware grappling with conflicting priorities and per- spectives and how best to work together to achieve the company’s strategy. In “Investing in TUFS,” CIO Martin Drysdale watches as all of the work his IT depart- ment has put into a major new system fails to deliver value. And the “IT Planning at ModMeters” mini case follows CIO Brian Smith’s efforts to create a strategic IT plan that will align with business strategy, keep IT running, and not increase IT’s budget. • Section II: IT Governance explores key concepts in how the IT organization is structured and managed to effectively deliver IT products and services to the orga- nization. Chapter 7 (Effective IT Shared Services) discusses how IT shared services should be selected, organized, managed, and governed to achieve improved organi- zational performance. Chapter 8 (Successful IT Sourcing: Maturity Model, Sourcing Options, and Decision Criteria) examines how organizations are choosing to source and deliver different types of IT functions and presents a …
  • 33. Security Strategies in Windows Platforms and Applications Lesson 11 Hardening the Microsoft Windows Operating System © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Cover image © Sharpshot/Dreamstime.com Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 1 Learning Objective(s) Apply system hardening techniques in Microsoft Windows. Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Key Concepts General hardening concepts and strategies Hardening servers, clients, networks, and more
  • 34. Security awareness Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Understanding the Hardening Process and Mind-set Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 4 Employ strategies to secure Windows computers Install only what you need Use Security Compliance Toolkit (SCT) Manually disable and remove programs/services
  • 35. Strategies to Secure Windows Computers Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The process of making configuration changes and deploying controls to reduce the attack surface is called hardening. 5 Disable/remove programs with vulnerabilities Establish controls on running programs Install Only What You Need When installing Windows Server, select which programs to install Customize a server by defining one or more roles Role is a predefined set of services, programs, and configuration settings that enables a computer to fulfill specific requirements Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
  • 36. Security Compliance Toolkit (SCT) A set of tools from Microsoft to help manage Windows security baselines Provides guidance to administrators that makes it easier to ensure policies adhere to policy best practices Includes two tools to help manage baseline input and GPOs Page ‹#› Security Strategies in Windows Platforms and Applications © 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Policy Analyzer Selection Window Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 8 Windows Security Configuration Wizard—Select Server Roles Policy Analyzer Page ‹#› Security Strategies in Windows Platforms and Applications
  • 37. © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 9 Manually Disabling and Removing Programs and Services Back up the Windows Registry before making any changes Make changes on a test computer whenever possible Evaluate each computer Identify remaining programs and services you don’t need Remove unneeded programs Use the Windows Services maintenance utility to start, stop, and change services settings Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Uninstalling a Program in Windows Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
  • 38. 11 Windows Services Maintenance Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 12 Windows Services Properties Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 13 Hardening Microsoft Windows Operating System Authentication Disallow older authentication methods Remove or disable any unused or inactive user accounts Protect Administrator account
  • 39. Establish and enforce strong account policies Password policy Account policy Kerberos policy Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 14 Hardening the Network Infrastructure Identify network server and client services that require access to ports Modify firewall settings to open those ports; close all other ports To manage firewall settings, use: Windows Defender Firewall with Advanced Security Local Group Policy Editor Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 15
  • 40. Windows Defender Firewall with Advanced Security Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 16 Group Policy Management Editor—Windows Defender Firewall with Advanced Security Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 17 Securing Directory Information and Operations Active Directory (AD) Limit the number of administrators with access to AD Ensure that administrators use separate Administrator user accounts
  • 41. Administrators should have one account for AD administration and at least one other account for other administration tasks Create an AD security group Require that AD administrators do their AD work only from dedicated terminal servers instead of workstations Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 18 Securing Information and Operations (Cont.) Directory Service Restore Mode (DSRM) Change password from the default password after installation Periodically change the DSRM password Protect the DSRM password for each domain controller and change it every six months Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 19
  • 42. Hardening Microsoft Windows OS Administration After creating other user accounts with Administrator privileges, disable default Administrator account Enable strong passwords Set Administrator passwords to expire on a regular basis Create and maintain baselines Create full backup of each system before and after hardening Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 20 Hardening Microsoft Windows OS Administration (Cont.) Create individual backups of policies each time they change Ensure Windows systems are updated to latest patch Ensure Windows Update is configured to automatically download and install latest updates from Microsoft Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 21
  • 43. Group Policy Management Console—Backup GPO Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 22 Windows Update Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 23 Windows Update Advanced Options Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com
  • 44. All rights reserved. 24 Hardening Server Computers Ensure server computers don’t do anything they’re not supposed to do, such as run unneeded services Harden services they are supposed to provide After installing a server, run Security Compliance Toolkit to disable unneeded roles and services Use nmap utility to identify open ports Enable IPSec for server-to-server communications Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 25 Hardening Workstation Computers Use malware protection Mitigate vulnerabilities Disable programs and services not used Review firewall settings Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
  • 45. www.jblearning.com All rights reserved. 26 Hardening Data Access and Controls Minimize number of user accounts on computers Carefully control access to accounts with Administrator rights Use Windows Group Policy to establish access control lists (ACLs) Avoid allowing anonymous or guest user accounts to access sensitive data Protect data at rest with Windows Encrypting File System (EFS) or Windows BitLocker Ensure data backups are encrypted Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 27 Hardening Communications and Remote Access Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
  • 46. www.jblearning.com All rights reserved. 28 Network access control (NAC) Authentication servers VPN and encryption Hardening PKI Public key infrastructure (PKI): The hardware, software, policies, and procedures to manage all aspects of digital certificates Makes environments more secure Ensure all computers that participate are hardened Harden certificate authority (CA) servers Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 29
  • 47. Hardening PKI (Cont.) Ensure CAs are physically secure and only accessible by authorized administrators Backup CA keys and store them in a safe location Use GPOs to distribute root CA certificates Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 30 Security Awareness Reminders Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Physical posters and banners in conspicuous locations, such as in break rooms and cafeterias, and around printers, fax machines, or shredders Email newsletters, social media contact, and security policy updates Periodic website reminders Social media messages Daily or weekly tip programs Contests with security themes
  • 48. Security events on specific dates, such as November 30, International Computer Security Awareness Day Lunch-and-learn meetings about topics of interest to employees personally—such as identity theft or cyberbullying—as well as topics of interest to your organization Visible modeling of good security behaviors by your organization’s leaders 31 Posters and banners Newsletters Website reminders Social media messages Daily or weekly tip programs Contests Security events Lunch-and-learn meetings Leadership
  • 49. Best Practices Install only the Windows Server Core option when you don’t need extra functionality. Select the minimum number of roles in Windows Server. Run SCT immediately after installation of Windows Server. Update and patch systems; configure for automatic Windows updates. Install and run Microsoft Baseline Security Analyzer (MBSA) and at least one vulnerability scanner. Create one or more user accounts with Administrator rights. Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 32 Best Practices (Cont.) Disable the Administrator and Guest user accounts. Disable all unneeded services. Close all ports not required by services or applications. Create GPOs for all security settings, including firewall rules. Use AD to distribute all configuration changes using GPOs. Create a backup of each GPO. Scan all computers for open ports and vulnerabilities. Limit physical access to all critical servers. Create an initial baseline backup.
  • 50. Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 33 Best Practices (Cont.) Change the AD DSRM password periodically, at least every six months. Install anti-malware software on each computer. Ensure all anti-malware software and data are current. Use NAC software or devices to control remote computer connections. Use remote authentication methods to authorize remote computers and users. Require secure VPNs to access internal network resources. Use IPSec with digital certificates to authenticate computer-to- computer connections in the datacenter. Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 34 Best Practices (Cont.)
  • 51. Require security awareness training prior to issuing access credentials. Require periodic recurrent security awareness training to retain access credentials. Provide continuing security awareness. Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 35 Summary General hardening concepts and strategies Hardening servers, clients, networks, and more Security awareness Page ‹#› Security Strategies in Windows Platforms and Applications © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 36