SlideShare a Scribd company logo

Week 7 - Choices in Systems Acquisition and Risks, Security,.docx

Download as DOCX, PDF
H
helzerpatrina

The document discusses system acquisition options for information management, including in-house development, outsourcing, licensing, and Software as a Service (SaaS), detailing their advantages and disadvantages. It also covers disaster recovery strategies, emphasizing the importance of data security, the development of business continuity plans, and various security measures against potential threats. Key concepts include the significance of adhering to organizational needs, evaluating vendor reliability, and preparing for unforeseen disasters through robust recovery plans.

Education
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Week 7 - Choices in Systems Acquisition and Risks, Security, and Disaster Recovery Sousa, K., & Oz, E. (2015). Management Information Systems, 7th Edition. Cengage Learning. ISBN-13: 978-1285186139 Read: · Chapter 13 · Chapter 14 Week 7 Lecture 1 - Choices in Systems Acquisition and Risks, Security Management of Information Systems Choices in Systems Acquisition and Risks, Security Systems Acquisition Options to consider when acquiring a new system are, development in-house, outsourcing, licensing, software as a service (SaaS), and having users develop the system. There are trade-offs to consider for each option. In-house development has several advantages to consider such as a good fit to organizational need and culture, dedicated maintenance, since the developers are accessible within the company, seamless interface, when the system is custom-made for an organization special requirements can be implemented to ensure that it has proper interfaces with other systems, and specialized security, special security measures can be integrated into an application. Additionally, there is a potential for strategic advantage. Some of the disadvantages of in-house development are, high cost, a long wait for development personnel, who might be busy with other projects and the application may be excessively
organization specific to integrate with other systems. Outsourcing Advantages of outsourcing are improved financial planning sense outsourcing enables a client to know the exact costs of IT functions over the period of a contract. Another advantage is reduced license and maintenance fee discounts. Outsourcing gives businesses an opportunity to increase their attention to the core business by letting experts manage IT. Outsourcing also provides shorter implementation time as IT vendors can in most cases complete a new application in less time than in-house development. A reduction in personnel as another advantage as IS salaries and benefits are expensive. Outsourcing increases access to highly qualified knowledge. Clients can tap into the IT vendor’s knowledge and experience gained by working with many clients in different environments. Some of the risks of outsourcing IT services are a loss of control, a loss of experienced employees, outsourcing involves transferring organizations employees to the highest vendor, the risk of losing competitive advantage outsourcing the development of strategic systems is the same as disclosing trade secrets. Another disadvantage is high price despite careful pre- contractual calculations companies find that outsourcing cost them significantly more than if they had spent their resources on in-house development. Licensing Benefits of licensing software are immediate system availability, low price (the license fee), available support, and high quality. Immediate availability shortens the time from when a decision is made to acquire the new system and when the new system begins to be productive. The product is high quality because the software company specializes in producing the product. The licensing fee is small because the cost of developing the software has been spread out among many elements. Software support is usually included with the license. Figure 11 Steps in licensing software © Cengage Learning 2015
Some of the risks of licensing software are that the software is a loose fit to the needs of the organization and culture software’s ready-made and developed for the widest common denominator another risk is that modifications to the software can be difficult and complicated to maintain. There is a chance that the vendor could dissolve or stop supporting the software. Changes in the vendor’s organization can influence the support and the quality of software upgrades. Software as a service (SaaS) An application service provider (ASP) is an organization that offers use of software over a network such as the Internet or a private network. Applications provided by ASPs are referred to as software as a service (SaaS). The application is not installed on the client’s computer. However, the client can choose to save data to their local computer. Benefits of software as a service are, the elimination of the need to maintain application software, elimination of reliance on experts for installation and maintenance, there’s no need to purchase hardware for installation, there’s a significant reduction in implementation time, there’s no financial risk, and the support is provided by the SaaS vendor. Caveat emptor, buyer, beware. ASPs can disappoint organizations by not providing the scope of services and level of reliability expected. Before deciding on an ASP thoroughly research its history, validate the ASP’s financial strength, ensure that you understand the price structure, get a list of the ASP’s infrastructure, and carefully craft a service contract. An important aspect to check is the uptime of the ASP systems. An appropriate uptime percentage would be 99.999%. An inappropriate percentage would be 99.9% that allows 500 minutes per year of downtime which would be unacceptable in most cases. User application development Another alternative to software development is user application development which is sometimes appropriate when organizations do not wish to purchase or rent an application that
is not very complex. User application development is performed by nonprogrammers for their own use. These applications tend to be fairly simple and limited in scope, and can be maintained by the end-users. These applications are usually used for a brief period of time and then discarded end-user should not develop complex applications that interface with other systems. An advantage of end-user development is sure to lead times. Another advantages user application development is a good fit to the organizational needs. User application development complies with the organizational culture, and it can be an efficient use of resources, and it also frees up information systems staff time. A disadvantage of user application development is that the applications are can be poorly developed. Another disadvantage is that an organization that relies on users development runs a risk of creating islands of information or private databases. Sometimes users will develop applications that are identical to existing systems elsewhere in the organization. Security issues could arise, particularly if the user developer is given access to organizational databases to develop the application. Additionally, user-developed applications tend to be poorly documented. Week 7 Lecture 2 - Disaster Recovery Management of Information Systems Disaster Recovery Risks and Security As companies have increased their dependency on the Internet, the risk to information has increased. Information technology has connected individuals and organizations, and threats have increased proportionately. Security and data breaches associated with information technology has eroded trust in business organizations and government entities. Although hardware and software are expensive investments and should be protected, security of data is far more critical for an organization.
Controls Controls are actions taken to minimize damage to or loss of data, software, or hardware. Controls are applied in the form of hardware, procedures, and software. A control is a constraint. The challenge is to apply a constraint that poses minimal delay and inconvenience to legitimate users of data, hardware, and software. Recovery plans Increasingly businesses are creating business recovery plans or business continuity plans, or business resumption plans. These plans detail what should be done if critical systems go down. Business recovery plans should not focus on the damage to an organization’s assets, but to its business. The plan should contain contingencies in the case of a disaster that would enable resumption of business operations. Experts have proposed nine steps to a business recovery plan. Obtain management’s commitment to the plan Establish a planning committee Perform risk assessment and implement analysis Prioritize recovery needs Select a recovery plan Selected vendors Develop and implement the plan Test the plan Continually test and evaluate Some companies choose not to develop fully their own recovery plan and choose to outsource it to companies that specialize in either disaster recovery planning or provision of alternative sites. Some companies provide both planning and software for disaster recovery. Duplicate databases and applications are maintained for clients.
© Cengage Learning 2015 1 Figure 13.2 Advantages and disadvantages of custom-designed applications © Cengage Learning 2015 Outsourcing meanings in the IT arena To commission the development of an application to another organization To hire the services of another company to manage all or parts of the services usually rendered by an IT unit in the organization May not include development of new applications Outsouricing custom-designed (tailored) software is software, developed by another company, specifically for the needs of an organization There are several advantages which are The software is a good fit to business needs The software is a good fit to organizational culture There is dedicated maintenance Seamless interfaces with other systems can be included Specialized security Potential for strategic advantage Disadvantages can be A high cost The organization must fund all development costs Staff may be diverted from other projects Software is less likely to be compatible with other organizations’ systems Must deal with an inherent conflicts when outsourcing software development:
Client wants a firm contract and set of requirements Specific requirements may mean that no deviation is allowed if changes are needed later as development progresses Changes may involve hefty additional charges Offshoring: outsourcing to other countries such as Costa Rica, Indonesia, Columbia, etc. 1 Licensing Applications Purchasing software usually means purchasing a license to use the software There is a large selection of high-quality packaged software available Groups of ready-made software Relatively inexpensive software that helps in the workplace, such as office suites Large, costly applications that support entire organizational functions, such as HR or financial management © Cengage Learning 2015 2 2 Purchasing software usually means purchasing a license to use the software There is a large selection of high-quality packaged software available Groups of ready-made software Relatively inexpensive software that helps in the workplace, such as office suites Large, costly applications that support entire organizational functions, such as HR or financial management Software licensing benefits are: Immediate system availability High quality
Low price (license fee) And Available support A Beta version is a prerelease version of software to be tested by companies who want to use it After-the-sale support often includes a period of up to one year of free service Large applications require installation specialists Some software licensing risks are: There can be a loose fit between needs and features We must determine if the software will comply with company needs and organizational culture There can be difficulties in customizing the software for company needs The vendor may dissolve or stop supporting the software before the company is ready and may be left without support and maintenance High turnover of vendor personnel may result in lowered support expertise from vendor If custom modifications are undertaken, vendor updates may require, tedious “weaving” into customized system © Cengage Learning 2015 3 Figure 13.8 Benefits and risks of Software as a Service (SaaS) © Cengage Learning 2015 An application service provider (ASP) is an organization that offers software through a network (the Internet or private network) Software as a service (SaaS) are applications available through a network No software is installed on a client’s computers Files may be stored on local storage devices ASPs may rent the software they offer
The benefits of renting software are: There is no need to learn how to maintain the software There is no large start-up fee Storage hardware is unnecessary Software is usually available sooner A good option for small companies Considered a “software on demand” approach The risks of renting software are The lack of control may be an issue, as the client’s data is managed by the vendor The vendor is unlikely to make many customized changes to the software Response time is impacted by traffic levels There may be security risks through a public network Many clients use leased lines instead of the Internet to limit security risks 3 © Cengage Learning 2015 4 Figure 13.9 Guidelines for end-user development of information technology applications © Cengage Learning 2015 User application development is when a nonprogrammer users write their own business applications Characteristics of user-developed software are: Simple and limited in scope software Small applications developed for immediate or brief needs Software is maintained by end users Challenges of user-developed applications are: Managing the reaction of IT professionals,
Providing support., Compatibility issues, And managing access Advantages of user development of applications are: Shortened lead times Good fit to needs Compliance with culture Efficient utilization of resources Acquisition of skills And freeing up IS staff time Disadvantages of user-developed applications are Poorly developed applications Islands of information Duplication Security problems and poor or no documentation 4 Goals of Information Security Protecting IT resources is a primary concern Securing corporate ISs is becoming increasingly challenging Major goals of information security Reduce the risk of systems ceasing operation Maintain information confidentiality Ensure the integrity and reliability of data resources Ensure the uninterrupted availability of resources Ensure compliance with policies and laws © Cengage Learning 2015 5 5 Protecting IT resources is a primary concern Securing corporate ISs is becoming increasingly challenging
Major goals of information security are to Reduce the risk of systems ceasing operation, Maintain information confidentiality, Ensure the integrity and reliability of data resources, Ensure the uninterrupted availability of resources, And Ensure compliance with policies and laws Laws passed by U.S. Congress setting standards for protecting privacy Health Insurance Portability and Accountability Act of 1996 (HIPAA) Sarbanes-Oxley Act of 2002 (SOX) CIA triad: foundational concepts of information systems security Confidentiality Integrity Availability Risks associated with cloud computing and data storage Downtime: the period of time during which an IS is not available $26 billion lost annually in the U.S. due to downtime Costs of downtime vary depending on industry, the size of the company, and other factors There are also risk to hardware. The #1 cause of system downtime is hardware failure Major causes of hardware damage Natural disasters Fires, floods, earthquakes, hurricanes, tornadoes, and lightning Blackouts and brownouts Blackout: total loss of electricity Brownout: partial loss of electricity Uninterruptible power supply (UPS): backup power for a short time Major causes of hardware damage Vandalism Deliberate destruction
Deliberate alteration or destruction is often done as a prank, but has a high cost Online vandal’s target may be a company’s website Hacking: unauthorized access Honeytoken: a bogus record in a networked database used to combat hackers Honeypot: a server containing a mirrored copy of a database or a bogus database Educates security officers about vulnerable points Virus: spreads from computer to computer Worm: spreads in a network without human intervention Antivirus software: protects against viruses Trojan horse: a virus disguised as legitimate software Logic bomb: software that is programmed to cause damage at a specific time Unintentional, non-malicious damage can be caused by: Poor training Lack of adherence to backup procedures Unauthorized downloading and installation of software may cause damage Human error There are risks to online operations. Many hackers try daily to interrupt online businesses Some types of attacks Unauthorized access Data theft Defacing of webpages Denial of service Hijacking computers Denial of service (DoS): an attacker launches a large number of information requests Slows down legitimate traffic to site Distributed denial of service (DDoS): an attacker launches a
DoS attack from multiple computers Usually launched from hijacked personal computers called “zombies” There is no definitive cure for this A site can filter illegitimate traffic Computer Hijacking is using some or all of a computer’s resources without the consent of its owner Often done for making a DDoS attack Done by installing a software bot on the computer Main purpose of hijacking is usually to send spam Bots are planted by exploiting security holes in operating systems and communications software A bot usually installs e-mail forwarding software Security Measures Organizations can protect against attacks using various approaches, including: Firewalls Authentication Encryption Digital signatures Digital certificates © Cengage Learning 2015 6 6 Organizations can take security measures to protect against attacks using various approaches, including: Firewalls Authentication Encryption Digital signatures
And Digital certificates Firewall: hardware and software that blocks access to computing resources The best defense against unauthorized access over the Internet Firewalls are now routinely integrated into routers DMZ: demilitarized zone approach One end of the network is connected to the trusted network, and the other end to the Internet Connection is established using a proxy server Proxy server: “represents” another server for all information requests from resources inside the trusted network Can also be placed between the Internet and the trusted network when there is no DMZ Authentication: the process of ensuring that you are who you say you are Encryption: coding a message into an unreadable form Messages are encrypted and authenticated to ensure security Important when communicating confidential information, e.g., financial and medical records A message may be text, image, sound, or other digital information Encryption programs scramble the transmitted information Plaintext is the original message Ciphertext is the encoded message Encryption uses a mathematical algorithm and a key A Key is a unique combination of bits that will decipher the ciphertext Public-key encryption uses two keys, one public and one private Symmetric encryption is when the sender and the recipient use the same key Asymmetric encryption is when both a public and a private key are used
Transport Layer Security (TLS) is a protocol for transactions on the Web that uses a combination of public key and symmetric key encryption HTTPS is a the secure version of HTTP A Digital signature is a means to authenticate online messages; implemented with public keys A Message digest is unique fingerprint of file Digital certificates are computer files that associate one’s identity with one’s public key Issued by certificate authority Certificate authority (CA) is a trusted third party A digital certificate contains its holder’s name, a serial number, its expiration dates, and a copy of holder’s public key Also contains the digital signature of the CA The downside of security measures are: For Single sign-on (SSO) a user must enter his or her name/password only once Single sign-on saves employees time Encryption slows down communication Every message must be encrypted and then decrypted IT specialists must clearly explain the implications of security measures to upper management Recovery Measures Security measures may reduce mishaps, but no one can control all disasters Preparation for uncontrolled disasters requires that recovery measures are in place Redundancy may be used Very expensive, especially in distributed systems Other measures must be taken © Cengage Learning 2015 7
7 Security measures may reduce mishaps, but no one can control all disasters Recovery measures are preparation for uncontrolled disasters that require recovery of data and information. Redundancy may be used It is Very expensive, especially in distributed systems Other measures must be taken A Business recovery plan is a detailed plan about what should be done and by whom if critical systems go down Also called a disaster recovery plan, business resumption plan, or business continuity plan To develop a business recovery plan Obtain management’s commitment to the plan Establish a planning committee Perform risk assessment and impact analysis Prioritize recovery needs Mission-critical applications: those without which the business cannot conduct operations Select a recovery plan Select vendors Develop and implement the plan Test the plan Continually test and evaluate Can outsource recovery plans to firms that specialize in disaster recover planning Hot sites are alternative sites that a business can use when a disaster occurs Backup sites provide desks, computer systems, and Internet links Companies that implement hot sites IBM Hewlett-Packard SunGard Availability Services
Week 7 - Choices in Systems Acquisition and Risks, Security,.docx

More Related Content

PPTX
Relevance of choice of system in mis
Aakash Bhardwaj
 
PDF
Build vs buy
Ricardo Peláez Negro
 
PPT
Outsourcing.ppt
saadbougarn
 
PPTX
Chapter 07
andyburghardt
 
PPTX
CISA_WK_4.pptx
dotco
 
PDF
Half Prepared?: Business Survey on Disaster Recovery
Regus
 
PDF
Asante's Computing Merged Slide.pdf
Francis946283
 
PPTX
Chapter 7 Development Strategies
Meryl C
 
Relevance of choice of system in mis
Aakash Bhardwaj
 
Build vs buy
Ricardo Peláez Negro
 
Outsourcing.ppt
saadbougarn
 
Chapter 07
andyburghardt
 
CISA_WK_4.pptx
dotco
 
Half Prepared?: Business Survey on Disaster Recovery
Regus
 
Asante's Computing Merged Slide.pdf
Francis946283
 
Chapter 7 Development Strategies
Meryl C
 

Similar to Week 7 - Choices in Systems Acquisition and Risks, Security,.docx (20)

DOCX
2 pages, each question a pageFinal Research Question (s).docx
felicidaddinwoodie
 
PPTX
Low/No Cost Software is it right for your business
Bill Maynard
 
PPT
Ch12
jinglebill
 
PDF
Get the entire Systems Analysis and Design 11th Edition Tilley Solutions Manu...
vardyhanoa6w
 
PPTX
10 - Project Management
Raymond Gao
 
PPTX
Chap3
chandrajais
 
PDF
Finance :: Insurance Software Solutions - Build or Buy
torpidpenitenti59
 
PDF
Project management part 2
Anjan Mahanta
 
PPTX
CISM_WK_2.pptx
dotco
 
PPTX
Isys40051 12 is suppliers & outsourcing v2
Grenville Lannon
 
DOCX
Home Notifications My CommunityBBA 3551-16P-5A19-S3, Infor.docx
fideladallimore
 
PDF
Other Systems & Application Software
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
PDF
Create your own enterprise apps store
1E: Software Lifecycle Automation
 
PDF
Software as a Service (SaaS): Custom Acquisition Strategies - LabGroup.com.au
Susan Diaz
 
PDF
Saa s hr automation
Global Groupware Solution Limited
 
PPT
App softwares
ACCA Global
 
PDF
Cloud Service Models.pdf
HasanRaza331074
 
PDF
Open Source in Government / Graham Taylor
Paris Open Source Summit
 
DOCX
The social and ethical issues of sdd
sarthakgarg97
 
PPT
ppt application softwears (getting work)
Dynamic Research Centre & institute
 
2 pages, each question a pageFinal Research Question (s).docx
felicidaddinwoodie
 
Low/No Cost Software is it right for your business
Bill Maynard
 
Ch12
jinglebill
 
Get the entire Systems Analysis and Design 11th Edition Tilley Solutions Manu...
vardyhanoa6w
 
10 - Project Management
Raymond Gao
 
Chap3
chandrajais
 
Finance :: Insurance Software Solutions - Build or Buy
torpidpenitenti59
 
Project management part 2
Anjan Mahanta
 
CISM_WK_2.pptx
dotco
 
Isys40051 12 is suppliers & outsourcing v2
Grenville Lannon
 
Home Notifications My CommunityBBA 3551-16P-5A19-S3, Infor.docx
fideladallimore
 
Other Systems & Application Software
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
Create your own enterprise apps store
1E: Software Lifecycle Automation
 
Software as a Service (SaaS): Custom Acquisition Strategies - LabGroup.com.au
Susan Diaz
 
Saa s hr automation
Global Groupware Solution Limited
 
App softwares
ACCA Global
 
Cloud Service Models.pdf
HasanRaza331074
 
Open Source in Government / Graham Taylor
Paris Open Source Summit
 
The social and ethical issues of sdd
sarthakgarg97
 
ppt application softwears (getting work)
Dynamic Research Centre & institute
 
Ad

More from helzerpatrina (20)

DOCX
Most patients with mental health disorders are not aggressive. H.docx
helzerpatrina
 
DOCX
MotivationExplain your motivation for applying to this prog.docx
helzerpatrina
 
DOCX
Most public policy is made from within government agencies. Select a.docx
helzerpatrina
 
DOCX
Mr. Smith brings his 4-year-old son to your primary care office. He .docx
helzerpatrina
 
DOCX
Mrs. Walsh, a woman in her 70s, was in critical condition after rep.docx
helzerpatrina
 
DOCX
Much has been made of the new Web 2.0 phenomenon, including social n.docx
helzerpatrina
 
DOCX
MSN 5550 Health Promotion Prevention of Disease Case Study Module 2.docx
helzerpatrina
 
DOCX
MSEL Strategy Mid-term Instructions Miguel Rivera-SantosFormat.docx
helzerpatrina
 
DOCX
Much of the focus in network security centers upon measures in preve.docx
helzerpatrina
 
DOCX
Mt. Baker Hazards Hazard Rating Score High silic.docx
helzerpatrina
 
DOCX
Motivation and Cognitive FactorsQuestion AAlfred Hit.docx
helzerpatrina
 
DOCX
Motivation in OrganizationsMotivation i.docx
helzerpatrina
 
DOCX
Motivations to Support Charity-Linked Events After Exposure to.docx
helzerpatrina
 
DOCX
Mrs. Walsh, a woman in her 70s, was in critical condition after.docx
helzerpatrina
 
DOCX
MOVIE TITLE IS LIAR LIAR starring JIM CARREYProvide the name o.docx
helzerpatrina
 
DOCX
mple selection, and assignment to groups (as applicable). Describe.docx
helzerpatrina
 
DOCX
More and more businesses have integrated social media into every asp.docx
helzerpatrina
 
DOCX
Module Five Directions for the ComparisonContrast EssayWrite a.docx
helzerpatrina
 
DOCX
Monica asked that we meet to see if I could help to reduce the d.docx
helzerpatrina
 
DOCX
Module 6 AssignmentPlease list and describe four types of Cy.docx
helzerpatrina
 
Most patients with mental health disorders are not aggressive. H.docx
helzerpatrina
 
MotivationExplain your motivation for applying to this prog.docx
helzerpatrina
 
Most public policy is made from within government agencies. Select a.docx
helzerpatrina
 
Mr. Smith brings his 4-year-old son to your primary care office. He .docx
helzerpatrina
 
Mrs. Walsh, a woman in her 70s, was in critical condition after rep.docx
helzerpatrina
 
Much has been made of the new Web 2.0 phenomenon, including social n.docx
helzerpatrina
 
MSN 5550 Health Promotion Prevention of Disease Case Study Module 2.docx
helzerpatrina
 
MSEL Strategy Mid-term Instructions Miguel Rivera-SantosFormat.docx
helzerpatrina
 
Much of the focus in network security centers upon measures in preve.docx
helzerpatrina
 
Mt. Baker Hazards Hazard Rating Score High silic.docx
helzerpatrina
 
Motivation and Cognitive FactorsQuestion AAlfred Hit.docx
helzerpatrina
 
Motivation in OrganizationsMotivation i.docx
helzerpatrina
 
Motivations to Support Charity-Linked Events After Exposure to.docx
helzerpatrina
 
Mrs. Walsh, a woman in her 70s, was in critical condition after.docx
helzerpatrina
 
MOVIE TITLE IS LIAR LIAR starring JIM CARREYProvide the name o.docx
helzerpatrina
 
mple selection, and assignment to groups (as applicable). Describe.docx
helzerpatrina
 
More and more businesses have integrated social media into every asp.docx
helzerpatrina
 
Module Five Directions for the ComparisonContrast EssayWrite a.docx
helzerpatrina
 
Monica asked that we meet to see if I could help to reduce the d.docx
helzerpatrina
 
Module 6 AssignmentPlease list and describe four types of Cy.docx
helzerpatrina
 
Ad

Recently uploaded (20)

PDF
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PDF
Classroom Observation Tools for Teachers
Nicaramirez
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PPTX
Presentation on HIE in infants and its manifestations
joghikamal786
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PDF
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
PPTX
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
EricaRamos80
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
Classroom Observation Tools for Teachers
Nicaramirez
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
Presentation on HIE in infants and its manifestations
joghikamal786
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
EricaRamos80
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
RMMM.pdf make it easy to upload and study
sajedul2
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 

Week 7 - Choices in Systems Acquisition and Risks, Security,.docx

  • 1. Week 7 - Choices in Systems Acquisition and Risks, Security, and Disaster Recovery Sousa, K., & Oz, E. (2015). Management Information Systems, 7th Edition. Cengage Learning. ISBN-13: 978-1285186139 Read: · Chapter 13 · Chapter 14 Week 7 Lecture 1 - Choices in Systems Acquisition and Risks, Security Management of Information Systems Choices in Systems Acquisition and Risks, Security Systems Acquisition Options to consider when acquiring a new system are, development in-house, outsourcing, licensing, software as a service (SaaS), and having users develop the system. There are trade-offs to consider for each option. In-house development has several advantages to consider such as a good fit to organizational need and culture, dedicated maintenance, since the developers are accessible within the company, seamless interface, when the system is custom-made for an organization special requirements can be implemented to ensure that it has proper interfaces with other systems, and specialized security, special security measures can be integrated into an application. Additionally, there is a potential for strategic advantage. Some of the disadvantages of in-house development are, high cost, a long wait for development personnel, who might be busy with other projects and the application may be excessively
  • 2. organization specific to integrate with other systems. Outsourcing Advantages of outsourcing are improved financial planning sense outsourcing enables a client to know the exact costs of IT functions over the period of a contract. Another advantage is reduced license and maintenance fee discounts. Outsourcing gives businesses an opportunity to increase their attention to the core business by letting experts manage IT. Outsourcing also provides shorter implementation time as IT vendors can in most cases complete a new application in less time than in-house development. A reduction in personnel as another advantage as IS salaries and benefits are expensive. Outsourcing increases access to highly qualified knowledge. Clients can tap into the IT vendor’s knowledge and experience gained by working with many clients in different environments. Some of the risks of outsourcing IT services are a loss of control, a loss of experienced employees, outsourcing involves transferring organizations employees to the highest vendor, the risk of losing competitive advantage outsourcing the development of strategic systems is the same as disclosing trade secrets. Another disadvantage is high price despite careful pre- contractual calculations companies find that outsourcing cost them significantly more than if they had spent their resources on in-house development. Licensing Benefits of licensing software are immediate system availability, low price (the license fee), available support, and high quality. Immediate availability shortens the time from when a decision is made to acquire the new system and when the new system begins to be productive. The product is high quality because the software company specializes in producing the product. The licensing fee is small because the cost of developing the software has been spread out among many elements. Software support is usually included with the license. Figure 11 Steps in licensing software © Cengage Learning 2015
  • 3. Some of the risks of licensing software are that the software is a loose fit to the needs of the organization and culture software’s ready-made and developed for the widest common denominator another risk is that modifications to the software can be difficult and complicated to maintain. There is a chance that the vendor could dissolve or stop supporting the software. Changes in the vendor’s organization can influence the support and the quality of software upgrades. Software as a service (SaaS) An application service provider (ASP) is an organization that offers use of software over a network such as the Internet or a private network. Applications provided by ASPs are referred to as software as a service (SaaS). The application is not installed on the client’s computer. However, the client can choose to save data to their local computer. Benefits of software as a service are, the elimination of the need to maintain application software, elimination of reliance on experts for installation and maintenance, there’s no need to purchase hardware for installation, there’s a significant reduction in implementation time, there’s no financial risk, and the support is provided by the SaaS vendor. Caveat emptor, buyer, beware. ASPs can disappoint organizations by not providing the scope of services and level of reliability expected. Before deciding on an ASP thoroughly research its history, validate the ASP’s financial strength, ensure that you understand the price structure, get a list of the ASP’s infrastructure, and carefully craft a service contract. An important aspect to check is the uptime of the ASP systems. An appropriate uptime percentage would be 99.999%. An inappropriate percentage would be 99.9% that allows 500 minutes per year of downtime which would be unacceptable in most cases. User application development Another alternative to software development is user application development which is sometimes appropriate when organizations do not wish to purchase or rent an application that
  • 4. is not very complex. User application development is performed by nonprogrammers for their own use. These applications tend to be fairly simple and limited in scope, and can be maintained by the end-users. These applications are usually used for a brief period of time and then discarded end-user should not develop complex applications that interface with other systems. An advantage of end-user development is sure to lead times. Another advantages user application development is a good fit to the organizational needs. User application development complies with the organizational culture, and it can be an efficient use of resources, and it also frees up information systems staff time. A disadvantage of user application development is that the applications are can be poorly developed. Another disadvantage is that an organization that relies on users development runs a risk of creating islands of information or private databases. Sometimes users will develop applications that are identical to existing systems elsewhere in the organization. Security issues could arise, particularly if the user developer is given access to organizational databases to develop the application. Additionally, user-developed applications tend to be poorly documented. Week 7 Lecture 2 - Disaster Recovery Management of Information Systems Disaster Recovery Risks and Security As companies have increased their dependency on the Internet, the risk to information has increased. Information technology has connected individuals and organizations, and threats have increased proportionately. Security and data breaches associated with information technology has eroded trust in business organizations and government entities. Although hardware and software are expensive investments and should be protected, security of data is far more critical for an organization.
  • 5. Controls Controls are actions taken to minimize damage to or loss of data, software, or hardware. Controls are applied in the form of hardware, procedures, and software. A control is a constraint. The challenge is to apply a constraint that poses minimal delay and inconvenience to legitimate users of data, hardware, and software. Recovery plans Increasingly businesses are creating business recovery plans or business continuity plans, or business resumption plans. These plans detail what should be done if critical systems go down. Business recovery plans should not focus on the damage to an organization’s assets, but to its business. The plan should contain contingencies in the case of a disaster that would enable resumption of business operations. Experts have proposed nine steps to a business recovery plan. Obtain management’s commitment to the plan Establish a planning committee Perform risk assessment and implement analysis Prioritize recovery needs Select a recovery plan Selected vendors Develop and implement the plan Test the plan Continually test and evaluate Some companies choose not to develop fully their own recovery plan and choose to outsource it to companies that specialize in either disaster recovery planning or provision of alternative sites. Some companies provide both planning and software for disaster recovery. Duplicate databases and applications are maintained for clients.
  • 6. © Cengage Learning 2015 1 Figure 13.2 Advantages and disadvantages of custom-designed applications © Cengage Learning 2015 Outsourcing meanings in the IT arena To commission the development of an application to another organization To hire the services of another company to manage all or parts of the services usually rendered by an IT unit in the organization May not include development of new applications Outsouricing custom-designed (tailored) software is software, developed by another company, specifically for the needs of an organization There are several advantages which are The software is a good fit to business needs The software is a good fit to organizational culture There is dedicated maintenance Seamless interfaces with other systems can be included Specialized security Potential for strategic advantage Disadvantages can be A high cost The organization must fund all development costs Staff may be diverted from other projects Software is less likely to be compatible with other organizations’ systems Must deal with an inherent conflicts when outsourcing software development:
  • 7. Client wants a firm contract and set of requirements Specific requirements may mean that no deviation is allowed if changes are needed later as development progresses Changes may involve hefty additional charges Offshoring: outsourcing to other countries such as Costa Rica, Indonesia, Columbia, etc. 1 Licensing Applications Purchasing software usually means purchasing a license to use the software There is a large selection of high-quality packaged software available Groups of ready-made software Relatively inexpensive software that helps in the workplace, such as office suites Large, costly applications that support entire organizational functions, such as HR or financial management © Cengage Learning 2015 2 2 Purchasing software usually means purchasing a license to use the software There is a large selection of high-quality packaged software available Groups of ready-made software Relatively inexpensive software that helps in the workplace, such as office suites Large, costly applications that support entire organizational functions, such as HR or financial management Software licensing benefits are: Immediate system availability High quality
  • 8. Low price (license fee) And Available support A Beta version is a prerelease version of software to be tested by companies who want to use it After-the-sale support often includes a period of up to one year of free service Large applications require installation specialists Some software licensing risks are: There can be a loose fit between needs and features We must determine if the software will comply with company needs and organizational culture There can be difficulties in customizing the software for company needs The vendor may dissolve or stop supporting the software before the company is ready and may be left without support and maintenance High turnover of vendor personnel may result in lowered support expertise from vendor If custom modifications are undertaken, vendor updates may require, tedious “weaving” into customized system © Cengage Learning 2015 3 Figure 13.8 Benefits and risks of Software as a Service (SaaS) © Cengage Learning 2015 An application service provider (ASP) is an organization that offers software through a network (the Internet or private network) Software as a service (SaaS) are applications available through a network No software is installed on a client’s computers Files may be stored on local storage devices ASPs may rent the software they offer
  • 9. The benefits of renting software are: There is no need to learn how to maintain the software There is no large start-up fee Storage hardware is unnecessary Software is usually available sooner A good option for small companies Considered a “software on demand” approach The risks of renting software are The lack of control may be an issue, as the client’s data is managed by the vendor The vendor is unlikely to make many customized changes to the software Response time is impacted by traffic levels There may be security risks through a public network Many clients use leased lines instead of the Internet to limit security risks 3 © Cengage Learning 2015 4 Figure 13.9 Guidelines for end-user development of information technology applications © Cengage Learning 2015 User application development is when a nonprogrammer users write their own business applications Characteristics of user-developed software are: Simple and limited in scope software Small applications developed for immediate or brief needs Software is maintained by end users Challenges of user-developed applications are: Managing the reaction of IT professionals,
  • 10. Providing support., Compatibility issues, And managing access Advantages of user development of applications are: Shortened lead times Good fit to needs Compliance with culture Efficient utilization of resources Acquisition of skills And freeing up IS staff time Disadvantages of user-developed applications are Poorly developed applications Islands of information Duplication Security problems and poor or no documentation 4 Goals of Information Security Protecting IT resources is a primary concern Securing corporate ISs is becoming increasingly challenging Major goals of information security Reduce the risk of systems ceasing operation Maintain information confidentiality Ensure the integrity and reliability of data resources Ensure the uninterrupted availability of resources Ensure compliance with policies and laws © Cengage Learning 2015 5 5 Protecting IT resources is a primary concern Securing corporate ISs is becoming increasingly challenging
  • 11. Major goals of information security are to Reduce the risk of systems ceasing operation, Maintain information confidentiality, Ensure the integrity and reliability of data resources, Ensure the uninterrupted availability of resources, And Ensure compliance with policies and laws Laws passed by U.S. Congress setting standards for protecting privacy Health Insurance Portability and Accountability Act of 1996 (HIPAA) Sarbanes-Oxley Act of 2002 (SOX) CIA triad: foundational concepts of information systems security Confidentiality Integrity Availability Risks associated with cloud computing and data storage Downtime: the period of time during which an IS is not available $26 billion lost annually in the U.S. due to downtime Costs of downtime vary depending on industry, the size of the company, and other factors There are also risk to hardware. The #1 cause of system downtime is hardware failure Major causes of hardware damage Natural disasters Fires, floods, earthquakes, hurricanes, tornadoes, and lightning Blackouts and brownouts Blackout: total loss of electricity Brownout: partial loss of electricity Uninterruptible power supply (UPS): backup power for a short time Major causes of hardware damage Vandalism Deliberate destruction
  • 12. Deliberate alteration or destruction is often done as a prank, but has a high cost Online vandal’s target may be a company’s website Hacking: unauthorized access Honeytoken: a bogus record in a networked database used to combat hackers Honeypot: a server containing a mirrored copy of a database or a bogus database Educates security officers about vulnerable points Virus: spreads from computer to computer Worm: spreads in a network without human intervention Antivirus software: protects against viruses Trojan horse: a virus disguised as legitimate software Logic bomb: software that is programmed to cause damage at a specific time Unintentional, non-malicious damage can be caused by: Poor training Lack of adherence to backup procedures Unauthorized downloading and installation of software may cause damage Human error There are risks to online operations. Many hackers try daily to interrupt online businesses Some types of attacks Unauthorized access Data theft Defacing of webpages Denial of service Hijacking computers Denial of service (DoS): an attacker launches a large number of information requests Slows down legitimate traffic to site Distributed denial of service (DDoS): an attacker launches a
  • 13. DoS attack from multiple computers Usually launched from hijacked personal computers called “zombies” There is no definitive cure for this A site can filter illegitimate traffic Computer Hijacking is using some or all of a computer’s resources without the consent of its owner Often done for making a DDoS attack Done by installing a software bot on the computer Main purpose of hijacking is usually to send spam Bots are planted by exploiting security holes in operating systems and communications software A bot usually installs e-mail forwarding software Security Measures Organizations can protect against attacks using various approaches, including: Firewalls Authentication Encryption Digital signatures Digital certificates © Cengage Learning 2015 6 6 Organizations can take security measures to protect against attacks using various approaches, including: Firewalls Authentication Encryption Digital signatures
  • 14. And Digital certificates Firewall: hardware and software that blocks access to computing resources The best defense against unauthorized access over the Internet Firewalls are now routinely integrated into routers DMZ: demilitarized zone approach One end of the network is connected to the trusted network, and the other end to the Internet Connection is established using a proxy server Proxy server: “represents” another server for all information requests from resources inside the trusted network Can also be placed between the Internet and the trusted network when there is no DMZ Authentication: the process of ensuring that you are who you say you are Encryption: coding a message into an unreadable form Messages are encrypted and authenticated to ensure security Important when communicating confidential information, e.g., financial and medical records A message may be text, image, sound, or other digital information Encryption programs scramble the transmitted information Plaintext is the original message Ciphertext is the encoded message Encryption uses a mathematical algorithm and a key A Key is a unique combination of bits that will decipher the ciphertext Public-key encryption uses two keys, one public and one private Symmetric encryption is when the sender and the recipient use the same key Asymmetric encryption is when both a public and a private key are used
  • 15. Transport Layer Security (TLS) is a protocol for transactions on the Web that uses a combination of public key and symmetric key encryption HTTPS is a the secure version of HTTP A Digital signature is a means to authenticate online messages; implemented with public keys A Message digest is unique fingerprint of file Digital certificates are computer files that associate one’s identity with one’s public key Issued by certificate authority Certificate authority (CA) is a trusted third party A digital certificate contains its holder’s name, a serial number, its expiration dates, and a copy of holder’s public key Also contains the digital signature of the CA The downside of security measures are: For Single sign-on (SSO) a user must enter his or her name/password only once Single sign-on saves employees time Encryption slows down communication Every message must be encrypted and then decrypted IT specialists must clearly explain the implications of security measures to upper management Recovery Measures Security measures may reduce mishaps, but no one can control all disasters Preparation for uncontrolled disasters requires that recovery measures are in place Redundancy may be used Very expensive, especially in distributed systems Other measures must be taken © Cengage Learning 2015 7
  • 16. 7 Security measures may reduce mishaps, but no one can control all disasters Recovery measures are preparation for uncontrolled disasters that require recovery of data and information. Redundancy may be used It is Very expensive, especially in distributed systems Other measures must be taken A Business recovery plan is a detailed plan about what should be done and by whom if critical systems go down Also called a disaster recovery plan, business resumption plan, or business continuity plan To develop a business recovery plan Obtain management’s commitment to the plan Establish a planning committee Perform risk assessment and impact analysis Prioritize recovery needs Mission-critical applications: those without which the business cannot conduct operations Select a recovery plan Select vendors Develop and implement the plan Test the plan Continually test and evaluate Can outsource recovery plans to firms that specialize in disaster recover planning Hot sites are alternative sites that a business can use when a disaster occurs Backup sites provide desks, computer systems, and Internet links Companies that implement hot sites IBM Hewlett-Packard SunGard Availability Services