Information Technology For Management 4
Turban, McLean, Wetherbe
Lecture Slides by A. Lekacos,
Stony Brook University
John Wiley & Sons, Inc.
Resources and Security
Recognize the difficulties in managing information resources.
Understand the role of the IS department and its relationships with end users.
Discuss the role of the chief information officer.
Recognize information systems’ vulnerability, attack methods, and the possible damage from malfunctions.
Describe the major methods of defending information systems.
Describe the security issues of the Web and electronic
Describe business continuity and disaster recovery planning.
Understand the economics of security and risk management.
The IS Department
The reporting relationship of the ISD is important in that it reflects the focus of the department. If the ISD reports to the accounting or finance areas, there is often a tendency to emphasize accounting or finance applications at the expense of those in the marketing, production, and logistics areas.
The name of the ISD is also important. Common names include:
Data Processing (DP) Department.
Management Information Systems (MIS) Department
Information Systems Department (ISD)
Another important characteristic is the
of the ISD
IT resources are very diversified; they include personnel assets, technology assets, and IT relationship assets. The management of information resources is divided between the information services department (ISD) and the end users. The division of responsibility depends on many factors.
To improve collaboration, the ISD and end users may employ three common arrangements:
the steering committee
the information center.
Since the ISD is a
that manages the IT infrastructure needed to carry on end-user IT applications, it is extremely important to have a good relationship with the end users. The development of
was motivated in part by the poor service that end users felt they received. However, this is not an easy task, since the ISD is basically a technical organization that may not understand the business and the users, while the users may not understand
To carry out its mission in the digital economy, the ISD needs to adapt.
(Chief Information Officer)
The changing role of the ISD highlights the fact that the CIO is becoming an important member of the firm's top
Realization of the need for IT-related disaster planning and the importance of IT to the firm’s activities.
Aligning IT with the business strategy
Providing information access
Being a business visionary
who drives business strategy
Managing the ISD is similar to managing any other organizational unit. The unique aspect of the ISD is that it operates as a service department in a rapidly changing environment, thus making the department’s projections and planning difficult.
Physical resources, data, software, procedures, and other information resources are scattered throughout the firm. Information is transmitted to and from the firm’s components. Therefore, vulnerabilities exist at many points and at any time.
A universal vulnerability is a state in a computing system which either: allows an attacker to execute commands as another user; allows an attacker to access data that is contrary to the access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.
is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected, but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable
The vulnerability of information systems is increasing as we move to a world of networked and especially wireless computing. Theoretically, there are hundreds of points in a corporate information system that can be subject to some threats.
These threats can be classified as:
Computer system failures
Theft of data
Inappropriate use of data
Theft of mainframe com
Theft of equipment and/or programs
Deliberate manipulation in handling
Malicious damage to computer resources
Destruction from viruses and similar attacks
Miscellaneous computer abuses
is implemented through the modification of a
The most common attack method is the
a program that attaches itself to (“infects”) other computer programs, without the owner of the program being aware of the infection. It spreads, causing damage to that program and possibly to others. When a virus is attached to a legitimate software program, the legitimate software is acting as a
, a program that contains a
Protecting Information Resources
Information security problems are increasing rapidly, causing damage to many organizations. Protection is expensive and complex. Therefore, companies must not only use controls to prevent and detect security problems, they must do so in an organized manner. An approach similar to TQM (total quality management) would have the following characteristics:
. The program must be aligned with organizational goals.
. Everyone in the organization must be included.
. The program must be operational all the time.
. Use innovative, preventive, and protective measures.
. The program must be tested to ensure it works.
. It must include authority, responsibility & accountability.
Corporate Security Plan
The major objectives of a defense strategy are:
Prevention and deterrence.
Limitation of damage.
Awareness and compliance
Knowing about potential threats to IS is necessary, but understanding ways to
against these threats is equally critical. Because of its importance to the entire enterprise, organizing an appropriate defense system is one of the major activities of the CIO. It is accomplished by inserting
(defense mechanisms) and developing
Any defense strategy involves the use of several controls. These controls are divided into two categories:
protect the system regardless of the specific application and
that safeguard specific applications.
Over the Internet, messages are sent from one computer to another. This makes the network difficult to protect, since there are many points at which to tap into the network.
Web Attack Threats
The major objective of
is access control. Then
or proof of identity and finally
which determine the action or activities a user is allowed to
An important element in any security system is the
, also known as the disaster recovery plan. The plan outlines the process by which businesses should recover from a major disaster.
The purpose of a business continuity plan is to keep the business running after a disaster occurs.
Recovery planning is part of asset protection
Planning should focus on recovery from a total loss of all
Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
All critical applications must be identified and their recovery
The plan should be written so that it will be effective in case of
The plan should be kept in a safe place; copies should be given to all key managers, or it should be available on the intranet; and the plan should be audited periodically.
One of the most logical ways to deal with loss of data is to back it up. A business continuity plan should include backup arrangements where all copies of important files are kept offsite.
Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an audit.
There are two types of auditors. An internal auditor is usually a corporate employee who is not a member of the ISD. An external auditor is a corporate outsider; this type of auditor reviews the findings of the internal audit.
There are two types of audits.
determines whether the ISD is working
determines whether controls have been implemented properly and are adequate.
It is usually not economical to prepare protection against every possible threat. Therefore, an IT security program must provide a
and deciding which ones to prepare for and which ones to ignore.
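As an added worked example that is not part of the slides, the following uses a standard annualized loss expectancy (ALE) calculation, assumed here as the analysis method, to rank constructed threats from the list above and decide which ones are worth preparing for and which can be accepted:

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    sle: float              # single loss expectancy: cost of one incident (dollars)
    aro: float              # annualized rate of occurrence: expected incidents per year
    control_cost: float     # annual cost of the candidate countermeasure
    residual_factor: float  # fraction of the loss that remains once the control is in place

    def ale(self) -> float:
        """Annualized loss expectancy with no countermeasure: SLE x ARO."""
        return self.sle * self.aro

    def ale_with_control(self) -> float:
        """Expected annual loss that the control does not prevent."""
        return self.ale() * self.residual_factor

    def net_benefit(self) -> float:
        """Annual loss avoided by the control, minus what the control costs."""
        return (self.ale() - self.ale_with_control()) - self.control_cost


def prioritize(threats):
    """Return (name, decision, net_benefit) tuples, highest net benefit first.

    A threat is worth preparing for when the control pays for itself; otherwise the
    economically rational choice is to accept (ignore) it.
    """
    rows = []
    for t in threats:
        decision = "prepare" if t.net_benefit() > 0 else "ignore"
        rows.append((t.name, decision, round(t.net_benefit(), 2)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed sample figures (hypothetical, not taken from the textbook).
SAMPLE_THREATS = [
    Threat("Computer system failure", sle=50_000, aro=2.0, control_cost=30_000, residual_factor=0.2),
    Threat("Theft of data", sle=200_000, aro=0.1, control_cost=5_000, residual_factor=0.05),
    Threat("Theft of equipment", sle=3_000, aro=0.5, control_cost=4_000, residual_factor=0.5),
    Threat("Virus infection", sle=20_000, aro=3.0, control_cost=12_000, residual_factor=0.1),
]

if __name__ == "__main__":
    for name, decision, benefit in prioritize(SAMPLE_THREATS):
        print(f"{name:25s} {decision:8s} net benefit: {benefit:>10,.2f}")
```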
IT Security Trends
Increasing the reliability of systems
Intelligent systems for early intrusion detection
Intelligent systems in auditing and fraud detection
Artificial intelligence in biometrics
Expert systems for diagnosis, prognosis, and disaster
To whom should the IS department report? This issue is related to the degree of IS decentralization and to the role of the CIO. Having the IS department reporting to a functional area may introduce biases in providing IT priorities to that functional area, which may not be justifiable. Having the IS report to the CEO is
Who needs a CIO? This is a critical question that is related to the role of the CIO as a senior executive in the organization. Giving a title without authority can damage the ISD and its operation. Asking the IS director to assume a CIO’s responsibility, but not giving the authority and title, can be just as damaging. Any organization that is heavily dependent on IT should have a CIO.
End users are friends, not enemies, of the IS department. The relationship between end users and the ISD can be very delicate. In the past, many ISDs were known to be insensitive to end-user needs. This created a strong desire for end-user independence, which can be both expensive and ineffective. Successful companies develop a climate of cooperation and friendship between the
The reporting relationship of the ISD can result in some unethical behavior. For example, if the ISD reports to the finance department, the finance department will have access to information about individuals or other departments that could be misused.
Responsibilities for security should be assigned in all areas. The more organizations use the Internet, extranets, and intranets, the greater are the security issues. It is important to make sure that employees know who is responsible and accountable for what information and that they understand the need for security control. The vast majority of information resources is in the hands of end users. Therefore, functional managers must understand and practice IT security management and other proper asset management tasks.
Security awareness programs are important for any organization, especially if it is heavily dependent on IT. Such programs should be corporate-wide and supported by senior executives. In addition, monitoring security measures and ensuring compliance with administrative controls are essential to the success of any security plan. For many people, following administrative controls means additional work, which they prefer not to do.
Auditing information systems should be institutionalized into the
Organizations should audit IS because it can save considerable amounts of money. Conversely, over-auditing is not cost
Organizing the ISD in a multinational corporation is a complex issue. Some organizations prefer a complete decentralization, having an ISD in each country or even several ISDs in one country. Others keep a minimum of centralized staff. Some companies prefer a highly centralized structure. Legal issues, government constraints, and the size of the IS staff are some factors that determine the degree of decentralization.
Copyright © 2003 John Wiley & Sons, Inc.