PROBLEMS AND ISSUES WITH MIS

1. Definition
A MIS manages the information a business needs to run effectively. While these systems have existed for hundreds of years, the MIS that is referred to in recent times is more indicative of a consistent approach to developing an information framework replete with guidelines, policies, procedures and standards supportive of the company's long-term goals. MIS, as it is defined in the vernacular, typically refers to a strategic information system that, if used effectively, manifests itself as a tool that builds productivity in a way that maximizes profit margins.
While new technology in and of itself is not a solution, it can provide methods by which to overcome existing performance gaps and to capitalize on new opportunities. Although technology-based, the term "technology" may not necessarily connote a complicated endeavor in a MIS. But it should be noted that, in practice, newer technology is what enables newer versions of these strategic Information Systems (IS). To quote the Organisation for Economic Co-operation and Development (OECD), "the Internet and related advances in information and communication technology (ICT) are transforming economic activity, much as the steam engine, railways and electricity did in the past." ICT is developing at an exponential rate, and while its impact can be seen on the economy at large, the impact of ICT is even more clearly demonstrated in the ways by which the new technology has enabled more sophisticated IS. For instance, think about the impact the typewriter had, then the word processor and finally the computer. Huge, right? Today, ICT is growing so exponentially that it has to be considered spherically. New storage devices, such as Apple's Time Capsule or Seagate's FreeAgent External Drive, have presented new information storage options for businesses, enabling individuals or smaller businesses to have a secure method of information storage. There are also newer applications for business, such as Google Apps, which change the way information can be gathered, shared and accessed. These newer ICT innovations create both new concerns and new opportunities. First, any technology can fail, at any time, for no reason. This is an issue that has to be accounted for. Also, information can be pirated from electronic devices, so security measures must be in place. While issues such as storage failure and security needed to be considered when everything was handwritten, the way those concerns manifest themselves with the advent of ICT is much different and must be handled in new and improved ways.
2. Development Problems in MIS

In dealing with MIS, several common development issues arise. The first, and most common, is in regard to the goals of the MIS. According to Kalle Lyytinen (reference 1), the goals are "ambiguous, too narrow" or "conflicting." These development issues, while common in any goal-setting environment, are of special importance in MIS, if for no other reason than the aggravation that accompanies them. Essentially, a person must understand the goal presented in order to work toward it. Also, the goal must be broad enough, in terms of the company. For example, a goal to improve the efficiency of the production of half-inch purple cogs is probably too narrow, whereas a goal to improve the efficiency of cog production would present a better breadth. Lastly, no one does well when goals are conflicting. An example of this would be "increase profits for this quarter" versus "increase profits for the year". The profits of this quarter may decline because of factors like reinvestment and new opportunities. Trying to meet both goals is difficult, if not impossible.

Other issues identified by Lyytinen relevant to the development of MIS include technology, economy, view of organization and self-image, process features, and issues with concepts, with people and with the complexity of the system. Technology here refers to the impact technology has on information systems, both as a limitation (the system does not have the capability to use an automated information-gathering system) and as to its opportunities (the system has the capability of intra-networking, file sharing and collaboration). Economy, basically, refers to whether the correct goal was identified, whereas process features refer to whether the process by which to achieve that goal will be successful. The view of the organization and self-image have to do with whether the queries "can it be done?" and "can we really do this?" are answered affirmatively at the company level and at the individual level.

Usage Problems in MIS

Lyytinen goes on to identify issues regarding the process of the MIS, observing that the process is frequently seen as too difficult, slow and/or unreliable. Frequently, processes that are slow simply take up too much time. After a while, people will stop using them. Secondly, the process must be easy to use and understand, otherwise it may prove too difficult for the average person to complete successfully. A good example here would be a set of instructions 50 pages long for a process that should take 15 minutes. Other process-oriented problems regarding MIS have to do with data. Since the information gathered is the purpose of the system, if it provides incorrect information it is useless. Is the data reliable, and is the right data being reviewed? Did the people who set up the IS process fully understand the nature of the product? Is the process chosen for the management of the information system appropriate? The people the company employs need to understand how the MIS is attempting to improve company function, and have to believe that that goal can be achieved through the process instituted. Few totally understand the technology being used. All of these factors can contribute to an unreliable system.

Effective MIS

One of the biggest issues facing MIS, either in its development or its usage, lies in the fact that the systems do not have a concrete definition or a quantitative measure. Without ways to make its use measurable and understandable, how can its success (or lack of success) be gauged? Who judges whether the MIS process being implemented is the correct one? And is the process too complex, and the data it collects not clear enough for accurate measurement? MIS research tends to look at issues in such a narrow way that practical applications to a given business are few if any, and much of the research into MIS has neglected to look at the myriad of different types and focus on how each would apply.

QUALITY ASSURANCE (QA) refers to the systematic activities implemented in a quality system so that quality requirements for a product or service will be fulfilled. It is the systematic measurement, comparison with a standard, monitoring of processes and an associated feedback loop that confers error prevention. This can be contrasted with quality control, which is focused on process outputs. Two principles included in QA are "Fit for purpose" (the product should be suitable for the intended purpose) and "Right first time" (mistakes should be eliminated). QA includes management of the quality of raw materials, assemblies, products and components, services related to production, and management, production and inspection processes. Suitable quality is determined by product users, clients or customers, not by society in general. It is not related to cost, and adjectives or descriptors such as "high" and "poor" are not applicable. For example, a low priced product may be viewed as having high quality because it is disposable, where another may be viewed as having poor quality because it is not disposable.

Software quality assurance (SQA) consists of a means of monitoring the software engineering processes and methods used to ensure quality. The methods by which this is accomplished are many and varied, and may include ensuring conformance to one or more standards, such as ISO 9000, or a model such as CMMI. SQA encompasses the entire software development process, which includes processes such as requirements definition, software design, coding, source code control, code reviews, change management, configuration management, testing, release management, and product integration. SQA is organized into goals, commitments, abilities, activities, measurements, and verifications.

Information quality (IQ) is a term to describe the quality of the content of information systems. It is often pragmatically defined as: "The fitness for use of the information provided." "Quality" is often perceived as subjective, and the quality of information can then vary among users and among uses of the information. "Information quality" is a measure of the value which the information provides to the user of that information. It has been suggested, however, that the higher the quality, the greater will be the confidence in meeting more general, less specific contexts. Information quality assurance is the process to guarantee confidence that particular information meets some context-specific quality requirements.

A list of dimensions or elements used in assessing Information Quality is:
• Intrinsic IQ: Accuracy, Objectivity, Believability, Reputation
• Contextual IQ: Relevancy, Value-Added, Timeliness, Completeness, Amount of information
• Representational IQ: Interpretability, Format, Coherence, Compatibility
• Accessibility IQ: Accessibility, Access security

Quality metrics
• Authority/Verifiability. Authority refers to the expertise or recognized official status of a source. Consider the reputation of the author and publisher. When working with legal or government information, consider whether the source is the official provider of the information. Verifiability refers to the ability of a reader to verify the validity of the information irrespective of how authoritative the source is. To verify the facts is part of the duty of care of the journalistic deontology, as well as, where possible, to provide the sources of information so that they can be verified.
• Scope of coverage. Scope of coverage refers to the extent to which a source explores a topic. Consider time periods, geography or jurisdiction and coverage of related or narrower topics.
• Composition and Organization. Composition and Organization has to do with the ability of the information source to present its particular message in a coherent, logically sequential manner.
• Objectivity. Objectivity is the bias or opinion expressed when a writer interprets or analyzes facts. Consider the use of persuasive language, the source's presentation of other viewpoints, its reason for providing the information, and advertising.
• Integrity. 1. Adherence to moral and ethical principles; soundness of moral character. 2. The state of being whole, entire, or undiminished.
• Comprehensiveness. 1. Of large scope; covering or involving much; inclusive: a comprehensive study. 2. Comprehending mentally; having an extensive mental grasp. 3. Insurance: covering or providing broad protection against loss.
• Validity. Validity of some information has to do with the degree of obvious truthfulness which the information carries.
• Uniqueness. As much as "uniqueness" of a given piece of information is intuitive in meaning, it also significantly implies not only the originating point of the information but also the manner in which it is presented, and thus the perception which it conjures. The essence of any piece of information we process consists to a large extent of those two elements.
• Timeliness. Timeliness refers to information that is current at the time of publication. Consider publication, creation and revision dates. Beware of Web site scripting that automatically reflects the current day's date on a page.
• Reproducibility (utilized primarily when referring to instructive information). Means that documented methods are capable of being used on the same data set to achieve a consistent result.

INFORMATION SECURITY (sometimes shortened to InfoSec) is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.). Below are the typical terms you will hear when dealing with information security:
IT Security = Sometimes referred to as computer security, IT Security is information security when applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory (even a calculator). IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber attacks that often attempt to breach critical private information or gain control of the internal systems.

Information Assurance = The act of ensuring that data is not lost when critical issues arise. These issues include, but are not limited to, natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists. One of the most common methods of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arises.

Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business' customers or finances or new product line fall into the hands of a competitor, such a breach of security could lead to negative consequences. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.

The field of information security has grown and evolved significantly in recent years. There are many ways of gaining entry into the field as a career. It offers many areas for specialization including: securing network(s) and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics.
Information Security Attributes, or qualities: Confidentiality, Integrity and Availability (CIA). Information Systems are decomposed into three main portions, hardware, software and communications, with the purpose of helping to identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational. Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organization.

Key concepts

The CIA triad (confidentiality, integrity and availability) is one of the core principles of information security. There is continuous debate about extending this classic trio. Other principles such as Accountability have sometimes been proposed for addition; it has been pointed out that issues such as Non-Repudiation do not fit well within the three core concepts, and as regulation of computer systems has increased (particularly amongst the Western nations) Legality is becoming a key consideration for practical security installations.

In 1992, and revised in 2002, the OECD's Guidelines for the Security of Information Systems and Networks proposed the nine generally accepted principles: Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. Building upon those, in 2004 the NIST's Engineering Principles for Information Technology Security proposed 33 principles. From each of these, guidelines and practices were derived.

In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals.

Confidentiality

Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.

Integrity

In information security, integrity means that data cannot be modified undetectably. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.
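The confidentiality and integrity points above, carried into code as an added example that is not part of the original text: the card number is masked before it can reach a log line or receipt (limiting where it appears), and an HMAC tag over the transaction record makes any modification in transit detectable. The shared key, the record and the wire format are constructed for the demonstration.

```python
"""Added example: confidentiality (mask the card number wherever it would be
logged) and integrity (an HMAC tag that exposes in-transit modification) for a
constructed card-transaction record. Not code from the original text."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret shared by sender and receiver; a real deployment would
# provision this through a key-management system, never hard-code it.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed transaction record; the PAN is a well-known test number.
RECORD = {"pan": "4111111111111111", "amount": "19.99",
          "currency": "USD", "merchant": "example-shop"}


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; hide the rest.

    Limiting where the full number appears (logs, receipts, backups) is one of
    the confidentiality measures the text lists.
    """
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def log_line(record: dict) -> str:
    """Render a record for a log file without exposing the full PAN."""
    safe = dict(record, pan=mask_pan(record["pan"]))
    return json.dumps(safe, sort_keys=True)


def _canonical(record: dict) -> str:
    # Canonical JSON so sender and receiver compute the tag over identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def protect(record: dict, key: bytes) -> bytes:
    """Wrap the record with an HMAC-SHA256 tag (integrity, not confidentiality).

    Encrypting the channel is a separate control; a tag alone does not hide the
    contents, which is why the text pairs message integrity with confidentiality.
    """
    body = _canonical(record)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def verify(wire: bytes, key: bytes) -> Optional[dict]:
    """Return the record if the tag matches, None if the message was altered."""
    try:
        envelope = json.loads(wire)
        body, tag = envelope["body"], envelope["tag"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(body, str) or not isinstance(tag, str):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def altered_in_transit(wire: bytes, new_amount: str) -> bytes:
    """Simulate an active modification of the message between the parties."""
    envelope = json.loads(wire)
    body = json.loads(envelope["body"])
    body["amount"] = new_amount
    envelope["body"] = _canonical(body)
    return json.dumps(envelope).encode()


if __name__ == "__main__":
    wire = protect(RECORD, SHARED_KEY)
    print("log:", log_line(RECORD))
    print("intact  ->", verify(wire, SHARED_KEY) == RECORD)
    print("altered ->", verify(altered_in_transit(wire, "9999.00"), SHARED_KEY))
```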
Availability

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

Authenticity

In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim to be.

Non-repudiation

In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction. Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation.

INFORMATION SECURITY CONTROLS

Organizational Controls

Organizational controls are procedures and processes that define how people in the organization should perform their duties.

Preventative controls in this category include:
Clear roles and responsibilities. These must be clearly defined and documented so that management and staff clearly understand who is responsible for ensuring that an appropriate level of security is implemented for the most important IT assets.
Separation of duties and least privileges. When properly implemented, these ensure that people have only enough access to IT systems to effectively perform their job duties and no more.
Documented security plans and procedures. These are developed to explain how controls have been implemented and how they are to be maintained.
Security training and ongoing awareness campaigns. This is necessary for all members of the organization so that users and members of the IT team understand their responsibilities and how to properly utilize the computing resources while protecting the organization's data.
Systems and processes for provisioning and de-provisioning users. These controls are necessary so that new members of the organization are able to become productive quickly, while leaving personnel lose access immediately upon departure. Processes for provisioning should also include employee transfers between groups within the company where privileges and access change from one level to another. For example, consider government personnel changing jobs and security classifications from Secret to Top Secret, or vice versa.
Established processes for granting access to contractors, vendors, partners, and customers. This is often a variation on user provisioning, mentioned previously, but in many cases it is very distinct. Sharing some data with one group of external users while sharing a different collection of data with a different group can be challenging. Legal and regulatory requirements often impact the choices, for example when health or financial data is involved.

Detection controls in this category include:
Performing continuing risk management programs to assess and control risks to the organization's key assets.
Executing recurrent reviews of controls to verify the controls' efficacy.
Periodic undertaking of system audits to ensure that systems have not been compromised or misconfigured.
Performing background investigations of prospective candidates for employment. You should contemplate implementing additional background investigations for employees when they are being considered for promotions to positions with a significantly higher level of access to the organization's IT assets.
Establishing a rotation of duties, which is an effective way to uncover nefarious activities by members of the IT team or users with access to sensitive information.

Management controls in this category include:
Incident response planning, which provides an organization with the ability to quickly react to and recover from security violations while minimizing their impact and preventing the spread of the incident to other systems.
Business continuity planning, which enables an organization to recover from catastrophic events that impact a large fraction of the IT infrastructure.

Operational Controls

Operational controls define how people in the organization should handle data, software and hardware. They also include environmental and physical protections as described below.

Preventative controls in this category include:
Protection of computing facilities by physical means such as guards, electronic badges and locks, biometric locks, and fences.
Emergency backup power, which can save sensitive electrical systems from harm during power brownouts and blackouts; it can also ensure that applications and operating systems are shut down in a graceful manner to preserve data and transactions.
Fire protection systems such as automated fire suppression systems and fire extinguishers, which are essential tools for guarding the organization's key assets.
Temperature and humidity control systems that extend the life of sensitive electrical equipment and help to protect the data stored on it.
Media access control and disposal procedures to ensure that only authorized personnel have access to sensitive information and that media used for storing such data are rendered unreadable by degaussing or other methods before disposal.
Backup systems and provisions for offsite backup storage to facilitate the restoration of lost or corrupted data. In the event of a catastrophic incident, backup media stored offsite make it possible to restore critical business data on replacement systems.

Detection and recovery controls in this category include:
Physical security, which shields the organization from attackers attempting to gain access to its premises; examples include sensors, alarms, cameras, and motion detectors.
Environmental security, which safeguards the organization from environmental threats such as floods and fires; examples include smoke and fire detectors, alarms, and flood detectors.
Physical protection for end-user systems, including devices such as mobile computer locks and alarms, and encryption of files stored on mobile devices.

Technological Controls

Technological controls vary considerably in complexity. They include system architecture design, engineering, hardware, software, and firmware. They are all of the technological components used to build an organization's information systems.

Preventative controls in this category include:
Authentication. The process of validating the credentials of a person, computer process, or device. Authentication requires that the person, process, or device making the request provide a credential that proves it is what or who it says it is. Common forms of credentials are digital signatures, smart cards, biometric data, and a combination of user names and passwords.
Authorization. The process of granting a person, computer process, or device access to certain information, services, or functionality. Authorization is derived from the identity of the person, computer process, or device requesting access, which is verified through authentication.
Nonrepudiation. The technique used to ensure that someone performing an action on a computer cannot falsely deny that he or she performed that action. Nonrepudiation provides undeniable proof that a user took a specific action such as transferring money, authorizing a purchase, or sending a message.
Access control. The mechanism for limiting access to certain information based on a user's identity and membership in various predefined groups. Access control can be mandatory, discretionary, or role-based.
Protected communications. These controls use encryption to protect the integrity and confidentiality of information transmitted over networks.

Detection and recovery controls in this category include:
Audit systems. These make it possible to monitor and track system behavior that deviates from expected norms. They are a fundamental tool for detecting, understanding, and recovering from security breaches.
Antivirus programs. Designed to detect and respond to malicious software, such as viruses and worms. Responses may include blocking user access to infected files, cleaning infected files or systems, or informing the user that an infected program was detected.
System integrity tools. These make it possible for IT staff to determine whether unauthorized changes have been made to a system. For example, some system integrity tools calculate a checksum for all files present on the system's storage volumes and store the information in a database on a separate computer. Comparisons between a system's current state and its previously known good configuration can be completed in a reliable and automated fashion with such a tool.

Management controls in this category include:
Security administration tools included with many computer operating systems and business applications, as well as security-oriented hardware and software products. These tools are needed in order to effectively maintain, support, and troubleshoot security features in all of these products.
Cryptography, which is the foundation for many other security controls. The secure creation, storage, and distribution of cryptographic keys make possible such technologies as virtual private networks (VPNs), secure user authentication, and encryption of data on various types of storage media.
Identification, which supplies the ability to identify unique users and processes. With this capability, systems can include features such as accountability, discretionary access control, role-based access control, and mandatory access control.
Protections inherent in the system, which are features designed into the system to provide protection of information processed or stored on that system. Safely reusing objects, supporting no-execute (NX) memory, and process separation all demonstrate system protection features.

ETHICS
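The system integrity tool described under Technological Controls above (a checksum baseline per file, later compared against the system's current state), as an added example that is not part of the original text. It builds the baseline over a constructed temporary directory tree, simulates one modified, one added and one removed file, and reports the differences; the baseline is written to a JSON file that stands in for the separate computer the text recommends.

```python
"""Added example: a minimal file-integrity baseline and comparison of the kind
the text describes under system integrity tools. Not from the original text."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    # The text recommends keeping this database on a separate computer, so a
    # compromised host cannot rewrite its own reference values.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then change, add and delete one each."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    store = root.parent / (root.name + ".baseline.json")  # stand-in for the remote store
    try:
        files = {"bin/service": b"#!/bin/sh\necho service\n",
                 "etc/app.conf": b"debug=false\n",
                 "etc/extra.conf": b"retain=30\n"}
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        save_baseline(build_baseline(root), store)

        (root / "etc/app.conf").write_bytes(b"debug=true\n")            # unauthorized change
        (root / "bin/newtool").write_bytes(b"constructed new binary\n")  # unexpected new file
        (root / "etc/extra.conf").unlink()                               # deleted file

        return compare(load_baseline(store), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        store.unlink(missing_ok=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}", paths)
```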