Ch 5 - IS Planning


What is ISP?
- ISP = IS + P. You should know what is meant by:
  - Information System
  - Planning

Why Planning is Important?
- A systematic approach to dealing with future uncertainties.
- It focuses efforts and resources on long-term, general objectives and yet provides a foundation for short-term activities.
- It provides a framework for action. Planning involves thinking ahead and designing future action.

ISP Key Activities
- Describing the current situation: a listing of the manual and automated processes, a listing of manual and automated data, a technology inventory and a human resources inventory.
- Describing the future situation: blueprints of manual and automated processes, blueprints of manual and automated data, technology blueprints and human resources blueprints.
- Describing the scheduling of the project: scheduling of manual and automated processes, scheduling of manual and automated data, technology scheduling and human resources scheduling.

ISP Planning Types
- Top-Down Planning: a generic information systems planning methodology that attempts to gain a broad understanding of the information system needs of the entire organization.
- Bottom-Up Planning: a generic information systems planning methodology that identifies and defines IS development projects based upon solving operational business problems or taking advantage of business opportunities.

Components of ISP
- The Process of Information Systems Planning
- Strategic Alignment of Business and IT
- Selecting Systems to Invest In
- Project Management Issues

Why ISP? Why do we need to plan for IS?
- To ensure that IS both complements and assists in the achievement of our business goals.
- To ensure that the use of scarce resources is maximized within a business.
- To maximize the benefits of changing technology.
- To take account of the different viewpoints of business professionals and IT professionals.
- Information Systems (IS) fail to satisfy the diverse and complicated information requirements of their users.

HOW?
- Look at business structure, culture, processes, function.
- Look at existing IT.
- Look at available technology.
- Carry out interviews.
- Develop policies.
- Develop an application portfolio.
- Plan schedules for migration, implementation etc.

Who Performs ISP?
- IS Planners / System Analysts
- A variety of stakeholders (sponsor, users)
- Top management commitment is essential for successful ISP.

Where & When ISP?
- Any organization that has an interest in getting the best out of its IT investments.
- When facing problems.
- When grabbing opportunities.

Approaches to I.T. planning
- NO planning
- TRADITIONAL information resource planning
- STRATEGIC information systems planning
- REACTIVE information resource planning
- LINKED information resource planning

No Planning
- Speaks for itself; there is more of this about than you might think.

Inputs and Outputs for the Traditional Information Resource Plan (figure)

Linking Business and IS/IT Strategy (figure)

IT Planning Issues
Basic IT planning addresses the following four general issues:
1. Aligning the IT plan with the organizational business plan.
2. Designing an IT architecture for the organization in such a way that users, applications, and databases can be integrated and networked together.
3. Efficiently allocating information systems development and operational resources among competing applications.
4. Planning information systems projects so that they are completed on time and within budget and include the specified functions.

IT Planning
- A strategic information systems plan identifies a set of computer-based applications that will help a company reach its business goals.
- Initial mechanisms addressed operational planning, and eventually shifted to managerial planning.
- IT planning identifies the applications portfolio, a list of major, approved IS projects that are consistent with the long-range plan.

A Generic/General Approach to SPIT (figure)

CH 7 IS Audit, Control and Security

What is a security audit?
- Policy based
- Assessment of risk
- Examines site methodologies and practices
- Dynamic
- Communication

What kinds of Security Audits are there?
- Host
- Firewall
- Networks
- Large networks

Security Policies & Documentation

What is a security policy?
- Components
- Who should write it?
- How long should it be?
- Dissemination
- It walks, it talks, it is alive...
- RFC 1244
- What if a written policy doesn't exist?
- Other documentation

RFC 1244 "Site Security Handbook"
- Defines security policies & procedures
- Policy violations
- Interpretation
- Publicizing
- Identifying problems
- Incident response
- Updating
(RFC 1244 has since been obsoleted by RFC 2196, which covers the same ground; the structure above still applies.)

Other Documentation
- Hardware/software inventory
- Network topology
- Key personnel
- Emergency numbers
- Incident logs

Why do a Security Audit?
- Information is power
- Expectations
- Measure policy compliance
- Assessing risk & security level
- Assessing potential damage
- Change management
- Security incident response

When to audit?
- Emergency!
- Before prime time
- Scheduled/maintenance

Components of a Security Policy
- Who can use resources
- Proper use of the resources
- Granting access & use
- System Administrator privileges
- User rights & responsibilities
- What to do with sensitive information
- Desired security configurations of systems

Audit Schedules
- Individual Host: 12-24 months
- Large Networks: 12-24 months
- Network: 12 months
- Firewall: 6 months

How to do a Security Audit
- Pre-audit: verify your tools and environment
- Audit/review security policy
- Gather audit information
- Generate an audit report
- Take actions based on the report's findings

- Safeguard data & report

Verify your tools and environment
- The golden rule of auditing
- Bootstrapping problem
- Audit tools
- The audit platform

The Golden Rule of Auditing
- Verify ALL tools used for the audit are untampered with.
- If the results of the auditing tools cannot be trusted, the audit is useless.

The Bootstrapping Problem
- If the only way to verify that your auditing tools are OK is by using auditing tools, then... (the verifier itself has to come from media you already trust, such as a known-good install image or read-only removable media)

Audit Tools Trust?
- Write them yourself
- Find a trusted source (person, place)
- Verify them against a checksum published and signed by that source (e.g. a PGP-signed list of hashes). The original slide says "digital signature (MD5)": MD5 is a hash, not a signature, and its collision resistance is broken, so use SHA-256 and check the signature on the hash list, not just the hash.

Audit Tools - the Hall of Fame
- SAINT/SATAN/ISS
- Nessus
- lsof / pff
- Nmap, tcpdump, ipsend
- MD5/DES/PGP
- COPS/Tiger
- Crack

The Audit Platform
- Should have extraordinary security
- Submit it to a firewall+ type of audit
- Physical access should be required to use it
- No network services running

Choosing a security audit platform: Hardware
- Laptop computer
- Three kilograms or less
- Graphics display
- MB memory
- MB disk
- Ethernet (as many connectors as possible)

Choosing a security audit platform: Unix / Linux
- BSD: FreeBSD, OpenBSD
- SunOS/Solaris
- ?
- Source code
- A good development platform
- Large body of available literature

Choosing a security audit platform: Software
- Unix / Linux
- Secured OS
- OS source code
- Audit tools
- Development tools
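To make the golden rule and the bootstrapping problem concrete, here is an added example (not from the original slides, and not the code of any tool named above) of a Python script that records SHA-256 hashes of the audit tools in a manifest, signs the manifest, and refuses to trust a tool whose hash or whose manifest signature does not check out. An HMAC with a key kept offline stands in for the PGP signature the slides would have used; the tool files, directory and key are constructed for the example. The one thing it cannot do is verify itself: the Python interpreter and this script must already come from trusted media, which is exactly the bootstrapping problem.

```python
"""Verify audit tools against a signed manifest of SHA-256 hashes.
Added example; the tool files, key and directory below are constructed."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-in for the signer's private key. In practice this is a
# PGP key that never touches the audited network; HMAC stands in for PGP here.
OFFLINE_KEY = b"example-offline-signing-key"


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tool_dir, names):
    """Map each tool name to its SHA-256 hex digest."""
    return {name: sha256_file(os.path.join(tool_dir, name)) for name in names}


def sign_manifest(manifest, key):
    """Canonical JSON encoding plus HMAC-SHA256 over it (PGP signature stand-in)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_tools(tool_dir, body, sig, key):
    """Return (ok, problems). Check the signature first: an unsigned or
    re-signed manifest is worthless, whatever hashes it lists."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, ["manifest signature mismatch"]
    problems = []
    for name, digest in json.loads(body).items():
        path = os.path.join(tool_dir, name)
        if not os.path.exists(path):
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(sha256_file(path), digest):
            problems.append(f"{name}: hash mismatch")
    return not problems, problems


def make_sample_tools():
    """Constructed sample: two tiny shell scripts standing in for nmap and lsof."""
    d = tempfile.mkdtemp(prefix="audit-tools-")
    for name, body in {"nmap": b"#!/bin/sh\necho scanning\n",
                       "lsof": b"#!/bin/sh\necho listing\n"}.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return d


def demo():
    """Clean verify, then a trojaned tool, then a forged manifest."""
    d = make_sample_tools()
    body, sig = sign_manifest(build_manifest(d, ["nmap", "lsof"]), OFFLINE_KEY)
    clean_ok, _ = verify_tools(d, body, sig, OFFLINE_KEY)

    # An intruder swaps nmap for a copy that always reports "all clear".
    with open(os.path.join(d, "nmap"), "wb") as f:
        f.write(b"#!/bin/sh\necho all clear\n")
    tool_ok, tool_problems = verify_tools(d, body, sig, OFFLINE_KEY)

    # The intruder also edits the manifest to match the trojan, but has no key.
    forged = json.loads(body)
    forged["nmap"] = sha256_file(os.path.join(d, "nmap"))
    forged_body = json.dumps(forged, sort_keys=True).encode()
    forged_ok, forged_problems = verify_tools(d, forged_body, sig, OFFLINE_KEY)

    return clean_ok, tool_ok, tool_problems, forged_ok, forged_problems


if __name__ == "__main__":
    print(demo())
```

The signature check comes before any hash comparison on purpose: a manifest that an intruder can rewrite protects nothing, so the key that signs it must live on the audit platform or on removable media, never on the audited hosts.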

Audit/review security policy
- Utilize an existing or a "standard" policy
- Treat the policy as a potential threat
- Does it have all the basic components?
- Are the security configs comprehensive?
- Examine dissemination procedures

Does it have all the basic components?
- Who can use resources
- Proper use of the resources
- Granting access & use
- System Administrator privileges
- User rights & responsibilities
- What to do with sensitive information

Security policy
- Treat the policy as a potential threat
- Bad policies are worse than none at all
- Good policies are very rare
- Look for clarity & completeness
- Poor grammar and spelling are not tolerated

Are the security configs comprehensive?
- Details are important!
- Addresses specific technical problems (COPS-like tests, network services run, etc.)
- Allowable trust must be clearly outlined
- Should name the specific tools that are used (TCP wrappers, S/Key, etc.)
- Must have explicit time schedules of security audits and/or tools used
- Logfiles must be regularly examined!

Examine dissemination procedures
- Policies are worthless unless people read and understand them
- Ideally it is distributed and addressed when people join the organization
- Email is useful for updates and changes
- Written user acknowledgment is necessary

Gather audit information
- Talk to/Interview people
- Review documentation
- Technical investigation

Talk to/Interview people
- Difficult to describe, easy to do
- Usually ignored
- Users, managers, sysadmins, operators, janitors, etc.
- Usage & patterns
- Have they seen/read the security policy?
- What can/can't they do, in their own words
- Could they get root/system privileges?
- What are the systems used for?
- What are the critical systems?

- How do they view the security audit?

Review Documentation
- Hardware/software inventory
- Network topology
- Key personnel
- Emergency numbers
- Incident logs

Technical Investigation
- Run static tools (COPS, Crack, etc.)
- Follow startup execution
- Check static items (config files, etc.)
- Run dynamic tools (ps, lsof, netstat, etc.)
- Check system logs
- Check the system against known vulnerabilities (CERT, CIAC advisories, bugtraq, etc.)
- Search for privileged programs (SUID, SGID, run as root)
- Examine all trust
- Check extra network services (NFS, news, etc.)
- Check for replacement programs (wuftpd, TCP wrappers, etc.)
- Code review "home grown" programs (CGIs, finger FIFOs, etc.)
- Actively test defenses (packet filters, TCP wrappers, etc.)

Run Static Tools
- Nmap
- SAINT/SATAN/ISS
- Crack
- Nessus
- COPS/Tiger

Follow Startup Execution
- Boot (P)ROMs
- init
- Startup programs (rc.* like files)

Check static items
- Examine all config files of running processes (inetd.conf, sendmail, etc.)
- Examine config files of programs that can start up dynamically (ftpd, httpd, etc.)

Search for privileged programs
- Find all SUID/SGID programs
- Look at all programs executed as root
- Examine:
  - Environment
  - Paths to execution
  - Configuration files
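An added example (mine, not from the slides) of the "search for privileged programs" step in Python: walk a tree for files carrying the SUID or SGID bit, report the owner and whether the file itself is world-writable, then check the execution path a root-run program would inherit for relative entries and world-writable directories, which is the classic way a privileged program ends up executing someone else's binary. The directory, file names and PATH value built in demo() are constructed for the example; on a real host you would walk / and take PATH from the program's startup environment.

```python
"""Find SUID/SGID programs and check the execution path they inherit.
Added example; the files and PATH value built in demo() are constructed."""
import os
import stat
import tempfile


def classify_mode(mode):
    """Return the set of privilege bits present in a stat() mode word."""
    flags = set()
    if mode & stat.S_ISUID:
        flags.add("suid")
    if mode & stat.S_ISGID:
        flags.add("sgid")
    return flags


def find_privileged(root):
    """Walk root and list (path, flags, uid, world_writable) for every
    regular file that is SUID or SGID. Symlinks are not followed: a link
    cannot carry the bit, and following it would let an attacker plant
    a link that drags the auditor into arbitrary paths."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = classify_mode(st.st_mode)
            if flags:
                found.append((path, flags, st.st_uid,
                              bool(st.st_mode & stat.S_IWOTH)))
    return found


def check_exec_path(path_value):
    """Flag PATH entries that a program run as root should never have:
    relative or empty entries (the current directory) and world-writable
    directories without the sticky bit, where anyone can drop a binary."""
    issues = []
    for entry in path_value.split(":"):
        if entry == "" or not entry.startswith("/"):
            issues.append((entry, "relative or empty entry"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            issues.append((entry, "missing"))
            continue
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            issues.append((entry, "world-writable without sticky bit"))
    return issues


def demo():
    """Constructed sample tree: one SUID program, one ordinary program,
    and a PATH that includes a world-writable directory and '.'."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "bin")
    dropdir = os.path.join(root, "drop")
    os.mkdir(bindir)
    os.mkdir(dropdir)
    os.chmod(bindir, 0o755)
    os.chmod(dropdir, 0o777)          # world-writable, no sticky bit
    for name, mode in (("passwd", 0o4755), ("normal", 0o755)):
        p = os.path.join(bindir, name)
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(p, mode)
    return {
        "privileged": find_privileged(root),
        "path_issues": check_exec_path(f"{bindir}:{dropdir}:."),
    }


if __name__ == "__main__":
    result = demo()
    for row in result["privileged"]:
        print("privileged:", row)
    for row in result["path_issues"]:
        print("path:", row)
```

Compare the privileged list against the previous audit's copy of it: a new SUID file, or a known one whose owner or world-writable flag changed, is a finding whether or not the binary itself looks familiar.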

Examine all Trust
- rhosts, hosts.equiv
- NFS, NIS
- DNS
- Windowing systems
- User traffic and interactive flow

Check Extra Network Services
- NFS/AFS/RFS
- NIS
- News
- WWW/httpd
- Proxy (telnet, ftp, special services)
- Management protocols (SNMP, etc.)
- Authentication (Kerberos, security tokens, etc.)

Check for replacement programs
- wuftpd
- TCP wrappers
- Logdaemon
- Xinetd
- GNU fingerd

Code review "home grown"/non-standard programs
- Network daemons
- Anything SUID, SGID
- Programs run as a system account
- CGIs

Code review, etc. (cont.)
- Bad signs:
  - External commands (system, shell, etc.)
  - /usr/ucb/mail
  - Large size
  - No documentation
  - No comments in code
  - No source code available

Actively test defenses
- Packet screens
- TCP wrappers
- Other defense programs
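The first item under "Examine all Trust" is the rhosts/hosts.equiv mechanism, and what the auditor has to find is the wildcard entries. Below is an added example (not from the slides) in Python that parses the hosts.equiv/.rhosts line format (hostname, optional username, "+" as a wildcard, a leading "-" as a deny, "+@group" for an NIS netgroup, "#" comments) and grades each entry, distinguishing the two files: in /etc/hosts.equiv an explicit username grants that remote user access to any local non-root account (BSD/Linux semantics), whereas in ~/.rhosts it grants access only to the file owner's account. The two file bodies are constructed samples.

```python
"""Grade the trust granted by hosts.equiv and .rhosts entries.
Added example; SAMPLE_HOSTS_EQUIV and SAMPLE_RHOSTS are constructed."""

SAMPLE_HOSTS_EQUIV = """\
# /etc/hosts.equiv (constructed sample)
build.example.net
+@admins
+
backup.example.net operator
"""

SAMPLE_RHOSTS = """\
gw.example.net root          # constructed sample of root's ~/.rhosts
+ +
-badhost.example.net
"""


def parse_trust_lines(text):
    """Return (lineno, host, user) for each non-comment, non-blank line.
    Format: hostname [username]; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def audit_trust(entries, kind):
    """Return (lineno, severity, explanation) per entry.
    kind is 'hosts.equiv' or '.rhosts'; the same line means different
    things in the two files."""
    findings = []
    for lineno, host, user in entries:
        if host.startswith("-"):
            continue  # explicit deny; nothing is granted
        if host == "+" and user == "+":
            findings.append((lineno, "CRITICAL", "any user from any host"))
        elif host == "+":
            findings.append((lineno, "HIGH", "any host trusted"
                             + (f" for remote user {user}" if user else "")))
        elif user == "+":
            findings.append((lineno, "HIGH", f"any user on {host} trusted"))
        elif host.startswith("+@"):
            findings.append((lineno, "INFO",
                             f"netgroup {host[2:]}: expand the NIS map and audit each member"))
        elif user is None:
            findings.append((lineno, "LOW", f"same-named users on {host} trusted"))
        elif kind == "hosts.equiv":
            findings.append((lineno, "HIGH",
                             f"{user}@{host} may log in as any local non-root account"))
        else:
            findings.append((lineno, "MEDIUM",
                             f"{user}@{host} may log in as this file's owner"))
    return findings


def demo():
    return {
        "hosts.equiv": audit_trust(parse_trust_lines(SAMPLE_HOSTS_EQUIV), "hosts.equiv"),
        ".rhosts": audit_trust(parse_trust_lines(SAMPLE_RHOSTS), ".rhosts"),
    }


if __name__ == "__main__":
    for fname, findings in demo().items():
        for lineno, sev, why in findings:
            print(f"{fname}:{lineno}: {sev}: {why}")
```

Even the LOW entries matter to the audit, because every trusted host name is resolved through DNS or NIS, which the same slide lists as trust to examine: a host-based trust is only as strong as the name service that backs it.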
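The "bad signs" list is about command injection and unreviewable code. As an added example (mine, not from the slides), the Python below shows the pattern the slide warns about, a user-supplied name pasted into a shell command, beside the hardened form (validate, then pass an argv list with no shell), and a small reviewer's grep that flags the same bad signs in a constructed C CGI source: external commands, unbounded string copies, and the absence of comments. echo stands in for finger so the demonstration is harmless; the CGI source, the pattern set and the size threshold are my assumptions.

```python
"""Command injection, its hardened form, and a 'bad signs' source scanner.
Added example; SAMPLE_CGI, the patterns and the size threshold are constructed."""
import re
import subprocess

USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def run_vulnerable(user):
    """os.system()-style call: the string goes to /bin/sh, so ';', '|', '`'
    in user run extra commands. echo stands in for finger."""
    return subprocess.run(["sh", "-c", "echo " + user],
                          capture_output=True, text=True).stdout


def run_hardened(user):
    """Reject anything that is not a plausible username, then exec directly
    with an argv list: no shell, so metacharacters are just bytes."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("invalid username")
    return subprocess.run(["echo", user], capture_output=True, text=True).stdout


# Reviewer's grep for the slide's "bad signs" (constructed pattern set).
BAD_SIGNS = [
    ("external command", re.compile(r"\b(system|popen|execl?p?e?|execv[pe]*)\s*\(")),
    ("external command", re.compile(r"/usr/ucb/mail|\bos\.system\b|shell\s*=\s*True")),
    ("unbounded copy",   re.compile(r"\b(sprintf|strcpy|strcat|gets)\s*\(")),
]
LARGE_LINES = 2000  # constructed threshold for "large size"


def review_source(src):
    """Return per-line findings plus file-level notes for C-like source."""
    findings = []
    lines = src.splitlines()
    for lineno, line in enumerate(lines, 1):
        for tag, pat in BAD_SIGNS:
            m = pat.search(line)
            if m:
                findings.append((lineno, f"{tag}: {m.group(0).strip()}"))
    notes = []
    if not any("//" in l or "/*" in l for l in lines):
        notes.append("no comments in code")
    if len(lines) > LARGE_LINES:
        notes.append("large size")
    return findings, notes


# Constructed sample of a "home grown" CGI: query string straight into a shell.
SAMPLE_CGI = r"""
#include <stdio.h>
#include <stdlib.h>
int main(void) {
    char cmd[256];
    char *user = getenv("QUERY_STRING");
    sprintf(cmd, "/usr/bin/finger %s", user);
    system(cmd);
    return 0;
}
"""

if __name__ == "__main__":
    print(run_vulnerable("alice; echo INJECTED"), end="")
    print(run_hardened("alice"), end="")
    print(review_source(SAMPLE_CGI))
```

The scanner only points the reviewer at lines to read; the hardened function shows what the fix looks like, and the allow-list on the username is the part that matters, since an argv list alone still lets a hostile name reach finger as an option if it starts with "-".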

Safeguard Data & Report
- Save for the next audit
- Do not keep online
- Use strong encryption if stored electronically
- Limit distribution to those who "need to know"
- Print out the report, sign, and number copies

Ch 8 - Redesigning the Organization with IS

Establishing Organizational Information Requirements
- To develop an effective IS plan, the organization must have a clear understanding of both its long- and short-term information requirements.
- Two principal methodologies for establishing those:
  - Enterprise Analysis (Business Systems Planning)
  - Strategic Analysis (Critical Success Factors)

Enterprise Analysis
- An analysis of organization-wide information requirements by looking at the entire organization in terms of organizational units, functions, processes, and data elements; helps identify the key entities and attributes in the organization's data.
- Developed by IBM in the 1960s.
- Method: take a large sample of managers and ask them how they use information, where they get it, what their environment is like, what their objectives are, how they make decisions and what their data needs are.

Enterprise Analysis Take-aways
- Gives a comprehensive view of the organization
- Produces an enormous amount of information, expensive to collect and difficult to analyze
- Bias towards top management and data processing
- Focus not on critical objectives but rather on what existing information is used
- The result is a tendency to automate whatever exists

Critical Success Factors
A small number of easily identifiable operational goals shaped by the industry, the firm, the manager, and the broader environment that are believed to ensure the success of an organization.

Example

  Organization    Goals                           CSF
  --------------  ------------------------------  -------------------------------------------
  Profit concern  Earnings/share                  Automotive industry:
                  Return on investment            - Styling
                  Market share                    - Quality dealer system
                  New product                     - Cost control
                                                  - Energy standards
  Non-profit      Excellent health care           - Regional integration with other hospitals
                  Meeting government regulations  - Efficient use of resources
                  Future health needs             - Improved monitoring of regulations

Using CSFs to Develop IS (figure)
- Manager A CSFs, Manager B CSFs, Manager C CSFs, Manager D CSFs
- Aggregate & analyze individual CSFs
- Develop agreement on company CSFs
- Define company CSFs
- Define DSS and databases
- Use CSFs to develop IS priorities

CSF Strengths and Limitations
- Strengths:
  - Produces a smaller set of data to analyze
  - Can be tailored to the structure of each industry
  - Takes into account the changing environment
- Limitations:
  - Data collection and analysis are art forms
  - Confusion between individual and organizational CSFs
  - Biased towards top managers
  - Assumes that successful TPS already exist
  - Like the Enterprise Analysis method, provides a static picture

Systems Development and Organizational Change
- Global networks (international division of labor, global reach of firms)
- Enterprise networks (collaborative work)
- Distributed computing (empowerment)
- Portable computing (virtual organizations)
- Graphical user interfaces (everybody has access to information)

The Spectrum of Organizational Change (1)
- Automation: using the computer to speed up the performance of existing tasks
  - most common form of IT-enabled change
  - involves assisting employees to perform their tasks more efficiently and effectively
  - akin to putting a larger motor in an existing vehicle

The Spectrum of Organizational Change (2)
- Rationalization of procedures: the streamlining of existing operating procedures, eliminating obvious bottlenecks so that automation makes operating procedures more efficient
  - follows quickly from early automation

  - Toshiba had to rationalize its procedures down to the level of installation manuals and software instructions, and had to create standard names and formats for the data items in its global data warehouse
  - Think: without a large amount of business process rationalization, computer technology would have been useless at Toshiba (this is what ERPs do)

The Spectrum of Organizational Change (3)
- Business Process Re-engineering (BPR): the radical redesign of business processes, combining steps to cut waste and eliminating repetitive, paper-intensive tasks to improve cost, quality, and service and to maximize the benefits of information technology
  - involves radical rethinking
  - can change the way an organization conducts its business
  - strikes fear; it is expensive, very risky and extremely difficult to carry out and manage

Business Process Reengineering
- Develop the business vision and process objectives
- Identify the processes to be redesigned (core and highest payback)
- Understand and measure the performance of existing processes
- Identify the opportunities for applying information technology
- Build a prototype of the new process

The Spectrum of Organizational Change (4)
- Paradigm shift: radical reconceptualization of the nature of the business and the nature of the organization
  - akin to rethinking not only the automobile, but transportation itself
  - e-business is a paradigm shift
  - deciding which business process to get right is half the challenge
  - 70% of the time programmatic reengineering efforts fail
  - why then change? Because the rewards are high!

Information Systems Development
- Systems development: the activities that go into producing an information systems solution to an organizational problem or opportunity
- A structured kind of problem with distinct activities

Systems Analysis (1)
- Systems analysis: the analysis of a problem that the organization will try to solve with an IS
  - thorough understanding of the existing organization and system
  - identify the primary owners and users of data in the organization
  - identification of the details of the problems of existing systems

Systems Analysis (2)
- Feasibility study: the way to determine whether the solution is achievable, given the organization's resources and constraints
  - Technical feasibility
  - Economic feasibility

  - Operational feasibility

Systems Design
- Systems design: details how a system will meet the information requirements as determined by the systems analysis
  - Output, Input, User Interface, Database Design, Processing, Manual Procedures, Controls, Security, Documentation, Conversion, Training, Organizational Changes

Completing the Design Process
- Programming
- Testing
  - Unit testing
  - System testing
  - Acceptance testing
- Conversion
  - Parallel strategy
  - Direct cut-over strategy
  - Pilot study strategy
  - Phased approach strategy
- Maintenance

Understanding the Business Value of Systems

Costs and Benefits of Information Systems

  Costs               Tangible Benefits (cost savings)       Intangible Benefits
  ------------------  -------------------------------------  ----------------------------------
  Hardware            Increased productivity                 Improved asset utilization
  Telecommunications  Lower operational costs                Improved resource control
  Software            Reduced workforce                      Improved organizational planning
  Services            Lower outside vendor costs             More timely information
  Personnel           Lower clerical and professional costs  More information
                      Reduced rate of growth in expenses     Increased organizational learning
                                                             Enhanced employee goodwill
                                                             Increased job satisfaction
                                                             Improved decision making
                                                             Improved operations
                                                             Higher client satisfaction
                                                             Better corporate image

Capital Budgeting Models
- Information systems are considered long-term capital investment projects.
- Capital budgeting: the process of analyzing and selecting various proposals for capital expenditures. The difference between cash outflows and cash inflows is used for calculating the financial worth of an investment.

- The high rate of technological obsolescence in budgeting for systems means simply that the payback period must be shorter, and the rates of return higher, than for typical capital projects with much longer useful lives.

Capital Budgeting Models (2)
- The Payback Method: a measure of the time required to pay back the initial investment of a project.
- Accounting Rate of Return on Investment (ROI): calculation of the rate of return from an investment by adjusting the cash inflows produced by the investment for depreciation.
- Net Present Value (NPV): the amount of money an investment is worth, taking into account its cost, earnings, and the time value of money.
- Cost-Benefit Ratio: a method for calculating the returns from a capital expenditure by dividing the total benefits by the total costs.
- Non-financial and Strategic Considerations
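As an added example (not part of the slides), the four financial models above carried through in Python on one constructed project: an initial cost of 100,000, net cash inflows of 30,000, 40,000 and 50,000 over a three-year useful life, and a 10% discount rate. The ROI function follows the textbook convention of subtracting straight-line depreciation of the initial investment and averaging over the useful life; all figures are illustrative.

```python
"""Payback, accounting ROI, NPV and cost-benefit ratio for one project.
Added example; the project figures are constructed."""


def payback_period(initial_cost, cash_flows):
    """Years (fractional) until cumulative inflows repay the initial cost,
    or None if the project never pays back within the flows given."""
    cumulative = 0.0
    for year, cf in enumerate(cash_flows, 1):
        if cumulative + cf >= initial_cost:
            return (year - 1) + (initial_cost - cumulative) / cf
        cumulative += cf
    return None


def accounting_roi(initial_cost, cash_flows):
    """(total net benefits - depreciation) / useful life, divided by the
    initial investment. Straight-line depreciation of the whole investment
    over the life of the flows, no salvage value."""
    useful_life = len(cash_flows)
    net_benefit_per_year = (sum(cash_flows) - initial_cost) / useful_life
    return net_benefit_per_year / initial_cost


def npv(rate, initial_cost, cash_flows):
    """Present value of the inflows, discounted at rate, minus the initial cost."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows, 1)) - initial_cost


def cost_benefit_ratio(total_benefits, total_costs):
    """Undiscounted total benefits over total costs."""
    return total_benefits / total_costs


# Constructed project: cost now, three years of net inflows, 10% discount rate.
PROJECT = {"initial_cost": 100_000.0,
           "cash_flows": [30_000.0, 40_000.0, 50_000.0],
           "rate": 0.10}


def evaluate(project=PROJECT):
    """Apply all four models. A positive ratio and accounting ROI next to a
    negative NPV is the usual sign that the time value of money, not the
    raw total, decides the case."""
    c, flows, r = project["initial_cost"], project["cash_flows"], project["rate"]
    return {
        "payback_years": payback_period(c, flows),
        "accounting_roi": accounting_roi(c, flows),
        "npv": npv(r, c, flows),
        "cost_benefit_ratio": cost_benefit_ratio(sum(flows), c),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.4f}")
```

For this project the payback is 2.6 years and the benefit/cost ratio is 1.2, yet the NPV at 10% is slightly negative, which is the point the obsolescence bullet makes: for systems with short useful lives the discounting bites quickly, so the hurdle rate and payback window have to be set tighter than for long-lived capital projects.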
