Unit 5

MANAGEMENT INFORMATION SYSTEM

ECONOMICS OF IT AND MANAGING IT SECURITY

Evaluating IT Investment

Meaning of Investment evaluation

Evaluating IT investments introduces different types of problems that investment in traditional

assets does not consider. The focal point shifts from measuring hard and quantifiable benefits
that appear on a firm's income statement to measuring soft, diffuse, and qualitative impact.

ORGANIZATIONAL ATTRIBUTE FOR

SUCCESSFUL IT INVESTMENTS

While each phase of the investment process has its own requirements for successful
implementation, there are some overall organizational attributes that are critical to successful
investment evaluation. These shared, critical attributes are: senior management attention, overall
mission focus, and a comprehensive portfolio approach to IT investment.

Critical Attribute #1: Senior management attention

Agency processes should include the following elements:

• Senior program managers, with authority to make key business and funding decisions on IT
projects, are continuously involved in the process.

• A disciplined and structured management forum is used to make IT investment decisions, with
the authority to approve, cancel, or delay projects, mitigate risks, and validate expected returns.

• Program, Information Resource Management (IRM) , and financial managers with clearly
defined roles, responsibilities, and accountability for the success of IT projects. Mechanisms to
achieve this include establishing service agreements between providers (IRM/Chief Financial
Officer (CFO)) and consumers (line management) of information technology, incorporating
IRM/CFO issues and requirements into program plans, and routinely involving the IRM/CFO
offices in operational decisions.

Critical Attribute #2: Overall mission focus

Agency processes should:

• link strategic planning to the agency's mission goals and customer needs as required by the
Government Performance and Results Act (GPRA) of 1993 (Public Law 103-62). This includes

1
developing long-term general goals, setting specific annual performance targets, and annually
evaluating actual performance against these targets.

• develop mission-related IT measures that link the IRM strategic plan with the agency strategic
plan.End Note 3 For example, mission goals should be translated into objective, results-oriented
measures of performance, both quantitative and qualitative, which can form the basis for
measuring the impact of information technology investments.

• determine whether the function to be supported by the investment should be performed in the
private sector rather than by an agency of the Federal government.

• determine whether the agency proposing to perform the function is the most appropriate
agency.

• examine the work processes involved to ensure they are efficient, effective, and will take full
advantage of the proposed automation.

• use mission benefit, not project completion on time and within budget, as an important measure
of success for any IT project.

• identify all major existing or planned information systems and define their relationship to one
another and to the agency's mission.

Critical Attribute #3: Comprehensive approach to IT investment

Agencies should:

• define a portfolio that includes IT projects in every phase (initial concept, new, ongoing, or
fully operational) End Note 4 and for every type (mission critical, cross-functional,
infrastructure, administrative, and R&D) End Note 5 of IT system.

• develop levels of review, documentation requirements, and selection criteria appropriate to the
phase and type of IT system.

• define dollar thresholds that can be used to channel projects to the appropriate agency decision
levels to best accommodate organization wide versus unit specific impact. Mostimportant is the
use of a consistent set of investment decision practices throughout the agency. Some best
practice organizations submit projects to thorough investment reviews when costs exceed
between 0.5 and 2 percent of the organization's IT budget.

• develop criteria for identifying projects of a critical nature that fall below the dollar threshold
but should be included in the investment review process.

Each attribute contributes to properly implementing the three phases of the investment process.
Senior managers and those helping to install the investment process in each agency should keep

2
these elements in mind during review of the details of the selection, control, and evaluation
phases.

SUCCESSFUL IT INVESTMENTS

While each phase of the investment process has its own requirements for successful
implementation, there are some overall organizational attributes that are critical to successful
investment evaluation. These shared, critical attributes are: senior management attention, overall
mission focus, and a comprehensive portfolio approach to IT investment.

Critical Attribute #1: Senior management attention

Agency processes should include the following elements:

• Senior program managers, with authority to make key business and funding decisions on IT
projects, are continuously involved in the process.

• A disciplined and structured management forum is used to make IT investment decisions, with
the authority to approve, cancel, or delay projects, mitigate risks, and validate expected returns.

• Program, Information Resource Management (IRM) , and financial managers with clearly
defined roles, responsibilities, and accountability for the success of IT projects. Mechanisms to
achieve this include establishing service agreements between providers (IRM/Chief Financial
Officer (CFO)) and consumers (line management) of information technology, incorporating
IRM/CFO issues and requirements into program plans, and routinely involving the IRM/CFO
offices in operational decisions.

Critical Attribute #2: Overall mission focus

Agency processes should:

• link strategic planning to the agency's mission goals and customer needs as required by the
Government Performance and Results Act (GPRA) of 1993 (Public Law 103-62). This includes
developing long-term general goals, setting specific annual performance targets, and annually
evaluating actual performance against these targets.

• develop mission-related IT measures that link the IRM strategic plan with the agency strategic
plan.End Note 3 For example, mission goals should be translated into objective, results-oriented
measures of performance, both quantitative and qualitative, which can form the basis for
measuring the impact of information technology investments.

• determine whether the function to be supported by the investment should be performed in the
private sector rather than by an agency of the Federal government.

• determine whether the agency proposing to perform the function is the most appropriate
agency.

3
• examine the work processes involved to ensure they are efficient, effective, and will take full
advantage of the proposed automation.

• use mission benefit, not project completion on time and within budget, as an important measure
of success for any IT project.

• identify all major existing or planned information systems and define their relationship to one
another and to the agency's mission.

Critical Attribute #3: Comprehensive approach to IT investment

Agencies should:

• define a portfolio that includes IT projects in every phase (initial concept, new, ongoing, or
fully operational) End Note 4 and for every type (mission critical, cross-functional,
infrastructure, administrative, and R&D) End Note 5 of IT system.

• develop levels of review, documentation requirements, and selection criteria appropriate to the
phase and type of IT system.

• define dollar thresholds that can be used to channel projects to the appropriate agency decision
levels to best accommodate organization wide versus unit specific impact. Mostimportant is the
use of a consistent set of investment decision practices throughout the agency. Some best
practice organizations submit projects to thorough investment reviews when costs exceed
between 0.5 and 2 percent of the organization's IT budget.

• develop criteria for identifying projects of a critical nature that fall below the dollar threshold
but should be included in the investment review process.

4
 Each attribute contributes to properly implementing the three phases of the investment process.
Senior managers and those helping to install the investment process in each agency should keep
these elements in mind during review of the details of the selection, control, and evaluation
phases.

What are the issues and challenges of information technology evaluation?

The eight issues and challenges are: evaluation scope, evaluation timing, unit of analysis, level of
analysis, different perspectives, different dimensions, different measures, and underpinning
theoretical frameworks. Next, each of the eight issues and challenges is discussed

How to build a strong enterprise security architecture

1. Educate employees and business stakeholders. ...
2. Implement an access control policy. ...
3. Adopt an encryption strategy. ...
4. Establish device security protocol: ...
5. Monitor network performance.
How to build a strong enterprise security architecture
Building strong enterprise security architecture is a key factor to seamless security management.
Implementing strategic, comprehensive security solutions protects your organization's assets,
user data, and ultimately, your brand's reputation. Consider the following best practices to
protect your business from cyber threats: 
Educate employees and business stakeholders

5
Protecting the corporate network extends beyond the information technology team -- everyone
needs to be aware of security policy, compliance regulations, and potential vulnerabilities, such
as phishing or social engineering schemes. Make sure all employees, including management, are
fully aware of the risks and consequences of a security breach.
Implement an access control policy
Clearly define user roles so that employees only have access to the systems and permissions
necessary to complete the tasks related to their specific jobs. Protecting information and IT assets
against unauthorized access can prevent internal security risks caused by human error or
disgruntled employees.
Adopt an encryption strategy
Develop a strong encryption strategy with a combination of file permissions, passwords, and
two-factor authentication that can scale across your network and protect data in highly
distributed environments.  
Establish device security protocol: 
IoT devices and Bring Your Own Device (BYOD) policies can both serve as security risks.
Make sure all devices are properly configured and updated with the latest firmware. If employees
use personal devices to access work assets, create clear protocols around security and make
corporate security software mandatory.
Monitor network performance
Manage endpoint security with a comprehensive monitoring solution that can quickly identify
and alert on anomalies. Developing a thorough understanding of how your network and
infrastructure operates by establishing performance benchmarks makes it easier to identify
threats. 
5 techniques for securing your enterprise data
When it comes to securing enterprise data, picture an IT leader with one foot on a dock and the
other on a boat. Now watch the boat slowly drift away. Mobile, cloud and big data technologies
are dragging businesses into uncharted waters, and data endpoints are moving further and further
from the IT department’s control.

Meanwhile infrastructure is barely able to handle existing threats — let alone new ones. IT
departments are obviously stretched, often without the manpower or skills to handle growing
security needs.

A string of enterprise security breaches shows the obvious strain. In 2013, Verizon reported more
than 63,000 security incidents and 1,367 confirmed data breaches worldwide in its annual
security breach investigations report. In the first half of this year, some 395 data breaches were
reported to regulators in the U.S., according to the Identity Theft Resource Center.

“We’ve shattered the perimeters of our businesses,” says Chris Gray, vice president of enterprise
security and risk at Accuvant, a Denver-based provider of IT security products and services.

6
“We’re outsourcing, we’re shoving everything to the cloud, we’re enabling mobility and
[allowing] alternative means of access at levels that we’ve never done before.” As a result, he
adds, “we’ve opened up holes . . . and spread everything out. Instead of watching one spot, we’re
now watching 50 — which makes the problem we’re facing all the greater.”

It’s not all gloom and doom. More than 90% of those breaches analyzed by Verizon fit into just
nine distinct security patterns. Security experts say there are ways to balance security risks with
the opportunities that new technologies provide. Here are five data security technologies worth
considering this year.

1. Endpoint detection and resp

To regain control, businesses are looking to automated tools that detect, correct and even predict
security breaches, says Mike Lloyd, CTO at RedSeal Networks, a Sunnyvale, Calif.-based
security vendor. “The need for automation is clear if they’re short-staffed or can’t get the talent,”
or if the number of access points to cover is just too great, he says.

Endpoint threat detection and response tools can satisfy the need for continuous protection from
advanced threats at endpoints like tablets, phones and laptops. These tools monitor endpoints and
networks, and store data in a centralized database. Analytics tools are then used to continually
search the database to identify tasks that can improve the security state to deflect common
attacks, provide early identification of ongoing attacks (including insider threats) and rapidly
respond to those attacks, according to a report presented at the Gartner Security & Risk
Management Summit in June. These tools can then help IT security staffers to quickly
investigate the scope of attacks and stop them.

Nashville-based insurance provider Cigna-HealthSpring wants to be proactive in the way it

monitors the security of its mobile devices. The number of iPads and iPhones that HealthSpring
issues to employees is expected to double in the next two years as the company adds more online
apps and offers more reporting capabilities in the field, says Anthony Mannarino, IT director,
security and compliance.

Anthony Mannarino
HealthSpring uses Absolute Software’s Computrace product to monitor and track employees’
mobile devices. The benefits of using the software include “knowing what’s on the device [and]
being able to remotely wipe it,” Mannarino explains. New software capabilities let HealthSpring
check on devices in real time. “We can build in zones of where we do business. If a device goes
outside of a zone, it will alert us and we can take a proactive approach,” often before the user
even realizes it’s missing, he adds.

2. Sandboxing

Inevitably, some malware or hacker will make it through the security perimeter. One of the
easiest things that enterprises can do to ensure that their data remains safe when that happens is
to add sandboxing capabilities that can automatically isolate suspected malware that’s been
detected on a network device, says Pete Lindstrom, an analyst at research firm IDC. Once the

7
malware is isolated and is safely away from active systems, the sandboxing tool will run the
application and analyze its potential effect. “This idea of monitoring the outcomes of activity and
looking for malicious stuff on the backside after a program is executed is really becoming crucial
to success,” he says.

Dedicated sandboxing tools, available from vendors such as FireEye, do the job but can be
expensive, Lindstrom says. But other security vendors are adding sandboxing features to existing
products. “It’s not uncommon for the antivirus players to have it, and most of the network
security players have some sandboxing capabilities,” he says.

Cigna-HealthSpring uses FireEye’s sandboxing application. “They can see a threat and run it in a
sandbox environment to see what it does, and we can stop it,” Mannarino says. “If [the tool] is
reporting that it’s trying to connect to some site in China, then we can go into our Web filtering
technologies and make sure we put blocks on those URLs.” For many companies, the tricky part
may be understanding and analyzing the results uncovered by the tool, Lindstrom adds, but there
are services that help make sense of the results. Companies offering such services include
DataHero in San Francisco and ClearStory Data in Menlo Park, Calif.

Lindstrom predicts that sandboxing functionality will become standard fare in security products
in the next two or three years.

3. Security analytics

Most security teams have a wealth of data coming from myriad endpoints and security products.
“The problem is they lack actionable, decision-making indicators,” Lloyd says. Analytics is
becoming a cornerstone of security capabilities. Going forward, Gartner predicts that all effective
security protection platforms will include domain-specific embedded analytics as a core
capability. By 2020, 40% of enterprises will have “security data warehouses” for storing and
monitoring data to support post-event analysis, according to Gartner. Over time, this data,
combined with other intelligence, will create a baseline for normal activity and make any
deviations noticeable.

Florida-based Broward Health, the third-largest healthcare system in the U.S., deploys an arsenal
of security technologies to protect its patient and company data, but Ronaldo Montmann, vice
president of IT, still doesn’t have the big picture. “We have next-generation firewalls, the best
intrusion-prevention systems, data loss prevention systems in place, identity management
solutions in place — but they operate in silos,” he explains. In addition to a comprehensive
system, he wants the ability to predict future vulnerabilities.

“We’re trying to see if we can [take] the big analytics software that we bought for the financial
and clinical system and leverage that for infrastructure to look at events and correlate those
events in a meaningful way so we can predict or understand how they relate.”

But that also requires a team of senior-level staffers who understand all the nuances of the
technology that the hospital system supports and can work collaboratively and proactively to
maintain the network.

8
A protocol algorithm looks at event logs at the server, switch and workstation levels and gathers
information “that typically a human being wouldn’t be able to process,” Montmann says. That
data is analyzed to correlate issues on the network. “We’re trying to design an environment
where we can learn more about what’s going on in the network and perhaps those different odd
behaviors can lead us to understand whether it’s malware [or] a hacker.” Montmann says he
expects to have the analytics team in place by the first quarter of 2015.

4. Cloud security gateways

The state of Wyoming in August announced plans to discontinue most of its data center
operations and move its physical equipment to commercial colocation facilities. It will continue
to manage its own physical servers at the colocation centers, but this outsourcing step is part of a
broader plan to move the state’s computing resources to cloud services. No doubt, security will
be a top-of-mind issue when it comes to protecting data in the cloud.

Enterprises that use the cloud should consider cloud security gateways. These on-premises or
cloud-based security policy enforcement points are placed between cloud services consumers
and cloud services providers to interject enterprise security policies as the cloud-based resources
are accessed.

“This is really the wave of the future for how IT folks are going to get visibility and control into
cloud architectures,” Lindstrom says. Operating like unified threat managers in the cloud, cloud
security gateways provide access security or policy enforcement, but they monitor activity using
analytics, handle data loss prevention functionality on the back end, and apply communication
encryption, as well as encryption of structured and unstructured data. Cloud security gateways
can be deployed entirely in the cloud or as edge-based appliances. “It’s a very useful way to
address the problems of loss of visibility and control that you typically get in the cloud, and it’s
not particularly expensive,” Lindstrom adds.

5. Adaptive access control

Despite the need to lock down data, IT departments also need to support business operations by
allowing a wide range of mobile devices to access corporate systems. To keep data safe, Gartner
suggests using adaptive access control, a form of context-aware access control that acts to
balance the level of trust against risk at the moment of access using a combination of trust
elevation and other dynamic risk mitigation techniques. Context awareness means that decisions
about who is and isn’t granted access reflect current conditions, according to Gartner, and
dynamic risk mitigation means that access can be safely allowed where otherwise it would have
been blocked. This type of access management architecture allows companies to provide access
from any device in any location, and makes it possible to set up different levels of access to a
range of corporate systems depending on users’ risk profiles.

Choosing security technologies

Deciding if and when to deploy one of these up-and-coming security technologies depends on
the structure of the organization and the amount and types of data that are considered to be

9
 valuable, says David Brown, director of Accuvant’s technology solutions practice. “How is your
data used, who needs access to it and what is your budget,” not just for the technology but the
staff to support it, he says. For instance, “security analytics has some good solutions out there,
but it also takes multiple smart people to manage it,” says Brown.

“If you take an economics approach to technology risk management, you have trade-offs,” he
notes. “Most folks are doing it successfully. Embrace the nature of risk, manage it, and don’t let
it manage you.”

What are the common vulnerabilities of information system?

The most common software security vulnerabilities include:
● Missing data encryption.
● OS command injection.
● SQL injection.
● Buffer overflow.
● Missing authentication for critical function.
● Missing authorization.
● Unrestricted upload of dangerous file types.
● Reliance on untrusted inputs in a security decision.
● Cyber threats are security incidents or circumstances that can have a negative outcome for
your network or other data management systems.
● Examples of common types of security threats include phishing attacks that result in
installing malware that infects your data, failure of a staff member to follow data protection
protocols that cause a data breach, or even nature’s forces that takes down your company’s
data headquarters, disrupting access.
● Vulnerabilities are the gaps or weaknesses in a system that make threats possible and tempt
threat actors to exploit them.
● Types of vulnerabilities in network security include but are not limited to SQL injections,
server misconfigurations, cross-site scripting, and transmitting sensitive data in a non-
encrypted plain text format.
● When threat probability is multiplied by the potential loss that may result, cybersecurity
experts refer to this as a risk.

TYPES OF CYBERSECURITY THREATS

Just as some germs and diseases can attack the human body, numerous threats can affect
hardware, software, and the information you store. Some of the major ones include the
following:

10
● Viruses are designed so that they can be easily transmitted from one computer or system to
another. Often sent as email attachments, viruses corrupt and co-opt data, interfere with your
security settings, generate spam, and may even delete content.
● Computer worms are similar; they spread from one computer to the next by sending themselves
to all of the user’s contacts and subsequently to all contacts’ contacts.
● Trojans. These malicious pieces of software insert themselves into a legitimate program. Often,
people voluntarily let trojans into their systems in email messages from a person or an advertiser
they trust. As soon as the accompanying attachment is open, your system becomes vulnerable to
the malware within.
● Bogus security software that tricks users into believing that their system has been infected with a
virus. The accompanying security software that the threat actor provides to fix the problem
causes it.
● The adware tracks your browsing habits and causes particular advertisements to pop up.
Although this is common and often something you may even agree to, adware is sometimes
imposed upon you without your consent.
● Spyware is an intrusion that may steal sensitive data such as passwords and credit card numbers
from your internal systems.
● A denial of service (DOS) attack occurs when hackers deluge a website with traffic, making it
impossible to access its content. A distributed denial of service (DDOS) attack is more forceful
and aggressive since it is initiated from several servers simultaneously. As a result, a DDOS
attack is harder to mount defenses against it.
● Phishing attacks are social engineering infiltrations whose goal is to obtain sensitive data:
passwords and credit card numbers incorrectly. Via emails or links coming from trusted
companies and financial institutions, the hacker causes malware to be downloaded and installed.
● SQL injections are network threats that involve using malicious code to infiltrate cyber
vulnerabilities in data systems. As a result, data can be stolen, changed, or destroyed.
● Man-in-the-middle attacks involve a third party intercepting and exploiting communications
between two entities that should remain private. Eavesdropping occurs, but information can be
changed or misrepresented by the intruder, causing inaccuracy and even security breaches.
● Rootkit tools gain remote access to systems without permission and can lead to the installation of
malware and the stealing of passwords and other data.
COMMON NETWORK VULNERABILITIES

Even seemingly minor flaws or oversights in the design or implementation of your network
systems can lead to disaster.
Some of the most common network vulnerabilities include the following gaps in your application
security: when applications are not kept up-to-date, tested, and patched, the doors are open to
code injection, cross-site scripting, insecure direct object references, and much more. 
Vulnerabilities in Information Security
Vulnerabilities are weaknesses in a system that gives threats the opportunity to compromise
assets. All systems have vulnerabilities. Even though the technologies are improving but the

11
number of vulnerabilities are increasing such as tens of millions of lines of code, many
developers, human weaknesses, etc. Vulnerabilities mostly happened because of Hardware,
Software, Network and Procedural vulnerabilities.
violate the security policy. For examples:
1. Lack of input validation
2. Unverified uploads
Information Classification in Information Security
● Public: Information that is not sensitive and can be shared freely with anyone.
● Internal: Information that is sensitive but not critical, and should only be shared within the
organization.
● Confidential: Information that is sensitive and requires protection, and should only be shared
with authorized individuals or groups.
● Secret: Information that is extremely sensitive and requires the highest level of protection,
and should only be shared with a select group of authorized individuals.
● Top Secret: Information that if disclosed would cause exceptionally grave damage to the
national secur

Information Systems Audit & Risk Management

We offer enterprise-wide risk management systems and services that can improve your business
operations by reducing costs, enhancing revenues and managing changes to your business
processes. 

● The financial information that will be provided to the Government and the public
● The systems of internal controls, that management and the board have established 
● All audit processes 
● Compliance with laws, regulations and policies that may apply 

Internal control

Management is responsible for internal control in the Company and it has implemented a risk
management and control system, which is designed to ensure its business is focused on achieving
its objectives and that significant risks are identified and mitigated to the extent possible. The
system is also designed to ensure compliance with relevant laws and regulations.
The Company’s risk management and internal control system is designed to determine risks in
relation to the achievement of business objectives and appropriate risk responses. This includes
management reviews, reviews of the design and implementation of the Company’s risk
management approach and business and functional Audit and Risk Management Committee.
Based on those reviews, the management provides assessments of the effectiveness of the
company’s internal control structure and the procedures for financial reporting.

12
It should be noted, however, that the above does not imply that these systems and procedures
provide certainty as to the realisation of operational and financial business objectives, nor can
they prevent all misstatements, inaccuracies, errors, fraud and non-compliance with rules and
regulations.

Risk management

As part of its commitment to sound corporate governance, Aperam has set up a process of risk
identification and management. These risks include but are not limited to financial, legal and
operational risk and risks concerning Aperam’s reputation and ethical standards. The Board’s
Audit and Risk Management Committee (ARMC) assists the Board of Directors with the
identification and management of risks to which the Aperam group is exposed. The Leadership
Team’s Risk Management Committee (RMC) has oversight at executive management level. The
RMC assists the Board in the monitoring and review of the group’s risk-management framework
and process.

Audit

The Audit and Risk Management Committee is composed of three independent directors,
appointed by the Board of Directors. The committee serves as an independent and objective
party to monitor the company’s financial reporting process and internal control system.
Its primary function is to assist the Board of Directors in fulfilling its oversight responsibilities
by reviewing the financial reports and other financial information provided by the company to
any governmental body or the public; the system of internal control regarding finance,
accounting, legal compliance and ethics; and the company’s auditing, accounting and financial
reporting processes generally. It also reviews and appraises the audit efforts of the company’s
independent accountants and internal auditing.

Whistleblowing

Aperam has an established procedure for whistleblowing, including a whistleblowing policy,

which all its employees and all other stakeholders can access. If they have an issue they feel they
can’t raise with their line manager or with local management, they can use the whistleblowing
process to report it.

13