Managing Information Resources and Security

1
Managing Information Resources and Security

• Chapter 15

2
Learning Objectives

• Role of CIO in managing and securing IT resources
• Understand IT End User relationships
• Understand threats to IS operations
• Understand actions to
• Create secure IS environments
• Recover ISs from disasters

3
Emerging CIO Roles in the Web-Based Economy

• Helping to define the strategic future
• Become a business visionary who can help drive
  business strategy and help develop new business
  models
• Lead in the exploration of new computing
  environments, like mobile enterprises and utility
  computing
• Help others understand that the web-based era is
  more about business change than technology
• Improvement of the IT asset-acquisition process

4
Emerging CIO Roles in the Web-Based Economy, cont

• Help avoid disillusionment with IT as it becomes
  more prevalent in the firm
• Argue for a greater measure of central control
• Protecting the ever-increasing IT assets against
  ever-increasing hazards

5
Issues

• IS End User Relationships
• Ensuring IT integrity through controls
• Protecting IT Assets

6
The IS End User Relationship

• The ISD is a service organization that manages
  the IT infrastructure needed to carry on end-user
  IT applications.
• It is extremely important to have a good
  relationship with the end users.
• The development of end-user computing and
  outsourcing was motivated in part by the poor
  service that end users felt they received.

7
The IS End-User Relationship, cont
The ISD and Four Approaches to End User
Relationships

• Let them sink or swim. Dont do anything let the
  end user beware.
• Use the stick. Establish policies and procedures
  to control end-user computing so that corporate
  risks are minimized, and try to enforce them.
• Use the carrot. Create incentives to encourage
  certain end-user practices that reduce
  organizational risks.
• Offer support. Develop services to aid end users
  in their computing activity

8
The IS End-User Relationship, cont

• To improve collaboration, the ISD and end users
  may employ three common arrangements
• the steering committee
• service-level agreements
• the information center

9
Threats and Vulnerabilities

• Security
• Protection / recovery from (un) authorized access
• Disasters
• Protection / recovery from (un)natural disasters
• System Quality
• Hardware
• Software
• Network
• Data (entry)

10
Areas of Threats
11
How to Protect?

• Security Controls (prevention)
• Disaster Recovery (restoration)

12
Creating a Controlled Environment

• Security Controls
• Technology, methods, policies, procedures
• Ensure
• Safety of assets
• Accuracy, reliability of hw/sw/information
• Adherence to standards
• Types
• General
• Application

13
General Controls

• System-wide controls
• Physical
• Protects physical access to and damage from IT
• Access
• Controls who has access to system resources
• Data Security
• Controls who has what access to organization data
• Network/Communication
• Secure access to network, data traveling on
  network
• Administrative
• Includes policies governing IT use
• Other
• SDLC controls (quality assurance)

14
Application Controls

• Application-specific control over access and use
• Input _______________________
• User authorization
• Edit checks
• Processing ___________________
• Control totals
• Consistency checks
• Output ______________________
• Logging

15
Business Continuity Plan

• aka Disaster Recovery Plan
• Plan to restore systems to use after natural
  disaster
• Includes
• Backing up critical hw/data
• Off-site storage of data
• Backup data center ("hot sites")
• Backup manual procedures
• Should be included in SDLC activities