Information system

From Wikipedia, the free encyclopedia

Jump to: navigation, search
Not to be confused with information systems (discipline).

CS, SE, IS, IT, & Customer Venn Diagram where functionality spans left and design spans
right stemming from discovery.

An information system (IS) is any combination of information technology and people's

activities using that technology to support operations, management, and decision-making.[1]
In a very broad sense, the term information system is frequently used to refer to the
interaction between people, algorithmic processes, data and technology. In this sense, the
term is used to refer not only to the information and communication technology (ICT) an
organization uses, but also to the way in which people interact with this technology in support
of business processes[2].

Some make a clear distinction between information systems, ICT, and business processes.
Information systems are distinct from information technology in that an information system is
typically seen as having an ICT component. Information systems are also different from
business processes. Information systems help to control the performance of business
processes [3].

Alter argues for an information system as a special type of work system. A work system is a
system in which humans and/or machines perform work using resources (including ICT) to
produce specific products and/or services for customers. An information system is a work
system whose activities are devoted to processing (capturing, transmitting, storing, retrieving,
manipulating and displaying) information [4].

Part of the difficulty in defining the term information system is due to vagueness in the
definition of related terms such as system and information. Beynon-Davies argues for a
clearer terminology based in systemics and semiotics. He defines an information system as an
example of a system concerned with the manipulation of signs. An information system is a
type of socio-technical system. An information system is a mediating construct between
actions and technology [5].

As such, information systems inter-relate with data systems on the one hand and activity
systems on the other. An information system is a form of communication system in which
data represent and are processed as a form of social memory. An information system can also
be considered a semi-formal language which supports human decision making and action.

Information systems are the primary focus of study for the information systems discipline and
fororganisational informatics
You are here: Freetutes.com > Systems Analysis and Design

Types of Information Systems

Information systems differ in their business needs. Also depending upon different levels in
organization information systems differ. Three major information systems are

1. Transaction processing systems

2. Management information systems

3. Decision support systems

Figure 1.2 shows relation of information system to the levels of organization. The
information needs are different at different organizational levels. Accordingly the information
can be categorized as: strategic information, managerial information and operational
information.

Strategic information is the information needed by top most management for decision
making. For example the trends in revenues earned by the organization are required by the
top management for setting the policies of the organization. This information is not required
by the lower levels in the organization. The information systems that provide these kinds of
information are known as Decision Support Systems.
Figure 1.2 - Relation of information systems to levels of organization

The second category of information required by the middle management is known as

managerial information. The information required at this level is used for making short term
decisions and plans for the organization. Information like sales analysis for the past quarter or
yearly production details etc. fall under this category. Management information system (MIS)
caters to such information needs of the organization. Due to its capabilities to fulfill the
managerial information needs of the organization, Management Information Systems have
become a necessity for all big organizations. And due to its vastness, most of the big
organizations have separate MIS departments to look into the related issues and proper
functioning of the system.

The third category of information is relating to the daily or short term information needs of
the organization such as attendance records of the employees. This kind of information is
required at the operational level for carrying out the day-to-day operational activities. Due to
its capabilities to provide information for processing transaction of the organization, the
information system is known as Transaction Processing System or Data Processing System.
Some examples of information provided by such systems areprocessing of orders, posting of
entries in bank, evaluating overdue purchaser orders etc.

Transaction Processing Systems

TPS processes business transaction of the organization. Transaction can be any activity of the
organization. Transactions differ from organization to organization. For example, take a
railway reservation system. Booking, canceling, etc are all transactions. Any query made to it
is a transaction. However, there are some transactions, which are common to almost all
organizations. Like employee new employee, maintaining their leave status, maintaining
employees accounts, etc.

This provides high speed and accurate processing of record keeping of basic operational
processes. These include calculation, storage and retrieval.
Transaction processing systems provide speed and accuracy, and can be programmed to
follow routines functions of the organization.

Management Information Systems

These systems assist lower management in problem solving and making decisions. They use
the results of transaction processing and some other information also. It is a set of
information processing functions. It should handle queries as quickly as they arrive. An
important element of MIS is database.

A database is a non-redundant collection of interrelated data items that can be processed

through application programs and available to many users.

Decision Support Systems

These systems assist higher management to make long term decisions. These type of systems
handle unstructured or semi structured decisions. A decision is considered unstructured if
there are no clear procedures for making the decision and if not all the factors to be
considered in the decision can be readily identified in advance.

These are not of recurring nature. Some recur infrequently or occur only once. A decision
support system must very flexible. The user should be able to produce customized reports by
giving particular data and format specific to particular situations.

Summary of Information Systems

Catagories of Information System Characteristices

Transaction Processing System Substitutes computer-based processing for manual

procedures.

Deals with well-structured processes. Includes record

keeping applications.

Management information system Provides input to be used in the managerial decision

process. Deals with supporting well structured
decision situations. Typical information requirements
can be anticipated.

Decision support system Provides information to managers who must make

judgements about particular situations. Supports
decision-makers in situations that are not well
structured.
You are in: Home » Business & Finance » General » The Importance of Information System

The Importance of Information System

Dec 30th, 2008 by axos
3 comments

why the information system is important for company and its benefit

It is surprising facts that there are many more companies still do not use the Internet. It
is even more surprising that some of them are still using their twenty-year-old computer
information system. Company information system is a set of interrelated component that
collect, process, store, and disseminate information to support companies’ managerial
team in decision making, coordinating, controlling, and analyzing.

Upgrading the computer information system is not an option in this technology-driven

era; it is a requirement. Companies that use an up-to-date information system to gather,
assimilate, and evaluate internal as well as external information are gaining competitive
advantage over other firms. Management is quicker to cater to customer’s needs and
complaints. With the growth of communication networks, there are almost no barriers
between the firm’s management, employees, customers and suppliers. Networked
computing systems have made new modes of work possible.

A sophisticated computer information system enables companies to monitor employees,

to keep managers and employees informed, to coordinate activities among divisions, or
even to sell their products to customers via the internet. Moreover, in the era of
information technology like this, information has become valuable organizational asset
just like human resources and inventories.

Furthermore, a good information system can facilitate direct communication between

firm and suppliers, manufacturers, dealers, and marketers. Together, they can create a
value chain as though they were in one organization.

In the meantime, the widespread use of information freeway is inviting unwelcome

threats. Today, companies are plagued by hackers; competitors, thieves, spies, hired
agents, or even from disgruntled employees. Therefore, firms have taken measures to
safeguard their system such as installing complex computer firewalls to detect hackers
or purchasing expensive and advance encryption software.

More and more people are working from their homes nowadays. Information technology
has become so sophisticated it allows people to choose to work from home.
Teleconferencing and video conferencing enable employees to beam in whenever
needed. In addition to that, information technology can allow a firm to reduce costs.
Taking Ernst &Young for example, the company has successfully reduced its office
space by 2 million square feet by allowing their employees to work from home.

In conclusion, information system enables companies to react, respond

Read more: http://www.bukisa.com/articles/20243_the-importance-of-information-

system#ixzz0xsApHyHV
 Information System Security
 

Section 1. Responsibilities and Duties

8-100. General.

a. Information systems (IS) that are used to capture, create, store, process or distribute classified
information must be properly managed to protect against unauthorized disclosure of classified
information, loss of data integrity, and to ensure the availability of the data and system.

b. Protection requires a balanced approach including IS security features to include but not limited to,
administrative, operational, physical, computer, communications, and personnel controls. Protective
measures commensurate with the classification of the information, the threat, and the operational
requirements associated with the environment of the IS are required.

c. The requirements outlined in the following sections apply to all information systems processing
classified information. Additional requirements for high-risk systems and data are covered in the
NISPOM Supplement.

8-101. Responsibilities.

a. The CSA shall establish a line of authority for training, oversight, program review, certification, and
accreditation of IS used by contractors for the processing of classified information. The CSA will
conduct a risk management evaluation based on the contractor's facility, the classification, and
sensitivity of the information processed. The evaluation must ensure that a balanced, cost-effective
application of security disciplines and technologies is developed and maintained.

b. Contractor management will publish and promulgate an IS Security Policy addressing the classified
processing environment. Additionally, an IS Security Manager (ISSM) will be appointed with
oversight responsibility for the development, implementation, and evaluation of the facility's IS
security program. Contractor management will assure that the ISSM is trained to a level commensurate
with the complexity of the facility's IS.

8-102. Designated Accrediting/Approving Authority.

The CSA is the Designated Accrediting/Approving Authority (DAA) responsible for accrediting information
systems used to process classified information in industry

8-103. IS Security Manager (ISSM). The ISSM:

a. Ensures the development, documentation, and presentation of IS security education, awareness, and
training activities for facility management, IS personnel, users, and others, as appropriate.

b. Establishes, documents, implements, and monitors the IS Security Program and related procedures for
the facility and ensures facility compliance with requirements for IS.

c. Identifies and documents unique local threats/vulnerabilities to IS.

d. Coordinates the facility IS Security Program with other facility security programs.

e. Ensures that periodic self-inspections of the facility's IS Program are conducted as part of the overall
facility self-inspection program and that corrective action is taken for all identified findings and
 vulnerabilities. Self-inspections are to ensure that the IS is operating as accredited and that
accreditation conditions have not changed.

f. Ensures the development of facility procedures to:

(1) Govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and destroying
media and equipment containing classified information.

(2) Properly implement vendor supplied authentication (password, account names) features or security-
relevant features.

(3) Report IS security incidents to the CSA. Ensure proper protection or corrective measures have been
taken when an incident/vulnerability has been discovered.

(4) Require that each IS user sign an acknowledgment of responsibility for the security of the IS.

(5) Implement security features for the detection of malicious code, viruses, and intruders (hackers), as
appropriate.

g. Certifies to the CSA, in writing, that each System Security Plan (SSP) has been implemented; that the
specified security controls are in place and properly tested; and that the IS is functioning as described
in the SSP.

h. Ensures notification of the CSA when an IS no longer processes classified information, or when
changes occur that might affect accreditation.

i. Ensures that personnel are trained on the IS's prescribed security restrictions and safeguards before they
are initially allowed to access a system.

j. Develops and implements general and remote maintenance procedures based on requirements provided
by the CSA.

8-104. Information System Security Officer(s) (ISSO). ISSOs may be appointed by the ISSM in facilities
with multiple accredited IS. The ISSM will determine the responsibilities to be assigned to the ISSO that may
include the following:

a. Ensure the implementation of security measures, in accordance with facility procedures.

b. Identify and document any unique threats.

c. If so directed by the GCA and/or if an identified unique local threat exists, perform a risk assessment to
determine if additional countermeasures beyond those identified in this chapter are required.

d. Develop and implement a certification test as required by the ISSM/CSA.

e. Prepare, maintain, and implement an SSP that accurately reflects the installation and security
provisions.

f. Notify the CSA (through the ISSM) when an IS no longer processes classified information, or when
changes occur that might affect accreditation.

g. Ensure:

(1) That each IS is covered by the facility Configuration Management Program, as applicable.
 (2) That the sensitivity level of the information is determined prior to use on the IS and that the proper
security measures are implemented to protect this information.

(3) That unauthorized personnel are not granted use of, or access to, an IS.

(4) That system recovery processes are monitored to ensure that security features and procedures are
properly restored.

h. Document any special security requirement identified by the GCA and the protection measures
implemented to fulfill these requirements for the information contained in the IS.

i. Implement facility procedures:

(1) To govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and
destroying media and equipment containing classified information.

(2) To ensure that vendor?supplied authentication (password, account names) features or security-
relevant features are properly implemented.

(3) For the reporting of IS security incidents and initiating, with the approval of the ISSM, protective or
corrective measures when a security incident or vulnerability is discovered.

(4) Requiring that each IS user sign an acknowledgment of responsibility for the security of IS and
classified information.

(5) For implementing and maintaining security-related software for the detection of malicious code,
viruses, and intruders (hackers), as appropriate.

j. Conduct ongoing security reviews and tests of the IS to periodically verify that security features and
operating controls are functional and effective.

k. Evaluate proposed changes or additions to the IS, and advises the ISSM of their security relevance.

l. Ensure that all active user Ids are revalidated at least annually.

8-105. Users of IS. Users of IS are either privileged or general users.

a. Privileged users have access to IS control, monitoring or administration functions. Examples include:

(1) Users having "superuser," "root," or equivalent access to a system (e.g., system administrators,
computer operators, ISSOs); users with near or complete control of an IS or who set up and administer
user accounts and authenticators.

(2) Users having access to change control parameters (routing tables, path priorities, addresses, etc.) on
routers, multiplexers, and other key IS equipment.

(3) Users who have been given the authority to control and change other users' access to data or
program files (e.g., applications software administrators, administrators of specialty file systems,
database managers).

(4) Users who have been given special access for troubleshooting or monitoring an IS' security
functions (e.g., those using analyzers, management tools).

b. General users are individuals who can input information to or modify information on an IS or who can
receive information from an IS without a reliable human review.
 c. All users shall:

(1) Comply with the IS Security Program requirements.

(2) Be aware of and knowledgeable about their responsibilities in regard to IS security.

(3) Be accountable for their actions on an IS.

(4) Ensure that any authentication mechanisms (including passwords) issued for the control of their
access to an IS are not shared and are protected at the highest classification level and most restrictive
classification category of information to which they permit access.

(5) Acknowledge, in writing, their responsibilities for the protection of the IS and classified
information.

Section 2
Information security means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification or destruction.[1]

The terms information security, computer security and information assurance are frequently
incorrectly used interchangeably. These fields are interrelated often and share the common
goals of protecting the confidentiality, integrity and availability of information; however,
there are some subtle differences between them.

These differences lie primarily in the approach to the subject, the methodologies used, and
the areas of concentration. Information security is concerned with the confidentiality,
integrity and availability of data regardless of the form the data may take: electronic, print, or
other forms.

Computer security can focus on ensuring the availability and correct operation of a computer
system without concern for the information stored or processed by the computer.

Governments, military, corporations, financial institutions, hospitals, and private businesses

amass a great deal of confidential information about their employees, customers, products,
research, and financial status. Most of this information is now collected, processed and stored
on electronic computers and transmitted across networks to other computers.

Should confidential information about a business' customers or finances or new product line
fall into the hands of a competitor, such a breach of security could lead to lost business, law
suits or even bankruptcy of the business. Protecting confidential information is a business
requirement, and in many cases also an ethical and legal requirement.

For the individual, information security has a significant effect on privacy, which is viewed
very differently in different cultures.

The field of information security has grown and evolved significantly in recent years. There
are many ways of gaining entry into the field as a career. It offers many areas for
specialization including: securing network(s) and allied infrastructure, securing applications
and databases, security testing, information systems auditing, business continuity planning
and digital forensics science, to name a few, which are carried out by Information Security
Consultants

This article presents a general overview of information security and its core concepts.

When Management chooses to mitigate a risk, they will do so by implementing one or more
of three different types of controls.

[edit] Administrative

Administrative controls (also called procedural controls) consist of approved written policies,
procedures, standards and guidelines. Administrative controls form the framework for
running the business and managing people. They inform people on how the business is to be
run and how day to day operations are to be conducted. Laws and regulations created by
government bodies are also a type of administrative control because they inform the business.
Some industry sectors have policies, procedures, standards and guidelines that must be
followed - the Payment Card Industry (PCI) Data Security Standard required by Visa and
Master Card is such an example. Other examples of administrative controls include the
corporate security policy, password policy, hiring policies, and disciplinary policies.

Administrative controls form the basis for the selection and implementation of logical and
physical controls. Logical and physical controls are manifestations of administrative controls.
Administrative controls are of paramount importance.

[edit] Logical

Logical controls (also called technical controls) use software and data to monitor and control
access to information and computing systems. For example: passwords, network and host
based firewalls, network intrusion detection systems, access control lists, and data encryption
are logical controls.

An important logical control that is frequently overlooked is the principle of least privilege.
The principle of least privilege requires that an individual, program or system process is not
granted any more access privileges than are necessary to perform the task. A blatant example
of the failure to adhere to the principle of least privilege is logging into Windows as user
Administrator to read Email and surf the Web. Violations of this principle can also occur
when an individual collects additional access privileges over time. This happens when
employees' job duties change, or they are promoted to a new position, or they transfer to
another department. The access privileges required by their new duties are frequently added
onto their already existing access privileges which may no longer be necessary or
appropriate.

[edit] Physical

Physical controls monitor and control the environment of the work place and computing
facilities. They also monitor and control access to and from such facilities. For example:
doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems,
cameras, barricades, fencing, security guards, cable locks, etc. Separating the network and
work place into functional areas are also physical controls.

An important physical control that is frequently overlooked is the separation of duties.

Separation of duties ensures that an individual can not complete a critical task by himself. For
example: an employee who submits a request for reimbursement should not also be able to
authorize payment or print the check. An applications programmer should not also be the
server administrator or the database administrator - these roles and responsibilities must be
separated from one another.[3]

[edit] Security classification for information

An important aspect of information security and risk management is recognizing the value of
information and defining appropriate procedures and protection requirements for the
information. Not all information is equal and so not all information requires the same degree
of protection. This requires information to be assigned a security classification.
The first step in information classification is to identify a member of senior management as
the owner of the particular information to be classified. Next, develop a classification policy.
The policy should describe the different classification labels, define the criteria for
information to be assigned a particular label, and list the required security controls for each
classification.

Some factors that influence which classification information should be assigned include how
much value that information has to the organization, how old the information is and whether
or not the information has become obsolete. Laws and other regulatory requirements are also
important considerations when classifying information.

The type of information security classification labels selected and used will depend on the
nature of the organisation, with examples being:

 In the business sector, labels such as: Public, Sensitive, Private, Confidential.
 In the government sector, labels such as: Unclassified, Sensitive But Unclassified,
Restricted, Confidential, Secret, Top Secret and their non-English equivalents.
 In cross-sectoral formations, the Traffic Light Protocol, which consists of: White, Green,
Amber and Red.

All employees in the organization, as well as business partners, must be trained on the
classification schema and understand the required security controls and handling procedures
for each classification. The classification a particular information asset has been assigned
should be reviewed periodically to ensure the classification is still appropriate for the
information and to ensure the security controls required by the classification are in place.

[edit] Access control

Access to protected information must be restricted to people who are authorized to access the
information. The computer programs, and in many cases the computers that process the
information, must also be authorized. This requires that mechanisms be in place to control the
access to protected information. The sophistication of the access control mechanisms should
be in parity with the value of the information being protected - the more sensitive or valuable
the information the stronger the control mechanisms need to be. The foundation on which
access control mechanisms are built start with identification and authentication.

Identification is an assertion of who someone is or what something is. If a person makes the
statement "Hello, my name is John Doe." they are making a claim of who they are. However,
their claim may or may not be true. Before John Doe can be granted access to protected
information it will be necessary to verify that the person claiming to be John Doe really is
John Doe.

Authentication is the act of verifying a claim of identity. When John Doe goes into a bank to
make a withdrawal, he tells the bank teller he is John Doe (a claim of identity). The bank
teller asks to see a photo ID, so he hands the teller his driver's license. The bank teller checks
the license to make sure it has John Doe printed on it and compares the photograph on the
license against the person claiming to be John Doe. If the photo and name match the person,
then the teller has authenticated that John Doe is who he claimed to be.
There are three different types of information that can be used for authentication: something
you know, something you have, or something you are. Examples of something you know
include such things as a PIN, a password, or your mother's maiden name. Examples of
something you have include a driver's license or a magnetic swipe card. Something you are
refers to biometrics. Examples of biometrics include palm prints, finger prints, voice prints
and retina (eye) scans. Strong authentication requires providing information from two of the
three different types of authentication information. For example, something you know plus
something you have. This is called two factor authentication.

On computer systems in use today, the Username is the most common form of identification
and the Password is the most common form of authentication. Usernames and passwords
have served their purpose but in our modern world they are no longer adequate. Usernames
and passwords are slowly being replaced with more sophisticated authentication mechanisms.

After a person, program or computer has successfully been identified and authenticated then
it must be determined what informational resources they are permitted to access and what
actions they will be allowed to perform (run, view, create, delete, or change). This is called
authorization.

Authorization to access information and other computing services begins with administrative
policies and procedures. The policies prescribe what information and computing services can
be accessed, by whom, and under what conditions. The access control mechanisms are then
configured to enforce these policies.

Different computing systems are equipped with different kinds of access control mechanisms
- some may even offer a choice of different access control mechanisms. The access control
mechanism a system offers will be based upon one of three approaches to access control or it
may be derived from a combination of the three approaches.

The non-discretionary approach consolidates all access control under a centralized

administration. The access to information and other resources is usually based on the
individuals function (role) in the organization or the tasks the individual must perform. The
discretionary approach gives the creator or owner of the information resource the ability to
control access to those resources. In the Mandatory access control approach, access is
granted or denied basing upon the security classification assigned to the information resource.

Examples of common access control mechanisms in use today include Role-based access
control available in many advanced Database Management Systems, simple file permissions
provided in the UNIX and Windows operating systems, Group Policy Objects provided in
Windows network systems, Kerberos, RADIUS, TACACS, and the simple access lists used
in many firewalls and routers.

To be effective, policies and other security controls must be enforceable and upheld.
Effective policies ensure that people are held accountable for their actions. All failed and
successful authentication attempts must be logged, and all access to information must leave
some type of audit trail.[
B. Why Information Systems Security
Several studies have documented actual and potential losses due to IS security abuses
(e.g. Burger, 1993; Loch, Carr, & Warkentin, 19992; Panettieri, 1995). An
understanding of the effective and responsible use of management of information
systems and technologies is important for managers and business professionals etc.
Information systems play a vital role in the strategic success of a business. Thus,
better computer literacy, increased computer user sophistication, and availability of
advanced software tools may also contribute to IS security abuses in the future.
Hence, management needs to pay more attention to IS security issues (Dhillon &
Backhouse, 2000).
C. Goals of Information Systems Security
As the businesses are getting more dependent upon the use of information systems the
need for better IS security is also increasing. Thus, the main goal of defining an IS
security policy is the .Protection of information systems against unauthorized access
to or modification of information whether in storage, processing or transit, and
against the denial of service to authorized users, including those measures necessary
to detect, document, and counter such threats.(NSTISSI 4009, August, 1997).. The
organizations today must protect their information from loss just as it would protect
any other valuable asset, such as tangible property, equipment, money, or staff. By
the development of a IS security method the organization must ensure that all the
information security loopholes are covered. The information assets must be protected