CH 5 - IS Planning: Concept Map of Understanding Isp

The document discusses information systems planning (ISP), explaining that ISP involves planning for information systems to ensure they support business goals. It covers key aspects of ISP like describing current and future IT situations, different planning types and components, and why ISP is important. The document also provides information on performing security audits, including how to choose tools and platforms for auditing.
Ch 5 - IS Planning

CONCEPT MAP OF UNDERSTANDING ISP

What is ISP? ISP = IS + P

You should know what is meant by:
- Information System
- Planning

Why is Planning Important?

- A systematic approach to dealing with future uncertainties.
- It focuses efforts and resources on long-term, general objectives and yet provides a foundation for short-term activities.
- Provides a framework for action. Planning involves thinking ahead and designing future action.

ISP Key Activities

- Describing the current situation: includes a listing of the manual and automated processes, a listing of manual and automated data, a technology inventory and a human resources inventory.
- Describing the future situation: includes blueprints of manual and automated processes, blueprints of manual and automated data, technology blueprints and human resources blueprints.
- Describing the scheduling of the project: includes scheduling of manual and automated processes, scheduling of manual and automated data, technology scheduling and human resources scheduling.

ISP Planning Types

- Top-Down Planning: a generic information systems planning methodology that attempts to gain a broad understanding of the information system needs of the entire organization.
- Bottom-Up Planning: a generic information systems planning methodology that identifies and defines IS development projects based upon solving operational business problems or taking advantage of business opportunities.

Components of ISP

- The Process of Information Systems Planning
- Strategic Alignment of Business and IT
- Selecting Systems to Invest In
- Project Management Issues

Why ISP?

Why do we need to plan for IS?

- To ensure that IS both complements and assists in the achievement of our business goals.
- To ensure that the use of scarce resources is maximized within a business.
- To maximize the benefits of changing technology.
- To take account of the different viewpoints of business professionals and IT professionals.

Who Performs ISP?

- IS planners / systems analysts
- A variety of stakeholders (e.g. sponsor, users)
- Top management commitment → successful ISP.

Where & When ISP?

- Any organization that has an interest in getting the best out of its IT investments.
- Facing problems
- Grabbing opportunities.
- Information Systems (IS) fail to satisfy the huge, diverse and complicated information requirements of their users.

HOW?

- Look at business structure, function, processes, culture
- Look at existing IT
- Look at available technology
- Carry out interviews
- Develop policies
- Develop application portfolio
- Plan schedules for migration, implementation etc.

e-Reference: http://www.cse.dmu.ac.uk/~nkm/sisp/CONTENTS.html

Approaches to I.T. Planning

- NO planning
- TRADITIONAL information resource planning
- STRATEGIC information systems planning
- REACTIVE information resource planning
- LINKED information resource planning

No Planning

Speaks for itself: there is more of this about than you might think.

Inputs and Outputs for the Traditional Information Resource Plan

[Figure: labels recovered from the diagram. Inputs: last year's budget, last year's backlog, staff numbers + salaries. Process: traditional planning process. Outputs: computer operations, program maintenance, machine depreciation + lease cost, application development.]

Linking Business and IS/IT Strategy


IT Planning Issues

Basic IT planning addresses the following four general issues:

1. Aligning the IT plan with the organizational business plan.
2. Designing an IT architecture for the organization in such a way that users, applications, and databases can be integrated and networked together.
3. Efficiently allocating information systems development and operational resources among competing applications.
4. Planning information systems projects so that they are completed on time and within budget and include the specified functions.

IT Planning

- A strategic information systems plan identifies a set of computer-based applications that will help a company reach its business goals.
- IT planning identifies the applications portfolio, a list of major, approved IS projects that are consistent with the long-range plan.
- Initial mechanisms addressed operational planning, and eventually shifted to managerial planning.

A Generic/General Approach to SPIT

[Figure: labels recovered from the diagram, its layout lost. Objectives, Goals, Mission, Vision; Systems Audit; Strategic options; Applications opportunities by brainstorming; Information Systems Architecture; Strategic Information Technology Plan (timescales, funding, resources, control); IT Strategy (productivity, competitive edge, business effectiveness); CSF's + KPI's; Data Usage; Business (business models, data objectives + constraints).]

Ch 7 - IS Audit, Control and Security

What is a security audit?

- Policy based
- Assessment of risk
- Examines site methodologies and practices
- Dynamic
- Communication

What kinds of security audits are there?

- Host
- Firewall
- Networks
- Large networks

Security Policies & Documentation

What is a security policy?

- Components
- Who should write it?
- How long should it be?
- Dissemination
- It walks, it talks, it is alive..
- RFC 1244
- What if a written policy doesn't exist?
- Other documentation

Components of a Security Policy

- Who can use resources
- Proper use of the resources
- Granting access & use
- System administrator privileges
- User rights & responsibilities
- What to do with sensitive information
- Desired security configurations of systems

RFC 1244, ``Site Security Handbook''

- Defines security policies & procedures
- Policy violations
- Interpretation
- Publicizing
- Identifying problems
- Incident response
- Updating

Other Documentation

- Hardware/software inventory
- Network topology
- Key personnel
- Emergency numbers
- Incident logs

Why do a Security Audit?

- Information is power
- Expectations
- Measure policy compliance
- Assessing risk & security level
- Assessing potential damage
- Change management
- Security incident response

When to audit?

- Emergency!
- Before prime time
- Scheduled/maintenance

Audit Schedules

- Individual host: 12-24 months
- Large networks: 12-24 months
- Network: 12 months
- Firewall: 6 months

How to do a Security Audit

- Pre-audit: verify your tools and environment
- Audit/review security policy
- Gather audit information
- Generate an audit report
- Take actions based on the report's findings
- Safeguard data & report

Verify your tools and environment

- The golden rule of auditing
- Bootstrapping problem
- Audit tools
- The audit platform

The Golden Rule of Auditing

- Verify ALL tools used for the audit are untampered with.
- If the results of the auditing tools cannot be trusted, the audit is useless.

The Bootstrapping Problem

- If the only way to verify that your auditing tools are OK is by using auditing tools, then..

Audit Tools: Trust?

- Write them yourself
- Find a trusted source (person, place)
- Verify them with a digital signature (MD5)
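As an added example (not code from the lecture notes), the script below applies the golden rule above: every audit tool is checked against a manifest of known-good digests before it is trusted. It assumes a sha256sum-style manifest obtained from a trusted source; it defaults to SHA-256 and accepts MD5 only for old manifests, since MD5 is a checksum rather than a signature and no longer resists deliberate collisions.

```python
"""Added example, not from the lecture notes: check that every audit tool is
untampered before its output is trusted, by comparing each file's digest with
a manifest obtained out-of-band from a trusted source. Assumptions (mine): the
manifest is text in the "<hex digest>  <path>" form sha256sum/md5sum emit and
reached the audit platform by a trusted path. The notes name MD5; it still
catches accidental or naive changes but is no longer collision resistant, so
SHA-256 is the default and MD5 is accepted only for legacy manifests."""
import hashlib
import os
import tempfile

ALGORITHMS = {"sha256": hashlib.sha256, "md5": hashlib.md5}


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large tool binaries need not fit in memory."""
    h = ALGORITHMS[algorithm]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Turn 'digest  path' lines into {path: digest}; skip blanks and comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        expected[path.strip()] = digest.lower()
    return expected


def verify_tools(manifest_text, base_dir, algorithm="sha256"):
    """Return {"ok": [...], "tampered": [...], "missing": [...]}. Per the golden
    rule, anything tampered or missing disqualifies that tool from the audit."""
    result = {"ok": [], "tampered": [], "missing": []}
    for rel_path, digest in parse_manifest(manifest_text).items():
        full = os.path.join(base_dir, rel_path)
        if not os.path.isfile(full):
            result["missing"].append(rel_path)
        elif file_digest(full, algorithm) == digest:
            result["ok"].append(rel_path)
        else:
            result["tampered"].append(rel_path)
    return result


def demo():
    """Constructed fixture: two stand-in 'tools' in a temp dir; one is modified
    after the manifest was written and one listed tool was never installed."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "bin"))
        for name in ("lsof", "nmap"):
            with open(os.path.join(d, "bin", name), "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
        lines = [f"{file_digest(os.path.join(d, 'bin', n))}  bin/{n}" for n in ("lsof", "nmap")]
        lines.append("0" * 64 + "  bin/crack")  # in the manifest, absent on disk
        with open(os.path.join(d, "bin", "nmap"), "ab") as f:
            f.write(b"# modified after the manifest was taken\n")
        return verify_tools("\n".join(lines), d)
```

The check is only as good as the manifest's provenance: a manifest fetched over the same channel as the tools answers the bootstrapping problem with more auditing tools, which is exactly what the notes warn against.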

Audit Tools: the Hall of Fame

- SAINT/SATAN/ISS
- Nessus
- lsof / pff
- Nmap, tcpdump, ipsend
- MD5/DES/PGP
- COPS/Tiger
- Crack

The Audit Platform

- Should have extraordinary security
- Submit it to a firewall+ type of audit
- Physical access should be required to use it
- No network services running

Choosing a security audit platform: Hardware

- Laptop computer
- Three kilograms or less
- Graphics display
- MB memory
- MB disk
- Ethernet (as many connectors as possible)

Choosing a security audit platform: Software

- Unix / Linux
- Secured OS
- OS source code
- Audit tools
- Development tools

Unix / Linux

- BSD: FreeBSD, SunOS/Solaris, OpenBSD ?
- Source code
- A good development platform
- Large body of available literature

Audit/review security policy

- Utilize an existing or ``standard'' policy
- Treat the policy as a potential threat
- Does it have all the basic components?
- Are the security configs comprehensive?
- Examine dissemination procedures

Security policy

- Treat the policy as a potential threat
- Bad policies are worse than none at all
- Good policies are very rare
- Look for clarity & completeness
- Poor grammar and spelling are not tolerated

Does it Have All the Basic Components?

- Who can use resources
- Proper use of the resources
- Granting access & use
- System administrator privileges
- User rights & responsibilities
- What to do with sensitive information

Are the security configs comprehensive?

- Details are important!
- Addresses specific technical problems (COPS-like tests, network services run, etc.)
- Allowable trust must be clearly outlined
- Should specify the specific tools (TCP wrappers, S/Key, etc.) that are used
- Must have explicit time schedules of security audits and/or tools used
- Logfiles must be regularly examined!

Examine dissemination procedures

- Policies are worthless unless people read and understand them
- Ideally it is distributed and addressed when people join the organization
- Email is useful for updates and changes
- Written user acknowledgment is necessary

Gather audit information

- Talk to/interview people
- Review documentation
- Technical investigation

Talk to/Interview people

- Difficult to describe, easy to do
- Usually ignored
- Users, operators, sysadmins, janitors, managers...
- Usage & patterns
- Have they seen/read the security policy?
- What can/can't they do, in their own words
- Could they get root/system privileges?
- What are the systems used for?
- What are the critical systems?
- How do they view the security audit?

Review Documentation

- Hardware/software inventory
- Network topology
- Key personnel
- Emergency numbers
- Incident logs

Technical Investigation

- Run static tools (COPS, Crack, etc.)
- Check system logs
- Check the system against known vulnerabilities (CERT, bugtraq, CIAC advisories, etc.)
- Follow startup execution
- Check static items (config files, etc.)
- Search for privileged programs (SUID, SGID, run as root)
- Examine all trust
- Check extra network services (NFS, news, httpd, etc.)
- Check for replacement programs (wuftpd, TCP wrappers, etc.)
- Code review ``home grown'' programs (CGIs, finger FIFOs, etc.)
- Run dynamic tools (ps, netstat, lsof, etc.)
- Actively test defenses (packet filters, TCP wrappers, etc.)

Run Static Tools

- Nmap
- SAINT/SATAN/ISS
- Crack
- Nessus
- COPS/Tiger

Follow Startup Execution

- Boot (P)ROMs
- init
- Startup programs (rc.* like files)

Check static items

- Examine all config files of running processes (inetd.conf, sendmail.cf, etc.)
- Examine config files of programs that can start up dynamically (ftpd, etc.)

Search for privileged programs

- Find all SUID/SGID programs
- Look at all programs executed as root
- Examine:
  - Environment
  - Paths to execution
  - Configuration files
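An added example (not from the notes) for the SUID/SGID search above: it lists privileged programs under a directory tree and diffs them against the previous audit's baseline, so that programs that appeared or changed since then stand out for the environment/path/configuration review the notes call for. The baseline format and the constructed fixture are my assumptions.

```python
"""Added example, not from the lecture notes: list SUID/SGID programs under a
tree and compare them with the previous audit's baseline so that privileged
programs that appeared or changed since then stand out. Assumptions (mine):
the baseline is {relative path: (octal mode string, size)} saved by the last
audit; on a real host scan root="/" as a user able to stat everything."""
import os
import stat
import tempfile


def find_privileged(root):
    """Return {relative_path: (mode, size)} for each regular file with the
    setuid or setgid bit set. lstat is used so symlinks are reported as links,
    not as the binaries they point to."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable: record elsewhere, keep scanning
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(full, root)] = (oct(stat.S_IMODE(st.st_mode)), st.st_size)
    return found


def diff_against_baseline(current, baseline):
    """Classify privileged programs as new, changed (mode or size differs) or
    removed relative to the baseline; each new or changed one deserves the
    environment, path and configuration-file review the notes describe."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return {"new": new, "changed": changed, "removed": removed}


def demo():
    """Constructed fixture in a temp dir: a known setuid program that grew since
    the baseline, a setgid program not in the baseline, a baseline entry that is
    gone, and an ordinary file that must be ignored."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "usr", "bin"))
        fixture = {"usr/bin/passwd": (0o4755, b"x" * 20),
                   "usr/bin/wall": (0o2755, b"y" * 10),
                   "usr/bin/cat": (0o755, b"z" * 5)}
        for rel, (mode, body) in fixture.items():
            path = os.path.join(d, rel)
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, mode)  # set the bits last: an unprivileged write would clear them
        baseline = {"usr/bin/passwd": ("0o4755", 18), "usr/bin/su": ("0o4755", 30)}
        return diff_against_baseline(find_privileged(d), baseline)
```

On a live host the listing step is what GNU `find / -xdev -type f -perm /6000` produces; the comparison with the previous audit's baseline is what turns that list into findings.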

Examine all Trust

- rhosts, hosts.equiv
- NFS, NIS
- DNS
- Windowing systems
- User traffic and interactive flow

Check Extra Network Services

- NFS/AFS/RFS
- NIS
- News
- WWW/httpd
- Proxy (telnet, ftp, etc.)
- Authentication (Kerberos, security tokens, special services)
- Management protocols (SNMP, etc.)

Check for replacement programs

- wuftpd
- TCP wrappers
- Logdaemon
- Xinetd
- GNU fingerd

Code review ``home grown''/non-standard programs

- Network daemons
- Anything SUID, SGID
- Programs run as a system account
- CGIs

Code review, etc. (cont.)

- Bad signs:
  - external commands (system, shell, etc.)
  - /usr/ucb/mail
  - large size
  - no documentation
  - no comments in code
  - no source code available

Actively test defenses

- Packet screens
- TCP wrappers
- Other defense programs

Safeguard Data & Report

- Save for the next audit
- Do not keep online
- Use strong encryption if stored electronically
- Limit distribution to those who ``need to know''
- Print out the report, sign, and number copies

Ch 8 - Redesigning the Organization with IS

Establishing Organizational Information Requirements

- To develop an effective IS plan, the organization must have a clear understanding of both its long- and short-term information requirements.
- Two principal methodologies for establishing those:
  - Enterprise Analysis (Business Systems Planning)
  - Strategic Analysis (Critical Success Factors)

Enterprise Analysis

- An analysis of organization-wide information requirements by looking at the entire organization in terms of organizational units, functions, processes, and data elements; helps identify the key entities and attributes in the organization's data.
- Developed by IBM in the 1960s.
- Method: take a large sample of managers and ask them how they use information, where they get it, what their environment is like, what their objectives are, how they make decisions and what their data needs are.

Enterprise Analysis Takeaways

- Gives a comprehensive view of the organization
- Produces an enormous amount of information, expensive to collect and difficult to analyze
- Bias towards top management and data processing
- Focus not on critical objectives but rather on what existing information is used
- The result is a tendency to automate whatever exists

Critical Success Factors

A small number of easily identifiable operational goals shaped by the industry, the firm, the manager, and the broader environment that are believed to ensure the success of an organization.

Example Goals and CSFs

Profit concern
  Goals: earnings/share, return on investment, market share, new product
  CSFs (automotive industry): styling, quality dealer system, cost control, energy standards

Non-profit
  Goals: excellent health care, meeting government regulations, future health needs
  CSFs: regional integration with other hospitals, efficient use of resources, improved monitoring of regulations

Using CSFs to Develop IS

[Figure: flow recovered from the diagram. Manager A, Manager B, Manager C and Manager D each supply individual CSFs → aggregate & analyze individual CSFs → develop agreement on company CSFs → define company CSFs → use CSFs to develop IS priorities → define DSS and databases.]

CSF Limitations

- Produces a smaller set of data to analyze
- Can be tailored to the structure of each industry
- Takes into account the changing environment
- Data collection and analysis are 'art forms'
- Confusion between individual and organizational CSFs
- Biased towards top managers
- Assumes that successful TPS already exist
- Like the Enterprise Analysis method, provides a static picture

Systems Development and Organizational Change

- Global networks (international division of labor; global reach of firms)
- Enterprise networks (collaborative work)
- Distributed computing (empowerment)
- Portable computing (virtual organizations)
- Graphical user interfaces (everybody has access to information)

The Spectrum of Organizational Change (1)

- Automation: using the computer to speed up the performance of existing tasks
  - most common form of IT-enabled change
  - involves assisting employees to perform their tasks more efficiently and effectively
  - akin to putting a larger motor in an existing vehicle

The Spectrum of Organizational Change (2)

- Rationalization of procedures: the streamlining of existing operating procedures, eliminating obvious bottlenecks so that automation makes operating procedures more efficient
  - follows quickly from early automation
  - Toshiba had to rationalize its procedures down to the level of installation manuals and software instruction, and had to create standard names and formats for the data items in its global data warehouse
  - Think: without a large amount of business process rationalization, computer technology would have been useless at Toshiba (this is what ERPs do)

The Spectrum of Organizational Change (3)

- Business Process Re-engineering (BPR): the radical redesign of business processes, combining steps to cut waste and eliminating repetitive, paper-intensive tasks to improve cost, quality, and service and to maximize the benefits of information technology
  - Involves radical rethinking
  - Can change the way an organization conducts its business
  - Strikes fear: it's expensive, it's very risky and it's extremely difficult to carry out and manage

Business Process Reengineering

- Develop the business vision and process objectives
- Identify the processes to be redesigned (core and highest payback)
- Understand and measure the performance of existing processes
- Identify the opportunities for applying information technology
- Build a prototype of the new process

The Spectrum of Organizational Change (4)

- Paradigm shift: radical reconceptualization of the nature of the business and the nature of the organization
  - akin to rethinking not only the automobile, but transportation itself
  - e-business is a paradigm shift
  - Deciding which business process to get right is half the challenge
  - 70% of the time, programmatic reengineering efforts fail
  - Why then change? Because the rewards are high!

Information Systems Development

- Systems development: the activities that go into producing an information systems solution to an organizational problem or opportunity
- A structured kind of problem with distinct activities

Systems Analysis (1)

- Systems analysis: the analysis of a problem that the organization will try to solve with an IS
  - thorough understanding of the existing organization and system
  - identify the primary owners and users of data in the organization
  - identification of the details of the problems of existing systems

Systems Analysis (2)

- Feasibility study: the way to determine whether the solution is achievable, given the organization's resources and constraints
  - Technical feasibility
  - Economic feasibility
  - Operational feasibility

Systems Design

- Systems design: details how a system will meet the information requirements as determined by the systems analysis
  - Output, input, user interface, database design, processing, manual procedures, controls, security, documentation, conversion, training, organizational changes

Completing the Design Process

- Programming
- Testing
  - Unit testing
  - System testing
  - Acceptance testing
- Conversion
  - Parallel strategy
  - Direct cut-over strategy
  - Pilot study strategy
  - Phased approach strategy
- Maintenance

Understanding the Business Value of Systems

The Business Value of Information Systems

Costs and Benefits of Information Systems

Costs:
- Hardware
- Telecommunications
- Software
- Services
- Personnel

Benefits:
- Tangible (cost savings): increased productivity, lower operational costs, reduced work force, lower outside vendor costs, lower clerical and professional costs, reduced rate of growth in expenses
- Intangible: improved asset utilization, improved resource control, improved organizational planning, more timely information, more information, increased organizational learning, enhanced employee goodwill, increased job satisfaction, improved decision making, improved operations, higher client satisfaction, better corporate image

Capital Budgeting Models

- Information systems are considered long-term capital investment projects.
- Capital budgeting: the process of analyzing and selecting various proposals for capital expenditures. The difference between cash outflows and cash inflows is used for calculating the financial worth of an investment.
- The high rate of technological obsolescence in budgeting for systems means simply that the payback period must be shorter, and the rates of return higher, than for typical capital projects with much longer useful lives.

Capital Budgeting Models (2)

- The payback method: a measure of the time required to pay back the initial investment of a project.
- Accounting rate of return on investment (ROI): calculation of the rate of return from an investment by adjusting the cash inflows produced by the investment for depreciation.
- Net present value (NPV): the amount of money an investment is worth, taking into account its cost, earnings, and the time value of money.
- Cost-benefit ratio: a method for calculating the returns from a capital expenditure by dividing the total benefits by the total costs.
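An added worked example (not from the notes) computing the four measures above for one constructed IS project; the cash-flow figures, straight-line depreciation and the undiscounted cost-benefit ratio are my assumptions.

```python
"""Added example, not from the lecture notes: the four capital budgeting
measures the notes list, computed for one constructed IS project.
Assumptions (mine): 'inflows' are net annual cash inflows (benefits minus
operating costs) for each year of the useful life, depreciation is
straight-line over that life, and the cost-benefit ratio is undiscounted."""


def payback_period(investment, inflows):
    """Years until cumulative inflows repay the investment, fractional within
    the year the line is crossed; None if it is never repaid."""
    cumulative = 0.0
    for year, cash in enumerate(inflows, start=1):
        if cumulative + cash >= investment:
            return year - 1 + (investment - cumulative) / cash
        cumulative += cash
    return None


def accounting_roi(investment, inflows):
    """(total inflows - total depreciation) / useful life / investment."""
    life = len(inflows)
    depreciation = investment  # straight-line: fully written off over the life
    return (sum(inflows) - depreciation) / life / investment


def net_present_value(investment, inflows, rate):
    """Discounted inflows minus the up-front investment paid at time 0."""
    return sum(cash / (1 + rate) ** t for t, cash in enumerate(inflows, start=1)) - investment


def cost_benefit_ratio(investment, inflows):
    """Total benefits divided by total costs, both undiscounted."""
    return sum(inflows) / investment


def demo():
    """Constructed project: 100,000 up front, four years of rising net inflows,
    10% discount rate. The short payback and positive NPV are what the notes
    say IS projects need, given fast technological obsolescence."""
    investment, inflows, rate = 100_000, [30_000, 40_000, 50_000, 60_000], 0.10
    return {"payback_years": payback_period(investment, inflows),
            "roi": accounting_roi(investment, inflows),
            "npv": round(net_present_value(investment, inflows, rate), 2),
            "cost_benefit": cost_benefit_ratio(investment, inflows)}
```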

Non-financial and Strategic Considerations

Potential Benefits to Firm
