Week 12 - Ch. 11 &12

Uploaded by kjvaex
Foundations of Information Systems

PART 4: INFORMATION SYSTEMS MANAGEMENT

CHAPTER 11: STRUCTURE, GOVERNANCE, AND ETHICS

Chapter 11: Structure, Governance, and Ethics

Q1. How is the IT department organized?
Q2. What jobs exist in IT services?
Q3. What is IT architecture?
Q4. What is alignment, why is it important and why is it difficult?
Q5. What is information systems governance?
Q6. What is an information systems audit, and why should you care about it?
Q7. What is information systems ethics?
Q8. What is Green IT, and why should you care about it?

Q1. How Is the IT Department Organized?

•All IS (e.g. email systems, accounting applications, etc.) used in an organization require some form of technical support
•The department of people who support this is often referred to as “IT Services” or “Information Systems Services”

Typical Senior-Level Reporting Relationships

Note: Organizational structure varies, depending on the organization’s size, culture, competitive environment, industry, etc.

What About the Web?

•The Web has had a significant impact on the organization of IT departments
•Traditionally, the IT department was responsible for designing and maintaining a website
•This task now belongs to the marketing department, to keep up with branding and control of content, while IT provides technical support for the website

Web Design

•Creating well-designed company web pages requires knowledge of branding and marketing, plus technical skills
•A whole new industry, the Web design consulting industry, was born
◦ Canadian examples: Blast Radius (www.blastradius.com) and Traction on Demand (www.tractionondemand.com)

Q2. What Jobs Exist in IT Services?

•Wide range of interesting and well-paying jobs
•Some think that it consists only of programmers and computer technicians who have great technical skills
•Most jobs that are in the highest demand in the IT industry require a mix of interpersonal and technical skills
•The industry needs people who can bridge the knowledge gap between computer technicians and business system users

Jobs in IT Services

•The data, procedures, and people components of IS require professionals with great interpersonal communication skills
•For most technical positions, knowledge of a business specialty increases marketability
•High-paying jobs require communication, leadership, and business skills
•For students, a dual major can be an excellent choice to open up opportunities

Q3: What Is IT Architecture?

•An organization’s goals and objectives help determine its competitive strategy
•Porter’s five forces model can be used to consider the structure of the industry in which a company operates
•Given that structure, we can develop a competitive strategy for the organization. This strategy is supported by activities in the value chain, which consist of a collection of business processes supported by information systems

Organizational Strategy and Information Systems

Q3: What Is IT Architecture?

•Like a city plan that lays out the street network, water systems, emergency system, power grids
•IT architecture: basic framework for all the computers, systems, and information management that supports organizational services
•Enterprise architect: new title being used to describe the person who manages IT architecture
◦ Creates a blueprint of an organization’s IS and the management of these systems
◦ Must understand current investments in technology and plan for changes

IT Architecture

•Few standards, since companies are diverse
•Usually a long document with complicated diagrams, management policies, and discussion of future changes
•Zachman framework: helps in designing IT architecture
◦ Divides systems into two dimensions:
◦ Based on 6 reasons for communication
◦ Based on stakeholder groups

A Framework of Enterprise Architecture

Q4: What Is Alignment, Why Is It Important, and Why Is It Difficult?

•Alignment: process of matching organizational objectives with IT architecture
•Ongoing process: fitting IT architecture to business objectives is a continuous challenge
•Maintaining a balance between business objectives and IT architecture

Q4: What Is Alignment, Why Is It Important, and Why Is It Difficult?

•Matching investments in IT with organizational strategy is not as straightforward as it may seem
◦ Walmart is a low-price retailer; would aligning IT objectives with this strategy mean Walmart should spend less on IT than the industry average?

Q4: What Is Alignment, Why Is It Important, and Why Is It Difficult?

•Measured as the degree to which the IT department’s missions, objectives, and plans overlap with the overall business missions, objectives, and plans
•Communication between business and IT executives is the most important indicator of alignment

Q5: What Is Information Systems Governance?

•For business organizations, governance is the development of consistent, cohesive management policies and verifiable internal processes for IT and related services
•Goal is to improve the benefits of an organization’s IT investment over time

Creating Benefits from IT Governance

The Sarbanes-Oxley Act and the Budget Measures Act

•The increasing interest in information systems governance is the result of laws such as the Sarbanes-Oxley Act (SOX) in the USA and the Budget Measures Act (Bill 198) in Canada
•These laws force companies to comply with governance standards for collecting, reporting, and disclosing information

The Sarbanes-Oxley Act and the Budget Measures Act

Example:
•The computer-based accounting information system used by the company must have appropriate controls, and management must assert that they do
•The order-processing information system used by the company, which stores credit card data and customer identities, must prevent unauthorized persons from gaining access

SOX: Enron Company Scandal

•https://www.investopedia.com/updates/enron-scandal-summary/

Q6: What Is an Information Systems Audit, and Why Should You Care About It?

•Financial audit: examination and verification of a company’s financial and accounting records and supporting documents by an accredited professional
◦ Chartered Professional Accountant (CPA)
•IS audit: the focus is placed on the information resources that are used to collect, store, process, and retrieve information
•Information Systems Audit and Control Association (ISACA): leader in developing knowledge and standards relating to IT audit and IT governance
◦ The Certified Information Systems Auditor (CISA)

COBIT

•One of the developments provided by ISACA, along with the IT Governance Institute (ITGI), is the Control Objectives for Information and Related Technology (COBIT)
•COBIT is a framework of best practices designed for IT management
•This framework provides a set of generally accepted measures, indicators, processes, and best practices to assist organizations in getting the best from their IT investments
•COBIT provides a process through which alignment between IT and business objectives is developed

http://www.isaca.org/cobit/pages/default.aspx

COBIT 5

https://youtu.be/Y8kqh9q3Jwg

Q7: What Is Information Systems Ethics?

•Concerns the people involved with the system, not the hardware or software
•Understanding our own behaviour—the way we think and act in situations where our choices affect others
•Ethical principles
◦ United Nations Declaration of Human Rights
◦ Canada’s Charter of Rights and Freedoms
◦ Association for Computing Machinery’s code of ethics: https://www.acm.org/code-of-ethics

Q8: What Is Green IT, and Why Should You Care About It?

•Green IT (green computing): using IT resources to better support the triple bottom line for organizations
•The triple bottom line includes measures of traditional profit along with ecological and social performance
•Primary goals of green IT: improve energy efficiency, promote recyclability, and reduce the use of materials that are hazardous to the environment

Green IT

•Green IT considers the effects of choices on people and the environment
•ENERGY STAR program: an international government/industry partnership to produce equipment that meets high energy-efficiency specifications or to promote the use of such equipment
◦ https://www.energystar.gov/products/office_equipment/computers
•E-cycling: the recycling of electronic computing devices

E-cycling

•Electronics Product Recycling Association (EPRA): https://www.recyclemyelectronics.ca/

Foundations of Information Systems

PART 4: INFORMATION SYSTEMS MANAGEMENT

CHAPTER 12: MANAGING INFORMATION SECURITY AND PRIVACY

Chapter 12: Managing Information Security and Privacy

Q1. What is identity theft?
Q2. What is PIPEDA?
Q3. What types of security threats do organizations face?
Q4. How can technical safeguards protect against security threats?
Q5. How can data safeguards protect against security threats?
Q6. How can human safeguards protect against security threats?
Q7. What is disaster preparedness?
Q8. How should organizations respond to security incidents?

Q1: What Is Identity Theft?

•Identity theft: vital information is stolen to create a new identity
◦ Can be done with just a person’s name, address, date of birth, social insurance number, and mother’s maiden name
•An identity thief can take over a victim’s financial accounts; open new bank accounts; transfer bank balances; apply for loans, credit cards, and other services

Protect Yourself from Identity Theft

https://www.getcybersafe.gc.ca/index-en.aspx

Q2: What Is PIPEDA?

•PIPEDA: Personal Information Protection and Electronic Documents Act
•Act intended to balance an individual’s right to the privacy of his or her personal information with the need of organizations to collect, use, or share that information for business purposes
•The Privacy Commissioner of Canada oversees this Act

PIPEDA and Organizations

•Organizations should be aware of PIPEDA because it governs how data are collected and used
•Organizations must not use the information collected for any purpose other than what the organization agreed to use it for
•It is the duty of an organization to protect the information it collects

Q3: What Types of Security Threats Do Organizations Face?

•Three sources of security threats are:
1. Human errors and mistakes
◦ Accidental problems
◦ Employee accidentally deletes a customer’s records
◦ Employee drives truck through wall of computer room

Sources of Security Threats

2. Malicious human activity
◦ Intentional destruction of data
◦ Destroying system components
◦ Hackers
◦ Virus and worm writers
◦ People who send unwanted emails (spam)

Sources of Security Threats

3. Natural events and disasters
◦ Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, tornadoes, and other acts of nature
◦ Initial losses of capability and service
◦ Plus losses from recovery actions

Types of Security Problems

•Five types of security problems:
1. Unauthorized data disclosure
2. Incorrect data modification
3. Faulty service
4. Denial of service
5. Loss of infrastructure

Sources and Types of Security Threats

Elements of a Security Program

•Senior management involvement
◦ Must establish a security policy
◦ Manage risk by balancing costs and benefits
•Safeguards
◦ Protections against security threats
•Incident response
◦ Must be planned for prior to incidents

Security Safeguards as They Relate to the Five Components

Q4: How Can Technical Safeguards Protect Against Security Threats?

•Technical safeguards involve the hardware and software components of an information system

Technical Safeguards

Identification and Authentication
•Usernames and passwords
◦ Username provides identification (who the user claims to be)
◦ Password provides authentication (proof of that claim)
•Smart cards
◦ Personal identification number (PIN)
•Biometric authentication
◦ Fingerprints, facial features, retinal scans

Technical Safeguards (Cont’d)

Malware Protection
•Malware includes viruses, worms, Trojan horses, spyware, and adware

Malware

https://youtu.be/n8mbzU0X2nQ

Technical Safeguards

•Malware safeguards
◦ Install antivirus and anti-spyware programs
◦ Scan your computer frequently
◦ Update malware definitions (the patterns that exist in known malware, which the scanner looks for)
◦ Open e-mail attachments only from known sources
◦ Install software updates promptly
◦ Browse only reputable Web sites

Q5: How Can Data Safeguards Protect Against Security Threats?

•Data safeguards protect databases and other organizational data
•Data administration: an organization-wide function
◦ develops data policies
◦ enforces data standards
•Database administration: a function for a particular database
◦ procedures for multi-user processing
◦ change control for database structure
◦ protection of the database

Data Safeguards

Q6: How Can Human Safeguards Protect Against Security Threats?

•Human safeguards involve the people and procedure components of an information system
•User access restriction requires authentication and account management
•Design appropriate security procedures
•Security considerations for:
◦ Employees
◦ Non-employee personnel

Human Safeguards for Employees

Human Safeguards for Non-Employees

•Temporary personnel and vendors
◦ Personnel screening process is often reduced compared with that for employees
◦ Training and compliance also have limitations
◦ Contract should include specific security provisions
◦ Provide accounts and passwords with the least privileges

Human Safeguards for Non-Employees

•Public users
◦ Harden Web site and facility
◦ Hardening: take extraordinary measures to reduce a system’s vulnerability
•Partners and public that receive benefits from the information system
◦ Protect these users from internal company security problems

Account Administration

•Account management
◦ Creation of new user accounts
◦ Modification of existing account permissions
◦ Removal of unneeded accounts
•Password management
◦ Acknowledgment forms
◦ Change passwords frequently

Account Administration (Cont’d)

•Help-desk policies
◦ Authentication of users who have lost their password
◦ Password should not be e-mailed (just a notification of the password change)
•System procedures
◦ Normal operation
◦ Backup
◦ Recovery

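The account-management points on these two slides, together with the least-privilege rule for non-employee accounts on the earlier slide, can be turned into a periodic review. The following is an added example, not from the textbook or the course: it reconciles a constructed account list against a constructed HR roster and reports accounts to remove, non-employee privileges to cut, and passwords past the rotation age. The record shapes, the `NON_EMPLOYEE_ALLOWED` baseline and the 90-day limit are assumptions.

```python
from datetime import date

# Constructed sample data; the record shapes and policy values are assumptions for this example.
PERSONNEL = {  # login -> (status, category) from the HR roster
    "amin": ("active", "employee"),
    "bkuo": ("active", "employee"),
    "cvendor": ("active", "vendor"),
    "dtemp": ("ended", "temporary"),
}
ACCOUNTS = [  # what the system actually has
    {"login": "amin", "privileges": {"read", "write"}, "pw_changed": date(2024, 1, 15)},
    {"login": "bkuo", "privileges": {"read", "write", "admin"}, "pw_changed": date(2023, 6, 1)},
    {"login": "cvendor", "privileges": {"read", "admin"}, "pw_changed": date(2024, 2, 1)},
    {"login": "dtemp", "privileges": {"read"}, "pw_changed": date(2023, 11, 1)},
    {"login": "oldsvc", "privileges": {"admin"}, "pw_changed": date(2022, 1, 1)},
]
NON_EMPLOYEE_ALLOWED = {"read"}   # least-privilege baseline for temps and vendors (assumed policy)
MAX_PASSWORD_AGE_DAYS = 90        # "change passwords frequently" threshold (assumed policy)
AS_OF = date(2024, 3, 1)          # review date for the sample data

def review_accounts(accounts, personnel, today=AS_OF):
    """Return (login, finding) pairs: accounts to remove, privileges to cut, passwords to rotate."""
    findings = []
    for acct in accounts:
        login = acct["login"]
        person = personnel.get(login)
        # Removal of unneeded accounts: nobody active on the roster owns it
        if person is None or person[0] != "active":
            findings.append((login, "remove: no active person owns this account"))
            continue
        category = person[1]
        # Non-employees get accounts with the least privileges
        extra = acct["privileges"] - NON_EMPLOYEE_ALLOWED
        if category != "employee" and extra:
            findings.append((login, f"reduce: non-employee holds {sorted(extra)}"))
        # Password management: flag passwords older than policy
        if (today - acct["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((login, "rotate: password older than policy allows"))
    return findings

if __name__ == "__main__":
    for login, finding in review_accounts(ACCOUNTS, PERSONNEL):
        print(login, finding)
```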
System Procedures

•Procedures of each type should exist for each information system
•Definition and use of standardized procedures reduces the likelihood of computer crime
•Each procedure type should be defined for both system users and operations personnel
◦ Different duties and responsibilities
◦ Varying needs and goals

System Procedures

Security Monitoring

•Activity log analyses
◦ Firewall logs
◦ DBMS log-in records
◦ Web server logs
•Security testing
◦ In-house and external security professionals

Security Monitoring

•Investigation of incidents
◦ How did the problem occur?
•Lessons learned
◦ Indication of potential vulnerability and corrective actions

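Activity log analysis, as listed on the previous slide, means reading the three log sources for patterns worth investigating. The following is an added example, not from the textbook or the course: it runs three simple checks over constructed firewall, DBMS log-in and web server lines. The line formats, field names and thresholds are assumptions for the example; real products log differently.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines; the formats are assumptions for this example, not real logs.
FIREWALL_LOG = [
    "2024-03-01T02:10:01 DENY src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2024-03-01T02:10:02 DENY src=203.0.113.9 dst=10.0.0.5 dport=445",
    "2024-03-01T02:10:03 DENY src=203.0.113.9 dst=10.0.0.5 dport=3389",
    "2024-03-01T09:00:00 ALLOW src=10.0.0.20 dst=10.0.0.5 dport=443",
]
DBMS_LOGIN_LOG = [
    "2024-03-01 08:59:10 user=sa host=10.0.0.77 result=FAILED",
    "2024-03-01 08:59:12 user=sa host=10.0.0.77 result=FAILED",
    "2024-03-01 08:59:15 user=sa host=10.0.0.77 result=FAILED",
    "2024-03-01 09:01:00 user=app host=10.0.0.20 result=OK",
]
WEB_SERVER_LOG = [
    '198.51.100.4 - - [01/Mar/2024:10:00:01] "GET /admin HTTP/1.1" 403 0',
    '198.51.100.4 - - [01/Mar/2024:10:00:02] "GET /.env HTTP/1.1" 404 0',
    '198.51.100.4 - - [01/Mar/2024:10:00:03] "GET /backup.zip HTTP/1.1" 404 0',
    '10.0.0.20 - - [01/Mar/2024:10:05:00] "GET /index.html HTTP/1.1" 200 512',
]
KV = re.compile(r"(\w+)=(\S+)")  # key=value fields in the firewall and DBMS lines
WEB = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')  # client ... status

def denied_port_sweeps(lines, min_ports=3):
    """Firewall logs: sources denied on at least min_ports distinct ports."""
    ports = defaultdict(set)
    for fields in (dict(KV.findall(l)) for l in lines if " DENY " in l):
        ports[fields["src"]].add(fields["dport"])
    return {src for src, p in ports.items() if len(p) >= min_ports}

def dbms_login_failures(lines, threshold=3):
    """DBMS log-in records: (user, host) pairs with at least threshold failures."""
    fails = Counter()
    for line in lines:
        fields = dict(KV.findall(line))
        if fields.get("result") == "FAILED":
            fails[(fields["user"], fields["host"])] += 1
    return {k: n for k, n in fails.items() if n >= threshold}

def web_error_clients(lines, threshold=3):
    """Web server logs: clients with at least threshold 4xx responses (malformed lines skipped)."""
    errors = Counter()
    for line in lines:
        m = WEB.match(line)
        if m and m.group(2).startswith("4"):
            errors[m.group(1)] += 1
    return {client: n for client, n in errors.items() if n >= threshold}
```

Each function returns only the entries that cross its threshold, which is the shortlist the "Investigation of incidents" step above would start from.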
Q7: What Is Disaster Preparedness?

•A substantial loss of computing infrastructure caused by acts of nature, crime, or terrorist activity can be disastrous for an organization
•Best safeguard is an appropriate location
•Backup processing centres in a geographically removed site

Disaster Preparedness Guidelines

Remote Backup Facilities

https://youtu.be/xWTbPY0OfB0

Q8: How Should Organizations Respond to Security Incidents?

•Organizations must have a plan
◦ Detail reporting and response
•Centralized reporting of incidents
◦ Allows for application of specialized expertise
•Speed is of the essence
•Preparation pays off
◦ Identify critical employees and contact numbers
◦ Training is vital
•Practise incident response!
