Management Control and Security MIS 503 Management Information Systems MBA Program 1

Upload: magnus-long

Post on 17-Jan-2016

Page 1: Management Control and Security MIS 503 Management Information Systems MBA Program 1


Page 2: When It Comes to IT, What Has to be Managed?

• Relationships
• Strategy
• Infrastructure
• Human Capital
• Innovation
• Solutions Delivery
• Provisioning of Service
• Financial Performance

Page 3: How do we manage all these interrelated functions and tasks?

• Organizations need to think about technology as an enabling force and incorporate IT in strategic, tactical, and operational decision making

• Several questions need to be addressed
– Decide how the IT function should be organized
– Deal with organizational design issues that will affect IT implementation and use
– Decide how to manage the future of the IT function
– Decide how to plan for IT
– Decide how to control and secure IT

Page 4: How should the IT function be organized?

• Two extreme structures for the IT group
– Centralized:
  • Results in the lowest operational costs for the organization
  • Allows the greatest control over the IT resources
– Decentralized:
  • Allows greater flexibility
  • IT is managed closer to home, which should result in better service and greater innovation
  • Has the greatest potential for security problems

Page 5: Factors Affecting IT Design: Organizational Politics

Information Politics:

– Technocratic Utopianism: Technology positivism; “If we build it, they will use it.” Model the firm’s IT structure and rely on new technologies
– Anarchy: No overall information management policy
– Feudalism: Management of IT by individual business units; limited reporting to the organization
– Monarchy: Strong control by senior management; information may not be shared with lower levels of the firm
– Federalism: Management through consensus and negotiation about key IT decisions and structures

Page 6: Factors Affecting IT Design: Organizational Culture

• “Competing Values” Perspective on Organizational Culture: 4 categories of organizational effectiveness defined by organizational structure and focus
– Structure:
  • Flexible
  • Control Oriented
– Focus:
  • Internal
  • External

Page 7: Factors Affecting IT Design: Organizational Culture

The Competing Values Framework (after Quinn & Rohrbaugh, 1981). The four culture types are laid out on two axes: Flexible Processes versus Control-Oriented Processes, and Internal Maintenance versus External Positioning.

Type: Group
– Dominant Attribute: Cohesiveness, participation, teamwork, sense of family
– Leadership Style: Mentor, facilitator, parent-figure
– Bonding: Loyalty, tradition, interpersonal cohesion
– Strategic Emphasis: Toward developing human resources, commitment, and morale

Type: Adhocracy
– Dominant Attribute: Entrepreneurship, creativity, adaptability, dynamism
– Leadership Style: Innovator, entrepreneur, risk taker
– Bonding: Flexibility, risk, entrepreneur
– Strategic Emphasis: Toward innovation, growth, new resources

Type: Hierarchy
– Dominant Attribute: Order, rules and regulations, uniformity, efficiency
– Leadership Style: Coordinator, organizer, administrator
– Bonding: Rules, policies and procedures, clear expectations
– Strategic Emphasis: Toward stability, predictability, smooth operations

Type: Market
– Dominant Attribute: Goal achievement, environment exchange, competitiveness
– Leadership Style: Production- & achievement-oriented, decisive
– Bonding: Goal orientation, production, competition
– Strategic Emphasis: Toward competitive advantage and market superiority

Page 8: Organizational Models for IT

• Models for Organizing IT for Innovation
– The Partner Model: IT personnel are partners in IT innovation
– The Platform Model: Build the infrastructure and let users focus on developing IT innovations
– The Scalable Model: Fast and quick; IT relies on external experts to develop innovations and bring them to the firm

Page 9: Organizational Models for IT: Three Models for the IT Organization

Strategic position
– Partner: IT is an active business partner for innovation
– Platform: IT provides infrastructure for the entire business
– Scalable: IT remains flexible and able to undertake new initiatives quickly

Characteristics
– Partner: IT managers in divisions, corporate IT for leadership, matrix reporting in IT
– Platform: Corporate IT supervises overall infrastructure, businesses “own” IT innovations, IT account manager in each business
– Scalable: Centralize IT to encourage commonality and reduce duplication, IT in business units

Most applicable
– Partner: Senior executives lack in-depth knowledge of IT, firm needs to promote IT innovation, solid IT leadership
– Platform: Global companies with diverse lines of business; company managers knowledgeable about IT
– Scalable: Cyclical businesses, global businesses with similar subsidiaries, e.g., oil retailer

Page 10: Managing the IT Function

• Regardless of the organizational structure, culture, and innovative focus, the IT function needs to be managed in a coordinated way

• Two extreme views of managing the organization
– Focus on rules and procedures
– Enabling emphasis on being fluid and flexible

Page 11: Managing the IT Function: The CIO

• In many firms, the best way to manage the IT function is to have a Chief Information Officer (CIO)
– The CIO is in charge of IT in the firm and a senior member of management
• CIOs participate in planning and campaigning for the effective use of technology and for the appropriate level of investment in IT
• CIOs provide leadership and control over the IT function
• CIOs help the firm develop a competitive edge with the strategic use of IT

Page 12: How CIOs Add Value

• They have an obsessive and continuous focus on business imperatives
• They relay external IT success stories and show how they represent potential models for success in the firm
• They establish and maintain relationships with other executives and their own personnel
• They establish and communicate the IS performance record
• They focus on making IS development efforts successful
• They develop and share a challenging vision of the role of IT

Page 13: Questions CEOs Need to Address

• Some CEOs see IT as a strategic resource while others see IT as a cost. Common concerns that CIOs need to respond to include:
– Are we getting value for money invested in IT?
– How important is IT?
– How do we plan for IT?
– Is the IS function doing a good job?
– What is the IT strategy?
– What is my vision for the role of IT?
– What do we expect of the CIO?

Page 14: A Vision and Plan for IT

• A vision is a general statement of what the organization is trying to become.
– It needs to be sufficiently compelling to create enthusiasm for the plan to achieve it

• The IT plan combines the vision of IT with strategy to guide IT decision making
– The vision and strategy provide goals for the IT plan, which describes how to achieve them

Page 15: Contents of an IS Plan

• Executive summary
• Goals – general and specific
• Assumptions
• Scenario – vision of the firm
• Application areas – status, cost, schedule, priorities
• Operations
• Maintenance and enhancements
• Organizational structure – pattern of computing
• Effects of plan on the organization – financial impact
• Implementation – risks, obstacles

Page 16: Planning for Security and Control

• In today’s net-enabled environment, an increasingly important part of planning involves planning to control and secure the IT resource

Page 17: Control Systems

• The components of control systems are
– Standards for performance
– Sensory determination of actual conditions
– Comparison of standard with actual conditions
– Compensatory action if the deviation is too great
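As an added example (not from the slides or the course materials), the four control-system components above applied to a small security-operations control: a constructed failed-login log is sensed, compared against an assumed standard of at most three failures per account within a 60-second window, and a compensatory action is chosen when the deviation is too great. The thresholds, log format and action names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Standard for performance (assumed for this example): no more than
# MAX_FAILURES failed logins per account inside any WINDOW_SECONDS window.
MAX_FAILURES = 3
WINDOW_SECONDS = 60

# Constructed sample log lines (not real data): "<epoch seconds> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
1000 LOGIN_FAIL user=alice src=10.0.0.5
1010 LOGIN_FAIL user=alice src=10.0.0.5
1020 LOGIN_OK user=bob src=10.0.0.7
1030 LOGIN_FAIL user=alice src=10.0.0.5
1040 LOGIN_FAIL user=alice src=10.0.0.5
1050 LOGIN_FAIL user=alice src=10.0.0.5
1100 LOGIN_FAIL user=carol src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\d+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")


def sense(log_text):
    """Sensory determination of actual conditions: raw log -> (time, event, user) facts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines the sensor cannot interpret are skipped, not guessed at
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def compare(events, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Comparison of standard with actual conditions.

    Returns {user: peak_failures} for every user whose failures inside a
    sliding window of `window` seconds exceeded `max_failures`.
    """
    recent_failures = defaultdict(list)
    deviations = {}
    for ts, kind, user in sorted(events):
        if kind != "LOGIN_FAIL":
            continue
        recent = [t for t in recent_failures[user] if ts - t < window]
        recent.append(ts)
        recent_failures[user] = recent
        if len(recent) > max_failures:
            deviations[user] = len(recent)
    return deviations


def compensate(deviations, max_failures=MAX_FAILURES):
    """Compensatory action: escalate only when the deviation is too great.

    Assumed policy: one failure over the standard just raises an alert;
    more than that locks the account as well.
    """
    actions = {}
    for user, count in deviations.items():
        actions[user] = "lock_account_and_alert" if count > max_failures + 1 else "alert_only"
    return actions


def run_control_loop(log_text):
    """Standard -> sense -> compare -> compensate, as one pass over the log."""
    return compensate(compare(sense(log_text)))
```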

Page 18: (no text on this slide)

Page 19: When there are Failures of Control

• Examples of control breakdowns
– Worldcom
– Qwest
– Global Crossing

• What caused these? Probably, it was in part the reward systems for senior managers that consisted of stock options. Managers were rewarded for inflating the bottom line.

• IS has an important role to play in strengthening control systems
– Audits
– Monitoring
– Information dissemination
– Reporting

Page 20: Control of the Systems Development Process

• It is difficult to predict development time and development cost for new systems
– Package implementation can reduce this uncertainty

• Projects slip for a number of reasons
– Lack of user input
– Too few resources
– Too few individuals working on the project
– Lack of top management support
– Poor project management

Page 21: Control of Operations

• The Foreign Corrupt Practices Act requires publicly held companies to devise and maintain a system of internal accounting controls pertaining to several operational components
– Execution of transactions based on managerial authorization
– Recording of transactions so that financial statements can be properly created
– Records of assets are kept and audited for accuracy
– Managers sign off on financial statements and certify the correctness of the statements (Sarbanes-Oxley Act)
• The Sarbanes-Oxley Act: created to protect investors by improving the accuracy and reliability of corporate disclosures. The act covers issues such as auditor independence, corporate responsibility, and enhanced financial disclosure.

Page 22: Vulnerability of Systems: Where Does Control Fail?

• Errors in and intrusion of the operating system
• Errors in application programs
• Problems with database security
• Lack of network reliability and security
• Problems with adequate control of manual procedures
• Failure of management to maintain proper organizational control
• Open networks and connectivity
• Misuse or mistakes made by users

Page 23: Vulnerability of Systems: Where Does Control Fail?

Page 24: Control in the Organization: Controls can be created through…

• The structure of the organization
– Decentralized or centralized
• Rewards
• Management committee
• Budget
• Direct supervision
• Routine audits
• Establish and enforce standards and procedures
• Develop a plan and policy for managing database resources
– Data Backup/Recovery
– Data Concurrency Management
– Data Security

Page 25: Control in the Organization

Page 26: A Key Requirement for Control is Establishing IT Security

• Without security, the integrity of organizational IT resources will be at risk – therefore, security is everyone’s business

• Security is an increasingly important issue because of an increasing number of threats
– According to the statistics reported to CERT/CC over the past several years (CERT/CC 2003), the number of cyber attacks grew from approximately 22,000 in 2000 to 137,529 in 2003
– According to the 2004 E-Crime Watch Survey, 43% of respondents reported an increase in e-crimes and intrusions versus the previous year, and 70% reported at least one e-crime or intrusion was committed against their organization

Page 27: Security Concepts

• Authentication: The process by which one entity verifies that another entity is who they claim to be
• Authorization: The process that ensures that a person has the right to access certain resources
• Confidentiality: Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
• Integrity: Being able to protect data from being altered or destroyed in an unauthorized or accidental manner
• Nonrepudiation: The ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature
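Added example, not part of the original slides: the authentication, authorization and integrity concepts above in runnable Python using only the standard library (a salted PBKDF2 password check, a constructed access-control list, and an HMAC tag), with a comment on why an HMAC cannot give nonrepudiation. Confidentiality is not shown because the standard library has no cipher; user names, resources and messages are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


# --- Authentication: verify that an entity is who it claims to be.
# Constructed user store maps username -> (salt, PBKDF2 hash); no plaintext passwords.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(store, username, password):
    salt = os.urandom(16)
    store[username] = (salt, _hash_password(password, salt))


def authenticate(store, username, password):
    """True only if the recomputed hash matches; compared in constant time."""
    record = store.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(expected, _hash_password(password, salt))


# --- Authorization: an authenticated identity still needs the right to a resource.
# Constructed access-control list: resource -> set of users permitted to use it.
ACL = {"payroll.db": {"alice"}, "wiki": {"alice", "bob"}}


def authorize(username, resource, acl=ACL):
    return username in acl.get(resource, set())


# --- Integrity: detect unauthorized or accidental alteration with a keyed MAC.
def tag(key, message):
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key, message, mac):
    return hmac.compare_digest(tag(key, message), mac)


# Nonrepudiation is NOT provided by an HMAC: everyone who can verify the tag
# holds the same key and could have produced it, so a party can still deny
# authorship. Limiting that denial needs a signature made with a private key
# that only the signer holds (asymmetric cryptography), which the standard
# library does not offer and this example therefore leaves out.


def demo():
    """Exercise each concept once and return the outcomes (constructed data)."""
    store = {}
    register(store, "alice", "correct horse battery staple")
    results = {
        "authn_good": authenticate(store, "alice", "correct horse battery staple"),
        "authn_bad": authenticate(store, "alice", "wrong"),
        "authz_alice_payroll": authorize("alice", "payroll.db"),
        "authz_bob_payroll": authorize("bob", "payroll.db"),
    }
    key = secrets.token_bytes(32)
    msg = b"transfer 100 to account 42"
    mac = tag(key, msg)
    results["integrity_ok"] = verify(key, msg, mac)
    results["integrity_tampered"] = verify(key, b"transfer 900 to account 42", mac)
    return results
```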

Page 28: Types of Threats and Attacks

• Nontechnical attack: An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network

Page 29: Types of Threats and Attacks (cont.)

• Social engineering: A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access

Page 30: Types of Threats and Attacks (cont.)

• Multiprong approach used to combat social engineering:
1. Education and training
2. Policies and procedures
3. Penetration testing

Page 31: Types of Threats and Attacks (cont.)

• Technical attack: An attack perpetrated using software and systems knowledge or expertise

Page 32: Types of Threats and Attacks (cont.)

• Denial-of-service (DoS) attack: An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources

Page 33: Types of Threats and Attacks (cont.)

• Distributed denial-of-service (DDoS) attack: A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer

Page 34: Types of Threats and Attacks (cont.)

• Malware: A generic term for malicious software
– The severity of virus attacks is increasing substantially, requiring much more time and money to recover
– 85% of survey respondents said that their organizations had been the victims of e-mail viruses in 2002

Page 35: Types of Threats and Attacks (cont.)

– Malware takes a variety of forms, both pure and hybrid
• Virus: A piece of software code that inserts itself into a host, including the operating system, to propagate; it requires that its host program be run to activate it
• Worm: A software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine
• Macro virus or macro worm: A virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed
• Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk

Page 36: CERT: Recommendations for Governing Organizational Security

• Questions to ask:
– What is at risk?
– How much security is enough?
– How should an organization …
  • Develop policies on security
  • Achieve and sustain proper security

The CERT recommendations are derived from a report written by Julia Allen entitled Governing for Enterprise Security, which may be found at http://www.cert.org/archive/pdf/05tn023.pdf

Page 37: CERT: Recommendations for Governing Organizational Security

• What is at risk?
– Trust that the public has in your organization
– Reputation and brand
– Shareholder value
– Market confidence
– Regulatory compliance
  • Fines
  • Jail time
– Market share
– Customer privacy
– Ongoing, uninterrupted operations
– Morale of organizational members

Page 38: CERT: Recommendations for Governing Organizational Security

• How Much Security is Enough?
– “Management’s perspective needs to shift”

From / To:
– Scope: from Technical problem to Enterprise problem
– Ownership: from IT to Enterprise
– Funding: from Expense to Investment
– Focus: from Intermittent to Integrated
– Driver: from External to Enterprise
– Application: from Platform/practice to Process
– Goal: from IT security to Enterprise

Page 39: CERT: Recommendations for Governing Organizational Security

• Good Security Strategy Questions
– What needs to be protected?
  • Why does it need to be protected?
  • What happens if it is not protected?
– What potential adverse consequences need to be prevented?
  • What will be the cost?
  • How much of a disruption can we stand before we take action?
– How do we effectively manage the residual risk when protection and prevention actions are not taken?

Page 40: CERT: Recommendations for Governing Organizational Security

• What is Adequate Security?
– The condition where the protection strategies for an organization’s critical assets and business processes are commensurate with the organization’s risk appetite and risk tolerances

• Adequacy depends on…
– Enterprise factors: size, complexity, asset criticality, dependence on IT, impact of downtime
– Market sector factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure
– Principle-based decisions: Accountability, Awareness, Compliance, Effectiveness, Ethics, Perspective/Scope, Risk Management, etc.

Page 41: CERT: Recommendations for Evolving the Security Approach

Page 42: CERT: Recommendations for Evolving the Security Approach

Page 43: CERT: Recommendations for Evolving the Security Approach

• What Does Effective Security Look Like at the Enterprise Level?
– It’s no longer solely under IT’s control
– Achievable, measurable objectives are defined and included in strategic and operational plans
– Functions across the organization view security as part of their job (e.g., Audit) and are so measured
– Adequate and sustained funding is a given
– Senior executives visibly sponsor and measure this work against defined performance parameters
– Considered a requirement of being in business