Management Control and Security. MIS 503 Management Information Systems, MBA Program.

When It Comes to IT, What Has to be Managed?
– Relationships
– Strategy
– Infrastructure
– Human capital
– Innovation
– Solutions delivery
– Provisioning of service
– Financial performance

How do we manage all these interrelated functions and tasks?
– Organizations need to think about technology as an enabling force and incorporate IT in strategic, tactical, and operational decision making
– Several questions need to be addressed:
  – Decide how the IT function should be organized
  – Deal with organizational design issues that will affect IT implementation and use
  – Decide how to manage the future of the IT function
  – Decide how to plan for IT
  – Decide how to control and secure IT

How should the IT function be organized?
Two extreme structures for the IT group:
– Centralized:
  – Results in the lowest operational costs for the organization
  – Allows the greatest control over the IT resources
– Decentralized:
  – Allows greater flexibility
  – IT is managed closer to home, which should result in better service and greater innovation
  – Has the greatest potential for security problems

Factors Affecting IT Design: Organizational Politics
Information politics models:
– Technocratic utopianism: Technology positivism; "If we build it, they will use it." Model the firm's IT structure and rely on new technologies
– Anarchy: No overall information management policy
– Feudalism: Management of IT by individual business units; limited reporting to the organization
– Monarchy: Strong control by senior management; information may not be shared with lower levels of the firm
– Federalism: Management through consensus and negotiation about key IT decisions and structures

Factors Affecting IT Design: Organizational Culture
"Competing Values" perspective on organizational culture: four categories of organizational effectiveness, defined by organizational structure and focus
– Structure: flexible vs. control oriented
– Focus: internal vs. external

Factors Affecting IT Design: Organizational Culture
[Figure: The Competing Values Framework (after Quinn & Rohrbaugh, 1981)]

Organizational Models for IT: Models for Organizing IT for Innovation
– The Partner Model: IT personnel are partners in IT innovation
– The Platform Model: Build the infrastructure and let users focus on developing IT innovations
– The Scalable Model: Fast and quick; IT relies on external experts to develop innovations and bring them to the firm

Organizational Models for IT: Three Models for the IT Organization
– Partner model
  – Strategic position: IT is an active business partner for innovation
  – Characteristics: IT managers in divisions, corporate IT for leadership, matrix reporting in IT
  – Most applicable: Senior executives lack in-depth knowledge of IT, firm needs to promote IT innovation, solid IT leadership
– Platform model
  – Strategic position: IT provides infrastructure for the entire business
  – Characteristics: Corporate IT supervises overall infrastructure, businesses "own" IT innovations, IT account manager in each business
  – Most applicable: Global companies with diverse lines of business; company managers knowledgeable about IT
– Scalable model
  – Strategic position: IT remains flexible and able to undertake new initiatives quickly
  – Characteristics: Centralize IT to encourage commonality and reduce duplication, IT in business units
  – Most applicable: Cyclical businesses, global businesses with similar subsidiaries, e.g., oil retailer

Managing the IT Function
Regardless of the organizational structure, culture, and innovative focus, the IT function needs to be managed in a coordinated way.
Two extreme views of managing the organization:
– Focus on rules and procedures
– Enabling: emphasis on being fluid and flexible

Managing the IT Function: The CIO
In many firms, the best way to manage the IT function is to have a Chief Information Officer (CIO)
– The CIO is in charge of IT in the firm and a senior member of management
– CIOs participate in planning and campaigning for the effective use of technology and for the appropriate level of investment in IT
– CIOs provide leadership and control over the IT function
– CIOs help the firm develop a competitive edge with the strategic use of IT

How CIOs Add Value
– They have an obsessive and continuous focus on business imperatives
– They relay external IT success stories and show how they represent potential models for success in the firm
– They establish and maintain relationships with other executives and their own personnel
– They establish and communicate the IS performance record
– They focus on making IS development efforts successful
– They develop and share a challenging vision of the role of IT

Questions CEOs Need to Address
Some CEOs see IT as a strategic resource while others see IT as a cost. Common concerns that CIOs need to respond to include:
– Are we getting value for money invested in IT?
– How important is IT?
– How do we plan for IT?
– Is the IS function doing a good job?
– What is the IT strategy?
– What is my vision for the role of IT?
– What do we expect of the CIO?

A Vision and Plan for IT
– A vision is a general statement of what the organization is trying to become
  – It needs to be sufficiently compelling to create enthusiasm for the plan to achieve it
– The IT plan combines the vision of IT with strategy to guide IT decision making
  – The vision and strategy provide goals for the IT plan, which describes how to achieve them

Contents of an IS Plan
– Executive summary
– Goals: general and specific
– Assumptions
– Scenario: vision of the firm
– Application areas: status, cost, schedule, priorities
– Operations
– Maintenance and enhancements
– Organizational structure: pattern of computing
– Effects of plan on the organization: financial impact
– Implementation: risks, obstacles

Planning for Security and Control
In today's net-enabled environment, an increasingly important part of planning involves planning to control and secure the IT resource.

Control Systems
The components of control systems are:
– Standards for performance
– Sensory determination of actual conditions
– Comparison of standard with actual conditions
– Compensatory action if the deviation is too great

When There Are Failures of Control
Examples of control breakdowns:
– WorldCom
– Qwest
– Global Crossing
What caused these? Probably, it was in part the reward systems for senior managers that consisted of stock options. Managers were rewarded for inflating the bottom line.
IS has an important role to play in strengthening control systems:
– Audits
– Monitoring
– Information dissemination
– Reporting
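The four control-system components listed earlier (a standard, sensing of actual conditions, comparison, and compensatory action) together with the IS roles of monitoring and reporting, carried through as one added Python example. This is illustration code, not material from the slides: the "timestamp user result source" log layout, the threshold of three failed logons per user, and the "lock account and alert" response are all assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample authentication log (not from the slides). The
# "timestamp user result source" layout is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice OK 10.0.0.5
2024-05-01T09:00:07 bob FAIL 10.0.0.9
2024-05-01T09:00:09 bob FAIL 10.0.0.9
2024-05-01T09:00:12 bob FAIL 10.0.0.9
2024-05-01T09:00:15 bob FAIL 10.0.0.9
2024-05-01T09:00:18 bob FAIL 10.0.0.9
2024-05-01T09:00:30 carol FAIL 10.0.0.7
2024-05-01T09:00:45 carol OK 10.0.0.7
this line is malformed and must not crash the control
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) (\S+)$")

# Component 1 - standard for performance: at most this many failed
# logons per user in the measured window (assumed threshold).
STANDARD_MAX_FAILURES = 3


@dataclass(frozen=True)
class Finding:
    user: str
    failures: int
    standard: int
    action: str  # compensatory action taken


def measure(log_text: str) -> Counter:
    """Component 2 - sensory determination of actual conditions:
    count failed logons per user, skipping lines that do not parse."""
    failures: Counter = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue  # malformed input is skipped, never counted as a failure
        _, user, result, _ = match.groups()
        if result == "FAIL":
            failures[user] += 1
    return failures


def compare(failures: Counter, standard: int = STANDARD_MAX_FAILURES) -> list[Finding]:
    """Components 3 and 4 - compare actual conditions with the standard
    and decide the compensatory action when the deviation is too great."""
    findings = []
    for user, count in sorted(failures.items()):
        if count > standard:
            # Assumed response: lock the account and alert the security team.
            findings.append(Finding(user, count, standard, "lock_account_and_alert"))
    return findings


def run_control(log_text: str, standard: int = STANDARD_MAX_FAILURES) -> list[Finding]:
    """One pass of the control loop over a log extract."""
    return compare(measure(log_text), standard)


def report(findings: list[Finding]) -> list[str]:
    """Information dissemination and reporting: one line per deviation,
    suitable for an audit trail or a management report."""
    if not findings:
        return ["no deviations from standard"]
    return [
        f"{f.user}: {f.failures} failed logons exceeds standard of {f.standard}; action={f.action}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(run_control(SAMPLE_LOG)):
        print(line)
```

The point of splitting the loop into `measure`, `compare` and `report` is that each component can be audited on its own: the standard is a named constant that management can review, the measurement is reproducible from the raw log, and the report is the record that the comparison and the compensatory action actually happened.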

Control of the Systems Development Process
– It is difficult to predict development time and development cost for new systems
  – Package implementation can reduce this uncertainty
– Projects slip for a number of reasons:
  – Lack of user input
  – Too few resources
  – Too few individuals working on the project
  – Lack of top management support
  – Poor project management

Control of Operations
The Foreign Corrupt Practices Act requires publicly held companies to devise and maintain a system of internal accounting controls pertaining to several operational components:
– Execution of transactions based on managerial authorization
– Recording of transactions so that financial statements can be properly created
– Records of assets are kept and audited for accuracy
– Managers sign off on financial statements and certify the correctness of the statements (Sarbanes-Oxley Act)
The Sarbanes-Oxley Act was created to protect investors by improving the accuracy and reliability of corporate disclosures. The act covers issues such as auditor independence, corporate responsibility, and enhanced financial disclosure.

Vulnerability of Systems: Where Does Control Fail?
– Errors in and intrusion of the operating system
– Errors in application programs
– Problems with database security
– Lack of network reliability and security
– Problems with adequate control of manual procedures
– Failure of management to maintain proper organizational control
– Open networks and connectivity
– Misuse or mistakes made by users

Control in the Organization: Controls can be created through...
– The structure of the organization
  – Decentralized or centralized
– Rewards
– Management committee
– Budget
– Direct supervision
– Routine audits
– Establishing and enforcing standards and procedures
– Developing a plan and policy for managing database resources
  – Data backup/recovery
  – Data concurrency management
  – Data security

A Key Requirement for Control is Establishing IT Security
– Without security, the integrity of organizational IT resources will be at risk; therefore, security is everyone's business
– Security is an increasingly important issue because of an increasing number of threats
  – According to the statistics reported to CERT/CC over the past several years (CERT/CC 2003), the number of cyber attacks grew from approximately 22,000 in 2000 to 137,
  – According to the 2004 E-Crime Watch Survey, 43% of respondents reported an increase in e-crimes and intrusions versus the previous year, and 70% reported at least one e-crime or intrusion was committed against their organization

Security Concepts
– Authentication: The process by which one entity verifies that another entity is who they claim to be
– Authorization: The process that ensures that a person has the right to access certain resources
– Confidentiality: Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
– Integrity: Being able to protect data from being altered or destroyed in an unauthorized or accidental manner
– Nonrepudiation: The ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature
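Three of the concepts above (authentication, authorization and integrity) shown as working checks in an added Python example that uses only the standard library; this is not code from the slides. The password, the access-control list for a file called payroll.csv, and the salary record are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os

# --- Authentication: verify that a claimant knows the password ---------

def enroll_password(password: str, iterations: int = 200_000) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def authenticate(stored: dict, password: str) -> bool:
    """Recompute the digest for the claimed password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), stored["salt"], stored["iterations"]
    )
    return hmac.compare_digest(candidate, stored["digest"])


# --- Authorization: does an authenticated user hold the right? ---------

# Constructed access-control list for the example (resource -> user -> actions).
ACL = {
    "payroll.csv": {"alice": {"read", "write"}, "bob": {"read"}},
}


def authorize(user: str, resource: str, action: str) -> bool:
    """Deny by default: only explicitly granted actions are allowed."""
    return action in ACL.get(resource, {}).get(user, set())


# --- Integrity: detect unauthorized or accidental alteration ------------

def _canonical(record: dict) -> bytes:
    # Deterministic encoding so identical content always yields the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(key: bytes, record: dict) -> bytes:
    """HMAC-SHA256 tag over the record; anyone without the key cannot forge it."""
    return hmac.new(key, _canonical(record), hashlib.sha256).digest()


def verify_record(key: bytes, record: dict, tag: bytes) -> bool:
    return hmac.compare_digest(tag_record(key, record), tag)


def demo() -> dict:
    """Run the three checks on constructed data and return the outcomes."""
    stored = enroll_password("correct horse battery staple")
    key = os.urandom(32)  # integrity key shared by the writer and the verifier
    record = {"employee": "bob", "salary": 52000}
    tag = tag_record(key, record)
    tampered = dict(record, salary=95000)  # altered after the tag was issued
    return {
        "auth_ok": authenticate(stored, "correct horse battery staple"),
        "auth_wrong": authenticate(stored, "Tr0ub4dor&3"),
        "alice_write": authorize("alice", "payroll.csv", "write"),
        "bob_write": authorize("bob", "payroll.csv", "write"),
        "unknown_file": authorize("alice", "ledger.csv", "read"),
        "intact": verify_record(key, record, tag),
        "tampered": verify_record(key, tampered, tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Confidentiality and nonrepudiation are deliberately left out because the standard library provides neither authenticated encryption nor digital signatures. The caveat worth remembering from this example is that an HMAC tag gives integrity but not nonrepudiation: both parties hold the same key, so either of them could have produced the tag, and a transaction can still be refuted. Nonrepudiation needs a signature made with a private key that only the signer holds, as the definition above says.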

Types of Threats and Attacks
– Nontechnical attack: An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network
– Social engineering: A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access
– Multiprong approach used to combat social engineering:
  1. Education and training
  2. Policies and procedures
  3. Penetration testing
– Technical attack: An attack perpetrated using software and systems knowledge or expertise
– Denial-of-service (DoS) attack: An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources
– Distributed denial-of-service (DDoS) attack: A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer
– Malware: A generic term for malicious software
  – The severity of virus attacks is increasing substantially, requiring much more time and money to recover
  – 85% of survey respondents said that their organizations had been the victims of e-mail viruses in 2002
  – Malware takes a variety of forms, both pure and hybrid:
    – Virus: A piece of software code that inserts itself into a host, including the operating system, to propagate; it requires that its host program be run to activate it
    – Worm: A software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine
    – Macro virus or macro worm: A virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed
    – Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk

CERT: Recommendations for Governing Organizational Security
Questions to ask:
– What is at risk?
– How much security is enough?
– How should an organization...
  – Develop policies on security
  – Achieve and sustain proper security
The CERT recommendations are derived from a report written by Julia Allen entitled Governing for Enterprise Security, which may be found at

CERT: Recommendations for Governing Organizational Security
What is at risk?
– Trust that the public has in your organization
– Reputation and brand
– Shareholder value
– Market confidence
– Regulatory compliance
  – Fines
  – Jail time
– Market share
– Customer privacy
– Ongoing, uninterrupted operations
– Morale of organizational members

CERT: Recommendations for Governing Organizational Security
How Much Security is Enough?
– "Management's perspective needs to shift

CERT: Recommendations for Governing Organizational Security
Good security strategy questions:
– What needs to be protected? Why does it need to be protected? What happens if it is not protected?
– What potential adverse consequences need to be prevented? What will be the cost? How much of a disruption can we stand before we take action?
– How do we effectively manage the residual risk when protection and prevention actions are not taken?

CERT: Recommendations for Governing Organizational Security
What is adequate security?
– The condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances
Adequacy depends on...
– Enterprise factors: size, complexity, asset criticality, dependence on IT, impact of downtime
– Market sector factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure
– Principle-based decisions: accountability, awareness, compliance, effectiveness, ethics, perspective/scope, risk management, etc.

CERT: Recommendations for Evolving the Security Approach
What does effective security look like at the enterprise level?
– It's no longer solely under IT's control
– Achievable, measurable objectives are defined and included in strategic and operational plans
– Functions across the organization view security as part of their job (e.g., Audit) and are measured accordingly
– Adequate and sustained funding is a given
– Senior executives visibly sponsor and measure this work against defined performance parameters
– It is considered a requirement of being in business