
Module 9: IS operational and security issues

Overview
Firms that make extensive use of information systems must contend with a number of ongoing challenges.
Planning for systems, and then building or buying and implementing them, accounts for only about 20% of an
IS department's budget. Maintaining systems and dealing with ongoing operations reflect the largest expenses
of the IS department, the balance of the remaining 80%.
There are many IS operations issues. Strategic planning, data quality, and the management of IS personnel,
which relate to ongoing operations, were covered in Module 2. This module focuses on some other important
operational and security issues, which can be categorized into three classes:
structuring of the IS function, particularly the ownership of IS resources
protecting IS resources from accidental or intentional threats
addressing ethical challenges associated with IS operations
Topic 9.1 deals with the ownership of resources. Decisions about what functions to outsource, what functions
to own, and what kinds of providers to work with when outsourcing are critical to the structuring of the IS
function. Not all resources have to be owned by the firm, and making these choices is an important general
management role.
Topics 9.2 to 9.4 address IS security issues, and Topic 9.5 provides an overview of the issues surrounding the
ethics of IS.
At the end of this module, you should be able to advise on implications of IT acquisitions and vendor selection,
implement and advise on measures to mitigate enterprise risk, advise on the development of business
continuity planning, and apply professional ethical standards.
9.1 Outsourcing and outsourcing models
9.2 IS security: Threats and vulnerability
9.3 Dealing with security threats
9.4 Role of auditing in IS security
9.5 Ethical issues
Module summary
9.1 Outsourcing and outsourcing models
Learning objectives
Evaluate the advantages and disadvantages of outsourcing information systems, and assess
different outsourcing models. (Level 1)
Evaluate the key factors to address when considering an outsourcing arrangement. (Level 1)
Required reading
Chapter 11, Section 11.4, Technology Issues and Opportunities for Global Value Chains
Review Chapter 9, Section 9.3, Alternative Systems Development Approaches
Module scenario: Change from the Inside Out
The article was titled "Outsourcing IT Saves Businesses 20%," and it was placed on the corner of your desk.
The 20% was circled a few times. It was the first thing you saw when you arrived at work Monday morning.
Attached to the front of the article was a sticky note from the CEO asking you two things: one, your strategy
on outsourcing IT and two, when you are going to implement it. You were also invited to visit the CEO that
afternoon at 3 p.m. to discuss your plans.
It wasn't that you had been ignoring the outsourcing of some IT functions. For the past month you have been
narrowing down areas of IT that could be outsourced. The key is outsourcing without disrupting the business.
Backups will be first on the list, eliminating your archaic tape backup subsystem in favour of a cloud-based
solution. Over time, this will save money, but you sense that the CEO is thinking bigger. But you worry about
fragmenting your staff, about losing skills that have taken years to develop. You worry about the impact on
your staff morale too. Yes, there is money to be saved, but the balanced scorecard has shown that there is
more to evaluation and decision making than a pure financial cost. Maybe the help desk? But if you do that,
you know that three of your technical staff will be gone. Decisions involving the livelihood of people are never
easy.
In the early days of information systems, all processing was external. You bought time on large, centrally
controlled machines that took punched cards as input. There was no such thing as internal IT staff. "Are we
returning to that model?" you wonder. "Will IT become solely a service, a utility that companies pay for as
needed, but do not see the value in staffing themselves?" It seems improbable, and just a little too far away
from your decisions today.
But as you prepare your ideas and support for this afternoon's meeting, it keeps nagging at you, the same way
you felt when two years ago you let your most senior developer go, because you could easily assemble a
virtual team, as needed, to handle any future development requests. "IT as a commodity," you think, echoing
the words of Nicholas Carr a decade earlier.
LEVEL 1
The text provides a brief overview of the advantages and disadvantages of IT outsourcing in the context of
alternative systems development approaches.
Outsourcing is an effective way to provide a portion of a firm's information systems services. Outsourcing can
result in lower costs and better performance, if managed well. But managing outsourcing arrangements is
complex. It depends more on partnership management than on control, and there are many risks to be
considered. For example, when a key element on a project is outsourced, and no longer under your direct
control (because consultants of outsourcing firms can have many clients simultaneously), something as simple
as an ad-hoc meeting can be almost impossible to arrange. Using today's virtual software helps address the
meeting issue; people may not be physically available, but they can be remotely available. Smart planning for
outsourcing deals is an important way to improve the chances of productive and profitable relationships.
Expectations of time and commitment are topics that must be clearly stated and agreed on in the outsourcing
contract.
Activity 9.1-1: Financial systems outsourcing
CGAs with IS expertise have many opportunities in financial systems outsourcing projects. In this reading called
"Living It," you'll be introduced to a successful CGA practitioner who has made this his focus.
What is outsourcing?
Outsourcing in information systems is defined as the practice of contracting computer centre operations,
telecommunications networks, or applications development to external vendors.¹
Two aspects of this definition of outsourcing need further explanation. First, many texts describe outsourcing as
an alternative to traditional systems development methods. Yet, to think about outsourcing as a systems
development approach puts a great deal of emphasis on applications development while ignoring computer
centre operations and telecommunications. Outsourcing is at least as much about the management of the
function and dealing with operational issues as it is about systems development.
Second, the definition does not explicitly acknowledge that outsourcing involves contracting for all or part of the
functions described. Too many managers think about outsourcing as being about turning over the entire IS
function, or at least the vast majority of it, to an external provider. Yet recent research suggests that there are
only a handful of total outsourcing deals around the world. The most common method for outsourcing is
selective outsourcing.
Outsourcing history
Outsourcing has its historical roots in the timesharing systems of the late 1960s and early 1970s. In the earliest
days of corporate computing, hardware was extremely expensive and there were relatively few specialists
capable of designing and building systems. Most of the applications were highly structured (for example, payroll
and general ledger), and it was common to purchase access to systems through a timesharing firm. For many
firms, this was the only way they could ensure reliable processing of business data.
As computer prices dropped dramatically (especially with the development of the minicomputer and then the
PC), the financial incentive to pursue timesharing became less attractive. Moreover, specialists became more
common as educational institutions designed programs to teach them. At the same time, companies began to
recognize that there were other things they could do with the information in their systems, things that might be
best handled in proprietary ways to provide strategic advantage. The majority of companies began to build
their own internal systems, purchase their own hardware, and control all (or nearly all) aspects of their IS
operations.
By the mid-1980s, IS costs were spiralling out of control (according to many senior managers), and it was not
clear what benefits were being achieved. A few notable firms (for example, Eastman Kodak and First Fidelity
Bancorporation) started to pursue outsourcing of their systems, a new take on timesharing with new
partners. One key difference was that the systems being outsourced were not generic applications but those
that had previously been considered strategic by the firms. The accepted wisdom that you had to own
resources that were considered strategic began to be questioned.
Today, many IS departments outsource portions of their responsibilities. And with the current trend toward
cloud computing, including SaaS, IaaS, and PaaS models, many businesses are experiencing setup cost
reductions. Finding and retaining computing staff with technical expertise is often an issue for businesses, but
now these skill sets are readily available through the outsourcer. The outsourcer offers expertise in the
particular area or function you are outsourcing, often with more skilled and current staff than your own.
Outsourcing models
The following are different models and variations of outsourcing. Two of the top players are IBM Global
Services and Accenture, but India-based firms like Infosys Technologies, Tata Consulting, and Wipro
Technologies are growing at a faster pace and are all in the top 10 spots.
Traditional outsourcing model
The traditional outsourcing model involves an outsourcing provider who remotely runs custom-designed
applications for a firm. The outsourcing provider may maintain specific hardware for that firm or may have
multiple firms using the same hardware (for example, a large mainframe running applications for three different
firms, all coexisting in different environments). Telecommunications connections often include T1 lines, or
dedicated leased lines for greater security, to ensure high performance through the network. The outsourcing
provider adds value through its expertise, its ability to attract skilled professionals, and the economies of scale
that accrue from combining applications on single hardware platforms.
Cloud computing
Cloud computing has edged its way into the outsourcing plans of many organizations. Where it was once
considered a fringe and risky part of computing, it has now become mainstream. For example, outsourcing
services are offered by respected companies such as Amazon, Microsoft, Google, Oracle, Salesforce, and many
others. There are generally three models of cloud computing: SaaS, IaaS, and PaaS. Cost is an important factor
for cloud, as is scalability, which is often built into the solution at the start so it can expand or contract as
needed. Each of the three cloud models will now be discussed.
SaaS model
Today, outsourcing includes both traditional outsourcing and new models. The application service provider
(ASP) model had a rocky start, but has been rebranded as SaaS (software as a service). In the SaaS
approach, the provider runs relatively generic applications accessed through the Internet. Firms contracting
with SaaS providers get very little choice in their application design, but can get very low rates for monthly
access. SaaS services were initially provided by third-party companies. These organizations would purchase
applications from software companies and then offer to own and run them for clients. Many of these early firms
struggled financially, and now the SaaS market is dominated by the software companies themselves, who seek
alternative ways of marketing their products (such as leasing and on-demand services rather than licensing).
The SaaS model has fit a niche where large software vendors such as SAP and Oracle, who once sold only to
large enterprise customers, now target SMEs. Gartner predicts that by 2015, SaaS models will account for a
US$21.3B industry.²
SaaS models not only include hosted software but storage as well.
IaaS model
Where SaaS is concerned with software and storage, IaaS is about infrastructure. A cloud-based server can be
shared and divided into multiple virtual machines, each running independent operating systems and application
software. These services are offered by such providers as Amazon, with EC2 (Elastic Cloud 2), Rackspace
Cloud, Google Compute Engine, and others. For connectivity, businesses can use the Internet as a more
standard cloud solution by using a provider's data centre (for cloud users), although this may pose response
and security problems. Businesses can also opt to use a carrier cloud, which integrates wide area networks for
more demanding cloud-based applications that best mimic the configurations and response of on-site
installations.
PaaS model
The platform-as-a-service model delivers a computing platform for developers. It usually includes an OS, an
execution environment for a specific programming language, a database, and a web server. The idea behind
PaaS is that developers can concentrate on the program they are writing as opposed to all the underlying
infrastructure of hardware and software that they would be forced to manage in a local install. Examples of
PaaS providers include Google App Engine, Windows Azure Cloud Services, and AWS Elastic Beanstalk (Amazon
Web Services).
Utility models
Another model in outsourcing relates to the ability to outsource additional processing power as needed. This is
utility or on-demand processing, where companies occasionally need a boost in resources, but not with enough
frequency to make them purchase and configure more servers. Instead, a third party offers computation
resources, storage, or services that the using company pays for on an as-needed basis, like a utility. Amazon
EC2 is an example of utility computing. This model is now folding into the IaaS model, and is no longer referred
to as a separate entity.
Edge computing
Edge computing is similar to the processing offer of utility computing, in that it is about balancing capacity, but
focuses on the realm of web servers. It replicates fragments of information across distributed networks of web
servers, and decentralizes the processing from a single web server to a clustered web server farm. The term
edge computing describes how data, applications, and computing power are pushed away from a centralized
server to the edge or extremities of a network. Examples of companies that offer edge computing software and
services are Akamai and Limelight Networks.
Shared service facilities
Other variations on the outsourcing model are common in web operations. Shared service facilities, where a
provider and its customers work as a team in maintaining and operating systems, are used in both traditional
data processing and e-commerce. Because of security concerns, many companies want to run their website
from computers that are separate from the in-house production systems. Limiting the points of connectivity
between these systems limits the risk of outsiders gaining access to internal systems.
For both of these reasons, web hosting, which is contracting a company to design and/or operate a website,
became a common practice. Various kinds of hosting facilities exist, ranging from those that only provide a
place to store and operate hardware and a connection to the Internet (co-location facilities) to those that
provide sophisticated development, implementation, and operational assistance, including performance
monitoring, security, and disaster recovery services (shared and dedicated hosting facilities). The difference
between shared and dedicated hosting facilities is whether your organization's applications are on a separate
server from the other customers of the provider.
Outsourcing in a global marketplace
In the last ten years or so, new competitors in the outsourcing arena have emerged in the developing
economies. This list, from Bloomberg Businessweek, shows the top five country rankings for outsourcing
destinations in 2007:
India, China, Malaysia, Thailand, and Brazil
In 2012, the list was updated:
Philippines, China, Vietnam, Poland, and India
Historically, the motivation for offshore outsourcing has been largely financial. Estimates of the wage
differential between North America and India suggest it might be five times cheaper to locate IS tasks in India.
Even factoring in the so-called hidden costs of offshore outsourcing (higher costs of negotiating and
monitoring contracts, challenges in dealing with language, infrastructure costs (roads, power), and so on), the
savings can still be significant.
In a global marketplace, however, chasing the lowest wage rate to gain high savings is ultimately a losing
game. As Indian firms have become more globally competitive, their volume of work has increased and their
staff needs have increased to the point where there is competition for key talent. As a result, salaries in the
sector have increased, and new offshore destinations such as China and Korea have started to develop.
Theoretically, over a long period of time, wage rates around the world will even out until there is little
wage-rate benefit to any particular location. Indian software firms understand this challenge and have expended
significant resources to become more than just a low cost player. The investment by Indian firms in developing
capability maturity model (CMM) certification is one of the means by which they attempt to distinguish
themselves as suppliers of choice.
Not all IS jobs are amenable to offshore outsourcing; programming work is easily sent overseas since it can
be done reasonably independently from the work of the organization (assuming good specifications are
written). But some IS work is tightly coupled with the business processes it supports. The work of business
analysts, for example, depends on regular interaction with users, and knowledge of both the industry and the
company. While it is theoretically possible to do this work at a distance using technology-mediated
communications, the issue is about more than technology.
Interestingly, in some of these areas that are closer to the user, Canada has become an offshore destination for
U.S. companies. The practice is referred to as near-shoring. The financial savings are not as great as they
would be with offshoring to an emerging economy, but there are benefits in terms of cultural similarity and
ease of communication (for example, less significant time zone differences, and more potential for occasional
face-to-face interaction).
Outsourcing advantages and disadvantages
Outsourcing offers many advantages to firms that pursue it as an IS management approach. Many risks and
limitations are also associated with the approach. These pros and cons must be evaluated for each firm and
each task that is considered a candidate for outsourcing.
Advantages
The key advantages of outsourcing can be summarized as follows:
cost savings through economies of scale and scope
infusion of cash through liquidation of computer assets
facilitation of the transition of data centre from cost centre to profit/loss centre
ability to rapidly introduce new technology and access IS talent
focus on core competencies
Cost savings
Cost savings accrue from economies of scale (sharing a large mainframe computer across multiple different
clients) and economies of scope (working across a larger range of projects and processes and allowing fixed
cost resources to be spread over more kinds of work). The ability to save costs is a key management motivator
for outsourcing and can be a very real benefit. Forrester estimates that firms can save between 12 and 17% of
their current IT spending by effectively outsourcing some elements.³
Infusion of cash
The infusion of cash that often occurs at the start of an outsourcing deal, when assets are liquidated (often
they are sold to the outsourcing provider), is a short-term benefit. On its own, it is a poor reason to pursue a
long-term business arrangement such as outsourcing, but it can have a nice one-time effect on the cash
balance in the year in which the outsourcing deal is completed.
Cost centre operation
IS departments in organizations tend to operate as cost centres rather than as profit centres. (In other words,
because they are support services for the organization and do not generate revenue or product value, they are
evaluated based on their ability to control costs rather than based on profits. They are indirect, rather than
direct, labour in the value stream.) This is fine in principle, but there is a danger that costs will not be managed
well enough because there is no revenue or benefit figure against which to compare them. Outsourcing
arrangements, on the other hand, require an explicit comparison between revenues and costs and can thus
result in more efficient IS operations. This is especially true with data centre operations.
Access to new technology and IS talent
The next two benefits of outsourcing come from the expertise developed by the outsourcer. Because these
firms are in the business of providing effective and efficient IS services to clients, it is in their business interest
to develop deep expertise in technology and its application. An outsourcer may be able to more rapidly develop
and implement a new technology. Moreover, outsourcers have better access to new technology and new IS
talent because of their focus on IS.
Focus on core competencies
Finally, outsourcing arrangements, by turning over the IS operations to a firm that specializes in those tasks,
allow the organization to focus its internal resources on its own core competencies. For most firms, IS is not a
core competency. Working in partnership with a firm for whom it is a core competency frees up management
attention to focus on other priorities, and helps IS reduce the 80% role of maintaining existing systems.
Risks and limitations
The critical risks and limitations of outsourcing include:
loss of direct managerial control
potential for lock-in (difficulty in reversing decision)
dependence on the outsourcer's viability (financial strength, responsiveness, service, and so on)
diluted strength of in-house staff
lack of knowledge of the business by the vendor (outsourcer)
lack of flexibility
untenable long-term contracts; fixed price versus service trade-off
requirement for skills in partnership management
strategic factors
Loss of direct management control
The loss of direct management control concerns many managers. While control does not necessarily result in
higher performance (especially when the outsourcer has better expertise and can take advantage of scale or
scope economies), the loss of control does necessitate a new way of thinking about how to manage the
function. Constant communications between the manager and the outsource vendor are key to ensure that the
partnership is successful.
Potential for lock-in and vendor dependence
There is also the fundamental ethical issue of whether the outsourcer is trustworthy. Of course, it is important
to do due diligence before engaging an outsourcer by checking references and having legal counsel review
contractual arrangements. However, no amount of due diligence or legal reviews will replace dealing with
trustworthy contractors. While business is inherently competitive, it also depends on trust and good ethics.
Hence, it is important to get a sense of the ethical character and track record of potential outsourcers. It is just
as important to realize that trust is a two-way street; if you expect others to behave in a trustworthy way you
need to do the same.
Twice in 2012, Amazon Web Services suffered outages that brought down some popular customers like Netflix,
Pinterest, and Instagram. These are pure-play Internet companies where any downtime could potentially
cripple the organization. Also, as reported by PC World on October 27, 2012, "A third of us now access a site
that uses Amazon Web Services as its backend at least once a day, according to a recent DeepField Networks
survey."⁴
Viability of the outsourcer
Dependency on the outsourcer plays a role in the ability to negotiate contracts, but it also exposes the
organization to the business risks of the outsourcer. What happens if the outsourcer goes bankrupt, as
happened to several ASPs in 2001? How will you deal with issues of data and resource ownership and ensure
that your systems keep operating? What happens if the outsourcer decides to change its market focus? The
outsourcer may continue to provide service, but the expertise you have come to rely on may not be maintained
as other options are pursued. What if the outsourcer can no longer expertly maintain your company resources
and wants to hire a third-party contractor? Understanding the viability and strategy of your outsourcing partner
is a critical element of developing this kind of partnership.
Dilution of in-house IT staff
One of the reasons dependency increases is that the strength of your in-house IS staff is diluted over time. If
data centre operations are outsourced, for example, most of your staff in this function will leave. They will
either be "acquired" by the outsourcer along with your hardware and software, or they will leave the firm to
work elsewhere, voluntarily or not. This is a necessary part of the outsourcing arrangement if cost savings are
to be achieved. A small staff may be kept to act as relationship managers with the outsourcer, but the skills
required of these employees will be different than those required in the past. As a result, much of your internal
technical expertise will vanish. Not only does this decrease your ability to walk away from the arrangement, but
it also makes it more difficult to manage the outsourcer, as it now has more expertise than you. The shift in
power in the arrangement becomes noticeable because now you often need the outsourcer more than they
need you. At this point, vendor lock-in is already well underway.
Lack of knowledge of your business
While a key advantage of outsourcing arrangements is the expertise that the outsourcer has in the
management of IS, these firms lack detailed knowledge of your business. Because success in IS comes from
matching IT opportunities with firm needs, understanding both the technology and business is necessary. This
relates back to the strategic focus of the outsourcer. Companies that specialize in providing services in your
industry or related industries likely have a better sense of the issues you will face. Without this expertise, there
will be a greater education and communication requirement between the two firms to ensure that needs are
understood and met.
Reduced flexibility
If economies of scale and scope are key reasons why outsourcers are able to charge lower prices for the same
services, it stands to reason that they will try to limit the options for any one firm to increase similarity across
organizations. The result is reduced flexibility in how applications are operated. Flexibility may also be lost in
the provision of support services (for example, your help desk operations are merged with the outsourcer's
central help desk), the handling of maintenance processes, and in other aspects of IS operations. The
importance of this flexibility to the firm must be critically examined to determine whether it is worth the added
cost that it usually involves.
Risks of a fixed-price contract
A related issue is the trade-off between fixed-price contracts and fee-for-service contracts, especially when the
contracts are long-term. Deciding how to price an outsourcing contract is complex. The organization buying the
contract would, ideally, like to have a known price that cannot be easily changed to protect it from the
dependencies described earlier. Many outsourcing contracts are like this. However, if the costs of providing the
service turn out to be substantially higher than expected, the outsourcer faced with a fixed-price contract will
have little choice but to reduce service levels as much as possible. If such situations are not handled well, there
is a risk that the IS operations will not provide adequate support to the business. Documentation of events and
communications between managers of both companies are necessary to ensure that the outsourcing
relationship remains profitable to both companies.
Skills in partnership management
Many of these factors point to the need for skills in partnership management in order to make outsourcing
work successfully. Dealing with contract issues requires the development of a trusting relationship and a set of
mechanisms for determining when the conditions of the contract have changed sufficiently to warrant
renegotiation. Dealing with management of the outsourcer, when the resources are outside of your direct
control, also requires partnership management skills. This is not really a limitation of outsourcing, but you
should realize its importance in dealing with many of the limitations presented. Companies considering
outsourcing solutions should have managers that have experience with these joint arrangements. Managing an
outsource arrangement is not the same as managing an internal employee.
Strategic factors
A final concern with outsourcing relates to strategic factors. This broad category refers to the idea that
applications and processes that are core to the company may not be best handled by an outsourcer. This is not
a simple decision. It may still be that outsourcing is the best approach, even for strategic applications such as
supply chain and customer relationship management. The question is whether the way the processes are
handled is sufficiently novel to warrant keeping direct control.
SaaS advantages and disadvantages
The SaaS approach to outsourcing is slightly different than the traditional approach. Along with the general
advantages and disadvantages of outsourcing that have already been covered, there are some specific benefits
and limitations relevant to the SaaS approach.
Advantages of SaaS
With the SaaS approach, you access applications and data primarily through the Internet with any web
browser. This results in simpler access, which may be particularly valuable to small firms who cannot afford the
infrastructure to maintain their own communications platform and to firms with a high number of mobile
workers.
The SaaS approach is a pay-as-you-use subscription pricing model, or service on demand. Applications are
leased or subscribed to, rather than licensed. Like traditional outsourcing, this turns capital costs into operating
costs. But SaaS contracts tend to be much more usage-based than traditional outsourcing contracts. This is
valuable to organizations that are growing rapidly, because they often need to buy services now that can be
scaled up as additional capacity is needed, which is also the appeal for SaaS subsets like
infrastructure-as-a-service and edge computing.
Also, the SaaS approach, relying on relatively more generic implementations of software applications, can result
in a much faster implementation time. Training IS employees under a SaaS model costs much less as the
technical, infrastructure, and storage issues are all handled as part of the subscription through the provider.
Limitations of SaaS
The primary limitation of the SaaS approach is that the applications tend to be generic because they service so
many clients. In fact, the value proposition of the SaaS is access to generic applications at a very low cost.
This may limit the flexibility of the firm even more than a traditional outsourcing arrangement, and may be
unacceptable for organizations with more complex processes. Or it may increase the complexity of the
arrangement if the customer must extract data to their own site in order to perform additional tasks that the
vendor software cannot accommodate. Performance of a SaaS application depends on Internet loading and
outages, as well as on the transaction loads of other SaaS clients.
Finally, SaaS applications are susceptible to Internet hackers worldwide. Security challenges must be carefully
dealt with. Encryption, authentication, and VPN secured tunnels are all methods that must be explored and
included in any SaaS agreement.
Negotiating outsourcing contracts
Most of the downsides of outsourcing relate to risk. There is the risk that you will become dependent on an
outsourcer who will then take advantage of you, or that you will partner with a company that will subsequently
go out of business. You must create an arrangement (that is, select a partner and negotiate a contract) to try
to minimize these risks, and thereby maximize the likelihood that the advantages will be obtained. With an
outsourcing agreement, because it is not a one-time deal but is forged over time, the goal of the negotiations
is a win-win solution, not a winner-take-all approach. If either side feels undermined in the agreement, the
resulting relationship will be adversarial rather than partnership-based. Outsourcing agreements are a slow and
careful process that leads to workable solutions by both partners, not a one-time event.
This process of creating win-win situations is often described in game theoretic terms. See, for example, the
reading from ERH Unit B3 on "Making a moral corporation" by Peter Danielson, which tells the story of how the
Hanko Corporation created a win-win situation with its major customer by turning itself into a thoroughly
trustworthy corporation. This topic is also discussed in ERH Unit A4 under the heading "Game Theory: The
Prisoner's Dilemma."
A number of factors have been shown to lead to more successful outsourcing contracts, measured by the
degree to which cost savings are realized.
Selective outsourcing arrangements
Successful experiences tend to happen with selective, rather than total, outsourcing arrangements. Selective
outsourcing arrangements allow a firm to make function-by-function decisions about which functions to keep in
the firm and which to outsource. They also minimize the risks of dependence and staff dilution by keeping a
significant amount of functionality in-house. Also, where outsourcing arrangements once included mega-
contracts with single provider firms, many companies now are splitting the services to help counter vendor
lock-in and reliance.
Involving IS and senior management
Joint decision making by IS management and senior executives about how to implement outsourcing is also
important to success, as is the consideration of formal internal and external bids. For many senior managers,
outsourcing seems like an easy way to deal with the problem that they perceive IS to be. They see spending
they don't understand, they hear from a vendor that it can be reduced by 20% or more, and they are tempted
to leap at the opportunity to get rid of a headache. Because they think IS will resist, they may not involve
senior IS management in the decision making, and they will not allow the internal group to make a competitive
bid for services along with outside providers.
This lack of trust results in decision making that may ignore critical variables that drive costs and may miss the
opportunities to provide performance improvements in other ways. Astute IS managers will not resist selective
outsourcing. They will understand it as a viable option for providing some services that can enhance their
overall performance and value to the firm.
Contract length
The earliest outsourcing deals were 12 to 15 years in length. It was thought that such long deals were
important to ensure that this valuable infrastructure was protected, and not subject to frequent changes.
Moreover, longer deals would keep vendors from raising prices as soon as the deal was settled. Today,
however, shorter term contracts (such as seven years) are becoming more common. Gartner released an
average contract length of 5.3 years in 2005. In a 2012 Deloitte document titled "2012 Global Outsourcing and
Insourcing Survey Executive Summary," three to five years was the most common length for outsourced
contracts. Also, 82% of all outsourcing was for projects under USD $75 million. [5] There is a recognition that too
many business variables change over time to make it sensible for either the vendor or the adopter to commit
to such a long-term arrangement.
Fee-for-service contracts
Contracts should be detailed fee-for-service contracts as opposed to standard or loose contracts. Even
though outsourcing involves the creation of a partnership, there must be sufficient detail in the contracts for
both parties to feel comfortable with their protections and the inability of their partners to abuse them.
Fee-for-service contracts are preferred to fixed-price contracts because they allow changes in service levels
(either up or down) to be reflected in the costs. Standard contracts rarely contain sufficient information to
handle dispute resolution and loose contracts leave too much room for interpretation.
Some outsourcers offer value-pricing models. That is, they ask to be compensated based on specifics of
performance improvements, in order to create aligned incentives with their clients. This can be a good form of
arrangement, but it depends on having good baseline measurements against which to compare future
performance, and a clear indication of the issues at hand.
Details to include in an outsourcing contract
Among the details that should be included in any outsourcing contract are:
service level agreements
data protection and ownership
change control mechanisms
dispute resolution
pricing
evaluation of subject matter expertise
termination transition, including data migration, changing software licenses, testing, training, and
providing specifications
Clear statements about service levels make it apparent what exactly is being promised and paid for. Rules
about data protection and ownership are essential to minimize the vulnerability associated with providing a
third party with direct access to valuable corporate information.
Change control and dispute resolution mechanisms are important to specify in advance, in recognition of the
fact that over the course of a multi-year contract, things are going to change for both parties. Knowing in
advance what things will cause the contract to be renegotiated and what procedures are in place to protect
both parties can prevent a lot of problems later.
The pricing for services covered in the contract must be clearly described and tie into the targeted service level
agreements. Again, this sets expectations for both parties about how one side of the contract defines support,
and the other defines fee for service.
It is important that the company outsourcing the responsibility has assessed the expertise level of the
outsourcer. Employee skill level, infrastructure, internal support structure, and ability to respond are all
critical factors in the success of an outsourcing project, so the outsourcer's claims about them must be
substantiated.
Finally, it is critical to specify in advance the processes by which the contract can be terminated and the
arrangements that are in place to ensure continuity of service during any transition to a new provider. If you
make an outsourcing deal without such provisions and later decide not to renew the contract with a vendor,
you want to know that you have already worked through how your systems will be operated during that
changeover period. Expecting a partner you have just terminated to be responsive to a request for additional
services beyond what was planned for is unrealistic.
Example 9.1-1: The SaaS model in a company
An example of a large software company that has aligned much of its software offerings to a SaaS model is
Oracle. The company is perhaps best known for its enterprise-class database management systems (DBMS).
Implementing an Oracle DBMS is normally associated with large organizations and relatively large IS budgets.
Oracle implementations were in-house, on the customer site, and on the customer hardware. Since the late
1990s, Oracle has been expanding its software offerings through acquisitions such as JD Edwards, PeopleSoft,
BEA Systems, and Sun Microsystems.
SAP was the first large software vendor to embrace SaaS in 2008. Oracle president Larry Ellison conversely had
no plans for SaaS, stating that it wasn't profitable. Today, Oracle offers traditional customer installations of its
software suite, and a platform for Oracle SaaS, which provides third-party companies the ability to manage
SaaS and cloud-based applications for subscribing customers. This is not an offering by Oracle itself.
For more details, go to the Oracle website. The extent to which services such as these will be accepted is, as
yet, uncertain. However, between 2011 and 2012, Oracle made several SaaS related acquisitions including
Taleo, an on-demand talent management company, and Eloqua, maker of SaaS marketing apps.
1. Kenneth C. Laudon, Jane P. Laudon, and Mary Elizabeth Brabston, Management Information Systems:
Managing the Digital Firm, Fifth Canadian Edition, 2011, page G-9.
2. July 7, 2011, Computerweekly.com, Accessed on April 13, 2013:
http://www.computerweekly.com/news/2240104975/Worldwide-SaaS-sales-to-grow-21-in-2011-driven-by-CRM-purchases-says-Gartner
3. Roehrig, P., Ferrusi Ross, C., Thresher, A. (2007). Outsourcing Clients Can Expect 12% To 17% Savings.
Forrester Research Report, August 30, 2007.
4. Oswald, Ed, Amazon Web Services outage takes out popular websites again, October 22, 2012,
PCWorld.com, Accessed on April 13, 2013:
http://www.pcworld.com/article/2012852/amazon-web-services-outage-takes-out-popular-websites-again.html
5. Deloitte, 2012 Global Outsourcing and Insourcing Survey Executive Summary, Accessed on March 15, 2013:
https://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/IMOs/Shared%20Services/us_sdt_2012GlobalOutsourcingandInsourcingSurveyExecutiveSummary_041012.pdf
9.2 IS security: Threats and vulnerability
Learning objective
Assess the different threats to information systems security, including physical and electronic
threats and intentional and unintentional threats. (Level 1)
Required reading
Chapter 8, Sections 8.1, System Vulnerability and Abuse, and 8.2, Business Value of Security and
Control
LEVEL 1
Your textbook provides a brief overview of the vulnerabilities of firms to security failures and the sources of
those problems. Exhibit 9.2-1 describes and categorizes the various risks to computer systems.
Exhibit 9.2-1
The columns separate physical from electronic threats. Not all security failings involve accessing files
electronically. Breaking into computing facilities to steal equipment or destroy sensitive information is as much
a threat as is hacking into the data centre. A security plan must consider both kinds of risks. The rows in the
matrix reflect the fact that risks to the security of information systems can be both intentional and
unintentional. It is tempting to equate IT security with computer crime, but in reality, it involves all threats,
including those that result from accidents.
Threats to security from deliberate and inadvertent actions
IS security is defined in the IBM Dictionary of Computing [1] (McDaniel, 1994) as
Concepts, techniques, technical measures, and administrative measures used to protect information assets
from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss,
or use.
This is very close to the definition in the text, except that it explicitly recognizes the risk from both deliberate
and inadvertent actions.
In Exhibit 9.2-1, you can see that human error plays a big role in threats to security. The biggest single
security vulnerability in most firms is, in fact, their users. Even beyond the explicit categories labeled human
error, user mistakes account for many other security vulnerabilities. System errors caused by bugs are often a
form of human error on the part of the programmer.
Social engineering is also a threat to IS security. This would include situations where a computer criminal
tries to convince a system user to provide him or her with access to either facilities or systems. For example, if
you wanted to gain access to sensitive systems in an organization, you might call employees and tell them you
work for their IS department, are doing some routine maintenance, and require their password to check the
status of their account. Or you might phone the help desk and impersonate the employee, asking for help with
a password that cannot be remembered. Software can make an outside call appear as an inside extension to
the help desk. In either case, if sensitive information is revealed, there is error on the part of the employee.
Passwords should not be divulged to anyone for any reason. A critical element of any organizational security
plan must be employee education about what can be asked and what answers constitute an acceptable reply
(see Topic 9.3).
Computer crime
Computer crime is the most sensational aspect, though not necessarily the biggest risk, of computer security.
Stories of denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks and viruses are regular
fodder for news outlets. Less common are reports of fraud perpetrated on companies through their information
systems, though these themes are common in Hollywood movies (for example, Firewall, Entrapment, and
Minority Report). The statistics on computer crime give some clue as to the magnitude of the problem and the
challenges in understanding it.
For example, in 2010, Gawker Media and its series of sister blog sites were hacked, and the hackers made off
with e-mail addresses and passwords for their customer registration accounts. Gawker claimed the passwords
were safe; shortly afterward hackers announced that thousands of the passwords had already been
compromised. Two years later, Twitter experienced a similar attack, causing them to force thousands of users
to immediately change their passwords.
Example 9.2-1: Computer crime and security survey
Read about the latest CSI computer crime and security survey at the Computer Security Institute. Review the
types and costs of security threats, and the methods used to combat them.
The lack of reporting of computer crime makes it more difficult to deal with the problem, but it is
understandable. After all, if you just found out that your corporate systems were vulnerable to attack (because
you had been attacked) would you want to announce this fact to the world, and potentially expose the
organization to further attacks? What would happen to consumer confidence? Investor confidence? It is easy
to see why many attacks go unreported.
Manager's role in IS security
As a non-IS manager, you must still recognize the wide variety of threats to information systems security. It is
easy to overlook things like human error in designing a security policy, even though human errors are by far
the most common threat to security. It is also easy to think of security as dealing with high tech electronic
threats and overlook vulnerabilities in physical facilities. Security measures should be determined by business
need and should be designed to protect key business processes. The textbook discusses relevant Canadian
federal legislation for security measures for the protection of data. Provincial and territorial controls are also
important to review to ensure the best protection. For example, search for the Office of Information and
Privacy Commissioner in your province/territory of business. As a manager, you must realize that your data is
at risk. You should be involved in ensuring that it is protected from the various risks that have been identified.
A well-designed security policy that is constantly revisited and consistently applied will address all of these
risks.
Also, a well-designed security policy will take into account people factors as well as technological factors. For
people factors, ethical behaviour and character are prominent considerations. Does the organization pay
attention to employee trustworthiness in hiring and promotions? Does it treat its employees well and fairly, thus
not allowing grievances to fester and later erupt into security violations? Does the organization provide the
training and leadership so employees know how to maintain security and are led in a security-conscious
direction?
1. George McDaniel, IBM Dictionary of Computing, ISBN 0070314896, The McGraw-Hill Companies Inc.,
copyright 1994.
9.3 Dealing with security threats
Learning objectives
Assess an organization's IS risks using the risk assessment framework. (Level 1)
Design the critical elements of an organization's security plan. (Level 1)
Justify the purpose and scope of a disaster recovery plan. (Level 1)
Required reading
Chapter 8, Sections 8.3, Establishing a Framework for Security and Control, and 8.4, Technologies
and Tools for Safeguarding Information Resources
LEVEL 1
Dealing with security threats requires establishing detailed plans, policies and procedures to minimize the risks
and deal with problems when they occur. Security policies have technological and human aspects. Training and
education about the role of security and the ways of protecting vital resources are necessary because even the
most secure systems can be defeated by users who do not adhere to the policies designed to protect them.
Plans must also be updated constantly to deal with changing threats and emerging technologies, and be
rehearsed in order to identify weaknesses and prepare people for crisis situations. The Sarbanes-Oxley Act
(SOX) has had a major effect upon how both IS and financial departments work together to ensure information
security. SOX compliance for U.S. publicly traded companies is a detailed undertaking, and requires
commitment from senior management throughout the company. All security procedures today must be weighed
against SOX to determine their compliance.
As more organizations conduct business over telecommunications networks and the Internet, their vulnerability
to both intentional and accidental security breaches increases. Today, this is even more so, due to the success
of cloud computing (and the security concerns with cloud) and the fact that we constantly submit personal and
private information to online sites without knowing where that information is actually going or being stored. The
consequences of a possible attack also increase because the company is increasingly dependent on IS for
carrying out business procedures. (If you have doubts, try going to a bank or grocery store when their
computer systems are down!)
What can you do about it? Abandoning computer-based information systems or refusing to allow access to the
Internet are extreme solutions and probably not workable for most companies. What is needed is a sensible
approach to IS security.
Exhibit 9.3-1: 8 Keys to a Sane Security Strategy
Steve Andriole (2001) developed "8 Keys to a Sane Security Strategy," which are still applicable today:
1. Linking the [security] strategy to the organization's business strategy, and to the SOX strategy
2. Creating a clear written policy that covers access to data, applications and networks, software,
privacy, recovery, and systems development
3. Establishing procedures for user authentication, such as password schemes
4. Establishing clear user authorizations to define which users can access which resources
5. Monitoring usage (errors, violations, activity reporting) on an ongoing basis to enforce the
security policies
6. Maintaining a disaster recovery plan and running simulations to test it out on a regular basis
7. Ensuring that security personnel have broad and deep skills, outsourcing where necessary to
provide those skills
8. Monitoring developments in security technology, such as firewalls, anti-virus, certificate authority,
biometrics, encryption, and privacy
Andriole's approach shows a nice balance of technological and human elements, which is important because
technology cannot solve all of the security challenges. It is also clearly tied to the business importance of
security, which ensures that security decisions are made based on organizational realities. One area where it is
lacking is in the process of setting security policy. It offers little guidance on who should be involved, what
policies and procedures could be implemented, and how they should be determined.
Worth adding to this list today are some points from a 2011 Forrester Research document titled "Forrester's
2011 security strategy recommendations":
9. Preparing for social media adoption
10. Helping the business devise a strategy to leverage cloud services
11. Actively supporting mobility in the post-PC era
With these three additional elements, a security strategy is now shaped to the concerns of today's businesses.
The following sections deal with each element in more detail, complementing the material in the text.
Linking to the organization's business strategy
As with all IS decisions, the determination of an appropriate security strategy demands consideration of
business strategy and business issues. Faced with the security risks and consequences described above, it is
tempting for managers to want to apply a full barrage of security (the highest level available) to
organizational processes, reports, web access, and everything else computer related, but this can be
unnecessarily costly and can get in the way of doing work. Loosely applying Pareto's rule, 80% of all security
fears can be handled inexpensively, as a matter of course, and as a matter of planning. The remaining 20% of
security concerns are where the expense lies, and where the discussions of vulnerabilities, requirements, and
what can be afforded, occur.
Each security measure you put in place requires system users to add a step in their daily work. Each step may
be small, but when you put them all together, security can seem like so much red tape. It also encourages
users to circumvent security policies, thus defeating their purpose. A balance must be found. If there is too
much security on e-commerce websites, customers will not purchase and will not return. Too little security, and
you run the risk of fraud and privacy issues.
Security policies should be matched to the critical nature of the business processes being supported. Is it worth
it to spend thousands of dollars on biometric identification for a small professional services firm? Not likely. But
it probably is worthwhile in a high security weapons facility.
Risk assessment
The text describes risk assessment as a critical part of determining the costs and benefits of IT security. Risk
assessment involves identifying possible threats, then evaluating both the likelihood (probability) of each
occurring and its consequence or impact should it occur. Exhibit 9.3-2 shows a simplified version of how this
might work.
Exhibit 9.3-2:
In practice, you may want to evaluate risks more finely: low, medium, and high, or on a scale of 1 to 5. It is
also valuable to assess your certainty about your judgments. If you think something is unlikely to happen (low
probability) but have little to base that on, you may want to adjust your scoring. Common ways of obtaining
guidance about relevant risks and their probabilities include referencing technical publications and government
statistics, reviewing historical information from your own organization and industry, and consulting security
specialists.
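The scoring described above, worked through on a 1-to-5 scale. This is an added Python example, not part of the course module: the threats are constructed samples placed in the four cells of the threat matrix, and both the one-step adjustment for weakly supported estimates and the low/medium/high cut-offs are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    threat: str
    cell: str          # physical/electronic and intentional/unintentional
    likelihood: int    # 1 (rare) to 5 (expected)
    impact: int        # 1 (minor) to 5 (severe)
    confident: bool    # False when the likelihood is little more than a guess

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")

    def adjusted_likelihood(self) -> int:
        # Assumption: an estimate with little evidence behind it is raised
        # one step (capped at 5), so "probably won't happen" guesses cannot
        # quietly push a threat to the bottom of the list.
        return self.likelihood if self.confident else min(5, self.likelihood + 1)

    def score(self) -> int:
        return self.adjusted_likelihood() * self.impact

    def band(self) -> str:
        # Assumed cut-offs on the 1..25 score range.
        s = self.score()
        return "high" if s >= 15 else "medium" if s >= 8 else "low"


# Constructed sample register, one or more threats per cell of the matrix.
REGISTER = [
    Risk("Data-entry error by staff", "electronic/unintentional", 5, 2, True),
    Risk("Help-desk reset granted to an impersonator", "electronic/intentional", 2, 4, False),
    Risk("Denial-of-service attack on the web store", "electronic/intentional", 4, 4, True),
    Risk("Break-in and theft of a server", "physical/intentional", 1, 5, True),
    Risk("Flooded server room", "physical/unintentional", 1, 5, False),
]


def rank(register):
    """Highest score first; ties are broken alphabetically for stable output."""
    return sorted(register, key=lambda r: (-r.score(), r.threat))


if __name__ == "__main__":
    for r in rank(REGISTER):
        note = "" if r.confident else "  (likelihood raised: low certainty)"
        print(f"{r.score():>2}  {r.band():<6}  {r.threat}  [{r.cell}]{note}")
```

Without the certainty adjustment the impersonation threat would score 8 and sit below routine data-entry errors; with it, the threat scores 12 and moves above them.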
Clear written policy
Thinking in general terms about security as you make decisions is good, but it is not a substitute for having a
clear written policy. The policy should cover each of the areas from this topic, as well as rules about software
(controls), privacy (covered in Module 10), and systems development. For SOX compliance, this is a required
step.
For assistance in writing clear policy, one site to consult is Plainlanguage.gov out of the United States. Their
goal is to improve public communications, and they offer some free articles, samples, and advice on how to
write policies in a clear, jargon-free manner. In 2010, U.S. President Obama signed the Plain Writing Act into
law.
The text describes software controls (Section 8.4) and the link between systems development practices and
security (Section 8.3). You should review these sections to understand their role in ensuring the security of
organizational information systems.
A written policy forces you to think through the issues fully and makes it more difficult to gloss over important
factors. It forces you to assign responsibilities for various factors to people or roles, so that it will be clear to all
how security is maintained. A written policy is also important for treating people in a fair, non-arbitrary way
since people are notified as to what the ground rules are. Finally, it gives a greater weight to the decisions that
have been made. People respond more seriously to a written document than to a lot of talk because the
documentation demonstrates the value management places on the topic.
Given the range of security threats discussed in Topic 9.2, it is important to remember that the written policy
needs to cover not just high technology controls, but also controls on paper-based materials (what types of
documents can go in a recycling bin and what types need to be shredded) and other low technology controls
(security guards, training, and so on). In larger organizations, the written security policies are likely to be
contained in a separate, specific document, whereas smaller organizations may incorporate security
components within their standard policies and procedures manuals. Whatever the form, security policies are
meant to be taken seriously and should be presented as such. Changes must be included quickly, and then
signed and dated by the appropriate people.
Procedures for user authentication
Procedures for user authentication are one of the most important aspects of security. When someone tries to
log on to a network, it is important to be able to determine:
if the person is allowed to log on (authorization through a recognized username)
if they are who they purport to be (authentication by providing the password associated with the
given username; username is a form of identification)
Bruce Schneier (Secrets & Lies: Digital Security in a Networked World, 2000, page 136) states that authentication
is determined through a challenge to one, or a combination, of three factors: something you know (for
example, a password or passphrase), something you have (for example, an access card or key), or something
you are (for example, a physical characteristic).
Something you know
Passwords
Passwords are the most common security mechanism for user authentication. You probably know the basic
rules of secure passwords:
They should include both upper and lower case letters, numbers, and symbols in seemingly
random patterns. Longer passwords are also more secure.
They should be changed frequently (every 30 days or so), and repetition of recently used
passwords should not be allowed.
They should not be words found in the dictionary because one password cracking technique is
simply to try every word in the dictionary.
They should not be names or other things that are easily guessed (important dates, phone
numbers, and so on).
Of course, all of these rules amount to passwords that are difficult for users to remember. Many people write
down their passwords so that they're accessible, which defeats the purpose of passwords. There is a trade-off
between the theoretical level of security enforced on passwords and their usability and security in practice.
New apps, such as 1Password for iOS devices, allow users to enter IDs and passwords for the sites they
regularly visit into the software's encrypted tracking system, which then inserts the ID and password when you
visit one of your authenticated sites.
Passphrases
Another alternative is the use of passphrases. These are short phrases of normal words that are assembled in a
seemingly nonsensical way, such as sHEcLiMbEd5.Ten. The advantage of these passphrases is that they can
be easier to remember than a completely random string of characters and symbols, but they are still difficult to
crack (the example passphrase would be meaningful to rock climbers: 5.10 is a difficulty rating, and the
capitalized letters spell HELMET). Notice that the passphrase example here still complies with the basic rules.
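The four password rules listed earlier, and the statement that the sample passphrase still complies with them, checked in code. This is an added Python example, not part of the course module: the minimum length, the history depth, the small wordlist and the personal facts are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import date

# MAX_AGE_DAYS comes from the module ("every 30 days or so"). The other two
# values are assumptions, since the module gives no figures for them.
MAX_AGE_DAYS = 30
MIN_LENGTH = 10
HISTORY_DEPTH = 5

# Constructed sample wordlist; a real check would load a full dictionary file.
DICTIONARY = {"password", "welcome", "dragon", "helmet", "climbed", "summer"}

CHARACTER_CLASSES = {
    "missing-lowercase": re.compile(r"[a-z]"),
    "missing-uppercase": re.compile(r"[A-Z]"),
    "missing-digit": re.compile(r"[0-9]"),
    "missing-symbol": re.compile(r"[^A-Za-z0-9]"),
}


def _digest(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so the history never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember(password: str) -> tuple:
    """Return the (salt, digest) pair to append to a user's password history."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def _alnum(text: str) -> str:
    """Lower-case and drop punctuation so '1984-03-17' matches '19840317'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(candidate: str, history=(), personal_facts=()) -> list:
    """Return the rule violations found; an empty list means acceptable."""
    problems = []

    # Rule 1: mixed character classes, and a minimum length.
    if len(candidate) < MIN_LENGTH:
        problems.append("too-short")
    for code, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(candidate):
            problems.append(code)

    # Rule 2 (second half): no repetition of recently used passwords.
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reused")
            break

    # Rule 3: not a dictionary word, even with digits or symbols tacked on.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate).lower()
    if core in DICTIONARY:
        problems.append("dictionary-word")

    # Rule 4: no names, dates or phone numbers tied to the user.
    squeezed = _alnum(candidate)
    for fact in personal_facts:
        token = _alnum(fact)
        if len(token) >= 4 and token in squeezed:
            problems.append("personal-info")
            break

    return problems


def is_expired(last_changed: date, today: date) -> bool:
    """Rule 2 (first half): the password is older than the rotation interval."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    facts = ["Jordan", "1984-03-17"]  # constructed personal details
    for pw in ("sHEcLiMbEd5.Ten", "Password1!", "Jordan#19840317x", "summer"):
        print(f"{pw!r}: {check_password(pw, personal_facts=facts) or 'ok'}")
```

"Password1!" satisfies every character-class rule and still fails, because stripping the trailing digit and symbol leaves a dictionary word.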
Single sign-on
A goal in many organizations, albeit a divisive one, is single sign-on. When an organization has several
different systems, each with its own security, users may be required to sign on to each system as they enter it.
This, however, creates red tape for the user and frustrates them with the security requirements of the
organization.
Single sign-on involves creating programs that can pass sign-on information from one system to the next so
that once a user is authenticated on the network, their access privileges and password information can be
automatically given to the other systems they access.
There are a number of challenges with this type of approach. First, a single point of attack would give an
outsider access to multiple systems. Second, building single sign-on capability into non-integrated legacy
systems can be an enormous programming challenge. Finally, implementing single sign-on often requires
authorization information to be stored on the client PC, which is a security risk itself. Users love the concept of
single sign-on; IS often frowns on it.
Something you have
Access cards can also be an important tool for security. Access cards can be required to access places,
providing for physical security, but they can also be used with systems. Users have to insert a card into a
reader and then give a password to access the system. This means that even if a password is guessed, it is
unusable without the access card, or if an access card is lost, it is unusable without the password. Such
overlapping schemes enhance the security of authentication tools.
Something you are
While authentication establishes you are who you say you are, most security measures focus on something
you know and something you have. These are really indirect measures of who you are and can be
circumvented. Biometric identification techniques are becoming more popular and less expensive, focusing
more directly on authentication based on something you are. Because they measure physical characteristics (for
example, fingerprints, hand scans, retinal scans, and handwriting), biometric identification techniques tend to
be more secure.
The disadvantages of biometrics include
sometimes using intrusive measurement techniques (for example, retinal scans)
concerns about data privacy (for example, storage of highly personal user data that is itself
subject to access)
the relative permanence of biometric data (for example, you only have two retinas; if their
characteristics are digitally copied, they can no longer reliably be used for authentication).
Biometric measures are still more costly than other authentication techniques, such as password schemes, and
must be more closely evaluated from a risk management perspective.
A useful website to learn more about biometrics is the United States government's Biometric Consortium.
User authorizations
Authentication procedures are used to allow access to resources (such as data, applications, and networks)
that users need to perform their jobs, even though not all users need the same level of access.
The concept of having different levels of access to resources depending on user requirements is called
authorization. For example, although most users should probably have access to the office telephone
numbers of their colleagues, they should not have access to their home telephone numbers or their salaries.
Thus, different users require different levels of data access. Similarly, not all users would need access to an
order entry system because not all users would be expected to process customer orders. They require different
levels of application access. Finally, on a LAN, users should have access to their own files, but not to those of
other users unless the files are intended to be shared. This requires different network access, and the setting
up of shared drives with read and/or write privileges for each user.
All these levels of access must be formally defined by the organization. Designing access rules for applications
is part of the systems development process (systems design). You should start by considering organizational
roles and the functionality needs driven by those roles and map out how access would look before
implementing changes. MS-Visio, used for use case diagrams in Module 4, is also a great tool for mapping a
network, its users, and the levels of security required by each user.
Also, many IS departments create typical job profiles, for example, a list of drives, folders, and data that an
accounts payable clerk or an HR associate needs. This way, authorization is standardized based upon job
function and modified only if written requests are submitted and approved. In most organizations, the network
administrator is the only person with authorization to all functions, and this is documented and approved.
There are two basic ways to approach this sort of access identification: inclusion and exclusion. Inclusion is
the more secure approach. You begin with zero access for every user and then add access as needed to
specific data, applications, or networks. The danger with this approach is that if it is not done well using proper
documentation, users will be frustrated in their attempts to work on systems to which they have not been
granted required access and calls to the IS group to change access rules will increase.
Exclusion involves starting with access to everything and then excluding things that are not needed. It is
easier to implement (less danger of forgetting to give users access to something they need) but far less secure.
It is too easy to forget something that the user has no need for but that compromises security. As a result,
security specialists recommend the inclusion approach, even though it may take more adjusting to ensure it is
complete.
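The inclusion and exclusion approaches above, combined with standard job profiles, as an added Python example that is not part of the course material. The profile names, resources, users and the `AccessPolicy` class are constructed for illustration. The two policies grant identical access today and diverge as soon as a new resource appears or an unknown role turns up.

```python
from dataclasses import dataclass, field

ACTIONS = ("read", "write")


def both(resource):
    """Read and write entries for one resource."""
    return {(resource, a) for a in ACTIONS}


@dataclass
class AccessPolicy:
    mode: str       # "inclusion" (start at zero access) or "exclusion" (start at full access)
    profiles: dict  # job profile -> set of (resource, action) entries
    exceptions: dict = field(default_factory=dict)  # user -> approved extra grants

    def check(self, user, role, resource, action):
        listed = (resource, action) in self.profiles.get(role, set())
        if self.mode == "inclusion":
            # Zero access unless the job profile or an approved request grants it.
            return listed or (resource, action) in self.exceptions.get(user, set())
        # Exclusion: everything is allowed unless someone remembered to list it.
        return not listed

    def grant_exception(self, user, resource, action, approved_by):
        """Record a per-user grant; refuses a request with no named approver."""
        if self.mode != "inclusion":
            raise ValueError("exceptions only apply to an inclusion policy")
        if not approved_by:
            raise PermissionError("written approval required")
        self.exceptions.setdefault(user, set()).add((resource, action))

    def effective_access(self, user, role, resources):
        """Everything this user can actually do across the given resources."""
        return {(r, a) for r in resources for a in ACTIONS
                if self.check(user, role, r, a)}


# Constructed resources and job profiles (assumptions, not from the course text).
RESOURCES = ["office_phones", "home_phones", "salaries", "order_entry", "ap_ledger"]

# Inclusion: each profile lists what the job needs.
INCLUSION = AccessPolicy("inclusion", {
    "ap_clerk": {("office_phones", "read")} | both("ap_ledger"),
    "hr_associate": {("office_phones", "read"), ("home_phones", "read")} | both("salaries"),
})

# Exclusion: each profile lists what the job must NOT reach.
EXCLUSION = AccessPolicy("exclusion", {
    "ap_clerk": {("office_phones", "write")} | both("home_phones")
                | both("salaries") | both("order_entry"),
    "hr_associate": {("office_phones", "write"), ("home_phones", "write")}
                    | both("order_entry") | both("ap_ledger"),
})


def excess_access(user, role, resources):
    """Access the exclusion policy gives that the inclusion policy does not."""
    return (EXCLUSION.effective_access(user, role, resources)
            - INCLUSION.effective_access(user, role, resources))


if __name__ == "__main__":
    # Today the two policies agree for an accounts payable clerk.
    print(excess_access("ana", "ap_clerk", RESOURCES))
    # A new cheque-run system goes live and nobody updates the exclusion list.
    print(excess_access("ana", "ap_clerk", RESOURCES + ["cheque_run"]))
```

Running `effective_access` for every user on a schedule gives the access review that catches users with too much access, which they will rarely report themselves.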
Monitoring usage
Having a security plan is not sufficient. Knowing that certain users are only allowed to access certain functions
and that the system has been designed to accomplish this is great, but monitoring the network to ensure that it
is working as intended is essential. Users will always inform you when they do not have access to something
they believe they need, but rarely will they tell you if they have too much access. The text describes intrusion
detection systems that can be used to monitor unexpected network traffic, and security policy violations.
There are two types of intrusion detection systems (IDS): passive (where a breach is detected and logged and
an alert signalled to the administrator of the system) and reactive (also called an intrusion prevention system,
where, when an intrusion is detected, the system auto-responds and blocks the firewall breach from the
intruding source). Sourcefire, IBM, HP and McAfee all provide respected IDS products.
Network logging software can also be used to monitor who is logged on at any given time, what processes
(applications) they are using, and what changes they are making. This log should be monitored to ensure
security policies are being followed and violations are followed up.
Again, as part of SOX compliance, IS is expected to monitor the access to specific programs, identified as those
capable of changing the financial position of the company. For example, programs that run cheques or receive
or delete inventory must all be extracted from the logs of running applications, and correlated to an authorized
user sign-on to run those programs. This type of usage monitoring is usually directed internally, but not
exclusively, and it usually takes custom programming to achieve the results.
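One way the correlation described above could be programmed, as an added Python example that is not from the course material. The log format, program names, user IDs and approval list are constructed assumptions. The review flags sensitive runs with no matching sign-on, runs by users who are not approved for the program, and lines it cannot parse.

```python
import re
from datetime import datetime

# Constructed list: programs able to change the financial position of the
# company, and the users approved to run each one.
SENSITIVE = {
    "cheque_run": {"mlee"},
    "inv_receive": {"rsingh", "tkim"},
    "inv_delete": {"rsingh"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>SIGNON|SIGNOFF|EXEC) (?P<kv>.+)$")

# Constructed sample log (hypothetical format: timestamp, event, key=value fields).
SAMPLE_LOG = """\
2013-03-17T08:58:02 SIGNON user=mlee tty=T04
2013-03-17T09:01:15 EXEC user=mlee tty=T04 prog=cheque_run
2013-03-17T09:03:40 SIGNON user=tkim tty=T07
2013-03-17T09:04:10 EXEC user=tkim tty=T07 prog=inv_receive
2013-03-17T09:06:55 EXEC user=tkim tty=T07 prog=inv_delete
2013-03-17T09:10:00 EXEC user=tkim tty=T07 prog=spreadsheet
2013-03-17T09:12:30 SIGNOFF user=mlee tty=T04
2013-03-17T09:20:44 EXEC user=mlee tty=T04 prog=cheque_run
2013-03-17T09:25:00 EXEC user=rsingh tty=T09 prog=inv_delete
garbled line without fields
"""


def parse(line):
    """Return (timestamp, event, fields), or None for a line that cannot be trusted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
    required = {"user", "tty"} | ({"prog"} if m["event"] == "EXEC" else set())
    if not required.issubset(fields):
        return None
    return ts, m["event"], fields


def review(log_text, sensitive=SENSITIVE):
    """Correlate sensitive program runs with sign-ons and the approval list.

    Returns (cleared, findings). Each finding is
    (line_number, reason, user, program); unparsable lines are reported
    rather than skipped, because a gap in the log is itself a control failure.
    """
    sessions = set()  # (user, tty) pairs with an open sign-on
    cleared, findings = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            findings.append((n, "UNPARSED", None, None))
            continue
        _, event, f = rec
        key = (f["user"], f["tty"])
        if event == "SIGNON":
            sessions.add(key)
        elif event == "SIGNOFF":
            sessions.discard(key)
        elif f["prog"] in sensitive:  # EXEC of a program on the sensitive list
            problems = []
            if key not in sessions:
                problems.append("NO_SIGNON")
            if f["user"] not in sensitive[f["prog"]]:
                problems.append("NOT_AUTHORIZED")
            for reason in problems:
                findings.append((n, reason, f["user"], f["prog"]))
            if not problems:
                cleared.append((n, f["user"], f["prog"]))
    return cleared, findings


if __name__ == "__main__":
    ok, flagged = review(SAMPLE_LOG)
    for item in flagged:
        print("FOLLOW UP:", item)
    print(len(ok), "sensitive runs matched an authorized sign-on")
```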
Monitoring hackers
One technique for monitoring hackers is the creation of a honey pot. A honey pot is a dummy network set up
to attract and monitor hackers. To improve defences on their production systems, organizations implement,
maintain, and monitor these systems to track common intrusion techniques, popular service and port targets,
Trojans delivered, intruder source IP addresses, and so on.
Honey pots are subjected to somewhat less security than production networks, but enough to make them
credible to would-be intruders. However, their monitoring facilities are very sophisticated in order to track
intrusions as they occur. Because monitoring takes system resources, it might not be practical to implement the
same degree of monitoring on a production system as it might compromise overall performance. But on the
honey pot, there is not the same volume of transaction processing, so the high level of monitoring is feasible.
Of course, if implemented poorly, a honey pot could actually compromise security by providing an easy target
and point of entry into corporate systems. In addition, the cost of creating and maintaining such a system
makes it an impractical approach for small businesses.
Business continuity planning
Planning to minimize the likelihood of security failures is essential. Authentication and authorization procedures,
as well as the controls described in the text, are all designed to minimize the probability that something will go
wrong. But probability is only one aspect of risk; impact is the other crucial factor.
Business continuity planning deals with what happens when things do go wrong. Even a low probability event
can sometimes occur. So what do you do when it does happen? For example, what do you do if your website
is subject to a denial of service attack? Who is notified of the problem? What steps do they take, in what
order, to end the attack, resume services when it is ended, and identify the source of the attack to undertake
legal action? Businesses that suffered long outages over the Amazon cloud issues of 2011/2012 have likely
made technological changes so that they are no longer 100% dependent on a single source for website uptime.
No matter how big your provider is (Amazon), your business model needs continuity planning.
Disaster planning, as another example, and as the name suggests, is what you do when a catastrophic event
affects your business. What do you do when a tornado or earthquake takes out your data centre? Your
response may be that an organization should not put its data centre in a high tornado or earthquake activity
location, but these things don't just happen where they are likely. Once it has happened, what are your policies
for getting things back up and running?
Continuity planning and disaster planning are not mutually exclusive. The documentation, procedures, and
processes created for the one are equally valuable for the other. It is a matter of degree. A power outage in one
section of the plant is continuity planning. A machine room flooded with water is disaster planning. Continuity
means that some things are down but the company can still function as a business; disaster planning means
that the company cannot function as a business until the problem is solved.
Here are some of the key concerns consistent across contingency and disaster planning:
Backup data centres
Most companies that rely heavily on information systems for business operations maintain backup data centres.
This may be done internally within the firm in situations where processing is regionally separated. In such a
case, the Manitoba data centre, for example, may be able to take on processing for the Nova Scotia data
centre in the event of a catastrophic loss. Alternatively, firms may contract with outside providers for access to
either a hot site (a site with office equipment and hardware already installed, set up and running a recent
backup of applications that can be ready in a matter of hours) or a cold site (a facility that is available but will
require more setup, likely days).
The choice of a hot or cold site depends on the degree to which immediate recovery is necessary. Hot sites are
significantly more expensive to maintain and should only be considered in cases where the business losses
associated with an outage would be very high.
Cloud computing offers a new approach to data centres. Hot sites are usually physical locations not far from
the business for ease of access and speed of recovery. This puts them in question if the event is city-wide as
opposed to company-wide. Live production/hot sites are essentially what cloud offers: a location remote from
your physical business, Internet-based and always accessible. If your company suffers a disaster, your data is
not lost and doesn't need to be recovered. It is already remotely stored and processed.
Regular data backups
Data backup and recovery procedures are also an important element of a disaster recovery plan. Regular
backups are necessary, daily for user files and in real-time for transaction data. Backups should be periodically
tested to ensure that they are correct. More than one organization has found out only after a data loss that
their backup processes did not work correctly.
Before cloud, enterprising companies offered Internet-based backup services. This way, companies eliminated
costly and finicky tape backup systems in favour of online remote backup systems. Although originally costly (a
four-year ROI was not uncommon), cloud computing has opened this sector up with more choice and less cost.
Sites like Dropbox.com and Carbonite.com are examples of user backups. For enterprise backups, the current
contenders are Crashplan, Zmanda, and Mozy for more service-based firms.
Test the plan
Testing business continuity plans through simulations is also essential. Having the plan written down is only
half the battle. Acting it out periodically ensures that people understand their responsibilities and can react
effectively in times of crisis. Also, SOX compliance asserts that a recovery test must be performed a minimum
of once per year.
Security personnel
Security is a complex, highly specialized area of IS. It requires an in-depth understanding of hardware,
software, and networks, and a strong analytical ability. Not all IS personnel are suited to working in this area.
An organization should ensure that it has access to the right kind of person. This is harder for small
organizations that require people to fulfill multiple roles. Outsourcing some parts of security planning and
management is a realistic option if the right capabilities are not present in the organization or the cost of
employing someone full-time is not justified based on the security risks. For smaller organizations, outsourcing
of security planning and management is likely to be the preferred option.
Monitoring developments in security technology
Security technology and security risks change relatively quickly. Computer criminals seem to have an insatiable
need to find new ways to circumvent systems, and keeping up with their attacks requires changes in the
means of protecting resources. Once established, security procedures need to be regularly revisited to account
for new developments. This is part of the responsibility of security personnel, either internal or external, wired
or wireless, employee or customer.
9.4 Role of auditing in IS security
Learning objective
Evaluate the role of auditing in a security plan. (Level 2)
Required reading
Review Chapter 8, Section 8.3 (subsection on "The Role of Auditing")
LEVEL 2
The techniques for dealing with security threats all require an understanding of the current levels of security
risk in organizational systems and ongoing monitoring of those risks against the security plan. IT changes too
quickly to expect risks and plans to be stable. Monitoring organizational risk levels is the role of the IT/IS audit
function.
IS audit is a highly specialized function, often provided by public accounting firms and specialty consulting
firms. In large firms it is also not uncommon for internal audit departments to perform this function. As in all
audits, it is important that the auditor be independent of the systems being audited. With SOX compliance so
central to many organizations today, auditing is now a regular function that IS accepts, where proactive
managers build security audits into their procedures. Rather than complain about frequency, they make audits
central to the security function.
Security audits
Security audits involve identifying every organizational process and the systems that support them, then
tracking and verifying the security of those systems. Not all processes can be audited every year, so schedules
based on criticality of processes are made to ensure a reasonable timeframe for dealing with all of an
organization's processes. Regular audits of security processes are essential to ensure that correct procedures
exist and that they are being implemented as intended. With SOX, however, there are areas that are
continuously checked, so building regular audits into the procedures is not only good planning, but is essential.
Auditing looks at computer facilities, such as data centres, and at installed applications. It assesses employee
understanding of security, as well as the technology in place. It involves using computer-based tools to test for
security weaknesses (for example, ethical hacking or penetration testing) and physical weaknesses (such as
who has keyed access to IT machine rooms), as well as simple non-technological tests (such as social
engineering).
An external auditor may test for physical security procedures by trying to walk into a secure area and sitting
down to use a computer without authorization. In a hospital years ago, an auditor was able to access the
system without anyone in the facility recognizing her as an intruder. She looked official, carrying a clipboard
and acting as if she belonged, and no one wanted to challenge her. Part of physical security training is to
teach employees to ask who someone is if they don't recognize her. This is a small but vital requirement, and
inexpensive to implement.
Once problems are identified, and they likely will be, a plan for addressing them needs to be constructed. The
auditor makes recommendations about what is to be done, the urgency with which the problems need to be
addressed, and sets some kind of process to ensure that it is undertaken; perhaps certain functions will be
added back into the next audit to ensure that they are addressed. There is no sense in using resources to
identify vulnerabilities if a plan and subsequent action is not undertaken to address deficiencies.
Here is a list of some of the questions that an IS audit could test, as offered in an article titled "Conducting a
Security Audit: An Introductory Overview" by Bill Hayes, and posted on Symantec's website:
Are passwords difficult to crack?
Are there access control lists (ACLs) in place on network devices to control who has access to
shared data?
Are there audit logs to record who accesses data?
Are the audit logs reviewed?
Are the security settings for operating systems in accordance with accepted industry security
practices?
Have all unnecessary applications and computer services been eliminated for each system?
Are these operating systems and commercial applications patched to current levels?
How is backup media stored? Who has access to it? Is it up-to-date?
Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the
disaster recovery plan?
Are there adequate cryptographic tools in place to govern data encryption, and have these tools
been properly configured?
Have custom-built applications been written with security in mind?
How have these custom applications been tested for security flaws?
How are configuration and code changes documented at every level? How are these records
reviewed and who conducts the review?
Source: Hayes, Bill, Conducting a Security Audit: An Introductory Overview, Symantec Connect, accessed
March 17, 2013: http://www.symantec.com/connect/articles/conducting-security-audit-introductory-overview
9.5 Ethical issues
Learning objectives
Identify the five key ethical challenges related to information technology and interpret different
ethical principles, including the CGA-Canada Code of Ethical Principles and Rules of Conduct, in
guiding decision making about these challenges. (Level 1)
Assess the importance of stakeholder analysis and involvement in ethical decision making.
(Level 1)
Required reading
Chapter 4, Social, Ethical, and Legal Issues in the Digital Firm
Review Ethics Readings Handbook (ERH), Section A and Units C1, C2, C3, and C11
(For all ethics-related readings in this course, it is assumed that you are already familiar with
Section A and Units C1, C2, C3, C4, C5, and C10 of Section C of the Ethics Readings
Handbook. ERH readings are provided electronically.)
LEVEL 1
Information technology, through its unique characteristics and applications, has demonstrated the power to
radically reshape the social world. Coupled with other forces, IT has resulted in significant changes in the
structuring of organizations, the patterns of employment throughout society, and the commercial and social
relationships of millions of people. No change of this size can occur without creating ethical or moral issues.
The text provides an excellent overview of the challenges in IS ethics. This topic highlights and extends the
text coverage.
Ethics in context
Ethical and moral choices are always defined within the context of the political and social environment in which
they exist.
This said, it is always much harder to look beyond our own current environment. When large-scale change
occurs, our social and political imperatives often do not provide sufficient guidance on how to behave. For
example, in the past, organizations did not have the capability to profile customers to determine shopping and
product preferences, or to use predictive analytics to suggest what else a customer may be interested in based
on a number of data sets. The technology simply did not exist to create the kinds of large databases that are
becoming increasingly common and form the basis of today's one-to-one customized, web-based shopping
experience.
There is no clear law that states what the rules are in creating these databases, and even our social traditions
do not give clear guidance. On one hand, the law tells us that individuals have a certain expectation of privacy,
which might argue against the creation of large tracking databases. But tradition also tells us that a corporation
has a duty to its shareholders to maximize wealth. So which tradition is more important? This is the challenge
of ethical decision making.
With new technologies, we often argue back and forth on the basis of social conventions developed for earlier
technologies. Is, for example, customer information in a corporate database more like mail entrusted to the
post office for delivery to a specified person, or is it more like a statement made at a public forum which would
be freely available for any listener to repeat? The challenge is to develop new social conventions that meet the
needs of technology users and accord with our deeper ethical convictions about fairness, respect, non-
harmfulness, and other matters discussed in the reading Moral reasoning (ERH, Unit A6).
Take the music industry. When faced with the advent of digital music, and unable to come up with a clear
method of purchase, digital rights, and cost, the Internet user community firmly provided the answers to these
questions itself: no download restrictions and no cost for music. Ever since Napster, the recording industry has
been trying to make up for lost ground, even to the point of prosecuting the consumers of its product. In
2007, Microsoft, using a different approach, decided not to fight the Chinese piracy of its Windows, Office, and
other software, instead subscribing to the belief that people running and using pirated versions of your
software is better than not running it at all. In 2010, this approach changed. Microsoft has since successfully
sued Chinese corporations for software piracy, in a market that estimates a loss of over $6 billion per year to
pirated software. The ethics in both situations, of the users, their culture, and the industries, are obviously at
odds, but lawsuits have done little to deter software piracy. The ethical answer is still to be determined.
Principles of ethical decision making
The text provides an interesting discussion of how decision making about ethical issues should be approached.
It provides definitions of the key concepts of responsibility, accountability, and liability, and their role in ethical
analysis. The Ethics Readings Handbook (ERH) also provides a detailed overview of ethical principles and
decision making. The principles in Unit A9 of the ERH are similar to those in the textbook.
Unit A9 of the ERH introduces a nine-step approach to case analysis for decision making when analyzing ethical
dilemmas. The text has a five-step decision-making process which is quite dissimilar to the nine-step approach.
It is suggested to use the nine-step approach proposed in Unit A9 of the ERH.
The textbook puts an emphasis on defining the problem because how one defines the problem can significantly
influence how it is resolved. The attention to different stakeholders is an important aspect of this in the
textbook model.
The ERH model puts more emphasis on the process of making the decision, which is important because
ultimately the framework is intended to guide action.
The textbook introduces various candidate ethical principles (page 105) that can be used to evaluate
alternative actions. These principles require the decision maker to step outside of the situation, to take the
perspectives of other stakeholders (the Golden Rule, Risk Aversion, Ethical no free lunch rule), and to
generalize the actions to a broader set of situations (Kant's categorical imperative, Descartes' rule of change).
By taking these broader views, the longer-term implications of an action can be better understood, and the
steps that led to the decision can be seen as a process as opposed to a single event. The utilitarian principle
underlies many of these other principles, and recognizes that any action will likely involve choices between
competing alternatives. Considering the value (however that may be defined) of alternative actions can
help to compare options.
However, as noted in Unit A5 of the ERH, utilitarian reasoning overemphasizes the attainment of ends and
ignores the ethical importance of the means used to attain those ends. As in traveling, it is not just where you
are going, but how you get there that matters.
Section A of the ERH provides additional background information on ethics and the roles of ethics in society.
Professional codes of conduct are mentioned as an important guiding force for making ethical decisions. The
code of conduct you adopt as a CGA (ERH, Unit C3) provides specific principles that should guide decision
making. These principles, from CGA-Canada's Code of Ethical Principles and Rules of Conduct, can be applied to
IS decisions as well as other decisions [1]:
1. Responsibilities to society: Members have a fundamental responsibility to safeguard and
advance the interests of society. This implies acting with trustworthiness, integrity, and
objectivity. This responsibility extends beyond a member's own behaviour, to the behaviour of
colleagues and to the standards of the Association and the profession.
2. Trust and duties: Members shall act in the interest of their clients, employers and interested
third parties, and shall be prepared to sacrifice their self-interest to do so. Members shall honour
the trust bestowed on them by others and shall not use their privileged position without their
principals' knowledge and consent. Members shall strive to be independent of mind and in
appearance.
3. Due care and professional judgment: Members shall strive to continually upgrade and develop
their technical knowledge and skills in the areas in which they practice as professionals. This
technical expertise shall be employed with due professional care and judgment.
4. Deceptive information: Members shall not be associated with any information which the
member knows, or ought to know, to be false or misleading, whether by statement or omission.
5. Practice of the profession: Members shall act openly and fairly towards others in the practice of
their profession.
6. Responsibilities to the profession: Members shall always act in accordance with the duties and
responsibilities associated with being members of the profession and shall carry on work in a
manner that will enhance the image of the profession and the Association.
Activity 9.5-1: Ethical dilemma
Read The Right Stuff Sylvia for an illustration of ethical issues in a corporate setting that allows you to
exercise your judgment.
Specific ethical issues with information systems
The text presents five specific issues to consider called moral dimensions of the information age:
Information rights and obligations
Property rights (particularly intellectual property)
Accountability and control
System quality expectations
Quality of life
The kinds of decisions that relate to each issue are presented, along with some of the factors making them
more problematic at present. The ethical, social, and political dimensions of each issue are also explained.
Making ethics effective in the organization
Making ethics effective in the organization involves having managers and employees buy into and act upon
good ethical principles. Buy-in is not established simply through posting policies or even imposing a code of
ethics. Buy-in involves willing acceptance and commitment on the part of managers and employees. In other
words, they accept, internalize, and act upon the organization's ethical principles. When this happens, an
ethical culture is created in the organization, which means that there is a predominant expectation on the part
of members of the organization that people will act rightly.
A good example of this is provided in ERH Unit B4 (not a required reading). Several years ago, Johnson &
Johnson, a major manufacturer of household and medical products, was faced with a very serious problem.
Someone had been tampering with Tylenol packages and putting poison into Tylenol capsules. Only one city in
the United States was involved. Well before any regulatory agency became involved, senior executives of
Johnson & Johnson immediately recalled Tylenol across the United States and Canada.
When one of Johnson & Johnson's senior executives was asked why they made such an immediate and
unconditional recall, he said, "We never really thought we had much of a choice in the matter of the recall. Our
Code of Conduct (CREDO) was such a way of life in the firm that our employees, including me, would have
been scandalized had we taken another course. We never seriously considered avoiding the costly recall." [2]
In this it is clear that an ethical culture had been created within the firm based on real buy-in from managers
and employees. It is also important to note that ethical behaviour in organizations often flows from the top
down, and like the Johnson & Johnson case, must be defined and consistently applied, regardless of the size
of the issue.
Establishing policies
Establishing an organizational code of ethics is an important part of a general strategy for building an ethical
culture in an organization. The code should help all stakeholders understand their rights and responsibilities
with regard to IS. This is especially important given the new ethical challenges posed by IS. In many cases,
existing personal and social norms and traditions are inadequate to address the specific ethical issues listed
above. Whatever codes you establish need to address the five issues listed and explained in the text.
How do you go about developing a code of ethics for an organization? How can you ensure that it is
reasonable when the nature of ethical dilemmas is that they are complex, ill understood, and can be viewed in
different ways by different people? There is no simple answer to this question, but ensuring attention to the
positions of a variety of stakeholders will help, as does accepting that your policies regarding information
systems may be challenged more frequently than in other areas.
Who are the relevant stakeholders? Employees from all levels of the organization and all areas (geographic,
functional, product line) are the first group. Management and employees may have a different perspective on
things like e-mail monitoring. Sales may have a different perspective on the treatment of customer information
than finance or R&D. Differences between employee groups may be driven by differences in the work they do,
their place within the organizational power structure, and their social environment (people in different countries
will have different views, as will people from different socio-economic positions).
Shareholders are also an important group. Shareholders are normally not as connected to the day-to-day
operations of the firm and are often accused of being interested only in short-term profits that drive stock
price. Yet corporations do owe a fiduciary responsibility to shareholders, and their position must be understood.
Customers, as well as suppliers and other partners, are another important stakeholder group, especially when
considering issues that will directly influence them (for example, privacy and quality, as they influence things
such as ordering and billing). Members of the community in which the business operates are also important
stakeholders, especially in environmental decision making, which may influence such things as pollution and
technology decisions, where changes in technology could result in substantial job losses in the community.
Given the variety of stakeholder perspectives and interests, it is important to design an inclusive process so
that all reasonable concerns are heard. However, in the end, decisions have to be made about the priorities
expressed in the organization's code of ethics. Then an effective strategy for communicating the code must be
put in place.
Further steps are necessary. There should be a process for evaluating how well the code is working. Here it is
important to identify meaningful indicators of ethical performance and use them in a process of continuous
quality improvement (CQI). In effect, it is important to audit for ethical successes and failures. Then the
measures used for CQI will help you identify areas in which the code needs to be revised.
[1] Source: CGA-Canada, Code of Ethical Principles and Rules of Conduct
[2] Source: CGA-Canada, Ethics Reading Handbook, Unit B4, A Conceptual Model of Corporate Moral
Development.
Activity 9.5-1 solution
The two models are similar. They differ primarily in the level of depth associated with the different phases. The
textbook puts an emphasis on defining the problem because how one defines the problem can significantly
influence how it is resolved. The attention to different stakeholders is an important aspect of this in the
textbook model.
The ERH model puts more emphasis on the process of making the decision, which is important because
ultimately the framework is intended to guide action.
Regardless, the two models should be seen as complementary, rather than competing. The table below shows
one mapping of the steps between the two models. You may have combined them in slightly different ways.
Textbook | ERH
Identify and describe the facts clearly. | Identify the problem.
Define the conflict or dilemma and identify the higher order values involved. |
Identify the stakeholders. |
Identify the options that you can reasonably take. | Specify the feasible alternatives.
 | Use your ethical resources to identify morally significant factors for each alternative.
Identify the potential consequences of your options. | Propose and test resolutions.
 | Make your choice.
Module 9 self-test
1. Complete the Management Decision Problem, Evaluating an Application Service Provider.
2. List and describe the most common threats against contemporary information systems.
   Source: Kenneth C. Laudon, Jane P. Laudon, and Mary Elizabeth Brabston, Management Information Systems: Managing the Digital Firm, Fifth Canadian Edition (Toronto: Pearson Canada, 2011), page 267. Reproduced with permission from Pearson Canada.
3. Explain how security and control provide value for businesses.
   Source: Kenneth C. Laudon, Jane P. Laudon, and Mary Elizabeth Brabston, Management Information Systems: Managing the Digital Firm, Fifth Canadian Edition (Toronto: Pearson Canada, 2011), page 267. Reproduced with permission from Pearson Canada.
4. Describe the function of risk assessment and explain how it is conducted for information systems.
   Source: Kenneth C. Laudon, Jane P. Laudon, and Mary Elizabeth Brabston, Management Information Systems: Managing the Digital Firm, Fifth Canadian Edition (Toronto: Pearson Canada, 2011), page 267. Reproduced with permission from Pearson Canada.
5. Explain how informed consent, legislation, industry self-regulation, and technology tools help protect the individual privacy of Internet users.
   Source: Kenneth C. Laudon, Jane P. Laudon, and Mary Elizabeth Brabston, Management Information Systems: Managing the Digital Firm, Fifth Canadian Edition (Toronto: Pearson Canada, 2011), page 124. Reproduced with permission from Pearson Canada.
6. Read the case study, "Flexible Scheduling at Walmart: Good or Bad for Employees?" (page 121 in your textbook) and answer Questions 1-3.
MANAGEMENT DECISION PROBLEM
EVALUATING AN APPLICATION SERVICE PROVIDER
Your company has grown from 40 to 200 employees in the past two years. All of your human resources record
keeping, such as processing hired and terminated employees, documenting promotions, and enrolling
employees in medical and dental insurance plans, used to be performed manually, but your two-person Human
Resources Department is swamped with paperwork. You are looking at two options to automate these
functions. One is to purchase a client/server human resources package to run on the company's midrange
computer. The other is to use an application service provider that delivers human resources software over the
Web. The company's Human Resources Department has PCs with web browser software and Internet access.
Your information systems staff consists of two IS professionals.
The Human Resources software package that best fits your needs costs $13 500 to purchase. One information
systems specialist with an annual salary of $50 000 would have to spend four hours per forty-hour workweek
supporting the program and applying upgrades as they became available. Upgrades cost $1500 each, and the
vendor provides one upgrade every year after the first year the package is purchased.
The application services provider you have identified charges $2500 to set up the system initially and $7.50 per
month for each employee in the firm. You do not need to purchase any additional hardware to run the system,
and the vendor is responsible for supporting the system, including upgrades.
1. What are the costs of each option in the first year?
2. Which option is less expensive over a three-year period?
3. Which option would you select? Why? What factors would you use in making a decision? What
are the risks of each approach?
4. What management and organizational challenges will you have in implementing your choice?
Source: Kenneth C. Laudon, Jane P. Laudon, and Mary Elizabeth Brabston, Management Information Systems:
Managing the Digital Firm, First Canadian Edition, 2002. Reproduced with the permission of Pearson
Education Canada.
Module 9 self-test solution
Question 1 solution
A. Costs of each option in the first year:

Package costs
  Purchase of system                              13,500
  10% of specialist annual salary                  5,000
  TOTAL                                           18,500

Web costs
  Set up                                           2,500
  200 employees × $7.50 per month × 12            18,000
  TOTAL                                           20,500

B. Costs for years two and three (assuming company still has 200 employees):

Package costs, 2nd and 3rd years
  Specialist salary                               10,000
  Two upgrades                                     3,000
  Total years 2 and 3                             13,000
  Cost of 1st year                                18,500
  TOTAL COST OF FIRST THREE YEARS                 31,500

Web costs, 2nd and 3rd years
  200 employees × $7.50 per month × 12            36,000
  Cost of 1st year                                20,500
  TOTAL COST OF FIRST THREE YEARS                 56,500
C. Some of the factors you might consider in making your decision:
- The impact on employees other than the specialist has not been factored in. In either case, employees will still need to spend time on the HR tasks, although the time spent would presumably be significantly less than is currently the case. You would need to consider if the time requirements for employees are the same under either option.
- The package cost is less for the first three years and is projected to remain less if the number of employees does not drop.
- The web alternative will enable the company to pay only for the services they need, so that should the number of employees drop by 50%, the costs would also drop an equivalent percentage. On the other hand, a staff growth of 50% would result in costs rising by the same percentage, while the package cost would remain the same.
- The web alternative presents more security problems because it is being run over the Internet, while the package alternative runs only on the company's own LAN. This may be particularly important because of the sensitivity of the data maintained by most HR departments.
- The package alternative uses 10% of the company's IS staff time whereas the web choice leaves that staff free to address other company problems, some of which might be more strategic and critical than the running of a human resource system.
- Employees today know how to use a web browser. While some further user training might be necessary with the web choice content, it is likely that much more user training will be needed for the package choice.
- The web system will probably be up and running much more quickly and with much less organizational disruption than the package system.
- As stated above, some of the web risks are rising costs and security, while the package risks are lost IS time and higher expenses in set up and training.
D. The challenges that could potentially be experienced when implementing either choice are
- acceptance of the new system by HR employees
- business future of the service provider and whether or not the service is long-term
- user-friendliness of the software
- ability of the new software to handle the organization's HR functions
Source: Adapted from Anne Nelson and Mary Elizabeth Brabston, Instructor's Manual to Management
Information Systems: Managing the Digital Firm, First Canadian Edition, 2002. Reproduced with the
permission of Pearson Education Canada.
Question 2 solution
The most common threats against contemporary information systems include technical, organizational, and
environmental factors compounded by poor management decisions. Figure 8-1 includes the following:
- Technical: unauthorized access, introducing errors
- Communications: tapping, sniffing, message alteration, theft and fraud, radiation
- Corporate servers: hacking, viruses and worms, theft and fraud, vandalism, denial of service attacks
- Corporate systems: theft of data, copying data, alteration of data, hardware failure, and software failure. Power failures, floods, fires, or other natural disasters can also disrupt computer systems.
- Poor management decisions: poor safeguard design to protect valuable data from being lost or destroyed, or from falling into the wrong hands.
Source: Adapted from Dale Foster, Instructor's Manual to accompany Management Information Systems:
Managing the Digital Firm, Fifth Canadian edition, Pearson Canada, 2011, Chapter 8, Page 291. Reproduced
with the permission of Pearson Canada.
Question 3 solution
Security refers to the policies, procedures, and technical measures used to prevent unauthorized access,
alteration, theft, or physical damage to information systems.
Controls consist of all the methods, policies, and organizational procedures that ensure the safety of the
organization's assets; the accuracy and reliability of its account records; and operational adherence to
management standards.
Firms relying on computer systems for their core business functions can lose sales and productivity.
Information assets, such as confidential employee records, trade secrets, or business plans, lose much of their
value if they are revealed to outsiders or if they expose the firm to legal liability.
Source: Dale Foster, Instructor's Manual to accompany Management Information Systems: Managing the Digital
Firm, Fifth Canadian edition, Pearson Canada, 2011, Chapter 8, page 294-295. Reproduced with the permission
of Pearson Canada.
Question 4 solution
A risk assessment determines the level of risk to the firm if a specific activity or process is not properly
controlled. Business managers working with information systems specialists can determine the value of
information assets, points of vulnerability, the likely frequency of a problem, and the potential for damage.
Controls can be adjusted or added to focus on the areas of greatest risk. An organization does not want to
over-control areas where risk is low and under-control areas where risk is high.
Security risk analysis involves determining what you need to protect, what you need to protect it from, and
how to protect it. It is the process of examining all of the firm's risks, and ranking those risks by level of
severity. This process involves making cost-effective decisions on what you want to protect. The old security
adage says that you should not spend more to protect something than it is actually worth. A full treatment of
risk analysis is outside the scope of this section; however, there are two elements of a risk analysis that should
be briefly covered for the students: (1) identifying the assets and (2) identifying the threats. For each asset,
the basic goals of security are availability, confidentiality, and integrity. Each threat should be examined with
an eye to how the threat could affect these areas. One step in a risk analysis is to identify all the things that
need to be protected. Some things are obvious, like all the various pieces of hardware, but some are
overlooked, such as the people who actually use the systems. The essential point is to list all things that could
be affected by a security problem.
Source: Dale Foster, Instructor's Manual to accompany Management Information Systems: Managing the Digital
Firm, Fifth Canadian edition, Pearson Canada, 2011, Chapter 8, Page 296-297. Reproduced with the permission
of Pearson Canada.
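The sketch below is an added illustration, not material from the textbook or the instructor's manual: it lists assets and threats, ranks them by likely frequency times potential damage, and flags areas that are over- or under-controlled. The register entries, dollar figures, the `reduction` field, the risk-appetite threshold and the verdict rules are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# The three basic security goals named in the solution text.
GOALS = {"availability", "confidentiality", "integrity"}


@dataclass(frozen=True)
class Risk:
    asset: str           # what needs protecting (hardware, data, people)
    threat: str          # what it needs protecting from
    goals: frozenset     # security goals the threat would affect
    frequency: float     # expected occurrences per year
    damage: float        # loss per occurrence, in dollars
    control_cost: float  # annual spend on controls for this risk
    reduction: float     # assumed share of the loss the controls prevent (0..1)

    def __post_init__(self):
        # Reject entries that cannot be ranked meaningfully.
        if not self.goals or not self.goals <= GOALS:
            raise ValueError(f"{self.asset}: goals must come from {sorted(GOALS)}")
        if min(self.frequency, self.damage, self.control_cost) < 0:
            raise ValueError(f"{self.asset}: negative frequency, damage or cost")
        if not 0 <= self.reduction <= 1:
            raise ValueError(f"{self.asset}: reduction must be between 0 and 1")

    @property
    def exposure(self):
        """Expected annual loss with no controls in place."""
        return self.frequency * self.damage

    @property
    def residual(self):
        """Expected annual loss that remains after the controls."""
        return self.exposure * (1 - self.reduction)


def rank(register):
    """Order risks by severity, highest expected annual loss first."""
    return sorted(register, key=lambda r: r.exposure, reverse=True)


def verdict(risk, appetite):
    """Classify one risk (assumed rules, chosen for this example)."""
    if risk.control_cost > risk.exposure:
        return "over-controlled"    # spending more than the risk is worth
    if risk.residual > appetite:
        return "under-controlled"   # remaining loss exceeds what is tolerated
    return "balanced"


def assess(register, appetite):
    """Return (asset, threat, verdict) rows in ranked order."""
    return [(r.asset, r.threat, verdict(r, appetite)) for r in rank(register)]


# Constructed sample register; every figure here is invented for illustration.
REGISTER = [
    Risk("HR employee records", "unauthorized access",
         frozenset({"confidentiality"}), 0.5, 200_000, 15_000, 0.8),
    Risk("Order-entry server", "power failure",
         frozenset({"availability"}), 2, 30_000, 2_000, 0.25),
    Risk("Lobby kiosk PC", "theft",
         frozenset({"availability"}), 0.1, 1_500, 4_000, 0.9),
    Risk("Payroll clerks", "data-entry error",
         frozenset({"integrity"}), 12, 500, 1_000, 0.5),
]
APPETITE = 25_000  # assumed tolerable residual loss per risk per year

if __name__ == "__main__":
    for asset, threat, result in assess(REGISTER, APPETITE):
        print(f"{asset:22} {threat:22} {result}")
```
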
Question 5 solution
Informed consent means that the website visitor knowingly permits the collection of his/her data during his/her
visit to the company's website. In Canada, individuals must opt in to allow their information to be shared by
organizations (legislated by PIPEDA). The federal legislation that applies to private sector organizations is
mirrored by public sector legislation at most provincial levels, and at the federal level. Industry must comply
with PIPEDA legislation that dictates the level of responsibility for privacy and protection of data. Some
industries' professional organizations, such as accountants, engineers, and information systems professionals,
have adopted codes of ethics to help regulate what their professionals do. Businesses have taken some steps,
including publishing statements about how their information will be used.
Technology tools can be used on individual computers to protect against viruses and spyware and to block
certain sites. Technical solutions also enable e-mail encryption, anonymous emailing and surfing, and cookie rejection.
Of particular interest is the P3P standard that allows the user to have more control over personal information
that is gathered on the websites visited.
Source: Dale Foster, Instructor's Manual to accompany Management Information Systems: Managing the Digital
Firm, Fifth Canadian edition, Pearson Canada, 2011, Chapter 4, Pages 126-127. Reproduced with the
permission of Pearson Canada.
Question 6 solution
1. What is the ethical dilemma facing Walmart in this case? Do Walmart's associates also face an
ethical dilemma? If so, what is it?
Walmart is trying to automate a process that was largely left to people who could make decisions
based on personal judgments. The new Kronos system tracks business data within each store and
uses the data to schedule employee work hours. The work schedules compiled by the system are
more favorable to the company's profit margin at each store than to the employees. That impacts
the quality of life for employees. Walmart must accept responsibility for the potential conflicts its
new system may cause employees.
Employees also face an ethical dilemma under the new Kronos system. It may decrease the
stability of their jobs and perhaps create financial hardships. The new system generates schedules
that are irregular and unpredictable. That makes it more difficult for employees to schedule their
own personal needs and those of their family. The ethical dilemma they face is whether to cheat
on their personal availability forms to try to create a schedule that's favorable to themselves
and their families. Language on the form instructs associates that "Limiting your personal
availability may restrict the number of hours you are scheduled." That causes conflict for
employees: if they cheat on the form, they may suffer fewer hours and less income; if they don't
cheat, they may suffer from irregular schedules.
2. What ethical principles apply to this case? How do they apply?
Both sides, Walmart and its employees, should be guided by the Candidate Ethical principle of
"Do unto others as you would have them do unto you." Would Walmart want its employees to
treat customers as callously as the employees feel they have been? Do the employees want
Walmart cheating against them like many of them might on their availability slips?
Employees must consider Immanuel Kant's Categorical Imperative. If every employee cheated on
their availability slip, could the organization survive and thrive?
Walmart must consider Descartes' rule of change. While the new scheduling system may bring
only small changes now, what happens if the corporation continues making similar small changes
to the detriment of its employees? What will those incremental changes do to the employees'
morale in the long run?
3. What are the potential effects of computerized scheduling on employee morale? What are the
consequences of these effects for Walmart?
Obviously, employee morale is suffering and will continue to suffer. Experienced associates with high pay
rates have expressed concern that the system enables managers to pressure them into quitting.
If employees are unwilling to work nights and weekends, some justifiably so, managers can
replace them with lower cost employees. Managers can avoid paying overtime or full-time wages
by cutting back the hours of associates who are approaching the thresholds that cause extra
benefits to kick in. Most importantly, associates are almost always people who need all the work
they can get.
The consequences of poor morale in the workforce will most likely show up in customer relations.
The employees most likely impacted by the new Kronos system are the very ones that most likely
are on the front lines of customer touch points: the cashiers and customer assistants. Poor
treatment of the customer will drive them away from the stores.
Source: Dale Foster, Instructor's Manual to accompany Management Information Systems: Managing the Digital
Firm, Fifth Canadian edition, Pearson Canada, 2011, Chapter 4, pages 117-118. Reproduced with the
permission of Pearson Canada.
Module 9 summary
IS operational and security issues
Evaluate the advantages and disadvantages of outsourcing information systems, and assess different outsourcing models.
- Outsourcing refers to the practice of contracting computer centre operations, telecommunications networks, or applications development to external vendors.
- Traditional model:
  - Outsourcer runs custom-designed applications for a firm.
  - Outsourcer may provide dedicated or shared hardware, depending on contract.
  - Outsourcer adds value through expertise, ability to attract skilled expertise, and economies of scale.
- Cloud computing:
  - Three models: SaaS, IaaS, and PaaS
  - SaaS model:
    - An application service provider runs more generic (as opposed to customized) applications.
    - Applications are accessible through the Internet.
    - Principal value added is through low-cost, quickly accessible applications.
  - IaaS model:
    - A cloud-based server can be shared and divided into multiple virtual machines, each running independent operating systems and application software
  - PaaS model:
    - Computing platform for developers.
    - Usually includes an OS, an execution environment for a specific programming language, a database and a web server.
- Shared service facilities:
  - Facilities are used for web operations, to provide a secure and separate location.
  - Outsourcer and firm work as a team to maintain and operate systems.
  - These are common in disaster recovery contracts.
- Advantages of outsourcing:
  - cost savings through economies of scale
  - cost savings from economies of scope
  - infusion of cash through liquidation of computer assets
  - facilitation of transition of data centre from cost centre to profit/loss centre
  - ability to rapidly introduce new technology
  - access to new technologies and IT talent
  - ability of management to focus on core competencies
- Disadvantages of outsourcing:
  - loss of direct managerial control
  - difficulty in reversing decision
  - dependence on outsourcer's viability (financial strength, responsiveness, service, and so on)
  - dilution of in-house staff's strength
  - lack of knowledge of the business (by vendor)
  - lack of flexibility
  - untenable, long-term contracts; fixed price vs. service tradeoff
  - requirement for skills in partnership management
  - strategic factors

Evaluate the key factors to address when considering an outsourcing arrangement.
- selective outsourcing rather than total outsourcing
- involving IS management as well as senior management in the outsourcing decision
- considering both internal and external bids
- shorter term rather than longer-term contracts
- fee-for-service (time and material) contracts rather than standard (how much to deliver the results) or loose contracts
- the trustworthiness of the outsourcer
- specific outsourcing contract provisions:
  - service level agreement
  - data protection and ownership
  - change control mechanisms
  - dispute resolution
  - termination transition

Assess the different threats to information systems security, including physical and electronic threats and intentional and unintentional threats.
- Exhibit 9.2-1 shows a framework of security threats, classified along two dimensions: physical / electronic and unintentional / intentional.
- Computer crime, while sensational, is not necessarily the biggest risk.

Assess an organization's IS risks using the risk assessment framework.
- Risks can be categorized in terms of their probability of occurring and their impact if they do occur.
- Exhibit 9.3-2 shows the risk assessment framework that incorporates these dimensions.

Design the critical elements of an organization's security plan.
- The plan should be linked to the organization's business strategy.
- It should include
  - clear, written policy that covers access to data, applications and networks, software, privacy, recovery, and systems development
  - procedures for user authentication, such as password schemes
  - clear user authorizations to define which users can access which resources
  - procedures for monitoring usage (errors, violations, activity reporting) on an ongoing basis to enforce the security policies
  - a disaster recovery plan, and running simulations to test it out on a regular basis
  - a business continuity plan
  - a means of ensuring that security personnel have broad and deep skills, outsourcing where necessary to provide those skills
  - processes for monitoring developments in security technology, such as firewalls, anti-virus, certificate authority, biometrics, encryption, and privacy

Justify the purpose and scope of a disaster recovery plan.
- Disaster plans provide procedures by which an organization can continue to operate its information systems in the event of a major security failure (fire, flood, and so on)
- Disaster recovery plans include several elements:
  - procedures for who to notify of the disaster and what steps to take in what order
  - rules regarding backup of data, including off-site backup
  - a means of providing service during a disruption to normal operations, often using either a hot site or cold site
  - a plan for recovering data once the disruption is over
  - a testing plan, to ensure that personnel know how to implement the procedures

Evaluate the role of auditing in a security plan.
- Independent audit of the plan helps ensure that it meets its desired objectives and is actually implemented as intended.
- Security audits involve identifying every organizational process and the systems that support them, then tracking the security of those systems.
- The audit includes both technological tests and non-technological tests.
- Results of an audit will include a plan for addressing any shortcomings and then evaluating whether they have been addressed.

Identify the five key ethical challenges related to information technology and interpret different ethical principles, including the CGA-Canada Code of Ethical Principles and Rules of Conduct, in guiding decision making about these challenges.
- Key ethical challenges involve
  - information rights (privacy and access to information)
  - property rights (particularly intellectual property)
  - accountability, liability and control (relates to enforcement of above two rights)
  - system quality expectations
  - quality of life: equity, access, and boundaries
- Principles of ethical decision making require the decision maker to step outside of the situation, take the perspective of other stakeholders, and generalize actions to a broader set of situations. In doing so, the longer-term ethical implications of an action can be better understood.

Assess the importance of stakeholder analysis and involvement in ethical decision making.
- Involving a greater number of stakeholders ensures a fuller debate of the different perspectives on a situation, which ultimately should result in decisions which are more ethically sound.
