B4: Information Systems and Communications Flashcards
Information Technology
general term that encompasses many different computer-related components
- one of the most basic IT components of any business is the set of software “business information system”
- business info systems can be divided into categories of: transaction processing system, enterprise resource planning systems, decision support systems (aka business intelligence), and executive information systems
- these categories are not mutually exclusive, many business info systems perform multiple functions
Components of IT
- Hardware
- actual physical computer or peripheral device
- Software
- processes data and turns that data into info
- can be used for general use or specialized purposes
- Network
- communication media that allows multiple computers to share data and info
- People
- job titles vary but functions are somewhat standard
- functions may be outsourced
- Data/Information
a) Data: raw facts
- production data: results from production processing and stored in production systems
- test data: results from test processing and stored in test systems
- production and test data should be separately stored and accessed
b) Information: data that has been processed and organized
- useful for decision making, whereas data are facts that are stored
Roles of Business Info Systems
4 Primary Roles in Business Operations
- to process detailed data (such as transaction data)
- to provide info used for daily decisions
- to provide info used for developing business strategies
- to take orders from customers
Hierarchy of Roles
- enterprise information system should be able to capture detailed transactional data as well as higher level aggregated data for mgmt
- integrated system for less redundancy, all users can use single system or network for lower level and higher level
Functional Perspective
- sales and marketing systems
- mfg and production systems
- finance and accounting systems and
- HR systems
Data Capture
first step in processing business transactions is to capture data for each transaction
Data Capture Techniques
- Manual Entries
- physically input by individuals
- data entry screen often retains same name and layout as paper source document it replaced
- Source Data Automation
- capture transaction data in machine-readable form at time and place of origin
Data Accuracy
- Well-Designed Input Screen
- data entry screens should request all required data and guide the data entry person in entering correct data
- validation rules and clear messages for errors help
- Auto-Entry Fields
- auto-numbering can ensure that all transactions have been recorded and that none of the documents have been misplaced
- other auto-entry can be used similarly
Processing
once data has been collected and entered, it must be processed
5 functions performed on data*
- Collect
- Process
- Store
- Transform
- Distribute
Normal Series of Events in a Business Info System
- after a business info system is set up and configured by hardware techs, network admins, and software developers, the system is considered functional
- once functional, a person inputs data which is collected, stored, processed, and output/shared, and it's then working!
more on future flashcards
Accounting Information Systems (AIS) overview
Processing
type of management info system; it may also be partly a transaction processing system and partly a knowledge system
- aka transaction processing system
- business info system that is most important to accounting is the AIS
- there may be separate systems (modules) for each accounting function or one integrated system that performs all accounting functions
- a well-designed AIS creates an audit trail for accounting transactions
- the audit trail allows a user to trace a transaction from a source document to the ledger and from the ledger back to the source documents
Objectives of an AIS
Accounting Information Systems (AIS)
Processing
- record valid transactions
- properly classify transactions
- record transactions at proper value
- record transactions in proper period
- properly present transactions and info in FSs
Transaction Cycles
Accounting Information Systems (AIS)
Processing
w/i an individual cycle, transactions are numerous but generally similar and processed almost identically
- Revenue Cycle: transactions associated w sales of goods or services that produce cash or other assets
- customer orders
- AR
- cash receipts
- Expenditure Cycle: transactions associated w purchase of goods or services that use cash or produce debt
- purchasing
- inventory control (WIP)
- AP
- cash disbursements
- Production Cycle: conversion of resources into products or services
- product design and production planning
- product manufacturing
- inventory control (finished goods)
- HR/Payroll Cycle: employee administration
- HR
- time and attendance
- payroll disbursements
- payroll tax reporting
- Financing Cycle: transactions associated w equity and debt financing including issuance of stock or debt, payment of dividends or debt service payments, etc
Data Processing Cycle
Processing
transaction processes are generally divided into 4 functional areas that make up the data processing cycle
- Data Input
- Data Storage
- Data Processing
- Information Output
- Data Input
Data Processing Cycle
Processing
transactions must be captured or gathered and entered into a system
Basic Issues
- all transactions of interest are accounted for
- all transactions accounted for in correct accounts
- all people originating transactions are identified
Input Verification
- tracing the data to appropriate supporting evidence contributes to validation of accuracy
- Source Documents: may be manual or computer generated
- Turnaround Documents: preprinted data in machine-readable form, sent to the customer w the invoice/statement; when the customer remits payment the doc. is included and ensures the correct account is credited w the payment
- Data Storage
Data Processing Cycle
Processing
different methods for keeping data available for retrieval
- Journals and Ledgers
- data is entered into AIS first to journals and summarized into ledgers
- audit trails allow for summary ledger data to be traced to journals and then to specific transactions and source documents
- Coding
a) Sequence Codes
- list of transactions should include neither duplicates nor gaps in number sequence
- to ensure all transactions/documents are accounted for
b) Block Codes
- blocks of numbers to group similar items
- e.g. chart of accounts
c) Group Codes
- different groups of numbers have meaning
- e.g. phone number
- Chart of Accounts
- form of coding that summarizes accounting data by ledger classifications
- allows business to customize classification of data in ways that best meet info requirements of a business
Computer Storage of data should follow a logical sequence
- entity: subject of stored information
- attributes: specific items of interest for each entity
- field: single piece of info (attribute) of the entity
- record: all attributes of an entity, multiple fields
- data value: contents of the field
- file: records that are grouped
- master file: similar to a ledger, stores cumulative info and relatively permanent
- transaction file: similar to a journal, stores individual transactions
- database: files that are interrelated and coordinated
- Data Processing
Data Processing Cycle
Processing
processed to keep info current
Functions - what is done to the database
- Addition: adding new records to database
- Updating: revisions to master file
- Deletion: removal of records from database
Methods - how is it done
- Batch Processing: master files are only updated periodically (e.g. daily)
- Online Real-Time Processing: master files are immediately updated in real time
- Information Output
Data Processing Cycle
Processing
Form
- Documents: outputs such as checks, purchase orders, receipts, etc
- Reports: internal (sales analysis) or external (FSs)
- common reports: budgets, production and delivery schedules, and performance reports
- Query: request for specific data
1/2 Batch Processing
Processing Methodology
Processing
- input documents/transactions are collected and grouped by type of transaction (into batches)
- batches are processed periodically
- may use either sequential storage device or random access storage device
a) Always a Time Delay
- b/w time transaction is initiated and time it is fully processed
b) Steps in Batch Processing
1. Create a Transaction File (batch)
- enter data, edit for completeness/accuracy (edit process or data validation)
2. Update Master File
- by processing the batch and updating relevant records in master file
c) Compare Manual and Computer Generated Batch Control Totals
- a batch total is manually calculated then compared to a computer-generated batch control total
- batch total: total of the dollar amounts
- hash total: total of other numbers (not dollar amounts)
d) Often Used in Traditional Systems
- batch processing is most often found where the data in the system does not need to be current at all times
- more efficient in processing large volumes bc records are sorted in a master file to facilitate more efficient processing
2/2 Online Real-Time (OLRT) Processing
Processing Methodology
Processing
master files updated as transactions are entered
- requires random access storage devices
a) Immediate Processing
- always current and error detection is immediate
- OLRT systems used when it is critical to have current info or when individual accounts need to be accessed in a random order
b) OLRT Often Used in Networked Systems
- bc transactions are processed as they occur, OLRT generally requires use of a computer network to permit data entered at many locations to update a common set of master files
~ lecturer skipped the rest of these
c) POS System
- scanners to capture data encoded on bar codes and transmitted to a central database
d) Online Analytical Processing
- allows end users to retrieve data from a system and perform analysis using statistical and graphical tools
e) Scanners
- data can be collected in real time
f) Importing and Exporting Data
- b/w programs
Centralized vs Decentralized (Distributed) Processing
Processing
not one or the other, often a matter of degree
Centralized Processing
- maintain all data and perform all data processing at a central location
- e.g. mainframe and large server computing applications
Decentralized (Distributed) Processing
- computing power, applications, and work are spread out over many locations
- each remote computer performs a portion of the processing, thus reducing processing burden on the central computer
Advantages of Centralized
- enhanced data security: only protect one instead of multiple
- consistent processing: decentralized systems may result in inconsistent processing at various locations
Disadvantages of Centralized
- possible high cost: cost of transmitting large #s of detailed transactions, but costs are falling
- need for processing power and data storage
- reduction in local accountability
- bottlenecks: can occur at high traffic times
- delay in response time
- increased vulnerability: bc everything in one place, if something happens there goes everything
End User Computing
Processing
hands-on use of computers by end users
- functional end users do their own info processing activities w hardware, software, and professional resources provided by the org
- common EUC is info retrieval from org’s database using query language feature of database mgmt systems (DBMS)
- data can be extracted then manipulated by end user w spreadsheet software or other analytical tools
Periodic Scheduled Reports
1/6 types of MIS reports
Reporting
made available on a regular basis to end users of the system
- traditional reports that display info in a predefined format
Exception Reports
2/6 types of MIS reports
Reporting
produced when a specific condition or exception occurs
Demand Reports
3/6 types of MIS reports
Reporting
available on demand
- aka response report or pull report
Ad Hoc Reports
4/6 types of MIS reports
Reporting
does not currently exist but can be created on demand, without having to get a software developer or programmer involved
- aka user report writer
- one of the most attractive features of a well-designed MIS (mgmt info system)
Query
- set of criteria that end user can send to system to extract all transactions that meet the criteria
Push Reports
5/6 types of MIS reports
Reporting
a report window that displays up-to-date reports every time an end user logs into a computer network
- an end user creates a template or profile specifying info desired
Dashboard Reports
6/6 types of MIS reports
Reporting
present summary info necessary for mgmt action
- quick visual references
XBRL
Reporting
extensible business reporting language, derived from XML
- XBRL tags define data
- tags could indicate taxonomy used (GAAP or IFRS), the currency, the time period, as well as definition of the element
- an open, royalty free, internet based information standard for business reporting of financial data
- macros are created to automate analysis of the data tags, producing comparable ratios!
Role of Information Technology in Business Strategy
technology should be an input to the strategy process, helping define innovations and seeking to increase revenue, rather than merely an after-the-fact tool
Common Principles of Technology-Driven Strategy Development
- technology is a core input to the development of strategy
- strategy development must be a continual process
- innovation and emerging business opportunities must be managed separately and differently than core business
- power to change long-held assumptions
- managed from 2 perspectives: 1. ability to create innovation in existing businesses and 2. ability of emerging tech to create new markets/products
- focus on customer priorities as well as internal efficiencies
Role of Technology in Information and Communications
- selection of specific tech to support ERM for an org typically is a reflection of
- entity’s approach to ERM and degree of sophistication
- types of events affecting the entity
- entity’s overall information technology architecture
- degree of centralization of supporting technology
- ERM includes key components that enable an org to identify, assess, and respond to risks
- B4-19 lazyyy
Categories of Business Information Systems
Business Process Design
- Transaction Processing Systems (TPS)
- process and record the routine daily transactions necessary to conduct business
- functions are normally predefined and highly structured
- Management Information Systems (MIS)
- predefined reports that support effective business decisions
- more tactical
- Decision Support Systems (DSS)
- an extension of MIS that provides interactive tools to support decision making
- aka expert system
- Executive Information Systems (EIS)
- provide senior executives w immediate and EASY access to internal and external info to assist in strategic decision making
Systems Development Life Cycle (SDLC)
Business Process Design
provides a framework for planning and controlling the detailed activities associated w system development
- waterfall approach is most popular: sequential steps of analysis, planning, design, and implementation which flow in a single downward direction like a waterfall
- prototyping model is an alternative: approximates a final system that is built, tested, and reworked until acceptable, then a complete system is developed from the prototype
“A DITTO”
- System Analysis
- define the nature and scope of the project
- in-depth study to determine its technological and economic feasibility
- identify the needs of system users and managers
- document previous step
- prepare a report summarizing work done during system analysis and submit to mgmt
- Conceptual Design
- decides how to meet user needs
- identify and evaluate appropriate design alternatives
- buy software, develop software in house, or outsource systems development (can mix!)
- Physical Design
- begin design process w identifying outputs
- B4-21
- Implementation and Conversion
- building and implementing
- Training
- train the people
- Testing
- Operations and Maintenance
- system should be periodically reviewed
- if major modification or system replacement is necessary, the SDLC begins again
Participants in Business Process Design
Business Process Design
- Management
- send clear signal from top mgmt that user involvement is important
- providing support and encouragement
- ensure team members are given adequate time and support to work on the project
- Accountants
- information needs and system requirements
- help manage system development
- active role in designing system controls and periodically monitoring and testing the system
- Info Systems Steering Committee
- plan and oversee the info systems function and address the complexities created by functional and divisional boundaries
- generally high level mgmt
- Project Development Team
- responsible for successful design and implementation of the business system
- External Parties
~B4-23
IT Control Objectives (COBIT)
Control Objectives for Information and Related Technology (COBIT) framework provides a set of measures, indicators, and processes and best practices to maximize the benefit of IT
- created by Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
- has been updated several times, w most recent COBIT 5 in 2012
Business Objectives
COBIT
might include (but not limited to)
- effective decision support
- efficient transaction processing
- compliance
Governance Objectives* 5 focus areas of COBIT
COBIT
5 focus areas
- Strategic Alignment: linkage b/w business and IT plans
- Value Delivery: IT's delivery of promised benefits while satisfying its customers and optimizing costs (cost-benefit)
- Resource Management: optimization of knowledge and infrastructure
- Risk Management: risk awareness by senior mgmt, characterized by understanding risk appetite and risk mgmt responsibilities
- begins w identification of risk followed by determining how a company will respond to the risk
- company can: avoid, mitigate, share, or ignore the risk
- Performance Measurement
- tracking and monitoring strategy implementation, project completion, resource usage, etc.
Information Criteria
COBIT
“ICE RACE”
- Integrity: info is accurate, complete, and valid
- Confidentiality: protection of sensitive information
- Efficiency: low cost w/o compromising effectiveness
- Reliability: information represents what it purports to represent
- Availability: provides current and future info as required
- Compliance: comply w policies, laws, regulations, and contractual arrangements
- Effectiveness: relevant or pertinent to a business process, and delivered in a timely, correct, consistent, and useful manner
IT Resources
COBIT
B4-25 to 26
Domains and Processes of COBIT*
COBIT
“PO AIDS ME”
- Plan and Organize
- direct the IT process
- Acquire and Implement
- deliver the IT solution
- Deliver and Support
- deliver the IT service
- Monitor and Evaluate
- ensure directions in PO are followed
General and Application Controls
Role of Technology Systems in Control Monitoring
General Controls
- designed to ensure that an org’s control environment is stable and well-managed, includes:
- systems development standards
- security mgmt controls
- change mgmt procedures
- software acquisition, development, operations, and maintenance controls
- IT infrastructure
Application Controls
- prevent, detect, and correct transaction error and fraud and are application-specific, providing reasonable assurance as to system: accuracy, completeness, validity, authorization
Input Controls
1/3 types of programmed controls
Role of Technology Systems in Control Monitoring
regulate integrity of input
- data validation at the field level
- prenumbering forms
- well-defined source data preparation procedures
- edit check
Processing Controls
2/3 types of programmed controls
Role of Technology Systems in Control Monitoring
Data Matching
- matching two or more items of data prior to taking an action
File Labels
- ensure correct and most current files are updated
- external labels are readable by humans
- internal labels are written in machine-readable form
- both labels should be used
- 2 important types of internal labels: header and trailer records
Recalculation of Batch Totals/Hash Totals
- if someone submitted a diff. invoice w the same amount, the batch total would agree but the hash total would not
Cross-Footing and Zero-Balance Tests
- test sum of a column of rows to sum of a row of columns to verify
- a zero-balance test requires use of control accounts
Write-Protection Mechanisms
- guard against accidental writing over or erasing of data files stored on magnetic media
Database Processing Integrity Procedures
- B4-28
Output Controls
3/3 types of programmed controls
Role of Technology Systems in Control Monitoring
User Review of Output
- examination by users for reasonableness, completeness, and verification that the output is provided to the intended recipient
Reconciliation Procedures
External Data Reconciliation
- can check something generated w/i the system w something that never touched the system
Output Encryption
- authenticity and integrity of data outputs must be protected during transmission
- reduce chance for data interception
- controls should be designed to minimize the risk of data transmission errors
- parity checking and message acknowledgement techniques are two basic types of data transmission controls
Managing Control Activities
Role of Technology Systems in Control Monitoring
B4-29 to 30
Operational Effectiveness
evaluating the ongoing effectiveness of control policies and procedures provides added assurances
Diagnostic Controls
- designed to achieve efficiency in operations of the firm to get the most from resources used
- compares actual performance to planned performance
Control Effectiveness
- Strategic Master Plan
- multiyear strategic master plan should be developed and updated annually
- should show projects that must be completed to achieve LT goals and address the company's hardware, software, personnel, and infrastructure requirements
- Data Processing Schedule
- all data processing tasks should be organized
- Steering Committee
- guide and oversee system development and acquisition
- System Performance Measurements
- evaluate using system performance measurements
IT Responsibilities and Segregation of Duties
titles may vary but jobs are somewhat standard
System Analyst
a) internally developed system
- determine system requirements
- designs overall application system
- determines type of network needed
b) purchased system
- integrates the application w existing applications
- provides training to end users
Computer Programmer
a) application programmer/software developer
- write or maintain application programs
- segregation of duties, no access to data
b) system programmer
- installing, supporting, monitoring, and maintaining operating system
- also performs capacity planning functions
- segregation of duties, no access to data
Computer Operator: schedule and run processing jobs
- can be automated and, in large computing environments, must be
IT Supervisor
- manage the IT department
File Librarian: store and protect programs and tapes from damage and unauthorized use
- control the file libraries
- much of this work is automated
Data Librarian: custody of and maintains the entity’s data and ensures production data is released only to authorized individuals
Security Administrator: responsible for assignment of initial passwords and maintenance of those passwords
- operation of various security systems and security software
System Administrator
a) Database Administrator: responsible for database software and performing certain security functions
- different from data administrators, who are responsible for data within a database
b) Network Administrator: support computer networks through performance monitoring and troubleshooting
c) Web Administrator: responsible for website
Data Input Clerk: prepare, verify, and input data to be processed
- this function is being distributed to end users
Hardware Technician
- sets up and configures hardware and troubleshoots problems
End User
- workers in an org who enter data in system or who use information processed by the system
Segregation of Duties within IT
bc many transactions are performed by the application software, segregation of duties revolves around granting and/or restricting access to production programs and data
- System Analysts (hardware) vs Computer Programmers (software)
- if same person in charge of both, could easily bypass security w/o anyone knowing to steal org info or assets
- Computer Operator vs Computer Programmers
- if both, could make unauthorized and undetected program changes
- Security Administrators vs Computer Operators and Programmers
- could give themselves or others access to areas they are not authorized to enter
IT Policies
IT policies represent mgmt’s formal notification to employees regarding the entity’s objectives
- authority and responsibility are assigned through formal job descriptions, employee training, code of conduct, written policy and procedures manual, operating plans, schedules, and budgets
Security skipped
B1-34 to 39
Electronic Commerce (E-Commerce)
completion of exchange (buying and selling) transactions
- more specific
Electronic Business (E-Business)
use of IT, particularly networking and communications technology, to perform business processes in an electronic form
- more general
Electronic Data Interchange (EDI)
computer to computer exchange of business transaction documents
Reduce Handling Cost and Increased Processing Speed
- however, to actually reduce costs, the EDI system must be integrated w the org's accounting info systems
Standard Data Format
- Mapping: determining correspondence b/w data elements in an org’s terminology and data elements in standard EDI terminology
- Standards: XML is a flexible format instead of the standard formats of EDI. XML tells systems the format of the data and what kind of info the data is, using tags
- EDI requires all transactions be submitted in standard data format, translation software is required to convert transaction data
Communications
- EDI can be implemented using direct links b/w orgs (trading partners) through communication intermediaries (service bureaus), value added networks (VANs) or over the internet
- VAN is like a mailbox where transactions can be left until they're retrieved by the other party
- internet-based EDI is replacing VAN-based EDI bc it is cheaper
Costs of EDI
- Legal Costs: modifying and negotiating trading contracts w trading partners and w communications providers
- Hardware Costs: cost of equipment
- Cost of Translation Software
- Cost of Data Transmission: decreasing, especially w internet-based EDI
- Process Reengineering and Employee Training Costs
- Security, Monitoring, and Control Procedure Costs
EDI Controls
- audit trails in EDI systems should include
1. activity logs of failed transactions
2. network and sender/receipt acknowledgements
- also, encryption of data
EDI Risks
- unauthorized access to the org’s system
Comparison of EDI and E Commerce
- B4-42
- EDI is more expensive, slower (batch), and uses private VANs, vs e commerce that uses the internet
- the only thing EDI does better is that it is more secure
- EDI requires organizations enter a contract before transacting business, E Commerce does not
Opportunities for Business Process Reengineering (BPR)
analysis and redesign of business processes and information systems to achieve significant performance improvements
- reduces a company to its essential business processes and reshapes it to take advantage of technological advancements
Challenges
- Tradition: changes in employee culture and beliefs
- Resistance
- Time and Cost Requirements: takes awhile and is costly
- Lack of Mgmt Support: w/o support from top mgmt, reengineering has little chance of succeeding
- Skepticism: some people view BPR as traditional systems development in a new wrapper w a fancy name
- Retraining: takes time and money
- Controls: controls that ensure system reliability and integrity cannot be deleted
Business to Business (B2B)
- business sells to public (B2C)
- business sells to business (B2B)
- consumer sells to consumer (C2C)
- B2B E Commerce: sales occur in wholesale markets and on the supply side of commercial processes
- Electronic Market: common for B2B transactions to occur electronically via Internet
- Direct Market: electronic transaction b/w businesses where there is a preexisting relationship
Advantages of B2B E Commerce
- Speed: Internet time
- Timing: do not have to occur during normal business hours (globalization)
- Personalization: customers have online profiles and can be guided to the areas of the website in which they are most interested every time they return to the website
- Security: private info is encrypted
- Reliability: generally there is no opportunity for human error
Components of B2B
- customer connecting to the site through internet
- seller’s site behind an enterprise firewall
- seller’s internet commerce center, w a catalog and order entry system
- seller’s back office systems for inventory mgmt, order processing, and order fulfillment
- seller’s back office accounting system and
- seller’s payment gateway communicating through the Internet to validate and authorize payment methods
B2B vs B2C
- B2C is less complex
- B2B involves more participants, more complex products, require order fulfillment be more certain and predictable, payment mechanisms much more complex
- B2C has consumer protection while B2B does not
Enterprise Resource Planning Systems (ERP)
cross functional enterprise system that integrates and automates the many business processes and systems that must work together for various functions of the business
- ERP software comprises a number of modules that can function independently or as an integrated system to allow data and info to be shared among all the different departments
- ERP is often considered a back-office system
- does not offer planning
ERP Functions
- store info in a central repository so data can be entered once then used by all
- acts as a framework for integration
- can provide vital cross-functional information quickly to managers across the org in order to assist in the decision-making process
Supply Chain Management (SCM)
concerned w 4 important characteristics of every sale: what, when, where, and how much
- goods received should match goods ordered
- goods should be delivered on or before date promised
- goods should be delivered to the location requested and
- cost of goods should be as low as possible
Reengineering of Supply Chains
- companies reengineer supply chains to increase efficiency, reduce costs, and meet customers' needs
SCM Objectives
- Achieve Flexibility and Responsiveness
- are the overall objectives, SCM might incorporate 1 or more of the following:*
a) Planning
b) Sourcing
c) Making
d) Delivery
- Supply Chain Planning Software
- utilized to improve the flow and efficiency of the supply chain and reduce inventory
- supply chain execution software automates the various steps of the supply chain
- Often Termed as Extension of ERP
- but more complex
Customer Relationship Management System
provides sales force automation and customer services in an attempt to manage customer relationships
CRM Objectives
- increase customer satisfaction
- thus increasing revenue and profitability
- attempts to do this by appearing to market to each customer individually
- 5 to 10 times more expensive to acquire a new customer than to obtain repeat business from an existing customer
Categories of CRM
- Analytical CRM: creates and exploits knowledge of the company's current and future customers to drive business decisions
- Operational CRM: automation of customer contacts or contact points
Electronic Funds Transfers (EFT)
Other E-Commerce Technologies
- form of electronic payment for banking and retailing industries
- the Federal Reserve Fedwire System is used freq. in EFT to reduce the time and expense required to process checks and credit transactions
- Third Party Vendor: EFT service is often provided by a third party vendor who acts as the intermediary b/w a company and the banking system
- Data Encryption is critical
- Reduction in Errors bc it is more electronic
Application Service Providers (ASP)
Other E-Commerce Technologies
provide access to application programs on a rental basis
- like renting an apt vs buying
- allow smaller comps to avoid high cost of owning and maintaining an application system
- the application stays owned by the ASP, which is responsible for updates and backups
Advantages
- lower costs
- greater flexibility
- small businesses don't have to hire system experts
Disadvantages
- risks to security and privacy of data
- financial liability of ASP (like a bad landlord)
- possible poor support by ASP (like a bad landlord)
Concepts Similar to ASP
- IBM similar in its utility computing and e-commerce on demand strategies
- similar to timesharing providers or service bureaus of the past that rented raw computing power to customers
- related to ASPs are present-day service bureaus, which perform processing outside the org
Web 2.0
Effects of Internet Evolution on Business Ops and Organization Cultures
the web was originally used just to look at information, but now users can interact with websites
Collaborative Websites and Social Networking
- wiki: a type of collaborative website in which users can browse content and modify it
- facebook, blackboard collaborate (businesses), etc
Dynamic Content
- content that changes frequently and can include video, audio and animation
- dynamically embedded in web pages through XML w data stored in a database separate from the web page
Mash-ups
Effects of Internet Evolution on Business Ops and Organization Cultures
web pages that are collages of other web pages and info
- e.g. google maps
- allows user to view various sources of information
Web Stores
Effects of Internet Evolution on Business Ops and Organization Cultures
- Stand Alone Web Stores
- not integrated w larger accounting system
- hosted by shopping cart software
- financial reports are generated by the software and imported into general accounting software
- Integrated Web Store
- ERP systems that integrate all the major accounting functions, as well as the web store, into a single software system
Cloud Computing
Effects of Internet Evolution on Business Ops and Organization Cultures
virtual servers available over the internet
- includes any subscription-based or pay-per-use service that extends an entity’s existing IT capabilities on a real-time basis over the internet
- a public cloud sells services to anyone on the internet
- a private cloud is a private network that provides services to a limited number of customers
- cloud providers gr have sophisticated backup procedures as well as high level security for customer data
1. Infrastructure-as-a-Service - aka Hardware-as-a-Service (HaaS)
- outsources storage, hardware, services, and networking components to customers, gr on a per use basis
2. Platform-as-a-Service - allows customers to rent virtual servers and related services that can be used to develop and test new software applications
3. Software-as-a-Service - method of software distribution in which applications are hosted by a vendor and made available to customers over the Internet
- aka ASP (application service provider)
Hypertext Markup Language (HTML)
tag-based formatting language used for web pages
Hypertext Transfer Protocol (HTTP)
the communications protocol used to transfer web pages on the world wide web
- HTTPS is the secure version of HTTP that uses SSL (Secure Sockets Layer) for its security
Uniform Resource Locator (URL)
technical name for a web address
- transfer protocol: http:// or ftp://
- server: www indicates a web server
- domain name: becker.com, becker is the subdomain name
- top-level domain: .com, .net, etc
- country: .US, .DE, etc
Transmission Control Protocol (TCP)
transmission protocol of the internet protocol suite
- TCP is a transport layer protocol
- is a reliable and a connection-oriented protocol
- a protocol is a set of rules required for electronic communications to take place
Domain Name
name that includes 1 or more Internet Protocol (IP) addresses: a numerical label assigned to each device in a network
- becker.com is the domain name
- .com is the top level domain name
- Becker is a second level domain name
- organizations w second-level domain names have to have a DNS server
- a third level domain name is an individual host and would be something like olinto.becker.com
- the entire address is called a fully qualified domain name
- file name: in an address like becker.com/students, the "students" part and anything after it
- a DNS root server is the server that administers the top-level domain names
Domain Name System (DNS)
system of domain names that is employed by the internet
- the internet is based on IP addresses, not domain names
- each web server requires a domain name server to translate domain names into IP addresses
- domain name servers are like large electronic telephone books
Domain Name Warehousing
obtaining control of domain names w the intent of warehousing (owning them w/o using them)
Web Server
computer that delivers a web page upon request
- every web server has an IP address
- any computer can be turned into a web server by installing web server software and connecting to the internet
Web Hosting Service
organization that maintains a number of web servers and provides fee-paying customers w space to maintain their websites
Wi-Fi
set of standards for wireless local area networks (LANs)
- Wi-Fi Alliance is a global nonprofit org created in 1999 w goal of driving the adoption of a single worldwide accepted standard for high-speed wireless LANs
Web Services
internet protocol for transporting data b/w different applications w/i a company’s boundaries or across companies
- XML may be used w web services to produce automated info exchange b/w computers and software and to automate business reporting processes
Risk Event Identification
risks in a business information system:
Strategic Risk: risk of choosing inappropriate technology
Operating Risk: risk of doing the right things the wrong way
Financial Risk: risk of having financial resources lost, wasted, or stolen
Information Risk: risk of loss of data integrity, incomplete transactions, or hackers
Specific Risks
risks can be divided into 3 categories
- Errors
  - unintentional
- Intentional Acts
  - sabotage, embezzlements, viruses, etc
- Disasters
  - floods, earthquakes, war, terrorism, etc
Threats in a Computerized Environment
- Virus: piece of computer program that inserts itself into some other program, including operating systems, to propagate and harm files and programs
  - requires a host program, cannot run independently
- Worm: program that can run independently and normally propagates itself over a network
  - cannot attach itself to other programs
  - special type of virus
- Trojan Horse: program that appears to have a useful function but contains hidden and unintended function that presents a security risk
  - normally does not replicate itself
- Denial-of-Service Attack: one computer or group of computers bombards another computer w a flood of network traffic
  - computers attacking called zombies
- Phishing: sending of phony e-mails to try to lure people to phony websites where they're asked for information that will allow the phisher to impersonate the user
Risk Assessment and Control Activities
Risk: possibility of harm or loss
Threat: any eventuality that represents a danger to an asset or a capability linked to hostile intent
- how that risk could manifest
Vulnerability: characteristic of a design that makes it susceptible to a threat
- are we defended against it?
Safeguards and Controls: policies and procedures that, when effectively applied, reduce or minimize vulnerabilities
Risk Assessment
- before risks can be managed, they must be assessed
- steps in risk assessment: identify threats, evaluate probability, evaluate exposure in terms of potential loss, identify controls that could guard against the threat, evaluate the costs and benefits of implementing controls, and implement controls that are cost effective
Evaluation and Types of Controls
- controls are always evaluated on a cost/benefit basis
- access controls and data and procedural controls are important tools of risk management, as is disaster recovery
Physical Access
Access Controls
physical access to computer rooms should be limited to computer operators and other personnel of the IT department
- restricted access via ID cards or keys, manual locks, etc
Electronic Access
Access Controls
User Identification Code
- coupled w regularly changed passwords
- backdoors (a means of access to a program/system that bypasses normal security so the program/system can be easily accessed for troubleshooting) should be eliminated
- dual authentication
File-Level Access Attributes
- control privileges a user has to a file
- e.g. read-only
Callbacks on Dial-up Systems
- system automatically looks up phone # of user and calls to authorize them before access is allowed
- less common as fewer users accessing networks via phone lines
File Attributes
- set to restrict writing, reading, and/or directory privileges for a file
- extremely basic
Firewalls
- a hardware and software system of user identification and authentication that prevents unauthorized users from gaining access to the network
- acts as a gatekeeper for those who try to come in
- firewalls deter, but cannot completely prevent
- network firewalls protect network as a whole
- application firewalls protect specific application services
- Firewall Methodologies
a) packet filtering: examines packets of data, simplest type but can be circumvented by an intruder who forges an acceptable address (IP spoofing)
b) circuit level gateways: allow data into a network only when a computer inside the network requests the data
c) application level gateways (aka proxies): examine incoming data in a more sophisticated fashion, more secure but can be slow
Disaster Recovery
entity's plan for restoring and continuing operations in the event of the destruction of program and data files, as well as processing capabilities
- if processing cannot be quickly reestablished at the original processing site, then disaster recovery is necessary
Major Players in Disaster Recovery
- organization itself, senior mgmt
- disaster recovery service provider
- possibly package vendors if software packages are utilized or hardware vendors for distributed processing
Steps in Disaster Recovery
- assess the risk
- identify mission-critical applications and data
- develop a plan
- determine the responsibilities of personnel involved
- test the plan
Types of Disaster Recovery
- Use of a Disaster Recovery Service
- from outside providers
- ranging from an empty room to complete facilities
- major emphasis on hardware and telecommunications services
- Internal Disaster Recovery
- some orgs w req. for instantaneous resumption of processing after a disaster provide their own duplicate facilities in separate locations
- data might be mirrored and processing can switch almost instantaneously from one location to another
- expensive
- Multiple Data Center Backups
- full backup: exact copy of the entire database; takes the longest
- incremental backup: copying only data changed since last backup; shortest, but have to restore last full backup then manually add every incremental backup since
- differential backup: copies all changes made since last full backup; each new differential backup consists of cumulative effects since last backup; middle amount of time
Types of Off-Site Locations
Cold Site
- 1-3 days; slowest, cheapest
- has electrical connections and other physical requirements, but does not have equipment
Hot Site
- few hours, quickest, most expensive
- equipped to take over comp’s data processing
- backup copies of essential data files and programs may be maintained at location or nearby data storage facility
Warm Site
- 1/2 day to 1 day, middle
- stocked w all the hardware it takes to create a reasonable facsimile of the primary data center
- backups must be retrieved and delivered to warm site
- bare-metal restoration of operating system and network must be completed before recovery work can be done
enterprise architecture for IT
combination of IT resources and defined processes
Virtual Memory
memory where portions of a program not being executed are stored, but it is not real memory
- it’s actually part of disk storage
- it’s stored in real memory when it is to be executed
RAID
disk storage where multiple disk drives are combined to obtain performance, capacity, and reliability that exceed that of a single large disk