Class 4 - Information System Strategy Flashcards
What are information systems crucial for?
Support, sustainability and growth of enterprises
What are some threats that organizations face with IS, aside from near-complete dependence on them for functional and operational activities?
IS resource abuse
Cybercrime
Fraud
Errors and omissions
What are IS strategic processes?
Necessary components within the organization’s governance structure that provide reasonable assurance that existing and emerging business goals will be attained
Senior management should appoint a ___________ to oversee the IT function and its activities
IT steering committee
Who should be appointed to an IT steering committee?
Representatives from senior management, each line of business, corporate departments (HR and finance) and the IT department
Where are the IT steering committee’s duties and responsibilities defined?
In a formal charter
What do members of an IT steering committee need to know?
IT department policies, procedures and practices
What is the purpose of an IT steering committee?
To serve as a general review board for major IS projects (it should not become involved in routine operations)
Why do large IT projects require economic justification?
Because they require large amounts of capital and capital is limited
Because selecting one project often means foregoing others
Because they often involve changes in business processes that will affect substantial portions of the organization
Because good governance requires that all significant investments be justified
Many organizations find it _______ to evaluate IT projects using __________________
Difficult
Traditional techniques
What are some questions that the economic justification for IT initiatives should answer?
Why are we doing this project?
How does it address key business issues?
How much will it cost and how long will it take?
What is the ROI and payback period?
What are the risks of doing the project?
What are the risks of not doing the project?
What are the alternatives?
How will success be measured?
What needs to be done to fully understand the financial implications of a project proposal?
Determine the relevant time frame for costs and benefits
Select appropriate discount rates to apply
Prepare capital budgeting financial metrics
Assess the sensitivity of results to the assumptions
How do you calculate the payback period?
Initial investment / increased cash flow per period
It represents the number of periods needed to recover the project’s initial investment
__________ and __________ both compare the costs with benefits of an IT project
Payback period and breakeven analysis
What are the capital budgeting financial metrics?
Net present value (NPV) - (sum of the PV of all cash inflows) minus (sum of the PV of all cash outflows)
IRR - discount rate that makes the project’s NPV = 0
ROI - how much money the company will gain given the cash flows and terms of the investment
In capital budgeting you need to test sensitivity to changes in ___________
Assumptions
When you prepare the value proposition you assemble the analysis for each alternative IT initiative and recommend the preferred alternatives. What 5 questions should you focus on?
- The change and technology proposed
- The anticipated benefits (related to KSFs)
- The group(s) within the firm that will benefit
- The timing of the benefits
- The likelihood of achieving those benefits as planned
Policies and procedures reflect management _________ and _________ over IS, related resources, and IT department processes
Guidance and direction
Explain what policies are
High-level documents that represent the corporate philosophy of an organization
Must be clear and concise
Create a positive control environment by formulating, documenting and controlling employee actions
Need to be fully explained to the affected employees, who must understand their intent
Policies are part of _____ scope and need to be ________ ________ ________
Policies are part of audit scope and need to be tested for compliance
The auditor needs to consider how policies apply to third parties or outsourcers and review any conflicts
Provide examples of policies
Data classification - describes classification, levels of control at each classification, responsibilities of all potential users
Acceptable use - covers all information resources (hardware, software, networks, internet, phones) and states the permissions for their usage
End-user computing - describes the parameters and usage of desktop and mobile computers and other tools by users
Access control - describes the method for defining and granting access to users of various IT resources
Describe procedures
Procedures are documented, defined steps for achieving policy objectives
Must be derived from the parent policy and implement its spirit (intent)
Must be clear and concise to be properly understood
Are more dynamic and reflect regular changes in business
What is risk management?
The process of identifying vulnerabilities and threats to information resources and deciding what safeguards, if any, to take to reduce the risk to an appropriate level based on the value of the information resource to the organization
It starts with a clear understanding of the organizational appetite for risk
What are the 4 strategies for risk management?
Avoid - do not implement certain activities or processes that incur risk
Mitigate - lessen probability or impact by defining, implementing and monitoring appropriate controls
Share - share the risk with partners, or transfer it via insurance coverage or contractual agreement
Accept - formally acknowledge existence of risk and monitor it
What are the steps in the risk management process?
- asset identification
- evaluation of threats and vulnerabilities
- evaluation of the impact
- calculation of risk (probability of occurrence * magnitude of impact)
- evaluation and response to risk
In summary, the risk management process should…
Achieve a cost-effective balance between the application of security controls as safeguards and the significant threats
IS management practices for the HR department
hiring
employee handbook
promotion policies
training
scheduling and time reporting
performance evaluation
required vacation
termination policies