Embed Size (px)
Chapter 3 Information Systems Development and Management
3.1 Overview of System Development
3.1.1 System Development A system is a set of components that interact to achieve a common goal. You use, observe, and interact with many systems during daily activities. You drive a highway system to reach a destination. You use a programmable thermostat to regulate your heating and cooling systems to save energy. Businesses also use many types of systems. A billing system allows a company to send invoices and receive payments from customers. An inventory system keeps track of the items in a warehouse. A manufac-turing system produces the goods that customers order. Through a payroll system, employees receive paychecks. Very often, theses systems also are information systems.
An information system is a collection of hardware, software, data, people, communications, and procedures that work to-gether to produce quality information. The goal of an information system is to provide users with high-quality information so they can make effective decisions. An information system supports daily, short-term, and long-range activities of users. Some
Overview of System Development System Development Information System Planning Establishing Objectives and information requirements for Systems Development Measuring Information System Performance Project Management
Participants in Information Systems Development System Development Life Cycle
Phases in System Development Cycle Planning Phase Analysis Phase Design Phase Implementation Phase Operation and Maintenance Phase CSAE Tools
Alternative System Development Approaches Prototyping Application Software Package End-User Development Developing Systems with Teams: JAD and RAD Outsourcing Summary
Information System Management Understanding Ethical and Social Issues Related to Systems Information Security Establishing a Framework for System Security and Control
After completing this chapter, you will be able to
• Understand howl organizations develop their information systems. • Identify the key participants in the system development process and understand their roles. • Explain the phases in the system development life cycle. • Identify the core activities in the information systems development process. • Understand other system-building alternatives. • Understand ethical and social issues related to information systems • Understand information security and control
examples of users include store clerks, sales representatives, accountants, supervisors, managers, executives, and customers. The kinds and types of information that users need often change over time.
As a system user in a business, you someday may participate in the modification of an existing system or the development of a new system. Thus, it is important that you understand the system development in business. Systems development is the activity of creating a new business system or modifying an existing business system. It refers to all aspects of the process -- from identifying problems to be solved or opportunities to be exploited to the implementation and refinement of the chosen solution. Whatever its scope and objectives, a new information system is an outgrowth of a process of organizational problem solving. A new information system is developed as a solution to some type of problem or set of problems the organization perceives it is facing. The problem may be one where managers and employees realize that the organization is not performing as well as expected, or it may come from the realization that the organization should take advantage of new opportunities to perform more successfully.
When information requirements change, the information system must meet the new requirements. In some cases, the cur-rent information system is modified; in other cases, an entirely new information system is developed. Understanding informa-tion systems development is important to all professionals, not just those in the field of information systems. In today's organizations, managers and employees in all levels and functional areas work together and use business information systems. As a result, users of all types are helping with systems development and, in many cases, leading the way. At some point in your career, you will likely be involved in a systems development project -- as a user, as a manager of a business area or project team, as a member of the information systems department, maybe even as a CIO (Chief Information Officer) or CEO. Under-standing and being able to apply systems development life cycle concepts, tools and techniques will help ensure the success of the development projects on which you participate.
One important thing to know about information systems development is that an information system is a sociotechnical entity, an arrangement of both technical and social elements. The development of a new information system not only involves hardware, software, data, programmers and communications, but also includes changes in jobs, knowledge, skills, management, policies, processes, and organization. Often new systems mean new ways of doing business and working together. Building a new information system will affect the organization as a whole and change the decision-making process. When we develop a new information system, we are actually changing the organization and business processes. System builders must understand how a system will affect the organization as a whole, focusing particularly on organizational conflict and changes in the locus of decision making. Builders must also consider how the nature of work groups will change under the new system. Systems can be technical successes but organizational failures because of a failure in the social and political process of building the system. Therefore, information systems development has become an essential component of the organizational planning process.
3.1.2 Information Systems Planning Because an organization's business strategic plan contains both organizational goals and a broad outline of steps required to reach them, the business strategic plan affects the type of system an organization needs. Deciding which new systems to build should be an essential component of the organizational planning process. Organizations need to develop an information systems plan that supports their overall business plan and in which strategic systems are incorporated into top-level planning.
The information systems planning refers to the process of the translation of strategic and organizational goals into sys-tems development plan and initiatives (Figure 3-1). For example, part of the information systems plan for a luxury car com-pany might be to build a new product tracking system to meet the organizational goal of improving customer service. Proper information systems planning ensures that specific systems development objectives support organizational goals. One of the primary benefits of information systems planning is that it provides a long-range view of information technology use in the organization. The information systems plan provides guidance on how the information systems infrastructure of the organiza-tion should be developed over time. The plan serves as a road map indicating the direction and rationale of systems develop-ment. Another benefit of information systems planning is that it ensures better use of information systems resources, including funds, information systems personnel, and time for scheduling specific projects.
Organization’s Business Strategic
Information Systems Planning
Figure 3-1 The process of information systems planning
Figure 3-2 shows the steps of information systems planning. Overall objectives of information systems are usually distilled from the relevant aspects of the organization's business strategic plan. Information systems projects can be identified either directly from the objectives determined in the first step or may be identified by others, such as managers within the various functional areas. Setting priorities and selecting projects typically requires the involvement and approval of senior management. Once specific projects have been selected within the overall context of a strategic plan for the business and the systems area, an information systems plan can be developed. The plan contains a statement of organizational goals, identifies the project objectives, and specifies how information technology supports the attainment of the organizational goals. When objectives are set, planners consider the resources necessary to complete the projects including equipment (computers, network servers, printers, and other equipment and devices), software, employees (systems analysts, programmers, users and others), expert advice (specialists and other consultants), and so on.
The information systems plan lays out specific target dates and milestones that can be used later to monitor the plan’s progress in terms of how many objectives were actually attained in the time frame specified in the plan. The plan also includes the key manage-ment decisions concerning hardware acquisition; structure of authority, data, and hardware; telecommunications; and required organizational change. Organizational changes are usually described, including management and employee training requirements; recruiting efforts; changes in business processes; and changes in authority, structure, or management practice. The manager's toolkit in Figure 3-3 gives the guideline for developing an information system plan.
As part of translating the corporate strategic plan into the infor-mation systems plan, many companies seek systems development project that will provide a competitive advantage. This usually requires creative and critical analysis. Creative analysis involves the investigation of new approaches to existing problems. By looking at problems in new or different ways and by introducing innovative methods to solve them, many firms have gained a competitive advantage. Typically, these new solutions are inspired by people and things not directly related to the problem. Critical analysis requires unbiased and careful questioning of whether system elements are related in the most effective or efficient ways. It involves considering the establishment of new or different relationships among system elements and perhaps introduc-ing new elements into the system.
3.1.3 Establishing Objectives and Information Requirement for Systems Development The impact a particular system has on an organization's ability to meet its goals determines the true value of that system to the organization. While all systems should support business goals, some systems are more pivotal in continued operations and goal attainment than others. These systems are called mission-critical systems. An order processing TPS, for example, is usually considered mission-critical. Without it, few organizations could continue daily activities, and they clearly would not meet the goals.
The goals defined for an organization will in turn define the objectives set for a system. A manufacturing plant, for exam-ple, might determine that minimizing the total cost of owning and operating its equipment is a critical success factor (CSF) in meeting a production volume and profit goals. This CSF would be converted into specific objectives for a proposed plant equipment maintenance system. One specific objective might be to alert maintenance planner when a piece of equipment is due for routine preventive maintenance (e.g., cleaning and lubrication). Another objective might be to alert the maintenance planners when the necessary cleaning materials, lubrication oils, or spare parts inventory levels are below specified limits.
Develop overall objectives
Identify information system projects
Set priorities and select projects
Develop information systems plan
Analyze resource requirements
Set schedules and deadlines
Develop information system planning document
Figure 3-2 The steps of information system planning
These objectives could be accomplished either through automatic stock replenishment via electronic data interchange or through the use of exception reports.
Regardless of the particular system development effort, the development process should define a system with specific per-formance and cost objectives. The success or failure of the systems development effort will be measured against these objec-tives. Performance objectives measure the extent to which a system performs as desired. Is the system generating the right information for a value-added business process? Is the output generated in a form that is usable and easily understood? Is the system generating output in time to meet organizational goals and operational objectives? Cost objectives attempt to balance the benefits of achieving performance goals with all costs associated with the system. Balancing performance and cost objectives within the overall framework of organizational goals can be challenging. Systems development objectives are important, however, in that they allow an organization to effectively and efficiently allocate resources and measure the success of a systems development effort.
In order to develop an effective information systems plan, the organization must have a clear understanding of both its long- and short-term information requirements. Two principal methodologies for establishing the essential information requirements of the organization as a whole are enterprise analysis and critical success factors.
Enterprise analysis argues that the firm's information requirements can only be understood by looking at the entire or-ganization in terms of organizational units, functions, processes, and data elements. Enterprise analysis can help identify the key entities and attributes of the organization's data. The central method used in the enterprise analysis approach is to take a large sample of managers and ask them how they use information, where they get the information, what their environments are like, what their objectives are, how they make decisions, and what their data needs are. The results of this large survey of managers are aggregated into subunits, functions, processes, and data matrices. Data elements are organized into logical application groups--groups of data elements that support related sets of organizational processes. The weakness of enterprise analysis is that it produces an enormous amount of data that is expensive to collect and difficult to analyze. Most of the interviews are conducted with senior or middle managers, but there is little effort to collect information from clerical workers
Manager’s Toolkit How to Develop an Information Systems Plan
A good information systems plan should address the following topic:
1. Purpose of the Plan • Overview of plan contents • Changes in form’s current situation • Firm’s strategic plan • Current business organization and future or-
ganization • Key business processes • Management Strategy
2. Strategic Business Plan • Current situation • Current business organization • Changing environments • Major Environments
3. Current Systems • Major systems supporting business functions
and processes • Current infrastructure capabilities
o Hardware o Software o Database o Telecommunications and Internet
• Difficulties meeting business requirements • Anticipated future demands
4. New Development • New system projects
o Project descriptions o Business rational
• New infrastructure capabilities required o Hardware o Software o Database o Telecommunications and Internet
5. Management Strategy • Acquisition plans • Milestones and timing • Organizational realignment • Internal reorganization • Management controls • Major training initiatives • Personnel strategy
6. Implementation Plan • Anticipated difficulties in implementation • Progress reports
7. Budget Requirement • Requirements • Potential savings • Financing • Acquisition cycle
Figure 3-3 Guideline of an information system plan
and supervisory managers. Moreover, the questions frequently focus not on management's critical objectives and where information is needed but rather on what existing information is used. The result is a tendency to automate whatever exists. But in many instances, entirely new approaches to how business is conducted are needed, and these needs are not addressed.
The strategic analysis or critical suc-cess factors approach argues that an organization's information requirements are determined by a small number of critical success factors (CSFs) of manag-ers. If these goals can be attained, the firm's or organization's success is assured. CSFs are shaped by the industry, the firm, then manager, and the broader environ-ment. An important premise of the strategic analysis approach is that there are a small number of objectives that managers can easily identify and on which information systems can focus. The strength of the CSF method is that it produces a smaller data set to analyze than does enterprise analysis. The CSF method takes into account the changing environment with which organizations and managers must deal. This method explicitly asks managers to look at the environment and consider how their analysis of it shapes their information needs. Unlike enterprise analysis, the CSF method focuses organizational attention on how information should be handled. The method's primary weakness is that the aggregation process and the analysis of the data are art forms. There is no particularly rigorous way in which individual CSFs can be aggregated into a clear company pattern. Second, there is often confusion among interviewees (and interviewers) between individual and organizational CSFs. They are not necessarily the same. What can be critical to a manager may not be important for the organization. Moreover, this method is clearly biased toward top managers because they are generally the only ones interviewed.
3.1.4 Measuring Information Systems Performance Organizations spend enormous sums of money on IT to compete in today’s fast-paced business environment. Some organiza-tions spend up to 50 percent of their total capital expenditures on IT. To justify these expenditures, an organization must measure the payoff of these investments, their impact on business performance, and the overall business value gained. Effi-ciency and effectiveness metrics are two primary types of IT metrics. Efficiency IT metrics measure the performance of the information system itself such as throughput, speed and availability. Effectiveness IT metrics measure the impact the system has on business processes and activities including customer satisfaction, conversion rates, and sell-through increases. Peter Drucker offers a helpful distinction between efficiency and effectiveness. Drucker states that managers “Do things right”
Efficiency IT Metrics
Throughout The amount of information that can travel through a system at any point in time
The amount of time a system takes to perform a transaction
The number of hours a system is available for users
Includes a host of benchmarks such as the number of page views, the number of unique visitors, and the average time spent viewing a Web page
The time it takes to respond to user interactions such as a mouse click
The extent to which a system generates the correct results when executing the same transaction numerous times
Effectiveness IT Metrics
Usability The ease with which people perform transactions and/or find information. A popular usability metric on the Internet is degrees of freedom, which measures the number of clicks required to find desired information
Measured by such benchmarks as satisfaction surveys, percentage of existing customers retained, and in-creases in revenue dollars per customer.
The number of customers an organization “touches” for the first time and persuades to purchase its products or services. This is a popular metric for evaluating the effectiveness of banner, pop-up, and pop-under ads on the Internet
Financial Such as return on investment, cost-benefit analysis and break-even analysis
Figure 3-4 Common Types of Efficiency and Effectiveness IT Metrics
and/or “Do the right things.” Doing things right addresses efficiency – getting the most from each resource. Doing the right things addresses effectiveness – setting the right goals and objectives and ensuring they are accomplished. Efficiency focuses on the extent to which an organization is using its resources in an optimal way; while effectiveness focuses on how well an organization is achieving its goals and objectives. The two—efficiency and effectiveness—are definitely interrelated. However, success in one area does not necessarily imply success in the other.
Regardless of what is measured, how it is measured, and whether it is for the sake of efficiency or effectiveness, there must be benchmarks, or baseline values the system seeks to attain. Benchmarking is a process of continuously measuring system results, comparing those results to optimal system performance, and identifying steps and procedures to improve system performance. Efficiency IT metrics focus on the technology itself. Effectiveness IT metrics are determined according to an organization’s goals, strategies, and objectives. Figure 3-4 highlights the most common types of efficiency and effectiveness IT metrics.
3.1.5 Project Management A project is a planned series of related activities for achieving a specific business objective. Information systems projects include the development of new information system, enhancing existing systems, upgrading the firm’s IT infrastructure, or replacing the old systems. There is a very high failure rate among information systems projects because they have not been properly managed. The Standish Group, which monitors IT projects success rates, found that in 2007 only 29 percent of all IT investment were completed on time, on budget, and with all features and functions originally specified. Firms may have incorrectly assessed the business value of the new system or were unable to manage the organizational change required by the new technology. That is why it is essential to know how to manage information systems projects.
Project management refers to the application of knowledge, skills, tools, and techniques to achieve specific targets within specified budget, and time constraints. Project management activities include planning the work, assessing risk, estimating resources required to accomplish the work, organizing the work, acquiring human and material resources, assigning tasks, directing activities, controlling project execution, reporting progress, and analyzing the result. As in other areas of business, project management for information systems must deal with five major variables: scope (defining what work is included in a project), time (defining the amount of time required to complete the project), cost (calculating the total cost of hardware, software, human resources, and work space), quality (specifying an indicator of how well the end result of a project satisfies the objectives), and risk (estimating the potential problems that would threaten the success of a project).
To plan and schedule a project effectively, the project leader must identify the following components of the project: • The goal, objectives, and expectations of the project, collectively called the scope of the project • Required activities • Time estimates for each activity • Cost estimates for each activity • The order in which activities must occur • Activities that may be performed concurrently
When these items are identified, the project leader usu-ally records them in a project plan. A popular tool used to plan and schedule the time relationships among project activities is a Gantt chart (Figure 3-5). A Gantt chart, developed by Henry L. Gantt, is a bar chart that uses horizontal bars to show project phases or activities. The left side, or vertical axis, displays the list of required activities. A horizontal axis across the top or bottom of the chart represents time.
Another tool used for planning and scheduling time is called a PERT chart, short for Program Evaluation and Review Technique chart. Developed by the U.S. Depart-ment of Defense, a PERT chart analyzes the time required to
Figure 3-5 An example of Gantt chart
Figure 3-6 An example of PERT chart
complete a task and identifies the minimum time required for an entire project (see Figure 3-6). PERT chats, sometimes called network diagrams, can be more complicated to create than Gantt charts for planning and scheduling large, complex projects.
After a project begins, the project leader monitors and controls the project. Some activities take less time than originally planned. Others take longer. The project leader may realize that an activity is taking excessive time or that scope creep has occurred. Scope creep occurs when one activity has led to another that was not originally planned; thus, the scope of the project now has grown.
Project leaders should have good change management skills so they can recognize when a change in the project has oc-curred, take actions to react the change, and plan for opportunities because of the change. For example, the project leader may recognize the team will not be able to meet the original deadline of the project due to scope creep. Thus, the project leader may extend the deadline or may reduce the scope of the system development. If the latter occurs, the users will receive a less comprehensive system at the original deadline. In either case, the project leader revises the first project plan and presents the new plan to users for approval. It is crucial that everyone is aware of and agrees on any changes made to the project plan.
One aspect of managing projects is to ensure that everyone submits deliverables on time and according to plan. A deliver-able is any tangible item such as a chart, diagram, report, or program file. Project leaders can use project management software such as Microsoft Project (Figure 3-7) to assist them in planning, scheduling, and controlling development projects.
Companies typically are presented with many different projects for solving problems and improving performance. There are far more ideas for system projects than there are resources. The company should select the projects that promise the greatest benefit to the business. In order to identify the information systems projects that will deliver the most business value, you will need to identify their costs and benefits and how they relate to the firm’s business strategy and information system plan. Some systems development projects are more likely to run into problems or to suffer delays because they carry a much higher level of risk than others. The level of project risk is influenced by project size, project structure and the level of technical expertise of the information systems staff and project team. Dealing with the project risks requires an understanding of the implementation process and change management. A broader definition of implementation refers to all the organization
Figure 3-7 Microsoft Project is popular project management software
activities working toward the adoption and management of an innovation, such as a new information system. Successful implementation requires a high level of user involvement in a project and management support.
As globalization proceeds, companies will be building many more new systems that are global in scale, spanning many different units in many different countries. The project management challenges for global systems are similar to those for domestic systems, but they are complicated by the international environment. User information requirements, business processes, and work cultures differ from country to country.
Developing a new information system solution is not merely a matter of installing hardware and software. The business must also deal with the organizational changes that the new solution will bring about—new information, new business processes, and perhaps new reporting relationships and decision-making power. A very well-designed solution may not work unless it is introduced to the organization very carefully. The process of planning change in an organization so that it is implemented in an orderly and effective manner is critical to the success or failure of information system solutions.
3.2 Participants in Systems Development
Effective system development requires a team effort. For each system development project, the organization usually establishes a project team to work on the project from beginning to end. The team usually consists of stakeholders, user, managers, systems development specialists and various support personnel (Figure 3-8). The development team is responsible for deter-mining the objectives of the information system and delivering a system that meets these objectives to the organization. System
Other system analysts
Installs and maintains networks; installs and monitors communica-tions equipment and software
Interacts with the information system or uses the information it generates; assists with defining system requirements
Decision-making body of an organization
Develop and maintains an organization’s Web site; create or helps users create Web pages
Webmaster Develop and designs enterprise-wide applications for data mining
Administers and controls an organization’s resources; works with system administrator and with application development teams; assists systems analysts and programmers in developing or modifying applications that use the company’s database
Database administrators and database analysts
Responsible for security of an organization’s systems, data and information
Application and system programmers
Converts the system design into the appropriate programming language and tests finished programs; installs and maintains operating system software and provides technical support to the programmer’s staff
Figure 3-8 Systems development participants
development should involve representatives from each department in which the proposed system will be used. This includes both nontechnical users and IT professionals. Although the roles and responsibilities of members of the system development team may change from company to company, this section presents general descriptions of tasks for various team members.
Stakeholders are individuals who, either themselves or through the area of the organization they represent, ultimately benefit from the systems development project. Managers who have high visibility roles as system sponsors or champions are key stakeholders in many strategically important systems because they work toward the system’s success and ultimately receive some of the credit or blame. Other stakeholders may be affected less directly if a system shifts the balance of power in an organization or works contrary to their personal goals. Information systems that create new communication patterns are likely to have a wide range of stakeholders. Information system staff members are important stakeholders of most information systems because they are responsible for system operation and enhancement. As professionals in the field, they have a deeper understanding than most business professionals about what it takes to build and maintain solid information systems. They also have a clearer view of technical relationships between different systems and of policies and practices related to systems.
During the course of the system development project, the systems analyst meets and works with a variety of people. A systems analyst is a professional who specializes in analyzing and designing business systems and is responsible for designing and developing an information system for his/her company. The systems analyst is the users' primary contact person. Depend-ing on the size of the organization, the tasks performed by the systems analyst may vary. Smaller companies may have one system analyst or even one person who assumes the roles of both system analyst and programmer. Larger companies often have multiple systems analysts.
System analysts are the liaison between the users and the IT professionals. They convert user requests into technical speci-fications. Thus, systems analysts must have superior technical skills. They also must be familiar with business operations, be able to solve problems, have the ability to introduce and support change, and posses excellent communications and interper-sonal skills. System analysts prepare many reports, drawings, and diagrams. They discuss various aspects of the development project with users, management, other analysts, database analysts, database administrators, network administrators, the webmaster, programmers, vendors, and steering committee.
Systems analyst is one of the most demanding positions in the country. Typically, systems analysts are more involved in design issues than in day-to-day programming. The minimum educational requirement is a bachelor's degree, but many companies opt for a master's degree. Salaries are excellent in this demanding occupation. A successful systems analyst is willing to embrace new technologies and is open to continued learning. Growing in demand are skills for the systems analyst that include e-business and enterprise-wide networking.
The steering committee is a decision-making body in an organization. The goal of a steering committee is to get an or-ganization’s leaders, who have different interests and agendas, to share the responsibilities and risks that come with aligning information systems initiatives with broader business aims. Many organizations utilize a steering committee for some aspect of their information systems project management.
A software programmer is a professional who uses a computer programming language, such as C++, C#, Java, Perl, PHP, and Visual Basic, to write the instructions necessary to direct the computer to process data into information. Programmers are responsible for developing computer programs to satisfy user requirements. They take the plans from the systems analyst and build the necessary software.
Users are individuals who will interact with the system regularly. They can be employees, managers, customers, or suppli-ers. For large-scale systems development projects, where the investment in and value of a system can be quite high, is common to have senior-level managers, including the company president and functional vice presidents, be part of the development team. Since user information requirements drive the entire system-developing effort, user must have sufficient control over the design process to ensure that the system reflects their business priorities and information needs. The nature and level of user participation in systems development vary from system to system. There is more need for user involvement in systems with requirements that elaborate, complex, or vaguely defined than in those with simple or straightforward requirements.
The other support personnel on the development team are mostly technical specialists. The network specialists are respon-sible for installing and maintaining local networks; the database specialists assist systems analysts and programmers in developing or modifying applications that use the company’s database; the database administrators administer and control an organization’s data and information resources; the data warehousing specialists develop and design enterprise-wide applica-tions for data mining; the data communications specialists evaluate, install, and monitor data communications equipment and software and is responsible for connections to the Internet and other wide area networks; and the Webmasters create and maintain an organization’s Web site. One or more of these roles may be outsourced to other companies or consultants. Depending on the magnitude of the systems development project and the number of information systems development specialists on the team, the team may also include one or more IT managers. The composition of a development team may vary over time and from project to project. For small businesses, the development team may consist of a system analyst and the business owner as the primary stakeholder. For large organizations, formal information systems development team can include hundreds of people involved in a variety of systems development activities. Every development team should have a team leader,
who is responsible for managing and controlling the budget and schedule of the project. The system analyst may or may not be selected as the project leader of the project.
3.3 System Development Life Cycle
3.3.1 Phases in the System Development Cycle Information systems development consists of phases, referred to collectively as the system development life cycle. The system development life cycle (SDLC) is a very formal approach to building information systems and refers to all the activities that go into producing an information systems solution to an organizational problem or opportunity. This methodology assumes that an information system has a life cycle similar to that of any living organism, with a beginning, a working period, and an end. SDLC partitions the system development process into distinct phases and has an organized set of activities that guide people through the development of an information system. Some activities in the SDLC may be performed at the same time, while other activities are performed sequentially. Each activity involves interaction with the organization. Depending on the type and complexity of the information systems being developed, the nature and duration of the specific activities vary from one system to the next. The activities of the SDLC can be grouped into the five major phases (Figure 3-9):
1. Planning 2. Analysis 3. Design 4. Implementation 5. Operation and maintenance.
As shown in Figure 3-9, each phase in the system development cycle consists of a series of activities, and the phases form a loop. Information systems development is an ongoing process for an organization. The phases in the SDLC form a loop, because when the information system requires changing, which may happen for a variety of reasons such as information requirements of users has changed or hardware and software become obsolete, the planning phases for a new or modified system begins and the system development life cycle starts again. The goal of the SDLC is to keep the project under control and assure that the information system developed satisfies the requirements.
In theory, the five phases in the system development cycle often appear sequentially, as shown in Figure 3-9. In reality, activities within adjacent phases often interact with one another--making the system development cycle a dynamic iterative process. Members of the system development team follow established guidelines during the entire system development cycle.
Ongoing Activities• Project management • Feasibility assessment • Documentation • Data/information gathering
5. Operation, Support, and Security • Perform maintenance activities • Monitor system performance • Assess system security
1. Planning• Review project requests • Prioritize project requests • Allocate resources • Form project development team
2. Analysis • Conduct preliminary investigation • Perform detailed analysis activities:
o Study current system o Determine user requirements o Recommend solution
3. Design• Acquire hardware and software, if
necessary • Develop details of system
4. Implementation • Develop programs, if necessary • Install and test new system • Train users • Convert to new system
Figure 3-9 Phases of the system development cycle
They also interact with a variety of IT professionals and others during the system development cycle. In addition, they perform several ongoing activities during all five phases of the system development cycle. The following sections discuss each of these phases.
3.3.2 Planning Phase The initiation of a system development project may begin in many different ways. A system user requests a new or modified information system for a variety of reasons, some external and some internal. An external reason is competition. For example, once one bank offers Internet access to account information, others will have to follow suit, or run the risk of losing customers. One internal reason for modifying an information system is to improve or enhance it. For example, if a school wants to provide students with the ability to register for classes via the Internet, the school would have to modify the existing registration system to include this enhancement. The most obvious internal reason for changing an information system is to correct a business problem. For example, the stock-on-hand listed on a report may not match the actual stock-on-hand in the warehouse.
The planning phase for a project begins when the steering committee receives a project request. As mentioned earlier in this chapter, the steering committee is a decision-making body for a company. This committee typically includes a mix of vice presidents, managers, nonmanagement users, and IT personnel.
During the planning phase, four major activities are performed: (1) review and approve the project requests; (2) prioritize the project requests; (3) allocate resources such as money, people, and equipment to approved projects; and (4) form a project development team for each approved project.
If the management receives several projects requests at the same time, the project requests should be prioritized. The pro-jects that receive the highest priority are those mandated by management or some other governing body. These requests are given immediate attention. The steering committee evaluates the remaining project requests based on their value to the company. The steering committee approves some projects and rejects others. Of the approved projects, it is likely that only a
Business Objective System Functionality Information Requirements
Provide product information (content)
Execute a transaction payment
Accumulate customer information
Provide after-sale customer support
Understand marketing effectiveness
Provide production and supplier links
Digital catalog Dynamic text and graphics catalog
Product database Product description, stocking numbers, inventory levels
Customer on-site tracking Site log for every customer visit; data mining capability to identify common customer paths and appropriate responses
Shopping cart/payment system Secure credit card clearing; multiple options
Customer database Name, address, phone, and e-mail; online customer registration
Sales database Customer ID, product, date, shipping date, payment
Ad server, e-mail server, ad banner manager, campaign manager
Site behavior log of prospects and customers linked to e-mail and banner ad campaigns
Site tracking and reporting system
Number of unique visitors, pages visited, products purchased, identified by marketing campaign
Inventory management system Product and inventory levels, supplier ID and contact, order quantity data by product
Figure 3-10 Business objectives, system functionality, and information requirements for a typical e-commerce system
few will begin their system development cycle immediately. Others will have to wait for additional funds or resources to become available.
3.3.3 Analysis Phase This phase of the SDLC tries to answer the question, “What do we want the system to do for our business?” This phase identifies business objectives, system functionality, and information requirements. System functionalities are a list of the types of information systems capabilities you will need to achieve your business objectives. The information requirements for a system are the information elements that the system must produce in order to achieve the business objectives. You will need to provide these lists to system developers and programmers so they know what you as the manager expect them to do. The key here is to let the business decisions drive the technology, not the reverse. This will ensure that your technology platform is aligned with your business. Figure 3-10 shows an example that describes some basic business objectives, system functionalities, and information requirements for a typical e-commerce system.
Once you have identified the business objectives and system functionalities, and have developed a list of information re-quirements, you can consider how all these functionalities will be delivered. System analysis is the analysis of the problem that the organization will try to solve with an information system. This analysis consists of two major tasks: (1) conduct a prelimi-nary investigation and (2) perform a detailed analysis.
The preliminary investigation, also called the feasibility study, is a user-oriented overview of the proposed information system's purpose and feasibility. The purpose of the preliminary investigation is to define the problem or enhancement, identify its causes or sources, determine whether or not the problem or enhancement identified is worth pursuing, and determine whether that projects is feasible, or achievable, given the organization's resources and constraints. Should the company continue to assign resources to this project? To answer this question, the systems analyst conducts a general study of the project and presents his or her findings in a report.
The most important aspect of the preliminary investigation is to define accurately the problem or enhancement. The per-ceived problem or enhancement identified in the project request may or may not be the actual problem. In other words, the actual problem may be different from the one suggested in the project request. For example, suppose the shipping department complains that the marketing department takes too long to send customer names and addresses. An investigation might reveal the marketing department is not the problem. The problem exists because the marketing department does not have instant access to the customer names and addresses.
The preliminary investigation begins with an interview of the user who submitted the project request, and other users who will be affected by the project. In addition to interviewing, members of the project team may use other data gathering tech-niques. During the preliminary investigation, through examining documents and procedures, observing system operations, and interviewing key users, the development team can identify the problem area and objectives to be achieved by the solution.
Upon completion of the preliminary investigation, the systems analyst writes the feasibility report that presents his/her findings and a recommendation to the steering committee. Feasibility is a measure of how suitable the development of a system will be to the company. A project that is feasible at one point of the system development cycle might become infeasible at a later point. Thus, system analysts frequently reevaluate feasibility during the system development cycle. A systems analyst typically uses the following four tests to evaluate feasibility to a project:
1) Technical Feasibility: whether the proposed information system can be implemented with the available hardware, software, technical resources, and human resource.
2) Economic Feasibility: whether the lifetime benefits of the proposed information system outweigh the lifetime costs. 3) Operational Feasibility: whether the proposed solution is desirable within the existing managerial and organizational
framework and culture. Will the users like the new system? Will they use it? Will it meet their requirements? Will it cause any changes in their work environment?
4) Schedule Feasibility: whether the established deadlines for the project are reasonable. If a deadline is not reasonable, the project leader might make a schedule. If a deadline cannot be extended, then the scope of the project might be reduced to meet a mandatory deadline.
Normally the feasibility study will identify several alternative solutions that can be pursued by the organization. The writ-ten feasibility report will assess the feasibility of each alternative, describe the costs and benefits, advantages and disadvan-tages of each alternative, and give a recommendation. However, it is up to the steering committee to determine which mix of costs, benefits, technical features, and organizational impacts represents the most desirable alternative.
In some cases, the project team may recommend not to continue the project. In other words, the team considers the project infeasible. If the steering committee agrees, the project ends at this point. If the project team recommends continuing and the steering committee approves this recommendation, however, then detailed analysis begins.
The detailed analysis defines the specific information requirements that must be met by the system solution selected and develops a detailed description of the functions that the new system must perform. This analysis involves three major activities: (1) study the existing system in depth so you thoroughly understand the current operations, uncover all possible problems and enhancements, and determine the causes and effects of these problems or enhancements; (2) determine the user's requirements for the proposed system, which includes who needs what information, and when, where, and how the information is needed; and (3) present alternative solutions to the problem or enhancement and then recommend a proposed solution. Perhaps the most difficult task of the detailed analysis is to define the specific information requirements that must be met by the system. Faulty requirement analysis is a leading cause of system failure and high system development costs. An important benefit from studying the existing system and determining user requirements is that these activities build valuable relationships among the systems analyst and users. The systems analyst has much more credibility with users if he/she understands how the users currently perform their job responsibilities and respects their concerns.
During the detailed analysis, systems analysts use all available data and information gathering techniques. They review documentation, observe employees and machines, distribute surveys, interview employees, and do research. While studying the current system and identifying user requirements, the systems analyst collects a great deal of data and information. A major task for the systems analyst is to document these findings in a way that can be understood by everyone. Both users and IT professionals refer to this documentation. An important benefit from these activities is that they build valuable relationships among the system analysts and users.
Most system analysts use either a process modeling or object modeling approach to analysis and design. Process modeling is an analysis and design technique that describes processes that transform inputs into outputs. Tools that a systems analyst uses for process modeling include entity-relationship diagrams, data flow diagrams, and the project dictionary.
An entity-relationship diagram (ERD) is a tool that graphically shows the connections among entities in a system. An entity is an object in the system that has data. Each relationship describes a connection between two entities. For example, in the ERD shown in Figure 3-11, a vendor supplies one or more computers. A customer may or may not use one of these computers. A customer may or may not place an order. Some customers may place multiple orders. Each order contains one or more items from the menu. It is important that the systems analyst reviews the ERD with the user. After users approve the ERD, the systems analyst identifies data items associated with an entity. For example, the VENDOR entity might have these data items: Vendor Number, Vendor Name, Address, City, State, Postal Code, Telephone Number, and E-mail Address.
A data flow diagram (DFD) is a tool that graphically shows the flow of data in a system. The key elements of a DFD are the data flows, the processes, the data stores, and the sources (Figure 3-12). A data flow, indicated by a line with an arrow, shows the input or output of data or information into or out from a process. A process, which is drawn as a circle, transforms
Figure 3-11 The ERD shows the relationships among entities in a system
Figure 3-12 The DFD shows the flow of data in a system
an input data flow into an output data flow. A data store, shown as a rectangle with no sides, is a holding place for data and information. A source, drawn as a square, identifies an entity outside the scope of the system. Source sends data into the system or receives information from the system. Like ERDs, systems analysts often use EFDs to review processes with users. System analysts prepare DFDs on a level-by-level basis. The top level, known as a context diagram, identifies only the major proc-ess. Lower-level add detail and definition to the higher levels, similar to zooming in on a computer screen. The lower levels contain sub-processes.
The project dictionary, sometimes called the repository, contains all the documentation and deliverables of a project. The project dictionary helps everyone keep track of the huge amount of details in a system. The dictionary explains every item found on DFDs an ERDs. Each process, data store, data flow, and source on every DFD has an entry in the project dictionary. Every entity on the ERD has an entry in the project dictionary. The dictionary also contains an entry for each data item associated with the entities. The number of entries added to the dictionary at this point can be enormous. As you might imagine, this activity requires a huge amount of time. The system analyst uses a variety of techniques to enter these items in the project dictionary. Some of these include
structured English, decision tables, decision trees, and the data dictionary. Structured English is a style of writing that describes the steps in a process. Many systems analysts use structured English
to explain the details of a process. Figure 3-13 shows an example of structured English that describes the process of uploading vendor information. Sometimes, a process consists of many conditions or rules. In this case, the systems analyst may use a decision table or decision tree instead of structured English. A decision table is a table that lists a variety of conditions and the actions that correspond to each condition. A decision tree also shows conditions and actions, but it shows them graphically. Figure 3-14 and 3-15 show a decision table and decision tree for the same process: determining whether a vendor is approved.
Each data item has an entry in the data dictionary section of the project dictionary (Figure 3-16). The data dictionary stores the data item's name, description, and other details about each data item. The systems analyst creates the data dictionary during detailed analysis. In later phases of the system development cycle, the systems analyst refers to and updates the data dictionary.
Another approach systems analysts can use is the object modeling, sometimes called object-oriented (OO) analysis and design, which combines the data with the processes that act on that data into a single unit, called an object. An object is an item that can contain both data and the procedures that read or manipulate that data. For example, a Customer object might contain data about a customer (Customer ID, First Name, Last Name, Address, and so on) and instructions
Figure 3-13 An example of structured English
Figure 3-14 An example of decision table
Figure 3-15 An example of decision tree
about how to print a customer's record or the formula required to compute a customer's amount due. Each data element is called an attribute or property. The procedure in the object, called an operation or method, contains activities that read and manipulate the data.
Object modeling can use the same tools as those used in process modeling. Many systems analysts, however, choose to use tools defined in the UML (Unified Modeling Language). Although used in all types of business modeling, the UML has been adopted as a standard notation for object modeling and devel-opment. The UML is a graphical tool that enables analysts to document a system. It consists of many interrelated diagrams. Each diagram conveys a view of the systems. The latest UML tool includes 13 different diagrams to assist the analyst in modeling the system. Two of the more common diagrams are the use case diagram and class diagram.
A use case diagram graphically shows how actors (a user or other entity) interact with the information system (Figure 3-17). The function that the actor can perform is called the use case. A class diagram graphically shows classes
and subclasses in a system (Figure 3-18). On a class diagram, objects are grouped into classes. Each class can have one or more lower levels called subclasses. Each subclass inherits the methods and attributes of the objects in its higher-level class. Every object in a class shares methods and attributes that are part of its higher-level class. This concept of lower levels inheriting methods and attributes of higher levels is called inheri-tance.
The System Proposal
After having studied the current system and determined all user require-ments, the systems analyst communicates possible solutions for the project in a system proposal. The purpose of the system proposal is to assess the feasibility of each alternative solution and then recommend the most feasible solution for the project. The systems analyst presents the system proposal to the steering committee. If the steering committee approves a solution, the project enters the design phase.
When the steering committee discusses the system proposal and de-cides which alternative to pursue, it often is deciding whether to buy packaged software from an outside source, build its own custom software, or outsource some or all of its IT needs to an outside firm.
Packaged software is mass-produced, copyrighted, prewritten soft-ware available for purchase. Vendors offer two types of packaged software: horizontal and vertical. Horizontal market software meets the
Figure 3-16 An example of data dictionary
Figure 3-18 An example of class diagram
Figure 3-17 An example of use case diagram
needs of many different types of companies. If a company has a unique way of accomplishing activities, then it also ma require vertical market software. Vertical market software specifically is designed for a particular business or industry. Horizontal market software tends to be more widely available and less expensive than vertical market software. You can search for vertical and horizontal market software on the Web.
Instead of buying packaged software, some companies write their own applications. Application software developed by the user or at the user's request is called custom software. The main advantage of custom software is that it matches the company's requirements exactly. The disadvantages usually are that it is more expensive and takes longer to design and implement than packaged software. Companies can develop custom software in-house using their own IT personnel or outsource it, which means having an outside source develop it for them. Some companies outsource just the software development aspect of their IT operation. Others outsource more or all of their IT operation. Depending on a company's needs, outside firms can handle as much of the IT requirements as desired. Some provide hardware and software. Others provide services such as Web design and
Web Site Customer
Display Catalog Pages
Figure 3-19 A logical design for a simple Web site
Figure 3-20 A physical design for a simple Web site
Customer Internet Your Firm’s Web Server
IBM WebSphere e-commerce suite
Oracle SQL database T1/Cable/DSL/56 KB modem
T1 Verizon line at 1.54 Mbps
IBM eServer xSeries 336 Web server with two Intel Xeon proces-sors and 300 GB storage
development, Web hosting, sales, marketing, billing, customer service, and legal assistance. A trend that has caused much controversy relates to companies that outsource to firms located outside their homeland.
3.3.4 Design Phase Information analysis describes what an information system should do to meet information requirements, while information systems design shows how the system will fulfill this objective. The design of an information system is the overall plan or model for that system, which consists of all the specifications that give the system its form and structure. You must have a system design specification--a description of the main components in the system and their relationship to one another. These specifications should address all of the managerial, organizational, and technological components of the system solution.
The design phase consists of two major activities: logical design and physical design. Logical design lays out the logical model that describes the components of the system and their relationship to each other as they would appear to the users. It describes inputs and outputs, processing functions to be performed, business procedures, data models and controls. Controls specify standards for acceptable performance and methods for measuring actual performance in relation to these standards. A logical design usually is a data flow diagram. Figure 3-19 shows an example of local design for a very basic Web site.
After the systems analyst identifies the data and process requirements, the next step is to develop detailed specifications for the components in the proposed solutions. A detailed design sometimes is called a physical design. Physical design is the process of translating the abstract logical design into physical components--specific model of computers to be purchased, software to be used, the size of the telecommunications link that will be required, the way the system will be backed, and security procedures. It produces the specifications for hardware, software, physical databases, input/output media and format, networking, manual procedures, and specific controls. Physical design develops all of the details of the information system to be implemented with respect to functionality, features, and performance. To obtain these specifications, the systems analyst researches using a variety of techniques such as talking with other analysts, visiting vendor's stores, surfing the Web, and reviewing written technical materials. Many trade journals, newspapers, and magazines provide some or all of their printed content as e-zines. An e-zine, or electronic magazine, is a publication available on the Web. Figure 3-20 shows the physical design of the logical model shown in Figure 3-19.
During database design, the system analyst builds upon the data dictionary developed during the analysis phase. The systems analyst works closely with the database analysts and database adminis-trators to identify those data elements that currently exist within the company and those that are new. With relational database systems, the systems analyst defines the structure of each table in the system, as well as relationships among the tables. The systems analyst also addresses user access privileges. That is, the systems analyst defines which data elements each user can access, when they can access the data elements, what actions they can perform on the data elements, and under what circumstances they can access the elements. The result of database design is called a data model.
During the input and output design, the systems analyst carefully designs every menu, screen, and report specified in the requirements. The outputs often are designed first because they help define the requirements for the inputs. Thus, it is
Figure 3-21 This input screen is a mockup for users to review and approval
Figure 3-22 The layout chart for the mockup in Figure 3-21
very important that outputs are identified correctly and that users agree to them. The systems analyst typically develops two types of designs for each input and output: a mockup and a layout chart. A mockup is a sample of the input or output that contains actual data (Figure 3-21). The systems analyst shows mockups to users for their approval. Because users will work with the inputs and outputs of the system, it is crucial to involve users during input and output design. After users approve the mockup, the systems analyst develops a layout chart for the programmer. A layout chart is more technical and contains programming-like notations for the data items (Figure 3-22). Other issues that must be addressed during input and output design include the types of media to use (paper, video, audio); formats (graphical or narrative); and data entry validation techniques, which make sure the entered data is correct.
During program design, the systems analyst prepares the program specification package, which identifies the required pro-grams and the relationship among each program, as well as the input, output, and database specifications.
Many people should review the detailed design specifications before they are given to the programming team. Reviewers should include users, systems analysts, managers, IT staff, and members of the system development team. One popular review technique is an inspection. An inspection is a formal review of any system development cycle deliverable. A team of four or five people examines the deliverables, such as reports, diagrams, mockups, layout charts, and dictionary entries. The purpose of an inspection is to identify errors in the item being inspected. Any identified errors are summarized in a report so they can be addressed and corrected.
One again, the systems analyst reevaluates feasibility to determine if it still beneficial to proceed with the proposed solu-tion. If the steering committee decides the project still is feasible, which usually is the case, the project enters the implementa-tion phase.
3.3.5 Implementation Phase When you have both the logical and physical designs for your system, you can begin considering how to actually build the system. The implementation phase converts the system specifications established during systems analysis and design phases into a fully operational information system. The purpose of this phase is to construct the new or enhanced system and then deliver it to the users. Five major activities are performed in this phase: (1) acquire necessary hardware and software; (2) develop computer programs if necessary; (3) install and test the new system; (4) train and educate users; and (5) convert to the new system.
According to the specifications in the system design, the system analyst sends either a request for quotation or a request for proposal to prospective hardware and software vendors. A request for quotation (RFQ) is used when you know which products you want. The vendor quotes prices for the specified products. A request for proposal (RFP) is used when you want the vendor to select the products that meets your requirements and them quote the prices. Systems analysts have a variety of ways to locate vendors. Many publish their product catalogs on the Web. These online catalogs provide up-to-date information on and easy access to products, prices, technical specifications, and ordering information. Another source for hardware and software products is a value-added reseller. A value-added reseller (VAR) is a company that purchases products from manufacturers and then resells these products to the public--offering additional services with the product. Examples of additional services include user support, equipment maintenance, training, installation, and warranties. Instead of using vendors, some companies hire IT consultants; that is, they outsource this task. An IT consultant is a professional who is hired based on computer expertise, including service and advice. IT consultants often specialize in configuring hardware and software for businesses of all sizes.
After you receive completed quotations and proposals from the potential vendors, you must evaluate vendor proposals and then select the best one. It is a difficult task. It is important to be as objective as possible while evaluating each proposal. A popular technique is to establish a scoring system that you can use to rate each proposal. System analysts use many techniques to test the various software products from vendors. They obtain a list of user references from the software vendors. They also talk to current users of the software to solicit their opinions. Some vendors will give a demonstration of the product specified. Other vendors provide demonstration copies to test the software themselves. Demonstration copies usually are free and have limited functionality. Trial versions are free or have minimal fees and provide full functionality for a set time. In some cases, the demonstration copies and trial versions are available to download from the Web.
Sometimes it is important to know whether the software can process a certain volume of transactions efficiently. In this case, the systems analyst conducts a benchmark test. A benchmark test measures the performance of hardware or software. For example, a benchmark test could measure the time it takes a billing program to print 50 billing statements. Some computer magazines conduct benchmark tests while evaluating hardware and software and then publish these results for consumers to review.
Having rated the proposals, the systems analyst presents a recommendation to the steering committee. The recommenda-tion could be to award a contract to a vendor or to not make any purchases at this time.
If the project development team decides to write custom software, instead of purchasing packaged software, then the pro-grammers will develop programs from the program specification package created during analysis and design. It is here, called
programming, that system specifications are translated into program code, the actual instructions for the machine. Like the system development life cycle, program development also follows an organized set of activities, called program development life cycle (PDLC). The PDLC follows six steps: (1) analyze the requirements, (2) design the solution, (3) validate the design, (4) implement the design, (5) test the solution, and (6) document the solution. Chapter 14 explains the program development cycle in depth.
If new hardware was acquired, the hardware must be installed and tested at this point. Both packaged software and custom software programs have to install on the hardware. It is extremely important that the hardware and software be tested thor-oughly. Inadequate system testing will lead to serious problems or even disaster to the organization. Just as you test individual programs, you must test the entire information system to ensure that the programs and hardware operate together to accomplish the desired functions. System tests frequently uncover inconsistencies among programs as well as inconsistencies in the original hardware or software specification. It is better to find errors so you can correct them before putting the system into production; that is delivering it to the users. Testing an information system can be broken down into four types of activities:
1. Unit Testing: test each program separately in the system. The purpose of such testing is to guarantee that programs are error-free.
2. System Testing: test the functioning of the information system as a whole and verify that all programs in the system work together properly.
3. Integration Testing: verify that the information system works well with other systems. 4. Acceptance Testing: provide the final certification that the system is ready to be used in a production setting. System
tests are evaluated by users and reviewed by management. When all parties are satisfied that the new system meets their standards, the system is formally accepted for the conversion.
According to a recent study, poor user training is one of the top ten reasons why system development projects fail. For an information system to be effective, users must be trained properly on its functionality. They must be trained on how to use both the hardware and the software. Users must be trained properly on a system's functionality. Training is the process of ensuring that system users know what they need to know about both the work system and the information system. Training shows the users exactly how they will use the new hardware and software in the system. Training may take place as classroom-style lectures or Web-based training that is a self-directed, self-paced online instruction method. The training format depends on user backgrounds and the purpose and features of both work system and the information system. Companies can also provide education to the users. Education is the process of learning new principles or theories that help users understand the system. For example, many companies do their businesses electronically. In this case, employees need to be educated on the concepts and practices of E-commerce.
The final implementation activity is to change from the old system to the new system. This process is called conversion. This conversion can take place using one or more of the following conversion strategies (Figure 3-23):
• Direct cutover strategy: With direct cutover strategy, users stop using the old system and begin using the new system on a certain date. The advantage of this strategy is that it requires no transition costs and is a quick implementation technique. The disadvantage is that it is ex-tremely risk and can disrupt operations seri-ously if the new system does not work cor-rectly, since there is no other system to fall back on.
• Parallel strategy: Both the old system and its potential replacement are running together for a specified time period until it is assured that the new one functions correctly. The advan-tage of this strategy is that any problems with the new system can be solved before the old system is terminated. The disadvantage is that it is very expensive since additional staff or re-sources may be required to run the extra sys-tem.
• Phased strategy: This strategy introduces the new system in stages, either by functions or by organizational units. Each function or organ-izational unit is converted separately at differ-ent times using either a direct cutover or paral-lel conversion. This strategy is often used with
Old system New system
Old system New system
Figure 3-23 System conversion strategies
larger systems that are split into individual sites. • Pilot strategy: This strategy introduces the new system to only a limited area of the organization, such as a single
department or operating unit. When this pilot version is complete and working smoothly and correctly, it is installed throughout the rest of the organization, using one of the aforementioned conversion strategies.
3.3.6 Operation and Maintenance Phase After the new system is installed and conversion is complete, the system is said to be in production or operation. The informa-tion systems specialists maintain the information system and provide its users with ongoing assistance during its operation period. This phase consists of four major activities: (1) conducting a post-implementation system review; (2) correcting errors; (3) identifying enhancements; and (4) monitoring system performance.
One of the first activities the company performs is to meet with users. The purpose of this meeting, called the post-implementation system review, is to discover whether the information system is performing according to the users' expecta-tions. Both users and technical specialists will review the information system to determine how well it has met its original objectives and to decide whether any revisions or modifications are in order. If the system is not meeting the users' expecta-tions, the systems analyst must determine what must be done to satisfy the users--back to the planning phase.
Sometimes users identify errors in the system when the program does not produce correct results. Problems with design (logic) usually are the cause of these errors. For example, the total of a column might be incorrect on a daily order summary. These types of errors require investigation--back to the planning phase.
If the users would like the system to do more, that is, they have additional requirements, the system analyst must decide how to enhance the existing system to satisfy the users. System enhancement involves modifying or expanding an existing information system--back to the planning phase.
The system analyst monitors the system to determine if the system is inefficient at any point and if the inefficiency is caus-ing a problem. Changes in hardware, software, documentation, or procedures to an existing system to correct errors, meet new requirements, or improve processing efficiency means that we begin planning all over again. Thus, the loop forms in the system development life cycle.
3.3.7 CASE Tools Many systems analysts use computer software to assist in the system development cycle. Computer-aided software engi-neering (CASE) software tools are designed to support a variety of activities of the system develop-ment cycle. CASE tools typically include diagrams to support both process and object modeling. CASE tools automate the method-ologies we have just described to reduce the amount of repetitive work in system development. Some CASE tools exist separately. One program might be a dictionary and another might allow you to create drawings. The most effective tools are integrated (see Figure 3-24). The purpose of these tools is to increase the efficiency and productivity of the project devel-opment team. Usually an integrated CASE product includes the following capabilities:
• Graphics—enables the drawing of diagrams. • Modeling—creates models of the proposed system. • Code Generators—create actual computer programs from design specifications.
Figure 3-24 Case tools can assist system developers in their development processes
• Project Repository—stores diagrams, specifications, descriptions, programs, and any other deliverable generated dur-ing the system development cycle.
• Quality Assurance—analyzes deliverables, such as graphs and the data dictionary for accuracy. • Housekeeping—establishes user accounts and provides backup and recovery functions.
3.4 Alternative System Development Approaches
Systems differ in terms of their size and technological complexity, and in terms of the organizational problems they are meant to solve. Because there are different kinds of systems, a number of methods have been developed to build systems. This sections describes these other alternative methods: prototyping, application software packages, end-user development, JAD/RAD, and outsourcing.
3.4.1 Prototyping A major problem with the traditional SDLC is that the user does not use the solution until the system is nearly complete. The traditional approach is also inflexible -- changes in user requirements cannot be accommodated during development. One of alternative approaches to system development is the prototyping. Prototyping takes an iterative approach to the systems development process. During each iteration, requirements and alternative solutions to the problem are identified and analyzed, new solutions are designed, and a portion of the system is implemented. Users are then encouraged to try the prototype and provide feedback.
The prototype is a working version of an information system or part of the system, but it meant to be only a preliminary model. During the development process, the prototype will be further refined until it conforms precisely to users' requirements. For many applications, a prototype will be extended and enhanced many times before a final design is accepted. Once the design has been finalized, the prototype can be converted to a polished production system.
Prototyping is less formal than the development life cycle method. Instead of generating detailed specifications and sign-off documents, prototyping quickly generates a working model of a system. Requirements are determined dynamically as the prototype is constructed. Systems analysis, design, and implementation all take place at the same time. The process of building a preliminary design, trying it out, refining it, and trying again has been called an iterative process of systems development because the steps required to build a system can be repeated over and over again. Figure 3-25 shows a model of the prototyping process. Prototyping process consists of the following steps:
1. Determine requirements: The system developer works with users to identify the users' basic informa-tion needs.
2. Develop a working prototype: The system devel-oper creates a preliminary model of a major subsys-tem or a scaled-down version of the entire system.
3. Use the prototype: The developer let users work with the working prototype to determine how well the prototype meets their needs and to make sugges-tions for improving the prototype.
4. Revise and enhance the prototype: The developer refines the prototype according to the users' requests. After the prototype has been revised, the cycle re-turns to step 3. The steps 3 and 4 are repeated until the user is satisfied. When no more iteration is re-quired, the approved prototype then becomes an op-erational system.
Prototyping is most useful when there is some uncer-tainty about requirements or design solutions. Require-ments may be difficult to specify in advance or they may change substantially as implementation progresses. This is particularly true of decision-oriented applications, where requirements tend to be very vague. Prototyping is also valuable for the design of the end-user interface of an information system (the part of the system that end users interact with, such as online display and data entry
Develop a working prototype
Use the prototype
Revise the prototype
Figure 3-25 Prototyping process
screens, reports, or Web pages). User needs and behaviors are not entirely predictable and are strongly dependent on the context of the situation. Because prototyping encourages intense end-user involvement throughout the systems development process, it is more likely to produce systems that fulfill user requirements.
However, rapid prototyping can gloss over essential steps in systems development. If the completed prototype works rea-sonably well, management may not see the need for reprogramming, redesign, or full documentation and testing to build a polished production system. Some of these hastily constructed systems may not easily accommodate large quantities of data or a large number of users in a production environment.
3.4.2 Application Software Packages Information systems can be built using software from application software packages. There are many applications that are common to all business organizations--for example, payroll accounts receivable, general ledger, or inventory control. For such universal functions with standard processes that do not change a great deal over time, a generalized system will fulfill the requirements of many organizations.
If a software package can fulfill all of an organization's requirements, the company does not have to write its own software. The company can save time and money by using the prewritten, predesigned, pretested software programs from the package. Package vendors supply much of the ongoing maintenance and support for the system, including enhancements to keep the system in line with ongoing technical and business developments.
If an organization has unique requirements that the package does not address, many packages include capabilities for cus-tomization. Customization features allow a software package to be modified to meet an organization's unique requirements without destroying the integrity of the package software. If a great deal of customization is required, additional programming and customization work may become so expensive and time consuming that they eliminate many of the advantages of software packages.
When a system is developed using an application software package, system analysis will include a package evaluation effort. The most important evaluation criteria are the functions provided by the package, flexibility, user-friendliness, hardware and software resources, database requirements, installation and maintenance effort, documentation, vendor quality, and cost. The package evaluation process often is based on a Request for Proposal (REP).
When a software package solution is selected, the organization no longer has total control over the system design process. Instead of tailoring the system design specifications directly to user requirements, the design effort will consist of trying to mold user requirements to conform to the features of the package. If the organization's requirements conflict with the way the package works and the package cannot be customized, the organization will have to adapt to the package and change its procedures. Even if the organization's business processes seem compatible with those supported by a a software package, the package may be too constraining if these business processes are continually changing. A new company that was just being set up could adopt the business processes and information flows provided by the package as its own business processes. But organizations that have been in existence for some time may not be able to easily change the way they work to conform to the package.
3.4.3 End-User Development One of the most difficult steps in creating any new system is determining the user requirements. What does the system need to do and how will it work? This step is crucial. If the designers make a mistake here, the system will either be useless or will need expensive modifications later. SDLC and prototyping take different approaches to this problem. With SDLC, analysts talk with users and write reports that describe how the system will operate. User examines the reports and makes changes. This approach is time consuming and difficult for users because they only see paper notes of the proposed system. Prototyping overcomes some of the problems by letting users work with actual screens and reports. But use of prototyping is hard to expand beyond one or two users.
Designing and developing systems is much easier if the entire system can be built by one person. In fact, that is one of the strengths of recent tools -- they enable a single person to build more complex systems. The term end-user development simply means that users do all of the development work themselves. Using fourth-generation languages, graphics languages, and PC software tools, end users can access data, create reports, build business models, and develop entire information systems on their own, with little or no help from professional systems analysts or programmers. Many of these end-user developed systems can be created much more rapidly than the traditional systems life cycle. Clearly the main advantage is that users get what they want without waiting for an IS team and without the difficulty of trying to describe the business problems to someone else. Two basic reasons explain why end-user development is increasingly popular. First, most IS teams are facing a two- or three-year backlog of projects. That means that if you bring a new project to the IS team, the designers will not even start on it for at least two years. The second reason is that software tools are getting more powerful and easier to use at the same time. Today, it is possible for managers to create a business model and solve a business problem with a spreadsheet in a few hours that 10
years ago would have taken IS programmers a month to build with third-generation languages. As tools become more powerful and more integrated, it becomes possible to create even more complex systems.
Many organizations have reported gains in application development productivity by using end-user computing approach that in a few cases have reached 300 to 500 percent. Allowing users to specify their own business needs improves requirements gathering and often leads to higher level of user involvement and satisfaction with the system. However, end-user computing still cannot replace conventional methods for some business applications because the end users cannot easily handle the complexity of large transactions or applications with extensive procedural logic and updating requirements.
The potential problems of end-user development are not always easy to see. Most of them arise from the fact that users generally lack the training an experience of systems analysts and programmers. For instance, systems produced by end users tend to be written for only one person to use. They are oriented to working on stand-alone personal computers. The systems are often customized to fit the needs of the original users. The systems lack security controls and are hard to modify.
Other problems stem from the bottom-up approach inherent in end-user development. People in different areas of the com-pany will wind up working on the same problem, when it could have been solved once by IS teams. Data tends to be scattered throughout the company, making it hard to share and wasting space. Not following standards generates incompatibilities among systems, making it difficult to combine systems created by different departments or even by people within the same department. The end-user computing poses organizational risks because it occurs outside of traditional mechanisms for information system management and control. When systems are created rapidly, without a formal development methodology, testing and documentation may be inadequate. Control over data can be in systems outside the traditional information systems department.
The last, and possibly most import, complication is that end-user development takes time away from the user's job. Some users spend months creating and modifying systems that might have been created by IS programmers in a fraction of the time. One of the reasons for creating an IS department is to gain efficiency from using specialists.
To help organizations maximize the benefits of end-user applications development, management should control the devel-opment of end-user applications by requiring cost justification of end-user information system projects and by establishing hardware, software, and quality standards for user-developed applications. Some organizations use information centers to promote standards for hardware and software so that end users could not introduce many disparate and incompatible technolo-gies into the firm. Information centers are special facilities housing hardware, software, ad technical specialists to supply end users with tools, training, and expert advice so they can create information system applications on their won or increase their productivity. The role of information centers is diminishing as end-users become more computer literate, but organizations still need to closely monitor and manage end-user development.
3.4.4 Developing Systems with Teams: JAD and RAD Many information systems, especially those that affect the entire organization, require teams of IS workers. As soon as multiple designers, analysts, and programmers are involved, we encounter management and communication problems. MIS researchers have measured the effects of these problems. For example, one study by Jones showed that team activities ac-counted for 85 percent of the development costs. These seem to be substantial areas for improvement in systems development by focusing on teamwork.
A technique known as joint application design (JAD) was created to accelerate the generation of information requirements and to develop the initial systems design. With JAD the main system is designed in an intense three- to five-day workshop. Users, managers, and systems analysts participate in a series of intense meetings to design the inputs and outputs needed by the new system. By putting all of the decision makers in one room at the same time, conflicts are identified and resolved faster. Users and managers gain a better understanding of the problems and limitations of technology. The resulting system has greater value for users and managers because it more closely matches their needs. There is less need for changes later, when they become more expensive, so the system is cheaper to create. Properly prepared and facilitated, JAD sessions can signifi-cantly speed the design phase while involving users at an intense level.
The biggest drawback to JAD is that it requires getting everyone together at the same time for an expended period of time. Even for moderately complex system, the meetings can run eight hours a day for three to five days. Most managers and users find it difficult to be away from their jobs for that length of time. Higher-level managers are also needed at these meetings to ensure the system provides the appropriate reports and information. Finally, the meetings can only succeed if they are led by a trained facilitator. The facilitator keeps the discussions moving in the right direction, minimizes conflicts, and encourages everyone to participate. At the end of the sessions, the systems development team should have a complete description of the proposed system.
By providing advanced development tools, pre-built objects, and collaboration tools, some companies have found it is pos-sible to reduce the overall development time. The key is to target steps that can overlap and be performed by multiple teams. By improving the collaboration tools, more steps can be compressed. Many e-commerce projects were developed with rapid application development (RAD) techniques. RAD is used to describe the process of creating workable systems in a very short
period of time. RAD can include the use of visual programming and other tools for building graphical user interfaces, iterative prototyping of key system elements, the automation of program code generation, and close teamwork among end users and information systems specialists. RAD applies the value of teamwork to the developers. Firms are concerned about being the first in the market and feel they need to develop software rapidly. Systems often can be assembled from pre-built components. The process does not have to be sequential, and key parts of development can occur simultaneously. The techniques of using small groups of programmers using advanced tools, collaboration, and intense programming sessions was relatively successful at quickly producing thousands of new applications.
3.4.5 Outsourcing If a firm does not want to use its internal resources to build or operate information systems, it can hire an external organization that specializes in providing these services to do the work. The process of turning over an organization's computer center operations, telecommunications networks, or applica-tions development to external vendors is called outsourcing. The application service providers (ASPs) are one form of outsourc-ing. Subscribing companies would use the software and computer hardware provided by the ASP as the technical platform for their system. In another form of outsourcing, a company would hire an external vendor to design and create the software for its system, but that company would operate the system on its own computer. Figure 3-26 illustrates the alternatives.
Outsourcing has become popular because some organizations perceive it as more cost effective than maintaining their own computer center or information systems staff. The provider of outsourcing services benefits from economies of scale (the same knowledge, skills, and capacity can be shared with many different customers) and is likely to charge competitive prices for information systems services. Outsourcing allows a company with fluctuating needs for computer processing to pay for only what it uses rather than to build its own computer center, which would be underutilized when there is no peak load. Some firms outsource because their internal information systems staff cannot keep pace with technological change or innovative business practices or because they want to free up scarce and costly talent for activities with higher payback.
Not all organizations benefit from outsourcing, and the disadvantages of outsourcing can create serious problems for or-ganizations if they are not well understood and managed. Many firms underestimate costs for identifying and evaluating vendors of information technology services, for transitioning to a new vendor, and for monitoring vendors to make sure they are fulfilling their contractual obligations. These "hidden costs" can easily undercut anticipated benefits from outsourcing. When a firm allocates the responsibility for developing and operating its information systems to another organization, it can lose control over its information systems function. If the organization lacks the expertise to negotiate a sound contract, the firm's dependency on the vendor could result in high costs or loss of control over technological direction. Firms should be especially cautious when using an outsourcer to develop or to operate applications that give it some type of competitive advantage.
3.4.6 Summary Increasingly, companies are converting at least some portion of their business to run over the Internet, intranets, or extranets. An important trend in systems development is that business applications are been moving to the Internet to support selling products to customers, placing orders with suppliers, and letting customers and/or suppliers access information about produc-tion, inventory, orders, or accounts receivable. Internet technology provides a platform for applications that enables companies to extend their transaction processing systems beyond the boundaries of the organization to their customers, suppliers, and partners. This enables companies to conduct business much faster, interact with more people, and try to keep one step ahead of the competition.
Building a dynamic core business application that runs over the Web is much more complicated. Such applications must meet special business needs. They must be able to scale up to support highly variable transaction throughput from potentially thousands of users. Ideally, they can scale up instantly when needed. They must be reliable and fault tolerant, providing continuous availability while processing all transactions accurately. They must also integrate with existing infrastructure,
Completely In-house Build: in-house Host: in-house
Mixed Responsibility Build: in-house Host: outsource
Mixed Responsibility Build: outsource Host: in-house
Completely Outsource Build: outsource Host: outsource
In-house Outsource Building the System
Figure 3-26 Choices in building and hosting the system
including customer and order databases, existing applications, and enterprise resource planning systems. Development and maintenance must be quick and easy, as business needs may require changing applications on the fly.
In the digital firm environment, organizations need to be able to add, change, and retire their technology capabilities very rapidly. Companies are adopting shorter, more informal development processes for many of their e-commerce and e-business applications, processes that provide fast solutions that do not disrupt their core transaction processing systems and organiza-tional databases. They are relying more heavily on fast-cycle techniques such as JAD, prototypes, and reusable standardized software components that can be assembled into a complete set of services for e-commerce and e-business.
In summary, systems development can be a difficult task. Many projects have failed because they cost much more than anticipated or they did not produce useful systems. All development methods introduced in this chapter involve five basic steps: feasibility and planning, systems analysis, design, implementation, and maintenance. Prototyping and end-user development typically focus on the design stage. However, managers need to remember that implementation problems can arise with any new system, regardless of how it was created. The following table compares the advantages and disadvantages of each of the system-building alternatives.
Approach Features Advantages Disadvantages
Systems life cycle
• Sequential step-by-step formal process
• Written specification and approvals
• limited role of users
• Necessary for large complex systems and projects
• Slow and expensive • Discourages changes • Massive paperwork to
Prototyping • Requirements specified dynamically with ex-perimental system
• Rapid, informal, and iterative process
• Users continually interact with the proto-type
• Rapid and relatively inex-pensive
• Useful when requirements uncertain or when end-user interface is very important
• Promotes user participation
• Inappropriate for large, complex systems
• Can gloss over steps in analysis, documenta-tion, and testing
Applications software package
• Commercial software eliminates need for internally developed software programs
• Design, programming, installation, and mainte-nance work reduced
• Can save time and cost when developing common business applications
• Reduces need for internal information systems re-sources
• May not meet organi-zation's unique re-quirements
• May not perform many business functions well
• Extensive customiza-tion raises develop-ment costs
• Systems created by end users using forth-generation software tools
• Rapid and informal • Minimal role of informa-
tion systems specialists
• User control systems-building
• Saves development time and cost
• Reduces application backlog
• Can lead to prolifera-tion of uncontrolled information systems and data
• Systems do not always meet quality assurance standards
Outsourcing • Systems built and sometimes operated by external vendor
• Can reduce or control costs • Can produce systems when
internal resources are not available or technically defi-cient
• Loss of control over the information systems function
• Dependence on the technical direction and prosperity of external vendors
Figure 3-27 Advantages and disadvantages of system-building methods
3.5 Information Systems Management
3.5.1 Understanding Ethical and Social Issues Related to Systems Ethical, social, and political issues are closely linked. The ethical dilemma you may face as a manager or user of information systems typically is reflected in social and political debated. The major ethical, social, and political issues raised by informa-tion systems include the following moral dimensions:
• Information rights and obligations: What information rights do individuals and organizations possess with respect to themselves? What can they protect? What obligations do individuals and organizations have concerning this information? Privacy is the claim of individuals to be left alone. Information technology and systems threaten individual claims to pri-vacy by making the invasion of privacy cheap, profitable, and effective.
• Property rights and obligations: How will traditional intellectual property rights be protected in a digital society in which tracing and accounting for ownership are difficult and ignoring such property rights is so easy? Contemporary in-formation systems have severely challenged existing law and social practices that protect private intellectual property. Digital media differ from book, periodicals, and other media in terms of ease of replication; ease of transmission; ease of alteration; difficulty in classifying a software work as a program, book, or even music; compactness—making theft easy; and difficulties in establishing uniqueness.
• Accountability and control: Who can and will be held accountable and liable for the harm done to individual and collective information and property rights? New information technologies are challenging existing liability law and social practices for holding individuals and institutions accountable. For example, if you outsource your information processing, can you hold the external vendor liable for injuries done to your customers?
• System quality: What standards of data and system quality should we demand to protect individual rights and the safety of society? What is an acceptable, technologically feasible level of system quality? Some system errors are foreseeable and correctable only at very great expanse, an expense so great that pursuing this level of perfection is not feasible economi-cally. Today, our businesses, governments, schools, and private associations, such as churches, are incredibly dependent on information systems and are, therefore, highly vulnerable if these systems fail.
• Quality of Life: What value should be preserved in an information- and knowledge-based society? Which institutions should we protect from violation? Which cultural values and practices are supported by the new information technology? The negative social costs of introducing information technologies and systems are beginning to mount along with the power of the technology. Computers and information technologies potentially can destroy valuable elements of our culture and society even while they bring us benefits. If there is a balance of good and bad consequences of using information systems, who do we hold responsible for the bad consequences?
Ethics is a concern of humans who have freedom of choice. Ethics is about individual choice: when we faced with alterna-tive courses of action, what is the correct moral choice? Ethical choices are decisions made by individuals who are responsible for the consequences of their actions. Information technologies are filtered through social institutions, organizations, and individuals. Systems do not have impacts by themselves. Whatever information system impact exist are products of institu-tional, organizational, and individual actions and behaviors. The responsibility for the consequences of technology falls clearly on the institutions, organizations, and individuals who choose to use the technology. Using information technology in a socially responsible manner means that you can and will be held accountable for the consequences of your actions.
Technology poses new challenges for our ethics—the principles and standards that guide our behavior toward other people. Figure 3-28 summaries the concepts, terms, and ethical issues stemming from advances in technology. Individuals determine how to use information and how information affects them. How individuals behave toward each other, how they handle information and technology, are largely influenced by their ethics. Ethical dilemmas usually arise not in simple, clear-cut situations but out of a clash between competing goals, responsibilities, and loyalties. Some examples of ethically questionable or unacceptable uses of information technology include:
1. Individuals copy, use, and distribute software 2. Employees search organizational databases for
sensitive corporate and personal information
Fair Use Doctrine
Intangible creative work that is embodied in physical form.
The legal protection afforded an expression of an idea, such as a song, video game, and some types of proprietary documents.
In certain situations, it is legal to use copy-righted material.
The unauthorized use, duplication, distribu-tion, or sale of copyrighted software.
Software that is manufactured to look like the real thing and sold as such.
Figure 3-28 Technology-related ethical issues
3. Organizations collect, buy, and use information without checking the validity or accuracy of the information 4. Individuals create and spread viruses that cause trouble for those using and maintaining IT systems. 5. Individuals hack into computer systems to steal proprietary information 6. Employees destroy or steal proprietary organization information such as schematics, sketches, customer lists, and reports.
Privacy is one of the largest ethical issues organizations. Privacy is the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent. Privacy is related to confidentiality, which is the assurance that messages and information are available only to those who are authorized to view them. Some of the most problematic decisions facing organizations lie in the murky and turbulent waters of privacy. The burden comes from the knowledge that each time employees makes a decision regarding issues of privacy, the outcome could potentially sink the company.
Trust between companies, customers, partners, and suppliers is the support structure of e-business. Privacy is one of the main ingredients in trust. Privacy continues to be one of the primary barriers to the growth of e-business.
Information has no ethics. Information does not cre how it is used. It will not stop itself from spamming customers, sharing itself if it is sensitive or personal, or revealing details to third parties. Information cannot delete or preserve itself. Therefore, it falls on the shoulders of those who own the information to develop ethical guidelines on how to manage the information.
Treating sensitive corporate information as a valuable resource is good management. Building a corporate culture based on ethical principles that employees can understand and implement is responsible management. Organizations should develop written policies establishing employee guidelines, personnel procedures, and organizational rules for information. These policies set employee expectations about the organization’s practices and standards and protect the organization from misuse of computer systems and IT resources. These policies address the ethical use of computers and Internet usage in the business environment. These policies typically embody the following:
3.5.2 Information Security Organizational information is intellectual capital. Just as organizations protect their assets—keeping their money in an insured bank or providing a safe working environment for employees—they must also protect their intellectual capital. An organiza-tion’s intellectual capital includes everything from its patents to its transactional and analytical information. With security breaches on the rise and computer hackers everywhere, an organization must put in place strong security measures to survive. All businesses must understand the importance of information security. Information security is a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization. Security is perhaps the most fundamental and critical of all the technologies/disciplines an organization must have squarely in place to execute its business strategy. Without solid security processes and procedures, none of the other technologies can develop business advantages. Enterprises can implement information security lines of defense through people first and through technology second.
Adding to the complexity of information security is the fact that organizations must enable employees, customers, and partners to access information electronically to be successful in this electronic world. Doing business electronically automati-cally creates tremendous information security risks for organizations. Surprisingly, the biggest issue surrounding information security is not a technical issue, but a people issue. Most information security breaches result from people misusing an organization’s information either advertently or inadvertently. For example, many individuals freely give up their passwords or write them on sticky notes next to their computers, leaving the door wide open to intruders. Hackers frequently use such “social engineering” to obtain password. Social engineering is using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker. Information security policies identify the rules required to maintain information security. An information security plan details how an organization will implement the information security policies. Once an organization has protected its intellectual capital by arming its people with a detailed information security plan, it can begin to focus on its efforts on deploying the right types of information security technologies. Organizations can deploy numerous technologies to prevent information security breaches. When determining which types of technologies to invest in, it helps to understand the three primary information security areas:
1. Authentication and authorization: Authentication is a method for confirming users’ identities. Once a system deter-mines the authentication of a user, it can then determine the access privileges (or authorization) for that user. Authoriza-tion is the process of giving someone permission to do or have something. Authentication and authorization techniques include (1) something the user knows such as a user ID and password, (2) something the user has such as a smart card or token, and (3) something that is part of the user such as a fingerprint or voice signature. Identity theft is the forging of someone’s identity for the purpose of fraud. The fraud is often financial fraud, to apply for and use credit cards in the vic-tim’s name or to apply for a loan. Phishing is a common way to steal identities online. Phishing is a technique to gain per-sonal information for the purpose of identity theft, usually by means of fraudulent e-mail.
2. Prevention and resistance: Prevention and resistance technologies stop intruders from accessing intellectual capital. One of the most common defenses for preventing a security breach is a firewall. A firewall is hardware and/or software that guard a private network by analyzing the information leaving and entering the network. Firewalls examine each message that wants entrance to the network. Unless the message has the correct markings, the firewall prevents it from entering the network. Content filtering occurs when organizations use software that filters content to prevent the transmission of unau-thorized information. Organizations can use content filtering technologies to filter e-mail and prevent e-mails containing sensitive information from transmitting, whether the transmission was malicious or accidental. Encryption scrambles in-formation into an alternative form that requires a key or password to decrypt the information. If there is an information security breach and the information was encrypted, the person stealing the information will be unable to read it.
3. Detection and response: If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage. The most common type of defense is antivirus software.
Implementing information security lines of defense through people first and through technology second is the best way for an organization to protect its vital intellectual capital. The first line of defense is securing intellectual capital by creating an information security plan detailing the various information security policies. The second line of defense is investing in technology to help secure information through authentication and authorization, prevention and resistance, and detection and response.
3.5.3 Establishing a Framework for Systems Security and Control Can you imagine what happen if you tried to link to the Internet without a firewall or antivirus software? Your computer would be disabled in a few seconds, and it might take you many days to recover. If you operate a business today, you need to make security and control a top priority. Security refers to the policies, procedures, and technical measures used to prevent unauthor-ized access, alteration, theft, or physical damage to information systems. Controls are methods, policies, and organizational procedures that ensure the safety of the organization’s assets, the accuracy and reliability of its records, and operational adherence to management standards.
Figure 3-29 illustrates the most common threats against contemporary information systems. They can stem from technical, organizational, and environmental factors compounded by poor management decisions. Large public networks, such as the Internet, are more vulnerable than internal networks because they are virtually open to anyone. When the Internet becomes part of the corporate network, the organization’s information systems are even more vulnerable to actions from outsiders.
Software errors pose a constant threat to information system. Growing complexity and size of software programs, coupled
Corporate Servers Corporate Systems
Hardware Operating Systems Application Software Database
• Unauthorized access
• Errors • Viruses and
worms • Spyware
• Tapping • Sniffing • Message alteration • Theft and fraud • Radiation
• Hacking • Viruses and worms • Theft and fraud • Vandalism • Denial of service attacks
• Theft of data • Copying data • Alteration of data • Hardware failure • Software failure
Figure 3-29 Contemporary security challenges and vulnerabilities
with demands for timely delivery to markets, have contributed to an increase in software flaws or vulnerabilities. A major problem with software is the presence of hidden hugs or program code defects. Studies have shown that it is vir-
tually impossible to eliminate all bugs from large programs. Zero defects cannot be achieved in larger programs. Complete testing simply is not possible. Fully testing programs that contain thousands of choices and millions of paths would require thousands of years.
Flaws in commercial software not only impede performance but also create security vulnerabilities that open networks to intruders. Each year, security firms identify about 5,000 software vulnerabilities in Internet and PC software. To correct software flaws once they are identified, the software vendor creates small pieces of software called patches to repair the flaws without disturbing the proper operation. It is up to users of the software to track these vulnerabilities, test, and apply all patches. This process is called patch management. Even with the best security tools, your information system won’t be reliable and secure unless you know how and where to deploy them. You will need to know where your company is at risk and what controls you must have in place to protect your information systems. Before your company commits resources to security and information systems controls, it must know which assets require protection and the extent to which these assets are vulnerable. A risk assessment helps answer these questions and determine the most cost-effective set of controls for protecting assets. A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Business managers working with information system specialists can determine the value of information assets, points of vulnerability, the likely frequency of a problem, and the potential for damage. Once the risks have been assessed, system builders will concentrate on the control points with the greatest vulnerability and potential for loss. Once you have identified the main risks to your systems, your company will need to develop a security policy for protecting the company’s assets. A security policy consists of statements ranking information risks, identifying acceptable security goals, and identifying mechanisms for achieving these goals. The security policy drives policies determining acceptable use of the firm’s information resources and which members of the company have access to its information assets. Information systems controls consist of both general controls and application controls. General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization’s information technology infrastructure. One the whole, general controls apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment. General controls include the following controls:
• Software controls: Monitor the use of system software and prevent unauthorized access of software programs, system software, and computer programs.
• Hardware controls: Ensure that computer hardware is physical secure, and check for equipment malfunction. Organiza-tions that are critically dependent on their computers also must make provisions for backup or continued operation to maintain constant service.
• Computer operations controls: Oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data.
• Data security controls: Ensure that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage.
• Implementation controls: Audit the systems development process at various points to ensure that the process is properly controlled and managed.
• Administrative controls: Formalized standards, rules, procedures, and control disciplines to ensure that the organization’s general and application controls are properly executed and enforced.
Application controls are specific controls unique to each computerized application, such as payroll or order processing. They ensure that only authorized data are completely and accurately processed by that application. Application controls can be classified as (1) input controls, which check data for accuracy and completeness when they enter the system; (2) processing controls, which establish that data are complete and accurate during updating, and (3) output controls, which ensure that the results of computer processing are accurate, complete, and properly distributed.
A business needs to plan for events, such as power outages, floods, earthquakes, or terrorist attacks that will prevent your information systems and your business form operating. Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services. Business continuity planning focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down. Business managers and information technology specialists need to work together on both types of plans to determine which systems and business processes are most critical to the company.